2017-06-02 - SEAMLESS CAMPAIGN CONTINUES USING RIG EK TO SEND RAMNIT

NOTICE:

ASSOCIATED FILES:

  • 2017-06-02-Seamless-Rig-EK-sends-Ramnit-1st-run.pcap   (1,309,272 bytes)
  • 2017-06-02-Seamless-Rig-EK-sends-Ramnit-2nd-run.pcap   (1,070,828 bytes)
  • 2017-06-02-Rig-EK-landing-page-1st-run.txt   (26,904 bytes)
  • 2017-06-02-Rig-EK-landing-page-2nd-run.txt   (26,901 bytes)
  • 2017-06-02-Seamless-Rig-EK-payload-Ramnit-1st-run.exe   (162,816 bytes)
  • 2017-06-02-Seamless-Rig-EK-payload-Ramnit-2nd-run.exe   (162,816 bytes)

NOTES:


ADDITIONAL INFO:



Shown above:  Tweet from @thlnk3r yesterday with a Seamless campaign URL.


TRAFFIC


Shown above:  Traffic from the 1st run filtered in Wireshark.



Shown above:  Traffic from the 2nd run filtered in Wireshark.
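Added example, not code from the original post: a scripted equivalent of the Wireshark "http.request" filter used for the two captures above. It reads a classic pcap (Ethernet link type), walks each record down to the TCP payload, and lists source, destination, Host header and request line for every segment that starts with an HTTP request, which is the chain an analyst reads off these captures (gate, Rig EK landing page, payload). The pcap bytes are constructed inline so the script runs offline; the IP addresses and hostnames in them are placeholders from documentation ranges, not the campaign's indicators.

```python
"""Added example (not from the original page): list HTTP requests in a pcap.
Equivalent to Wireshark's "http.request" display filter for simple captures.
The sample pcap below is constructed here; its hosts/IPs are placeholders."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"DELETE"}


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a classic pcap container (used only to build
    the constructed sample; real captures are read straight from disk)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    out = [header]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1496354000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_http_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying one HTTP message. Checksums are zero:
    the parser below never verifies them, and Wireshark does not by default."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload


def http_requests(pcap: bytes) -> List[Tuple[str, str, str, str]]:
    """Return (src_ip, dst_ip, host, request_line) for each TCP segment whose
    payload begins with an HTTP request method. Handles IPv4 over Ethernet only
    and does no stream reassembly: a request split across segments is missed."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not supported here)")
    results = []
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                           # not IPv4 over Ethernet
        if frame[23] != 6:
            continue                           # not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp_start = 14 + ihl
        if len(frame) < tcp_start + 20:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        data_off = (frame[tcp_start + 12] >> 4) * 4
        payload = frame[tcp_start + data_off:]
        first_line, _, rest = payload.partition(b"\r\n")
        if first_line.split(b" ", 1)[0] not in METHODS:
            continue                           # response or non-HTTP data
        host = ""
        for line in rest.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
                break
        results.append((src, dst, host, first_line.decode("ascii", "replace")))
    return results


# Constructed sample: gate request, its response (must be skipped), then a
# landing-page request. Addresses are documentation ranges, hosts are .invalid.
SAMPLE_PCAP = build_pcap([
    build_http_frame("10.0.0.5", "203.0.113.10", 49152, 80,
                     b"GET /usa/?id=1 HTTP/1.1\r\nHost: gate.example.invalid\r\n"
                     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    build_http_frame("203.0.113.10", "10.0.0.5", 80, 49152,
                     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_http_frame("10.0.0.5", "198.51.100.7", 49153, 80,
                     b"GET /?oq=abc HTTP/1.1\r\nHost: landing.example.invalid\r\n\r\n"),
])

if __name__ == "__main__":
    for src, dst, host, req in http_requests(SAMPLE_PCAP):
        print(f"{src} -> {dst}  {host}  {req}")
```

To run it against one of the captures listed above, pass the file's bytes instead of the sample: `http_requests(open("2017-06-02-Seamless-Rig-EK-sends-Ramnit-1st-run.pcap", "rb").read())`. The caveat in the docstring matters for EK traffic: landing-page requests are normally small enough to fit one segment, but a POST with a large body, or any capture saved as pcapng, needs a real dissector (tshark -Y http.request) rather than this record-by-record walk.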


ASSOCIATED DOMAINS:


FILE HASHES

MALWARE PAYLOAD (RAMNIT) - 1ST RUN:

MALWARE PAYLOAD (RAMNIT) - 2ND RUN:


OTHER IMAGES


Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets, generated by replaying the pcap with tcpreplay on Security Onion and viewed in Sguil.
