2017-05-09 - RIG EK SENDS BUNITU TROJAN

ASSOCIATED FILES:

  • 2017-05-09-Rig-EK-sends-Bunitu.pcap   (554,307 bytes)
  • 2017-05-09-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-05-09-Rig-EK-flash-exploit.swf   (16,500 bytes)
  • 2017-05-09-Rig-EK-landing-page.txt   (118,254 bytes)
  • 2017-05-09-Rig-EK-payload.exe   (172,512 bytes)
  • 2017-05-09-slotdown.info.txt   (59,757 bytes)
  • 2017-05-09-slotdown3.info-1945.txt   (578 bytes)
  • airzaxz.dll   (26,624 bytes)

NOTES:
Shown above:  Tweet by @Zerophage1337 about this activity.
TRAFFIC
Shown above:  Script in possible gate leading to the next step.
Shown above:  Script leading to Rig EK landing page.
Shown above:  Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
FILE HASHES

RIG EK FLASH EXPLOIT:

RIG EK PAYLOAD (BUNITU):

ARTIFACT FROM THE INFECTED HOST:
Shown above:  Malware persistent on the infected Windows host.
IMAGES
Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.
Shown above:  Escalating the Bunitu events reveals individual IP addresses that were contacted.
Shown above:  Alerts from the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.