[2018-03-15] FlashOffer->RigEK->Miner

March 15, 2018

Overview

The SAZ (Fiddler session archive) file is 2018-03-15_01-25-18.saz

(Analysis result using EKFiddle; the screenshot is not reproduced here)

Malware

Coin Miner

86f76e86cd6ed5a374bdee2e06e7397c8633fc74929274929f2df207373cfe78
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[FlashOffer]
http[:]//laquinsetoders.stream/lp/flash/index.php?subid=30tvgggdg9q9lv0q6f
↓
[FlashOffer]
http[:]//laquinsetoders.stream/lp/flash/offer.php
↓
[RigEK][Landing Page]
http[:]//46.229.213.34/?Njc0ODQ=&QcCfXB&SOEQHKpW=dGFraW5n&YieBKowpSUtn=dW5rbm93bg==&nx52sdfgdfgbs=xXrQMvWabRXQDp3EKv3cT6NGMVHRGUCL2Y2dmrHUefjaeFWkzrXFTF_wozKATgSG6_dtdfJ&thdd3sdfd2d=UDVLhjkfUfwBmyN9YUAwU9Kr9j0WBnReficLW-BzeMglCq5eWRuA63lv9zbQkQPsig1TH7WI&FiqXTfzoEzAuzNR=Y29uc2lkZXI=&xJnlAUVzdZbOn=bG9jYXRlZA==&ZtUahixmpPKINwV=dW5rbm93bg==&qcuarrpgPZuaz=bG9jYXRlZA==&grxtYM=Y2FwaXRhbA==
↓
[RigEK][SWF Payload]
http[:]//46.229.213.34/?NTQxOTcw&qQSfMzigpwzDLmV&JMLPlqM=dW5rbm93bg==&thdd3sdfd2d=9fUvebZXaVLjixOHeFZgyNpZU1NGo6D93ULSnRPO0ZaE_h2PUQ1E_5qREIF4nwvF&YBoNuFjNGC=bWlsaw==&zFWyztN=dW5rbm93bg==&ooMrxUbjF=cmVwb3J0&nx52sdfgdfgbs=wXjQMvXcJwDQDobGMvrESLtBNknQA0KK2I32_dqyEoH9fmnihNzUSkrw6B2aCm2A&xjmZyZtd=Y2FwaXRhbA==&gwyhwfYUOVGctQ=bG9jYXRlZA==&ZHQyJX=Y29uc2lkZXI=
↓
[RigEK][Malware Payload]
http[:]//46.229.213.34/?Mjk5OTg3&oYNWEvXm&nx52sdfgdfgbs=wXjQMvXcJwDQDIbGMvrESLtGNknQA0KK2Ij2_dqyEoH9eGnihNzUSkr26B2aCm2A9fA&fbweGUwcOjbs=bG9jYXRlZA==&upnxNYjsyPW=dGhpbmdz&tbxZPYF=bG9jYXRlZA==&LLFzGDFpwW=dGFraW5n&eDsdNLBCHGI=Y2FwaXRhbA==&OAFIuQwuCJCN=dW5rbm93bg==&thdd3sdfd2d=vebZXaVLjjhOHeFZgyNpeU1NGo6D93ULSnRPO0ZaE-x2PUQNM9puQHbgy0W2oj7QXQA&vUMYDpMoQ=Y2FwaXRhbA==