2018-08-07 - HOOKADS RIG EK PUSHES AZORULT, AZORULT PUSHES SMOKELOADER

ASSOCIATED FILES:

  • 2018-08-07-Rig-EK-infection-traffic-1st-run.pcap   (5,193,718 bytes)
  • 2018-08-07-Rig-EK-infection-traffic-2nd-run.pcap   (6,102,865 bytes)
  • Zip archive of the malware & artifacts:  2018-08-07-Rig-EK-malware-and-artifacts.zip   560 kB (559,774 bytes)
    • 2018-08-07-Rig-EK-landing-page-1st-run.txt   (140,787 bytes)
    • 2018-08-07-Rig-EK-landing-page-2nd-run.txt   (140,863 bytes)
    • 2018-08-07-Rig-EK-artifact-sp.txt   (1,151 bytes)
    • 2018-08-07-Rig-EK-flash-exploit.swf   (34,325 bytes)
    • 2018-08-07-Rig-EK-payload-1st-run-AZORult.exe   (134,656 bytes)
    • 2018-08-07-Rig-EK-payload-2nd-run-AZORult.exe   (285,968 bytes)
    • 2018-08-07-Rig-EK-AZORult-infection-follow-up-malware-1-of-2-possibly-SmokeLoader.exe   (54,784 bytes)
    • 2018-08-07-Rig-EK-AZORult-infection-follow-up-malware-2-of-2-possibly-SmokeLoader.exe   (204,560 bytes)

    NOTES:


    WEB TRAFFIC BLOCK LIST

    Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URL:


    TRAFFIC


    Shown above:  Infection traffic from the 2nd run filtered in Wireshark.



    Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.


    TRAFFIC TO DECOY DATING DOMAIN AND REDIRECT LEADING TO RIG EK:

    RIG EK:

    POST-INFECTION TRAFFIC:


    FILE HASHES

    RIG EK FLASH EXPLOIT:

    RIG EK PAYLOADS:

    FOLLOW-UP MALWARE SEEN DURING THE SECOND RUN:


    FINAL NOTES

    Once again, here are the associated files:

    Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
