2018-03-15 - GRANDSOFT EK SENDS AZORULT

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-15-GrandSoft-EK-four-pcaps.zip   2.9 MB (2,871,736 bytes)

• 2018-03-15-GrandSoft-EK-1st-run-traffic.pcap   (797,486 bytes)
• 2018-03-15-GrandSoft-EK-2nd-run-traffic.pcap   (796,263 bytes)
• 2018-03-15-GrandSoft-EK-3rd-run-traffic.pcap   (823,982 bytes)
• 2018-03-15-GrandSoft-EK-4th-run-traffic.pcap   (871,289 bytes)

• Zip archive of the associated malware and artifacts:  2018-03-15-GrandSoft-EK-malware-and-artifacts.zip   428 kB (428142 bytes)

• 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-10A0A0A0.txt   (18,153 bytes)
• 2018-03-15-GrandSoft-EK-1st-3rd-and-4th-runs-dwie.hta.txt   (6,492 bytes)
• 2018-03-15-GrandSoft-EK-2nd-run-8A1A0A0.txt   (18,120 bytes)
• 2018-03-15-GrandSoft-EK-all-4-runs-EK-payload-AZORult.exe   (712,704 bytes)
• 2018-03-15-GrandSoft-EK-all-4-runs-landing-page.txt   (49,073 bytes)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and partial URL:

• lookatmyhorse.cf
• infra.creationskvu.xyz
• asserts.miltondaza.xyz
• misinterpreting.ktmcmoderatorqzu.xyz
• bgmystorches.ktmcmoderatorqzu.xyz
• hxxp://doueven.click/nonono/

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark (image 1 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 2 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 3 of 4).

 

Shown above:  Infection traffic filtered in Wireshark (image 4 of 4).

 

GATE LEADING TO GRANDSOFT EK:

• 167.99.82.8 port 443 - lookatmyhorse.cf - GET /   [HTTPS, but can be tested using HTTP]

GRANDSOFT EK:

• 62.109.4.135 port 80 - infra.creationskvu.xyz
• 62.109.4.135 port 80 - asserts.miltondaza.xyz
• 62.109.4.135 port 80 - misinterpreting.ktmcmoderatorqzu.xyz
• 62.109.4.135 port 80 - bgmystorches.ktmcmoderatorqzu.xyz

POST-INFECTION TRAFFIC FROM AZORULT:

• 191.101.245.46 port 80 - doueven.click - POST /nonono/gegejokoew.php

 

FILE HASHES

MALWARE PAYLOAD - AZORULT:

• SHA256 hash:  ee305a8295212f8a8f7eda9590a1f498ef3ec064a8bcd4bbc4df9383ea5b4b37
  File size:  712,704 bytes
  File description:  GrandSoft EK payload: AZORult

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-03-15-GrandSoft-EK-four-pcaps.zip   2.9 MB (2,871,736 bytes)
• Zip archive of the associated malware and artifacts:  2018-03-15-GrandSoft-EK-malware-and-artifacts.zip   428 kB (428142 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.