[2018-05-11] Slyip->RigEK->Ursnif

May 11, 2018

Overview

SAZ file (Fiddler session archive) is 2018-05-11_08-55-07.saz

(Analysis result using EKFiddle)

Malware

Ursnif

f79de63b1432a95be3002d787bc7cbb3f530a55bc3d27ab3361736b2cfa89d5c
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Slyip Campaign]
http[:]//youtubeconverter.slyip.com/y2mate/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//youtubeconverter.slyip.com/y2mate/index.php?browser=ie&countryname=United+States
↓
[Slyip Campaign]
http[:]//youtubeconverter.slyip.net/WpLTQb?browser=ie&countryname=United+States
↓
[RIG Exploit Kit][Landing Page]
http[:]//95.142.39.45/?NDYyMTIx&WKweZSmiTvLMCEW&ezsqHHoUYUFbu=cmVzb3J0&rFKczmWV=c2Vh&t4dsdfa4=TDQLpjkbTegdimNxZUVMX9fyn30WDmhCf1cGD_xLYZwtBrZOURrI_21nyzrMkQPskg1TH6mI&fdfsdf3gf=xXzQMvWdbRXQCZ3EKvncT6NEMVHRH0CL2YydmrHTefjaeVWkzrHFTF_3ozKASASG6_FtdfJ&WSheDmhp=c2My&TkFxRjw=cmVzb3J0&opfurVyJyVX=c2hha2U=&TAZBiovhibjD=cmVzb3J0&przEHEYYzxHYtEt=c3BvcnQ=
↓
[RIG Exploit Kit][SWF Payload]
http[:]//95.142.39.45/?MjgxNzk1&PngJOsLjd&fdfsdf3gf=w3zQMvXcJx3QFYbGMv_DSKNbNkzWHViPxoyG9MildZ2qZGX_k7DDfF-qoVzcCgWRxfI&fSOUBlbvK=cmVzb3J0&xgUzXUaoKeSe=cmVzb3J0&JHxjncoCV=Zmx5&CXNEmpAPsW=cmVzb3J0&LnaQffEFH=Zmx5&t4dsdfa4=sJbEDPADiiReDcgZlyYcMBFlA8fz4j0DSnBCY0pWDrxaJZQ5C_qKXELMz3F7FjLJTJvs&NZvFHbslbQaBqPe=c2hha2U=&vbajbv=Y2F0cw==
↓
[RIG Exploit Kit][Malware Payload]
http[:]//95.142.39.45/?MTcyOTIw&lwnAySHGNEZy&yyZEpcfUDl=Y2F0cw==&t4dsdfa4=NYPlDijEaEKQRilYoIUVNCofqqiBSDyBKb1ZGG_EeMMwlG-5aSFbUL3Fj2zbgcQJYmhxWy&fdfsdf3gf=wn3QMvXcLhXQFYbBKuXDSKFDKU7WHEaVw4-dhMG3YprNfynz1ezURnLytASVVF6RrbMdL7&LkAbbcNOc=cmVzb3J0&gJFrrWeAyVADw=c2Vh&JSOdJf=cmVzb3J0&xoVSNuRrJUxDxIp=bW9uZXk=&CrclGpbFhiU=cmVzb3J0&YShpPlQngqRCMN=cmVzb3J0
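As an added triage example (not part of the original post or of EKFiddle), the Python below parses the three RIG EK requests from the chain above. It separates the leading bare token, the short base64-looking values and the long opaque blobs, and decodes the short values where they are strict standard base64 of plain alphanumeric text. The URLs are copied from the page in their defanged form; the function and field names are this example's own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The three RIG EK requests from the traffic chain above, copied as defanged on the page.
RIG_REQUESTS = {
    "landing": "http[:]//95.142.39.45/?NDYyMTIx&WKweZSmiTvLMCEW&ezsqHHoUYUFbu=cmVzb3J0&rFKczmWV=c2Vh&t4dsdfa4=TDQLpjkbTegdimNxZUVMX9fyn30WDmhCf1cGD_xLYZwtBrZOURrI_21nyzrMkQPskg1TH6mI&fdfsdf3gf=xXzQMvWdbRXQCZ3EKvncT6NEMVHRH0CL2YydmrHTefjaeVWkzrHFTF_3ozKASASG6_FtdfJ&WSheDmhp=c2My&TkFxRjw=cmVzb3J0&opfurVyJyVX=c2hha2U=&TAZBiovhibjD=cmVzb3J0&przEHEYYzxHYtEt=c3BvcnQ=",
    "swf": "http[:]//95.142.39.45/?MjgxNzk1&PngJOsLjd&fdfsdf3gf=w3zQMvXcJx3QFYbGMv_DSKNbNkzWHViPxoyG9MildZ2qZGX_k7DDfF-qoVzcCgWRxfI&fSOUBlbvK=cmVzb3J0&xgUzXUaoKeSe=cmVzb3J0&JHxjncoCV=Zmx5&CXNEmpAPsW=cmVzb3J0&LnaQffEFH=Zmx5&t4dsdfa4=sJbEDPADiiReDcgZlyYcMBFlA8fz4j0DSnBCY0pWDrxaJZQ5C_qKXELMz3F7FjLJTJvs&NZvFHbslbQaBqPe=c2hha2U=&vbajbv=Y2F0cw==",
    "payload": "http[:]//95.142.39.45/?MTcyOTIw&lwnAySHGNEZy&yyZEpcfUDl=Y2F0cw==&t4dsdfa4=NYPlDijEaEKQRilYoIUVNCofqqiBSDyBKb1ZGG_EeMMwlG-5aSFbUL3Fj2zbgcQJYmhxWy&fdfsdf3gf=wn3QMvXcLhXQFYbBKuXDSKFDKU7WHEaVw4-dhMG3YprNfynz1ezURnLytASVVF6RrbMdL7&LkAbbcNOc=cmVzb3J0&gJFrrWeAyVADw=c2Vh&JSOdJf=cmVzb3J0&xoVSNuRrJUxDxIp=bW9uZXk=&CrclGpbFhiU=cmVzb3J0&YShpPlQngqRCMN=cmVzb3J0",
}

# Strict standard base64 alphabet only: the long blobs in these URLs use '-' and '_'
# and are deliberately left alone, since they do not decode to readable text.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_ALNUM_RE = re.compile(r"[A-Za-z0-9]+")


def refang(url):
    """Turn the page's defanged 'http[:]//' form back into a parseable URL."""
    return url.replace("[:]", ":")


def decode_if_base64(token):
    """Return the decoded text if `token` is strict base64 of ASCII alphanumerics, else None."""
    if not token or len(token) % 4 != 0 or not _B64_RE.fullmatch(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if _ALNUM_RE.fullmatch(text) else None


def analyse_rig_url(defanged_url):
    """Split one RIG EK request into host, bare tokens, decoded short values and opaque blobs."""
    parts = urlsplit(refang(defanged_url))
    result = {"host": parts.hostname, "bare_tokens": [], "decoded": {}, "opaque": []}
    # keep_blank_values=True keeps the leading '?NDYyMTIx' style tokens that carry no '='.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value == "":
            result["bare_tokens"].append((key, decode_if_base64(key)))
            continue
        word = decode_if_base64(value)
        if word is None:
            result["opaque"].append(key)
        else:
            result["decoded"][key] = word
    return result


def dictionary_words(defanged_url):
    """Sorted, de-duplicated set of the readable words hidden in a request's short values."""
    return sorted(set(analyse_rig_url(defanged_url)["decoded"].values()))


if __name__ == "__main__":
    for stage, url in RIG_REQUESTS.items():
        info = analyse_rig_url(url)
        print(stage, info["host"], info["bare_tokens"], dictionary_words(url), "opaque:", info["opaque"])
```

Running it shows why string-matching one of these URLs is a poor detection: the parameter names and the two long blobs change on every request, while the short values only cycle through a small set of base64-encoded words. A detection keyed on the structure (a numeric bare token followed by a random one, several short base64 values decoding to plain words, two long URL-safe blobs to the same bare IP) survives the per-request churn that a literal URL match does not.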