Malware-Traffic-Analysis.net - 2016-03-31 - Rig EK from 188.227.74.171

2016-03-31 - RIG EK FROM 188.227.74.171

PCAP AND MALWARE:

ZIP archive of the pcap: 2016-03-31-Rig-EK-after-pavtube.com.pcap.zip 273.6 kB (273,553 bytes)
ZIP archive of the malware and artifacts: 2016-03-31-Rig-EK-malware-and-artifacts.zip 251.2 kB (251,214 bytes)

NOTES:

This is the same actor I've documented before using Rig EK to distribute Qbot ( link ).
Saw a Silverlight exploit in today's Rig EK traffic.
Rig EK using a Silverlight exploit was first spotted by @malcode, identified by @antonivanovm, and documented by @kafeine on 2016-03-29.

TRAFFIC

Shown above: Pcap for this blog entry's traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

67.215.187.94 port 80 - xc.rottencouchtomatoes.com - GET /cuqviewforummsmz.php - returned variable to generate Rig EK landing page URL
188.227.74.171 port 80 - fg.the-schoolbook.com - Rig EK

MALWARE AND ARTIFACTS

SHA256 hash: a3b67b732f75b137ddfb5392bcb235c21dffb687304c972c8064d6bc5fe7cbac
File name: 2016-03-31-Rig-EK-flash-exploit-after-pavtube.com.swf

SHA256 hash: 13410c3855c9cd4d3e54eb45ab4836ae8086aa03aa2f21257dd0fb9879b19dcb
File name: 2016-03-31-Rig-EK-landing-page-after-pavtube.com.txt

SHA256 hash: 7b19d411ff077a6053d3ad3edb155ab932f03932cafb4905154325168c75c221
File name: 2016-03-31-Rig-EK-payload-after-pavtube.com.exe

SHA256 hash: acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6b
File name: 2016-03-31-Rig-EK-silverlight-exploit-after-pavtube.com.xap (same hash as Kafeine already posted)

SHA256 hash: e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415
File name: binaryreader.dll (extracted DLL from Silverlight .xap archive, same hash as Kafeine already posted)

SHA256 hash: 8b5e3be0c9633269c18b98bbfae9e1401037196dbc9e33ab5499881e11d189bc
File name: 2016-03-31-pavtube.com-jquery.js.txt

SHA256 hash: 225f920a3c8e88dc2d09ed122626997d043c79f3f48ad11b4381e51f525b64a3
File name: 2016-03-31-xc.rottencouchtomatoes.com-cuqviewforummsmz.php.txt

IMAGES

Shown above: Start of injected script in .js file from compromised website.

Shown above: Rig EK sends Silverlight exploit.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcap: 2016-03-31-Rig-EK-after-pavtube.com.pcap.zip 273.6 kB (273,553 bytes)
ZIP archive of the malware and artifacts: 2016-03-31-Rig-EK-malware-and-artifacts.zip 251.2 kB (251,214 bytes)

The ZIP files are password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.