2017-03-07 - EITEST RIG EK FROM 188.225.32[.]10 SENDS DREAMBOT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-07-EITest-Rig-EK-sends-Dreambot.pcap.zip 4.9 MB (4,910,562 bytes)
- 2017-03-07-EITest-Rig-EK-sends-Dreambot.pcap (5,265,561 bytes)
- 2017-03-07-EITest-Rig-EK-artifacts-and-Dreambot-malware.zip 173.2 kB (173,244 bytes)
- 2017-03-07-EITest-Rig-EK-payload-Dreambot-ao82qwq9.exe (190,464 bytes)
- 2017-03-07-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-03-07-Rig-EK-flash-exploit.swf (15,500 bytes)
- 2017-03-07-Rig-EK-landing-page.txt (57,203 bytes)
- 2017-03-07-page-from-activaclinics_com-with-injected-EITest-script.txt (59,260 bytes)
BACKGROUND ON THE EITEST CAMPAIGN AND RIG EXPLOIT KIT:
- My most recent write-up on the EITest campaign can be found here.
- A more in-depth write-up is on the Billantit Blog titled: Exposing EITest campaign
- Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V." Now I'm just calling it "Rig EK."
BACKGROUND ON DREAMBOT:
- Dreambot is a banking Trojan sometimes referred to as Ursnif or Gozi ISFB.
- Proofpoint published an article about it in Aug 2016 named "Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality"
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
Shown above: Traffic from the infection filtered in Wireshark.
COMPROMISED WEBSITE AND RIG EK:
- www.activaclinics[.]com - Compromised site (used by EITest campaign)
- 188.225.32[.]10 port 80 - art.locksmithcarolstream[.]info - Rig EK
POST-INFECTION TRAFFIC:
- 5.196.159[.]173 port 80 - 5.196.159[.]173 - GET /images/[long string of characters]
- 5.196.159[.]173 port 80 - 5.196.159[.]173 - GET /tor/t64.dll
- curlmyip[.]net - GET /
- 176.31.62[.]78 port 80 - nod32s[.]com - GET /images/[long string of characters]
- Various IP addresses on various ports - various domains - Tor traffic
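The post-infection traffic listed above has a recognisable shape that can be turned into detection logic: HTTP requests whose Host header is a bare IP address and whose URI is /images/ followed by a long opaque string, a download of /tor/t64.dll from that same host, and an external IP lookup to curlmyip[.]net before the Tor traffic begins. As an added example (not part of the original page, and not a rule from any published ruleset), the following Python script runs that logic over a few constructed HTTP log lines. The log format (timestamp, source IP, destination IP:port, Host, method, URI, whitespace-separated), the 40-character threshold for a "long" URI string and the sample lines themselves are assumptions; the hosts and paths come from this page.

```python
import re
from typing import List, NamedTuple, Optional

# Hosts from the post-infection traffic on this page, kept defanged in source
# and refanged at load time.
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

KNOWN_C2_HOSTS = {refang(h) for h in ("5.196.159[.]173", "176.31.62[.]78", "nod32s[.]com")}
EXTERNAL_IP_CHECK_HOSTS = {refang("curlmyip[.]net")}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# The check-ins on this page are GET /images/[long string]; 40+ URL-safe
# characters is an assumed threshold, long enough to skip ordinary image names.
IMAGES_BEACON_RE = re.compile(r"^/images/[A-Za-z0-9_\-/=.]{40,}$")
TOR_DLL_RE = re.compile(r"^/tor/t64\.dll$")


class Finding(NamedTuple):
    line_no: int
    host: str
    uri: str
    reason: str


class HttpRecord(NamedTuple):
    ts: str
    src: str
    dst: str
    host: str
    method: str
    uri: str


def parse_line(line: str) -> Optional[HttpRecord]:
    """Parse one whitespace-separated HTTP log line (assumed format)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return HttpRecord(*parts)


def scan_http_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per matching indicator per log line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.host in KNOWN_C2_HOSTS:
            findings.append(Finding(line_no, rec.host, rec.uri,
                                    "Host matches Dreambot C2 listed on this page"))
        if IPV4_RE.match(rec.host) and IMAGES_BEACON_RE.match(rec.uri):
            findings.append(Finding(line_no, rec.host, rec.uri,
                                    "bare-IP Host with long /images/ URI (Dreambot check-in shape)"))
        if TOR_DLL_RE.match(rec.uri):
            findings.append(Finding(line_no, rec.host, rec.uri,
                                    "download of /tor/t64.dll (Dreambot Tor component)"))
        if rec.host in EXTERNAL_IP_CHECK_HOSTS and rec.uri == "/":
            findings.append(Finding(line_no, rec.host, rec.uri,
                                    "external IP check seen before Tor traffic"))
    return findings


# Constructed sample log: two benign lines followed by the four request
# types from the post-infection traffic above. The client IP, timestamps
# and the long strings are made up.
SAMPLE_HTTP_LOG = """\
2017-03-07T16:02:11 10.3.7.101 93.184.216.34:80 www.example.com GET /index.html
2017-03-07T16:02:12 10.3.7.101 93.184.216.34:80 www.example.com GET /images/logo.png
2017-03-07T16:03:40 10.3.7.101 5.196.159.173:80 5.196.159.173 GET /images/Bs7mkQ2x9aP1_LwE4cZ0yT8vR3nJ6hD5fG1kM2oQ9sU7iY4eA0bC3dF6gH8jK1lN5pR
2017-03-07T16:03:44 10.3.7.101 5.196.159.173:80 5.196.159.173 GET /tor/t64.dll
2017-03-07T16:03:50 10.3.7.101 203.0.113.9:80 curlmyip.net GET /
2017-03-07T16:04:05 10.3.7.101 176.31.62.78:80 nod32s.com GET /images/Xq4rT1vB8nM3kL9pZ2wE6yH0sD5fG7jC1aU4oI8eR2tY6uN3bV9cK0lQ5mW7xS1zA
""".splitlines()


def flagged_line_numbers(lines: List[str]) -> List[int]:
    """Distinct log line numbers that produced at least one Finding."""
    return sorted({f.line_no for f in scan_http_log(lines)})


if __name__ == "__main__":
    for f in scan_http_log(SAMPLE_HTTP_LOG):
        print(f"line {f.line_no}: {f.host} {f.uri} -> {f.reason}")
```

The bare-IP plus long /images/ URI check is the one worth keeping even after the listed hosts rotate, since the C2 IPs and domains in these campaigns change far more often than the request shape does; the benign /images/logo.png line on a real hostname shows why the Host check is needed alongside the URI pattern.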
SHA256 FILE HASHES
FLASH EXPLOIT:
- 0de926b547aedb8016c6d06099f9518cbf53f60ef00081f4c1dd4168f38fc84b - 15,500 bytes - Rig EK flash exploit
PAYLOAD:
- ef444f0d8e5ffd93998061920c7f865887592548f7d7171df8e4c2be1534e6af - 190,464 bytes - Dreambot
IMAGES
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.