[2017-12-25] Seamless->RigEK->Ramnit

December 25, 2017

Overview

Saz file: 2017-12-25_19-53-56.saz

(Analysis result using EKFiddle)

Malware

Ramnit (for USA)

307d836b5e7a37a401cf3a7e22cb5730b960bc1050fa084fb9b6ccffa83cd6bd
[Hybrid-Analysis] [VirusTotal]

Modules

Config (for USA)

https://gist.github.com/anonymous/cc3ff0bfe4a869d6737886781c44de7b

C2: lillliliiliiilliillil.com (194.87.102.205)

Traffic-Chain

[Seamless]
http[:]//5.63.154.8/trus/
↓
http[:]//conkey-teapected.com/voluum/407f56f4-fb01-4443-bcd8-f0633dd3fcbd
↓
http[:]//redirect.conkey-teapected.com/redirect?target=BASE64aHR0cDovLzE3OC4yMS4xMC42OC80NDQucGhw&ts=1514199340244&hash=Jd4RN1gaZXDVmDOcddbQ0iTKIRbgEsmHn1MSWpDce1o&rm=DJ
↓
[Seamless]
http[:]//178.21.10.68/444.php
↓
[RigEK][Landing Page]
http[:]//5.23.48.146/?MzQzMDYw&oJYyPKMyAc3Rvcm1lZHp3VG5zb2FHaHVHaw==bWlzc2luZw==&RIfBbthaq=bWlzc2luZw==&sdffghfgf=RDVXmjkaJLgFmldpeUF9F9K_9jkSHmBOficPU_0OMZgtF-MSQRbZq2lzzzbUkQPskg1TH7WI&IQAiYjmO=cmVwb3J0&xTDclaGMPc=cmVwb3J0&WXSKXoiVMk=ZGVub21pbmF0aW9ucw==&ogFrwDBPvkUWloe=YXR0YWNrcw==&YiYdvDHeeiFq=bG9jYXRlZA==&KcXpzujdxu=ZGVub21pbmF0aW9ucw==&ideJdpY=YXR0YWNrcw==&iIdPMiYryGN=YXR0YWNrcw==&KzhfIlCdoFkg=bG9jYXRlZA==&dfsdfsdf=xX_QMvWfbRXQD53EKvrcT6NAMVHRH0CL2Y2dmrHUefjaelWkzrfFTF_yozKATgSG6_dtdfJ&gSfeCe=YXR0YWNrcw==&DIBBBmzPuuC=Y2FwaXRhbA==&MHiXcAmMzbG9jYXRlZA==
↓
[RigEK][SWF Payload]
http[:]//5.23.48.146/?MzMxMTEx&arvWxEPGvshnxbG9jYXRlZEZQUk5yTllHdmVVbWlzc2luZw==&VKgnBRPWjPmtQJ=bWlzc2luZw==&DWrdQXKWfi=dW5rbm93bg==&sdffghfgf=XmjEaJLgRmldpfUF9F9q_9jkKHmBOYicPU-EOMZglF-MSWRbZq21zzzbMkc8kmwxGF7FETi-lL&rZqkbweKSb=bWlzc2luZw==&CyWUMdoaRmL=bG9jYXRlZA==&rwjDGyV=dW5rbm93bg==&jzpsRL=Y2FwaXRhbA==&LcaGDveO=Y2FwaXRhbA==&cDXZxJdMKU=cmVwb3J0&VATGGghyVeHKrbB=ZGVub21pbmF0aW9ucw==&nguoNXKRL=YXR0YWNrcw==&QDARfBq=YXR0YWNrcw==&dfsdfsdf=xXzQMvWdbRXQC53EKvncT6NEMVHRH0CL2YydmrHTefjaeFWkzrHFTF_yozKATgSG6_FtdfJRDV&gTIvXL=bWlzc2luZw==&eSyekUbHzQoUjbWlzc2luZw==