Malware-Traffic-Analysis.net - 2016-12-07

2016-12-07 - RIG EK DATA DUMP

ASSOCIATED FILES:

ZIP archive of the pcap: 2016-12-07-Rig-EK-data-dump-all-pcaps.zip 1.7 MB (1,712,182 bytes)

2016-12-07-1st-run-EITest-Rig-E-sends-Gootkit.pcap (511,118 bytes)

2016-12-07-2nd-run-EITest-Rig-E-sends-Smoke-Loader.pcap (167,116 bytes)

2016-12-07-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap (637,182 bytes)

2016-12-07-4th-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap (651,266 bytes)

2016-12-07-5th-run-EITest-Rig-E-sends-Smoke-Loader.pcap (147,121 bytes)

ZIP archive of the malware: 2016-12-07-Rig-EK-data-dump-malware-and-artifacts.zip 1.2 MB (1,221,666 bytes)

2016-12-07-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt (1,137 bytes)

2016-12-07-1st-run-EITest-Rig-E-flash-exploit.swf (17,657 bytes)

2016-12-07-1st-run-EITest-Rig-E-landing-page.txt (85,199 bytes)

2016-12-07-1st-run-EITest-Rig-E-payload-Gootkit-rad0BCCB.tmp.exe (237,568 bytes)

2016-12-07-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt (18,838 bytes)

2016-12-07-1st-run-post-infection-follow-up-malware.exe (397,824 bytes)

2016-12-07-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt (1,137 bytes)

2016-12-07-2nd-run-EITest-Rig-E-flash-exploit.swf (17,657 bytes)

2016-12-07-2nd-run-EITest-Rig-E-landing-page.txt (85,251 bytes)

2016-12-07-2nd-run-EITest-Rig-E-payload-Smoke-Loader-rad79415.tmp.exe (43,520 bytes)

2016-12-07-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt (18,844 bytes)

2016-12-07-3rd-run-page-from-joellipman.com-with-injected-script.txt (68,908 bytes)

2016-12-07-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt (1,137 bytes)

2016-12-07-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf (17,618 bytes)

2016-12-07-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt (5,375 bytes)

2016-12-07-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber-rad30C82.tmp.exe (264,228 bytes)

2016-12-07-4th-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt (1,137 bytes)

2016-12-07-4th-run-pseudoDarkleech-Rig-V-flash-exploit.swf (17,618 bytes)

2016-12-07-4th-run-pseudoDarkleech-Rig-V-landing-page.txt (5,380 bytes)

2016-12-07-4th-run-pseudoDarkleech-Rig-V-payload-Cerber-rad6EB28.tmp.exe (264,228 bytes)

2016-12-07-4th-run-wordtemplates.org-with-injected-script.txt (54,484 bytes)

2016-12-07-5th-run-EITest-Rig-E-artifact-MXj6sFosp.txt (1,137 bytes)

2016-12-07-5th-run-EITest-Rig-E-flash-exploit.swf (17,657 bytes)

2016-12-07-5th-run-EITest-Rig-E-landing-page.txt (85,229 bytes)

2016-12-07-5th-run-EITest-Rig-E-payload-Smoke-Loader-radE32E0.tmp.exe (43,520 bytes)

2016-12-07-5th-run-page-from-cavallinomotorsport.com-with-injected-script.txt (18,841 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload. Used by the Afraidgate & pseudoDarkleech campaigns.
Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload. Also known as Empire Pack. I often see Rig-E used by the EITest campaign.
Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary) The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-10-03 - Palo Alto Networks Unit 42 blog: EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
2016-10-03 - Broadanalysis.com: EITest campaign stopped using a gate.
2016-10-15 - Broadanalysis.com: EITest campaing stops using obfuscation for injected script in pages from compromised websites.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
2016-10-03 - Malware-traffic-analysis.net: The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

OTHER NOTES:

@broadanalysis has more complete post-infection traffic on a Smoke Loader infection (SmokeBot Loader) from Rig EK today on the the Broadanalysis blog (link).

TRAFFIC

Shown above: Flow chart for today's infection traffic.

Shown above: Traffic from the 1st infection filtered in Wireshark.

Shown above: Traffic from the 2nd infection filtered in Wireshark.

Shown above: Traffic from the 3rd infection filtered in Wireshark.

