2017-06-15 - RIG EK (HOOKADS AND SEAMLESS CAMPAIGNS)

ASSOCIATED FILES:

  • 2017-06-15-1st-run-Seamless-Rig-EK-sends-Ramnit.pcap   (993,395 bytes)
  • 2017-06-15-2nd-run-Seamless-Rig-EK-sends-Ramnit.pcap   (880,020 bytes)
  • 2017-06-15-3rd-run-Hookads-Rig-EK-sends-Dreambot.pcap   (609,685 bytes)
  • 2017-06-15-4th-run-Hookads-Rig-EK-sends-Dreambot.pcap   (370,858 bytes)
  • 2017-06-15-5th-run-Hookads-Rig-EK-sends-Dreambot.pcap   (4,029,509 bytes)
  • 2017-06-15-6th-run-Seamless-Rig-EK-sends-Ramnit.pcap   (870,270 bytes)
  • 2017-06-15-1st-run-Rig-EK-landing-page.txt   (121,845 bytes)
  • 2017-06-15-2nd-run-Rig-EK-landing-page.txt   (121,645 bytes)
  • 2017-06-15-3rd-run-Rig-EK-landing-page.txt   (61,241 bytes)
  • 2017-06-15-4th-run-Rig-EK-landing-page.txt   (121,599 bytes)
  • 2017-06-15-5th-run-Rig-EK-landing-page.txt   (61,001 bytes)
  • 2017-06-15-6th-run-Rig-EK-landing-page.txt   (60,940 bytes)
  • 2017-06-15-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-06-15-Rig-EK-artifact-OTTYUADAF.txt   (1,137 bytes)
  • 2017-06-15-Rig-EK-flash-exploit-first-3-runs.swf   (16,299 bytes)
  • 2017-06-15-Rig-EK-flash-exploit-last-3-runs.swf   (16,299 bytes)
  • 2017-06-15-HookAds-Rig-EK-payload-Dreambot.exe   (251,392 bytes)
  • 2017-06-15-Seamless-Rig-EK-payload-Ramnit.exe   (249,864 bytes)


BACKGROUND ON THE CAMPAIGNS:


TRAFFIC
Shown above:  Traffic from one of the Seamless campaign infections filtered in Wireshark.



Shown above:  Traffic from one of the HookAds campaign infections filtered in Wireshark.
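The two captions above refer to the captures being filtered in Wireshark down to the HTTP requests. As an added example that is not part of the original post, the script below reproduces the effect of the "http.request" display filter with nothing but the Python standard library, so a capture can be triaged from a script or on a host without Wireshark. The capture it parses is constructed in memory: the hosts landing.example.net and c2.example.net, the TEST-NET addresses and the request paths are made up and are not indicators from the pcaps listed above. To run it against one of those, pass the file's bytes to http_requests().

```python
"""Pull HTTP request lines out of a libpcap capture with the standard library only.

Added example, not code from the original post: a stand-in for the Wireshark
"http.request" display filter used to triage exploit-kit traffic.  The capture
built at the bottom is constructed in memory with made-up hosts and TEST-NET
addresses; it is not data from the captures listed on the page.
"""
import struct
from typing import Iterator, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_packets(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for each record of a libpcap (not pcapng) file."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:  # DLT_EN10MB: Ethernet frames
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Return (dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IP_PROTO_TCP:
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    (dst_port,) = struct.unpack("!H", tcp[2:4])
    data_off = (tcp[12] >> 4) * 4
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return dst_ip, dst_port, tcp[data_off:]


def http_requests(pcap: bytes) -> List[dict]:
    """Equivalent of the Wireshark filter 'http.request': one dict per request seen."""
    found = []
    for ts, frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[2].startswith(HTTP_METHODS):
            continue
        dst_ip, dst_port, payload = parsed
        head = payload.split(b"\r\n\r\n", 1)[0]
        request_line, *headers = head.split(b"\r\n")
        parts = request_line.split(b" ")
        if len(parts) < 3:
            continue  # not a well-formed request line; skip it
        host = ""
        for line in headers:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        found.append({"ts": ts, "dst": f"{dst_ip}:{dst_port}", "method": parts[0].decode(),
                      "host": host, "path": parts[1].decode("latin-1")})
    return found


# --- constructed sample capture (made-up hosts and addresses, not real traffic) ---

def build_frame(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    src, dst = bytes([10, 0, 0, 5]), bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, IP_PROTO_TCP, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Little-endian libpcap file, Ethernet link type; timestamps start at 2017-06-15 00:00 UTC."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 1497484800 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.10", 80, b"GET /?oq=constructed HTTP/1.1\r\nHost: landing.example.net\r\n\r\n"),
    build_frame("203.0.113.20", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS-looking bytes, not HTTP
    build_frame("203.0.113.30", 80, b"POST /gate.php HTTP/1.1\r\nHost: c2.example.net\r\nContent-Length: 4\r\n\r\nid=1"),
])

if __name__ == "__main__":
    # Swap SAMPLE_PCAP for open("2017-06-15-1st-run-Seamless-Rig-EK-sends-Ramnit.pcap", "rb").read()
    for r in http_requests(SAMPLE_PCAP):
        print(f'{r["ts"]:.6f}  {r["dst"]:<20} {r["method"]:<5} {r["host"]}{r["path"]}')
```

The parser only looks at the first segment of each request, which is what the Wireshark filter shows as well; requests split across segments or carried over IPv6 or a non-Ethernet link type are deliberately out of scope here.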


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOITS:

MALWARE RETRIEVED FROM THE INFECTED HOSTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
