2018-01-30 - RIG EK SENDS RAMNIT, FOLLOW-UP MALWARE: AZORULT

ASSOCIATED FILES:

  • 2018-01-28-Ngay-campaign-Rig-EK-traffic.pcap   (2,363,533 bytes)
  • 2018-01-29-Ngay-campaign-Rig-EK-traffic.pcap   (2,257,781 bytes)
  • 2018-01-30-Ngay-campaign-Rig-EK-traffic.pcap   (2,588,932 bytes)
  • 2018-01-28-Rig-EK-artifact-u32.tmp.txt   (1,141 bytes)
  • 2018-01-28-Rig-EK-flash-exploit.swf   (11,909 bytes)
  • 2018-01-28-Rig-EK-landing-page.txt   (95,611 bytes)
  • 2018-01-28-thru-30-Rig-EK-payload.exe   (428,544 bytes)
  • 2018-01-28-thru-30-follow-up-malware-prink.exe   (909,312 bytes)
  • 2018-01-29-Rig-EK-landing-page.txt   (95,553 bytes)
  • 2018-01-29-and-30-Rig-EK-artifact-u32.tmp.txt   (1,141 bytes)
  • 2018-01-29-and-30-Rig-EK-flash-exploit.swf   (13,780 bytes)
  • 2018-01-30-Rig-EK-landing-page.txt   (95,534 bytes)

NOTES:
WEB TRAFFIC BLOCK LIST

The following block list is based on URLs and domains from the infection traffic.  See the traffic images for more details.
TRAFFIC


Shown above:  Rig EK infection traffic from 2018-01-30 (part 1 of 2).

Shown above:  Rig EK infection traffic from 2018-01-30 (part 2 of 2).
ASSOCIATED DOMAINS AND URLS:
MALWARE

RIG EK FLASH EXPLOITS:

MALWARE BINARIES:
IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

Shown above:  Malware (Ramnit) persistent on the infected Windows host.
FINAL NOTES

Once again, here are the associated files:

All zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.