Below is a partial and edited flowchart of the malvertising chain that I captured during this infection:
An edited image of the infection chain is shown below:
You can see that the Ramnit sample appears to check for Internet connectivity before issuing DNS queries for ujndhe7382uryhf.com, which resolved to 46.173.214.170. Once the name resolves, the C2 traffic to that host goes over TCP port 443.
The static properties of this Ramnit sample can be found at https://pastebin.com/VgjwKuDV
Dynamic analysis of the sample shows the file system changes expected from Ramnit:
We also see the registry modifications the sample uses for persistence. Both entries point at the same dropped executable under %LOCALAPPDATA%; the Winlogon Userinit entry lives under HKLM, which a standard user cannot write, so that write implies the sample was running with administrative rights:

SETVAL; Path: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Key: ufyqwfyv; Value: %LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe

SETVAL; Path: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON; Key: USERINIT; Value: %WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe
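Anyone triaging a sandbox report will want these two registry writes flagged automatically rather than spotted by eye. The following is an added example, not code from this write-up or from any sandbox product: it parses SETVAL lines in the format shown above and flags Run-key entries that point into user-writable directories, plus Winlogon Userinit values that launch anything besides the real userinit.exe. The sample lines are constructed for the example (the two Ramnit lines reproduce the ones above with their path separators written out; the other three are benign); the rule names and the list of user-writable path markers are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample of sandbox registry-event lines. The first two are the
# Ramnit SETVAL lines from the dynamic analysis above; the remaining three are
# benign entries added here so the checks can be seen not firing on normal values.
SAMPLE_EVENTS = r"""
SETVAL; Path: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Key: ufyqwfyv; Value: %LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe
SETVAL; Path: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON; Key: USERINIT; Value: %WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe
SETVAL; Path: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON; Key: USERINIT; Value: C:\Windows\system32\userinit.exe,
SETVAL; Path: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Key: SecurityHealth; Value: %windir%\system32\SecurityHealthSystray.exe
SETVAL; Path: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED; Key: Hidden; Value: 1
"""

# One SETVAL line: "SETVAL; Path: <path>; Key: <name>; Value: <data>"
EVENT_RE = re.compile(
    r"^SETVAL;\s*Path:\s*(?P<path>[^;]+);\s*Key:\s*(?P<key>[^;]+);\s*Value:\s*(?P<value>.*)$"
)

# Autostart locations this example cares about (compared case-insensitively).
RUN_KEY_SUFFIXES = (
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)
WINLOGON_SUFFIX = r"\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"

# Markers for directories a non-admin user can write to (example's own list).
USER_WRITABLE_MARKERS = (
    "%LOCALAPPDATA%", "%APPDATA%", "%TEMP%", "%TMP%",
    "\\APPDATA\\", "\\TEMP\\", "\\USERS\\PUBLIC\\",
)


@dataclass
class Finding:
    rule: str
    path: str
    key: str
    value: str


def parse_events(text: str) -> list[dict]:
    """Parse SETVAL lines into dicts with 'path', 'key' and 'value'; skip anything else."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def from_user_writable_dir(value: str) -> bool:
    """True if the value references a directory any user can write to."""
    upper = value.upper()
    return any(marker in upper for marker in USER_WRITABLE_MARKERS)


def userinit_extra_programs(value: str) -> list[str]:
    """Return every entry in a Userinit value other than the real userinit.exe.

    Userinit is a comma-separated list; the stock value is
    '<windir>\\system32\\userinit.exe,' with nothing after the comma, so any
    other non-empty entry is something Winlogon will launch at logon.
    """
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and not p.lower().endswith("\\system32\\userinit.exe")]


def check_persistence(events: list[dict]) -> list[Finding]:
    """Apply the two persistence rules to parsed events, in input order."""
    findings = []
    for ev in events:
        path = ev["path"].upper()
        if path.endswith(RUN_KEY_SUFFIXES) and from_user_writable_dir(ev["value"]):
            findings.append(Finding("run-key-user-writable", ev["path"], ev["key"], ev["value"]))
        elif path.endswith(WINLOGON_SUFFIX) and ev["key"].upper() == "USERINIT":
            extra = userinit_extra_programs(ev["value"])
            if extra:
                findings.append(Finding("userinit-hijack", ev["path"], ev["key"], ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in check_persistence(parse_events(SAMPLE_EVENTS)):
        print(f"{f.rule}: {f.path}\\{f.key} -> {f.value}")
```

Running it reports the two Ramnit writes and nothing for the benign lines. The Userinit check keys on the shape of the stock value rather than on a particular path, so it would also catch a hijack that appended a program under Program Files; the Run-key check deliberately trades coverage for a low false-positive rate and would miss a loader that managed to drop itself under %WINDIR%.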
IOCs
Pre-infection:
194.58.47.235 – IP literal hostname used by the Seamless campaign
188.225.76.65 – IP literal hostname used by RIG EK
Post-infection:
DNS queries for ujndhe7382uryhf.com
Connections to 46.173.214.170 via TCP port 443
Hashes:
SHA256: 4c13e9bf12e2e370239a0eecda5a26aed4591d54981918bd36468cdfe8edbf3f
File name: RigEK landing page at 188.225.76.65.txt
SHA256: cbf7dfc2226e592149ef45539c9a4f109c4e66533fe061037241fb88c245ce57
File name: RigEK Flash exploit from 188.225.76.65.swf
SHA256: 62687447bd28623e2a584e4c0e761b5ed365bfe057621523a29025d4210fcada
File name: o32.tmp
SHA256: 6ada3771c54a461324b57dce99a59f74eb1a045ca279e25a76e2f1d7ca642742
File name: 20etyh0j.exe
Imphash: 4cb4666d64e85218df03f899472bde6c
ssdeep: 6144:pAOWNuZ4rgsTJ5gW7sVxdSCUshGOuGacgFeTqkuyJlzZr:pEvrn118eshGBCgFeTqkuyJDr
Downloads
Seamless RigEK Ramnit Artifacts from 082117.zip
password is “infected”
Until next time my friends!