2017-07-10 - RIG EK FROM THE HOOKADS CAMPAIGN

ASSOCIATED FILES:

  • 2017-07-10-1st-run-HookAds-Rig-EK.pcap   (5,353,889 bytes)
  • 2017-07-10-2nd-run-HookAds-Rig-EK.pcap   (3,324,185 bytes)
  • 2017-07-10-3rd-and-4th-run-HookAds-Rig-EK.pcap   (2,823,591 bytes)
  • 2017-07-10-1st-run-Rig-EK-landing-page.txt   (61,281 bytes)
  • 2017-07-10-1st-run-homocyte.info-banners-counterhits.txt   (6,397 bytes)
  • 2017-07-10-1st-run-script-from-HookAds-related-site-popunder.php.txt   (1255 bytes)
  • 2017-07-10-2nd-run-Rig-EK-landing-page.txt   (121,916 bytes)
  • 2017-07-10-2nd-run-homocyte.info-banners-counterhits.txt   (6,465 bytes)
  • 2017-07-10-2nd-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
  • 2017-07-10-3rd-run-Rig-EK-landing-page.txt   (121,927 bytes)
  • 2017-07-10-3rd-run-homocyte.info-banners-counterhits.txt   (6,473 bytes)
  • 2017-07-10-3rd-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
  • 2017-07-10-4th-run-Rig-EK-landing-page.txt   (121,981 bytes)
  • 2017-07-10-4th-run-homocyte.info-banners-counterhits.txt   (6,377 bytes)
  • 2017-07-10-4th-run-script-from-HookAds-related-site-popunder.php.txt   (1,255 bytes)
  • 2017-07-10-HookAds-Rig-EK-payload-1st-thru-3rd-runs.exe   (291,328 bytes)
  • 2017-07-10-HookAds-Rig-EK-payload-4th-run.exe   (204,800 bytes)
  • 2017-07-10-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-07-10-Rig-EK-flash-exploit.swf   (14,732 bytes)

BACKGROUND ON THE HOOKADS CAMPAIGN:

NOTES:

 

TRAFFIC


Shown above:  Traffic from the 1st pcap filtered in Wireshark.

 


Shown above:  Traffic from the 2nd pcap filtered in Wireshark.

 


Shown above:  Traffic from the 3rd pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

FLASH EXPLOIT:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.