2017-08-25 - SEAMLESS CAMPAIGN RIG EK SENDS RAMNIT
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-08-25-Seamless-campaign-Rig-EK-sends-Ramnit.pcap.zip 894 kB (893,960 bytes)
- 2017-08-25-Seamless-campaign-Rig-EK-sends-Ramnit.pcap (959,167 bytes)
- Zip archive of the malware: 2017-08-25-Seamless-campaign-Rig-EK-malware-and-artifacts.zip 283 kB (282,743 bytes)
- 2017-08-25-194.58.40.48-signu4.php.txt (328 bytes)
- 2017-08-25-Rig-EK-artifacts-o32.tmp.txt (1,141 bytes)
- 2017-08-25-Rig-EK-flash-exploit.swf (14,679 bytes)
- 2017-08-25-Rig-EK-landing-page.txt (122,438 bytes)
- 2017-08-25-Seamless-campaign-Rig-EK-payload-Ramnit.exe (288,256 bytes)
BACKGROUND:
- 2017-03-29 - Cisco Umbrella Blog: 'Seamless' Campaign Delivers Ramnit via Rig EK
- Also see blog posts by @DynamicAnalysis on MalwareBreakdown.com tagged "Seamless Campaign" (link)
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 194.58.40.48 port 80 - 194.58.40.48 - GET /signu4.php [Seamless campaign gate]
- 188.225.27.148 port 80 - 188.225.27.148 - Rig EK
- 194.87.110.148 port 443 - encrypted traffic (not HTTPS/SSL/TLS) [Ramnit post-infection traffic]
- 174.137.132.45 port 80 - w.bustbuy.com - GET / [post-infection traffic from the infected Windows host]
- 54.72.11.253 port 80 - ww7.bustbuy.com - GET / [post-infection traffic from the infected Windows host]
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: 0f6a98038d73293c55e551d14751ec99ebf03d197a299a7bedc53cc5f9f059e1
File size: 14,679 bytes
File description: Rig EK flash exploit seen on 2017-08-25
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 48d89a7362109171bcb16ac5e851f17807fe7b0cc855082d1069b6521906582d
File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
File size: 288,256 bytes
File description: Ramnit
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-08-25-Seamless-campaign-Rig-EK-sends-Ramnit.pcap.zip 894 kB (893,960 bytes)
- Zip archive of the malware: 2017-08-25-Seamless-campaign-Rig-EK-malware-and-artifacts.zip 283 kB (282,743 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.