2017-06-21 - RIG EK SENDS BUNITU

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-21-Rig-EK-sends-Bunitu.pcap.zip   274 kB (273,571 bytes)

• 2017-06-21-Rig-EK-sends-Bunitu.pcap   (294,060 bytes)

• 2017-06-21-Rig-EK-artifacts-and-malware.zip   253.1 kB (253,105 bytes)

• 2017-06-21-Rig-EK-flash-exploit.swf   (16,299 bytes)
• 2017-06-21-Rig-EK-landing-page.txt   (121,339 bytes)
• 2017-06-21-Rig-EK-payload-Bunitu.exe   (177,498 bytes)
• 2017-06-21-post-infection-artifact-drudppf.dll   (13,312 bytes)

 

OTHER NOTES:

• This traffic has the same characteristics as I saw on 2017-05-09 (same type of redirect, same type of payload).

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 78.47.1[.222 port 80 - jackpotfr22[.]cf - GET /yo/?   [gate to Rig EK]
• 188.225.79[.]216 port 80 - 188.225.79[.]216 - Rig EK
• 5.79.85[.]218 port 443 - Post-infection Bunitu traffic (encrypted but not HTTPS/SSL/TLS)
• 62.75.222[.]235 port 443 - Post-infection Bunitu traffic (encrypted but not HTTPS/SSL/TLS)
• 66.199.231[.]77 port 443 - Post-infection Bunitu traffic (encrypted but not HTTPS/SSL/TLS)
• 209.85.144[.]100 port 443 - Post-infection Bunitu traffic (encrypted but not HTTPS/SSL/TLS)
• DNS query for i.demblickfine[.]com - resolved to 63.136.150[.]200 but no follow-up traffic
• DNS query for v.demblickfine[.]com - resolved to 4.140.29[.]249 but no follow-up traffic
• google[.]com - Post-infection check by infected host - follow-up TCP connection but no HTTP traffic

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  892b3990a09bb3391c5a1a591d9908a0e77db7385addc2c38cfcb32db265a970
  File size:  16,299 bytes
  File description:  Rig EK flash exploit on 2017-06-21 (1st and 2nd runs)

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  e7049140f7f07a48406a7de2e3a08fc8759af9f94de533210e99f69c34bc27aa
  File size:  177,498 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  Rig EK payload of Bunitu on 2017-06-21

Shown above:  The malware payload (re-named for today's malware archive).

 

• SHA256 hash:  951d15d83264c1ffd387fd871d3f0776e0016b00bc353e17c6911562da6e2169
  File size:  13,312 bytes
  File location:  C:\Users\[username]\AppData\Local\drudppf.dll
  File description:  Post-infection artifact

Shown above:  Windows registry update for persistence.

 

Click here to return to the main page.