2017-08-25 - SEAMLESS CAMPAIGN RIG EK SENDS RAMNIT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-08-25-Seamless-campaign-Rig-EK-sends-Ramnit.pcap.zip   894 kB (893,960 bytes)

• 2017-08-25-Seamless-campaign-Rig-EK-sends-Ramnit.pcap   (959,167 bytes)

• 2017-08-25-Seamless-campaign-Rig-EK-malware-and-artifacts.zip   283.6 kB (283,567 bytes)

• 2017-08-25-194.58.40_48-signu4.php.txt   (328 bytes)
• 2017-08-25-Rig-EK-artifacts-o32.tmp.txt   (1,141 bytes)
• 2017-08-25-Rig-EK-flash-exploit.swf   (14,679 bytes)
• 2017-08-25-Rig-EK-landing-page.txt   (122,438 bytes)
• 2017-08-25-Seamless-campaign-Rig-EK-payload-Ramnit.exe   (288,256 bytes)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 194.58.40[.]48 port 80 - 194.58.40[.]48 - GET /signu4.php   [Seamless campaign gate]
• 188.225.27[.]148 port 80 - 188.225.27[.]148 - Rig EK
• 194.87.110[.]148 port 443 - encrypted traffic (not HTTPS/SSL/TLS)   [Ramnit post-infection traffic]
• 174.137.132[.]45 port 80 - w.bustbuy[.]com - GET /   [post-infection traffic from the infected Windows host]
• 54.72.11[.]253 port 80 - ww7.bustbuy[.]com - GET /   [post-infection traffic from the infected Windows host]

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  0f6a98038d73293c55e551d14751ec99ebf03d197a299a7bedc53cc5f9f059e1
  File size:  14,679 bytes
  File description:  Rig EK flash exploit seen on 2017-08-25

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  48d89a7362109171bcb16ac5e851f17807fe7b0cc855082d1069b6521906582d
  File location:  C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File size:  288,256 bytes
  File description:  Ramnit

 

Click here to return to the main page.