2017-07-10 - RIG EK FROM THE HOOKADS CAMPAIGN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-07-10-HookAds-Rig-EK-traffic-3-pcaps.zip   10.9 MB (10,861,474 bytes)

• 2017-07-10-1st-run-HookAds-Rig-EK.pcap   (5,353,889 bytes)
• 2017-07-10-2nd-run-HookAds-Rig-EK.pcap   (3,324,185 bytes)
• 2017-07-10-3rd-and-4th-run-HookAds-Rig-EK.pcap   (2,823,591 bytes)

• 2017-07-10-HookAds-Rig-EK-malware-and-artifacts.zip   569.2 kB (569,241 bytes)

• 2017-07-10-1st-run-Rig-EK-landing-page.txt   (61,281 bytes)
• 2017-07-10-1st-run-homocyte_info-banners-counterhits.txt   (6,397 bytes)
• 2017-07-10-1st-run-script-from-HookAds-related-site-popunder.php.txt   (1255 bytes)
• 2017-07-10-2nd-run-Rig-EK-landing-page.txt   (121,916 bytes)
• 2017-07-10-2nd-run-homocyte_info-banners-counterhits.txt   (6,465 bytes)
• 2017-07-10-2nd-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
• 2017-07-10-3rd-run-Rig-EK-landing-page.txt   (121,927 bytes)
• 2017-07-10-3rd-run-homocyte_info-banners-counterhits.txt   (6,473 bytes)
• 2017-07-10-3rd-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
• 2017-07-10-4th-run-Rig-EK-landing-page.txt   (121,981 bytes)
• 2017-07-10-4th-run-homocyte_info-banners-counterhits.txt   (6,377 bytes)
• 2017-07-10-4th-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
• 2017-07-10-HookAds-Rig-EK-payload-1st-thru-3rd-runs.exe   (291,328 bytes)
• 2017-07-10-HookAds-Rig-EK-payload-4th-run.exe   (204,800 bytes)
• 2017-07-10-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-07-10-Rig-EK-flash-exploit.swf   (14,732 bytes)

BACKGROUND ON THE HOOKADS CAMPAIGN:

• 2016-11-01 - Malwarebytes Blog:  The HookAds malvertising campaign   (link)
• 2017-05-14 - Zerophage Malware:  Rig EK delivers Chthonic   (link)
• 2017-06-14 - Zerophage Malware:  Rig EK via malvertising drops Dreambot   (link)
• 2017-06-30 - My previous blog on HookAds:  Rig EK from HookAds campaign sends Chthonic banking Trojan   (link)

NOTES:

• In the 3rd pcap, the browser crashed and restarted, creating another infection chain with a different malware payload.

 

TRAFFIC

Shown above:  Traffic from the 1st pcap filtered in Wireshark.

 

Shown above:  Traffic from the 2nd pcap filtered in Wireshark.

 

Shown above:  Traffic from the 3rd pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• [information removed] port 80 - [information removed] - GET /popunder.php  [injected script from HookAds-related site]
• 80.77.82[.]41 port 80 - homocyte[.]info - GET /banners/counterhits  [gate/redirect]
• 188.225.79[.]167 port 80 - 188.225.79[.]167 - Rig EK - 1st run
• 188.225.36[.]208 port 80 - 188.225.36[.]208 - Rig EK - 2nd through 4th runs
• 198.55.107[.]156 port 80 - 198.55.107[.]156 - post-infection HTTP traffic
• port 80 - ipinfo[.]io - GET /ip   [post-infection HTTP traffic]
• Various IP addresses and over various ports - Tor traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  2b9588b100426be65a1805ba825385aa708bc27cabbf07b3a8e9262c760a69ab
  File size:  14,732 bytes
  File description:  Rig EK flash exploit seen on 2017-07-10

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  5e09e3f7e8e1f94f1556969a89715f555cff5ff999b2e4402e044d4fb5d60ffc
  File size:  291,328 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds Rig EK payload, 1st through 3rd runs on 2017-07-10

• SHA256 hash:  d3a7e88986498cae0482f1f44d649a3caa8a84eec7721c3f812cc42e4b62f076
  File size:  204,800 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File description:  HookAds Rig EK payload, 4th run on 2017-07-10

 

Click here to return to the main page.