2018-04-06 - I WENT AFTER RIG EK LIKE IT WAS A SNAKE ON WHACKING DAY

ASSOCIATED FILES:

  • 2018-04-06-Rig-EK-traffic-1st-run.pcap   403 kB (403,019 bytes)
  • 2018-04-06-Rig-EK-traffic-2nd-run.pcap   286 kB (285,834 bytes)
  • Zip archive of the malware & artifacts:  2018-04-06-Rig-EK-malware-and-artifacts.zip   326 kB (325,845 bytes)
    • 2018-04-06-Rig-EK-flash-exploit-both-runs.swf   16 kB (15,998 bytes)
    • 2018-04-06-Rig-EK-landing-page-1st-run.txt   96 kB (95,872 bytes)
    • 2018-04-06-Rig-EK-landing-page-2nd-run.txt   96 kB (95,933 bytes)
    • 2018-04-06-Rig-EK-payload-1st-run.exe   279 kB (279,040 bytes)
    • 2018-04-06-Rig-EK-payload-2nd-run.exe   163 kB (162,816 bytes)
    • eunlock.dll   15 kB (14,848 bytes)

NOTES:

Shown above:  Quote from Homer, "Lisa, maybe if I'm part of that mob, I can help
steer it in wise directions.  Now, where's my giant foam cowboy hat and airhorn?"

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

TRAFFIC WHEN I LATER ANALYZED ONE OF THE PAYLOAD BINARIES (BUNITU):

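The Wireshark screenshot referenced above did not survive on this page.  As an added example (not part of the original post, and not the author's tooling), here is a small pure-Python extractor that does what the usual "http.request" display filter shows: it walks a classic pcap and lists, for every HTTP request, the timestamp, source and destination socket, Host header and URI.  Everything in the sample is constructed inline with RFC 5737 documentation addresses and ".invalid" hostnames; none of it comes from the captures listed above, and the function and variable names are my own.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n")


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser, not for a NIC)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes], first_ts: int = 1523000000) -> bytes:
    """Minimal little-endian pcap file wrapping the given Ethernet frames, one second apart."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp, frame) for each record; handles both byte orders of the classic format."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(order + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def http_requests(pcap: bytes) -> List[Dict[str, object]]:
    """Rough equivalent of Wireshark's `http.request` filter: one row per HTTP request."""
    rows = []
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:                                   # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_total]   # bounded by IP length, drops padding
        m = REQUEST_LINE.match(payload)
        if not m:                                            # TLS, binary, or a continuation segment
            continue
        head = payload.split(b"\r\n\r\n", 1)[0]
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        rows.append({
            "ts": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            "method": m.group(1).decode(), "host": headers.get("host", ""),
            "uri": m.group(2).decode(),
        })
    return rows


# Constructed sample traffic (documentation addresses, .invalid hosts); not from the pcaps above.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.0.2.10", "198.51.100.20", 49152, 80,
                    b"GET /index.php?a=1 HTTP/1.1\r\nHost: landing.example.invalid\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n"),
    build_tcp_frame("192.0.2.10", "198.51.100.30", 49153, 443,
                    b"\x16\x03\x01\x00\x05hello"),            # TLS-looking bytes, must be skipped
    build_tcp_frame("192.0.2.10", "198.51.100.20", 49154, 80,
                    b"GET /payload.exe HTTP/1.1\r\nHost: landing.example.invalid\r\n\r\n"),
])

if __name__ == "__main__":
    for r in http_requests(SAMPLE_PCAP):
        print(f"{r['ts']} {r['src']} -> {r['dst']} {r['method']} {r['host']}{r['uri']}")
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of one of the pcaps listed above (classic pcap format; if Wireshark saved pcapng, export as pcap first).  The parser only looks at the first segment of each request, which is what the display filter shows as well; it does no TCP reassembly.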
FILE HASHES

RIG EK FLASH EXPLOIT:

1ST RUN RIG EK MALWARE PAYLOAD:

2ND RUN RIG EK MALWARE PAYLOAD:

ARTIFACT AFTER RUNNING ONE OF THE ABOVE BINARIES ON A WINDOWS HOST:

Shown above:  Bunitu made persistent on an infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.