2017-06-16 - RIG EK FROM THE HOOKADS CAMPAIGN
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-16-HookAds-Rig-EK-two-pcaps.zip 7.3 MB (7,278,809 bytes)
  - 2017-06-16-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap (3,819,524 bytes)
  - 2017-06-16-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap (3,963,196 bytes)
- 2017-06-16-HookAds-Rig-EK-artifacts-and-malware.zip 496.0 kB (496,046 bytes)
  - 2017-06-16-1st-run-Rig-EK-flash-exploit.swf (16,299 bytes)
  - 2017-06-16-1st-run-Rig-EK-landing-page.txt (60,820 bytes)
  - 2017-06-16-1st-run-Rig-EK-o32.tmp.txt (1,141 bytes)
  - 2017-06-16-1st-run-Rig-EK-payload-Dreambot-rp90ecmm.exe (251,392 bytes)
  - 2017-06-16-1st-run-popunder.php-from-original-site.txt (6,02 bytes)
  - 2017-06-16-1st-run-rabbey.info-bannders-uaps.txt (5,772 bytes)
  - 2017-06-16-2nd-run-Rig-EK-flash-exploit.swf (16,296 bytes)
  - 2017-06-16-2nd-run-Rig-EK-landing-page.txt (121,687 bytes)
  - 2017-06-16-2nd-run-Rig-EK-o32.tmp.txt (1,141 bytes)
  - 2017-06-16-2nd-run-Rig-EK-payload-Dreambot-4s0bv9d6.exe (266,752 bytes)
  - 2017-06-16-2nd-run-immedience.info-banners-uaps.txt (5,753 bytes)
  - 2017-06-16-2nd-run-popunder.php-from-original-site.txt (606 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign
TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

Shown above:  Traffic from the 2nd run filtered in Wireshark.
ASSOCIATED DOMAINS:
- [ip address redacted] port 80 - [domain redacted] - GET /popunder.php - Injected code from original site (1st run)
- [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site (2nd run)
- 80.77.82[.]41 port 80 - rabbey[.]info - GET /banners/uaps - HookAds redirect (1st run)
- 80.77.82[.]41 port 80 - immedience[.]info - GET /banners/uaps - HookAds redirect (2nd run)
- 188.225.75[.]148 port 80 - 188.225.75[.]148 - Rig EK (1st run)
- 188.225.76[.]234 port 80 - 188.225.76[.]234 - Rig EK (2nd run)
- 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
- 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /tor/voip2.rar - Dreambot post-infection traffic
- ipinfo[.]io - GET /ip - Dreambot post-infection location check
- 198.105.244[.]228 port 80 - wdwefwefwwfewdefewfwefw[.]onion - GET /images/[long string of characters].jpeg - Dreambot post-infection traffic
- 198.105.244[.]228 port 80 - wdwefwefwwfewdefewfwefw[.]onion - GET /images/[long string of characters].gif - Dreambot post-infection traffic
- various IP addresses on various ports - various domains - Dreambot post-infection Tor traffic
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash:  14e6a9025e7a268c33c98a6343179efc723a3fca80093f8c4ab58cf4d7c38798
 File size: 16,299 bytes
 File description: Rig EK flash exploit on 2017-06-16 (1st run)
- SHA256 hash:  ecb236418b4f6a294460723a3f19d236ac25df3adfd04cac5ff6a3ebeb1fcd0c
 File size: 16,296 bytes
 File description: Rig EK flash exploit on 2017-06-16 (2nd run)
MALWARE RETRIEVED FROM THE INFECTED HOSTS:
- SHA256 hash:  ca293693efbe0dca2b152e632fc8df70212994f00c471dc994034e53b6364dae
 File size: 251,392 bytes
 File location: C:\Users\[username]\AppData\Local\Temp\rp90ecmm.exe
 File description: HookAds campaign Rig EK payload on 2017-06-16 (1st run) - Dreambot
- SHA256 hash:  455bd97b601ea4048c0237950810e99d7d47710c37f0719ee77f053d0c8fa427
 File size: 266,752 bytes
 File location: C:\Users\[username]\AppData\Local\Temp\4s0bv9d6.exe
 File description: HookAds campaign Rig EK payload on 2017-06-16 (2nd run) - Dreambot
