2017-04-13 - WHAT SEEMS LIKE RIG EK SENDS POSSIBLE SMOKE LOADER PAYLOAD
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-04-13-what-seems-like-Rig-EK-both-pcaps.zip 1.1 MB (1,149,282 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-1st-run.pcap (497,511 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-2nd-run.pcap (787,133 bytes)
- 2017-04-13-what-seems-like-Rig-EK-malware-and-artifacts.zip 178.4 kB (178,420 bytes)
  - 2017-04-13-microfitsecuretest_info-swapmappppsw.js-1st-run.txt (280 bytes)
  - 2017-04-13-microfitsecuretest_info-swapmappppsw.js-2nd-run.txt (264 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-artifact-o32.tmp-both-runs.txt (1,141 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-flash-exploit-both-runs.swf (18,497 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-landing-page-1st-run.txt (57,903 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-landing-page-2nd-run.txt (117,797 bytes)
  - 2017-04-13-what-seems-like-Rig-EK-payload-both-runs.exe (206,336 bytes)
NOTES:
- I saw an example of Rig EK on 2017-04-13, but after the landing page, it used an IP address instead of a domain name, and it was on a different IP address than the landing page.
- This is also a different campaign that I haven't noticed before, and I find it somewhat unusual.
- From what I understand, the payload is Smoke Loader, but I was unable to get any post-infection traffic during this infection.
TRAFFIC
- Image (not reproduced here): Injected script in page from compromised site.
- Image (not reproduced here): Traffic from the 1st run filtered in Wireshark.
- Image (not reproduced here): Traffic from the 2nd run filtered in Wireshark.
ASSOCIATED DOMAINS:
- [info redacted] port 80 - [info redacted] - Compromised website
- 185.58.225[.]60 port 80 - microfitsecuretest[.]info - /iframe/swapmappppsw.js [redirect/gate to what seems like Rig EK]
- 217.23.1[.]61 port 80 - microfitsecuretest[.]trade - What seems like Rig EK - landing page
- 185.158.112[.]49 port 80 - 185.158.112[.]49 - What seems like Rig EK - exploits and payload
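As an added example (not part of the original write-up or its pcaps), a small Python check for the pattern noted above: an HTTP request whose Host header is a bare IP address, reached from a landing page on a named domain that lives on a different server. The request lines are constructed, the compromised site's name is a placeholder, and the other hosts are the page's defanged indicators.

```python
import ipaddress
import re

# Constructed request summary (NOT from the page's pcaps): one request per line as
# "dst_ip host uri referer", modelled on the chain described above. Indicators are
# defanged with [.] as on the page; the compromised site's name is a placeholder.
SAMPLE_REQUESTS = """\
203.0.113.10 compromised.example /index.html -
185.58.225[.]60 microfitsecuretest[.]info /iframe/swapmappppsw.js http://compromised.example/index.html
217.23.1[.]61 microfitsecuretest[.]trade /?landing=1 http://compromised.example/index.html
185.158.112[.]49 185.158.112[.]49 /?exploit=flash http://microfitsecuretest[.]trade/?landing=1
185.158.112[.]49 185.158.112[.]49 /?payload=1 http://microfitsecuretest[.]trade/?landing=1
"""

def refang(value):
    """Turn the page-style defanged notation ("185.158.112[.]49") back into a real host."""
    return value.replace("[.]", ".")

def host_of(url):
    """Extract the host part of a URL (or of a bare host / '-' placeholder)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]

def is_ip_literal(host):
    """True when the Host header is an IPv4/IPv6 literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_requests(text):
    records = []
    for line in text.splitlines():
        dst, host, uri, referer = line.split(maxsplit=3)
        records.append({"dst": refang(dst), "host": refang(host), "uri": uri, "referer": refang(referer)})
    return records

def flag_ip_host_requests(records):
    """Return requests whose Host header is a bare IP and whose referer is a named domain
    served from a different IP: the hand-off from a domain-hosted landing page to an
    IP-addressed exploit/payload server that the notes above describe."""
    server_by_domain = {r["host"]: r["dst"] for r in records if not is_ip_literal(r["host"])}
    flagged = []
    for r in records:
        ref = host_of(r["referer"])
        if is_ip_literal(r["host"]) and ref in server_by_domain and server_by_domain[ref] != r["dst"]:
            flagged.append(r)
    return flagged
```

Run over real tshark or proxy-log output, the same function flags only the exploit and payload requests, not the gate script or the landing page, because those are still served from named domains.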
FILE HASHES
MALWARE FROM THE INFECTED HOST:
- SHA256 hash: 569f6656fa51ac2606e61fcc2a30f61873c1d04aa4e60ede6c86f9315620b9b7
  - File size: 18,497 bytes
  - File description: What seems like a Rig EK flash exploit on 2017-04-13
- SHA256 hash: 561d0b5a38d4a3aa8ce4b168f29a40cf1ec6e13074f144c57f4ddcbcac94dee6
  - File size: 206,336 bytes
  - File description: What seems like Rig EK's payload on 2017-04-13, possibly SmokeLoader