Malware-Traffic-Analysis.net - 2017-04-25 - "Good Man" campaign Rig EK sends Latentbot

NOTICE: The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap.zip   1.1 MB (1,074,308 bytes)
    2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap   (1,145,861 bytes)
2017-04-25-Good-Man-campaign-Rig-EK-and-Latentbot-malware-and-artifacts.zip   319.6 kB (319,550 bytes)
    2017-04-25-Goodma-campaign-Rig-EK-payload-Latentbot.exe   (312,832 bytes)
    2017-04-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
    2017-04-25-Rig-EK-flash-exploit.swf   (16,428 bytes)
    2017-04-25-Rig-EK-landing-page.txt   (117,853 bytes)
    2017-04-25-page-from-hurtmehard_net-with-injected-script-for-Rig-EK-landing-page.txt   (54,882 bytes)

BACKGROUND ON THE "GOOD MAN" CAMPAIGN:

"Good Man" domains used as gates in this campaign all have a registrant email of: goodmandilaltain@gmail[.]com
Hurtmehard[.]net is one of the "Good Man" domains.
Background on this campaign was posted on 2017-03-10 on the Malware Breakdown site in an article titled "Finding A 'Good Man'" (Internet Archive link).

BACKGROUND ON LATENTBOT:

Although post-infection traffic triggers alerts for the GrayBird Trojan on the EmergingThreats ruleset, more recent variants have been dubbed "Latentbot." FireEye published an analysis of Latentbot named "LATENTBOT: Trace Me If You Can."

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in a page from the "Good Man" domain.

Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:

hurtmehard[.]net - "Good Man" gate
188.225.72[.]88 port 80 - end.chaggama[.]com - Rig EK
37.72.175[.]221 port 80 - 37.72.175[.]221 - Latentbot post-infection traffic

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 9d56d491f0fca9a16daeb0ce5ef6ba96206fea93b5b12f42c442aa10a0d487ea
File size: 16,428 bytes
File description: Rig EK flash exploit seen on 2017-04-25

PAYLOAD (LATENTBOT):

SHA256 hash: 092fd4caf46ec36e07fdc9c8b156ce05cda0fb2abd7c49ba8dddfe8ac6cdbb67
File size: 312,832 bytes
File location: C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\mxcyvqu.exe

IMAGES

Shown above: Latentbot malware made persistent on the infected Windows host.

Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

Shown above: Some alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscription ruleset.

Source: http://malware-traffic-analysis.net/2017/04/25/index.html