2018-10-12 - HOOKADS CAMPAIGN FALLOUT EK (3 EXAMPLES)

ASSOCIATED FILES:

  • 2018-10-12-1st-run-Hookads-campaign-Fallout-EK-sends-Minotaur-ransomware.pcap   (71,422 bytes)
  • 2018-10-12-2nd-run-Hookads-campaign-Fallout-EK-sends-AZORult-and-follow-up-malware.pcap   (5,522,466 bytes)
  • 2018-10-12-3rd-run-Hookads-campaign-Fallout-EK-sends-AZORult-and-follow-up-malware.pcap   (5,913,663 bytes)
  • 2018-10-12-1st-run-Fallout-EK-landing-page.txt   (52,667 bytes)
  • 2018-10-12-1st-run-Hookads-campaign-payload-Minotaur-ransomware.exe   (11,776 bytes)
  • 2018-10-12-1st-run-Minotaur-ransomware-How_To_Decrypt_Files.txt   (1,290 bytes)
  • 2018-10-12-2nd-run-Fallout-EK-landing-page.txt   (576,24 bytes)
  • 2018-10-12-2nd-run-Hookads-campaign-payload-AZORult.exe   (319,488 bytes)
  • 2018-10-12-2nd-run-follow-up-malware-caused-by-AZORult.exe   (421,888 bytes)
  • 2018-10-12-2nd-run-scheduled-task-for-follow-up-malware-Test_Task17.xml.txt   (1,547 bytes)
  • 2018-10-12-example-of-traffic-to-removekingonline.pro.txt   (6,220 bytes)

 

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

 

TRAFFIC


Shown above:  Traffic during the first run filtered in Wireshark, where Fallout EK sent Minotaur ransomware.

 


Shown above:  Traffic during the third run filtered in Wireshark, where Fallout EK sent AZORult and follow-up malware.

 


Shown above:  Post-infection TCP traffic from the follow-up malware to names34[.]top (1 of 2).

 


Shown above:  Post-infection TCP traffic from the follow-up malware to names34[.]top (2 of 2).

 

FIRST RUN (MINOTAUR RANSOMWARE):

SECOND AND THIRD RUNS (AZORULT -> FOLLOW-UP MALWARE):

 

MALWARE

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Encrypted files on a USB stick from the Minotaur ransomware infection.  And that email address for the ransom...  minotaur@420blaze.it   Cute.

 


Shown above:  Follow-up malware made persistent on the infected Windows host from the 3rd run (same malware seen during the 2nd run).

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.