Malware-Traffic-Analysis.net - 2017-05-09 - Rig EK sends Bunitu Archived: 2026-04-05 21:21:03 UTC NOTICE: The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website. ASSOCIATED FILES: 2017-05-09-Rig-EK-sends-Bunitu.pcap.zip   462.1 kB (462,078 bytes) 2017-05-09-Rig-EK-sends-Bunitu.pcap   (554,307 bytes) 2017-05-09-Rig-EK-and-Bunitu-malware-and-artifacts.zip   247.8 kB (247,833 bytes) 2017-05-09-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes) 2017-05-09-Rig-EK-flash-exploit.swf   (16,500 bytes) 2017-05-09-Rig-EK-landing-page.txt   (118,254 bytes) 2017-05-09-Rig-EK-payload.exe   (172,512 bytes) 2017-05-09-slotdown_info.txt   (59,757 bytes) 2017-05-09-slotdown3_info-1945.txt   (578 bytes) airzaxz.dll   (26,624 bytes) NOTES: I generated traffic baseed on a blog post by @Zerophage1337 about Rig EK (link) because I wanted to catch the Rig EK malware payload. The Rig EK payload seems to be Bunitu based on the post-infection traffic. This is similar to a post from Zerophage on 2017-03-20 and appears to be the same campaign. http://malware-traffic-analysis.net/2017/05/09/index.html Page 1 of 5 Shown above:  Tweet by @Zerophage1337 about this activity. TRAFFIC Shown above:  Script in possible gate leading to the next step. http://malware-traffic-analysis.net/2017/05/09/index.html Page 2 of 5 Shown above:  Script leading to Rig EK landing page. Shown above:  Traffic from the infection filtered in Wireshark. ASSOCIATED DOMAINS: 78.46.232[.]211 port 80 - slotdown[.]info - GET /   What appears to 78.46.232[.]211 port 80 - slotdown3[.]info - GET /1945/? 109.234.36[.]216 port 80 - free.420native[.]org - Rig EK 209.85.144[.]100 port 443 - encrypted/encoded post-infection traffic 85.25.110[.]235 port 443 - encrypted/encoded post-infection traffic 217.118.19[.]171 port 443 - encrypted/encoded post-infection traffic 96.44.144[.]181 port 443 - encrypted/encoded post-infection traffic DNS query for b.trabiudsfaum[.]net - resolved to 84.218.38[.]200 but no follow-up traffic DNS query for l.trabiudsfaum[.]net - resolved to 216.181.91[.]136 but no follow-up traffic http://malware-traffic-analysis.net/2017/05/09/index.html Page 3 of 5 ICMP ping requests to 52.173.193[.]166 but no response FILE HASHES RIG EK FLASH EXPLOIT: SHA256 hash:  81549d2ea47649a750bd4fc6e7be0b971c3fc6711a31af2f77ba437218ff63d1 File size:  16,500 bytes RIG EK PAYLOAD (BUNITU): SHA256 hash:  b27b370597fc8155f518dbc07f188c30ebc8e1d210f181acaf36ddb20714d64e File location:  C:\Users\[Username]\AppData\Local\Temp\[random characters].exe File size:  172,512 bytes ARTIFACT FROM THE INFECTED HOST: SHA256 hash:  43be87120cbd555dc926becbe92fd7a0b2a43d1dd0418b3184d59c676c81eaf6 File location:  C:\Users\[Username]\AppData\Local\airzaxz.dll File size:  26,624 bytes Shown above:  Malware persistent on the infected Windows host. IMAGES Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion. http://malware-traffic-analysis.net/2017/05/09/index.html Page 4 of 5 Shown above:  Escalating the Bunitu events reveals individual IP addresses that were contacted. Shown above:  Alerts from the Snort subscriber ruleset using Snort 2.9.9.0 on Debian 7. Click here to return to the main page. Source: http://malware-traffic-analysis.net/2017/05/09/index.html http://malware-traffic-analysis.net/2017/05/09/index.html Page 5 of 5