2019-01-04 - HOOKADS CAMPAIGN RIG EK PUSHES SMOKELOADER

ASSOCIATED FILES:

  • 2019-01-04-HookAds-campaign-Rig-EK-sends-SmokeLoader.pcap   (800,333 bytes)
  • Zip archive of the malware & artifacts:  2019-01-04-HookAds-Rig-EK-malware-and-artifacts.zip   535 kB (534,672 bytes)
    • 2019-01-04-HookAds-campaign-Rig-EK-payload.exe   (291,328 bytes)
    • 2019-01-04-Rig-EK-artifact-a.e.txt   (1,149 bytes)
    • 2019-01-04-Rig-EK-flash-exploit.swf   (32,313 bytes)
    • 2019-01-04-Rig-EK-landing-page.txt   (136,345 bytes)
    • 2019-01-04-Scheduled-task-Opera_scheduled_Autoupdate_3830086449.xml.txt   (3,504 bytes)
    • 2019-01-04-SmokeLoader-artifact-fcifrjgj.bin   (321,738 bytes)

    NOTES:

     

    WEB TRAFFIC BLOCK LIST

    Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

     

    TRAFFIC


    Shown above:  Infection traffic filtered in Wireshark.

     

    TRAFFIC TO DECOY DATING SITE USED BY HOOKADS AND REDIRECT LEADING TO RIG EK:

    RIG EK:

    SMOKELOADER POST-INFECTION TRAFFIC:

     

    FILE HASHES

    RIG EK FLASH EXPLOIT:

    HOOKADS CAMPAIGN PAYLOAD FROM RIG EK:

     

    IMAGES


    Shown above:  SmokeLoader persistent on the infected Windows host.
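The persistence the screenshot refers to is a scheduled task (its XML export is in the zip, named after Opera's updater). The script below is an added example, not code from this post or its author: it parses a Task Scheduler XML export, pulls out the task name, triggers, repetition interval and the command it runs, and flags the combinations a responder would want to see, such as a vendor-named task whose action executes from a user-writable directory. The sample task XML, the task number and paths inside it, and the vendor-directory table are all constructed assumptions for the example; none of them is taken from the post's artifact.

```python
"""Triage a Windows Task Scheduler XML export for signs of malware persistence.

Added example for this post, not code from the post's author.  The sample XML
below is CONSTRUCTED for illustration (hypothetical task number and paths); it
is not the Opera_scheduled_Autoupdate XML from the zip.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption for this example: lower-case path fragments a genuine task of that
# vendor would run from.  Extend per environment.
VENDOR_DIRS = {
    "opera": (r"\program files\opera", r"\program files (x86)\opera",
              r"\appdata\local\programs\opera"),
}
# Directories an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")

# Constructed sample modelled on the layout of a Task Scheduler export.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Opera scheduled Autoupdate 1234567890</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2019-01-04T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\abcdefgh\example.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def interval_seconds(iso_duration):
    """Convert a Task Scheduler ISO 8601 duration such as PT10M to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_task(xml_text):
    """Pull the fields a responder cares about out of a task XML export."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    triggers = root.find("t:Triggers", NS)
    return {
        "name": uri.lstrip("\\"),
        "commands": [(c.text or "").strip()
                     for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)],
        # Strip the namespace from each trigger tag, e.g. LogonTrigger.
        "triggers": [] if triggers is None else [t.tag.split("}")[-1] for t in triggers],
        "interval": root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS),
    }


def assess_task(info):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name = info["name"].lower()
    for cmd in info["commands"]:
        path = cmd.lower()
        for vendor, dirs in VENDOR_DIRS.items():
            if vendor in name and not any(d in path for d in dirs):
                findings.append(f"name claims {vendor} but action runs {cmd}")
        if any(d in path for d in USER_WRITABLE):
            findings.append(f"action runs from a user-writable directory: {cmd}")
    secs = interval_seconds(info["interval"]) if info["interval"] else None
    if secs is not None and secs <= 900:
        findings.append(f"re-runs every {secs} s (beacon-like repetition)")
    if "LogonTrigger" in info["triggers"]:
        findings.append("runs at every logon")
    return findings


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK_XML)
    print(task["name"], task["triggers"], task["commands"])
    for finding in assess_task(task):
        print(" -", finding)
```

On a live host the same XML can be obtained with `schtasks /Query /TN "<task name>" /XML` or read from `C:\Windows\System32\Tasks\`, and the vendor table is deliberately a stub: the point of the check is the mismatch between what a task name claims and where its action actually lives.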

     

    FINAL NOTES

    Once again, here are the associated files:

    Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
