2016-11-10 - EITEST RIG-E FROM 70.39.114.226 CAUSES VAWTRAK INFECTION

ASSOCIATED FILES:

  • 2016-11-10-EITest-first-run-RIGe-causes-Vawtrak-infection.pcap   (2,235,029 bytes)
  • 2016-11-10-EITest-first-run-injected-script-in-page-from-compromised-site.txt   (514 bytes)
  • 2016-11-10-EITest-first-run-RIGe-landing-page.txt   (3,282 bytes)
  • 2016-11-10-EITest-first-run-RIGe-flash-exploit.swf   (52,582 bytes)
  • 2016-11-10-EITest-first-run-RIGe-payload.exe   (221,184 bytes)
  • 2016-11-10-EITest-first-run-RIGe-post-infection-follow-up-malware.exe   (2,006,528 bytes)

BACKGROUND:

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the compromised site.


Shown above:  Pcap of the infection traffic filtered in Wireshark.
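The Wireshark view above is the usual way to read the redirect chain (compromised site, EITest injected script, Rig-E landing page, Flash exploit, payload) out of the capture. As an added example that is not part of this write-up, the Python below does the same job without a GUI: it walks a libpcap file, picks out every TCP segment that starts with an HTTP request line, and lists host and URI in capture order, which is enough to put the stages in sequence and see which server each one came from. The hostnames, addresses and URIs in its built-in sample capture are constructed placeholders, not indicators from this infection; to use it on the real pcap, pass the file's bytes to extract_http_requests().

```python
"""List HTTP requests in a pcap in capture order, to reconstruct an infection chain.

Added example, not from the original write-up: a stand-in for Wireshark's
"http.request" filter (libpcap only, Ethernet + IPv4/TCP, no TCP reassembly).
The capture built at the bottom is constructed; hosts, IPs and URIs are placeholders.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

def _frames(pcap):
    """Yield (timestamp, frame_bytes) for each record of a libpcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":      # little-endian writer, microsecond stamps
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":    # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not supported here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet framing (link type 1) is supported")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl_len]
        off += incl_len

def _tcp_payload(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                        # IP protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]                         # IHL: header grows with IP options
    if len(tcp) < 20:
        return None
    dport = struct.unpack(">H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4                         # likewise with TCP options
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    return src, dst, dport, tcp[data_off:]

def extract_http_requests(pcap):
    """One dict per request line found at the start of a TCP segment (no reassembly)."""
    found = []
    for ts, frame in _frames(pcap):
        parsed = _tcp_payload(frame)
        if parsed is None or not parsed[3].startswith(HTTP_METHODS):
            continue                                      # responses, bare ACKs, non-HTTP
        src, dst, dport, payload = parsed
        lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        parts = lines[0].split(b" ", 2)
        if len(parts) != 3:
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        found.append({"time": ts, "src": src, "dst": f"{dst}:{dport}", "method": parts[0].decode(),
                      "uri": parts[1].decode(errors="replace"),
                      "host": headers.get(b"host", b"").decode(errors="replace")})
    return found

def _frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame around payload; checksums left zero (not checked above)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

def _get(host, uri):
    return (f"GET {uri} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n\r\n").encode()

CLIENT = "10.0.0.7"
# Placeholder stages (RFC 5737 addresses, .example hosts) in the order the write-up
# describes: compromised site, EITest injected script, EK landing page, Flash exploit, payload.
STAGES = [("192.0.2.10", "compromised-site.example", "/blog/"),
          ("198.51.100.20", "eitest-gate.example", "/inject.js"),
          ("203.0.113.5", "rig-e-landing.example", "/?land=1"),
          ("203.0.113.5", "rig-e-landing.example", "/exploit.swf"),
          ("203.0.113.5", "rig-e-landing.example", "/payload")]
_records = []
for i, (ip, host, uri) in enumerate(STAGES):
    t = 1478736000 + i * 1.5
    _records.append((t, _frame(CLIENT, ip, 49152 + i, 80, _get(host, uri))))
    _records.append((t + 0.25, _frame(ip, CLIENT, 80, 49152 + i, b"")))  # bare ACK: skipped
    _records.append((t + 0.5, _frame(ip, CLIENT, 80, 49152 + i, b"HTTP/1.1 200 OK\r\n\r\n")))  # response: skipped
SAMPLE_PCAP = build_pcap(_records)

if __name__ == "__main__":
    for r in extract_http_requests(SAMPLE_PCAP):
        print(f'{r["time"]:.2f} {r["src"]} -> {r["dst"]} {r["method"]} {r["host"]}{r["uri"]}')
```

Two caveats for real captures: the script only looks at the first segment of each request, so a long POST whose request line is not in the first segment is missed, and anything over HTTPS is invisible to it just as it is in Wireshark without keys. If a capture was saved as pcapng, convert it first with `editcap -F pcap in.pcapng out.pcap` (editcap ships with Wireshark).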


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOIT:

PAYLOAD (VAWTRAK):

FOLLOW-UP MALWARE:


IMAGES


Shown above:  Vawtrak malware made persistent on the infected Windows host.



Shown above:  Additional malware downloaded and dropped to the Windows host during this infection.



Shown above:  Alerts from replaying the pcap with tcpreplay against the Emerging Threats Pro (ETPRO) ruleset, viewed in Sguil on Security Onion.


FINAL NOTES

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.