Grandsoft Exploit Kit delivers malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-08-05-Grandsoft-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 185.17.122.166 – concluding.vanillanyn.xyz – POST /narcoticsweight.htm – Grandsoft EK
  • 185.17.122.166 – concluding.vanillanyn.xyz – GET /getversoinpd/1/2/3/4 – Grandsoft EK
  • 185.17.122.166 – concluding.vanillanyn.xyz – GET /dwie.hta – Grandsoft EK
  • 169.239.129.108 – berengolisk.bid – POST /forum/topic.php – Malware Downloader
  • 169.239.129.28 – spacex2112.ru – POST /blog/index.php – Post Infection C2
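The list above is what an analyst would turn into detection content. As an added example (not part of the original post and not taken from the pcap), the script below encodes those five indicators as structured IOCs and matches them against HTTP request records in a Zeek http.log-like layout (tab-separated ts, id.orig_h, id.resp_h, host, method, uri). It reports exact matches (IP, Host header, method and path), weaker "infra" matches where a known host or IP is seen with a different request, and a heuristic flag for any .hta download; that last rule is an assumption added here because the EK stage delivered an HTA, not an indicator from the page. The sample log lines are constructed, with TEST-NET addresses and example.net for the benign traffic.

```python
"""Added example (not from the original post): turn the indicator list above
into structured IOCs and match them against HTTP request records, so the
infection chain (EK -> downloader -> C2) can be reconstructed from proxy or
Zeek http.log data. The log lines at the bottom are constructed for
illustration; the IOCs are the ones listed on the page."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Optional


@dataclass(frozen=True)
class Indicator:
    ip: str
    host: str
    method: str
    path: str
    stage: str


# One entry per item in the ASSOCIATED DOMAINS AND IP ADDRESSES list.
INDICATORS = (
    Indicator("185.17.122.166", "concluding.vanillanyn.xyz", "POST", "/narcoticsweight.htm", "Grandsoft EK"),
    Indicator("185.17.122.166", "concluding.vanillanyn.xyz", "GET", "/getversoinpd/1/2/3/4", "Grandsoft EK"),
    Indicator("185.17.122.166", "concluding.vanillanyn.xyz", "GET", "/dwie.hta", "Grandsoft EK"),
    Indicator("169.239.129.108", "berengolisk.bid", "POST", "/forum/topic.php", "Malware Downloader"),
    Indicator("169.239.129.28", "spacex2112.ru", "POST", "/blog/index.php", "Post Infection C2"),
)


@dataclass(frozen=True)
class HttpRecord:
    ts: float
    src: str
    dst: str
    host: str
    method: str
    uri: str


def parse_http_log(text: str) -> Iterator[HttpRecord]:
    """Parse tab-separated records: ts, id.orig_h, id.resp_h, host, method, uri.
    Zeek-style '#' header lines and blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected field count in {line!r}")
        ts, src, dst, host, method, uri = fields
        yield HttpRecord(float(ts), src, dst, host, method.upper(), uri)


def classify(rec: HttpRecord) -> Optional[tuple[str, str]]:
    """Return (confidence, stage) or None.
    exact     : IP, Host header, method and path all match a listed IOC
    infra     : known IP or host seen with a different method/path
    heuristic : an .hta fetched from anywhere (assumption added here, since the
                EK stage delivered an HTA; this is not an IOC from the page)"""
    path = rec.uri.split("?", 1)[0]          # ignore the query string
    for ioc in INDICATORS:
        if (rec.dst, rec.host, rec.method, path) == (ioc.ip, ioc.host, ioc.method, ioc.path):
            return ("exact", ioc.stage)
    for ioc in INDICATORS:
        if rec.dst == ioc.ip or rec.host == ioc.host:
            return ("infra", ioc.stage)
    if path.lower().endswith(".hta"):
        return ("heuristic", "HTA download (review)")
    return None


def scan(text: str) -> list[dict]:
    """Return every hit as a dict, in log order."""
    hits = []
    for rec in parse_http_log(text):
        result = classify(rec)
        if result is None:
            continue
        confidence, stage = result
        hits.append({"ts": rec.ts, "src": rec.src, "dst": rec.dst, "host": rec.host,
                     "request": f"{rec.method} {rec.uri}",
                     "confidence": confidence, "stage": stage})
    return hits


def infection_chain(hits: list[dict]) -> list[tuple[str, float]]:
    """First-seen time of each stage among exact hits, in time order: the
    timeline of the chain (EK, then downloader, then C2) for one victim."""
    first_seen: dict[str, float] = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        if h["confidence"] == "exact":
            first_seen.setdefault(h["stage"], h["ts"])
    return list(first_seen.items())


# Constructed sample (not from the pcap): one victim, the listed requests,
# a new path on the EK host, a benign request, and an unrelated .hta.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\thost\tmethod\turi",
    "1533470400.1\t10.8.5.101\t185.17.122.166\tconcluding.vanillanyn.xyz\tPOST\t/narcoticsweight.htm",
    "1533470401.2\t10.8.5.101\t185.17.122.166\tconcluding.vanillanyn.xyz\tGET\t/getversoinpd/1/2/3/4",
    "1533470402.3\t10.8.5.101\t185.17.122.166\tconcluding.vanillanyn.xyz\tGET\t/dwie.hta",
    "1533470403.4\t10.8.5.101\t185.17.122.166\tconcluding.vanillanyn.xyz\tGET\t/favicon.ico",
    "1533470410.5\t10.8.5.101\t169.239.129.108\tberengolisk.bid\tPOST\t/forum/topic.php?id=7",
    "1533470420.6\t10.8.5.101\t169.239.129.28\tspacex2112.ru\tPOST\t/blog/index.php",
    "1533470430.7\t10.8.5.101\t198.51.100.20\twww.example.net\tGET\t/index.html",
    "1533470440.8\t10.8.5.101\t198.51.100.21\tfiles.example.net\tGET\t/setup.hta",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(infection_chain(scan(SAMPLE_LOG)))
```

Exact matches are the ones worth alerting on; the "infra" tier is there because EK and C2 hosts rotate paths, so a known IP or domain with an unfamiliar request still deserves a look, while the .hta heuristic will fire on legitimate HTA deployments and should be tuned per environment.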


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Grandsoft Exploit Kit (EK) and post infection traffic


MALICIOUS PAYLOAD ASSOCIATED WITH GRANDSOFT EK:

2018-08-05-raise.exe – Original Payload
SHA-256 7715731ac0c7e248c09f2d29121d26aac48deae9909516ba38b880f17c517bfd
VirusTotal link

2018-08-05-1B3D.tmp.exe – Secondary Payload
SHA-256 21346ee8bd7b4811e123004c408b87300b5f77c31cc06666e3ba26a0b9c908f1
VirusTotal link