2016-08-18 - EITEST RIG EK FROM 131.72.139.33 SENDS GOOTKIT

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-08-18-EITest-Rig-EK-sends-Gootkit.pcap.zip   231.9 kB (231,935 bytes)

• 2016-08-18-EITest-Rig-EK-sends-Gootkit.pcap   (308,583 bytes)

• ZIP archive of the malware:  2016-08-18-EITest-Rig-EK-malware-and-artifacts.zip   239.6 kB (239,626 bytes)

• 2016-08-18-EITest-Rig-EK-flash-exploit.swf   (48,400 bytes)
• 2016-08-18-EITest-Rig-EK-landing-page.txt   (5,064 bytes)
• 2016-08-18-EITest-Rig-EK-payload-Gootkit.exe   (104,960 bytes)
• 2016-08-18-EITest-flash-redirector-from-yfyke.xyz.swf   (4,977 bytes)
• 2016-08-18-page-from-touche-pas-a-mes-certificats-verts.be-with-injected-script.txt   (55,584 bytes)
• fqgvmr.dll   (98,304 bytes)

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-31 - Palo Alto Networks Unit 42 blog:  How the EITest Campaign's Path to Angler EK Evolved Over Time.
• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX  (campaigns using Angler EK switch to Neutrino EK)
• 2016-08-18 - SANS ISC diary:  1 compromised site - 2 campaigns  (EITest campaign switched to Rig EK)

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the compromised website.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

Shown above:  Post-infection SSL traffic over port 80 using a "MyCompany Ltd" certificate.

 

ASSOCIATED DOMAINS:

• www.touche-pas-a-mes-certificats-verts.be - Compromised website
• 85.93.0.12 port 80 - yfyke.xyz - EITest gate
• 131.72.139.33 port 80 - dmqxmz.lowashemterle.top - Rig EK
• 45.59.114.112 port 80 - nerdcommunity.top - Post-infection SSL traffic over port 80
• reballancefreestyle.win - DNS queries for this domain, but no data returned.

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  a2d70bfe2f4619fe355d5bc13e4bb6588321b578a534b57f6f75e7c63dee5e8e
  File name:  2016-08-18-EITest-flash-redirector-from-yfyke.xyz.swf

• SHA256 hash:  bde2ea0e5b3c6b8df9ddb71ec0bf39b31d657a60b15aaae88322ea8ac4d27725
  File name:  2016-08-18-EITest-Rig-EK-flash-exploit.swf

PAYLOAD:

• SHA256 hash:  26e0e8f419356f5a4e3623f3c71373d4d9114abb5358690dc0506db2addc070e
  File name:  2016-08-18-EITest-Rig-EK-payload-Gootkit.exe

DROPPED DLL FILE:

• SHA256 hash:  ee090178b96c823b1c8b87d0f530bc1fbcfc9720eb00d999919946c4b00eb3e3
  File name:  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\fqgvmr.dll

 

IMAGES

Shown above:  Post-infection alert highlighted from EmergingThreats alerts in Security Onion.

 

Shown above:  Dropped DLL malware stays persistent through a scheduled task.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-08-18-EITest-Rig-EK-sends-Gootkit.pcap.zip   231.9 kB (231,935 bytes)
• ZIP archive of the malware:  2016-08-18-EITest-Rig-EK-malware-and-artifacts.zip   239.6 kB (239,626 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.