2018-03-15 - GRANDSOFT EK SENDS AZORULT

ASSOCIATED FILES:

  • 2018-03-15-GrandSoft-EK-1st-run-traffic.pcap   (797,486 bytes)
  • 2018-03-15-GrandSoft-EK-2nd-run-traffic.pcap   (796,263 bytes)
  • 2018-03-15-GrandSoft-EK-3rd-run-traffic.pcap   (823,982 bytes)
  • 2018-03-15-GrandSoft-EK-4th-run-traffic.pcap   (871,289 bytes)
  • 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-10A0A0A0.txt   (18,153 bytes)
  • 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-dwie.hta.txt   (6,492 bytes)
  • 2018-03-15-GrandSoft-EK-2nd-run-8A1A0A0.txt   (18,120 bytes)
  • 2018-03-15-GrandSoft-EK-all-4-runs-EK-payload-AZORult.exe   (712,704 bytes)
  • 2018-03-15-GrandSoft-EK-all-4-runs-landing-page.txt   (49,073 bytes)
WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and partial URL:
TRAFFIC


Shown above:  Infection traffic filtered in Wireshark (image 1 of 4).
Shown above:  Infection traffic filtered in Wireshark (image 2 of 4).
Shown above:  Infection traffic filtered in Wireshark (image 3 of 4).
Shown above:  Infection traffic filtered in Wireshark (image 4 of 4).
GATE LEADING TO GRANDSOFT EK:

GRANDSOFT EK:

POST-INFECTION TRAFFIC FROM AZORULT:
FILE HASHES

MALWARE PAYLOAD - AZORULT:
FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.