2016-05-27 - RIG EK SENDS TOFSEE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-05-27-Rig-EK-traffic-3-pcaps.zip   308.2 kB (308,168 bytes)

• 2016-05-26-Rig-EK-traffic.pcap   (231,993 bytes)
• 2016-05-27-Rig-EK-traffic-first-run.pcap   (47,826 bytes)
• 2016-05-27-Rig-EK-traffic-second-run.pcap   (251,008 bytes)

• 2016-05-27-Rig-EK-malware-and-artifacts.zip   244.6 kB (244,648 bytes)

• 2016-05-26-Rig-EK-flash-exploit.swf   (182,13 bytes)
• 2016-05-26-Rig-EK-landing-page.txt   (4,990 bytes)
• 2016-05-26-Rig-EK-payload-Tofsee.exe   (188,416 bytes)
• 2016-05-27-Rig-EK-flash-exploit.swf   (37,906 bytes)
• 2016-05-27-Rig-EK-landing-page-first-run.txt   (4,982 bytes)
• 2016-05-27-Rig-EK-landing-page-second-run.txt   (4,982 bytes)
• 2016-05-27-Rig-EK-payload-Tofsee.exe   (184,320 bytes)

 

TRAFFIC

Shown above:  Pcap of the 2016-05-26 traffic filtered in Wireshark.

Shown above:  Pcap of the 2016-05-27 traffic (first run) filtered in Wireshark.

Shown above:  Pcap of the 2016-05-27 traffic (second run) filtered in Wireshark.

ASSOCIATED DOMAINS:

• 109.95.159[.]1 port 80 - questart[.]com[.]pl - GET /wp-content/themes/twentyfourteen/xtrfgdb7.php?id=15768376   [gate to Rig EK]
• 46.30.43[.]128 port 80 - ds.filipinoaustralianforum[.]com - Rig EK (2016-05-26)
• 46.30.43[.]249 port 80 - mj.philippinesgetaway[.]com[.]au - Rig EK (2016-05-27)

 

Click here to return to the main page.