2017-07-17 - RIG EK DATA DUMP (HOOKADS AND SEAMLESS CAMPAIGNS)

ASSOCIATED FILES:

  • 2017-07-17-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (348,094 bytes)
  • 2017-07-17-2nd-run-HookAds-Rig-EK-sends-Dreambot-with-post-infection-traffic.pcap   (6,668,017 bytes)
  • 2017-07-17-3rd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (390,804 bytes)
  • 2017-07-17-4th-run-Seamless-Rig-EK-sends-Ramnit-with-post-infection-traffic.pcap   (2,002,338 bytes)
  • 2017-07-17-5th-run-Seamless-Rig-EK-sends-Ramnit-with-post-infection-traffic.pcap   (1,794,866 bytes)
  • 2017-07-17-6th-run-HookAds-Rig-EK-sends-Dreambot.pcap   (562,903 bytes)
  • 2017-07-17-1st-run-HookAds-Rig-EK-payload-Dreambot.exe   (232,448 bytes)
  • 2017-07-17-1st-run-HookAds-gate-at-experimea.info-countryhits.txt   (6,429 bytes)
  • 2017-07-17-1st-run-Rig-EK-landing-page.txt   (122,643 bytes)
  • 2017-07-17-1st-run-popunder.php.txt   (1,255 bytes)
  • 2017-07-17-2nd-run-HookAds-Rig-EK-payload-Dreambot.exe   (231,936 bytes)
  • 2017-07-17-2nd-run-HookAds-gate-at-experimea.info-countryhits.txt   (6,429 bytes)
  • 2017-07-17-2nd-run-Rig-EK-landing-page.txt   (61,820 bytes)
  • 2017-07-17-2nd-run-popunder.php.txt   (1,255 bytes)
  • 2017-07-17-3rd-run-HookAds-Rig-EK-payload-Dreambot.exe   (310,272 bytes)
  • 2017-07-17-3rd-run-HookAds-gate-at-experimea.info-countryhits.txt   (6,501 bytes)
  • 2017-07-17-3rd-run-Rig-EK-landing-page.txt   (61,802 bytes)
  • 2017-07-17-3rd-run-popunder.php.txt   (1,255 bytes)
  • 2017-07-17-4th-run-Rig-EK-landing-page.txt   (61,741 bytes)
  • 2017-07-17-4th-run-Seamless-Rig-EK-payload-Ramnit.exe   (241,664 bytes)
  • 2017-07-17-5th-run-Rig-EK-landing-page.txt   (122,525 bytes)
  • 2017-07-17-5th-run-Seamless-Rig-EK-payload-Ramnit.exe   (230,400 bytes)
  • 2017-07-17-6th-run-HookAds-Rig-EK-payload-Dreambot.exe   (219,136 bytes)
  • 2017-07-17-6th-run-HookAds-gate-at-experimea.info-countryhits.txt   (6,504 bytes)
  • 2017-07-17-6th-run-Rig-EK-landing-page.txt   (122,450 bytes)
  • 2017-07-17-6th-run-popunder.php.txt   (1,255 bytes)
  • 2017-07-17-Ramnit-post-infection-binary-from-steelskull.com-AU2_EXEsd.exe   (509,952 bytes)
  • 2017-07-17-Ramnit-post-infection-binary-from-steelskull.com-satbin.exe   (173,056 bytes)
  • 2017-07-17-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-07-17-Rig-EK-flash-exploit.swf   (15,472 bytes)
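
The listing above follows a regular naming scheme (date, optional run number, campaign, exploit kit, role, then the byte count), which makes it easy to verify a local copy before analysis. The script below is an added example, not part of the original post: it parses lines in that format, groups runs by campaign, and checks an extracted directory against the listed sizes, hashing whatever matches. The sample listing embedded in it is a subset copied from the list above; the directory-layout and filename-grammar assumptions are mine and nothing here knows the real file contents or hashes (the FILE HASHES section of the post is what you would compare the computed digests against).

```python
"""Parse an ASSOCIATED FILES listing and check extracted files against it.

Added example for this post, not code from the original.  Assumes the
samples have already been extracted from their zip archives into one
directory, and that the filename grammar is the one seen in the listing:
<date>[-<n>(st|nd|rd|th)-run]-<description>.<ext>  (<size> bytes)
"""
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample: seven lines copied verbatim from the listing above.
LISTING = """
  • 2017-07-17-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (348,094 bytes)
  • 2017-07-17-2nd-run-HookAds-Rig-EK-sends-Dreambot-with-post-infection-traffic.pcap   (6,668,017 bytes)
  • 2017-07-17-4th-run-Seamless-Rig-EK-sends-Ramnit-with-post-infection-traffic.pcap   (2,002,338 bytes)
  • 2017-07-17-1st-run-HookAds-Rig-EK-payload-Dreambot.exe   (232,448 bytes)
  • 2017-07-17-4th-run-Seamless-Rig-EK-payload-Ramnit.exe   (241,664 bytes)
  • 2017-07-17-Rig-EK-flash-exploit.swf   (15,472 bytes)
  • 2017-07-17-Ramnit-post-infection-binary-from-steelskull.com-satbin.exe   (173,056 bytes)
"""

# One listing line: bullet, filename, "(1,234 bytes)".
LINE_RE = re.compile(r"^\s*[•*-]\s+(?P<name>\S+)\s+\((?P<size>[\d,]+) bytes\)\s*$")
# Filename grammar inferred from the listing (an assumption, see docstring).
NAME_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})-"
    r"(?:(?P<run>\d+)(?:st|nd|rd|th)-run-)?"
    r"(?P<rest>.+)\.(?P<ext>pcap|exe|txt|swf)$"
)


def parse_listing(text):
    """Return one dict per listing line: name, size, date, run, campaign, ext."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything not a file entry
        name = m.group("name")
        nm = NAME_RE.match(name)
        if not nm:
            raise ValueError("unexpected filename format: %s" % name)
        rest = nm.group("rest")
        campaign = None
        for tag in ("HookAds", "Seamless"):
            if tag in rest:
                campaign = tag
        entries.append({
            "name": name,
            "size": int(m.group("size").replace(",", "")),
            "date": nm.group("date"),
            "run": int(nm.group("run")) if nm.group("run") else None,
            "campaign": campaign,
            "ext": nm.group("ext"),
        })
    return entries


def runs_by_campaign(entries):
    """Map campaign name -> sorted list of run numbers seen for it."""
    runs = defaultdict(set)
    for e in entries:
        if e["campaign"] and e["run"] is not None:
            runs[e["campaign"]].add(e["run"])
    return {c: sorted(r) for c, r in runs.items()}


def verify_directory(entries, directory):
    """Check each listed file in *directory*; hash only exact-size matches.

    Returns {filename: {"status": "missing"|"size-mismatch"|"ok", ...}}.
    A size mismatch usually means a truncated download or a file that was
    not fully extracted, so it is reported before any hashing is done.
    """
    report = {}
    for e in entries:
        path = os.path.join(directory, e["name"])
        if not os.path.isfile(path):
            report[e["name"]] = {"status": "missing"}
            continue
        actual = os.path.getsize(path)
        if actual != e["size"]:
            report[e["name"]] = {"status": "size-mismatch",
                                 "expected": e["size"], "actual": actual}
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        report[e["name"]] = {"status": "ok", "sha256": h.hexdigest()}
    return report


if __name__ == "__main__":
    import sys
    parsed = parse_listing(LISTING)
    print(runs_by_campaign(parsed))
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, r in verify_directory(parsed, target).items():
        print(r["status"], name, r.get("sha256", ""))
```

Run it with the extraction directory as the only argument; paste the full listing from the post into `LISTING` to check every file rather than the subset embedded here.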

 

Rig EK:  New URL patterns, same garbage.

 

TRAFFIC


[Image not included]  Traffic from one of the HookAds Rig EK pcaps, filtered in Wireshark.

 


[Image not included]  Traffic from one of the Seamless Rig EK pcaps, filtered in Wireshark.

 

ASSOCIATED DOMAINS FOR HOOKADS CAMPAIGN USING RIG EK TO DELIVER DREAMBOT:

 

ASSOCIATED DOMAINS FOR SEAMLESS CAMPAIGN USING RIG EK TO DELIVER RAMNIT:

 

FILE HASHES

FLASH EXPLOIT:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
