[2018-04-19] Fobos->RigEK->Bunitu

April 19, 2018

Overview

SAZ file (Fiddler session archive): 2018-04-19_01-43-36.saz

(Analysis result using EKFiddle: screenshot)

Malware

Bunitu

ec819f1338e86b9e73db4ce462f82dc5135b94120388c9f22977d7a353783390
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Fobos]
http[:]//baosailiwatch.net
↓
[Fobos]
http[:]//jblchar1.info/lutasfqan/index.php?s=1103239653?
↓
[RigEK][Landing Page]
http[:]//185.154.53.223/?NTc2ODUz&wtXWeGImlpFo&QzGoZcuOmD=Y2F0cw==&xVWlyvkF=cmVzb3J0&fdg3f=wn3QMvXcKRXQFYbDKuXDSKdDKU7WGUaVw4-ahMG3YprNfynz0uzURnLxtASVVFmRrbM&DzZhsivWzAAtf=Zmx5&dcDJQWKBO=c3BvcnQ=&gSXCJwjXwl=bW9uZXk=&t4aaf=dL7cDPwHg3xGEfwQ3noYLUVwX9q-v3xTSnBedhJPX_xeNMwJH-sPDHbIL6G2xzPNRcw&HpteyrAKJLiE=Zmx5&bKRBllGRK=cmVzb3J0
↓
[RigEK][SWF Payload]
http[:]//185.154.53.223/?Mzk3ODE1&bQAzOeB&rOXDdreJgI=Y2F0cw==&nUcgJa=c3BvcnQ=&t4aaf=cDPwHl3xGEfwQ3noYLVlwX9q-s3xTSnBWdhJPX_xeNMwJE-sPDHbML0F39zbAdQIgkgECy&bktDDJYKJmM=c2hha2U=&IhAsojdElr=c2Vh&boTLmDvyq=cmVzb3J0&ELBKvBRTTF=cmVzb3J0&EcsdskCWVdHrEyk=c2Vh&fdg3f=wn_QMvXcKRXQFYbCKuXDSKRDKU7WHkaVw4-dhMG3Yp3Nfynz0-zURnLytASVVFmRrbMdKb
↓
[RigEK][Malware Payload]
http[:]//185.154.53.223/?NTkxNDI4&GBJGtebb&PGwsXM=c2hha2U=&t4aaf=BSbwC1iUHWeQdpyohZU1sVpvyp20DUzRLJgpWCrx2IMAsT9qKcHbIy0VT8xrMdQJZnxBWy&tubPWtorbylY=cmVzb3J0&BsyvHkUXwI=c2Vh&fdg3f=w3zQMvXcJxvQFYbGMvnDSKNbNkzWHViPxoyG9MildZyqZGX_k7DDfF-qoV7cCgWRxfcofr&LzplOuqb=c2hha2U=&xlfsmUZImWuRYZ=c2Vh&FBxBZc=cmVzb3J0&JUEhfKzrEyaRu=c2Vh
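The Rig EK URLs in the chain above share a recognisable shape: a bare IP host, a query string on the root path, many randomly named parameters, several short standard-base64 values (Y2F0cw== is "cats", cmVzb3J0 is "resort", Zmx5 is "fly", c3BvcnQ= is "sport", bW9uZXk= is "money"), and one or two long URL-safe blobs (fdg3f, t4aaf). The script below is an added example written for this post, not code from the original page or from EKFiddle: it decodes those tokens from the landing-page URL quoted above and scores a URL against a small set of heuristics derived from that URL. The heuristics, the threshold, and the benign comparison URL (www.example.com) are my own assumptions, not a published signature.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Rig EK landing-page URL from the traffic chain on this page, kept in the
# page's defanged form; refang() turns it back into a parseable URL.
RIG_LANDING = (
    "http[:]//185.154.53.223/?NTc2ODUz&wtXWeGImlpFo&QzGoZcuOmD=Y2F0cw=="
    "&xVWlyvkF=cmVzb3J0&fdg3f=wn3QMvXcKRXQFYbDKuXDSKdDKU7WGUaVw4-ahMG3YprNfynz0uzURnLxtASVVFmRrbM"
    "&DzZhsivWzAAtf=Zmx5&dcDJQWKBO=c3BvcnQ=&gSXCJwjXwl=bW9uZXk="
    "&t4aaf=dL7cDPwHg3xGEfwQ3noYLUVwX9q-v3xTSnBedhJPX_xeNMwJH-sPDHbIL6G2xzPNRcw"
    "&HpteyrAKJLiE=Zmx5&bKRBllGRK=cmVzb3J0"
)

# Constructed benign URL (assumption, not from the capture) for comparison.
BENIGN_URL = "https://www.example.com/search?q=cats&page=2"

# Rig's long parameters here are 60+ chars drawn from the URL-safe base64 alphabet.
LONG_BLOB = re.compile(r"[A-Za-z0-9_-]{60,}")


def refang(url: str) -> str:
    """Undo the page's defanging ("http[:]//", "[.]") so the URL can be parsed."""
    return url.replace("[:]", ":").replace("[.]", ".")


def decode_short_base64(token: str):
    """Return the plaintext if token is standard base64 of a short printable
    ASCII string (e.g. Y2F0cw== -> cats), otherwise None. The length and
    alphabet checks reject the long URL-safe blobs, which contain '-' or '_'."""
    if not token or len(token) % 4 or len(token) > 24:
        return None
    try:
        # validate=True makes non-alphabet characters an error instead of
        # being silently skipped; binascii.Error is a ValueError subclass.
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:
        return None
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return None
    return text


def decode_query_tokens(url: str) -> dict:
    """Map each query parameter to its decoded word. A bare parameter with no
    '=' (like NTc2ODUz) is decoded from its own name."""
    query = urlsplit(refang(url)).query
    decoded = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        word = decode_short_base64(value or key)
        if word is not None:
            decoded[key] = word
    return decoded


def rig_ek_indicators(url: str) -> list:
    """Return the list of heuristics the URL matches. These are my own reading
    of the three Rig URLs on this page, not a published signature."""
    parts = urlsplit(refang(url))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    words = decode_query_tokens(url)
    reasons = []
    try:
        ipaddress.ip_address(parts.hostname or "")
        reasons.append("host is a bare IP address, not a domain")
    except ValueError:
        pass
    if parts.path in ("", "/") and parts.query:
        reasons.append("query string served from the root path")
    if len(pairs) >= 8:
        reasons.append("eight or more query parameters")
    if sum(1 for w in words.values() if w.isalpha() and w.islower()) >= 3:
        reasons.append("three or more base64-encoded short lowercase words")
    if any(LONG_BLOB.fullmatch(value) for _, value in pairs):
        reasons.append("at least one long URL-safe-base64 blob (60+ chars)")
    return reasons


def is_rig_like(url: str, threshold: int = 4) -> bool:
    """Flag a URL when it matches at least `threshold` of the heuristics."""
    return len(rig_ek_indicators(url)) >= threshold


if __name__ == "__main__":
    for url in (RIG_LANDING, BENIGN_URL):
        print(url[:60] + "...")
        print("  decoded:", decode_query_tokens(url))
        print("  reasons:", rig_ek_indicators(url))
        print("  rig-like:", is_rig_like(url))
```

Feeding proxy or Fiddler URLs through rig_ek_indicators gives a per-URL reason list rather than a bare verdict, which is what you want when tuning: a single indicator (a bare-IP host, say) is common in legitimate traffic, while the combination of all five matched here is not.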