Malware-Traffic-Analysis.net - 2017-06-19 - Rig EK from the HookAds campaign sends Dreambot

2017-06-19 - RIG EK FROM THE HOOKADS CAMPAIGN SENDS DREAMBOT

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip 2.7 MB (2,703,789 bytes)

2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap (2,839,777 bytes)

2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip 297.4 kB (297,428 bytes)

2017-06-19-HookAds-Rig-EK-payload-Dreambot-2nxu57tc.exe (350,208 bytes)

2017-06-19-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)

2017-06-19-Rig-EK-flash-exploit.swf (16,296 bytes)

2017-06-19-Rig-EK-landing-page.txt (60,928 bytes)

2017-06-19-original-site-popunder.php.txt (603 bytes)

2017-06-19-sungary.info-uaps.txt (5,736 bytes)

BACKGROUND ON THE HOOKADS CAMPAIGN:

2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign (link)

TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

[ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site
80.77.82[.]41 port 80 - sungary[.]info - GET /banners/uaps - HookAds redirect
92.53.119[.]254 port 80 - 92.53.119[.]254 - Rig EK
144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /tor/voip2.rar - Dreambot post-infection traffic
ipinfo[.]io - GET /ip - Dreambot post-infection location check
DNS query for wdwefwefwwfewdefewfwefw[.]onion - did not resolve
Some attempted Tor connections on TCP port 9090 and 443, but no response from the servers

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: f27d2c74b94d9f08fee0e166472b6275613e04e955ea631d06e63ac11e9badd3
File size: 16,296 bytes
File description: Rig EK flash exploit on 2017-06-19

MALWARE RETRIEVED FROM THE INFECTED HOST:

SHA256 hash: 320da7b8f30c94a14159d3de36a1e21594424ba37c6885bedc1a26ab52ab38a5
File size: 350,208 bytes
File location: C:\Users\[username]\AppData\Local\Temp\2nxu57tc.exe
File description: HookAds campaign Rig EK payload on 2017-06-19 - Dreambot

Click here to return to the main page.