
Rig Exploit Kit via EITEST delivers Smokebot and Dreambot


Aug 26, 2016 by Analysis in EITEST

NOTES: On August 25th, 2016 I captured traffic from the Rig Exploit Kit (EK) via the EITEST campaign, which delivered a malicious file (the payload) that failed to execute. I uploaded the payload to Hybrid-Analysis.com, which returned minimal results. @CyberScimitar ran an analysis on the payload; his findings are provided below. The downloadable zip file contains the 3 pcap files associated with the infection chain. Reference: Proofpoint, "Nightmare on Tor Street: New Ursnif Variant Dreambot Adds Tor Functionality".

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.

info@broadanalysis.com

PCAP file of the infection traffic:

2016-08-25-Rig-EK-Smokebot-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES

ORIGINAL INFECTION:
85.93.0.13 cutil.xyz EITEST GATE
178.32.92.114 nxiymnj8ap.top Rig EK LANDING PAGE

IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
[Image] Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payload, which failed to execute.
[Image] Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. The web page source code can be viewed by right-clicking on the web page and selecting "View source".
[Image] Shown above: Script found on the EITEST gate redirecting to the Rig exploit landing page.
[Image] Shown above: Partial contents of the malicious payload delivered by the Rig EK, which failed to execute. The payload was found in the C:\Users\%UserName%\AppData\Local\Temp directory, named 315E.tmp.

DOMAINS AND IP ADDRESSES ASSOCIATED WITH @CyberScimitar ANALYSIS:
204.79.197.203 www.msn.com GET / Smokebot Connection Check
23.72.208.160 www.microsoft.com GET / Smokebot Connection Check
23.72.192.132 www.adobe.com POST / Smokebot Connection Check
104.238.131.117 loremipsumdolorsitamet.pw POST / Smokebot C&C
23.72.204.132 java.com POST / Smokebot Connection Check
185.141.25.64 GET /banner/1200.exe Dreambot Download
216.99.193.149 korats.com GET /Sunkats/images/tr_w.so Dreambot Post Infection Traffic
37.48.122.26 curlmyip.net Dreambot IP Address Check
5.39.55.14 updates.merqurio.it GET /iphone/Pdr94.so Dreambot Post Infection Download
62.149.128.160 particolardesign.it GET /wp-includes/ID3/ts/904855tos.so Dreambot Post Infection Traffic
62.149.140.195 www.particolardesign.it GET /wp-includes/ID3/ts/904855tos.so Dreambot Post Infection Traffic

IMAGES AND DETAILS OF POST INFECTION CHAIN:
[Image] Shown above: Network traffic associated with the Smokebot and Dreambot infection.
[Image] Shown above: Network traffic associated with the Dreambot infection.
[Image] Shown above: Smokebot C&C redirecting to the Dreambot download file 1200.exe.
[Image] Shown above: Smokebot post infection download associated with Dreambot.
[Image] Shown above: Partial contents of the file download associated with the Dreambot Tor client.

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Original payload: 315E.tmp (VirusTotal link)
1200.exe (VirusTotal link)
FINAL NOTES: The information above is provided as indicators of compromise (IOCs). Hope this helps. Again, thanks to @CyberScimitar for his post infection analysis.
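As an added example (not part of the original post or @CyberScimitar's analysis), the Python below turns the IOC lists above into a retrospective check over web-proxy logs. The log line format (timestamp, client IP, method, host, path, status) and the sample log lines are constructed for illustration. The Smokebot "connection check" requests go to legitimate sites (www.msn.com, www.microsoft.com, www.adobe.com, java.com), so they are kept as context indicators and only reported for a client that also hit a confirmed gate, landing page, C&C or Dreambot indicator; on their own they would be noise.

```python
"""Match proxy log lines against the EITEST/Rig/Smokebot/Dreambot indicators.

Added example; the log format and the sample lines below are constructed.
"""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "host method path label")

# (ip, host, method, path, label) transcribed from the post. None marks a
# field the post does not give; a None method or path matches any value.
RAW_CONFIRMED = [
    ("85.93.0.13", "cutil.xyz", None, None, "EITEST gate"),
    ("178.32.92.114", "nxiymnj8ap.top", None, None, "Rig EK landing page"),
    ("104.238.131.117", "loremipsumdolorsitamet.pw", "POST", "/", "Smokebot C&C"),
    ("185.141.25.64", None, "GET", "/banner/1200.exe", "Dreambot download"),
    ("216.99.193.149", "korats.com", "GET", "/Sunkats/images/tr_w.so", "Dreambot post infection traffic"),
    ("37.48.122.26", "curlmyip.net", None, None, "Dreambot IP address check"),
    ("5.39.55.14", "updates.merqurio.it", "GET", "/iphone/Pdr94.so", "Dreambot post infection download"),
    ("62.149.128.160", "particolardesign.it", "GET", "/wp-includes/ID3/ts/904855tos.so", "Dreambot post infection traffic"),
    ("62.149.140.195", "www.particolardesign.it", "GET", "/wp-includes/ID3/ts/904855tos.so", "Dreambot post infection traffic"),
]
# Benign hosts used by Smokebot as connectivity checks: context only.
RAW_CONTEXT = [
    ("204.79.197.203", "www.msn.com", "GET", "/", "Smokebot connection check"),
    ("23.72.208.160", "www.microsoft.com", "GET", "/", "Smokebot connection check"),
    ("23.72.192.132", "www.adobe.com", "POST", "/", "Smokebot connection check"),
    ("23.72.204.132", "java.com", "POST", "/", "Smokebot connection check"),
]

def _expand(rows):
    # One Indicator per host name and one per IP, so either form in the log matches.
    return [Indicator(h, m, p, l) for ip, host, m, p, l in rows for h in (ip, host) if h]

CONFIRMED = _expand(RAW_CONFIRMED)
CONTEXT = _expand(RAW_CONTEXT)

# Constructed log format: "<timestamp> <client> <METHOD> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

def _matches(ind, method, host, path):
    if ind.host != host.lower():
        return False
    if ind.method is not None and ind.method != method:
        return False
    # Compare the path without its query string; Rig landing URLs vary there.
    if ind.path is not None and ind.path != path.split("?", 1)[0]:
        return False
    return True

def classify(method, host, path):
    """Return (label, is_context) for a request, or None if nothing matches."""
    for ind in CONFIRMED:
        if _matches(ind, method, host, path):
            return ind.label, False
    for ind in CONTEXT:
        if _matches(ind, method, host, path):
            return ind.label, True
    return None

def scan_log(lines):
    """Return {client: [(ts, label, url), ...]} for clients with a confirmed hit.

    Context hits (connection checks) are attached only to those clients.
    """
    confirmed, context = {}, {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        result = classify(m["method"], m["host"], m["path"])
        if result is None:
            continue
        label, is_context = result
        bucket = context if is_context else confirmed
        bucket.setdefault(m["client"], []).append((m["ts"], label, m["host"] + m["path"]))
    return {c: sorted(hits + context.get(c, [])) for c, hits in confirmed.items()}

# Constructed sample log: one infected client (10.0.0.25) and one clean one (10.0.0.77).
SAMPLE_LOG = [
    "2016-08-25T14:02:11Z 10.0.0.25 GET cutil.xyz / 200",
    "2016-08-25T14:02:12Z 10.0.0.25 GET nxiymnj8ap.top /?q=abc 200",
    "2016-08-25T14:03:40Z 10.0.0.25 GET www.msn.com / 200",
    "2016-08-25T14:03:41Z 10.0.0.25 POST loremipsumdolorsitamet.pw / 200",
    "2016-08-25T14:03:55Z 10.0.0.25 GET 185.141.25.64 /banner/1200.exe 200",
    "2016-08-25T14:05:02Z 10.0.0.25 GET curlmyip.net / 200",
    "2016-08-25T14:05:30Z 10.0.0.25 GET korats.com /Sunkats/images/tr_w.so 200",
    "2016-08-25T14:10:00Z 10.0.0.77 GET www.msn.com / 200",
    "2016-08-25T14:10:05Z 10.0.0.77 GET www.adobe.com /products 200",
]

if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG).items():
        print(client)
        for ts, label, url in hits:
            print(f"  {ts}  {label:32}  {url}")
```

The ordering of the hits for a client reproduces the chain as the post describes it (gate, landing page, Smokebot C&C, Dreambot download, IP check, post infection traffic), which is the sequence to look for when triaging a single host; a lone connection check to www.msn.com, as from 10.0.0.77, is not reported.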

Tagged with: Dreambot , Smokebot

