Month: January 2017

RIG-v at 194.87.144.170. EK Drops Dreambot.

IOCs:
88.214.225.168 – duckporno.com – Decoy site
80.77.82.42 – walterboroads.info – GET /rotation/hits? – Malicious redirect
194.87.144.170 – mail.mobildugun.com – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon
94.23.186.184 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – GET for external IP
Outbound ...

Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.

IOCs:
88.214.225.168 – amateur.duckporno.com – Compromised adult website
80.77.82.42 – sumterads.info – GET /rotation/hits?
92.53.97.168 – zag.2043kutahya.net – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/y/.avi
91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg
91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif
94.23.186.184 – GET /tor/t32.dll – Tor client
37.48.122.26 – curlmyip.net – GETs external IP of host
Outbound ...

Sundown EK using 40.69.68.179, Which is Assigned to Microsoft Corporation (MSFT).

Here is a picture of traffic collected during some of my investigations today: I didn’t think to look at the Whois information belonging to 40.69.68.179 until one of my friends, @Ledtech3, pointed this out: Checking the IP’s resolution history shows the first time a domain resolved to it was today, 01/25/17. All of the domains appear to ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
Sundown EK Traffic Run 1 (Traffic exported from SIEM): FlashPlayer.exe
Run 2: Sundown EK Traffic
Run 3: RIG-v EK Traffic
Run ...

Sundown EK: Pre-Landing Page.

IOCs:
93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
Traffic:
Hashes:
SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0 – File name: iedetector.js
SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b – File name: index2.php.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e – File name: 9643522803.swf
SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf – File name: 947545190441&id=257.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 – File name: 78493521.swf
Today I saw Sundown EK using a “pre-landing” page containing script pointing to JavaScript files via relative paths. File /trafficScript/iedetector.js contains ...

Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.

IOCs:
93.158.215.169 – fredomasearchdsd.top – RIG-v EK
186.2.163.47 – spora.biz – Spora ransomware domain
Traffic:
Hashes:
SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5 – File name: Landing Page.html
SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52 – File name: Flash Exploit.swf
SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911 – File name: radF0D46.tmp.exe
Hybrid-Analysis Report
Infection Chain:
I found a website with an iframe containing a URL for a RIG-v EK landing page: It doesn’t ...

EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber

IOCs:
93.190.143.82 – cfx.hvb.mobi – Sundown EK
93.190.143.82 – hxrheg.fve.mobi – Sundown EK
Cerber check-in traffic via UDP port 6892:
90.2.1.0/27
90.3.1.0/27
91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255)
162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page
162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page
HTTP Method and URIs:
GET ...

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs:
68.178.254.116 – westwoodenabler.com – Compromised website
92.53.120.233 – top.tbn1.us – RIG-v EK
91.121.244.84 – CryptoMix callback traffic
Traffic:
Hashes:
SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 – File name: RIG-v Flash Exploit.swf
SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 – File name: QTTYUADAF
SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c – File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe”
Hybrid-Analysis Report
Infection Chain:
The infection chain started off with me browsing to the compromised ...

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs:
138.128.171.35 – northcoastmed.com – Compromised website
178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain
92.53.120.233 – red.telco.news – RIG-v EK
200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky
188.127.239.53 – Locky post-infection traffic – POST /checkupdate
Traffic:
Hashes:
SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 – File name: northcoastmed.com.html
SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 – File name: dropname.syncroweb.com Afraidgate.js
SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b – File name: RIG-v Pre-Landing ...

Advertisement Domain Led to BossTDS, Which Redirected Host to RIG-v Exploit Kit at 92.53.120.207

IOCs:
92.53.120.207 – good.chronic.news – RIG-v EK
79.134.225.49 – hpservice.zapto.org – Post-infection traffic via TCP port 5044
DNS query for hpservice.zapto.org, response from authoritative NS:
nf1.no-ip.com
nf2.no-ip.com
nf3.no-ip.com
nf4.no-ip.com
Traffic:
Hashes:
SHA256: 7334e5f058f0ae9a0bbe073da49bb155255855705907ea84fa40098994ba3c27 – File name: Flash Exploit RIG-v.swf
SHA256: 51ce2615b3b0784f55d03d1ba3f77d13aaca40931c72df750b0e298edaf6e3c4 – File name: ETTYUADAF
SHA256: 01028a0702188f86b8c743cb3af891073df63310e4f3013ae7aeba0aee01e40e – File name: rad94DC8.tmp.exe, drivupdater.exe
Hybrid-Analysis Submission
Infection Chain:
I have ...