2017-05-30 - RIG EK SENDS KOVTER

ASSOCIATED FILES:

  • 2017-05-30-Rig-EK-sends-Kovter-1st-run.pcap   (680,294 bytes)
  • 2017-05-30-Rig-EK-sends-Kovter-2nd-run.pcap   (794,493 bytes)
  • 2017-05-30-Rig-EK-artifact-o32.tmp-both-runs.txt   (1,141 bytes)
  • 2017-05-30-Rig-EK-flash-exploit-both-runs.swf   (14,851 bytes)
  • 2017-05-30-Rig-EK-landing-page-1st-run.txt   (119,209 bytes)
  • 2017-05-30-Rig-EK-landing-page-2nd-run.txt   (119,022 bytes)
  • 2017-05-30-Rig-EK-payload-Kovter-1st-run.exe   (384,070 bytes)
  • 2017-05-30-Rig-EK-payload-Kovter-2nd-run.exe   (388,213 bytes)

NOTES:

 

TRAFFIC


Shown above: Redirect to Rig EK.

 


Shown above: Traffic from the 1st run filtered in Wireshark.

 


Shown above: Traffic from the 2nd run filtered in Wireshark.

 

REDIRECT AND RIG EK:

KOVTER POST-INFECTION TRAFFIC - 1ST RUN:

KOVTER POST-INFECTION TRAFFIC - 2ND RUN:

 

FILE HASHES

RIG EK FLASH EXPLOIT:

MALWARE PAYLOAD (KOVTER) - 1ST RUN:

MALWARE PAYLOAD (KOVTER) - 2ND RUN:

 

OTHER IMAGES


Shown above: A 3rd run proved I only needed the domain name, not the full URL, to get Rig EK.

 


Shown above: Metadata for both Kovter payloads.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
