2017-03-13 "GOOD MAN" CAMPAIGN RIG EK SENDS GODZILLA LOADER/ZBOT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-13-Good-Man-Rig-EK-sends-Godzilla-Loader.pcap.zip   902 kB (902,300 bytes)
• ZIP archive of the emails and malware:  2017-03-13-Good-Man-Rig-EK-malware-and-artifacts.zip   442 kB (442,491 bytes)

NOTES:

• This is the "Good Man" campaign using Rig EK as described at:  https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
• I found another gate for this campaign (previously it was hurtmehard.net, but that's off-line now).
• I tried the "Good Man gate" at perfectgirlss.org but had issues the first time, so I tried it again and got infected.
• Both attempts are in the pcap.

Shown above:  Flowchart for the infection traffic.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 85.204.74.238 port 80 - perfectgirlss.org - Goodman campaign gate
• 217.23.2.108 port 80 - remote.wames.xyz - Rig EK
• 185.140.114.172 port 80 - forum.alterna.pw GET /forum.php?g=773621049&k=qfQlodgR0jhoe4Qv2N8Ym9aco
• 85.217.170.81 port 80 - 85.217.170.81 POST /Bwt4nCeYpiHsDUe/file.php
• 85.217.170.81 port 80 - 85.217.170.81 POST /Bwt4nCeYpiHsDUe/dsjfgah.php
• 31.31.204.161 port 80 - portalcentr.ru POST /Bwt4nCeYpiHsDUe/file.php
• www.google.com - GET /webhp

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  9371888ec860d6083bebd2966ed6ad136527242c68405128121310c1b965d41f
  File description:  2017-03-13 Rig EK flash exploit

MALWARE:

• SHA256 hash:  261e2d1eab2af48a416252416a1a1d529fc48d939e09fd7d43609505ee1336ec
  File description:  2017-03-13 Rig EK payload (Godzilla loader)

• SHA256 hash:  30f342741c0224b152c4d6d6cc91af5458649eedd0ad848beb2aa38cf9d79423
  File description:  2017-03-13 follow-up malware YQFXJKzLIwR4pdb0vnSTNdswR.exe (Zbot)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-13-Good-Man-Rig-EK-sends-Godzilla-Loader.pcap.zip   902 kB (902,300 bytes)
• ZIP archive of the emails and malware:  2017-03-13-Good-Man-Rig-EK-malware-and-artifacts.zip   442 kB (442,491 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.