2015-11-16 - MALICIOUS SCRIPT WITH BACKWARD URL LEADS TO RIG EK

ASSOCIATED FILES:

• ZIP archive of the PCAPs:  2015-11-16-Rig-EK-traffic.zip   2.1 MB (2,140,744 bytes)
• ZIP archive of the malware:  2015-11-16-Rig-EK-malware-and-artifacts.zip   150.6 kB (150,615 bytes)

 

NOTES:

• First time I remember seeing backwards URLs being used in javascript from the comrpomised website (and redirect).  See the images section below for details.

 

Shown above:  Can't get to the compromised website from a Google search.

 

TRAFFIC

ASSOCIATED DOMAINS:

• 206.183.111.148 port 80 - www.hypercityindia.com - Compromised website
• 104.20.64.56 port 80 - pastebin.com - GET /raw.php?i=9tWPBSzY - First gate/redirect
• 216.70.115.177 port 80 - lachinampa.com.mx - Second gate/redirect
• 46.30.43.157 port 80 - admin.boatersresources.biz - Rig EK (first run)
• 46.30.43.173 port 80 - huge.boatersresources.co - Rig EK (second run)
• 62.76.42.21 port 80 - alohajotracks.com - Post-infection callback by the malware

 

TRAFFIC FROM THE FIRST RUN:

• 2015-11-16 15:38:31 UTC - www.hypercityindia.com - GET /
• 2015-11-16 15:38:37 UTC - pastebin.com - GET /raw.php?i=9tWPBSzY
• 2015-11-16 15:38:37 UTC - lachinampa.com.mx - GET /stat
• 2015-11-16 15:38:37 UTC - lachinampa.com.mx - GET /stat/

• 2015-11-16 15:38:39 UTC - admin.boatersresources.biz - GET /?xHiNdbSdLxzPAoI=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZGRHLI-2FigmrEWc8ojlEKLv2EByO1LA1IQsgMVmqzKBKqE

• 2015-11-16 15:38:40 UTC - admin.boatersresources.biz - GET /index.php?xHiNdbSdLxzPAoI=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZGRHLI-2FigmrEWc8ojlEKLv2EByO1LA1IQsgMVmqz
  KBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_P91lZ4mmA

• 2015-11-16 15:38:41 UTC - admin.boatersresources.biz - GET /index.php?xHiNdbSdLxzPAoI=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7ZGRHLI-2FigmrEWc8ojlEKLv2EByO1LA1IQsgMVmqz
  KBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_PVyn5YmmA

• 2015-11-16 15:38:46 UTC - alohajotracks.com - POST / HTTP/1.0
• 2015-11-16 15:39:59 UTC - alohajotracks.com - POST / HTTP/1.0
• 2015-11-16 15:40:01 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:40:04 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:41:00 UTC - alohajotracks.com - POST / HTTP/1.0
• 2015-11-16 15:45:07 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:10 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:13 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:17 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:20 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:22 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:45:40 UTC - alohajotracks.com - POST /html/ HTTP/1.0

 

TRAFFIC FROM THE SECOND RUN:

• 2015-11-16 15:56:23 UTC - www.hypercityindia.com - GET /
• 2015-11-16 15:56:32 UTC - pastebin.com - GET /raw.php?i=9tWPBSzY
• 2015-11-16 15:56:32 UTC - lachinampa.com.mx - GET /stat
• 2015-11-16 15:56:32 UTC - lachinampa.com.mx - GET /stat/

• 2015-11-16 15:56:33 UTC - huge.boatersresources.co - GET /?w36KfrmUJRnNDoE=l3SKfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVFLJu0FXwx-JBJJh2xRSBvWVZxbkcUAwY6QIXzqfNBKqE

• 2015-11-16 15:56:34 UTC - huge.boatersresources.co - GET /index.php?w36KfrmUJRnNDoE=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVFLJu0FXwx-JBJJh2xRSBvWVZxbkcUAwY6QIXzq
  fNBKqKp0N6RgBnEB_CbJQlqw-BF3H6PXl5gv2pHn4oieWX_P51mJImmA

