2017-03-15 - UNIDENTIFIED CAMPAIGN RIG EK SENDS DELOADER/ZLOADER
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-15-unidentified-campaign-Rig-EK-sends-DELoader.pcap.zip 3.5 MB (3,465,334 bytes)
- 2017-03-15-unidentified-campaign-Rig-EK-sends-DELoader.pcap (3,703,929 bytes)
- ZIP archive of the malware: 2017-03-15-unidentified-campaign-Rig-EK-sends-DELoader-malware-and-artifacts.zip 243 kB (242,825 bytes)
- 2017-03-15-page-from-xbox360torrent.com-with-injected-script.txt (31,651 bytes)
- 2017-03-15-unidentified-campaign-Rig-EK-1st-run-artifact-o32.tmp.txt (1,141 bytes)
- 2017-03-15-unidentified-campaign-Rig-EK-flash-exploit.swf (14,956 bytes)
- 2017-03-15-unidentified-campaign-Rig-EK-landing-page.txt (117,890 bytes)
- 2017-03-15-unidentified-campaign-Rig-EK-payload-otr4miha.exe (169,791 bytes)
DETAILS
DESCRIPTION:
- An unidentified campaign using Rig EK to distribute malware. On Wednesday 2017-03-15, it sent DELoader/Zloader as the payload.
ASSOCIATED DOMAINS:
- xbox360torrent.com - compromised site
- 5.200.52.37 port 80 - add.tas-goodiebag.com - Rig EK
- 185.121.177.53 port 53 - TCP-based DNS query for funchat.bit (.bit is a Namecoin top-level domain, so it cannot be resolved through the normal DNS root; the malware has to ask a non-standard resolver)
- 185.13.36.121 port 80 - funchat.bit - attempted TCP connections, reset (RST) by the server
- 185.13.36.121 port 443 - funchat.bit - HTTPS/SSL/TLS traffic using "Moscow Ltd" certificate
- checkip.dyndns.org - GET / - IP address check
- Various IP addresses on various ports - Tor traffic
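The network behaviour listed above (a .bit query sent over TCP to a resolver that is not the local one, a server that resets port 80 but completes port 443, and a TLS certificate issued to "Moscow Ltd") can be turned into simple detection logic. The script below is an added example and is not part of the original post. The log records are constructed, Zeek-style tab-separated extracts that only reuse the IPs and names listed above; the client address 192.168.1.100, the trusted resolver 192.168.1.1 and the simplified column set are assumptions.

```python
"""Added example: flag the DELoader/Zloader network pattern in Zeek-style logs.
Not part of the original post; the records below are constructed for
illustration and only reuse the IPs and names the post lists."""

# Constructed dns.log extract (assumed client 192.168.1.100, resolver 192.168.1.1).
DNS_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tquery
1489589000.1\t192.168.1.100\t192.168.1.1\t53\tudp\tcheckip.dyndns.org
1489589001.2\t192.168.1.100\t185.121.177.53\t53\ttcp\tfunchat.bit
"""

# Constructed conn.log extract. REJ = server reset the handshake, SF = normal
# establishment and teardown (Zeek conn_state values).
CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state
1489589001.2\t192.168.1.100\t185.121.177.53\t53\ttcp\tSF
1489589002.3\t192.168.1.100\t185.13.36.121\t80\ttcp\tREJ
1489589003.4\t192.168.1.100\t185.13.36.121\t443\ttcp\tSF
"""

# Constructed ssl.log extract; the subject field is assumed, only "Moscow Ltd"
# comes from the traffic described in the post.
SSL_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tsubject
1489589003.4\t192.168.1.100\t185.13.36.121\t443\tCN=funchat.bit,O=Moscow Ltd
"""

# Resolvers the monitored hosts are allowed to use (assumption for the example).
TRUSTED_RESOLVERS = {"192.168.1.1"}
# Alternative-root TLDs that the normal DNS root cannot resolve; .bit is Namecoin.
ALT_ROOT_TLDS = (".bit",)
# Certificate organisations worth alerting on.
WATCHLIST_CERT_ORGS = ("Moscow Ltd",)


def parse_zeek(text):
    """Parse a minimal tab-separated log with a header row into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def detect(dns_log, conn_log, ssl_log, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return (rule, client, detail) tuples for the behaviours listed above."""
    findings = []

    # 1. Queries for alternative-root TLDs such as Namecoin .bit.
    for r in parse_zeek(dns_log):
        q = r["query"].lower().rstrip(".")
        if q.endswith(ALT_ROOT_TLDS):
            findings.append(("alt_root_tld_query", r["id.orig_h"], q))

    conns = parse_zeek(conn_log)

    # 2. DNS over TCP to a resolver that is not one of ours. Checked on the
    #    connection log so it fires even if the DNS parser missed the query.
    for r in conns:
        if (r["id.resp_p"] == "53" and r["proto"] == "tcp"
                and r["id.resp_h"] not in trusted_resolvers):
            findings.append(("tcp_dns_untrusted_resolver", r["id.orig_h"], r["id.resp_h"]))

    # 3. The same server rejecting port 80 but completing port 443: the C2
    #    only speaks TLS, and the failed plaintext attempt is the tell.
    rejected_80 = {(r["id.orig_h"], r["id.resp_h"]) for r in conns
                   if r["id.resp_p"] == "80" and r["conn_state"] == "REJ"}
    for r in conns:
        key = (r["id.orig_h"], r["id.resp_h"])
        if r["id.resp_p"] == "443" and r["conn_state"] == "SF" and key in rejected_80:
            findings.append(("http_rst_then_tls", key[0], key[1]))

    # 4. TLS certificate subject on the watchlist.
    for r in parse_zeek(ssl_log):
        subject = r["subject"].lower()
        if any(org.lower() in subject for org in WATCHLIST_CERT_ORGS):
            findings.append(("watchlist_cert_subject", r["id.orig_h"], r["subject"]))

    return findings


if __name__ == "__main__":
    for rule, client, detail in detect(DNS_LOG, CONN_LOG, SSL_LOG):
        print(f"{rule:28} {client:15} {detail}")
```

Rule 1 is the most durable of the four: a legitimate host has no reason to ask for a Namecoin name, so any .bit query is worth a look regardless of which resolver or C2 address this campaign happens to use on a given day. Rules 2 and 3 are behavioural and will also catch the next sample that swaps domains and IPs, while rule 4 is tied to this specific certificate.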
ARTIFACTS ON THE INFECTED HOST:
- C:\Users\[username]\AppData\Roaming\Egsef\fbxae.nio (0 kB)
- C:\Users\[username]\AppData\Roaming\tor\cached-certs (19 kB)
- C:\Users\[username]\AppData\Roaming\tor\cached-microdesc-consensus (2,191 kB)
- C:\Users\[username]\AppData\Roaming\tor\cached-microdescs.new (3,680 kB)
- C:\Users\[username]\AppData\Roaming\tor\lock (0 kB)
- C:\Users\[username]\AppData\Roaming\tor\state (2 kB)
- C:\Users\[username]\AppData\Roaming\Ugnu\badeazpoo.php (4 kB)
- C:\Users\[username]\AppData\Roaming\Ugnu\php.exe (29 kB)
- C:\Users\[username]\AppData\Roaming\Ugnu\php5tl.dll (5,589 kB)
- C:\Users\[username]\AppData\Roaming\Wyqyuf\huab.zia (21,687 kB)
- C:\Users\[username]\AppData\Roaming\Ywal\efyku.ovt (95 kB)
- C:\Users\[username]\AppData\Roaming\libeay32.dll (1,944 kB)
- C:\Users\[username]\AppData\Roaming\libevent-2-0-5.dll (703 kB)
- C:\Users\[username]\AppData\Roaming\libgcc_s_sjlj-1.dll (511 kB)
- C:\Users\[username]\AppData\Roaming\libssp-0.dll (91 kB)
- C:\Users\[username]\AppData\Roaming\ssleay32.dll (391 kB)
- C:\Users\[username]\AppData\Roaming\tor.exe (2,898 kB)
- C:\Users\[username]\AppData\Roaming\zlib1.dll (105 kB)
FILE HASHES:
- SHA256 hash: cc41480100b0fd2e39d4d636fac3d4e682314b4c6b14ecef0d03281c06a7789c
File description: Rig EK Flash exploit seen on 2017-03-15
- SHA256 hash: 7a582e7ad76cd0f90b0e51092212603883f9db0d5e810f6fb20f809d4322e057
File location: C:\Users\[username]\AppData\Local\Temp\otr4miha.exe
File description: Rig EK payload sent by unidentified campaign - DELoader/ZLoader
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-15-unidentified-campaign-Rig-EK-sends-DELoader.pcap.zip 3.5 MB (3,465,334 bytes)
- ZIP archive of the malware: 2017-03-15-unidentified-campaign-Rig-EK-sends-DELoader-malware-and-artifacts.zip 243 kB (242,825 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.