2017-06-20 - RIG EK FROM HOOKADS CAMPAIGN SENDS DREAMBOT & CHTHONIC

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-06-20-HookAds-Rig-EK-pcaps.zip   5.2 MB (5,231,863 bytes)

• 2017-06-20-1st-run-HookAds-Rig-EK-sends-Dreambot-and-Chthonic.pcap   (1,888,062 bytes)
• 2017-06-20-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,694,234 bytes)

• ZIP archive of the artifacts and malware:  2017-06-20-HookAds-Rig-EK-artifacts-and-malware.zip   501 kB (500,959 bytes)

• 2017-06-20-1st-and-2nd-runs-HookAds-Rig-EK-payload-Dreambot.exe   (218,624 bytes)
• 2017-06-20-1st-and-2nd-runs-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-06-20-1st-and-2nd-runs-Rig-EK-flash-exploit.swf   (16,299 bytes)
• 2017-06-20-1st-run-HookAds-Rig-EK-payload-Chthonic.exe   (351,232 bytes)
• 2017-06-20-1st-run-Rig-EK-landing-page.txt   (121,380 bytes)
• 2017-06-20-2nd-run-Rig-EK-landing-page.txt   (121,419 bytes)

 

BACKGROUND ON THE HOOKADS CAMPAIGN:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)
• 2017-02-19 through 2017-06-20 - Malware Breakdown:  various blog posts tagged "HookAds"   (link)

OTHER NOTES:

• The first run has two instances of Rig EK from the HookAds campaign.
• The first run also has two different payloads: Dreambot and Chthonic
• No post-infection was seen from Dreambot in the first run.

 

TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 80.77.82.41 port 80 - observice.info - GET /banners/uaps   [HookAds redirect]
• 80.85.158.121 port 80 - 80.85.158.121 - Rig EK (1st run)
• 185.159.131.240 port 80 - 185.159.131.240 - Rig EK (2nd run)
• 47.91.121.220 port 80 - multifest.bit - POST /   [Chthonic post-infection traffic]
• 47.91.121.220 port 80 - multifest.bit - POST /com/   [Chthonic post-infection traffic]
• 52.174.55.168 port 53 - DNS queries for multifest.bit   [Chthonic post-infection traffic]
• 51.255.48.78 port 53 - DNS queries for A multifest.bit   [Chthonic post-infection traffic]
• 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - [Dreambot post-infection traffic]
• 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - [Dreambot post-infection traffic]
• ipinfo.io - GET /ip - [Dreambot post-infection location check]
• DNS query for wdwefwefwwfewdefewfwefw.onion - did not resolve - [Dreambot post-infection location check]
• Various IP addresses various ports - Tor traffic - [Dreambot post-infection]

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-20 (1st and 2nd runs)

MALWARE RETRIEVED FROM THE INFECTED HOSTS:

• SHA256 hash:  1fd7b6b244cbcac394452f540ef373fd5bfaa402273b29252f06edf2fd0432b7
  File size:  218,624 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds campaign Rig EK payload of Dreambot on 2017-06-20 (1st and 2nd runs) - Dreambot

• SHA256 hash:  192c3580b679a1c4e82f428e85d098d9b866676073d083b1eb312ead8d01ca39
  File size:  351,232 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds campaign Rig EK payload of Chthonic on 2017-06-20 (1st run) - Dreambot

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-06-20-HookAds-Rig-EK-pcaps.zip   5.2 MB (5,231,863 bytes)
• ZIP archive of the artifacts and malware:  2017-06-20-HookAds-Rig-EK-artifacts-and-malware.zip   501 kB (500,959 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.