2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT

ASSOCIATED FILES:

  • 2017-04-25-Good-man-campaign-Rig-EK-sends-Latentbot.pcap   (1,145,861 bytes)
  • 2017-04-25-Goodma-campaign-Rig-EK-payload-Latentbot.exe   (312,832 bytes)
  • 2017-04-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-25-Rig-EK-flash-exploit.swf   (16,428 bytes)
  • 2017-04-25-Rig-EK-landing-page.txt   (117,853 bytes)
  • 2017-04-25-page-from-hurtmehard.net-with-injected-script-for-Rig-EK-landing-page.txt   (54,882 bytes)


BACKGROUND ON THE "GOOD MAN" CAMPAIGN:


BACKGROUND ON LATENTBOT:


Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Injected script in a page from the "Good Man" domain.



Shown above:  Pcap of the infection traffic filtered in Wireshark.
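The Wireshark view of the pcap is where the exploit-kit chain (compromised site, injected script, Rig EK landing page and Flash exploit, then the Latentbot payload and its post-infection traffic) is first traced. As an added example, not code from the original post, the script below does the equivalent of an HTTP request filter programmatically: it reads a classic pcap, keeps only IPv4/TCP frames that carry an HTTP request, and lists the request lines and Host headers in order. The capture it parses is constructed inline from placeholder hosts and addresses (compromised-site.example, ek-landing.example, c2.example, 192.0.2.x/198.51.100.x/203.0.113.x) so it runs offline; it is not the 2017-04-25 pcap and the hostnames are not the campaign's domains.

```python
"""Minimal pcap reader that lists HTTP requests, the way an analyst would
filter an exploit-kit infection capture in Wireshark. Added example; all
sample traffic below is constructed and uses placeholder hosts/addresses."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps


def build_pcap(frames):
    """Wrap raw Ethernet frames in an in-memory pcap file (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1493100000 + i, 0, len(frame), len(frame)) + frame
    return header + body


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def http_get(host, path="/"):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: constructed\r\n\r\n".encode()


def http_post(host, path, body):
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed infection chain: compromised site -> EK landing page -> Flash
# exploit -> payload -> post-infection check-in. Plus two frames that an HTTP
# request filter must drop (an ARP frame and an empty TCP segment).
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.4.25.101", "192.0.2.10", 49152, 80, http_get("compromised-site.example")),
    bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28,          # ARP, not IPv4
    build_tcp_frame("10.4.25.101", "198.51.100.20", 49153, 80),                    # SYN-ish, no payload
    build_tcp_frame("10.4.25.101", "198.51.100.20", 49153, 80, http_get("ek-landing.example", "/?q=constructed-landing")),
    build_tcp_frame("10.4.25.101", "198.51.100.20", 49154, 80, http_get("ek-landing.example", "/?q=constructed-flash")),
    build_tcp_frame("10.4.25.101", "198.51.100.20", 49155, 80, http_get("ek-landing.example", "/?q=constructed-payload")),
    build_tcp_frame("10.4.25.101", "203.0.113.30", 49156, 8080, http_post("c2.example", "/constructed-checkin", b"id=1")),
])


def iter_frames(pcap_bytes):
    """Yield (timestamp, frame bytes) for each record in a classic little-endian pcap."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled in this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def http_requests(pcap_bytes):
    """Return (src_ip, dst_ip, host, request_line) for every HTTP request in the capture."""
    found = []
    for _ts, frame in iter_frames(pcap_bytes):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                   # not an IPv4 frame with room for IP+TCP
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                   # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if not payload.startswith((b"GET ", b"POST ")):
            continue                                   # no HTTP request in this segment
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), "")
        found.append((src, dst, host, head[0]))
    return found


def contacted_hosts(pcap_bytes):
    """Ordered, de-duplicated list of HTTP hosts, i.e. the chain as it appears in the capture."""
    return list(dict.fromkeys(req[2] for req in http_requests(pcap_bytes)))


if __name__ == "__main__":
    for src, dst, host, line in http_requests(SAMPLE_PCAP):
        print(f"{src} -> {dst}  {host:28s} {line}")
    print("hosts in order:", contacted_hosts(SAMPLE_PCAP))
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes read from the .pcap file; pcapng files and big-endian classic pcaps are deliberately rejected rather than mis-parsed, and reassembly of requests split across segments is out of scope for this example.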


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOIT:

PAYLOAD (LATENTBOT):


IMAGES


Shown above:  Latentbot malware made persistent on the infected Windows host.



Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.



Shown above:  Some alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscription ruleset.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
