EITest Leads to RIG EK at 188.225.36.196 And Drops Quant Loader. Downloads ZLoader/Zbot.

IOCs

Traffic 1

  • 199.116.248.108 – saywitzproperties.com – Compromised website (shout-out to  who gave me the site)
  • 188.225.36.196 – fds.japanbioenergy.org – RIG Exploit Kit
  • 52.90.24.205 – unisdr.top – GET /mail.index.php – Response contains download locations for additional malware at trackerhost.us
  • 52.90.24.205 – trackerhost.us – GET /drop/lsmk.exe – Additional malware
  • 52.90.24.205 – gerber.gdn – POST / info.php – Post-infection traffic

DNS Queries:

  • corpconor-daily.pw
  • sorrycorpmail.site

Tor Traffic:

  • 91.219.237.244 – 7houbwgmwbc5wyg2dz.com
  • 178.62.22.36 – 6f44k7fi7cun.com
  • 138.201.169.12 – rfkuhvuj2m.com

Hashes:

SHA256: 940f86837bf6c6420873e89fd3b925f0549a258e920fe51eb5f5b8b4953e3567
File name: RIG EK landing page 042117.txt

SHA256: 021e5a8ac070ff34aace3b1dbef6ee383f3dbf418c56efda6f4211eb75f0a482
File name: RIG EK Flash Exploit 042117.swf

SHA256: dc0a483dac2554b8c0682f39762762f79a48383e5f2cbf71238222137089a265
File name: o32.tmp

SHA256: 2875dcec3a20dbdff5baa8ac0b5135ac094f39f146840900252203993e3f64b8
File name: izz9290g.exe
Hybrid-Analysis Report

SHA256: 38ed182b79fd68482d97d4fe1b3c6749380fd989a4a332c6d1174bae23450fe9
File name: 115919.exe
Hybrid-Analysis Report

SHA256: 08166a3d90a2437444adf9d39ba7e5bc9c8cd579f54362e56681cea74bf6d664
File name: 115657.exe
Hybrid-Analysis Report

SHA256: 37c95a909836b641c11067384ebe50ac92a057a8f9fec150e6546c68b725d75f
File name: 16930.exe
Hybrid-Analysis Report

Analyzed Processes for izz9290g.exe:

Processes

EITest script found in compromised website:

EITest script

The malware payload is dropped and executed in %Temp%. It also copies itself to %AppData%:

You can also see the secondary downloads are dropped in %Temp% as well. Instructions for the secondary downloads are found in unisdr.top – GET /mail.index.php. For example:

GET

We also see it create various folders and files in %AppData%:

Registry:

Rules Triggered by the IDS:

  • ET DNS Query to a *.top domain – Likely Hostile
  • ET DNS Query to a *.pw domain – Likely Hostile
  • ET TROJAN Quant Loader Download Request
  • ET INFO HTTP Request to a *.top domain
  • ET TROJAN Generic – POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
  • ET INFO Executable Retrieved With Minimal HTTP Headers – Potential Second Stage Download
  • ET POLICY TLS possible TOR SSL traffic

The samples can be downloaded from the Hybrid-Analysis reports. I am also attaching the RIG EK landing page and Flash exploit. Password is “infected”.

Malicious Artifacts 042117.zip

Other References:

Until next time!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: