2017-04-14 - GATE LEADS TO TERROR EK, SAME GATE LATER LEADS TO RIG EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-04-14-Terror-EK-traffic.pcap.zip   334.1 kB (334,131 bytes)

• 2017-04-14-Terror-EK-traffic.pcap   (358,964 bytes)

• 2017-04-14-Terror-EK-malware-and-artifacts.zip   144.7 kB (144,747 bytes)

• 2017-04-14-Terror-EK-flash-exploit-1-of-3.swf   (51,109 bytes)
• 2017-04-14-Terror-EK-flash-exploit-2-of-3.swf   (14,869 bytes)
• 2017-04-14-Terror-EK-flash-exploit-3-of-3.swf   (4,078 bytes)
• 2017-04-14-Terror-EK-landing-page.txt   (23,799 bytes)
• 2017-04-14-Terror-EK-payload-rad364F6.tmp.exe   (192,000 bytes)
• 2017-04-14-Terror-EK-second-page.txt   (7,778 bytes)

• 2017-04-14-Rig-EK-traffic.pcap.zip   283.3 kB (283,321 bytes)

• 2017-04-14-Rig-EK-traffic.pcap   (297,015 bytes)

• 2017-04-14-Rig-EK-malware-and-artifacts.zip   152.0 kB (152,026 bytes)

• 2017-04-14-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-14-Rig-EK-flash-exploit.swf   (19,110 bytes)
• 2017-04-14-Rig-EK-landing-page.txt   (117,916 bytes)
• 2017-04-14-Rig-EK-payload-dcwq06dn.exe   (192,000 bytes)

NOTES:

• This is a follow up to a post by @Zerophage1337 on 2017-04-14 titled: Terror EK via Malvertising drops Smoke Loader
• I got both Terror EK and Rig EK from the same gate URL.
• The payloads didn't do anything in my lab environment, so I haven't been able to identify the malware.

 

TRAFFIC

Shown above:  Traffic from the 1st infection filtered in Wireshark   (Terror EK).

 

Shown above:  Traffic from the 2nd infection filtered in Wireshark   (Rig EK).

 

ASSOCIATED DOMAINS:

• 31.7.63[.]186 port 80 - vicals[.]pw - GET /Xqhy3c   [Gate/redirect]
• 188.166.27[.]60 port 80 - 188.166.27[.]60 - Terror EK
• 86.106.102[.]17 port 80 - alooki[.]accountant - Rig EK

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  151b5c5a5213a5f7584a6f1a6a4c4705e9e8b938a70080c8e4ecbed7ea7c0609
  File size:  19,110 bytes
  File description:  Rig EK Flash exploit seen on 2017-04-14

• SHA256 hash:  108c5ea094854cac117f3feca1935f6dbed84376c0bec3c410103abbcf57f70e
  File size:  51,109 bytes
  File description:  Terror EK Flash exploit seen on 2017-04-14

• SHA256 hash:  3a2a744baa731e81ca7f21c15b72439173ebe601366c694e53e5b35caaa11c7a
  File size:  14,869 bytes
  File description:  Terror EK Flash exploit seen on 2017-04-14

• SHA256 hash:  ce3c0da64772f3beaf7c0f25a85459d7b82e199eddb56f737c823b2dc51f310d
  File size:  4,078 bytes
  File description:  Terror EK Flash exploit seen on 2017-04-14

PAYLOADS:

• SHA256 hash:  bcb6e5c90885e832c01c0ac4cabd386c917f98b834d55197f71b80b1d17ad40d
  File size:  192,000 bytes
  File description:  Rig EK payload from this campaign on 2017-04-14

• SHA256 hash:  76d6bbf9151a9511eea4709c01e462d98b1a8490321a3f3be504b135e09e75b7
  File size:  192,000 bytes
  File description:  Terror EK payload from this campaign on 2017-04-14

 

Click here to return to the main page.