2017-03-13 "GOOD MAN" CAMPAIGN RIG EK SENDS GODZILLA LOADER/ZBOT
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-13-Good-Man-Rig-EK-sends-Godzilla-Loader.pcap.zip 902 kB (902,300 bytes)
- ZIP archive of the emails and malware: 2017-03-13-Good-Man-Rig-EK-malware-and-artifacts.zip 442 kB (442,491 bytes)
NOTES:
- This is the "Good Man" campaign using Rig EK as described at: https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
- I found another gate for this campaign (previously it was hurtmehard.net, but that's offline now).
- I tried the "Good Man gate" at perfectgirlss.org but had issues the first time, so I tried it again and got infected.
- Both attempts are in the pcap.
Shown above: Flowchart for the infection traffic.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 85.204.74.238 port 80 - perfectgirlss.org - Good Man campaign gate
- 217.23.2.108 port 80 - remote.wames.xyz - Rig EK
- 185.140.114.172 port 80 - forum.alterna.pw GET /forum.php?g=773621049&k=qfQlodgR0jhoe4Qv2N8Ym9aco
- 85.217.170.81 port 80 - 85.217.170.81 POST /Bwt4nCeYpiHsDUe/file.php
- 85.217.170.81 port 80 - 85.217.170.81 POST /Bwt4nCeYpiHsDUe/dsjfgah.php
- 31.31.204.161 port 80 - portalcentr.ru POST /Bwt4nCeYpiHsDUe/file.php
- www.google.com - GET /webhp
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 9371888ec860d6083bebd2966ed6ad136527242c68405128121310c1b965d41f
File description: 2017-03-13 Rig EK flash exploit
MALWARE:
- SHA256 hash: 261e2d1eab2af48a416252416a1a1d529fc48d939e09fd7d43609505ee1336ec
File description: 2017-03-13 Rig EK payload (Godzilla loader)
- SHA256 hash: 30f342741c0224b152c4d6d6cc91af5458649eedd0ad848beb2aa38cf9d79423
File description: 2017-03-13 follow-up malware YQFXJKzLIwR4pdb0vnSTNdswR.exe (Zbot)
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-13-Good-Man-Rig-EK-sends-Godzilla-Loader.pcap.zip 902 kB (902,300 bytes)
- ZIP archive of the emails and malware: 2017-03-13-Good-Man-Rig-EK-malware-and-artifacts.zip 442 kB (442,491 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.