• 2015-11-16 15:56:40 UTC - huge.boatersresources.co - GET /index.php?w36KfrmUJRnNDoE=l3SMfPrfJxzFGMSUb-nJDa9BMEXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFSOzQfZPVQlyZAdChoB_Oqki0vHjUnH1cmQ9laHYghP7caVFLJu0FXwx-JBJJh2xRSBvWVZxbkcUAwY6QIXzqf
  NBKqKp0N6RgBnEB_CbJQlqw-fECT6PXl5gv2pHn4oieWX_P5xl9o&dop=1

• 2015-11-16 15:56:53 UTC - alohajotracks.com - POST / HTTP/1.0
• 2015-11-16 15:56:56 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:00 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:03 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:16 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:21 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:23 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:28 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:32 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:33 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:35 UTC - alohajotracks.com - POST /html/ HTTP/1.0
• 2015-11-16 15:57:56 UTC - alohajotracks.com - POST / HTTP/1.0

 

PRELIMINARY MALWARE ANALYSIS

RIG EK FLASH EXPLOIT:

File name:  2015-11-16-Rig-EK-flash-exploit.swf
File size:  13.3 KB ( 13,650 bytes )
MD5 hash:  bf43345f0b9fac7ea00d0b0a26655323
SHA1 hash:  63ad8c9823bcb005dbe851496b88c7bf221342ae
SHA256 hash:  3bba44af66ae77f18eb6108eb76b8fc3f898470d59886d9dbdecf8a74d207274
Detection ratio:  5 / 54
First submission:  2015-11-16 18:24:28 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3bba44af66ae77f18eb6108eb76b8fc3f898470d59886d9dbdecf8a74d207274/analysis/

 

RIG EK MALWARE PAYLOAD:

File name:  2015-11-16-Rig-EK-malware-payload.exe
File size:  192.0 KB ( 196,608 bytes )
MD5 hash:  28b07c5d425386a55945eb354cc41354
SHA1 hash:  1a4e5cfc5c1893aeb0c666afb3ad56849fde9a5d
SHA256 hash:  21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb
Detection ratio:  5 / 54
First submission:  2015-11-16 17:56:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb/analysis/
Malwr.com link:  https://malwr.com/analysis/MGNhY2JkMDNiYzM1NDM3ZTlhYzFkYzgxMTJjZmRjMWE/
Hybrid-Analysis link:  https://www.hybrid-analysis.com/sample/21a7e9d475edf3f115af8aa7ef2367534e810267c5b376b2636a758da66434bb?environmentId=1

 

REGISTRY KEY UPDATES FROM THE MALWARE FOR PERSISTENCE AFTER THE FIRST RUN:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• Value name:  WindowsPhotoViewersync
• Value type:  REG_SZ
• Value data:  C:\ProgramData\Windows Photo Viewer\WindowsPhotoViewersync.exe

 

REGISTRY KEY UPDATES FROM THE SAME MALWARE FOR PERSISTENCE AFTER THE SECOND RUN:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_USERS\S-1-5-21-970660591-2671040492-1938035795-1000\Software\Microsoft\Windows\CurrentVersion\Run

• Value name:  MSBuildtray
• Value type:  REG_SZ
• Value data:  C:\Users\[username]\AppData\Roaming\MSBuild\MSBuildtray.exe

 

IMAGES

Shown above:  Traffic filtered in Wireshark from the first run.

 

Shown above:  Traffic filtered in Wireshark from the second run.

 

Shown above:  Injected script in page from compromised website.

 

Shown above:  Script returned from Pastebin URL pointing to next redirect.

 

Shown above:  Script returned from lachinampa.com.mx pointing to the Rig EK landing page.

 

Shown above:  Registry key update by the malware from the first run.

 

Shown above:  Registry key update by the same malware from the second run.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the PCAPs:  2015-11-16-Rig-EK-traffic.zip   2.1 MB (2,140,744 bytes)
• ZIP archive of the malware:  2015-11-16-Rig-EK-malware-and-artifacts.zip   150.6 kB (150,615 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.