2019-12-23 - RIG EK SENDS MALWARE PAYLOAD I CANNOT IDENTIFY

NOTICE:

ASSOCIATED FILES:

  • 2019-12-23-Rig-EK-sends-a-payload-I-cannot-identify.pcap   (6,837,996 bytes)
  • 2019-12-23-Rig-EK-artifact-n.t.txt
  • 2019-12-23-Rig-EK-landing-page.txt
  • 2019-12-23-Rig-EK-malware-payload.exe
  • 2019-12-23-registry-entry-for-the-malware.txt
  • Users/username/AppData/Roaming/Cugifo/
  • Users/username/AppData/Roaming/Dahag/efobba.uf
  • Users/username/AppData/Roaming/Ofeb/ygebe.dei
  • Users/username/AppData/Roaming/Uggeeh/ubugce.hagoi
  • Users/username/AppData/Roaming/Acadh/duygoboh.fub
  • Users/username/AppData/Roaming/Ecuf/ofca.hahe
  • Users/username/AppData/Roaming/Ciog/
  • Users/username/AppData/Roaming/Geca/cuefc.od
  • Users/username/AppData/Roaming/Ybcide/guag.exe
  • Users/username/AppData/Roaming/Cacoce/difaadu.ech
  • Users/username/AppData/Roaming/Udech/offyb.efeh
  • Users/username/AppData/Roaming/Abba/efcahoe.yb
  • 2019-12-23-post-infection-traffic-from-malware-MITM-for-HTTPS-traffic.pcap   (9,009,575 bytes)
  • SSLKeysLogFile.txt   (3,894 bytes)

NOTES:

IMAGES:

[Image 1] Traffic from my lab infection filtered in Wireshark.

[Image 2] HTTPS traffic caused by the malware (run through the Any.Run sandbox) decrypted and filtered in Wireshark.

[Image 3] One of the decrypted GET requests in HTTPS traffic caused by the malware.
