2016-04-21 - RIG EK FROM 5.200.35.189 SENDS TOFSEE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-04-21-Rig-EK-sends-Tofsee.pcap.zip 181.2 kB (181,240 bytes)
- ZIP archive of the malware and artifacts: 2016-04-21-Rig-EK-malware-and-artifacts.zip 593.5 kB (593,453 bytes)
- 2016-04-21-Rig-EK-flash-exploit.swf (13,887 bytes)
- 2016-04-21-Rig-EK-landing-page.txt (4,736 bytes)
- 2016-04-21-Rig-EK-malware-pyaload-Tofsee.exe (208,896 bytes)
- 2016-04-21-iframe-returned-from-tobiasdesigns.com-pointing-to-Rig-EK.txt (332 bytes)
- 2016-04-21-page-from-doc-italia.com-with-injected-script.txt (5,972 bytes)
- ppyymxkk.exe (41,291,776 bytes) -- Dropped at C:\Users\[username]\ppyymxkk.exe
Shown above: A flow chart depicting this infection's chain of events.
NOTES:
- Post-infection traffic matches what I've seen before with Tofsee.
- The filter I used in the pcap image below was: http.request or (frame.number > 64 and (dns or tcp.flags eq 0x0002))
- Something like that Wireshark filter is a quick way to check for post-infection TCP connections after the EK traffic.
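The Wireshark filter above is easy to reproduce in code when triaging many pcaps at once. The script below is an added example, not part of this post: it applies the same logic (HTTP requests, plus DNS or SYN-only TCP after the last EK frame) to a constructed set of packet records and summarizes the new outbound connections, including how many distinct mail servers were contacted on TCP/25. The victim address (192.168.1.100), the local resolver, the mail-server IPs (198.51.100.x, a documentation range) and the frame numbers are all constructed; the other destination IPs and ports are the ones listed in this post.

```python
"""Replay the Wireshark display filter
    http.request or (frame.number > 64 and (dns or tcp.flags eq 0x0002))
over packet summary records, to pull out post-infection connections after EK traffic.
Added example for this write-up; packet records are constructed, not parsed from the pcap."""
from dataclasses import dataclass
from typing import List, Tuple

SYN_ONLY = 0x0002  # tcp.flags eq 0x0002: a new connection attempt, not an established flow


@dataclass
class Packet:
    frame: int        # frame.number
    proto: str        # "http", "dns" or "tcp" (highest protocol Wireshark would show)
    src: str
    dst: str
    dport: int
    tcp_flags: int = 0
    info: str = ""    # Wireshark "Info" column; used to spot HTTP requests


def matches_filter(p: Packet, last_ek_frame: int = 64) -> bool:
    """Python equivalent of the display filter; last_ek_frame is the cutoff after the EK traffic."""
    # http.request: request packets only (responses are not interesting for the C2 check)
    if p.proto == "http" and p.info.startswith(("GET ", "POST ")):
        return True
    if p.frame > last_ek_frame:
        return p.proto == "dns" or (p.proto == "tcp" and p.tcp_flags == SYN_ONLY)
    return False


def filtered_frames(packets: List[Packet], last_ek_frame: int = 64) -> List[int]:
    """Frame numbers that would survive the filter, in capture order."""
    return [p.frame for p in packets if matches_filter(p, last_ek_frame)]


def post_infection_connections(packets: List[Packet], last_ek_frame: int = 64) -> List[Tuple[str, int]]:
    """Unique (dst, port) pairs for SYNs sent after the EK traffic; retransmitted SYNs collapse to one."""
    seen = {(p.dst, p.dport) for p in packets
            if matches_filter(p, last_ek_frame) and p.proto == "tcp"}
    return sorted(seen)


def smtp_server_count(packets: List[Packet], last_ek_frame: int = 64) -> int:
    """Distinct mail servers contacted on TCP/25: the spam pattern this post associates with Tofsee."""
    return len({dst for dst, port in post_infection_connections(packets, last_ek_frame) if port == 25})


VICTIM = "192.168.1.100"   # constructed
RESOLVER = "192.168.1.1"   # constructed

# Constructed packet summaries modelled on the chain of events in this post.
SAMPLE = [
    Packet(10, "tcp", VICTIM, "68.171.129.152", 80, SYN_ONLY),                       # gate SYN, before cutoff
    Packet(11, "http", VICTIM, "68.171.129.152", 80, 0x0018, "GET / HTTP/1.1"),       # gate/redirect
    Packet(30, "http", VICTIM, "5.200.35.189", 80, 0x0018, "GET (Rig EK landing page)"),
    Packet(40, "http", VICTIM, "5.200.35.189", 80, 0x0018, "GET (Flash exploit)"),
    Packet(60, "http", VICTIM, "5.200.35.189", 80, 0x0018, "GET (payload)"),
    Packet(70, "dns", VICTIM, RESOLVER, 53, 0, "Standard query A"),
    Packet(71, "tcp", VICTIM, "111.121.193.242", 443, SYN_ONLY),
    Packet(72, "tcp", VICTIM, "111.121.193.242", 443, 0x0018),                       # data packet, not a SYN
    Packet(80, "tcp", VICTIM, "171.6.91.73", 7249, SYN_ONLY),
    Packet(85, "tcp", VICTIM, "104.40.211.35", 80, SYN_ONLY),
    Packet(90, "tcp", VICTIM, "198.51.100.10", 25, SYN_ONLY),                        # SMTP attempt (constructed IP)
    Packet(91, "tcp", VICTIM, "198.51.100.10", 25, SYN_ONLY),                        # SYN retransmission
    Packet(92, "tcp", VICTIM, "198.51.100.20", 25, SYN_ONLY),                        # SMTP attempt (constructed IP)
]

if __name__ == "__main__":
    print("frames kept by filter:", filtered_frames(SAMPLE))
    for dst, port in post_infection_connections(SAMPLE):
        print(f"post-infection SYN -> {dst}:{port}")
    print("distinct SMTP servers contacted:", smtp_server_count(SAMPLE))
```

The cutoff frame (64 here) is capture-specific; set it to the last frame of the payload download in the pcap being reviewed, since a cutoff that is too early simply re-admits the EK's own SYNs. On a real capture the same `Packet` records can be produced from `tshark -T fields` output, with the same functions applied unchanged.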
TRAFFIC
Shown above: Pcap of the traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 68.171.129.152 port 80 - tobiasdesigns.com - Gate/redirect
- 5.200.35.189 port 80 - fe.skiresortco.com - Rig EK
- 111.121.193.242 port 443 - encrypted post-infection traffic caused by Tofsee malware
- 171.6.91.73 port 7249 - encrypted post-infection traffic caused by Tofsee malware
- 104.40.211.35 port 80 - Post-infection traffic caused by Tofsee malware (no content)
- Attempted SMTP to various mail server IP addresses over TCP port 25 - Post-infection traffic caused by Tofsee
IMAGES
Shown above: The Rig EK payload (Tofsee).
Shown above: The 41+ MB file dropped by Tofsee (the malware copied itself and added a lot of padding) with one of the registry entries for persistence.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-04-21-Rig-EK-sends-Tofsee.pcap.zip 181.2 kB (181,240 bytes)
- ZIP archive of the malware and artifacts: 2016-04-21-Rig-EK-malware-and-artifacts.zip 593.5 kB (593,453 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.