2017-06-02 - SEAMLESS CAMPAIGN CONTINUES USING RIG EK TO SEND RAMNIT

ASSOCIATED FILES:

  • 2017-06-02-Seamless-Rig-EK-sends-Ramnit-1st-run.pcap   (1,309,272 bytes)
  • 2017-06-02-Seamless-Rig-EK-sends-Ramnit-2nd-run.pcap   (1,070,828 bytes)
  • 2017-06-02-Rig-EK-landing-page-1st-run.txt   (26,904 bytes)
  • 2017-06-02-Rig-EK-landing-page-2nd-run.txt   (26,901 bytes)
  • 2017-06-02-Seamless-Rig-EK-payload-Ramnit-1st-run.exe   (162,816 bytes)
  • 2017-06-02-Seamless-Rig-EK-payload-Ramnit-2nd-run.exe   (162,816 bytes)

NOTES:

SOME BACKGROUND ON THE SEAMLESS CAMPAIGN:

Shown above:  Tweet from @thlnk3r yesterday with a Seamless campaign URL.

TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

Shown above:  Traffic from the 2nd run filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

MALWARE PAYLOAD (RAMNIT) - 1ST RUN:

MALWARE PAYLOAD (RAMNIT) - 2ND RUN:

OTHER IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.