2018-01-30 - RIG EK SENDS RAMNIT, FOLLOW-UP MALWARE: AZORULT
ASSOCIATED FILES:
- Zip archive of the pcaps: 2018-01-30-Rig-EK-pcaps.zip 6.0 MB (6,005,438 bytes)
- 2018-01-28-Ngay-campaign-Rig-EK-traffic.pcap (2,363,533 bytes)
- 2018-01-29-Ngay-campaign-Rig-EK-traffic.pcap (2,257,781 bytes)
- 2018-01-30-Ngay-campaign-Rig-EK-traffic.pcap (2,588,932 bytes)
- Zip archive of the malware: 2018-01-30-Rig-EK-malware-and-artifacts.zip 1.1 MB (1,054,283 bytes)
- 2018-01-28-Rig-EK-artifact-u32.tmp.txt (1,141 bytes)
- 2018-01-28-Rig-EK-flash-exploit.swf (11,909 bytes)
- 2018-01-28-Rig-EK-landing-page.txt (95,611 bytes)
- 2018-01-28-thru-30-Rig-EK-payload.exe (428,544 bytes)
- 2018-01-28-thru-30-follow-up-malware-prink.exe (909,312 bytes)
- 2018-01-29-Rig-EK-landing-page.txt (95,553 bytes)
- 2018-01-29-and-30-Rig-EK-artifact-u32.tmp.txt (1,141 bytes)
- 2018-01-29-and-30-Rig-EK-flash-exploit.swf (13,780 bytes)
- 2018-01-30-Rig-EK-landing-page.txt (95,534 bytes)
NOTES:
WEB TRAFFIC BLOCK LIST
The following block list is based on URLs and domains from the infection traffic. See the traffic images for more details.
- pumpme.ga
- jr753gey6528iyehd.com
- mdgoixkousej.com
- jinrdvvggkqsbafam.com
- http://31.31.203.14/prink.exe
- doueven.click
- gtlijnbttxtstnisew.com
- hndhysdogmddmlbms.com
- jblciykrcfxyymxwgdd.com
- okqigyiadj.com
- rgaonnkejei.com
- scihytydbukstbtwok.com
- xegrplmhtvfevx.com
- xvlaykoevuesourj.com
- yxvcjnrx.com
TRAFFIC
Shown above: Rig EK infection traffic from 2018-01-30 (part 1 of 2).
Shown above: Rig EK infection traffic from 2018-01-30 (part 2 of 2).
ASSOCIATED DOMAINS AND URLS:
- 88.99.48.65 port 80 - pumpme.ga - GET / (gate used by this campaign)
- 88.99.48.65 port 443 - pumpme.ga - HTTPS traffic
- 176.57.208.59 port 80 - 176.57.208.59 - Rig EK
- 194.87.99.20 port 443 - jr753gey6528iyehd.com - attempted TCP connections caused by Ramnit, but no response from the server
- 194.87.96.214 port 443 - mdgoixkousej.com - encrypted traffic caused by Ramnit
- 208.117.44.161 port 443 - jinrdvvggkqsbafam.com - encrypted traffic caused by Ramnit
- 31.31.203.14 port 80 - 31.31.203.14 - GET /prink.exe (AZORult follow-up malware)
- 191.101.245.101 port 80 - doueven.click - POST /gate.php (AZORult callback)
- DNS query for gtlijnbttxtstnisew.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for hndhysdogmddmlbms.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for jblciykrcfxyymxwgdd.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for okqigyiadj.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for rgaonnkejei.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for scihytydbukstbtwok.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for xegrplmhtvfevx.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for xvlaykoevuesourj.com - response: No such name (SOA a.gtld-servers.net)
- DNS query for yxvcjnrx.com - response: No such name (SOA a.gtld-servers.net)
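The block list above and the per-host traffic notes are the indicators a defender would actually search for in proxy and DNS logs, and the nine NXDOMAIN answers for never-registered .com names are the behavioural tell for Ramnit in these pcaps. The script below is an added example, not the author's code or anything from the pcaps: it loads the indicators exactly as listed on this page, parses a constructed log in a made-up `<timestamp> <client> dns|http ...` format (an assumption, not a real sensor's format), reports IOC hits by domain, IP and full URL, and flags any client with a burst of NXDOMAIN answers for distinct names.

```python
"""Match this post's Rig EK / Ramnit / AZORult indicators against log lines.

Added example, not code from the original post. The log format and the
sample lines are constructed for illustration; the indicators are copied
from the block list and the "associated domains and URLs" notes above.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Domains from the web traffic block list.
BLOCKED_DOMAINS = {
    "pumpme.ga", "jr753gey6528iyehd.com", "mdgoixkousej.com",
    "jinrdvvggkqsbafam.com", "doueven.click", "gtlijnbttxtstnisew.com",
    "hndhysdogmddmlbms.com", "jblciykrcfxyymxwgdd.com", "okqigyiadj.com",
    "rgaonnkejei.com", "scihytydbukstbtwok.com", "xegrplmhtvfevx.com",
    "xvlaykoevuesourj.com", "yxvcjnrx.com",
}
# IP addresses from the traffic notes (gate, Rig EK, Ramnit C2, AZORult).
BLOCKED_IPS = {
    "88.99.48.65", "176.57.208.59", "194.87.99.20", "194.87.96.214",
    "208.117.44.161", "31.31.203.14", "191.101.245.101",
}
# The one full URL given in the block list (AZORult download).
BLOCKED_URLS = {"http://31.31.203.14/prink.exe"}

# Constructed sample log (assumed format, not real sensor output):
#   <timestamp> <client_ip> dns <qname> <rcode>
#   <timestamp> <client_ip> http <method> <url> <status>
SAMPLE_LOG = """\
2018-01-30T14:55:01 10.1.1.5 http GET http://pumpme.ga/ 200
2018-01-30T14:55:03 10.1.1.5 http GET http://176.57.208.59/ 200
2018-01-30T14:55:10 10.1.1.5 dns jr753gey6528iyehd.com NOERROR
2018-01-30T14:55:12 10.1.1.5 dns gtlijnbttxtstnisew.com NXDOMAIN
2018-01-30T14:55:12 10.1.1.5 dns hndhysdogmddmlbms.com NXDOMAIN
2018-01-30T14:55:13 10.1.1.5 dns jblciykrcfxyymxwgdd.com NXDOMAIN
2018-01-30T14:55:13 10.1.1.5 dns okqigyiadj.com NXDOMAIN
2018-01-30T14:55:14 10.1.1.5 dns rgaonnkejei.com NXDOMAIN
2018-01-30T14:56:40 10.1.1.5 http GET http://31.31.203.14/prink.exe 200
2018-01-30T14:56:55 10.1.1.5 http POST http://doueven.click/gate.php 200
2018-01-30T14:57:00 10.1.1.9 http GET http://example.com/index.html 200
2018-01-30T14:57:02 10.1.1.9 dns example.com NOERROR
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, kind = parts[0], parts[1], parts[2]
    if kind == "dns" and len(parts) == 5:
        return {"ts": ts, "client": client, "kind": "dns",
                "qname": parts[3].lower().rstrip("."), "rcode": parts[4]}
    if kind == "http" and len(parts) == 6:
        return {"ts": ts, "client": client, "kind": "http",
                "method": parts[3], "url": parts[4], "status": parts[5]}
    return None


def match_iocs(records):
    """Return (client, indicator_type, indicator) for every record that hits the list."""
    hits = []
    for r in records:
        if r["kind"] == "dns":
            if r["qname"] in BLOCKED_DOMAINS:
                hits.append((r["client"], "domain", r["qname"]))
            continue
        host = (urlparse(r["url"]).hostname or "").lower()
        if r["url"] in BLOCKED_URLS:          # most specific match first
            hits.append((r["client"], "url", r["url"]))
        elif host in BLOCKED_DOMAINS:
            hits.append((r["client"], "domain", host))
        elif host in BLOCKED_IPS:             # covers "host" URLs that are bare IPs
            hits.append((r["client"], "ip", host))
    return hits


def nxdomain_bursts(records, threshold=5):
    """Clients that received NXDOMAIN for at least `threshold` distinct names.

    This is the list-independent signal: Ramnit kept asking for unregistered
    .com names, so a burst like this is worth a look even with no IOC hit.
    """
    per_client = defaultdict(set)
    for r in records:
        if r["kind"] == "dns" and r["rcode"] == "NXDOMAIN":
            per_client[r["client"]].add(r["qname"])
    return {c: sorted(names) for c, names in per_client.items()
            if len(names) >= threshold}


def analyze(log_text):
    """Run both checks over a log blob and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"ioc_hits": match_iocs(records), "nxdomain_bursts": nxdomain_bursts(records)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for hit in findings["ioc_hits"]:
        print("IOC hit:", *hit)
    for client, names in findings["nxdomain_bursts"].items():
        print(f"NXDOMAIN burst from {client}: {len(names)} names, e.g. {names[0]}")
```

The URL check runs before the domain and IP checks so a hit on the AZORult download is reported as the full URL rather than only as the IP. The NXDOMAIN threshold is a constructed starting point; in these pcaps a single host produced nine distinct NXDOMAIN names within the infection, so a threshold of five per client per short window would have caught it without any of the names being on a list yet.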
MALWARE
RIG EK FLASH EXPLOITS:
- 6a19146eb0ae8a352b166454f69bf95b4152f43b9692b4c014f9258f43be8d02 - 2018-01-28 Rig EK flash exploit
- 92c5c223db18b03e1630070d606fc3a2143fd8d637dddb6617615277b892204e - 2018-01-29 and 30 Rig EK flash exploit
MALWARE BINARIES:
- 726b21fde2206f9c8cf6e4ee75ccea70684ad2548f98aab8a42f53c7575a582f - 2018-01-28 thru 30 Rig EK payload (Ramnit)
- b0c91214a3ed6af1fb66938c96881af0b0633ce6f439ac9b9c6469c9dd770074 - 2018-01-28 thru 30 follow-up malware (AZORult)
IMAGES
Shown above: Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
Shown above: Malware (Ramnit) persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2018-01-30-Rig-EK-pcaps.zip 6.0 MB (6,005,438 bytes)
- Zip archive of the malware: 2018-01-30-Rig-EK-malware-and-artifacts.zip 1.1 MB (1,054,283 bytes)
All zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.