2016-06-01 - RIG EK FROM 46.30.46.6 SENDS TOFSEE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-06-01-Rig-EK-sends-Tofsee.pcap.zip 629.7 kB (629,723 bytes)
- 2016-06-01-Rig-EK-sends-Tofsee.pcap (1,449,812 bytes)
- ZIP archive of the malware and artifacts: 2016-06-01-Rig-EK-sends-Tofsee-malware-and-artifacts.zip 573.2 kB (573,239 bytes)
- 2016-06-01-Rig-EK-flash-exploit.swf (37,819 bytes)
- 2016-06-01-Rig-EK-landing-page.txt (4,982 bytes)
- 2016-06-01-Rig-EK-payload-Tofsee.exe (241,664 bytes)
- 2016-06-01-lluuitgg.exe (42,704,896 bytes) [Found on the infected host at: C:\Users\username\lluuitgg.exe]
NOTES:
- Same type of infection seen on 2016-04-21, with the same compromised website and same gate domain (link).
TRAFFIC
Shown above: Pcap of the traffic filtered in Wireshark.
GATE AND RIG EK:
- 68.171.129.152 port 80 - tobiasdesigns.com - GET /ckjvgphz.php?id=8426419 [gate/redirect]
- 46.30.46.6 port 80 - ds.barrycommunitychoir.co.uk - Rig EK
TOFSEE POST-INFECTION TRAFFIC:
- 111.121.193.242 port 443
OTHER TCP CONNECTIONS OR ATTEMPTED CONNECTIONS FROM THE INFECTED HOST:
- 23.96.52.53 port 80
- 27.76.200.236 port 1480
- 78.96.223.247 port 3039
- 86.101.172.244 port 2639
- 88.247.23.60 port 6859
- 94.111.35.133 port 1103
- 103.62.255.92 port 8575
- 104.40.211.35 port 80
- 112.201.214.21 port 7371
- 115.73.16.161 port 9980
- 120.63.221.199 port 1061
- 122.160.166.241 port 3205
- 122.163.24.91 port 3879
- 122.163.193.181 port 4146
- 123.28.166.92 port 6576
- 176.113.145.235 port 2358
- 180.183.195.29 port 5674
- 184.173.167.98 port 80
- 202.91.73.186 port 9393
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-06-01-Rig-EK-sends-Tofsee.pcap.zip 629.7 kB (629,723 bytes)
- ZIP archive of the malware and artifacts: 2016-06-01-Rig-EK-sends-Tofsee-malware-and-artifacts.zip 573.2 kB (573,239 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.