2017-06-19 - RIG EK FROM THE HOOKADS CAMPAIGN SENDS DREAMBOT
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip 2.7 MB (2,703,789 bytes)
- 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap (2,839,777 bytes)
- ZIP archive of the artifacts and malware: 2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip 297 kB (296,628 bytes)
- 2017-06-19-HookAds-Rig-EK-payload-Dreambot-2nxu57tc.exe (350,208 bytes)
- 2017-06-19-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-06-19-Rig-EK-flash-exploit.swf (16,296 bytes)
- 2017-06-19-Rig-EK-landing-page.txt (60,928 bytes)
- 2017-06-19-original-site-popunder.php.txt (603 bytes)
- 2017-06-19-sungary.info-uaps.txt (5,736 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign (link)
- 2017-02-19 through 2017-06-06 - Malware Breakdown: various blog posts tagged "HookAds" (link)
TRAFFIC
[Screenshot not reproduced here: Traffic from the infection filtered in Wireshark.]
ASSOCIATED DOMAINS:
- [ip address redacted] port 80 - [domain redacted] - GET /js/popunder.php - Injected code from original site
- 80.77.82.41 port 80 - sungary.info - GET /banners/uaps - HookAds redirect
- 92.53.119.254 port 80 - 92.53.119.254 - Rig EK
- 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - Dreambot post-infection traffic
- 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - Dreambot post-infection traffic
- ipinfo.io - GET /ip - Dreambot post-infection location check
- DNS query for wdwefwefwwfewdefewfwefw.onion - did not resolve
- Some attempted Tor connections on TCP port 9090 and 443, but no response from the servers
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: f27d2c74b94d9f08fee0e166472b6275613e04e955ea631d06e63ac11e9badd3
File size: 16,296 bytes
File description: Rig EK flash exploit on 2017-06-19
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 320da7b8f30c94a14159d3de36a1e21594424ba37c6885bedc1a26ab52ab38a5
File size: 350,208 bytes
File location: C:\Users\[username]\AppData\Local\Temp\2nxu57tc.exe
File description: HookAds campaign Rig EK payload on 2017-06-19 - Dreambot
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-19-HookAds-Rig-EK-sends-Dreambot.pcap.zip 2.7 MB (2,703,789 bytes)
- ZIP archive of the artifacts and malware: 2017-06-19-HookAds-Rig-EK-artifacts-and-malware.zip 297 kB (296,628 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.