2016-02-23 - RIG EK DATA DUMP

PCAPS AND MALWARE:

• ZIP archive of all PCAPs:  2016-02-23-Rig-EK-data-dump-all-pcaps.zip  1.6 MB (1,562,028 bytes)
• ZIP archive of malware and artifacts:  2016-02-23-Rig-EK-data-dump-malware-and-artifacts.zip  1.4 MB (1,385,687 bytes)

 

NOTES:

• I've documented this activity in two diaries at the Internet Storm Center (ISC).  These two diaries should explain the traffic below (how the gate is used by this particular actor).

• https://isc.sans.edu/forums/diary/Actor+using+Rig+EK+to+deliver+Qbot/20513/
• https://isc.sans.edu/forums/diary/Actor+using+Rig+EK+to+deliver+Qbot+update/20551/

 

DETAILS

DATE/TIME: 2016-02-23 15:56 UTC

• www.theprojectgirl.com - Compromised website
• www.theprojectgirl.com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3   [ .js file with malicious script ]
• 198.2.206.238 port 80 - xb.mylifeisnerdy.com - GET /cozbviewforummejvz.php   [ gate URL ]
• 188.227.18.157 port 80 - rg.tampahousefinancing.com - Rig EK

DATE/TIME: 2016-02-23 18:19 UTC

• www.planetside.co.uk - Compromised website
• www.planetside.co.uk - GET /media/system/js/mootools-core.js   [ .js file with malicious script ]
• 198.2.206.238 port 80 - xb.mylifeisnerdy.com - GET /oxviewforumzkv.php   [ gate URL ]
• 188.227.18.157 port 80 - ef.glocktracker.net - Rig EK

DATE/TIME: 2016-02-23 18:41 UTC

• www.cyclocamping.com - Compromised website
• www.cyclocamping.com - GET /js/jquery.min.js   [ .js file with malicious script ]
• 198.2.206.238 port 80 - xb.mylifeisnerdy.com - GET /vjiviewforumyrjy.php   [ gate URL ]
• 188.227.18.157 port 80 - jy.glocktracker.org - Rig EK

DATE/TIME: 2016-02-23 19:01 UTC

• www.pavtube.com - Compromised website
• www.pavtube.com - GET /public/temp/js/jquery.js   [ .js file with malicious script ]
• 198.2.206.238 port 80 - xb.mylifeisnerdy.com - GET /ulmcviewforumqz.php   [ gate URL ]
• 188.227.18.157 port 80 - jy.glocktracker.org - Rig EK

DATE/TIME: 2016-02-23 19:53 UTC

• www.ancientbathsny.com - Compromised website
• www.ancientbathsny.com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3   [ .js file with malicious script ]
• 198.2.206.238 port 80 - xb.mylifeisnerdy.com - GET /mjixviewforumeamm.php   [ gate URL ]
• 188.227.18.157 port 80 - df.glocktracker.us - Rig EK

$ md5sum *.exe

• 7fa1700cee2769afbe427ec8cb233cbf   2016-02-23-Rig-EK-malware-payload-after-ancientbathsny.com.exe
• 2914443bb7808be89d717ba28378c853   2016-02-23-Rig-EK-payload-after-cyclocamping.com.exe
• 61f47a8a2e46e851b01743591e29d8cb   2016-02-23-Rig-EK-payload-after-pavtube.com.exe
• c4077ff57fb9256562ffe3b8378a213a   2016-02-23-Rig-EK-payload-after-planetside.co.uk.exe
• ca0e148da4af25a1d5c1f055ec664725   2016-02-23-Rig-EK-payload-after-theprojectgirl.com.exe

$ md5sum *.swf

• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-ancientbathsny.com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-cyclocamping.com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-pavtube.com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-planetside.co.uk.swf
• dac4eae4fda6693fa56d2a6126ff02df   2016-02-23-Rig-EK-flash-exploit-after-theprojectgirl.com.swf

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of all PCAPs:  2016-02-23-Rig-EK-data-dump-all-pcaps.zip  1.6 MB (1,562,028 bytes)
• ZIP archive of malware and artifacts:  2016-02-23-Rig-EK-data-dump-malware-and-artifacts.zip  1.4 MB (1,385,687 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.