2019-12-23 - RIG EK SENDS MALWARE PAYLOAD I CANNOT IDENTIFY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2019-12-23-Rig-EK-sends-a-payload-I-cannot-identify.pcap.zip 6.5 MB (6,475,956 bytes)
- 2019-12-23-Rig-EK-sends-a-payload-I-cannot-identify.pcap (6,837,996 bytes)
- 2019-12-23-malware-and-artifacts-from-Rig-EK-infection.zip 5.6 MB (5,612,175 bytes)
- 2019-12-23-Rig-EK-artifact-n.t.txt
- 2019-12-23-Rig-EK-landing-page.txt
- 2019-12-23-Rig-EK-malware-payload.exe
- 2019-12-23-registry-entry-for-the-malware.txt
- Users/username/AppData/Roaming/Cugifo/
- Users/username/AppData/Roaming/Dahag/efobba.uf
- Users/username/AppData/Roaming/Ofeb/ygebe.dei
- Users/username/AppData/Roaming/Uggeeh/ubugce.hagoi
- Users/username/AppData/Roaming/Acadh/duygoboh.fub
- Users/username/AppData/Roaming/Ecuf/ofca.hahe
- Users/username/AppData/Roaming/Ciog/
- Users/username/AppData/Roaming/Geca/cuefc.od
- Users/username/AppData/Roaming/Ybcide/guag.exe
- Users/username/AppData/Roaming/Cacoce/difaadu.ech
- Users/username/AppData/Roaming/Udech/offyb.efeh
- Users/username/AppData/Roaming/Abba/efcahoe.yb
- 2019-12-23-post-infection-traffic-from-malware-MITM-for-HTTPS-traffic.zip 8.6 MB (8,580,237 bytes)
- 2019-12-23-post-infection-traffic-from-malware-MITM-for-HTTPS-traffic.pcap (9,009,575 bytes)
- SSLKeysLogFile.txt (3,894 bytes)
NOTES:
- I got the pcap with MitM for HTTPS traffic from the Any.Run sandobx and sanitized it for this blog post.
IMAGES
Shown above: Traffic from my lab infection filtered in Wireshark.
Shown above: HTTPS traffic caused by the malware (ran through the Any.Run sandbox) decrypted and filtered in Wireshark.
Shown above: One of the decrypted GET requests in HTTPS traffic caused by the malware.
Click here to return to the main page.