Shown above: Traffic from the 4th infection filtered in Wireshark.

Shown above: Traffic from the 5th infection filtered in Wireshark.

ASSOCIATED DOMAINS:

cavallinomotorsport.com - Compromised site
81.95.7.26 port 80 - hbmuj.crpq1.xyz - Rig-E
5.39.48.106 port 80 - vnoskokos.win - Gootkit post-infection HTTPS/SSL/TLS traffic
5.79.71.225 port 80 - vnoskalkos.win - Gootkit post-infection HTTPS/SSL/TLS traffic
198.105.244.11 port 80 - wildempirellce.com - Gootkit post-infection HTTPS/SSL/TLS traffic

cavallinomotorsport.com - Compromised site
81.95.7.26 port 80 - oqw8.y2bkvol6h.xyz - Rig-E
146.0.77.16 port 80 - coifn333.info - Smoke Loader post-infection HTTP traffic

joellipman.com - Compromised site
46.30.46.210 port 80 - top.pharmavetinc.com - Rig-V
15.49.2.0 to 15.49.2.31 (15.49.2.0/27) UDP port 6892 - Cerber post-infection UDP traffic
122.1.13.0 to 122.1.1331 (122.1.13.0/27) UDP port 6892 - Cerber post-infection UDP traffic
194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
210.16.102.144 port 80 - ffoqr3ug7m726zou.ul8hph.top - Cerber post-infection HTTP traffic

www.wordtemplates.org - Compromised site
46.30.46.210 port 80 - free.projectlemonaid.org - Rig-V
15.49.2.0 to 15.49.2.31 (15.49.2.0/27) UDP port 6892 - Cerber post-infection UDP traffic
122.1.13.0 to 122.1.1331 (122.1.13.0/27) UDP port 6892 - Cerber post-infection UDP traffic
194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
210.16.102.144 port 80 - ffoqr3ug7m726zou.zgw8bu.top - Cerber post-infection HTTP traffic

cavallinomotorsport.com - Compromised site
185.162.8.142 port 80 - akb3i.ocqcg.xyz - Rig-E
146.0.77.16 port 80 - coifn333.info - Smoke Loader post-infection HTTP traffic

FILE HASHES

FLASH EXPLOITS:

SHA256 hash: 732f898c4ec1847aac57f019698c1328608bb0852ecee147fc498373283a9821 (17,657 bytes)
File description: 2016-12-07 EITest Rig-E Flash-exploit

SHA256 hash: 0dc0e76091e65b422ff0dd45b0b07de605047e8c4564cd4097dafca7ee229028 (17,618 bytes)
File description: 2016-12-07 EITest Rig-V Flash-exploit

PAYLOADS (READ: SHA256 HASH - FILE NAME - FILE SIZE):

893a38969233228c4f73b2d152797c71b9d6c8076390ada74cb655e83c61cb36 - 2016-12-07-1st-run-EITest-Rig-E-payload-Gootkit.exe - 237,568 bytes
da718292a1e40c15f512155cbda7ef807a421d0d0cb56666a639b95a1bfa0fe1 - 2016-12-07-1st-run-post-infection-follow-up-malware.exe - 397,824 bytes
772fcfe20f0bb14861a611901a7354759515cbd7d1b4762436e9c1f4c2c290df - 2016-12-07-2nd-run-EITest-Rig-E-payload-Smoke-Loader.exe - 43,520 bytes
4715f450ff14a6487a8d1876d05878b1fff3d6dd1c5d1d93d4f8aadd327af9ce - 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber.exe - 264,228 bytes
5998d2fc69cbab14ba4b5459bbd2ab01dda67581573900079445176782bd2e4d - 2016-12-07-4th-run-pseudoDarkleech-Rig-V-payload-Cerber.exe - 264,228 bytes
0c7a0fb9a1271f4a19868a24dfdd6faa0bfb1d35331cfbf315632e7370ddf012 - 2016-12-07-5th-run-EITest-Rig-E-payload-Smoke-Loader.exe - 43,520 bytes

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcap: 2016-12-07-Rig-EK-data-dump-all-pcaps.zip 1.7 MB (1,712,182 bytes)
ZIP archive of the malware: 2016-12-07-Rig-EK-data-dump-malware-and-artifacts.zip 1.2 MB (1,221,666 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.