Rig Exploit Kit delivers malware

I have added a zipped pcap file for each day for your analysis. The password for both zip archives is infected (all lowercase).

PCAP files of the infection traffic:

2018-07-13-Rig-Ek-pcap.zip
2018-07-14-Rig-Ek-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES 2018-07-13:

  • 5.23.54.142 – Rig Exploit Kit landing page
  • 178.210.89.119 – ionoiddi.mangyshlak.su – POST / – Post-infection traffic

DNS QUERIES:

milliaoin.info
lionoi.adygeya.su
ionoiddi.mangyshlak.su
missidiowi.xyz
io90s8dudi.xyz

Shown above: Network traffic associated with the Rig exploit and the delivery of malware

Shown above: DNS traffic associated with the Rig exploit and the delivery of malware


ASSOCIATED DOMAINS AND IP ADDRESSES 2018-07-14:

  • 92.53.107.71 – Rig Exploit Kit landing page
  • 213.183.51.8 – lionoi.adygeya.su – POST / – Post-infection traffic
  • 31.31.196.163 – oo00mika84.website – GET /Osiris_jmjp_auto2_noinj.exe – Secondary payload
  • 154.35.175.225 – GET /tor/status-vote/current/consensus – Tor directory request (network consensus fetch)
  • 51.255.26.152 – GET /tor/server/fp/ – Tor directory request (relay descriptor fetch by fingerprint)
  • 199.184.246.250 – Port 443 – Tor traffic

The two /tor/ requests are the normal bootstrap sequence of a Tor client (fetch the network consensus, then relay descriptors), so they show that the secondary payload brings up a Tor client; on their own they do not identify the malware family, and the same paths will appear for any legitimate Tor Browser user on the network.

Shown above: Network traffic associated with the Rig exploit and the delivery of malware


MALICIOUS PAYLOADS ASSOCIATED WITH THE RIG EXPLOIT KIT:

2018-07-13-Rig-EK.swf – Rig EK Flash exploit
SHA-256 2739f6e76386d3d16ad55b3b6af71f33ec934424753ad573b64a6443b7e0bac0
VirusTotal link

2018-07-14-Rig-EK.swf – Rig EK Flash exploit (same SHA-256 as the 2018-07-13 sample, i.e. the same file was served on both days)
SHA-256 2739f6e76386d3d16ad55b3b6af71f33ec934424753ad573b64a6443b7e0bac0
VirusTotal link

Osiris_jmjp_auto2_noinj.exe – Secondary payload 2018-07-14
SHA-256 db6c30f7af5075d6d32a721f77c6e2774889173b1ace8634cad63cbb9d2b1078
VirusTotal link
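The indicator lists for both days (IP addresses, domains, the POST / check-in, the payload URI, the Tor directory paths and the SHA-256 hashes) are only useful once they are turned into something that can be run over your own HTTP and DNS logs. The script below does that; it is an added example and is not code from the original post. Everything not in the post is an assumption: the tab-separated HTTP line layout (timestamp, source, destination, method, host, URI) and DNS line layout (timestamp, source, query) are invented for this example, the sample log lines are constructed rather than extracted from the pcaps, and the hash check is fed placeholder bytes because the real samples are not embedded here.

```python
"""Added example (not from the original post): the indicators listed above
turned into a small matcher and run over constructed log lines.

Assumptions, none of which come from the post: the tab-separated HTTP and
DNS line layouts below are invented for this example, the sample lines are
constructed (not extracted from the pcaps), and the hash check is fed
placeholder bytes because the real samples are not embedded here.
"""
import hashlib
from collections import namedtuple

# Indicators copied from the post (2018-07-13 and 2018-07-14).
IOC_IPS = {
    "5.23.54.142":     "Rig EK landing page (2018-07-13)",
    "178.210.89.119":  "post-infection POST / (2018-07-13)",
    "92.53.107.71":    "Rig EK landing page (2018-07-14)",
    "213.183.51.8":    "post-infection POST / (2018-07-14)",
    "31.31.196.163":   "secondary payload download (2018-07-14)",
    "154.35.175.225":  "Tor directory request (2018-07-14)",
    "51.255.26.152":   "Tor directory request (2018-07-14)",
    "199.184.246.250": "Tor traffic on 443 (2018-07-14)",
}
IOC_DOMAINS = {
    "milliaoin.info", "lionoi.adygeya.su", "ionoiddi.mangyshlak.su",
    "missidiowi.xyz", "io90s8dudi.xyz", "oo00mika84.website",
}
IOC_SHA256 = {
    "2739f6e76386d3d16ad55b3b6af71f33ec934424753ad573b64a6443b7e0bac0":
        "Rig EK Flash exploit (.swf, seen 2018-07-13 and 2018-07-14)",
    "db6c30f7af5075d6d32a721f77c6e2774889173b1ace8634cad63cbb9d2b1078":
        "Osiris_jmjp_auto2_noinj.exe (secondary payload, 2018-07-14)",
}
PAYLOAD_URI = "/Osiris_jmjp_auto2_noinj.exe"
# Generic Tor client bootstrap paths: corroborating context, not a conviction.
TOR_DIR_PATHS = ("/tor/status-vote/current/consensus", "/tor/server/fp/")

Hit = namedtuple("Hit", "line_no kind indicator note")

# Constructed sample lines (assumed layout): ts, src, dst, method, host, uri.
SAMPLE_HTTP_LOG = [
    "1531540000.1\t10.0.0.5\t5.23.54.142\tGET\t5.23.54.142\t/",
    "1531540001.2\t10.0.0.5\t178.210.89.119\tPOST\tionoiddi.mangyshlak.su\t/",
    "1531626400.3\t10.0.0.5\t31.31.196.163\tGET\too00mika84.website\t" + PAYLOAD_URI,
    "1531626401.4\t10.0.0.5\t154.35.175.225\tGET\t154.35.175.225\t/tor/status-vote/current/consensus",
    "1531626402.5\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/index.html",  # benign
]
# Constructed sample lines (assumed layout): ts, src, query.
SAMPLE_DNS_LOG = [
    "1531540000.0\t10.0.0.5\tmilliaoin.info",
    "1531540000.0\t10.0.0.5\tLIONOI.ADYGEYA.SU.",  # mixed case and trailing dot
    "1531540000.0\t10.0.0.5\twww.example.com",
]


def scan_http(lines):
    """Return a Hit for every indicator that fires on each HTTP log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, _src, dst, method, host, uri = line.rstrip("\n").split("\t")
        host = host.rstrip(".").lower()
        if dst in IOC_IPS:
            hits.append(Hit(n, "ip", dst, IOC_IPS[dst]))
        if host in IOC_DOMAINS:
            hits.append(Hit(n, "domain", host, "domain listed in post"))
        # The post-infection check-in on both days is a bare POST / to the C2 host.
        if method == "POST" and uri == "/" and (dst in IOC_IPS or host in IOC_DOMAINS):
            hits.append(Hit(n, "beacon", f"POST / to {host}", "post-infection check-in"))
        if uri.endswith(PAYLOAD_URI):
            hits.append(Hit(n, "payload-url", uri, "secondary payload download"))
        if uri.startswith(TOR_DIR_PATHS):
            hits.append(Hit(n, "tor-dir", uri, "Tor directory request (context only)"))
    return hits


def scan_dns(lines):
    """Return a Hit for every query naming a listed domain (case and trailing dot ignored)."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, _src, query = line.rstrip("\n").split("\t")
        q = query.rstrip(".").lower()
        if q in IOC_DOMAINS:
            hits.append(Hit(n, "dns", q, "query for domain listed in post"))
    return hits


def check_sha256(data):
    """Hash candidate sample bytes and look them up; returns (digest, description or None)."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, IOC_SHA256.get(digest)


if __name__ == "__main__":
    for hit in scan_http(SAMPLE_HTTP_LOG) + scan_dns(SAMPLE_DNS_LOG):
        print(hit)
    print(check_sha256(b"placeholder bytes, not the real sample"))
```

Each line can fire several indicators (the 2018-07-13 check-in line fires on the IP, the domain and the POST / pattern at once), which is deliberate: a hit on a bare IP or on a Tor directory path alone is weak, while a POST / to a listed domain from a host that just downloaded Osiris_jmjp_auto2_noinj.exe is a confident detection. To use this against real logs, replace the two sample lists with lines from your own proxy or DNS logs and adapt the split to their column order.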