2017-06-19 - RIG EK FROM THE HOOKADS CAMPAIGN SENDS DREAMBOT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip 2.7 MB (2,703,789 bytes)
- 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap (2,839,777 bytes)
- 2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip 297.4 kB (297,428 bytes)
- 2017-06-19-HookAds-Rig-EK-payload-Dreambot-2nxu57tc.exe (350,208 bytes)
- 2017-06-19-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-06-19-Rig-EK-flash-exploit.swf (16,296 bytes)
- 2017-06-19-Rig-EK-landing-page.txt (60,928 bytes)
- 2017-06-19-original-site-popunder.php.txt (603 bytes)
- 2017-06-19-sungary.info-uaps.txt (5,736 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign (link)
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site
- 80.77.82[.]41 port 80 - sungary[.]info - GET /banners/uaps - HookAds redirect
- 92.53.119[.]254 port 80 - 92.53.119[.]254 - Rig EK
- 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
- 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /tor/voip2.rar - Dreambot post-infection traffic
- ipinfo[.]io - GET /ip - Dreambot post-infection location check
- DNS query for wdwefwefwwfewdefewfwefw[.]onion - did not resolve
- Some attempted Tor connections on TCP port 9090 and 443, but no response from the servers
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: f27d2c74b94d9f08fee0e166472b6275613e04e955ea631d06e63ac11e9badd3
File size: 16,296 bytes
File description: Rig EK flash exploit on 2017-06-19
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 320da7b8f30c94a14159d3de36a1e21594424ba37c6885bedc1a26ab52ab38a5
File size: 350,208 bytes
File location: C:\Users\[username]\AppData\Local\Temp\2nxu57tc.exe
File description: HookAds campaign Rig EK payload on 2017-06-19 - Dreambot
Click here to return to the main page.