Keitaro TDS Leads to RIG-v EK at 188.225.36.231

IOCs:
188.225.36.231 – hand.stayatsouthpadre.com – RIG-v EK
31.11.32.225 – www pivesso.us – GET /Img/Gif/oni64.gif – Tor client
37.48.122.26 – curlmyip.net – Used for host IP lookup
Post-infection Tor traffic going over TCP port 9001 – ET POLICY TLS possible TOR SSL traffic
DNS Queries:
resolver1.opendns.com – ET POLICY OpenDNS IP Lookup
222.222.67.208.in-addr.arpa
myip.opendns.com
Traffic:
Hashes:
SHA256: 0c1b3a0131c98032141d2315902b546bd926d5d4365628dafbbfca165f934f12 ...

Decoy Site Leads to RIG-v EK at 194.87.237.240. Post-Infection Traffic: Ursnif Variant Dreambot.

IOCs:
88.214.225.168 – duckporno.com – Decoy site
80.77.82.42 – bethanyads.info – GET /rotation/hits? – Fake ad server
194.87.237.240 – sell.underinsuredinamerica.com – RIG-v EK
Post-Infection Traffic:
89.223.31.51 – GET /images/[truncated]/f2NJW2/.avi – ET TROJAN Ursnif Variant CnC Beacon
89.223.31.51 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – GET for external IP
Outbound ...

EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware

IOCs:
212.166.71.52 – blog.masmovil.es – Compromised website
194.87.145.225 – sound.formpools.co – RIG-v EK
45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback
Traffic:
Hashes:
SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449 – File name: EITest RIG-v EK Flash Exploit.swf
SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650 – File name: QTTYUADAF
SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb – File name: rad871F7.tmp.exe and SmartScreen.exe
Hybrid-Analysis Report
Infection Chain:
I want to give a shout-out to @FreeBSDfan for ...

BossTDS and Exploit Kits

Download the Appendix – bosstds-and-exploit-kits.xlsx
Appendix A – DNS resolutions for 188.68.252.146.
Appendix B – Advertisement page Whois information.
Appendix C – Host pairs.
Appendix D – Summary of investigations: IPs, domains, redirection methods, EKs, hashes.
Appendix E – BossTDS Whois information.
Appendix F – Additional IP Whois information.
BossTDS Capabilities
Traffic control software, like BossTDS, offers users highly ...

RIG-v at 194.87.144.170. EK Drops Dreambot.

IOCs:
88.214.225.168 – duckporno.com – Decoy site
80.77.82.42 – walterboroads.info – GET /rotation/hits? – Malicious redirect
194.87.144.170 – mail.mobildugun.com – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon
94.23.186.184 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download
37.48.122.26 – curlmyip.net – GET for external IP
Outbound ...

Iframe Redirects Host to RIG-v EK at 92.53.97.168. TOR Client and Ursnif Variant Dreambot.

IOCs:
88.214.225.168 – amateur.duckporno.com – Compromised adult website
80.77.82.42 – sumterads.info – GET /rotation/hits?
92.53.97.168 – zag.2043kutahya.net – RIG-v EK
Post-Infection Traffic:
94.23.186.184 – GET /images/[truncated]/y/.avi
91.228.166.47 – nod32.com – GET /images/[truncated]/zpyxRby.jpeg
91.228.166.47 – nod32.com – GET /images/[truncated]/K04.gif
94.23.186.184 – GET /tor/t32.dll – Tor client
37.48.122.26 – curlmyip.net – GETs external IP of host
Outbound ...
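The Dreambot chains in the four posts above (Keitaro TDS to RIG-v with a Tor client, and the three duckporno.com decoy chains) all end with the same post-infection traffic: a CnC beacon under /images/ whose basename is a bare ".avi", a GET for /tor/t32.dll or /tor/t64.dll, an external IP lookup against curlmyip.net (or myip.opendns.com in the Keitaro post), and Tor traffic on TCP port 9001. The script below is an added example, not code from this blog: it turns those IOCs into regexes and runs them over proxy log lines. The log layout ("timestamp src dst dport method host path"), the sample lines, the 10.0.0.x client addresses, the 198.51.100.7 Tor guard and the middle path segments (which the posts truncate) are all constructed for the example; only the page's own IPs, hosts and file names are real indicators.

```python
import re
from collections import defaultdict

# Post-infection patterns from the IOC lists on this page.  The beacon
# paths are truncated in the posts, so the regex accepts any segments
# between "/images/" and the bare "/.avi" basename.
PATTERNS = {
    "dreambot_cnc_beacon": ("url", re.compile(r"^/images/.+/\.avi$")),
    "tor_module_download": ("url", re.compile(r"^/tor/t(32|64)\.dll$")),
    "external_ip_lookup": ("host", re.compile(r"^(curlmyip\.net|myip\.opendns\.com)$", re.I)),
    "tor_port_9001": ("dport", re.compile(r"^9001$")),
}

# Assumed proxy log layout (constructed for this example, not from the page):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <method> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<method>\S+) (?P<host>\S+) (?P<url>\S+)$"
)

# Constructed sample log.  10.0.0.5 reproduces the chain from the posts
# ("constructed" stands in for the truncated path segment); 10.0.0.9 only
# looks up its external IP, which many legitimate tools also do; 10.0.0.7
# fetches an ordinary image.
SAMPLE_LOG = [
    "2017-01-25T10:00:01Z 10.0.0.5 89.223.31.51 80 GET 89.223.31.51 /images/constructed/f2NJW2/.avi",
    "2017-01-25T10:00:03Z 10.0.0.5 89.223.31.51 80 GET 89.223.31.51 /tor/t64.dll",
    "2017-01-25T10:00:05Z 10.0.0.5 37.48.122.26 80 GET curlmyip.net /",
    "2017-01-25T10:00:09Z 10.0.0.5 198.51.100.7 9001 CONNECT 198.51.100.7 -",
    "2017-01-25T10:01:00Z 10.0.0.9 37.48.122.26 80 GET curlmyip.net /",
    "2017-01-25T10:01:30Z 10.0.0.7 203.0.113.10 80 GET www.example.com /images/logo.png",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_line(rec):
    """Names of every pattern that fires on one parsed record."""
    return [name for name, (field, rx) in PATTERNS.items() if rx.search(rec[field])]


def scan(lines):
    """Map each source IP to the (pattern, dst, url) hits seen for it."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name in match_line(rec):
            hits[rec["src"]].append((name, rec["dst"], rec["url"]))
    return hits


def triage(lines, min_families=2):
    """Hosts showing at least min_families distinct pattern families.

    A lone external IP lookup is weak evidence on its own, so the default
    requires two families before a host is reported; the full chain from
    the posts scores four.
    """
    result = {}
    for src, host_hits in scan(lines).items():
        families = sorted({name for name, _, _ in host_hits})
        if len(families) >= min_families:
            result[src] = families
    return result


if __name__ == "__main__":
    for src, families in triage(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(families)}")
```

The beacon regex deliberately keys on the odd "/.avi" basename rather than on "/images/" alone, which would fire on ordinary web traffic; the other image-named beacons in this post (the .jpeg and .gif under nod32.com) are left to the IP and host indicators, since their paths are not distinctive enough to match by shape.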

Sundown EK using 40.69.68.179, Which is Assigned to Microsoft Corporation (MSFT).

Here is a picture of traffic collected during some of my investigations today: I didn’t think to look at the Whois information belonging to 40.69.68.179 until one of my friends, @Ledtech3, pointed this out: Checking the IP’s resolution history shows the first time a domain resolved to it was today, 01/25/17. All of the domains appear to ...

Keitaro TDS Used to Redirect Hosts to Sundown EK and RIG-v EK.

IOCs:
88.99.41.189 – qj.fse.mobi – Sundown EK
86.106.131.137 – badboys.net.in – Delivering FlashPlayer.exe – Ursnif variant #dreambot
93.190.143.82 – mhn.jku.mobi – Sundown EK
93.190.143.82 – nso.fzo.mobi – Sundown EK
93.158.215.169 – domainfilsdomainc.study – RIG-v EK
Sundown EK Traffic
Run 1 (Traffic exported from SIEM):
FlashPlayer.exe
Run 2: Sundown EK Traffic
Run 3: RIG-v EK Traffic
Run ...

Sundown EK: Pre-Landing Page.

IOCs:
93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
Traffic:
Hashes:
SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0 – File name: iedetector.js
SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b – File name: index2.php.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e – File name: 9643522803.swf
SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf – File name: 947545190441&id=257.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6 – File name: 78493521.swf
Today I saw Sundown EK using a “pre-landing” page containing script pointing to JavaScript files via relative paths. File /trafficScript/iedetector.js contains ...

Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.

IOCs:
93.158.215.169 – fredomasearchdsd.top – RIG-v EK
186.2.163.47 – spora.biz – Spora ransomware domain
Traffic:
Hashes:
SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5 – File name: Landing Page.html
SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52 – File name: Flash Exploit.swf
SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911 – File name: radF0D46.tmp.exe
Hybrid-Analysis Report
Infection Chain:
I found a website with an iframe containing a URL for a RIG-v EK landing page: It doesn’t ...
