2017-06-19 - RIG EK FROM THE HOOKADS CAMPAIGN SENDS DREAMBOT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip   2.7 MB (2,703,789 bytes)

• 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap   (2,839,777 bytes)

• ZIP archive of the artifacts and malware:  2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip   297 kB (296,628 bytes)

• 2017-06-19-HookAds-Rig-EK-payload-Dreambot-2nxu57tc.exe   (350,208 bytes)
• 2017-06-19-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-06-19-Rig-EK-flash-exploit.swf   (16,296 bytes)
• 2017-06-19-Rig-EK-landing-page.txt   (60,928 bytes)
• 2017-06-19-original-site-popunder.php.txt   (603 bytes)
• 2017-06-19-sungary.info-uaps.txt   (5,736 bytes)

 

BACKGROUND ON THE HOOKADS CAMPAIGN:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)
• 2017-02-19 through 2017-06-06 - Malware Breakdown:  various blog posts tagged "HookAds"   (link)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site
• 80.77.82.41 port 80 - sungary.info - GET /banners/uaps - HookAds redirect
• 92.53.119.254 port 80 - 92.53.119.254 - Rig EK
\
• 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
• 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - Dreambot post-infection traffic
• ipinfo.io - GET /ip - Dreambot post-infection location check
• DNS query for wdwefwefwwfewdefewfwefw.onion - did not resolve
• Some attempted Tor connections on TCP port 9090 and 443, but no response from the servers

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  f27d2c74b94d9f08fee0e166472b6275613e04e955ea631d06e63ac11e9badd3
  File size:  16,296 bytes
  File description:  Rig EK flash exploit on 2017-06-19

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  320da7b8f30c94a14159d3de36a1e21594424ba37c6885bedc1a26ab52ab38a5
  File size:  350,208 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\2nxu57tc.exe
  File description:  HookAds campaign Rig EK payload on 2017-06-19 - Dreambot

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip   2.7 MB (2,703,789 bytes)
• ZIP archive of the artifacts and malware:  2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip   297 kB (296,628 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.