# 2017-04-25 - "GOOD MAN" CAMPAIGN RIG EK SENDS LATENTBOT

**malware-traffic-analysis.net/2017/04/25/index.html**

ASSOCIATED FILES:

- ZIP archive of the pcap: 2017-04-25-Good-man-campaign-Rig-EK-sendsLatentbot.pcap.zip 1.1 MB (1,074,308 bytes)
  - 2017-04-25-Good-man-campaign-Rig-EK-sends-Latentbot.pcap (1,145,861 bytes)
- ZIP archive of the malware: 2017-04-25-Good-man-campaign-Rig-EK-sendsLatentbot-malware-and-artifacts.zip 319 kB (318,558 bytes)
  - 2017-04-25-Goodma-campaign-Rig-EK-payload-Latentbot.exe (312,832 bytes)
  - 2017-04-25-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
  - 2017-04-25-Rig-EK-flash-exploit.swf (16,428 bytes)
  - 2017-04-25-Rig-EK-landing-page.txt (117,853 bytes)
  - 2017-04-25-page-from-hurtmehard.net-with-injected-script-for-Rig-EK-landingpage.txt (54,882 bytes)

BACKGROUND ON THE "GOOD MAN" CAMPAIGN:

- "Good Man" domains used as gates in this campaign all have a registrant email of: goodmandilaltain@gmail.com
- Hurtmehard.net is one of the "Good Man" domains.
- A background on this campaign was posted on 2017-03-10 by Malware Breakdown in the article: [Finding A 'Good Man'.](https://malwarebreakdown.com/2017/03/10/finding-a-good-man/)

BACKGROUND ON LATENTBOT:

- Although post-infection traffic triggers alerts for the GrayBird Trojan on the EmergingThreats ruleset, more recent variants have been dubbed "Latentbot".
- FireEye wrote an analysis of Latentbot at: [LATENTBOT: Trace Me If You Can](https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html)
- I've documented this malware before in 2016 ([link](http://malware-traffic-analysis.net/2016/08/26/index.html)), and so has Broadanalysis.com ([link](http://www.broadanalysis.com/2016/10/26/rig-exploit-kit-via-EITest-delivers-latentbot/)).

-----

_Shown above: Flowchart for this infection traffic._

## TRAFFIC

_Shown above: Injected script in a page from the "Good Man" domain._

-----

_Shown above: Pcap of the infection traffic filtered in Wireshark._

ASSOCIATED DOMAINS:

- hurtmehard.net - "Good Man" gate
- 188.225.72.88 port 80 - end.chaggama.com - Rig EK
- 37.72.175.221 port 80 - 37.72.175.221 - Latentbot post-infection traffic

## FILE HASHES

FLASH EXPLOIT:

- SHA256 hash: 9d56d491f0fca9a16daeb0ce5ef6ba96206fea93b5b12f42c442aa10a0d487ea
- File size: 16,428 bytes
- File description: Rig EK flash exploit seen on 2017-04-25

PAYLOAD (LATENTBOT):

- SHA256 hash: 092fd4caf46ec36e07fdc9c8b156ce05cda0fb2abd7c49ba8dddfe8ac6cdbb67
- File size: 312,832 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe
- File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\mxcyvqu.exe

## IMAGES

-----

_Shown above: Latentbot malware made persistent on the infected Windows host._

-----

_Shown above: Some alerts on the traffic from the [Emerging Threats and ETPRO rulesets](http://docs.emergingthreats.net/bin/view/Main/WebSearch) using [Sguil on Security Onion](https://securityonion.net/)._

-----

_Shown above: Some alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the [Snort Subscription ruleset](https://snort.org/downloads/#rule-downloads)._

## FINAL NOTES

Once again, here are the associated files:

- ZIP archive of the pcap: 2017-04-25-Good-man-campaign-Rig-EK-sendsLatentbot.pcap.zip 1.1 MB (1,074,308 bytes)
- ZIP archive of the malware:
2017-04-25-Good-man-campaign-Rig-EK-sendsLatentbot-malware-and-artifacts.zip 319 kB (318,558 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
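As an added example (not malware-traffic-analysis.net's own tooling), the script below turns the indicators listed on this page into a small check a defender can run over their own logs: it matches Zeek-style http.log lines against the "Good Man" gate, the Rig EK domain and IP, and the Latentbot post-infection address, and checks files against the two SHA256 hashes and the mxcyvqu.exe persistence path. The log lines, the victim address 10.4.25.101, the placeholder server addresses 203.0.113.10 and 93.184.216.34, and the file contents are constructed for the example; only the domains, IPs, hashes, sizes and file paths come from the page.

```python
"""Match constructed log lines and file records against the indicators on this page.

Added example, not the page's or the site's own code. Log lines, the victim address and
the file bytes are constructed; the indicator values are the ones listed on the page.
"""
import hashlib
import re

# Network indicators from ASSOCIATED DOMAINS: indicator -> role given on the page.
NETWORK_IOCS = {
    "hurtmehard.net": '"Good Man" gate',
    "188.225.72.88": "Rig EK",
    "end.chaggama.com": "Rig EK",
    "37.72.175.221": "Latentbot post-infection traffic",
}

# File indicators from FILE HASHES: SHA256 -> (description, size in bytes).
FILE_IOCS = {
    "9d56d491f0fca9a16daeb0ce5ef6ba96206fea93b5b12f42c442aa10a0d487ea": ("Rig EK flash exploit", 16428),
    "092fd4caf46ec36e07fdc9c8b156ce05cda0fb2abd7c49ba8dddfe8ac6cdbb67": ("Latentbot payload", 312832),
}

# Persistence location from the page; the user name segment varies per host.
PERSIST_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Microsoft\\Windows\\mxcyvqu\.exe$", re.IGNORECASE
)

# Constructed Zeek-style http.log lines, tab separated and reduced to the columns used here:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, host, uri. 10.4.25.101 is the assumed
# victim; 203.0.113.10 and 93.184.216.34 are placeholder server addresses, not from the page.
SAMPLE_HTTP_LOG = [
    "1493164800.000000\tC1\t10.4.25.101\t49231\t203.0.113.10\t80\thurtmehard.net\t/",
    "1493164801.500000\tC2\t10.4.25.101\t49232\t188.225.72.88\t80\tend.chaggama.com\t/",
    "1493164802.000000\tC3\t10.4.25.101\t49233\t93.184.216.34\t80\texample.com\t/index.html",
    "1493164830.000000\tC4\t10.4.25.101\t49234\t37.72.175.221\t80\t37.72.175.221\t/",
    "malformed line with too few fields",
]


def parse_http_line(line):
    """Split one log line into the fields we match on; None for short or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    return {"ts": fields[0], "src": fields[2], "dst": fields[4], "host": fields[6], "uri": fields[7]}


def match_http(lines):
    """Return (ts, src, indicator, role) for each line whose Host header or server IP
    is one of the page's network indicators (one hit per line)."""
    hits = []
    for line in lines:
        rec = parse_http_line(line)
        if rec is None:
            continue
        for key in (rec["host"].lower(), rec["dst"]):
            if key in NETWORK_IOCS:
                hits.append((rec["ts"], rec["src"], key, NETWORK_IOCS[key]))
                break
    return hits


def match_file(path, data):
    """Check a file's bytes against the page's hash list and its path against the
    persistence location. Returns the list of reasons it matched (empty if none)."""
    reasons = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in FILE_IOCS:
        desc, size = FILE_IOCS[digest]
        reasons.append(f"sha256 matches {desc} ({size} bytes)")
    if PERSIST_RE.match(path):
        reasons.append("path matches Latentbot persistence location")
    return reasons


if __name__ == "__main__":
    for hit in match_http(SAMPLE_HTTP_LOG):
        print("http hit:", hit)
    # Constructed bytes: the real payload is not embedded here, so only the path can match.
    print(match_file(r"C:\Users\alice\AppData\Local\Microsoft\Windows\mxcyvqu.exe", b"constructed placeholder"))
```

The Host header is matched as well as the server IP because the page lists the Rig EK domain and its IP separately, and the Latentbot traffic goes straight to the IP with no hostname. The hash check is exact and size is reported only for context; a renamed or repacked copy of the payload would need the ET/Snort traffic signatures shown above rather than a hash lookup.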