2017-12-28 - SEAMLESS CAMPAIGN CONTINUES USING RIG EK TO SEND RAMNIT BANKING TROJAN

ASSOCIATED FILES:

  • 2017-12-28-Seamless-campaign-Rig-EK-sends-Ramnit.pcap   (1,184,893 bytes)
  • 2017-12-28-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-12-28-Rig-EK-flash-exploit.swf   (12,188 bytes)
  • 2017-12-28-Rig-EK-landing-page.txt   (96,421 bytes)
  • 2017-12-28-Rig-EK-payload-Seamless-campaign-Ramnit-bilo400.exe   (165,888 bytes)

NOTES:

DOCUMENTATION ON THE SEAMLESS CAMPAIGN:

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

Shown above:  One of the TCP streams for the Ramnit post-infection traffic.

FILE HASHES

RIG EK FLASH EXPLOIT:

MALWARE PAYLOAD SENT BY RIG EK (RAMNIT FROM THE SEAMLESS CAMPAIGN):

IMAGES

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.

Shown above:  Ramnit banking Trojan made persistent on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.