2015-08-03 - RIG EK FROM 46.30.46[.]26

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-08-03-Rig-EK-traffic.pcap.zip
• 2015-08-03-Rig-EK-malware-and-artifacts.zip

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

• www.unitedmedia-llc[.]com - Compromised website
• 223.130.27[.]185 port 80 - clubberz[.]com[.]au - Redirect/gate
• 46.30.46[.]26 port 80 - call.conceptualviz[.]com - Nuclear EK

 

SCREENSHOTS FOR SCRIPT FROM COMPROMISED WEBSITE AND REDIRECT:

 

TRAFFIC:

• 2015-08-03 13:41:00 UTC - www.unitedmedia-llc[.]com - GET /

• 2015-08-03 13:41:01 UTC - clubberz[.]com[.]au - GET /pro___/wp-content/themes/rttheme17/ckv4dlmt.php?id=8149734

• 2015-08-03 13:41:02 UTC - call.conceptualviz[.]com - GET /?w3eKdbGUKx_MDYU=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbrA

• 2015-08-03 13:41:03 UTC - call.conceptualviz[.]com - GET /index.php?w3eKdbGUKx_MDYU=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbogAQlryJQ-
  DbpgN6V0ggEkqfPZVlqx7IQnmtayh42P26Rjl-1g

• 2015-08-03 13:41:05 UTC - call.conceptualviz[.]com - GET /index.php?w3eKdbGUKx_MDYU=l3SMfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-
  ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWE9EeINA5ErMCQHORt2VzyzbdAecl0x0LWuGlSnbwdVkgbogAQlryJQ-
  DbpgN6V0ggDE3KPZVlqx7IQnmtayh42P2-SThznuWD&dop=0340

 

SCREEN SHOTS FOR SOME OF THE POST-INFECTION TRAFFIC:

 

Click here to return to the main page.