Shout-out to thlnk3r for giving me the referer!
Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196:
The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194:
The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi:
There is also a log file containing a 64-character alphanumeric string written to ProgramData:
Writes to a start menu file:
Registry entries:
Below is an image of the network traffic filtered in Wireshark:
You can see the DNS request for hdyejdn638ir8.com, which resolves to 134.0.117.8, followed by post-infection traffic to 134.0.117.8 over TCP port 443:
Another obvious sign of a Ramnit infection is that the host will be making an obscene number of ARP and POP3 requests. The POP3 requests caused the following ET rule to trigger on my IDS:
- ET SCAN Rapid POP3 Connections – Possible Brute Force Attack
There was also another ET rule that triggered:
- ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
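As an added example that is not part of the original post, the Python below sketches the two behaviours those ET rules key on (rapid POP3 connection attempts from one host, and one host touching many peers on port 139) over a constructed conn-log sample; the addresses, timings and thresholds are assumptions, not values from this capture.

```python
from collections import defaultdict

# Constructed Zeek-style conn records (ts src dst dport proto); made-up addresses.
SAMPLE_LOG = """\
1.00 10.0.0.5 198.51.100.10 110 tcp
1.05 10.0.0.5 198.51.100.11 110 tcp
1.10 10.0.0.5 198.51.100.12 110 tcp
1.15 10.0.0.5 198.51.100.13 110 tcp
1.20 10.0.0.5 198.51.100.14 110 tcp
2.00 10.0.0.5 10.0.0.20 139 tcp
2.01 10.0.0.5 10.0.0.21 139 tcp
2.02 10.0.0.5 10.0.0.22 139 tcp
5.00 10.0.0.7 198.51.100.50 443 tcp
"""

def parse_conn_log(text):
    """Parse whitespace-separated records into dicts."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            recs.append({"ts": float(ts), "src": src, "dst": dst,
                         "dport": int(dport), "proto": proto})
    return recs

def rapid_connections(recs, dport, window, threshold):
    """{src: peak count} for sources opening >= threshold connections to
    dport inside any sliding window of `window` seconds (rapid POP3)."""
    by_src = defaultdict(list)
    for r in recs:
        if r["dport"] == dport and r["proto"] == "tcp":
            by_src[r["src"]].append(r["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits

def port_fanout(recs, dport, threshold):
    """{src: distinct hosts} for sources touching >= threshold distinct
    destinations on dport (unusual port 139 traffic / scan behaviour)."""
    dests = defaultdict(set)
    for r in recs:
        if r["dport"] == dport:
            dests[r["src"]].add(r["dst"])
    return {s: len(d) for s, d in dests.items() if len(d) >= threshold}
```

Feed it real conn.log output after adjusting the field parsing, and tune `window` and `threshold` to your network's normal mail-client behaviour to keep false positives down.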
Hashes:
- RIG EK landing page.txt, SHA256: 238e6aa527f414d630198ae8534555eb5994446d60a0982e0371e4bef4813f1b
- RIG EK Flash exploit.swf, SHA256: 4a768366efed47b2fcda2afdfa47d4959a06de7ec30a8b2077940a4be3269ab9
- opn23cus.exe, SHA256: 721796597134733a1efcada14152d960ce52404af1f93f4ac1162f59e443e6a7 (Hybrid-Analysis Report)
- opn23cus.exe, SHA256: 6c114c8669a18aec0282d7fdf19d06ee0eb196fc9643b1072edbfe2b30a653f2 (Hybrid-Analysis Report)
Files (password is “infected”):
Landing Page and Flash Exploit.zip
The malware payloads can be downloaded from either VirusTotal or the Hybrid-Analysis reports located in the Hashes section above.
Until next time!