# 2017-05-09 - RIG EK SENDS BUNITU TROJAN **malware-traffic-analysis.net/2017/05/09/index.html** ASSOCIATED FILES: [Zip archive of the email and malware: 2017-05-09-Rig-EK-sends-Bunitu.pcap.zip 462](http://malware-traffic-analysis.net/2017/05/09/2017-05-09-Rig-EK-sends-Bunitu.pcap.zip) kB (462,078 bytes) 2017-05-09-Rig-EK-sends-Bunitu.pcap (554,307 bytes) [Zip archive of the malware: 2017-05-09-Rig-EK-sends-Bunitu-artifacts.zip 247 kB](http://malware-traffic-analysis.net/2017/05/09/2017-05-09-Rig-EK-sends-Bunitu-artifacts.zip) (246,889 bytes) 2017-05-09-Rig-EK-artifact-o32.tmp.txt (1,141 bytes) 2017-05-09-Rig-EK-flash-exploit.swf (16,500 bytes) 2017-05-09-Rig-EK-landing-page.txt (118,254 bytes) 2017-05-09-Rig-EK-payload.exe (172,512 bytes) 2017-05-09-slotdown.info.txt (59,757 bytes) 2017-05-09-slotdown3.info-1945.txt (578 bytes) airzaxz.dll (26,624 bytes) NOTES: [I generated traffic baseed on a blog post by @Zerophage1337 about Rig EK (link)](https://twitter.com/Zerophage1337) because I wanted to catch the Rig EK malware payload. [The Rig EK payload seems to be Bunitu based on the post-infection traffic.](https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/) [This is similar to a post from Zerophage on 2017-03-20 and appears to be the same](https://zerophagemalware.com/2017/03/20/rig-ek-delivers-bunitu-proxy-trojan/) campaign. ----- _Shown above: Tweet by @Zerophage1337 about this activity._ ## TRAFFIC _Shown above: Script in possible gate leading to the next step._ ----- _Shown above: Script leading to Rig EK landing page._ _Shown above: Traffic from the infection filtered in Wireshark._ ASSOCIATED DOMAINS: 78.46.232.211 port 80 - slotdown.info - GET / What appears to 78.46.232.211 port 80 - slotdown3.info - GET /1945/? 109.234.36.216 port 80 - free.420native.org - Rig EK 209.85.144.100 port 443 - encrypted/encoded post-infection traffic 85.25.110.235 port 443 - encrypted/encoded post-infection traffic 217.118.19.171 port 443 - encrypted/encoded post-infection traffic 96.44.144.181 port 443 - encrypted/encoded post-infection traffic DNS query for b.trabiudsfaum.net - resolved to 84.218.38.200 but no follow-up traffic DNS query for l.trabiudsfaum.net - resolved to 216.181.91.136 but no follow-up traffic ----- ICMP ping requests to 52.173.193.166 but no response ## FILE HASHES RIG EK FLASH EXPLOIT: SHA256 hash: 81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1 File size: 16,500 bytes RIG EK PAYLOAD (BUNITU): SHA256 hash: b27b370597fc8155f518dbc07f188c30ebc8e1d210f181acaf36ddb20714d64e File location: C:\Users\[Username]\AppData\Local\Temp\[random characters].exe File size: 172,512 bytes ARTIFACT FROM THE INFECTED HOST: SHA256 hash: 43be87120cbd555dc926becbe92fd7a0b2a43d1dd0418b3184d59c676c81eaf6 File location: C:\Users\[Username]\AppData\Local\airzaxz.dll File size: 26,624 bytes _Shown above: Malware persistent on the infected Windows host._ ## IMAGES _[Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets](http://docs.emergingthreats.net/bin/view/Main/WebSearch)_ _[using Sguil and tcpreplay on Security Onion.](https://securityonion.net/)_ ----- _Shown above: Escalating the Bunitu events reveals individual IP addresses that were_ _contacted._ _Shown above: Alerts from the_ _[Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7.](http://snort.org/talos)_ ## FINAL NOTES Once again, here are the associated files: [Zip archive of the email and malware: 2017-05-09-Rig-EK-sends-Bunitu.pcap.zip 462](http://malware-traffic-analysis.net/2017/05/09/2017-05-09-Rig-EK-sends-Bunitu.pcap.zip) kB (462,078 bytes) [Zip archive of the malware: 2017-05-09-Rig-EK-sends-Bunitu-artifacts.zip 247 kB](http://malware-traffic-analysis.net/2017/05/09/2017-05-09-Rig-EK-sends-Bunitu-artifacts.zip) (246,889 bytes) ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website. [Click here to return to the main page.](http://malware-traffic-analysis.net/index.html) -----