Aug 26, 2016 by Analysis in EITESTNOTES: On August 25th, 2016 I captured traffic from the Rig Exploit Kit (EK) via the EITEST campaign, which delivered a malicious payload that failed to execute. I uploaded the payload to Hybrid-Analysis.com, which returned minimal results. @CyberScimitar ran an analysis on the payload; his findings are provided below. The downloadable zip file contains the 3 pcap files associated with the infection chain. Reference: Proofpoint, "Nightmare on Tor Street: New Ursnif Variant Dreambot Adds Tor Functionality".
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
PCAP file of the infection traffic: 2016-08-25-Rig-EK-Smokebot-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES

ORIGINAL INFECTION:
188.8.131.52 - cutil.xyz - EITEST GATE
184.108.40.206 - nxiymnj8ap.top - Rig EK LANDING PAGE

IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payload which failed to execute.
Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. The web page source code can be viewed by right-clicking on the web page and selecting "View source".
Shown above: Script found on the EITEST gate redirecting to the Rig EK landing page
Shown above: Partial contents of the malicious payload delivered by the Rig EK, which failed to execute. The payload was found in the C:\Users\%UserName%\AppData\Local\Temp directory, named 315E.tmp.

DOMAINS AND IP ADDRESSES ASSOCIATED WITH @CyberScimitar ANALYSIS:
220.127.116.11 - www.msn.com - GET / - Smokebot Connection Check
18.104.22.168 - www.microsoft.com - GET / - Smokebot Connection Check
22.214.171.124 - www.adobe.com - POST / - Smokebot Connection Check
126.96.36.199 - loremipsumdolorsitamet.pw - POST / - Smokebot C&C
188.8.131.52 - java.com - POST / - Smokebot Connection Check
184.108.40.206 - GET /banner/1200.exe - Dreambot Download
220.127.116.11 - korats.com - GET /Sunkats/images/tr_w.so - Dreambot Post Infection Traffic
18.104.22.168 - curlmyip.net - Dreambot IP Address Check
22.214.171.124 - updates.merqurio.it - GET /iphone/Pdr94.so - Dreambot Post Infection Download
126.96.36.199 - particolardesign.it - GET /wp-includes/ID3/ts/904855tos.so - Dreambot Post Infection Traffic
188.8.131.52 - www.particolardesign.it - GET /wp-includes/ID3/ts/904855tos.so - Dreambot Post Infection Traffic

IMAGES AND DETAILS OF POST INFECTION CHAIN:
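The IOC list above is most useful once it is turned into something that runs over proxy or web logs. The script below is an added example, not part of the original post or @CyberScimitar's analysis: it matches log entries against the hosts and URIs listed above, and it also looks for the Smokebot sequence visible in the pcap, a burst of "connection check" requests to well-known benign sites immediately before the first POST to the C&C host. The log format (timestamp, client IP, method, host, URI, status), the sample log lines, and the threshold of three distinct connectivity-check hosts are all constructed assumptions for this example; adjust the parser to your own proxy's format.

```python
"""IOC matcher for the Rig EK -> Smokebot -> Dreambot chain described above.

Added example: the IOC hosts and URIs come from the post, everything else
(log format, sample lines, the connectivity-check threshold) is constructed.
"""
import re
from collections import defaultdict

# Hosts from the post's IOC list, mapped to the role given there.
IOC_HOSTS = {
    "cutil.xyz": "EITest gate",
    "nxiymnj8ap.top": "Rig EK landing page",
    "loremipsumdolorsitamet.pw": "Smokebot C&C",
    "korats.com": "Dreambot post-infection traffic",
    "updates.merqurio.it": "Dreambot post-infection download",
    "particolardesign.it": "Dreambot post-infection traffic",
    "www.particolardesign.it": "Dreambot post-infection traffic",
}

# URI patterns from the post: the 1200.exe download had no hostname in the
# capture, and the Dreambot follow-up fetches all end in ".so".
IOC_URI_PATTERNS = [
    (re.compile(r"/banner/1200\.exe$"), "Dreambot download"),
    (re.compile(r"\.so$"), "Dreambot post-infection traffic"),
]

# Benign sites Smokebot touched only to confirm it was online. A single hit
# is normal browsing; several in quick succession followed by an IOC hit is
# the pattern seen in the pcap.
CONNECTIVITY_CHECK_HOSTS = {"www.msn.com", "www.microsoft.com", "www.adobe.com", "java.com"}
CHECK_THRESHOLD = 3  # assumption: distinct check hosts before the IOC hit

# Constructed log format: "<timestamp> <client_ip> <GET|POST> <host> <uri> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+"
    r"(?P<host>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the IOC label for a parsed entry, or None if it matches nothing."""
    host = entry["host"].lower()
    if host in IOC_HOSTS:
        return IOC_HOSTS[host]
    for pattern, label in IOC_URI_PATTERNS:
        if pattern.search(entry["uri"]):
            return label
    return None


def scan(lines):
    """Scan log lines and return (alerts, flagged_clients).

    alerts: (client, host, uri, label) for every direct IOC hit.
    flagged_clients: clients that touched at least CHECK_THRESHOLD distinct
    connectivity-check hosts before their first IOC hit.
    """
    alerts = []
    checks = defaultdict(set)   # client -> benign check hosts seen so far
    flagged = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of aborting the scan
        host = entry["host"].lower()
        label = classify(entry)
        if label:
            alerts.append((entry["client"], host, entry["uri"], label))
            if len(checks[entry["client"]]) >= CHECK_THRESHOLD:
                flagged.add(entry["client"])
        elif host in CONNECTIVITY_CHECK_HOSTS:
            checks[entry["client"]].add(host)
    return alerts, sorted(flagged)


# Constructed sample log: 10.0.0.5 replays the Smokebot/Dreambot sequence,
# 10.0.0.7 is ordinary browsing, and the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-08-25T14:00:01Z 10.0.0.5 GET www.msn.com / 200
2016-08-25T14:00:01Z 10.0.0.5 GET www.microsoft.com / 200
2016-08-25T14:00:02Z 10.0.0.5 POST www.adobe.com / 200
2016-08-25T14:00:03Z 10.0.0.5 POST loremipsumdolorsitamet.pw / 200
2016-08-25T14:00:04Z 10.0.0.5 GET 184.108.40.206 /banner/1200.exe 200
2016-08-25T14:00:09Z 10.0.0.5 GET korats.com /Sunkats/images/tr_w.so 200
2016-08-25T14:00:10Z 10.0.0.7 GET www.msn.com / 200
2016-08-25T14:00:11Z 10.0.0.7 GET example.org /index.html 200
this line does not parse
""".splitlines()

if __name__ == "__main__":
    found, suspicious = scan(SAMPLE_LOG)
    for client, host, uri, label in found:
        print(f"{client} -> {host}{uri}: {label}")
    print("clients with check-burst before IOC hit:", suspicious)
```

Matching on the bare ".so" suffix is intentionally broad: on its own it will catch legitimate shared-object downloads, so treat the URI patterns as a triage signal and the host list as the confident indicator.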
Shown Above: Network traffic associated with the Smokebot and Dreambot infection
Shown Above: Network traffic associated with the Dreambot infection
Shown above: Smokebot C&C redirecting to Dreambot download file 1200.exe
Shown above: Smokebot post infection download associated with Dreambot
Shown above: Partial contents of file download associated with Dreambot Tor Client
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
Original Payload 315E.tmp - Virus Total Link
1200.exe - Virus Total Link
FINAL NOTES: The above information is provided as Indicators of Compromise (IOCs). Hope this helps. Again, thanks to @CyberScimitar for his post-infection analysis.
Tagged with: Dreambot, Smokebot