2017-08-28 - FOBOS CAMPAIGN RIG EK SENDS BUNITU
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-08-28-Fobos-campaign-Rig-EK-sends-Bunitu.pcap.zip 527 kB (527,142 bytes)
- 2017-08-28-Fobos-campaign-Rig-EK-sends-Bunitu.pcap (595,648 bytes)
- Zip archive of the malware: 2017-08-28-Fobos-campaign-Rig-EK-malware-and-artifacts.zip 177 kB (177,245 bytes)
- 2017-08-28-Fobos-campaing-Rig-EK-payload-Bunitu.exe (252,928 bytes)
- 2017-08-28-Rig-EK-flash-exploit.swf (14,673 bytes)
- 2017-08-28-Rig-EK-landing-page.txt (61,637 bytes)
- 2017-08-28-gamebingfree.info.txt (17,123 bytes)
- 2017-08-28-trext-returned-from-212jhhhvvhhvvhv.cf.txt (540 bytes)
BACKGROUND:
- 2017-03-15 - FireEye Blog: Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits
- 2017-08-16 - MalwareBreakdown.com: Fobos Campaign Using RIG EK to Drop Bunitu Trojan
TRAFFIC
- Screenshot (not reproduced here): Traffic from the infection filtered in Wireshark, focusing on Bunitu post-infection traffic.
- Screenshot (not reproduced here): Traffic from the infection filtered in Wireshark, showing HTTP click-fraud traffic.
- Screenshot (not reproduced here): Some alerts on the traffic from the Emerging Threats and ETPRO rulesets, using Sguil and tcpreplay on Security Onion.
ASSOCIATED DOMAINS:
- 78.47.1.212 port 80 - gamebingfree.info - Domain used by Fobos campaign
- 78.47.1.212 port 80 - 212jhhhvvhhvvhv.cf - GET /craff/index.php?ps=494054757037 [redirect/gate]
- 188.225.73.49 port 80 - 188.225.73.49 - Rig EK
- 216.58.206.78 port 443 - 216.58.206.78 - Bunitu post-infection traffic (encrypted)
- 62.212.66.85 port 443 - 62.212.66.85 - Bunitu post-infection traffic (encrypted)
- Various IP addresses port 80 and 443 - various domains - Post-infection click-fraud traffic
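The indicators above are most useful when turned into a repeatable check. The following is an added example, not code from this page or its author: it encodes the listed hosts, IPs, ports and gate URI as detection rules and runs them over a constructed, tab-separated HTTP/connection log (timestamp, src IP, dst IP, dst port, Host header, URI; "-" for absent fields). The log lines are made up for illustration; only the indicator values come from the page, and the assumption that the gate's `ps=` value varies per victim is mine.

```python
import re
from typing import NamedTuple, Optional

# Indicators transcribed from the "ASSOCIATED DOMAINS" list on this page.
FOBOS_HOSTS = {"gamebingfree.info", "212jhhhvvhhvvhv.cf"}
RIG_EK_IPS = {"188.225.73.49"}
BUNITU_C2_IPS = {"216.58.206.78", "62.212.66.85"}
# Gate URI seen in the pcap: /craff/index.php?ps=<digits>. The ps value is
# assumed to vary between victims, so any run of digits is accepted.
GATE_URI = re.compile(r"^/craff/index\.php\?ps=\d+$")

class Hit(NamedTuple):
    line_no: int
    stage: str
    value: str

def classify(dst_ip: str, dst_port: int, host: Optional[str], uri: Optional[str]):
    """Return the infection stage a single connection matches, or None."""
    if host in FOBOS_HOSTS and GATE_URI.match(uri or ""):
        return "fobos-gate"
    if host in FOBOS_HOSTS:
        return "fobos-campaign-domain"
    if dst_ip in RIG_EK_IPS and dst_port == 80:
        return "rig-ek"
    if dst_ip in BUNITU_C2_IPS and dst_port == 443:
        return "bunitu-post-infection"
    return None

def scan_log(lines):
    """Scan tab-separated lines: ts, src_ip, dst_ip, dst_port, host, uri."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        fields = raw.rstrip("\n").split("\t")
        if len(fields) != 6 or not fields[3].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        _ts, _src, dst, port, host, uri = fields
        host = None if host == "-" else host  # "-" marks an absent field
        uri = None if uri == "-" else uri
        stage = classify(dst, int(port), host, uri)
        if stage:
            hits.append(Hit(n, stage, host or dst))
    return hits

# Constructed sample log (not taken from the pcap).
SAMPLE_LOG = [
    "2017-08-28T14:01:02\t10.0.0.5\t78.47.1.212\t80\tgamebingfree.info\t/",
    "2017-08-28T14:01:03\t10.0.0.5\t78.47.1.212\t80\t212jhhhvvhhvvhv.cf\t/craff/index.php?ps=494054757037",
    "2017-08-28T14:01:05\t10.0.0.5\t188.225.73.49\t80\t188.225.73.49\t/",
    "2017-08-28T14:01:20\t10.0.0.5\t216.58.206.78\t443\t-\t-",
    "2017-08-28T14:02:00\t10.0.0.5\t93.184.216.34\t443\texample.com\t/",
]
```

Running `scan_log(SAMPLE_LOG)` returns one hit per stage in the order the chain unfolded (campaign domain, gate, Rig EK, Bunitu), with the unrelated final line ignored.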
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: 79110cca9c884606f8c753c76a6a25ba1933ff2f98add2f2f8977b020baf9aab
  File size: 14,673 bytes
  File description: Rig EK flash exploit seen on 2017-08-28
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 9b7a49b36e7900286e9f371894557f081204b313085a7e03199ede054cfbf6c0
  File location: C:\Users\[username]\AppData\Local\Temp\[random characters].exe
  File size: 252,928 bytes
  File description: Bunitu
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-08-28-Fobos-campaign-Rig-EK-sends-Bunitu.pcap.zip 527 kB (527,142 bytes)
- Zip archive of the malware: 2017-08-28-Fobos-campaign-Rig-EK-malware-and-artifacts.zip 177 kB (177,245 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.