Fake Flash and Chrome updates lead to Ramnit Trojan

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-03-03-Ramnit-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • www.projectmanagementdocs.com – COMPROMISED SITE
  • 23.152.0.118 – connect.clevelandskin.com – REDIRECT TO FAKE FLASH PAGE
  • 84.200.17.21 – klao.fincruit.co – DOMAIN HOSTING FAKE FLASH AND CHROME
  • DROPBOX – JAVASCRIPT TO DOWNLOAD RAMNIT PAYLOAD
  • 185.243.112.38 – pn.dr906090.com POST /index.aspx – RAMNIT PAYLOAD
  • 95.213.199.132 – trumplines.bit POST /en/ – RAMNIT C2
  • 87.98.175.85 – DNS QUERY TO RESOLVE trumplines.bit
  • 139.59.23.241 – DNS QUERY TO RESOLVE trumplines.bit
  • 51.255.48.78 – DNS QUERY TO RESOLVE trumplines.bit
  • 202.58.192.10 – DNS QUERY TO RESOLVE trumplines.bit
  • 188.165.200.156 – DNS QUERY TO RESOLVE trumplines.bit

Note: .bit is a Namecoin (blockchain-based) TLD that ordinary DNS resolvers do not answer, which is why the infected host sends its queries for trumplines.bit to the five alternative resolvers above instead of to the local DNS server. DNS traffic to resolvers other than the ones you operate is a useful thing to alert on in its own right.
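The checks a detection engineer would build from the list above, as an added example that is not part of the original post: it flags the listed names and IPs in Zeek-style dns.log and http.log lines, and also catches the two generic habits this traffic shows (queries for a .bit name, and DNS sent to a resolver you do not operate). The log lines are constructed to imitate Zeek output, not copied from the pcap; the tab-separated field layout and the "approved resolver" address 10.0.0.53 are assumptions for the example.

```python
"""Flag the network indicators listed above in Zeek-style DNS and HTTP logs.

Added example, not from the original post. The log lines are constructed
(not from the pcap); field layout and the approved-resolver address are
assumptions.
"""

# Indicators copied from the list above. The compromised site
# www.projectmanagementdocs.com is a legitimate domain and is not used
# as an indicator here.
C2_DOMAINS = {"trumplines.bit"}
DELIVERY_HOSTS = {"connect.clevelandskin.com", "klao.fincruit.co",
                  "pn.dr906090.com"}
MALICIOUS_IPS = {"23.152.0.118", "84.200.17.21", "185.243.112.38",
                 "95.213.199.132"}
# Resolvers the infected host asked for trumplines.bit (from the list above).
BIT_RESOLVERS = {"87.98.175.85", "139.59.23.241", "51.255.48.78",
                 "202.58.192.10", "188.165.200.156"}
# Assumption: the only resolver internal clients should ever talk to.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample dns.log lines: ts, src, dst, query
DNS_LOG = """\
1520096000.1\t10.0.0.20\t10.0.0.53\twww.projectmanagementdocs.com
1520096010.2\t10.0.0.20\t87.98.175.85\ttrumplines.bit
1520096010.3\t10.0.0.20\t139.59.23.241\ttrumplines.bit
1520096020.4\t10.0.0.20\t10.0.0.53\taus5.mozilla.org
"""
# Constructed sample http.log lines: ts, src, dst, method, host, uri
HTTP_LOG = """\
1520096005.0\t10.0.0.20\t185.243.112.38\tPOST\tpn.dr906090.com\t/index.aspx
1520096012.0\t10.0.0.20\t95.213.199.132\tPOST\ttrumplines.bit\t/en/
1520096030.0\t10.0.0.20\t93.184.216.34\tGET\texample.com\t/
"""


def check_dns(dst, query):
    """Return the reasons one DNS query is suspicious (empty list if none)."""
    reasons = []
    if query in C2_DOMAINS:
        reasons.append(f"query for known Ramnit C2 name {query}")
    # .bit is a Namecoin TLD that ordinary resolvers cannot answer, so a
    # client asking for one is deliberately using alternative DNS.
    elif query.endswith(".bit"):
        reasons.append(f"query for Namecoin .bit name {query}")
    if dst in BIT_RESOLVERS:
        reasons.append(f"sent to resolver {dst} seen in this infection")
    elif dst not in APPROVED_RESOLVERS:
        reasons.append(f"sent to unapproved resolver {dst}")
    return reasons


def check_http(dst, method, host, uri):
    """Return the reasons one HTTP request is suspicious (empty list if none)."""
    reasons = []
    if host in C2_DOMAINS and method == "POST":
        reasons.append(f"POST to Ramnit C2 {host}{uri}")
    elif host in DELIVERY_HOSTS:
        reasons.append(f"contact with delivery host {host}{uri}")
    if dst in MALICIOUS_IPS:
        reasons.append(f"destination {dst} is a listed malicious IP")
    return reasons


def scan(dns_log=DNS_LOG, http_log=HTTP_LOG):
    """Run both checks over the logs; return one (ts, src, reasons) per hit."""
    hits = []
    for line in dns_log.splitlines():
        ts, src, dst, query = line.split("\t")
        reasons = check_dns(dst, query)
        if reasons:
            hits.append((ts, src, reasons))
    for line in http_log.splitlines():
        ts, src, dst, method, host, uri = line.split("\t")
        reasons = check_http(dst, method, host, uri)
        if reasons:
            hits.append((ts, src, reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in scan():
        print(ts, src, "; ".join(reasons))
```

On the constructed logs this reports four hits: both trumplines.bit lookups (known C2 name plus a resolver from the list), the POST to pn.dr906090.com/index.aspx, and the POST to trumplines.bit/en/. The .bit and unapproved-resolver checks keep working after the actors rotate names and IPs, which the exact-match sets do not.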


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the fake Flash and fake Chrome updates leading to Ramnit Trojan


Shown above: Fake Flash Player redirect which leads to Ramnit Trojan


Shown above: Fake Chrome update redirect which leads to Ramnit Trojan


MALICIOUS PAYLOAD ASSOCIATED WITH FAKE FLASH AND CHROME UPDATE:

  • flashplayer_33.9.22_plugin.js – JAVASCRIPT TO DOWNLOAD RAMNIT PAYLOAD
    SHA-256: ffd3d2366611c9e5808de315d7e4f73484cdce6780a4d6ed42bd046a4ec435f4
    VirusTotal Link
  • flashplayer_33.9.22_plugin.exe – RAMNIT TROJAN INSTALLER
    SHA-256: 067077146af899de1d3f4854db548d2e7d4560b1409374c422114398d866cfff
    VirusTotal Link
  • MozillaMaintenanceServiceb.exe – RAMNIT TROJAN
    C:\Users\USERNAME\AppData\Roaming\MozillaMaintenanceServiceb
    SHA-256: fc71e703446561fef83041b3273c9a4f42874d25f8556771a5776054cb6b2996
    VirusTotal Link
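A host-side triage script built from the payload list above, as an added example that is not part of the original post: it hashes every file under a profile tree and matches the three SHA-256 values listed, and because a rebuilt sample changes its hash while the delivery and persistence habits stay, it also flags the fake-update file name and the MozillaMaintenanceServiceb directory under AppData\Roaming. The sample profile tree is constructed from inert placeholder files, so on it only the name and location checks fire; the hash check fires on the real samples. The generalised name pattern and the "executable under Roaming" heuristic are assumptions.

```python
"""Hash-and-location triage for the host artifacts listed above.

Added example, not from the original post. The sample tree is constructed
from inert placeholder files; the name regex and the Roaming heuristic are
assumptions that generalise the single file names on the page.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the list above.
KNOWN_SHA256 = {
    "ffd3d2366611c9e5808de315d7e4f73484cdce6780a4d6ed42bd046a4ec435f4":
        "flashplayer_33.9.22_plugin.js (Ramnit downloader)",
    "067077146af899de1d3f4854db548d2e7d4560b1409374c422114398d866cfff":
        "flashplayer_33.9.22_plugin.exe (Ramnit installer)",
    "fc71e703446561fef83041b3273c9a4f42874d25f8556771a5776054cb6b2996":
        "MozillaMaintenanceServiceb.exe (Ramnit)",
}
# Assumption: generalises flashplayer_33.9.22_plugin.{js,exe} to any version.
FAKE_UPDATE_NAME = re.compile(r"^flashplayer_[\d.]+_plugin\.(js|exe)$",
                              re.IGNORECASE)
# Persistence directory from the list above. The genuine Mozilla Maintenance
# Service is installed under Program Files, not in a user's Roaming profile.
PERSISTENCE_DIR = "MozillaMaintenanceServiceb"


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known=KNOWN_SHA256):
    """Return [(posix relative path, sha256, [reasons])] for flagged files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        reasons = []
        if digest in known:
            reasons.append(f"SHA-256 matches {known[digest]}")
        if FAKE_UPDATE_NAME.match(path.name):
            reasons.append("fake Flash update file name")
        if PERSISTENCE_DIR in path.parts:
            reasons.append(f"lives in {PERSISTENCE_DIR} persistence directory")
        elif path.suffix.lower() == ".exe" and "Roaming" in path.parts:
            # Assumption: a low-severity heuristic, many installers do this too.
            reasons.append("executable under AppData\\Roaming")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), digest, reasons))
    return findings


def build_sample_tree():
    """Create a constructed user-profile tree with inert placeholder files."""
    root = Path(tempfile.mkdtemp(prefix="ramnit-triage-"))
    layout = {
        "Downloads/flashplayer_33.9.22_plugin.js": b"// inert placeholder\n",
        "AppData/Roaming/MozillaMaintenanceServiceb/MozillaMaintenanceServiceb.exe":
            b"MZ placeholder, not the real sample\n",
        "AppData/Roaming/Mozilla/profiles.ini": b"[General]\n",
        "Documents/notes.txt": b"benign\n",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, digest, reasons in triage(build_sample_tree()):
        print(f"{rel}\n    {digest}\n    " + "; ".join(reasons))
```

Point the script at a mounted profile (for example a copy of C:\Users\USERNAME) by calling triage() with that path instead of the constructed tree; a hash hit identifies the exact sample from the list above, while a name or location hit tells you to pull the file for analysis even when its hash is new.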