2016-08-26 - RIG EK FROM 178.32.92.0/24
ASSOCIATED FILES:
- ZIP archive of both pcaps: 2016-08-29-Rig-EK-both-pcaps.zip 314.5 kB (314,494 bytes)
- 2016-08-29-Rig-EK-first-run.pcap (217,070 bytes)
- 2016-08-29-Rig-EK-second-run.pcap (267,577 bytes)
- ZIP archive of the malware: 2016-08-29-Rig-EK-malware-and-artifacts.zip 139.7 kB (139,736 bytes)
- 2016-08-29-Rig-EK-flash-exploit.swf (46,081 bytes)
- 2016-08-29-Rig-EK-landing-page-first-run.txt (3,659 bytes)
- 2016-08-29-Rig-EK-landing-page-second-run.txt (3,664 bytes)
- 2016-08-29-Rig-EK-payload.exe (188,928 bytes)
Shown above: My tipper for this traffic at http://www.malwaredomainlist.com/mdl.php.
TRAFFIC
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Traffic from the second pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 93.190.140.162 port 80 - vitaly.agricolacolhue.cl - GET /rncbu3.html - Gate URL (first run)
- 93.190.140.162 port 80 - unlink.altitude.lv - GET /vdgqb3.html - Gate URL (second run)
- 178.32.92.122 port 80 - l8uh5l1m.top - Rig EK (first run)
- 178.32.92.123 port 80 - gx16p8gh.space - Rig EK (second run)
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: a36d658b9d49b7f6e66015865db24cffd9fa0ac1e548616e03ce124b12742a88
- File name: 2016-08-29-Rig-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: 9e16973b9234feb1a51c001b4338bf0929e0b967b6b877667a0d8c8f3c122eea
- File name: 2016-08-29-Rig-EK-payload.exe
IMAGES
Shown above: The malware payload sent by this campaign's Rig EK.
Shown above: The only post-infection traffic I saw from the malware.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of both pcaps: 2016-08-29-Rig-EK-both-pcaps.zip 314.5 kB (314,494 bytes)
- ZIP archive of the malware: 2016-08-29-Rig-EK-malware-and-artifacts.zip 139.7 kB (139,736 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.