2017-06-20 - RIG EK FROM HOOKADS CAMPAIGN SENDS DREAMBOT & CHTHONIC

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-20-HookAds-Rig-EK-two-pcaps.zip   5.2 MB (5,232,207 bytes)

• 2017-06-20-1st-run-HookAds-Rig-EK-sends-Dreambot-and-Chthonic.pcap   (1,888,062 bytes)
• 2017-06-20-2nd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (3,694,234 bytes)

• 2017-06-20-HookAds-Rig-EK-artifacts-and-malware.zip   501.8 kB (501,759 bytes)

• 2017-06-20-1st-and-2nd-runs-HookAds-Rig-EK-payload-Dreambot.exe   (218,624 bytes)
• 2017-06-20-1st-and-2nd-runs-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-06-20-1st-and-2nd-runs-Rig-EK-flash-exploit.swf   (16,299 bytes)
• 2017-06-20-1st-run-HookAds-Rig-EK-payload-Chthonic.exe   (351,232 bytes)
• 2017-06-20-1st-run-Rig-EK-landing-page.txt   (121,380 bytes)
• 2017-06-20-2nd-run-Rig-EK-landing-page.txt   (121,419 bytes)

 

BACKGROUND ON THE HOOKADS CAMPAIGN:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)

OTHER NOTES:

• The first run has two instances of Rig EK from the HookAds campaign.
• The first run also has two different payloads: Dreambot and Chthonic
• No post-infection was seen from Dreambot in the first run.

 

TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 80.77.82[.]41 port 80 - observice[.]info - GET /banners/uaps   [HookAds redirect]
• 80.85.158[.]121 port 80 - 80.85.158[.]121 - Rig EK (1st run)
• 185.159.131[.]240 port 80 - 185.159.131[.]240 - Rig EK (2nd run)
• 47.91.121[.]220 port 80 - multifest[.]bit - POST /   [Chthonic post-infection traffic]
• 47.91.121[.]220 port 80 - multifest[.]bit - POST /com/   [Chthonic post-infection traffic]
• 52.174.55[.]168 port 53 - DNS queries for multifest[.]bit   [Chthonic post-infection traffic]
• 51.255.48[.]78 port 53 - DNS queries for A multifest[.]bit   [Chthonic post-infection traffic]
• 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /images/[long string of characters].avi - [Dreambot post-infection traffic]
• 144.168.45[.]110 port 80 - 144.168.45[.]110 - GET /tor/voip2.rar - [Dreambot post-infection traffic]
• ipinfo[.]io - GET /ip - [Dreambot post-infection location check]
• DNS query for wdwefwefwwfewdefewfwefw[.]onion - did not resolve - [Dreambot post-infection location check]
• Various IP addresses various ports - Tor traffic - [Dreambot post-infection]

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-20 (1st and 2nd runs)

MALWARE RETRIEVED FROM THE INFECTED HOSTS:

• SHA256 hash:  1fd7b6b244cbcac394452f540ef373fd5bfaa402273b29252f06edf2fd0432b7
  File size:  218,624 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds campaign Rig EK payload of Dreambot on 2017-06-20 (1st and 2nd runs) - Dreambot

• SHA256 hash:  192c3580b679a1c4e82f428e85d098d9b866676073d083b1eb312ead8d01ca39
  File size:  351,232 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds campaign Rig EK payload of Chthonic on 2017-06-20 (1st run) - Dreambot

 

Click here to return to the main page.