[2018-01-09] Seamless->RigEK->Ramnit

January 09, 2018

Overview

The .saz capture file is 2018-01-09_00-24-45.saz

(Analysis result using EKFiddle; the screenshot is not reproduced here)

Malware

Ramnit

da369d4ee267fdddeabd7ef98d8302413b2ce8c9322e00b349624ef9ec16c554
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Seamless]
http[:]//xn--b1aanbnczd5ie1bf.xn--p1ai/redirect.php
↓
http[:]//turself-josented.com/voluum/247ac801-6d02-4f27-b6ea-05decb49b6ab
↓
http[:]//redirect.turself-josented.com/redirect?target=BASE64aHR0cDovL3huLS1iMWFhbmJib2MzYWQ4amVlNGJmZi54bi0tcDFhaS9nYXYxLnBocA&ts=1515425180046&hash=yz-rg9LDKalynix302HS5d3sIvcr_0gmTW9WqUjRYMI&rm=DJ
↓
[Seamless]
http[:]//xn--b1aanbboc3ad8jee4bff.xn--p1ai/gav1.php
↓
[RigEK][Landing Page]
http[:]//188.225.86.154/?NTc3NjEy&UdvdmxpQkMJFN&hnJYQylJewFaA=c3Rvcm1lZA==&UmzKAOjOTg=c3Rvcm1lZA==&TGkVWeLh=c3Rvcm1lZA==&SYrTTZa=bG9jYXRlZA==&IUVehbPoozneXzO=ZGVub21pbmF0aW9ucw==&WOVteQuswx=bG9jYXRlZA==&vWNbkqUhXRD=dW5rbm93bg==&Lszs68sd=wHvQMvXcJwDJFYbGMvrETaNbNknQA0WPxpH2_drUdZqxKGni1-b5UUSk6FmCEh3&jaVHgPZIlWvn=ZGVub21pbmF0aW9ucw==&jicmEMxTvaaX=Y2FwaXRhbA==&tcvKloIDhCChlCQ=ZGVub21pbmF0aW9ucw==&vAElGnDSXHWvRv=c3Rvcm1lZA==&gdP183=hoPUoJecDO1ewiE3SL1QzyIsIAAkb9qGr3EGBmETJhJCBrheENA91z6LRVvQ_2w&XbpUQlnVbIoygU=c3Rvcm1lZA==
↓
[RigEK][SWF Payload]
http[:]//188.225.86.154/?MzAyMTI1&dlbEiB&SRSARIZiJU=cmVwb3J0&lVIjtZA=dW5rbm93bg==&fTZRQGjGK=YXR0YWNrcw==&tgWRAwIZQ=bWlzc2luZw==&eFxXXD=bWlzc2luZw==&PeYytxtTs=YXR0YWNrcw==&wAQhIUmn=c3Rvcm1lZA==&Lszs68sd=w3vQMvXcJxnQFYbGMv_DSKNbNkvWHViPxo2G9MildZqqZGX_k7DDfF-qoVvcCgWRxfB&aURtZeBQhEf=cmVwb3J0&aURRczLoM=ZGVub21pbmF0aW9ucw==&yqryuToCxtAQztP=c3Rvcm1lZA==&XYhgsgHlAb=c3Rvcm1lZA==&WzlklpJjoQq=bG9jYXRlZA==&gdP183=4K7oFbgDn2RSIKQE1zdwJB1xBpKGvhkeHyULN0pTX-hbeYwxMqqKUErQ_3VXFjLRTJvs
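As an added example that is not part of the original post, the following Python decodes the base64 hop hidden in the Seamless redirect (the target= value after its BASE64 prefix) and the base64 query values of the Rig landing URL, and checks that the decoded redirect target matches the hop that actually followed in the capture. The URLs are copied from the chain above with the defanged "[:]" restored and the Rig query string shortened to a few of its parameters; the function names are my own.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# Hops copied from the traffic chain above ("[:]" restored, Rig query shortened).
SEAMLESS_REDIRECT = (
    "http://redirect.turself-josented.com/redirect?target="
    "BASE64aHR0cDovL3huLS1iMWFhbmJib2MzYWQ4amVlNGJmZi54bi0tcDFhaS9nYXYxLnBocA"
    "&ts=1515425180046&hash=yz-rg9LDKalynix302HS5d3sIvcr_0gmTW9WqUjRYMI&rm=DJ")
SEAMLESS_GATE = "http://xn--b1aanbboc3ad8jee4bff.xn--p1ai/gav1.php"
RIG_LANDING = (
    "http://188.225.86.154/?NTc3NjEy&UdvdmxpQkMJFN&hnJYQylJewFaA=c3Rvcm1lZA=="
    "&SYrTTZa=bG9jYXRlZA==&IUVehbPoozneXzO=ZGVub21pbmF0aW9ucw=="
    "&vWNbkqUhXRD=dW5rbm93bg==&jicmEMxTvaaX=Y2FwaXRhbA==")


def b64_decode_lenient(token):
    """Decode standard or URL-safe base64 with padding restored.

    Returns None unless the token is well-formed and yields printable ASCII,
    so tracker timestamps and HMAC-like blobs are not reported as decoded text.
    """
    if not token:
        return None
    padded = token.translate(str.maketrans("-_", "+/")) + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_seamless_target(url):
    """Return the next hop carried in the Seamless redirect's target= parameter."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    target = params.get("target", "")
    if target.startswith("BASE64"):
        target = target[len("BASE64"):]
    return b64_decode_lenient(target)


def decode_query_values(url):
    """Map each query key to its base64-decoded value where one decodes cleanly.

    Bare tokens without '=' (e.g. NTc3NjEy) carry their data in the key itself.
    """
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        plain = b64_decode_lenient(value or key)
        if plain is not None:
            decoded[key] = plain
    return decoded


def chain_is_consistent(redirect_url, next_hop):
    """True when the decoded redirect target equals the hop seen next in the capture."""
    return decode_seamless_target(redirect_url) == next_hop
```

Running decode_query_values on the Rig URL shows that the random-looking keys carry base64 of ordinary dictionary words, which is useful when writing detections that should not key on any single parameter name.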