2016-03-14 - RIG EK FROM 188.227.72.46
PCAP AND MALWARE:
- ZIP archive of all 3 pcaps: 2016-03-14-Rig-EK-all-3-pcaps.zip 551.1 kB (551,096 bytes)
- ZIP archive of the malware and artifacts: 2016-03-14-Rig-EK-malware-and-artifacts.zip 261.4 kB (261,417 bytes)
NOTES:
- Wasn't able to get a full infection chain in the first two pcaps, and the go0ogleee.com gate URL wasn't pointing to Rig EK later in the day.
- Traffic from the last pcap (kicked off by pavtube.com) is explained in two diaries at the Internet Storm Center (ISC):
TRAFFIC
2016-03-14 14:07 UTC:
- dtransrentcar.com - Compromised website
- 191.101.21.122 port 80 - www.go0ogleee.com - GET /index.php?promo=imesh [gate redirecting to Rig EK]
- 188.227.72.46 port 80 - th.debatestage.in - Rig EK
2016-03-14 17:40 UTC:
- oysterplus.net - Compromised website
- 103.7.43.41 port 80 - thucphamchucnang69.com - GET /wp-content/uploads/2015/05/logo-final-69.jp [first gate redirecting to second gate]
- 191.101.21.122 port 80 - www.go0ogleee.com - GET /index.php?promo=imesh [second gate redirecting to Rig EK]
- 188.227.72.46 port 80 - de.ediabetesremedy.com - Rig EK
2016-03-14 21:35 UTC:
- www.pavtube.com - GET /public/temp/js/jquery.js [malicious script that calls for variable from gate]
- 198.2.206.238 port 80 - xm.psychskins.com - GET /ncvutviewforumbpx.php [gate returning the variable]
- 188.227.72.46 port 80 - ef.entn.in - Rig EK
IMAGES
Shown above: Pcaps of this blog entry's traffic filtered in Wireshark.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of all 3 pcaps: 2016-03-14-Rig-EK-all-3-pcaps.zip 551.1 kB (551,096 bytes)
- ZIP archive of the malware and artifacts: 2016-03-14-Rig-EK-malware-and-artifacts.zip 261.4 kB (261,417 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.