2017-06-16 - RIG EK FROM THE HOOKADS CAMPAIGN

ASSOCIATED FILES:

  • 2017-06-16-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,819,524 bytes)
  • 2017-06-16-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,963,196 bytes)
  • 2017-06-16-1st-run-Rig-EK-flash-exploit.swf   (16,299 bytes)
  • 2017-06-16-1st-run-Rig-EK-landing-page.txt   (60,820 bytes)
  • 2017-06-16-1st-run-Rig-EK-o32.tmp.txt   (1,141 bytes)
  • 2017-06-16-1st-run-Rig-EK-payload-Dreambot-rp90ecmm.exe   (251,392 bytes)
  • 2017-06-16-1st-run-popunder.php-from-original-site.txt   (602 bytes)
  • 2017-06-16-1st-run-rabbey.info-bannders-uaps.txt   (5,772 bytes)
  • 2017-06-16-2nd-run-Rig-EK-flash-exploit.swf   (16,296 bytes)
  • 2017-06-16-2nd-run-Rig-EK-landing-page.txt   (121,687 bytes)
  • 2017-06-16-2nd-run-Rig-EK-o32.tmp.txt   (1,141 bytes)
  • 2017-06-16-2nd-run-Rig-EK-payload-Dreambot-4s0bv9d6.exe   (266,752 bytes)
  • 2017-06-16-2nd-run-immedience.info-banners-uaps.txt   (5,753 bytes)
  • 2017-06-16-2nd-run-popunder.php-from-original-site.txt   (606 bytes)


BACKGROUND ON THE HOOKADS CAMPAIGN:


TRAFFIC


Shown above:  Traffic from the 1st run filtered in Wireshark.



Shown above:  Traffic from the 2nd run filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOITS:

MALWARE RETRIEVED FROM THE INFECTED HOSTS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.