2016-02-23 - RIG EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-02-23-Rig-EK-data-dump-5-pcaps.zip  1.6 MB (1,562,588 bytes)
• 2016-02-23-Rig-EK-data-dump-malware-and-artifacts.zip  1.4 MB (1,388,423 bytes)

 

NOTES:

• I've documented this activity in two diaries at the Internet Storm Center (ISC).  These two diaries should explain the traffic below (how the gate is used by this particular actor).

• https://isc.sans.edu/diary/Actor+using+Rig+EK+to+deliver+Qbot/20513
• https://isc.sans.edu/diary/Actor+using+Rig+EK+to+deliver+Qbot+update/20551

 

DETAILS

DATE/TIME: 2016-02-23 15:56 UTC

• www.theprojectgirl[.]com - Compromised website
• www.theprojectgirl[.]com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3   [ .js file with malicious script ]
• 198.2.206[.]238 port 80 - xb.mylifeisnerdy[.]com - GET /cozbviewforummejvz.php   [ gate URL ]
• 188.227.18[.]157 port 80 - rg.tampahousefinancing[.]com - Rig EK

DATE/TIME: 2016-02-23 18:19 UTC

• www.planetside[.]co[.]uk - Compromised website
• www.planetside[.]co[.]uk - GET /media/system/js/mootools-core.js   [ .js file with malicious script ]
• 198.2.206[.]238 port 80 - xb.mylifeisnerdy[.]com - GET /oxviewforumzkv.php   [ gate URL ]
• 188.227.18[.]157 port 80 - ef.glocktracker[.]net - Rig EK

DATE/TIME: 2016-02-23 18:41 UTC

• www.cyclocamping[.]com - Compromised website
• www.cyclocamping[.]com - GET /js/jquery.min.js   [ .js file with malicious script ]
• 198.2.206[.]238 port 80 - xb.mylifeisnerdy[.]com - GET /vjiviewforumyrjy.php   [ gate URL ]
• 188.227.18[.]157 port 80 - jy.glocktracker.org - Rig EK

DATE/TIME: 2016-02-23 19:01 UTC

• www.pavtube[.]com - Compromised website
• www.pavtube[.]com - GET /public/temp/js/jquery.js   [ .js file with malicious script ]
• 198.2.206[.]238 port 80 - xb.mylifeisnerdy[.]com - GET /ulmcviewforumqz.php   [ gate URL ]
• 188.227.18[.]157 port 80 - jy.glocktracker[.]org - Rig EK

DATE/TIME: 2016-02-23 19:53 UTC

• www.ancientbathsny[.]com - Compromised website
• www.ancientbathsny[.]com - GET /wp-includes/js/jquery/jquery.js?ver=1.11.3   [ .js file with malicious script ]
• 198.2.206[.]238 port 80 - xb.mylifeisnerdy[.]com - GET /mjixviewforumeamm.php   [ gate URL ]
• 188.227.18[.]157 port 80 - df.glocktracker[.]us - Rig EK

EXPLOITS AND MALWARE:

(read: MD5 hash   file name)

• 7fa1700cee2769afbe427ec8cb233cbf   2016-02-23-Rig-EK-malware-payload-after-ancientbathsny_com.exe
• 2914443bb7808be89d717ba28378c853   2016-02-23-Rig-EK-payload-after-cyclocamping_com.exe
• 61f47a8a2e46e851b01743591e29d8cb   2016-02-23-Rig-EK-payload-after-pavtube_com.exe
• c4077ff57fb9256562ffe3b8378a213a   2016-02-23-Rig-EK-payload-after-planetside_co_uk.exe
• ca0e148da4af25a1d5c1f055ec664725   2016-02-23-Rig-EK-payload-after-theprojectgirl_com.exe

• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-ancientbathsny_com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-cyclocamping_com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-pavtube_com.swf
• c59db4ab55a9895706d5f59cc66c7a15   2016-02-23-Rig-EK-flash-exploit-after-planetside_co_uk.swf
• dac4eae4fda6693fa56d2a6126ff02df   2016-02-23-Rig-EK-flash-exploit-after-theprojectgirl_com.swf

 

Click here to return to the main page.