2015-11-17 - RIG EK FROM 46.30.46.146 - WEF.GRASSROOTERS.ORG
ASSOCIATED FILES:
- ZIP archive of the PCAP: 2015-11-17-Rig-EK-traffic.pcap.zip 479.9 kB (479,893 bytes)
- ZIP archive of the malware: 2015-11-17-Rig-EK-malware-and-artifacts.zip 126.4 kB (126,392 bytes)
NOTES:
- The Hybrid-Analysis.com link for the malware payload (see below) has a pcap with some good post-infection traffic.
TRAFFIC
ASSOCIATED DOMAINS:
- 85.17.223.149 port 80 - www.maliccy-stomatologia.pl - Compromised website
- 5.101.152.7 port 80 - infomicf.bget.ru - Gate/redirect
- 46.30.46.146 port 80 - wef.grassrooters.org - Rig EK
Shown above: Traffic from the pcap, filtered in Wireshark.
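The three hosts listed above form the usual compromised site, gate, exploit kit chain. As an added example (not part of the original write-up), the script below matches constructed web-proxy log lines against exactly those indicators and reports which clients touched all three stages in order; the log format, the client addresses and the URL paths are assumptions made up for the example.

```python
"""Match proxy log lines against the Rig EK indicators listed on this page.

Added example, not from the original write-up. The log format
("<ISO timestamp> <client ip> <method> <url>") and the sample lines are
constructed for illustration.
"""
import re
from collections import defaultdict

# Indicators taken from the traffic summary on this page (domain and IP forms).
INDICATORS = {
    "www.maliccy-stomatologia.pl": "compromised website",
    "85.17.223.149": "compromised website",
    "infomicf.bget.ru": "gate/redirect",
    "5.101.152.7": "gate/redirect",
    "wef.grassrooters.org": "Rig EK",
    "46.30.46.146": "Rig EK",
}

# Expected order of the chain on an infected client.
STAGE_ORDER = ["compromised website", "gate/redirect", "Rig EK"]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")

# Constructed sample: one client follows the whole chain, another only
# visits the compromised site, a third line is unrelated traffic.
SAMPLE_LOG = """\
2015-11-17T16:29:51Z 192.168.122.115 GET http://www.maliccy-stomatologia.pl/
2015-11-17T16:29:52Z 192.168.122.115 GET http://www.maliccy-stomatologia.pl/placeholder.js
2015-11-17T16:29:53Z 192.168.122.115 GET http://infomicf.bget.ru/placeholder
2015-11-17T16:29:55Z 192.168.122.115 GET http://wef.grassrooters.org/placeholder
2015-11-17T16:30:02Z 192.168.122.115 GET http://www.example.com/ordinary/page
2015-11-17T16:31:10Z 192.168.122.130 GET http://www.maliccy-stomatologia.pl/
"""


def parse_line(line):
    """Return a dict with ts, client, host and url, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m["url"])
    if not h:
        return None
    return {"ts": m["ts"], "client": m["client"], "host": h.group(1).lower(), "url": m["url"]}


def find_hits(log_text):
    """Return every parsed log record whose host is one of the page's indicators, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in INDICATORS:
            rec["stage"] = INDICATORS[rec["host"]]
            hits.append(rec)
    return hits


def clients_with_full_chain(hits):
    """Return clients that hit all three stages, with first-seen times in chain order."""
    first_seen = defaultdict(dict)
    for rec in hits:  # hits are in log order, so setdefault keeps the first timestamp
        first_seen[rec["client"]].setdefault(rec["stage"], rec["ts"])
    result = []
    for client, stages in first_seen.items():
        if all(stage in stages for stage in STAGE_ORDER):
            times = [stages[stage] for stage in STAGE_ORDER]
            if times == sorted(times):  # ISO-8601 UTC strings sort chronologically
                result.append(client)
    return sorted(result)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["client"]} {rec["stage"]}: {rec["url"]}')
    print("full chain:", clients_with_full_chain(hits))
```

A single hit on the compromised site (the second client) is worth a look but is not evidence of exploitation; the full ordered chain is the stronger signal to triage first.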
PRELIMINARY MALWARE ANALYSIS
RIG EK FLASH EXPLOIT:
File name: 2015-11-17-Rig-EK-flash-exploit.swf
File size: 13.4 KB (13,680 bytes)
MD5 hash: 37f9eb4df303f750d4f8ed12a22e093e
SHA1 hash: a1528ce6e0fa6121e85dbad5f829b49e656590fc
SHA256 hash: 97c996775fa5615b51979e489999fcc1d6b492daab924903cf41a12238cf92fd
Detection ratio: 5 / 54
First submission: 2015-11-17 16:30:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/97c996775fa5615b51979e489999fcc1d6b492daab924903cf41a12238cf92fd/analysis/
RIG EK MALWARE PAYLOAD:
File name: 2015-11-17-Rig-EK-malware-payload.exe
File size: 212.0 KB (217,088 bytes)
MD5 hash: db78c999654f750e7b56ab79bd452dc7
SHA1 hash: 1b2d67a4891095040e9b8847ae8e467ec100219b
SHA256 hash: 89be60867344f57faf8f46d19ef8e0bb8adc0508b4696fab7a66899257d71a5b
Detection ratio: 2 / 54
First submission: 2015-11-17 16:30:40 UTC
VirusTotal link: https://www.virustotal.com/en/file/89be60867344f57faf8f46d19ef8e0bb8adc0508b4696fab7a66899257d71a5b/analysis/
Malwr.com link: https://malwr.com/analysis/OGI2MzIyYjE5NGJiNDI5Mjk3OWI5MWJhNmU1ZGE5MWY/
Hybrid-Analysis link: https://www.hybrid-analysis.com/sample/89be60867344f57faf8f46d19ef8e0bb8adc0508b4696fab7a66899257d71a5b?environmentId=4
IMAGES
Shown above: Malicious script injected into .js file from compromised website.
Shown above: Response from the redirect/gate pointing to a Rig EK landing page.
Shown above: Malware found on the infected host (a 35 MB file).
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the PCAP: 2015-11-17-Rig-EK-traffic.pcap.zip 479.9 kB (479,893 bytes)
- ZIP archive of the malware: 2015-11-17-Rig-EK-malware-and-artifacts.zip 126.4 kB (126,392 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.