2018-03-15 - GRANDSOFT EK SENDS AZORULT
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-03-15-GrandSoft-EK-four-pcaps.zip 2.9 MB (2,871,736 bytes)
- 2018-03-15-GrandSoft-EK-1st-run-traffic.pcap (797,486 bytes)
- 2018-03-15-GrandSoft-EK-2nd-run-traffic.pcap (796,263 bytes)
- 2018-03-15-GrandSoft-EK-3rd-run-traffic.pcap (823,982 bytes)
- 2018-03-15-GrandSoft-EK-4th-run-traffic.pcap (871,289 bytes)
- Zip archive of the associated malware and artifacts: 2018-03-15-GrandSoft-EK-malware-and-artifacts.zip 428 kB (428,142 bytes)
- 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-10A0A0A0.txt (18,153 bytes)
- 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-dwie.hta.txt (6,492 bytes)
- 2018-03-15-GrandSoft-EK-2nd-run-8A1A0A0.txt (18,120 bytes)
- 2018-03-15-GrandSoft-EK-all-4-runs-EK-payload-AZORult.exe (712,704 bytes)
- 2018-03-15-GrandSoft-EK-all-4-runs-landing-page.txt (49,073 bytes)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and partial URL:
- lookatmyhorse.cf
- infra.creationskvu.xyz
- asserts.miltondaza.xyz
- misinterpreting.ktmcmoderatorqzu.xyz
- bgmystorches.ktmcmoderatorqzu.xyz
- hxxp://doueven.click/nonono/
TRAFFIC
[Images 1 through 4 of 4: infection traffic from each of the four runs, filtered in Wireshark.]
GATE LEADING TO GRANDSOFT EK:
- 167.99.82.8 port 443 - lookatmyhorse.cf - GET / [HTTPS, but can be tested using HTTP]
GRANDSOFT EK:
- 62.109.4.135 port 80 - infra.creationskvu.xyz
- 62.109.4.135 port 80 - asserts.miltondaza.xyz
- 62.109.4.135 port 80 - misinterpreting.ktmcmoderatorqzu.xyz
- 62.109.4.135 port 80 - bgmystorches.ktmcmoderatorqzu.xyz
POST-INFECTION TRAFFIC FROM AZORULT:
- 191.101.245.46 port 80 - doueven.click - POST /nonono/gegejokoew.php
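The indicators above split into three roles: the gate, the GrandSoft EK hosts (all on 62.109.4.135), and the AZORult check-in. The following is an added example, not code from the post, showing how a practitioner might turn that list into detection logic: a small Python script that matches proxy-style log lines against the domains and the one partial URL, labels each hit with its stage in the chain, and builds the equivalent Wireshark display filter. The log format, the sample lines, and the request paths for the EK hosts are constructed for the example (the post only records `GET /` for the gate and the AZORult POST path). Treating a listed domain as also covering its subdomains is an assumed policy, not something the post states.

```python
"""Match web log lines against the GrandSoft EK / AZORult indicators from this post."""
import re
from typing import List, NamedTuple, Optional

# Indicators copied from the post, grouped by the role each host plays in the chain.
# Assumed policy: a listed domain also matches any subdomain of it.
INDICATORS = {
    "gate": {"lookatmyhorse.cf"},
    "GrandSoft EK": {
        "infra.creationskvu.xyz",
        "asserts.miltondaza.xyz",
        "misinterpreting.ktmcmoderatorqzu.xyz",
        "bgmystorches.ktmcmoderatorqzu.xyz",
    },
}
# The post-infection indicator is a partial URL: host plus path prefix.
URL_PREFIXES = {("doueven.click", "/nonono/"): "AZORult post-infection"}


class Hit(NamedTuple):
    line_no: int
    stage: str
    host: str
    uri: str


def _host_matches(host: str, domain: str) -> bool:
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(host: str, uri: str) -> Optional[str]:
    """Return the chain stage a request belongs to, or None if it matches nothing."""
    for stage, domains in INDICATORS.items():
        if any(_host_matches(host, d) for d in domains):
            return stage
    for (domain, prefix), stage in URL_PREFIXES.items():
        if _host_matches(host, domain) and uri.startswith(prefix):
            return stage
    return None


# Constructed log format (not from the post): "<ts> <client> <server:port> <method> <host> <uri>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line that matches an indicator, in file order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the scan
        _ts, _client, _server, _method, host, uri = m.groups()
        stage = classify(host, uri)
        if stage:
            hits.append(Hit(n, stage, host, uri))
    return hits


def wireshark_filter() -> str:
    """Build a Wireshark/tshark display filter for the indicators.
    The gate was seen over HTTPS, so it is matched on the TLS SNI rather than http.host."""
    http_hosts = sorted(d for s, ds in INDICATORS.items() if s != "gate" for d in ds)
    http_hosts += sorted(d for d, _ in URL_PREFIXES)
    parts = [f'http.host == "{h}"' for h in http_hosts]
    parts += [f'tls.handshake.extensions_server_name == "{h}"' for h in sorted(INDICATORS["gate"])]
    return " || ".join(parts)


# Constructed sample log: one clean request, the chain from the post, and a
# request to the C2 host outside the listed /nonono/ path (should not match).
SAMPLE_LOG = """\
2018-03-15T14:02:01Z 10.0.0.25 203.0.113.10:443 GET www.example.com /
2018-03-15T14:02:03Z 10.0.0.25 167.99.82.8:443 GET lookatmyhorse.cf /
2018-03-15T14:02:05Z 10.0.0.25 62.109.4.135:80 GET infra.creationskvu.xyz /
2018-03-15T14:02:07Z 10.0.0.25 62.109.4.135:80 GET asserts.miltondaza.xyz /
2018-03-15T14:02:20Z 10.0.0.25 191.101.245.46:80 POST doueven.click /nonono/gegejokoew.php
2018-03-15T14:02:22Z 10.0.0.25 191.101.245.46:80 GET doueven.click /favicon.ico
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.stage:<22} {hit.host}{hit.uri}")
    print("\nWireshark filter:\n" + wireshark_filter())
```

The favicon request to doueven.click is deliberately left unmatched: the post lists only the `/nonono/` path as an indicator, so a prefix match on the full URL, not a bare domain block, is what the block list actually says. Swap `LOG_RE` for whatever your proxy or Zeek `http.log` layout is; the classification logic does not depend on it.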
FILE HASHES
MALWARE PAYLOAD - AZORULT:
- SHA256 hash: ee305a8295212f8a8f7eda9590a1f498ef3ec064a8bcd4bbc4df9383ea5b4b37
File size: 712,704 bytes
File description: GrandSoft EK payload: AZORult
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-03-15-GrandSoft-EK-four-pcaps.zip 2.9 MB (2,871,736 bytes)
- Zip archive of the associated malware and artifacts: 2018-03-15-GrandSoft-EK-malware-and-artifacts.zip 428 kB (428,142 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.