2017-06-16 - RIG EK FROM THE HOOKADS CAMPAIGN
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-06-16-HookAds-Rig-EK-pcaps.zip 7.3 MB (7,278,465 bytes)
- 2017-06-16-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap (3,819,524 bytes)
- 2017-06-16-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap (3,963,196 bytes)
- ZIP archive of the artifacts and malware: 2017-06-16-HookAds-Rig-EK-artifacts-and-malware.zip 495 kB (494,670 bytes)
- 2017-06-16-1st-run-Rig-EK-flash-exploit.swf (16,299 bytes)
- 2017-06-16-1st-run-Rig-EK-landing-page.txt (60,820 bytes)
- 2017-06-16-1st-run-Rig-EK-o32.tmp.txt (1,141 bytes)
- 2017-06-16-1st-run-Rig-EK-payload-Dreambot-rp90ecmm.exe (251,392 bytes)
- 2017-06-16-1st-run-popunder.php-from-original-site.txt (602 bytes)
- 2017-06-16-1st-run-rabbey.info-bannders-uaps.txt (5,772 bytes)
- 2017-06-16-2nd-run-Rig-EK-flash-exploit.swf (16,296 bytes)
- 2017-06-16-2nd-run-Rig-EK-landing-page.txt (121,687 bytes)
- 2017-06-16-2nd-run-Rig-EK-o32.tmp.txt (1,141 bytes)
- 2017-06-16-2nd-run-Rig-EK-payload-Dreambot-4s0bv9d6.exe (266,752 bytes)
- 2017-06-16-2nd-run-immedience.info-banners-uaps.txt (5,753 bytes)
- 2017-06-16-2nd-run-popunder.php-from-original-site.txt (606 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign
- 2017-02-19 through 2017-06-06 - Malware Breakdown: various blog posts tagged "HookAds"
TRAFFIC
[Image not reproduced here: Traffic from the 1st run filtered in Wireshark.]
[Image not reproduced here: Traffic from the 2nd run filtered in Wireshark.]
ASSOCIATED DOMAINS:
- [ip address redacted] port 80 - [domain redacted] - GET /popunder.php - Injected code from original site (1st run)
- [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site (2nd run)
- 80.77.82.41 port 80 - rabbey.info - GET /banners/uaps - HookAds redirect (1st run)
- 80.77.82.41 port 80 - immedience.info - GET /banners/uaps - HookAds redirect (2nd run)
- 188.225.75.148 port 80 - 188.225.75.148 - Rig EK (1st run)
- 188.225.76.234 port 80 - 188.225.76.234 - Rig EK (2nd run)
- 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
- 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - Dreambot post-infection traffic
- ipinfo.io - GET /ip - Dreambot post-infection location check
- 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].jpeg - Dreambot post-infection traffic
- 198.105.244.228 port 80 - wdwefwefwwfewdefewfwefw.onion - GET /images/[long string of characters].gif - Dreambot post-infection traffic
- various IP addresses on various ports - various domains - Dreambot post-infection Tor traffic
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: 14e6a9025e7a268c33c98a6343179efc723a3fca80093f8c4ab58cf4d7c38798
File size: 16,299 bytes
File description: Rig EK flash exploit on 2017-06-16 (1st run)
- SHA256 hash: ecb236418b4f6a294460723a3f19d236ac25df3adfd04cac5ff6a3ebeb1fcd0c
File size: 16,296 bytes
File description: Rig EK flash exploit on 2017-06-16 (2nd run)
MALWARE RETRIEVED FROM THE INFECTED HOSTS:
- SHA256 hash: ca293693efbe0dca2b152e632fc8df70212994f00c471dc994034e53b6364dae
File size: 251,392 bytes
File location: C:\Users\[username]\AppData\Local\Temp\rp90ecmm.exe
File description: HookAds campaign Rig EK payload on 2017-06-16 (1st run) - Dreambot
- SHA256 hash: 455bd97b601ea4048c0237950810e99d7d47710c37f0719ee77f053d0c8fa427
File size: 266,752 bytes
File location: C:\Users\[username]\AppData\Local\Temp\4s0bv9d6.exe
File description: HookAds campaign Rig EK payload on 2017-06-16 (2nd run) - Dreambot
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-06-16-HookAds-Rig-EK-pcaps.zip 7.3 MB (7,278,465 bytes)
- ZIP archive of the artifacts and malware: 2017-06-16-HookAds-Rig-EK-artifacts-and-malware.zip 495 kB (494,670 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.