Originally posted at malwarebreakdown.com
I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write-up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October, 2017, and started to resurface in late February, 2018. This is evidenced by a recent Twitter post from MrHazumhad which showed an infection chain that led to RIG EK delivering Bunitu. I decided to poke around and see what I would get. Let’s look at the HTTP traffic:
The victim’s host, who would have been redirected to a decoy site through malvertising, would then make a GET request for /click.php. Script found in page source:
click.php returned the following:
After running this, we see a redirect to jhghvhbi3999[.]info GET /banners/advertising, which returns the pre-landing page:
The pre-landing page, having filtered out unwanted traffic, redirects to the RIG EK landing page. RIG EK then delivered the Bunitu proxy Trojan. Hasherezade posted a really good write-up on the Bunitu Trojan called “Revisiting The Bunitu Trojan”.
The malware payload delivered to %Temp%:
We then see b38.exe detonated (PID: 1856) and setting the following registry keys:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Impersonate
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Asynchronous
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\MaxWait
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\DllName
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Startup
b38.exe (PID: 1856) creates umnixwo.dll in %LocalAppData%:
Process b38.exe (PID: 1856) then sets autostart registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\umnixwo:
Process b38.exe (PID: 1856) sets registry key HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe to try and bypass the firewall via the Authorized Applications list.
Process b38.exe (PID: 1856) sets registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet and AutoDetect
Process b38.exe (PID: 1856) creates process rundll32.exe (PID: 3212)
Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3052)
Process rundll32.exe (PID: 3212) loads file C:\Users\[username]\AppData\Local\umnixwo.dll as a module
Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3568)
Process svchost.exe sets registry key HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules to allow traffic inbound and outbound:
After netsh.exe (PIDs 3568 and 3052) and b38.exe (PID: 1856) terminate their own processes, we see rundll32.exe start sending TCP traffic to 216.58.206.79 over port 443.
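The host behaviour above (a new Winlogon\Notify package, a Run key written by a binary dropped in a user-writable directory, firewall allow-list tampering that names rundll32.exe, and rundll32.exe loading a DLL from %LocalAppData% before connecting out) is the kind of chain an endpoint detection rule can key on. The following Python detector is an added example, not code from the original post or from any EDR product: the pipe-separated event lines, PIDs and file paths are constructed to mirror the sequence described in the write-up (only the 216.58.206.79:443 endpoint is taken from the post), and the rule names are my own.

```python
"""Detection logic over constructed host-telemetry events modelled on the
Bunitu persistence/evasion chain described in the write-up (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not a real capture). One event per line:
# event_type|pid|image_of_acting_process|detail (registry key, DLL path, or endpoint)
SAMPLE_EVENTS = r"""
reg_set|1856|C:\Users\victim\AppData\Local\Temp\b38.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\DllName
reg_set|1856|C:\Users\victim\AppData\Local\Temp\b38.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\umnixwo
reg_set|1856|C:\Users\victim\AppData\Local\Temp\b38.exe|HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe
proc_create|1856|C:\Users\victim\AppData\Local\Temp\b38.exe|C:\Windows\system32\netsh.exe
image_load|3212|C:\Windows\system32\rundll32.exe|C:\Users\victim\AppData\Local\umnixwo.dll
net_connect|3212|C:\Windows\system32\rundll32.exe|216.58.206.79:443
reg_set|4000|C:\Program Files\Vendor\setup.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater
image_load|5000|C:\Windows\system32\rundll32.exe|C:\Windows\system32\shell32.dll
"""

# Paths under the user profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
# Winlogon notification packages are a legacy load point; new entries are rare and worth an alert.
WINLOGON_NOTIFY = re.compile(r"\\Winlogon\\Notify\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Both the per-profile Authorized Applications list and the newer FirewallRules store.
FIREWALL_ALLOW = re.compile(
    r"\\FirewallPolicy\\.*(AuthorizedApplications\\List|FirewallRules)", re.IGNORECASE)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)

Event = Dict[str, object]
Finding = Tuple[str, int, str]  # (rule name, pid, detail)


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-separated telemetry format used by the constructed sample."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        etype, pid, image, detail = line.split("|", 3)
        events.append({"type": etype, "pid": int(pid), "image": image, "detail": detail})
    return events


def detect(events: List[Event]) -> List[Finding]:
    """Apply the persistence/evasion rules in event order and return the hits."""
    findings: List[Finding] = []
    # rundll32 instances that pulled a DLL from a user-writable directory; a later
    # outbound connection from one of them is the last link in the chain.
    tainted_rundll32 = set()
    for e in events:
        etype, detail, image, pid = e["type"], str(e["detail"]), str(e["image"]), int(e["pid"])
        if etype == "reg_set":
            if WINLOGON_NOTIFY.search(detail):
                findings.append(("winlogon_notify_package", pid, detail))
            elif RUN_KEY.search(detail) and USER_WRITABLE.search(image):
                # A vendor installer under Program Files writing a Run key is not flagged.
                findings.append(("run_key_from_user_writable_image", pid, detail))
            elif FIREWALL_ALLOW.search(detail) and (
                    "rundll32.exe" in detail.lower() or USER_WRITABLE.search(image)):
                findings.append(("firewall_allowlist_tamper", pid, detail))
        elif etype == "image_load" and RUNDLL32.search(image) and USER_WRITABLE.search(detail):
            tainted_rundll32.add(pid)
            findings.append(("rundll32_loads_user_dll", pid, detail))
        elif etype == "net_connect" and pid in tainted_rundll32:
            findings.append(("tainted_rundll32_outbound", pid, detail))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:36s} pid={pid:<5d} {detail}")
```

The benign `setup.exe` Run key and the `shell32.dll` load in the sample are there to show the rules discriminate on the writing process's location and the DLL's location rather than on the key name alone; in a real deployment the same rules would sit on Sysmon event IDs 7, 13 and 3 rather than on this constructed format.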
Network-Based IOCs
HTTP Traffic:
80.77.82.41 – jhghvhbi3999.info GET – /banners/advertising – Pre-Landing Page
176.57.220.137 – GET and POST – RIG EK IP-Literal Hostname
DNS Queries and Responses:
n.paratozix.net – 63.23.10.118
k.paratozix.net – 4.171.174.235
Bunitu Proxy C2 Registration 1:
216.58.206.79:443
62.212.66.85:443
Hashes
SHA256: 707cf01d533ca6a55a4f5af731fadc0546b0c0eb2a00bbaa72a9b592e35f14cb
File name: pre-landing page.txt
SHA256: b26af34ef2e357987a98b1142cf37324f15453b58f876634921fce4737f610c9
File name: RIG EK landing page.txt
SHA256: 22dc4e02126eceafbab0fa9c1dc4d0b60dd83e92effc413bac23b59e01b626fe
File name: RIG EK Flash exploit.swf
SHA256: ea682caa37257a53a7ab0787cfb67859ca9dcf1bf0488e5cb19759edbfcb79b6
File name: b38.exe
Hybrid-Analysis Report
SHA256: 4e7c45d75fae01aaa499917135781c4fde74515679a6c8d12bdea6db3548c85c
File name: umnixwo.dll
Hybrid-Analysis Report
Samples
password is “infected”