2017-08-28 - FOBOS CAMPAIGN RIG EK SENDS BUNITU

ASSOCIATED FILES:

  • 2017-08-28-Fobos-campaign-Rig-EK-sends-Bunitu.pcap   (595,648 bytes)
  • 2017-08-28-Fobos-campaing-Rig-EK-payload-Bunitu.exe   (252,928 bytes)
  • 2017-08-28-Rig-EK-flash-exploit.swf   (14,673 bytes)
  • 2017-08-28-Rig-EK-landing-page.txt   (61,637 bytes)
  • 2017-08-28-gamebingfree.info.txt   (17,123 bytes)
  • 2017-08-28-trext-returned-from-212jhhhvvhhvvhv.cf.txt   (540 bytes)

 

BACKGROUND:

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark focusing on Bunitu post-infection traffic.

 


Shown above:  Traffic from the infection filtered in Wireshark showing HTTP click-fraud traffic.

 


Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

RIG EK FLASH EXPLOIT:

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.