2017-08-01 - RIG EK FROM THE HOOKADS CAMPAIGN SENDS DREAMBOT

ASSOCIATED FILES:

  • 2017-08-01-1st-run-HookAds-Rig-EK-sends-Dreambot.pcap   (393,266 bytes)
  • 2017-08-01-2nd-run-HookAds-Rig-EK-sends-Drembot-with-post-infection-traffic.pcap   (8,660,170 bytes)
  • 2017-08-01-3rd-run-HookAds-Rig-EK-sends-Dreambot.pcap   (420,082 bytes)
  • 2017-08-01-4th-run-HookAds-Rig-EK-sends-Dreambot.pcap   (728,508 bytes)
  • 2017-08-01-5th-run-HookAds-Rig-EK-sends-Dreambot.pcap   (758,882 bytes)
  • 2017-08-01-1st-run-Rig-EK-landing-page.txt   (61,659 bytes)
  • 2017-08-01-1st-run-amand.info-banners-countryhits.txt   (6,417 bytes)
  • 2017-08-01-1st-run-popunder.php-from-HookAds-related-site.txt   (1,251 bytes)
  • 2017-08-01-2nd-run-Rig-EK-landing-page.txt   (122,407 bytes)
  • 2017-08-01-2nd-run-amand.info-banners-countryhits.txt   (6,417 bytes)
  • 2017-08-01-2nd-run-popunder.php-from-HookAds-related-site.txt   (1,251 bytes)
  • 2017-08-01-3rd-run-Rig-EK-landing-page.txt   (122,496 bytes)
  • 2017-08-01-3rd-run-amand.info-banners-countryhits.txt   (6,421 bytes)
  • 2017-08-01-3rd-run-popunder.php-from-HookAds-related-site.txt   (1,251 bytes)
  • 2017-08-01-4th-run-Rig-EK-landing-page.txt   (61,573 bytes)
  • 2017-08-01-4th-run-amand.info-banners-countryhits.txt   (6,445 bytes)
  • 2017-08-01-4th-run-popunder.php-from-HookAds-related-site.txt   (1,251 bytes)
  • 2017-08-01-5th-run-Rig-EK-landing-page.txt   (122,590 bytes)
  • 2017-08-01-5th-run-amand.info-banners-countryhits.txt   (6,421 bytes)
  • 2017-08-01-5th-run-popunder.php-from-HookAds-related-site.txt   (1,251 bytes)
  • 2017-08-01-HookAds-payload-from-Rig-EK-Dreambot.exe   (315,392 bytes)
  • 2017-08-01-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-08-01-Rig-EK-flash-exploit.swf   (13,747 bytes)


BACKGROUND ON THE HOOKADS CAMPAIGN:


Shown above:  Chain of events for today's infection traffic.  The portion outlined in red
represents what I have in today's pcaps.


TRAFFIC


Shown above:  Traffic from one of the pcaps filtered in Wireshark.



Shown above:  Alerts on the above pcap in Security Onion with Sguil using Suricata and the Emerging Threats Pro (ETPRO) ruleset.


ASSOCIATED DOMAINS AND URLS:


FILE HASHES

FLASH EXPLOIT:

MALWARE RETRIEVED FROM THE INFECTED HOST:


Shown above:  Dreambot made persistent on the infected Windows host.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
