2017-07-17 - RIG EK DATA DUMP (HOOKADS AND SEAMLESS CAMPAIGNS)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-07-17-Rig-EK-data-dump-6-pcaps.zip   10.2 MB (10,179,016 bytes)

• 2017-07-17-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (348,094 bytes)
• 2017-07-17-2nd-run-HookAds-Rig-EK-sends-Dreambot-with-post-infection-traffic.pcap   (6,668,017 bytes)
• 2017-07-17-3rd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (390,804 bytes)
• 2017-07-17-4th-run-Seamless-Rig-EK-sends-Ramnit-with-post-infection-traffic.pcap   (2,002,338 bytes)
• 2017-07-17-5th-run-Seamless-Rig-EK-sends-Ramnit-with-post-infection-traffic.pcap   (1,794,866 bytes)
• 2017-07-17-6th-run-HookAds-Rig-EK-sends-Dreambot.pcap   (562,903 bytes)

• 2017-07-17-Rig-EK-data-dump-artifacts-and-malware.zip   1.6 MB (1,597,114 bytes)

• 2017-07-17-1st-run-HookAds-Rig-EK-payload-Dreambot.exe   (232,448 bytes)
• 2017-07-17-1st-run-HookAds-gate-at-experimea_info-countryhits.txt   (6,429 bytes)
• 2017-07-17-1st-run-Rig-EK-landing-page.txt   (122,643 bytes)
• 2017-07-17-1st-run-popunder.php.txt   (1,255 bytes)
• 2017-07-17-2nd-run-HookAds-Rig-EK-payload-Dreambot.exe   (231,936 bytes)
• 2017-07-17-2nd-run-HookAds-gate-at-experimea_info-countryhits.txt   (6,429 bytes)
• 2017-07-17-2nd-run-Rig-EK-landing-page.txt   (61,820 bytes)
• 2017-07-17-2nd-run-popunder.php.txt   (1,255 bytes)
• 2017-07-17-3rd-run-HookAds-Rig-EK-payload-Dreambot.exe   (310,272 bytes)
• 2017-07-17-3rd-run-HookAds-gate-at-experimea_info-countryhits.txt   (6,501 bytes)
• 2017-07-17-3rd-run-Rig-EK-landing-page.txt   (61,802 bytes)
• 2017-07-17-3rd-run-popunder.php.txt   (1,255 bytes)
• 2017-07-17-4th-run-Rig-EK-landing-page.txt   (61,741 bytes)
• 2017-07-17-4th-run-Seamless-Rig-EK-payload-Ramnit.exe   (241,664 bytes)
• 2017-07-17-5th-run-Rig-EK-landing-page.txt   (122,525 bytes)
• 2017-07-17-5th-run-Seamless-Rig-EK-payload-Ramnit.exe   (230,400 bytes)
• 2017-07-17-6th-run-HookAds-Rig-EK-payload-Dreambot.exe   (219,136 bytes)
• 2017-07-17-6th-run-HookAds-gate-at-experimea_info-countryhits.txt   (6,504 bytes)
• 2017-07-17-6th-run-Rig-EK-landing-page.txt   (122,450 bytes)
• 2017-07-17-6th-run-popunder.php.txt   (1,255 bytes)
• 2017-07-17-Ramnit-post-infection-binary-from-steelskull_com-AU2_EXEsd.exe   (509,952 bytes)
• 2017-07-17-Ramnit-post-infection-binary-from-steelskull_com-satbin.exe   (173,056 bytes)
• 2017-07-17-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-07-17-Rig-EK-flash-exploit.swf   (15,472 bytes)

 

ASSOCIATED FILES:

• Yesterday, @VK_Intel tweeted about a change in Rig EK URL patterns, noting base64 strings used in the HTTP GET requests (link).
• I did data dump in case anyone needs a few examples of the new URL patterns.
• Apart from the URL patterns, this is basically more of the same garbage we've seen from Rig EK in the past 2 to 3 months.

