[2018-03-20] HookAds->RigEK->Miner

March 20, 2018

Overview

The Fiddler session archive (SAZ) for this capture is 2018-03-20_19-23-31.saz.

(Analysis result using EKFiddle)

Malware

Coin Miner

SHA-256: 99891aab5ec0b43b076c40c34e1d493972fa007877312ee8cbbe9674d163d8af
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[HookAds]
http[:]//piquantvideo.info/?pop
↓
[HookAds]
http[:]//piquantvideo.info/popunder.php
↓
[HookAds]
http[:]//slimepoptop.info/banners/advertising
↓
[RigEK][Landing Page]
http[:]//176.57.217.33/?MTkyMzU4&EwfBPvr&QmJtHjvSjYJZ=cmVwb3J0&BqjVXtqPCpy=dW5rbm93bg==&wCfIkHke=Y2FwaXRhbA==&oZSpIK=bG9jYXRlZA==&OJBIrbDuzblaDQ=cG9wdWxhcg==&thdsG2d=xfYvLLFVPAa0jxeEKQFjzY5VU1kV9ayrikeHy0TJgZSG-BGJMgxDqqKlJLJ_mhj2&ZRmIBBTAjXMDiSL=Y2FwaXRhbA==&nx52dgs=w3rQMvXcJxvQFYbGMv_DSKNbNkvWHViPxoqG9MildZuqZGX_k7XDfF-qoVvcCgWR&YIemtlfh=cG9wdWxhcg==
↓
[RigEK][SWF Payload]
http[:]//176.57.217.33/?MTI2MTc5&bkGyKbzFw&TIVBsBDtBglNGas=cmVwb3J0&pBERfXtm=Y2FwaXRhbA==&thdsG2d=vLLFVPAa0jxeEKQNjzY5VU1kV9ayrikWHy0TJgZGG-BGJMg9DqqKcErU43FjFjLdTJvs&bYBdnxAuaUvmkX=cmVwb3J0&evinQMJbpVxhDu=dGhpbmdz&cOvoXD=Y2FwaXRhbA==&SjzOcEk=Y2FwaXRhbA==&nx52dgs=w33QMvXcJxzQFYbGMv3DSKNbNkrWHViPxouG9MildZuqZGX_k7DDfF-qoV7cCgWRxfU&iuDwlCmvR=Y29uc2lkZXI=
↓
[RigEK][Malware Payload]
http[:]//176.57.217.33/?NDYzMjc1&JMuZclQkf&yEptehaOdW=Y2FwaXRhbA==&RiULeeHQtyCAmN=bG9jYXRlZA==&WzRFgkbRGiUvii=cG9wdWxhcg==&oRMhNlYtsjukQ=dW5rbm93bg==&svKwgdPantjU=bWlsaw==&lLnbdq=bG9jYXRlZA==&coNAScUWk=cmVwb3J0&nx52dgs=w33QMvXcJxrQFYbGMvjDSKNbNkzWHViPxouG9MildZ2qZGX_k7XDfF-qoVvcCgWRxfYvLL&thdsG2d=FVPAW0jxeEKQBjzY5VU18V9ayrikeHy0TJgZGG-BGJMglDqqKcHbcy0VT8xrIdQJZnxBKy
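The three Rig EK requests in this chain share a recognisable shape: a bare IPv4 host, a leading base64-encoded numeric token, and random-named parameters whose values are base64 of English words (cmVwb3J0 decodes to "report", Y2FwaXRhbA== to "capital"). As an added example, not code from the write-up, the scorer below pulls those indicators out of the defanged URLs listed above; the threshold of three word-valued parameters and the `rig_like` verdict are assumptions chosen for this sample, not a vendor signature.

```python
"""Heuristic scorer for the Rig EK URL pattern seen in this chain (added
example, not the write-up's own code). Thresholds are assumptions chosen
for this sample, not a vendor signature."""
import base64
import ipaddress
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# URLs copied from the traffic chain above (still defanged).
RIG_LANDING = "http[:]//176.57.217.33/?MTkyMzU4&EwfBPvr&QmJtHjvSjYJZ=cmVwb3J0&BqjVXtqPCpy=dW5rbm93bg==&wCfIkHke=Y2FwaXRhbA==&oZSpIK=bG9jYXRlZA==&OJBIrbDuzblaDQ=cG9wdWxhcg==&thdsG2d=xfYvLLFVPAa0jxeEKQFjzY5VU1kV9ayrikeHy0TJgZSG-BGJMgxDqqKlJLJ_mhj2&ZRmIBBTAjXMDiSL=Y2FwaXRhbA==&nx52dgs=w3rQMvXcJxvQFYbGMv_DSKNbNkvWHViPxoqG9MildZuqZGX_k7XDfF-qoVvcCgWR&YIemtlfh=cG9wdWxhcg=="
RIG_PAYLOAD = "http[:]//176.57.217.33/?NDYzMjc1&JMuZclQkf&yEptehaOdW=Y2FwaXRhbA==&RiULeeHQtyCAmN=bG9jYXRlZA==&WzRFgkbRGiUvii=cG9wdWxhcg==&oRMhNlYtsjukQ=dW5rbm93bg==&svKwgdPantjU=bWlsaw==&lLnbdq=bG9jYXRlZA==&coNAScUWk=cmVwb3J0&nx52dgs=w33QMvXcJxrQFYbGMvjDSKNbNkzWHViPxouG9MildZ2qZGX_k7XDfF-qoVvcCgWRxfYvLL&thdsG2d=FVPAW0jxeEKQBjzY5VU18V9ayrikeHy0TJgZGG-BGJMglDqqKcHbcy0VT8xrIdQJZnxBKy"
HOOKADS_POP = "http[:]//piquantvideo.info/?pop"

def refang(url: str) -> str:
    """Undo the write-up's defanging so the URL parses normally."""
    return url.replace("[:]", ":").replace("[.]", ".")

def _b64_ascii(token: str) -> Optional[str]:
    """Strict standard-alphabet base64 decode to ASCII text, else None."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def score_rig_url(defanged: str) -> dict:
    """Return the individual indicators and an overall rig_like verdict."""
    parts = urlsplit(refang(defanged))
    try:
        ipaddress.ip_address(parts.hostname or "")
        ip_host = True
    except ValueError:
        ip_host = False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    first = _b64_ascii(pairs[0][0]) if pairs else None
    leading_numeric = bool(first) and first.isdigit()
    # Count values that decode to a plain lowercase English-looking word.
    word_values = 0
    for _, value in pairs:
        text = _b64_ascii(value)
        if text and len(text) >= 3 and text.isascii() and text.isalpha() and text.islower():
            word_values += 1
    return {
        "ip_host": ip_host,
        "leading_numeric_token": leading_numeric,
        "word_values": word_values,
        "rig_like": ip_host and leading_numeric and word_values >= 3,
    }
```

Run `score_rig_url` over proxy or Fiddler URL logs to triage candidate Rig traffic; the HookAds redirector URLs in this chain score zero on every indicator.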