2017-03-09 - RIG EK SENDS ZBOT
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-09-Rig-EK-sends-Zbot.pcap.zip 980 kB (980,108 bytes)
- 2017-03-09-Rig-EK-sends-Zbot.pcap (1,251,677 bytes)
- ZIP archive of the email and malware: 2017-03-09-Rig-EK-sends-Zbot-malware-and-artifacts.zip 466 kB (465,856 bytes)
- 2017-03-09-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-03-09-Rig-EK-flash-exploit.swf (16,090 bytes)
- 2017-03-09-Rig-EK-landing-page.txt (57,094 bytes)
- 2017-03-09-Rig-EK-payload-qfb4a0n0.exe (369,664 bytes)
- 2017-03-09-page-from-hurtmehard.net-with-injected-script.txt (253,295 bytes)
NOTES:
- This instance of Rig EK is not from one of the campaigns I normally track (Afraidgate, EITest, pseudoDarkleech).
- Also, the injected script looks like it got jumbled up in the web page from the compromised site.
Shown above: Injected script in page from the compromised site. Looks like the web page text may have been scrambled.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- hurtmehard.net - Compromised site
- 139.162.203.5 port 80 - cdn3.vjv4.xyz - Rig EK
- 85.217.170.81 port 80 - 85.217.170.81 - POST /Bwt4nCeYpiHsDUe/file.php [Zbot callback]
- 31.31.204.161 port 80 - portalcentr.ru - POST /Bwt4nCeYpiHsDUe/file.php [Zbot callback]
- www.google.com - GET /webhp [Zbot post-infection connectivity check]
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f
- File size: 16,090 bytes
RIG EK PAYLOAD:
- SHA256 hash: 904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326
- File location: C:\Users\[username]\AppData\Local\Temp\qfb4a0n0.exe
- File location: C:\Users\[username]\AppData\Roaming\Arybusquyq\egxudeuz.exe
- File size: 369,664 bytes
SOME ARTIFACTS ON THE INFECTED HOST:
- C:\Users\[username]\AppData\Local\Temp\System32\shell32.dll (4 kB)
- C:\Users\[username]\AppData\Roaming\Arybusquyq\egxudeuz.exe (361 kB)
- C:\Users\[username]\AppData\Roaming\Efhevuyni\iwpycyrow.owe (0 kB)
- C:\Users\[username]\AppData\Roaming\Qyifexihvy\saozezycmin.tmp (1 kB)
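The network indicators above (Rig EK host, the two Zbot callback hosts with their shared POST path, the compromised site and the post-infection Google check) and the two SHA256 hashes are the parts of this write-up a defender would actually operationalize. The following is an added example, not code from this site or from the pcap: it loads those indicators, runs them over a handful of constructed proxy log lines (the log format is hypothetical, and the server IPs for hosts not listed above are documentation-range placeholders), and checks a constructed file list against the hashes. The GET /webhp check is only reported for a client that has already been seen making a Zbot callback, since that request is benign on its own.

```python
import re

# Network indicators taken from the write-up above.
RIG_EK_HOSTS = {"cdn3.vjv4.xyz", "139.162.203.5"}
ZBOT_C2_HOSTS = {"85.217.170.81", "portalcentr.ru", "31.31.204.161"}
ZBOT_CALLBACK_PATH = "/Bwt4nCeYpiHsDUe/file.php"
COMPROMISED_SITES = {"hurtmehard.net"}

# File hashes taken from the write-up above.
KNOWN_SHA256 = {
    "d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f": "Rig EK Flash exploit",
    "904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326": "Rig EK payload (Zbot)",
}

# Constructed proxy log lines in a hypothetical format (not taken from the pcap):
# <timestamp> <client ip> <server ip>:<port> <method> <host> <path>
# Server IPs for hosts not listed in the write-up are documentation-range placeholders.
SAMPLE_LOG = """\
2017-03-09T14:01:02Z 192.168.1.20 203.0.113.1:80 GET www.example.com /
2017-03-09T14:01:05Z 192.168.1.20 203.0.113.10:80 GET hurtmehard.net /index.html
2017-03-09T14:01:07Z 192.168.1.20 139.162.203.5:80 GET cdn3.vjv4.xyz /
2017-03-09T14:01:09Z 192.168.1.20 139.162.203.5:80 GET cdn3.vjv4.xyz /
2017-03-09T14:01:31Z 192.168.1.20 85.217.170.81:80 POST 85.217.170.81 /Bwt4nCeYpiHsDUe/file.php
2017-03-09T14:01:40Z 192.168.1.20 31.31.204.161:80 POST portalcentr.ru /Bwt4nCeYpiHsDUe/file.php
2017-03-09T14:01:45Z 192.168.1.20 198.51.100.7:80 GET www.google.com /webhp
2017-03-09T14:02:00Z 192.168.1.20 198.51.100.7:80 GET www.google.com /search
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<server>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def classify(rec, callback_clients):
    """Return an indicator label for one parsed record, or None.

    callback_clients is mutated: a client that posts to the Zbot callback
    path is remembered so its later GET /webhp can be tied to the infection.
    """
    host, server, method, path = rec["host"], rec["server"], rec["method"], rec["path"]
    if host in RIG_EK_HOSTS or server in RIG_EK_HOSTS:
        return "rig-ek"
    if method == "POST" and path == ZBOT_CALLBACK_PATH:
        callback_clients.add(rec["client"])
        return "zbot-callback"
    if host in ZBOT_C2_HOSTS or server in ZBOT_C2_HOSTS:
        return "zbot-c2-host"
    if host in COMPROMISED_SITES:
        return "compromised-site"
    # The Google check alone proves nothing; only report it after a callback.
    if host == "www.google.com" and path == "/webhp" and rec["client"] in callback_clients:
        return "zbot-connectivity-check"
    return None


def scan_log(text):
    """Parse log text and return (line_number, client, label) for each hit."""
    hits = []
    callback_clients = set()
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        label = classify(m.groupdict(), callback_clients)
        if label:
            hits.append((n, m["client"], label))
    return hits


def infected_clients(hits):
    """Clients that made the Zbot callback POST, i.e. confirmed infections."""
    return {client for _, client, label in hits if label == "zbot-callback"}


def check_hashes(files):
    """Map file name -> indicator label for every file whose SHA256 is known."""
    return {name: KNOWN_SHA256[h.lower()] for name, h in files.items() if h.lower() in KNOWN_SHA256}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("infected:", infected_clients(scan_log(SAMPLE_LOG)))
    # Constructed file list: one payload name from the write-up, one unrelated file.
    print(check_hashes({
        "qfb4a0n0.exe": "904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326",
        "unrelated.exe": "00" * 32,
    }))
```

The callback path is matched exactly and independently of the Host header, which is why both the bare-IP callback and the portalcentr.ru callback are caught by the same rule; the hashes are compared case-insensitively so a tool that reports uppercase hex still matches.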
IMAGES
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-09-Rig-EK-sends-Zbot.pcap.zip 980 kB (980,108 bytes)
- ZIP archive of the email and malware: 2017-03-09-Rig-EK-sends-Zbot-malware-and-artifacts.zip 466 kB (465,856 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.