2017-06-30 - RIG EK FROM HOOKADS CAMPAIGN SENDS CHTHONIC BANKING TROJAN
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-30-HookAds-Rig-EK-sends-Chthonic.pcap.zip 2.4 MB (2,433,334 bytes)
- 2017-06-30-HookAds-Rig-EK-sends-Chthonic.pcap (2,946,243 bytes)
- 2017-06-30-HookAds-Rig-EK-artifacts-and-malware.zip 230 kB (230,173 bytes)
- 2017-06-30-HookAds-Rig-EK-payload-Chthonic.exe (256,512 bytes)
- 2017-06-30-HookAds-script-from-original-site-popunder.php.txt (1,247 bytes)
- 2017-06-30-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-06-30-Rig-EK-flash-exploit.swf (16,451 bytes)
- 2017-06-30-Rig-EK-landing-page.txt (61,294 bytes)
- 2017-06-30-operty.info-banners-bbwjobs.txt (6,397 bytes)
BACKGROUND ON THE HOOKADS CAMPAIGN:
- 2016-11-01 - Malwarebytes Blog: The HookAds malvertising campaign (link)
- 2017-05-14 - Zerophage Malware: Rig EK delivers Chthonic (link)
- 2017-06-14 - Zerophage Malware: Rig EK via malvertising drops Dreambot (link)
- 2017-06-20 - My previous blog on HookAds: Rig EK from HookAds campaign sends Dreambot and Chthonic (link)
BACKGROUND ON THE CHTHONIC BANKING TROJAN:
- 2014-12-18 - SecureList (run by Kaspserky Lab): Chthonic: a new modification of ZeuS (link)
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- [ip address redacted] port 80 - [domain redacted] - GET /popunder.php - Injected code from original site
- 80.77.82[.]41 port 80 - operty.info - GET /banners/bbwjobs - HookAds redirect
- 188.225.79[.]124 port 80 - 188.225.79[.]124 - Rig EK
- Various IP addresses over TCP port 53 - DNS queries for multifest.bit
- 49.51.37[.]177 port 80 - multifest[.]bit - POST / - Chthonic post-infection traffic
- 49.51.37[].177 port 80 - multifest[.]bit - POST /com/ - Chthonic post-infection traffic
- 46.173.218[.]100 port 80 - multifest[].bit - attempted TCP connections, but no response from the server
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: aaec3850f24c100d0780145fcfb2fd982868f552dd102144c5c933b3b62c406f
File size: 16,451 bytes
File description: Rig EK flash exploit seen on 2017-06-30
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 61d8a0ed328566e570b00d224e29994c3f8d70e93e848f98b391d2d9e048c8b8
File size: 256,512 bytes
File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
File location: C:\Users\[username]\AppData\Roaming\Windows Mail\WeindowsMailU.exe
File description: HookAds campaign Rig EK payload seen on 2017-06-30 - Chthonic
IMAGES
Shown above: Chthonic banking Trojan made persistent on the infected Windows host.
Click here to return to the main page.