Fake Flash update leads to Bitcoin Miner

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-01-18-Bitcoin-Miner-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 5.187.3.190 – 2chrup56.ru – REDIRECT TO FAKE FLASH
  • github.com/vediwide/cpp/raw/master/bin/flashupdate.exe – BITCOIN MINER MALWARE
  • bit.ly/2mrr5gZ – REDIRECT TO LEGITIMATE ADOBE SITE
  • 5.187.3.190 – 2chrup56.ru GET /tnk.php – REDIRECT TO LEGITIMATE ADOBE SITE
  • 185.26.99.49 – Port 3333 – pumpmywallet.com – BITCOIN MINER C2
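As an added example, not part of the original post, the Python below matches constructed Zeek/proxy-style records against the indicators listed above and flags hosts that show the complete chain (contact with 2chrup56.ru, the flashupdate.exe download from the GitHub raw URL, and an outbound connection to 185.26.99.49 on port 3333). The record layout and the sample lines are assumptions made for the example:

```python
import re

# Indicators taken from the list above.
REDIRECT_HOST = "2chrup56.ru"
REDIRECT_IP = "5.187.3.190"
PAYLOAD_URL_RE = re.compile(
    r"github\.com/vediwide/cpp/raw/master/bin/flashupdate\.exe$"
)
MINER_C2_IP = "185.26.99.49"
MINER_C2_PORT = 3333

# Constructed sample records (assumed layout, tab separated):
# kind  src  dst  dst_port  host  uri   ("-" where a field does not apply)
SAMPLE_LOG = """\
http\t10.0.0.5\t5.187.3.190\t80\t2chrup56.ru\t/
http\t10.0.0.5\t5.187.3.190\t80\t2chrup56.ru\t/tnk.php
http\t10.0.0.5\t192.0.2.10\t443\tgithub.com\t/vediwide/cpp/raw/master/bin/flashupdate.exe
conn\t10.0.0.5\t185.26.99.49\t3333\t-\t-
http\t10.0.0.7\t192.0.2.20\t80\texample.com\t/index.html
"""

CHAIN = {"redirect-host", "flashupdate-download", "miner-c2-3333"}


def match_indicators(log_text):
    """Map each internal source address to the set of indicator tags it hit."""
    hits = {}
    for line in log_text.splitlines():
        kind, src, dst, port, host, uri = line.split("\t")
        tag = None
        if kind == "http" and (host == REDIRECT_HOST or dst == REDIRECT_IP):
            tag = "redirect-host"
        elif kind == "http" and PAYLOAD_URL_RE.search(host + uri):
            tag = "flashupdate-download"
        elif kind == "conn" and dst == MINER_C2_IP and int(port) == MINER_C2_PORT:
            tag = "miner-c2-3333"
        if tag:
            hits.setdefault(src, set()).add(tag)
    return hits


def infected_hosts(log_text):
    """Hosts that show every stage of the chain, not just a single indicator."""
    return sorted(src for src, tags in match_indicators(log_text).items()
                  if CHAIN <= tags)


if __name__ == "__main__":
    print(match_indicators(SAMPLE_LOG))
    print("full chain:", infected_hosts(SAMPLE_LOG))
```

A single hit on the miner C2 port alone is worth an alert on its own; the full-chain check just ranks hosts that also pulled the payload.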


IMAGES AND DETAILS OF INFECTION CHAIN:

[Image not included here] Network traffic associated with the fake Flash update and Bitcoin miner

[Image not included here] C2 traffic associated with the Bitcoin miner


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

2018-01-18-flashupdate.exe – Bitcoin miner malware
VirusTotal Link