2017-06-15 - RIG EK (HOOKADS AND SEAMLESS CAMPAIGNS)

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-06-15-Rig-EK-pcaps.zip   7.2 MB (7,235,379 bytes)

• 2017-06-15-1st-run-Seamless-Rig-EK-sends-Ramnit.pcap   (993,395 bytes)
• 2017-06-15-2nd-run-Seamless-Rig-EK-sends-Ramnit.pcap   (880,020 bytes)
• 2017-06-15-3rd-run-Hookads-Rig-EK-sends-Dreambot.pcap   (609,685 bytes)
• 2017-06-15-4th-run-Hookads-Rig-EK-sends-Dreambot.pcap   (370,858 bytes)
• 2017-06-15-5th-run-Hookads-Rig-EK-sends-Dreambot.pcap   (4,029,509 bytes)
• 2017-06-15-6th-run-Seamless-Rig-EK-sends-Ramnit.pcap   (870,270 bytes)

• ZIP archive of the artifacts and malware:  2017-06-15-Rig-EK-artifacts-and-malware.zip   677 kB (676,752 bytes)

• 2017-06-15-1st-run-Rig-EK-landing-page.txt   (121,845 bytes)
• 2017-06-15-2nd-run-Rig-EK-landing-page.txt   (121,645 bytes)
• 2017-06-15-3rd-run-Rig-EK-landing-page.txt   (61,241 bytes)
• 2017-06-15-4th-run-Rig-EK-landing-page.txt   (121,599 bytes)
• 2017-06-15-5th-run-Rig-EK-landing-page.txt   (61,001 bytes)
• 2017-06-15-6th-run-Rig-EK-landing-page.txt   (60,940 bytes)
• 2017-06-15-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-06-15-Rig-EK-artifact-OTTYUADAF.txt   (1,137 bytes)
• 2017-06-15-Rig-EK-flash-exploit-first-3-runs.swf   (16,299 bytes)
• 2017-06-15-Rig-EK-flash-exploit-last-3-runs.swf   (16,299 bytes)
• 2017-06-15-HookAds-Rig-EK-payload-Dreambot.exe   (251,392 bytes)
• 2017-06-15-Seamless-Rig-EK-payload-Ramnit.exe   (249,864 bytes)

 

BACKGROUND ON THE CAMPAIGNS:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)
• 2017-03-29 - Cisco Umbrella Blog:  'Seamless' Campaign Delivers Ramnit via Rig EK   (link)

 

TRAFFIC

Shown above:  Traffic from one of the Seamless campaign infections filtered in Wireshark.

 

Shown above:  Traffic from one of the HookAds campaign infections filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• [ip address redacted] port 80 - [domain redacted] - GET [URL redacted] - Seamless redirect
• [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - URL from site leading to HookAds redirect
• 80.77.82.41 port 80 - promose.info - GET /banners/uaps - HookAds redirect (1 of 2)
• 80.77.82.41 port 80 - publicable.info - GET /banners/uaps - HookAds redirect (2 of 2)

• 188.225.38.60 port 80 - 188.225.38.60 - Rig EK (1st run)
• 188.225.73.238 port 80 - 188.225.73.238 - Rig EK (2nd through 6th runs)

• google.com - Ramnit post-infection connectivity check (dns and TCP connection but no actual HTTP taffic)
• 188.93.211.166 port 443 - atw82ye63ymdp.com - Ramnit post-infection traffic (encrypted)

• 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
• 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - Dreambot post-infection traffic
• ipinfo.io - GET /ip - Dreambot post-infection location check
• 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].jpeg - Dreambot post-infection traffic
• 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].gif - Dreambot post-infection traffic
• various IP addresses on various ports - various domains - Dreambot post-infection Tor traffic

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  5834d95ebd3c93b0e629a43affec651a3a9c3c5e3c430c37deef5608da0d8110
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-15 (1 of 2)

• SHA256 hash:  14e6a9025e7a268c33c98a6343179efc723a3fca80093f8c4ab58cf4d7c38798
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-15 (2 of 2)

MALWARE RETRIEVED FROM THE INFECTED HOSTS:

• SHA256 hash:  ca293693efbe0dca2b152e632fc8df70212994f00c471dc994034e53b6364dae
  File size:  251,392 bytes
  File description:  Rig EK payload from Hookads campaign on 2017-06-15 - Dreambot

• SHA256 hash:  de5c83e00f7bd1422fbe1317180efe0645c865a3b7e67f512e7cd425fb728cb6
  File size:  249,864 bytes
  File description:  Rig EK payload from Seamless campaign on 2017-06-15 - Ramnit

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-06-15-Rig-EK-pcaps.zip   7.2 MB (7,235,379 bytes)
• ZIP archive of the artifacts and malware:  2017-06-15-Rig-EK-artifacts-and-malware.zip   677 kB (676,752 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.