2017-03-09 - RIG EK SENDS ZBOT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-09-Rig-EK-sends-Zbot.pcap.zip   980 kB (980,108 bytes)

• 2017-03-09-Rig-EK-sends-Zbot.pcap   (1,251,677 bytes)

• ZIP archive of the email and malware:  2017-03-09-Rig-EK-sends-Zbot-malware-and-artifacts.zip   466 kB (465,856 bytes)

• 2017-03-09-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-03-09-Rig-EK-flash-exploit.swf   (16,090 bytes)
• 2017-03-09-Rig-EK-landing-page.txt   (57,094 bytes)
• 2017-03-09-Rig-EK-payload-qfb4a0n0.exe   (369,664 bytes)
• 2017-03-09-page-from-hurtmehard.net-with-injected-script.txt   (253,295 bytes)

NOTES:

• This instance of Rig EK is not from one of the campaigns I normally track (Afraidgate, EITest, pseudoDarkleech).
• Also, the injected script looks like it got jumbled up in the web page from the comrpomised site.

Shown above:  Injected script in page from the compromised site.  Looks like the web page text may have been scrambled.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

• hurtmehard.net - Compromised site
• 139.162.203.5 port 80 - cdn3.vjv4.xyz - Rig EK
• 85.217.170.81 port 80 - 85.217.170.81 - POST /Bwt4nCeYpiHsDUe/file.php   [Zbot callback]
• 31.31.204.161 port 80 - portalcentr.ru - POST /Bwt4nCeYpiHsDUe/file.php   [Zbot callback]
• www.google.com - GET /webhp   [Zbot post-infection connectivity check]

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f
  
• File size:  16,090 bytes

 

RIG EK PAYLOAD:

• SHA256 hash:  904ba982fd067daed01ebcd896a8b8cf3e21e1a4069aadb236825f2f5180e326
  
• File location:  C:\Users\[username]\AppData\Local\Temp\qfb4a0n0.exe
  
• File location:  C:\Users\[username]\AppData\Roaming\Arybusquyq\egxudeuz.exe
  
• File size:  369,664 bytes

 

SOME ARTIFACTS ON THE INFECTED HOST:

• C:\Users\[username]\AppData\Local\Temp\System32\shell32.dll   (4 kB)
• C:\Users\[username]\AppData\Roaming\Arybusquyq\egxudeuz.exe  (361 kB)
• C:\Users\[username]\AppData\Roaming\Efhevuyni\iwpycyrow.owe  (0 kB)
• C:\Users\[username]\AppData\Roaming\Qyifexihvy\saozezycmin.tmp  (1 kB)

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-09-Rig-EK-sends-Zbot.pcap.zip   980 kB (980,108 bytes)
• ZIP archive of the email and malware:  2017-03-09-Rig-EK-sends-Zbot-malware-and-artifacts.zip   466 kB (465,856 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.