IOCs
- 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to thlnk3r who gave me the site)
- 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit
- 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us
- 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware
- 52.90.24.205 – gerber.gdn – POST /info.php – Post-infection traffic
DNS Queries:
- corpconor-daily.pw
- sorrycorpmail.site
Tor Traffic:
- 91.219.237.244 – 7houbwgmwbc5wyg2dz.com
- 178.62.22.36 – 6f44k7fi7cun.com
- 138.201.169.12 – rfkuhvuj2m.com
Hashes:
SHA256: 940f86837bf6c6420873e89fd3b925f0549a258e920fe51eb5f5b8b4953e3567
File name: RIG EK landing page 042117.txt
SHA256: 021e5a8ac070ff34aace3b1dbef6ee383f3dbf418c56efda6f4211eb75f0a482
File name: RIG EK Flash Exploit 042117.swf
SHA256: dc0a483dac2554b8c0682f39762762f79a48383e5f2cbf71238222137089a265
File name: o32.tmp
SHA256: 2875dcec3a20dbdff5baa8ac0b5135ac094f39f146840900252203993e3f64b8
File name: izz9290g.exe
Hybrid-Analysis Report
SHA256: 38ed182b79fd68482d97d4fe1b3c6749380fd989a4a332c6d1174bae23450fe9
File name: 115919.exe
Hybrid-Analysis Report
SHA256: 08166a3d90a2437444adf9d39ba7e5bc9c8cd579f54362e56681cea74bf6d664
File name: 115657.exe
Hybrid-Analysis Report
SHA256: 37c95a909836b641c11067384ebe50ac92a057a8f9fec150e6546c68b725d75f
File name: 16930.exe
Hybrid-Analysis Report
Analyzed Processes for izz9290g.exe:
EITest script found in compromised website:
The malware payload is dropped and executed in %Temp%. It also copies itself to %AppData%:
The secondary downloads are also dropped in %Temp%. The download locations come from the response to unisdr.top – GET /mail.index.php. For example:
We also see it create various folders and files in %AppData%:
Registry:
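Because the payload and its secondary downloads all land in %Temp% and %AppData%, a quick host-side check is to hash every executable in those two locations and compare against the SHA256 values listed above. The script below is an added example, not part of the original write-up: it walks the directories it is given (defaulting to the %TEMP% and %APPDATA% of the current user, an assumption on my part), reports any file whose hash is on the IOC list, and optionally also reports any recently modified .exe/.tmp so new, unlisted drops are not missed. `build_demo_tree` creates a constructed directory with a dummy file so the scanner can be exercised offline; the dummy's hash is not one of the page's IOCs.

```python
"""Hash executables in the drop directories used by this sample and compare
against the SHA256 IOCs from the write-up. Added example; not the author's code.
"""
import hashlib
import os
import tempfile
import time

# SHA256 values listed on this page
IOC_SHA256 = {
    "dc0a483dac2554b8c0682f39762762f79a48383e5f2cbf71238222137089a265",  # o32.tmp
    "2875dcec3a20dbdff5baa8ac0b5135ac094f39f146840900252203993e3f64b8",  # izz9290g.exe
    "38ed182b79fd68482d97d4fe1b3c6749380fd989a4a332c6d1174bae23450fe9",  # 115919.exe
    "08166a3d90a2437444adf9d39ba7e5bc9c8cd579f54362e56681cea74bf6d664",  # 115657.exe
    "37c95a909836b641c11067384ebe50ac92a057a8f9fec150e6546c68b725d75f",  # 16930.exe
}
# Extensions seen in the dropped files on this page (.tmp for o32.tmp, .exe for the rest)
DROP_EXTENSIONS = {".exe", ".tmp"}


def sha256_file(path):
    """Stream the file through SHA256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def default_dirs():
    """%TEMP% and %APPDATA% of the current user (assumption: run as the infected user)."""
    return [p for p in (os.environ.get("TEMP"), os.environ.get("APPDATA")) if p]


def scan_dirs(dirs, known_hashes=IOC_SHA256, max_age_seconds=None,
              extensions=DROP_EXTENSIONS):
    """Return a list of hits. A file is a hit if its SHA256 is in known_hashes,
    or, when max_age_seconds is set, if it is an executable modified that recently
    (catches renamed or repacked drops that are not yet on the IOC list)."""
    hits = []
    now = time.time()
    for root in dirs:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in extensions:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    digest = sha256_file(path)
                except OSError:  # locked or vanished file; skip, do not abort the sweep
                    continue
                known = digest in known_hashes
                recent = max_age_seconds is not None and (now - st.st_mtime) <= max_age_seconds
                if known or recent:
                    hits.append({"path": path, "sha256": digest,
                                 "known_ioc": known, "mtime": st.st_mtime})
    return hits


def build_demo_tree():
    """Constructed test fixture: a temp dir with one fake .exe, one ignored .txt.
    Returns (directory, sha256 of the fake .exe)."""
    base = tempfile.mkdtemp(prefix="drop-demo-")
    fake = os.path.join(base, "izz9290g.exe")
    with open(fake, "wb") as f:
        f.write(b"constructed placeholder, not the real sample")
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("ignored: not an executable extension")
    return base, sha256_file(fake)


if __name__ == "__main__":
    for hit in scan_dirs(default_dirs(), max_age_seconds=24 * 3600):
        flag = "IOC MATCH" if hit["known_ioc"] else "recent exe"
        print(f"{flag}: {hit['path']} {hit['sha256']}")
```

Run it with `max_age_seconds` set to cover the suspected infection window; anything flagged as a recent executable that is not on the list is a candidate to submit to Hybrid-Analysis and compare against the reports linked above.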
Rules Triggered by the IDS:
- ET DNS Query to a *.top domain – Likely Hostile
- ET DNS Query to a *.pw domain – Likely Hostile
- ET TROJAN Quant Loader Download Request
- ET INFO HTTP Request to a *.top domain
- ET TROJAN Generic – POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
- ET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download
- ET POLICY TLS possible TOR SSL traffic
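The same network IOCs can be run over DNS and HTTP logs directly, which is useful when the IDS was not watching the segment or when you want to backfill. The script below is an added example, not part of the original post: it takes the IPs and domains listed above plus the two TLD heuristics the ET rules fire on (*.top and *.pw queries) and applies them to Zeek-style tab-separated dns.log and http.log lines. The log lines are constructed for the demo; the assumed field order is ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, then query (dns.log) or method, host, uri (http.log).

```python
"""Match Zeek-style dns.log / http.log lines against the IOCs from this page.
Added example; the sample lines are constructed, not captured traffic."""

# Network IOCs listed above
IOC_IPS = {"199.116.248.108", "188.225.36.196", "52.90.24.205",
           "91.219.237.244", "178.62.22.36", "138.201.169.12"}
IOC_DOMAINS = {"saywitzproperties.com", "fds.japanbioenergy.org", "unisdr.top",
               "trackerhost.us", "gerber.gdn", "corpconor-daily.pw",
               "sorrycorpmail.site", "7houbwgmwbc5wyg2dz.com",
               "6f44k7fi7cun.com", "rfkuhvuj2m.com"}
# TLDs the "ET DNS Query to a *.top / *.pw domain" rules treat as likely hostile
SUSPECT_TLDS = {"top", "pw"}


def domain_matches(name):
    """Exact or subdomain match against the IOC domain list."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def suspect_tld(name):
    return name.rstrip(".").lower().rsplit(".", 1)[-1] in SUSPECT_TLDS


def check_dns(line):
    """Return the list of reasons a dns.log line is suspicious (empty if clean)."""
    f = line.rstrip("\n").split("\t")
    query = f[6]
    reasons = []
    if domain_matches(query):
        reasons.append("ioc-domain")
    if suspect_tld(query):
        reasons.append("suspect-tld")
    return reasons


def check_http(line):
    """Return the reasons an http.log line is suspicious. The last two checks mirror
    the 'Executable Retrieved' and 'POST To .php' ET rules in spirit only."""
    f = line.rstrip("\n").split("\t")
    resp_ip, method, host, uri = f[4], f[6], f[7], f[8]
    reasons = []
    if resp_ip in IOC_IPS:
        reasons.append("ioc-ip")
    if domain_matches(host):
        reasons.append("ioc-domain")
    if method == "GET" and uri.lower().endswith(".exe"):
        reasons.append("exe-download")
    if method == "POST" and uri.lower().endswith(".php"):
        reasons.append("post-to-php")
    return reasons


def scan(lines, checker):
    """Apply a checker to each line; return [(index, reasons)] for the hits."""
    hits = []
    for i, line in enumerate(lines):
        reasons = checker(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample logs (timestamps and uids are placeholders)
SAMPLE_DNS = [
    "1492759200.1\tC1\t10.0.0.5\t52345\t10.0.0.1\t53\tcorpconor-daily.pw",
    "1492759201.2\tC2\t10.0.0.5\t52346\t10.0.0.1\t53\tsorrycorpmail.site",
    "1492759202.3\tC3\t10.0.0.5\t52347\t10.0.0.1\t53\twww.example.com",
    "1492759203.4\tC4\t10.0.0.5\t52348\t10.0.0.1\t53\tupdates.somecdn.top",
]
SAMPLE_HTTP = [
    "1492759210.1\tC5\t10.0.0.5\t49152\t199.116.248.108\t80\tGET\tsaywitzproperties.com\t/",
    "1492759211.2\tC6\t10.0.0.5\t49153\t52.90.24.205\t80\tGET\ttrackerhost.us\t/drop/lsmk.exe",
    "1492759212.3\tC7\t10.0.0.5\t49154\t52.90.24.205\t80\tPOST\tgerber.gdn\t/info.php",
    "1492759213.4\tC8\t10.0.0.5\t49155\t93.184.216.34\t80\tGET\twww.example.com\t/index.html",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_DNS, check_dns):
        print("dns ", idx, why, SAMPLE_DNS[idx].split("\t")[6])
    for idx, why in scan(SAMPLE_HTTP, check_http):
        print("http", idx, why, SAMPLE_HTTP[idx].split("\t")[7:])
```

The TLD check fires on its own for the fourth DNS line, which is the same false-positive profile as the ET *.top rule; treat "suspect-tld" as a lead to pivot on, and the IP/domain matches as the actual IOC hits.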
The samples can be downloaded from the Hybrid-Analysis reports. I am also attaching the RIG EK landing page and Flash exploit. Password is “infected”.
Malicious Artifacts 042117.zip
Other References:
- http://www.broadanalysis.com/2017/04/18/rig-ek-from-92-53-104-104-delivers-quant-loader-ursnif-and-more/
- http://www.malware-traffic-analysis.net/2017/04/20/index.html
Until next time!