2017-06-16 - RIG EK FROM THE HOOKADS CAMPAIGN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-16-HookAds-Rig-EK-two-pcaps.zip   7.3 MB (7,278,809 bytes)

• 2017-06-16-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,819,524 bytes)
• 2017-06-16-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,963,196 bytes)

• 2017-06-16-HookAds-Rig-EK-artifacts-and-malware.zip   496.0 kB (496,046 bytes)

• 2017-06-16-1st-run-Rig-EK-flash-exploit.swf   (16,299 bytes)
• 2017-06-16-1st-run-Rig-EK-landing-page.txt   (60,820 bytes)
• 2017-06-16-1st-run-Rig-EK-o32.tmp.txt   (1,141 bytes)
• 2017-06-16-1st-run-Rig-EK-payload-Dreambot-rp90ecmm.exe   (251,392 bytes)
• 2017-06-16-1st-run-popunder.php-from-original-site.txt   (6,02 bytes)
• 2017-06-16-1st-run-rabbey.info-bannders-uaps.txt   (5,772 bytes)
• 2017-06-16-2nd-run-Rig-EK-flash-exploit.swf   (16,296 bytes)
• 2017-06-16-2nd-run-Rig-EK-landing-page.txt   (121,687 bytes)
• 2017-06-16-2nd-run-Rig-EK-o32.tmp.txt   (1,141 bytes)
• 2017-06-16-2nd-run-Rig-EK-payload-Dreambot-4s0bv9d6.exe   (266,752 bytes)
• 2017-06-16-2nd-run-immedience.info-banners-uaps.txt   (5,753 bytes)
• 2017-06-16-2nd-run-popunder.php-from-original-site.txt   (606 bytes)

 

BACKGROUND ON THE HOOKADS CAMPAIGN:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)

 

TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• [ip address redacted] port 80 - [domain redacted] - GET /popunder.php - Injected code from original site (1st run)
• [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site (2nd run)
• 80.77.82[.]41 port 80 - rabbey[.]info - GET /banners/uaps - HookAds redirect (1st run)
• 80.77.82[.]41 port 80 - immedience[.]info - GET /banners/uaps - HookAds redirect (2nd run)

• 188.225.75[.]148 port 80 - 188.225.75[.]148 - Rig EK (1st run)
• 188.225.76[.]234 port 80 - 188.225.76[.]234 - Rig EK (2nd run)

• 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
• 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /tor/voip2.rar - Dreambot post-infection traffic
• ipinfo[.]io - GET /ip - Dreambot post-infection location check
• 198.105.244[.]228 port 80 - wdwefwefwwfewdefewfwefw[.]onion - GET /images/[long string of characters].jpeg - Dreambot post-infection traffic
• 198.105.244[.]228 port 80 - wdwefwefwwfewdefewfwefw[.]onion - GET /images/[long string of characters].gif - Dreambot post-infection traffic
• various IP addresses on various ports - various domains - Dreambot post-infection Tor traffic

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  14e6a9025e7a268c33c98a6343179efc723a3fca80093f8c4ab58cf4d7c38798
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-16 (1st run)

• SHA256 hash:  ecb236418b4f6a294460723a3f19d236ac25df3adfd04cac5ff6a3ebeb1fcd0c
  File size:  16,296 bytes
  File description:  Rig EK flash exploit on 2017-06-16 (2nd run)

MALWARE RETRIEVED FROM THE INFECTED HOSTS:

• SHA256 hash:  ca293693efbe0dca2b152e632fc8df70212994f00c471dc994034e53b6364dae
  File size:  251,392 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\rp90ecmm.exe
  File description:  HookAds campaign Rig EK payload on 2017-06-16 (1st run) - Dreambot

• SHA256 hash:  455bd97b601ea4048c0237950810e99d7d47710c37f0719ee77f053d0c8fa427
  File size:  266,752 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\4s0bv9d6.exe
  File description:  HookAds campaign Rig EK payload on 2017-06-16 (2nd run) - Dreambot

 

Click here to return to the main page.