Rig EK:  New URL patterns, same garbage.

 

TRAFFIC

Shown above:  Traffic from one of the HookAds Rig EK pcaps, filtered in Wireshark.

 

Shown above:  Traffic from one of the Seamless Rig EK pcaps, filtered in Wireshark.

 

ASSOCIATED DOMAINS FOR HOOKADS CAMPAIGN USING RIG EK TO DELIVER DREAMBOT:

• [recacted] port 80 - [recacted] - GET /popunder.php
• 80.77.82[.]41 port 80 - experimea[.]info - GET /banners/countryhits
• 188.225.78[.]136 port 80 - 188.225.78[.]136 - Rig EK (first few times)
• 185.159.128[.]207 port 80 - 185.159.128[.]207 - Rig EK (last time)
• 142.91.104[.]107 port 80 - 142.91.104[.]107 - GET /images/[long string of characters]/.avi
• 142.91.104[.]107 port 80 - 142.91.104[.]107 - GET /windowsxp/t3.css
• ipinfo[.]io - GET /ip
• various IP addresses - various ports - Tor traffic

 

ASSOCIATED DOMAINS FOR SEAMLESS CAMPAIGN USING RIG EK TO DELIVER RAMNIT:

• An IP in the range 194.58.0[.]0/16 port 80 - 194.58.??.?? - GET /signup4.php
• 188.225.78[.]136 port 80 - 188.225.78[.]136 - Rig EK (first time)
• 185.159.128[.]207 port 80 - 185.159.128[.]207 - Rig EK (second time)
• google[.]com - Connectivity check - DNS queries and TCP connections, but no HTTP or HTTPS traffic
• 46.105.57[.]169 port 80 - www.steelskull[.]com - GET /wp-content/themes/twentyfifteen/satbin.exe
• 46.105.57[.]169 port 80 - www.steelskull[.]com - GET /wp-content/themes/twentyfifteen/AU2_EXEsd.exe
• 185.100.222[.]41 port 80 - parking-services[.]us - POST /gate.php
• api.ipify[.]org - Connectivity/IP address check over HTTPS/SSL/TLS
• 185.100.222[.]41 port 80 - parking-services[.]us - POST /teststeal/gate.php
• 185.118.65[.]143 port 443 - hdyejdn638ir8[.]com - Ramnit post-infection traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  644b6905a1a1b35620c5dd44bfd30e039bbeaa54799853b4b93ee7ee51bbbe0e
  File size:  15,472 bytes
  File description:  Rig EK flash exploit seen on 2017-07-17

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  8c9566ff0ab6df29f5d879e26d294e5836e3741b269a644ce497440a5e380164   -   Dreambot (1st run)
• SHA256 hash:  8bc2a1f203d87c731d036130c419ae6c7ad85eca159fe9c0effa32e5f97514ad   -   Dreambot (2nd run)
• SHA256 hash:  db6c76521f9adfbadd0f8bb54277d81fa784025dc9e0250d50e92f4742f0b669   -   Dreambot (3rd run)
• SHA256 hash:  515739205714a47c92e117342abdb1a7afa16747816a935bcb7b4a9ce7405401   -   Ramnit (4th run)
• SHA256 hash:  16aa9721fc22325227e041a7bc7a6a32b7523dc986c20a0f62513abe7261a8d9   -   Ramnit (5th run)
• SHA256 hash:  46a6356f31fc40cf9d5adc5ded0d56fc595b13154045b11e86882b5fbf62aa5d   -   Dreambot (6th run)

• SHA256 hash:  cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727   -   Post-infection binary after Ramint infection (1st of 2 files)
• SHA256 hash:  ec01ef73e22bb706baa87f994397d827b0cfeae0cc6bb8e9d5785e8171ed785c   -   Post-infection binary after Ramint infection (2nd of 2 files)

 

Click here to return to the main page.