2017-12-14 - NGAY CAMPAIGN RIG EK PUSHES QUANT LOADER & MONERO CPU MINER

ASSOCIATED FILES:

  • 2017-12-14-Ngay-campaign-Rig-EK-traffic.pcap   (1,093,405 bytes)
  • 2017-12-14-HTML-from-192.241.150.92.txt   (2,483 bytes)
  • 2017-12-14-Ngay-campaign-Rig-EK-payload-Quant-Loader.exe   (128,969 bytes)
  • 2017-12-14-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-12-14-Rig-EK-flash-exploit.swf   (13,940 bytes)
  • 2017-12-14-Rig-EK-landing-page.txt   (132,729 bytes)
  • 2017-12-14-follow-up-malware-Monero-CPU-miner.exe   (833,487 bytes)

NOTES:


Shown above:  Flow chart for today's infection.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

ASSOCIATED DOMAINS:

MALWARE AND ARTIFACTS

ARTIFACTS FROM AN INFECTED WINDOWS HOST:

IMAGES


Shown above:  Quant Loader persistent on the infected Windows host.

Shown above:  Monero (XMR) CPU miner persistent on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
