2017-03-13 "GOOD MAN" CAMPAIGN RIG EK --> GODZILLA LOADER --> ZBOT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-03-13-Good-Man-Rig-EK-to-Godzilla-Loader-to-Zbot.pcap.zip 902.3 kB (902,310 bytes)
- 2017-03-13-malware-from-Good-Man-Rig-EK-activity.zip 443.3 kB (443,305 bytes)
NOTES:
- This is the "Good Man" campaign using Rig EK as described here
- I found another gate for this campaign (previously it was hurtmehard[.]net, but that's off-line now).
- I tried the "Good Man gate" at perfectgirlss[.]org but had issues the first time, so I tried it again and got infected.
- Both attempts are in the pcap.
Shown above: Flowchart for the infection traffic.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
TRAFFIC FROM AN INFECTION:
- 85.204.74[.]238 port 80 - perfectgirlss[.]org - Goodman campaign gate
- 217.23.2[.]108 port 80 - remote.wames[.]xyz - Rig EK
- 185.140.114[.]172 port 80 - forum.alterna[.]pw GET /forum.php?g=773621049&k=qfQlodgR0jhoe4Qv2N8Ym9aco
- 85.217.170[.]81 port 80 - 85.217.170[.]81 POST /Bwt4nCeYpiHsDUe/file.php
- 85.217.170[.]81 port 80 - 85.217.170[.]81 POST /Bwt4nCeYpiHsDUe/dsjfgah.php
- 31.31.204[.]161 port 80 - portalcentr[.]ru POST /Bwt4nCeYpiHsDUe/file.php
- www.google[.]com - GET /webhp
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
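Rebuilding the Wireshark view from the traffic list above, as an added example that is not part of the original post: the parser reads the defanged "ip port N - host METHOD path - note" lines, refangs them, and emits a display filter on the servers' IPs and HTTP Host names. The line format and the regex are assumptions based on this page's list, not a site-wide convention.

```python
import re

# Lines copied from this page's "TRAFFIC FROM AN INFECTION" list (defanged with [.]).
TRAFFIC_NOTES = """\
85.204.74[.]238 port 80 - perfectgirlss[.]org - Goodman campaign gate
217.23.2[.]108 port 80 - remote.wames[.]xyz - Rig EK
185.140.114[.]172 port 80 - forum.alterna[.]pw GET /forum.php?g=773621049&k=qfQlodgR0jhoe4Qv2N8Ym9aco
85.217.170[.]81 port 80 - 85.217.170[.]81 POST /Bwt4nCeYpiHsDUe/file.php
85.217.170[.]81 port 80 - 85.217.170[.]81 POST /Bwt4nCeYpiHsDUe/dsjfgah.php
31.31.204[.]161 port 80 - portalcentr[.]ru POST /Bwt4nCeYpiHsDUe/file.php
www.google[.]com - GET /webhp
"""

# One entry (assumed format): optional "<ip> port <n> - ", a host, optional "[ -] <METHOD> <path>", optional " - <note>".
LINE_RE = re.compile(
    r"^(?:(?P<ip>\S+) port (?P<port>\d+) - )?(?P<host>\S+)"
    r"(?:(?: -)? (?P<method>GET|POST) (?P<path>\S+))?(?: - (?P<note>.+))?$"
)

def refang(value):
    """Turn the page's paste-safe form (85.204.74[.]238) back into a real address or name."""
    return value.replace("[.]", ".") if value else None

def parse_traffic_notes(text):
    """Parse each line of the list into a dict with refanged ip/host plus port, method,
    path and the analyst's note (None where the line has none)."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank lines and lines that do not follow the format are skipped, not guessed at
            entry = m.groupdict()
            entry["ip"], entry["host"] = refang(entry["ip"]), refang(entry["host"])
            entry["port"] = int(entry["port"]) if entry["port"] else None
            found.append(entry)
    return found

def wireshark_filter(indicators):
    """Build a Wireshark display filter selecting the listed servers by IP or HTTP Host header,
    deduplicated in the page's order (the two 85.217.170.81 lines become one ip.addr term)."""
    terms = []
    for ind in indicators:
        wanted = [f"ip.addr == {ind['ip']}"] if ind["ip"] else []
        if not re.fullmatch(r"[\d.]+", ind["host"]):  # a bare IP used as Host adds nothing new
            wanted.append(f'http.host == "{ind["host"]}"')
        terms += [t for t in wanted if t not in terms]
    return " or ".join(terms)
```

The resulting filter, pasted into Wireshark over the pcap, isolates the same gate, Rig EK, loader and Zbot check-in traffic the screenshot shows.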
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 9371888ec860d6083bebd2966ed6ad136527242c68405128121310c1b965d41f
File description: 2017-03-13 Rig EK flash exploit
MALWARE:
- SHA256 hash: 261e2d1eab2af48a416252416a1a1d529fc48d939e09fd7d43609505ee1336ec
File description: 2017-03-13 Rig EK payload (Godzilla loader)
- SHA256 hash: 30f342741c0224b152c4d6d6cc91af5458649eedd0ad848beb2aa38cf9d79423
File description: 2017-03-13 follow-up malware YQFXJKzLIwR4pdb0vnSTNdswR.exe (Zbot)