Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-10-31-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 35.157.93.206 – jj3et.redirectvoluum.com – SEAMLESS REDIRECT
  • 194.58.40.193 – GET /test33.php – SEAMLESS REDIRECT
  • 188.225.10.19 – RIG EK LANDING PAGE
  • 194.87.236.22 – tcp Port 443 – fxophxmrry.com – RAMNIT C2

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of Ramnit banking malware

Shown above: DNS traffic associated with Ramnit banking malware – jifgmeoa.com appears to be sinkholed to torpig-sinkhole.org
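As an added example (not part of the original post or its pcap), the snippet below triages constructed DNS answer records against the indicators listed above, flagging lookups of the listed domains, resolutions to the listed addresses, and CNAME answers pointing into torpig-sinkhole.org. The record format, the sample values and the exact CNAME form used for the sinkhole are assumptions for illustration.

```python
# Added example: match constructed DNS answers against the indicators from this post.
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the post above.
IOC_DOMAINS = {"jj3et.redirectvoluum.com", "fxophxmrry.com", "jifgmeoa.com"}
IOC_IPS = {"35.157.93.206", "194.58.40.193", "188.225.10.19", "194.87.236.22"}
SINKHOLE_SUFFIXES = ("torpig-sinkhole.org",)


@dataclass
class DnsAnswer:
    query: str    # name the client asked for
    rtype: str    # "A" or "CNAME"
    answer: str   # IP address or canonical name returned


def classify_dns(rec: DnsAnswer) -> Optional[str]:
    """Return a finding for one DNS answer, or None if nothing matches."""
    q = rec.query.lower().rstrip(".")
    a = rec.answer.lower().rstrip(".")
    if rec.rtype == "CNAME" and a.endswith(SINKHOLE_SUFFIXES):
        # A sinkholed name means the host is still trying to reach a C2
        # domain; the host is infected even though the operator no longer
        # receives the traffic.
        return f"sinkholed C2 domain {q} -> {a}"
    if q in IOC_DOMAINS:
        return f"lookup of known IoC domain {q}"
    if rec.rtype == "A" and a in IOC_IPS:
        return f"{q} resolves to known IoC address {a}"
    return None


def triage(records: List[DnsAnswer]) -> List[str]:
    return [f for f in map(classify_dns, records) if f]


# Constructed sample answers (not taken from the pcap); the CNAME target
# form for the sinkhole is an assumption.
SAMPLE = [
    DnsAnswer("www.example.com", "A", "203.0.113.10"),
    DnsAnswer("jifgmeoa.com", "CNAME", "jifgmeoa.com.torpig-sinkhole.org"),
    DnsAnswer("fxophxmrry.com", "A", "194.87.236.22"),
    DnsAnswer("cdn.example.net", "A", "188.225.10.19"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```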

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: