Aug 26, 2016 by Analysis in EITEST
NOTES: On August 25th, 2016 I captured traffic from the Rig Exploit Kit (EK) via the EITEST campaign, which delivered a malicious file [Payload] that failed to execute. I uploaded the payload to Hybrid-Analysis.com, which returned minimal results. @CyberScimitar ran an analysis on the payload; his findings are provided below. The downloadable zip file contains the 3 pcap files associated with the infection chain.
Reference: Proofpoint, Nightmare on Tor Street: New Ursnif Variant Dreambot Adds Tor Functionality
I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me.
info@broadanalysis.com
PCAP file of the infection traffic:
2016-08-25-Rig-EK-Smokebot-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES
ORIGINAL INFECTION:
85.93.0.13 - cutil.xyz - EITEST GATE
178.32.92.114 - nxiymnj8ap.top - Rig EK LANDING PAGE
IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:
Shown above: Network traffic associated with the Rig exploit and the delivery of the malicious payload which failed to execute.
Shown above: Injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. Web page source code can be found by right clicking on the web page and selecting “View source”.
Shown above: Script found on EITEST gate redirecting to the Rig exploit landing page
Shown above: Partial contents of the malicious payload delivered by the Rig EK which failed to execute. The payload was found in the C:\Users\%UserName%\AppData\Local\Temp directory, named 315E.tmp.
DOMAINS AND IP ADDRESSES ASSOCIATED WITH @CyberScimitar ANALYSIS:
204.79.197.203 - www.msn.com - GET / - Smokebot Connection Check
23.72.208.160 - www.microsoft.com - GET / - Smokebot Connection Check
23.72.192.132 - www.adobe.com - POST / - Smokebot Connection Check
104.238.131.117 - loremipsumdolorsitamet.pw - POST / - Smokebot C&C
23.72.204.132 - java.com - POST / - Smokebot Connection Check
185.141.25.64 - GET /banner/1200.exe - Dreambot Download
216.99.193.149 - korats.com - GET /Sunkats/images/tr_w.so - Dreambot Post Infection Traffic
37.48.122.26 - curlmyip.net - Dreambot IP Address Check
5.39.55.14 - updates.merqurio.it - GET /iphone/Pdr94.so - Dreambot Post Infection Download
62.149.128.160 - particolardesign.it - GET /wp-includes/ID3/ts/904855tos.so - Dreambot Post Infection Traffic
62.149.140.195 - www.particolardesign.it - GET /wp-includes/ID3/ts/904855tos.so - Dreambot Post Infection Traffic
IMAGES AND DETAILS OF POST INFECTION CHAIN:
Shown above: Network traffic associated with the Smokebot and Dreambot infection
Shown above: Network traffic associated with the Dreambot infection
Shown above: Smokebot C&C redirecting to Dreambot download file 1200.exe
Shown above: Smokebot post infection download associated with Dreambot
Shown above: Partial contents of file download associated with Dreambot Tor Client
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
Original Payload: 315E.tmp (Virus Total Link)
1200.exe (Virus Total Link)
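The domains, IP addresses and URI paths listed above are most useful when they are turned into something that can be run over proxy or web logs. The script below is an added example (not code from broadanalysis.com or from @CyberScimitar's analysis) that matches a simple, constructed proxy-log format against the indicators from this post. The confidence tiers are an editorial assumption: the Smokebot connectivity checks go to legitimate sites (www.msn.com, www.microsoft.com, www.adobe.com, java.com) and look exactly like normal browsing, so the matcher reports them only when the same client also hit high-confidence infrastructure (the gate, the landing page, the C&C, or the Dreambot download and post-infection URIs) within a short window.

```python
"""Match proxy-log lines against the Rig EK -> Smokebot -> Dreambot IOCs above.

Added example; not code from broadanalysis.com or from @CyberScimitar's analysis.
The log format is constructed for this example: one request per line,
"<epoch> <client_ip> <method> <host> <path> <dst_ip>".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Ioc:
    ip: str
    host: Optional[str]
    method: Optional[str]   # None = any method
    path: Optional[str]     # None = any path
    label: str
    confidence: str         # "high" or "low" (editorial assumption)


# Indicators copied from the post. "low" marks Smokebot's connectivity checks and the
# Dreambot IP check against legitimate services; alone they are indistinguishable from
# ordinary traffic and are only reported next to a "high" hit from the same client.
IOCS = [
    Ioc("85.93.0.13", "cutil.xyz", None, None, "EITEST gate", "high"),
    Ioc("178.32.92.114", "nxiymnj8ap.top", None, None, "Rig EK landing page", "high"),
    Ioc("104.238.131.117", "loremipsumdolorsitamet.pw", "POST", "/", "Smokebot C&C", "high"),
    Ioc("185.141.25.64", None, "GET", "/banner/1200.exe", "Dreambot download", "high"),
    Ioc("216.99.193.149", "korats.com", "GET", "/Sunkats/images/tr_w.so", "Dreambot post-infection traffic", "high"),
    Ioc("5.39.55.14", "updates.merqurio.it", "GET", "/iphone/Pdr94.so", "Dreambot post-infection download", "high"),
    Ioc("62.149.128.160", "particolardesign.it", "GET", "/wp-includes/ID3/ts/904855tos.so", "Dreambot post-infection traffic", "high"),
    Ioc("62.149.140.195", "www.particolardesign.it", "GET", "/wp-includes/ID3/ts/904855tos.so", "Dreambot post-infection traffic", "high"),
    Ioc("37.48.122.26", "curlmyip.net", None, None, "Dreambot IP address check", "low"),
    Ioc("204.79.197.203", "www.msn.com", "GET", "/", "Smokebot connection check", "low"),
    Ioc("23.72.208.160", "www.microsoft.com", "GET", "/", "Smokebot connection check", "low"),
    Ioc("23.72.192.132", "www.adobe.com", "POST", "/", "Smokebot connection check", "low"),
    Ioc("23.72.204.132", "java.com", "POST", "/", "Smokebot connection check", "low"),
]


@dataclass(frozen=True)
class Request:
    ts: int
    client: str
    method: str
    host: str
    path: str
    dst_ip: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed proxy-log line; return None for malformed input."""
    fields = line.split()
    if len(fields) != 6 or not fields[0].isdigit():
        return None
    ts, client, method, host, path, dst = fields
    return Request(int(ts), client, method.upper(), host.lower(), path, dst)


def ioc_matches(ioc: Ioc, req: Request) -> bool:
    """Host or destination IP must match; method and path too when the IOC sets them."""
    host_ok = ioc.host is not None and req.host == ioc.host
    ip_ok = req.dst_ip == ioc.ip or req.host == ioc.ip   # host header may be the bare IP
    if not (host_ok or ip_ok):
        return False
    if ioc.method is not None and req.method != ioc.method:
        return False
    if ioc.path is not None and req.path != ioc.path:
        return False
    return True


def find_hits(lines: Iterable[str], window: int = 600) -> List[Tuple[int, str, str, str]]:
    """Return (ts, client, label, confidence) tuples, sorted by time.

    Low-confidence hits are kept only if the same client has a high-confidence
    hit within `window` seconds, which suppresses matches on normal browsing.
    """
    raw = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for ioc in IOCS:
            if ioc_matches(ioc, req):
                raw.append((req.ts, req.client, ioc.label, ioc.confidence))
                break   # one label per request
    high_ts = defaultdict(list)
    for ts, client, _label, conf in raw:
        if conf == "high":
            high_ts[client].append(ts)
    return sorted(
        hit for hit in raw
        if hit[3] == "high" or any(abs(hit[0] - t) <= window for t in high_ts[hit[1]])
    )


# Constructed sample log: one client walks the chain, another only visits msn.com.
SAMPLE_LOG = """\
1472140000 10.0.0.5 GET www.example.org / 93.184.216.34
1472140010 10.0.0.5 GET www.msn.com / 204.79.197.203
1472140020 10.0.0.5 POST loremipsumdolorsitamet.pw / 104.238.131.117
1472140030 10.0.0.5 GET 185.141.25.64 /banner/1200.exe 185.141.25.64
1472140040 10.0.0.5 GET korats.com /Sunkats/images/tr_w.so 216.99.193.149
1472200000 10.0.0.9 GET www.msn.com / 204.79.197.203
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for ts, client, label, conf in find_hits(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client:<10} {conf:<4} {label}")
```

Run as-is, the script reports four hits for 10.0.0.5 (the msn.com check is kept because the C&C POST follows it ten seconds later) and nothing for 10.0.0.9, whose lone msn.com request is exactly the kind of benign traffic a flat IOC list would have flagged.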
FINAL NOTES: The above information is to provide Indicators of Compromise (IOC). Hope this helps. Again thanks to @CyberScimitar for his post infection analysis.
Tagged with: Dreambot , Smokebot