Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-11-10-Rig-EK-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 18.195.19.123 – flinsheer-perreene.com – GET /voluum/ – SEAMLESS REDIRECT
  • 52.58.173.25 – kcsmj.redirectvoluum.com – SEAMLESS REDIRECT
  • 194.58.40.193 – GET /test22.php – SEAMLESS REDIRECT
  • 176.57.214.216 – RIG EK LANDING PAGE
  • 194.87.145.189 port 443 – guaevvaxrujnobfytud.com – RAMNIT C2
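
To pivot the pcap on the indicators above, here is an added triage script (not code from the original post) that tags tshark field output with the infection-chain stage each destination belongs to and checks that the stages appear in chain order: Seamless redirects, then the Rig EK landing page, then Ramnit C2. It assumes tshark output produced with -T fields -e frame.time_epoch -e ip.dst -e tcp.dstport -e http.host -e http.request.uri -E separator=/t; the sample lines embedded in the script are constructed for illustration and are not taken from the pcap.

```python
"""Map tshark flow records to the Rig EK / Ramnit infection-chain stages.

Added triage helper, not code from the original post. Input is tshark
field output, tab-separated: frame.time_epoch, ip.dst, tcp.dstport,
http.host, http.request.uri.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the page's IOC list. Stage numbers encode the
# expected order of the chain: Seamless redirects -> Rig EK -> Ramnit C2.
IOCS = [
    {"stage": 1, "label": "SEAMLESS REDIRECT", "ip": "18.195.19.123",
     "host": "flinsheer-perreene.com", "uri_prefix": "/voluum/", "port": None},
    {"stage": 1, "label": "SEAMLESS REDIRECT", "ip": "52.58.173.25",
     "host": "kcsmj.redirectvoluum.com", "uri_prefix": None, "port": None},
    {"stage": 1, "label": "SEAMLESS REDIRECT", "ip": "194.58.40.193",
     "host": None, "uri_prefix": "/test22.php", "port": None},
    {"stage": 2, "label": "RIG EK LANDING PAGE", "ip": "176.57.214.216",
     "host": None, "uri_prefix": None, "port": None},
    {"stage": 3, "label": "RAMNIT C2", "ip": "194.87.145.189",
     "host": "guaevvaxrujnobfytud.com", "uri_prefix": None, "port": 443},
]


@dataclass
class Flow:
    ts: float
    dst_ip: str
    dst_port: int
    host: str
    uri: str


def parse_tshark_line(line: str) -> Optional[Flow]:
    """Parse one tab-separated tshark line; TLS flows have empty HTTP fields."""
    parts = (line.rstrip("\n").split("\t") + [""] * 5)[:5]
    ts, dst_ip, dst_port, host, uri = parts
    if not ts or not dst_ip:
        return None
    try:
        return Flow(float(ts), dst_ip, int(dst_port or 0), host.lower(), uri)
    except ValueError:
        return None


def match_ioc(flow: Flow) -> Optional[dict]:
    """Return the IOC a flow hits, or None.

    Destination IP is the primary key; port, host and URI prefix must also
    agree where the IOC lists them, so unrelated traffic to a shared hosting
    IP (or a different port on the C2 address) is not mis-tagged.
    """
    for ioc in IOCS:
        if flow.dst_ip != ioc["ip"]:
            continue
        if ioc["port"] is not None and flow.dst_port != ioc["port"]:
            continue
        if ioc["host"] and flow.host and flow.host != ioc["host"]:
            continue
        if ioc["uri_prefix"] and not flow.uri.startswith(ioc["uri_prefix"]):
            continue
        return ioc
    return None


def triage(lines) -> List[Tuple[Flow, dict]]:
    """Tag every matching flow with its IOC, ordered by capture time."""
    hits = []
    for line in lines:
        flow = parse_tshark_line(line)
        if flow is not None:
            ioc = match_ioc(flow)
            if ioc is not None:
                hits.append((flow, ioc))
    hits.sort(key=lambda h: h[0].ts)
    return hits


def chain_in_order(hits) -> bool:
    """True when stages are non-decreasing over time (redirect -> EK -> C2)."""
    stages = [ioc["stage"] for _, ioc in hits]
    return all(a <= b for a, b in zip(stages, stages[1:]))


def tshark_display_filter() -> str:
    """Wireshark display filter selecting traffic to every listed IOC IP."""
    return " || ".join(f"ip.addr == {ioc['ip']}" for ioc in IOCS)


# Constructed sample of tshark output (NOT taken from the pcap), in the
# order a victim browser would produce it; one unrelated flow is mixed in.
SAMPLE = [
    "1510300000.10\t18.195.19.123\t80\tflinsheer-perreene.com\t/voluum/",
    "1510300001.20\t52.58.173.25\t80\tkcsmj.redirectvoluum.com\t/",
    "1510300002.30\t194.58.40.193\t80\t\t/test22.php",
    "1510300003.40\t176.57.214.216\t80\t\t/",
    "1510300004.50\t93.184.216.34\t80\texample.com\t/",
    "1510300010.00\t194.87.145.189\t443\t\t",
]

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for flow, ioc in hits:
        print(f"{flow.ts:.2f} {flow.dst_ip}:{flow.dst_port} "
              f"{flow.host or '-'} {flow.uri or '-'} -> {ioc['label']}")
    print("chain order consistent:", chain_in_order(hits))
    print("display filter:", tshark_display_filter())
```

Run tshark over the unzipped pcap with the fields named above and feed the lines to triage(). The Ramnit C2 session on 443 carries no HTTP host or URI, so that match rests on destination IP and port alone, which is why a port 80 connection to the same address is deliberately left untagged.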

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: network traffic associated with the Rig exploit kit and the delivery of Ramnit banking malware.

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: