2018-03-15 - GRANDSOFT EK SENDS AZORULT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-15-GrandSoft-EK-sends-AZORult-four-pcaps.zip   2.9 MB (2,872,466 bytes)

• 2018-03-15-GrandSoft-EK-sends-AZORult-1st-run-traffic.pcap   (797,486 bytes)
• 2018-03-15-GrandSoft-EK-sends-AZORult-2nd-run-traffic.pcap   (796,263 bytes)
• 2018-03-15-GrandSoft-EK-sends-AZORult-3rd-run-traffic.pcap   (823,982 bytes)
• 2018-03-15-GrandSoft-EK-sends-AZORult-4th-run-traffic.pcap   (871,289 bytes)

• Zip archive of the associated malware and artifacts:  2018-03-15-GrandSoft-EK-and-AZORult-malware-and-artifacts.zip   429 kB (428,966 bytes)

• 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-10A0A0A0.txt   (18,153 bytes)
• 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-dwie.hta.txt   (6,492 bytes)
• 2018-03-15-GrandSoft-EK-2nd-run-8A1A0A0.txt   (18,120 bytes)
• 2018-03-15-GrandSoft-EK-all-4-runs-EK-payload-AZORult.exe   (712,704 bytes)
• 2018-03-15-GrandSoft-EK-all-4-runs-landing-page.txt   (49,073 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and partial URL:

• lookatmyhorse[.]cf
• infra.creationskvu[.]xyz
• asserts.miltondaza[.]xyz
• misinterpreting.ktmcmoderatorqzu[.]xyz
• bgmystorches.ktmcmoderatorqzu[.]xyz
• hxxp[:]//doueven[.]click/nonono/

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark (image 1 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 2 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 3 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 4 of 4).

 

GATE LEADING TO GRANDSOFT EK:

• 167.99.82[.]8 port 443 - lookatmyhorse[.]cf - GET /   [HTTPS, but can be tested using HTTP]

GRANDSOFT EK:

• 62.109.4[.]135 port 80 - infra.creationskvu[.]xyz
• 62.109.4[.]135 port 80 - asserts.miltondaza[.]xyz
• 62.109.4[.]135 port 80 - misinterpreting.ktmcmoderatorqzu[.]xyz
• 62.109.4[.]135 port 80 - bgmystorches.ktmcmoderatorqzu[.]xyz

POST-INFECTION TRAFFIC FROM AZORULT:

• 191.101.245[.]46 port 80 - doueven[.]click - POST /nonono/gegejokoew.php

 

FILE HASHES

MALWARE PAYLOAD - AZORULT:

• SHA256 hash:  ee305a8295212f8a8f7eda9590a1f498ef3ec064a8bcd4bbc4df9383ea5b4b37
  File size:  712,704 bytes
  File description:  GrandSoft EK payload: AZORult

 

Click here to return to the main page.