2017-06-20 - RIG EK FROM HOOKADS CAMPAIGN SENDS DREAMBOT & CHTHONIC
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-06-20-HookAds-Rig-EK-pcaps.zip 5.2 MB (5,231,863 bytes)
- 2017-06-20-1st-run-HookAds-Rig-EK-sends-Dreambot-and-Chthonic.pcap (1,888,062 bytes)
- 2017-06-20-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap (3,694,234 bytes)
- ZIP archive of the artifacts and malware: 2017-06-20-HookAds-Rig-EK-artifacts-and-malware.zip 501 kB (500,959 bytes)
- 2017-06-20-1st-and-2nd-runs-HookAds-Rig-EK-payload-Dreambot.exe (218,624 bytes)
- 2017-06-20-1st-and-2nd-runs-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-06-20-1st-and-2nd-runs-Rig-EK-flash-exploit.swf (16,299 bytes)
- 2017-06-20-1st-run-HookAds-Rig-EK-payload-Chthonic.exe (351,232 bytes)
- 2017-06-20-1st-run-Rig-EK-landing-page.txt (121,380 bytes)
- 2017-06-20-2nd-run-Rig-EK-landing-page.txt (121,419 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign (link)
- 2017-02-19 through 2017-06-20 - Malware Breakdown: various blog posts tagged "HookAds" (link)
OTHER NOTES:
- The first run has two instances of Rig EK from the HookAds campaign.
- The first run also has two different payloads: Dreambot and Chthonic
- No post-infection was seen from Dreambot in the first run.
TRAFFIC
Shown above: Traffic from the 1st run filtered in Wireshark.
Shown above: Traffic from the 2nd run filtered in Wireshark.
ASSOCIATED DOMAINS:
- 80.77.82.41 port 80 - observice.info - GET /banners/uaps [HookAds redirect]
- 80.85.158.121 port 80 - 80.85.158.121 - Rig EK (1st run)
- 185.159.131.240 port 80 - 185.159.131.240 - Rig EK (2nd run)
- 47.91.121.220 port 80 - multifest.bit - POST / [Chthonic post-infection traffic]
- 47.91.121.220 port 80 - multifest.bit - POST /com/ [Chthonic post-infection traffic]
- 52.174.55.168 port 53 - DNS queries for multifest.bit [Chthonic post-infection traffic]
- 51.255.48.78 port 53 - DNS queries for A multifest.bit [Chthonic post-infection traffic]
- 144.168.45.110 port 80 - 144.168.45.110 - GET /images/[long string of characters].avi - [Dreambot post-infection traffic]
- 144.168.45.110 port 80 - 144.168.45.110 - GET /tor/voip2.rar - [Dreambot post-infection traffic]
- ipinfo.io - GET /ip - [Dreambot post-infection location check]
- DNS query for wdwefwefwwfewdefewfwefw.onion - did not resolve - [Dreambot post-infection location check]
- Various IP addresses various ports - Tor traffic - [Dreambot post-infection]
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: 892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970
File size: 16,299 bytes
File description: Rig EK flash exploit on 2017-06-20 (1st and 2nd runs)
MALWARE RETRIEVED FROM THE INFECTED HOSTS:
- SHA256 hash: 1fd7b6b244cbcac394452f540ef373fd5bfaa402273b29252f06edf2fd0432b7
File size: 218,624 bytes
File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
File description: HookAds campaign Rig EK payload of Dreambot on 2017-06-20 (1st and 2nd runs) - Dreambot
- SHA256 hash: 192c3580b679a1c4e82f428e85d098d9b866676073d083b1eb312ead8d01ca39
File size: 351,232 bytes
File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
File description: HookAds campaign Rig EK payload of Chthonic on 2017-06-20 (1st run) - Dreambot
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-06-20-HookAds-Rig-EK-pcaps.zip 5.2 MB (5,231,863 bytes)
- ZIP archive of the artifacts and malware: 2017-06-20-HookAds-Rig-EK-artifacts-and-malware.zip 501 kB (500,959 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.