Malware-Traffic-Analysis.net - 2016-06-02 - EK data dump (Angler EK, KaiXin EK, Rig EK)

2016-06-02 - EK DATA DUMP (ANGLER EK, KAIXIN EK, RIG EK)

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-06-02-EK-dump-all-pcaps.zip 2.7 MB (2,737,527 bytes)

2016-06-02-KaiXin-EK-from-98.126.83.188-port-82.pcap (169,581 bytes)

2016-06-02-KaiXin-EK-from-cbat.or.kr.pcap (113,097 bytes)

2016-06-02-Rig-EK-after-doc-italia.com.pcap (325,318 bytes)

2016-06-02-Rig-EK-after-pavtube.com.pcap (482,411 bytes)

2016-06-02-other-Angler-EK-after-woogerworks.com.pcap (1,093,571 bytes)

2016-06-02-pseudoDarkleech-Angler-EK-after-mfgsci.com.pcap (1,175,862 bytes)

ZIP archive of the malware and artifacts: 2016-06-02-EK-data-dump-malware-and-artifacts.zip 986.3 kB (986,261 bytes)

2016-06-02-98.126.83.188-port-82-ZnUaLm.html.txt (16,122 bytes)

2016-06-02-98.126.83.188-port-82-index.html.txt (15,663 bytes)

2016-06-02-98.126.83.188-port-82-jquery.js.txt (15,728 bytes)

2016-06-02-98.126.83.188-port-82-logo.swf (30,337 bytes)

2016-06-02-98.126.83.188-port-82-swfobject.js.txt (12,624 bytes)

2016-06-02-98.126.83.189-port-82-smss.exe (56,064 bytes)

2016-06-02-Angler-EK-flash-exploit.swf (40,784 bytes)

2016-06-02-Rig-EK-flash-exploit.swf (378,17 bytes)

2016-06-02-Rig-EK-landing-page-after-doc-italia.com.txt (4,910 bytes)

2016-06-02-Rig-EK-landing-page-after-pavtube.com.txt (4,906 bytes)

2016-06-02-Rig-EK-payload-after-doc-italia.com.exe (249,856 bytes)

2016-06-02-Rig-EK-payload-after-pavtube.com.exe (339,968 bytes)

2016-06-02-a.topgunn.photography-pnhviewforumrembo.php.txt (944 bytes)

2016-06-02-cbat.or.kr-MzVuOo.html.txt (16,104 bytes)

2016-06-02-cbat.or.kr-SmSnRq.html.txt (10,183 bytes)

2016-06-02-cbat.or.kr-index.html.txt (9,507 bytes)

2016-06-02-cbat.or.kr-jquery.js.txt (15,728 bytes)

2016-06-02-cbat.or.kr-logo.swf (30,349 bytes)

2016-06-02-cbat.or.kr-swfobject.js.txt (12,624 bytes)

2016-06-02-other-Angler-EK-payload-CryptXXX-after-woogerworks.com.dll (155,648 bytes)

2016-06-02-other-Angler-EK-payload-CryptXXX-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-02-other-Angler-EK-payload-CryptXXX-decrypt-instructions.html (14,190 bytes)

2016-06-02-other-Angler-EK-payload-CryptXXX-decrypt-instructions.txt (1,755 bytes)

2016-06-02-page-from-mfgsci.com-with-injected-pseudoDarkleech-script.txt (50,490 bytes)

2016-06-02-pseduoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.bmp (3,686,454 bytes)

2016-06-02-pseduoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.html (14,190 bytes)

2016-06-02-pseduoDarkleech-Angler-EK-CryptXXX-decrypt-instructions.txt (1,755 bytes)

2016-06-02-pseudoDarkleech-Angler-EK-landing-page-after-mfgsci.com.txt (7,1657 bytes)

2016-06-02-pseudoDarkleech-Angler-EK-payload-CryptXXX-after-mfgsci.com.dll (286,720 bytes)

TRAFFIC

ASSOCIATED DOMAINS:

98.126.83.188 port 82 - 98.126.83.188:82 - KaiXin EK
98.126.83.189 port 82 - 98.126.83.189:82 - GET /smss.exe - KaiXin EK payload
114.207.113.229 port 80 - cbat.or.kr - KaiXin EK
220.95.232.236 port 80 - www.ikpma.org - GET /apps/setup.exe - KaiXin EK payload (nothing returned)

212.231.130.9 port 80 - positivessl.online - GET /script/jquery.min.js - possible gate to Angler EK (I think)
162.252.83.62 port 80 - strachubedabbling.thompsons-online.co.uk - Angler EK
162.252.83.76 port 80 - blinkigheid.shropshirebroadband.co.uk - Angler EK
85.25.194.116 port 443 - CryptXXX callback traffic

68.171.129.152 port 80 - tobiasdesigns.com - GET /ckjvgphz.php?id=8426415 - gate pointing to Rig EK
67.215.187.94 port 80 - a.topgunn.photography - Gate/redirect data pointing to Rig EK
46.30.46.6 port 80 - vb.indulgenewbury.com - Rig EK

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-06-02-EK-dump-all-pcaps.zip 2.7 MB (2,737,527 bytes)
ZIP archive of the malware and artifacts: 2016-06-02-EK-data-dump-malware-and-artifacts.zip 986.3 kB (986,261 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.