2014-10-05 - RIG EK FROM 37.200.69[.]87 - CONTACT.COLLEGEMOTORSLTD[.]COM

NOTICE:

ASSOCIATED FILES:

NOTES:

MY BLOG ENTRIES ON THE WINDIGO GROUP SERVING RIG EK:

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

COMPROMISED WEBSITE AND REDIRECT:

RIG EK:

PRELIMINARY MALWARE ANALYSIS

FLASH EXPLOIT:

File name:  2014-10-05-Rig-EK-flashe-exploit.swf
File size:  4,238 bytes
MD5 hash:  1ca3694873a7975dc4a286e11799a004
Detection ratio:  8 / 55
First submission:  2014-10-02 07:51:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3f0c210787ecd044c48792635998e4574a4c5abed1b150c02c62083b757b02f9/analysis/

SILVERLIGHT EXPLOIT:

File name:  2014-10-05-Rig-EK-silverlight-exploit.xap
File size:  3,7375 bytes
MD5 hash:  ab716b15872a59d913a7e98d57629705
Detection ratio:  2 / 55
First submission:  2014-10-05 00:46:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/46c2ff09e2be2d7af005679e364a92ca6d437aa40a24ccefd688a05dd79c4898/analysis/

MALWARE PAYLOAD:

File name:  2014-10-05-Rig-EK-malware-payload.exe
File size:  112,270 bytes
MD5 hash:  8bb314e3b027f08891db469edb61e584
Detection ratio:  3 / 55
First submission:  2014-10-05 00:42:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/54850b1dff3148f999959d59c34e2d1be488a3d60be493261249e09ef22fde89/analysis/

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not including preprocessor events):

SCREENSHOTS FROM THE TRAFFIC

Compromised website redirects when reached through a Google search:

Cushion redirect:

Redirect points to Rig EK:

Rig EK sends Silverlight exploit:

Rig EK sends malware payload: