Rig Exploit Kit via EITest delivers Dreambot from 217.107.34.86

NOTES:

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-03-15-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.everythingcebu.com – COMPROMISED SITE
  • 217.107.34.86 – we.winterbluemusic.com – RIG EK LANDING PAGE
  • 5.196.159.173 – GET /[RANDOM DIRECTORIES]/.avi – POST-INFECTION TRAFFIC
  • 5.196.159.173 – GET [RANDOM DIRECTORIES]/.avi – POST-INFECTION TRAFFIC
  • 5.196.159.173 – GET /tor/t64.dll – TOR CLIENT
  • 37.48.122.26 – curlmyip.net – COMPROMISED HOST IP ADDRESS CHECK
  • 87.98.254.64 – nod32s.com – POST-INFECTION TRAFFIC

POST INFECTION TOR TRAFFIC:



IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: network traffic associated with the Rig exploit kit and the delivery of DreamBot and the Tor client

 

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: