[2018-06-29] Unknown->RigEK->AZORult

June 29, 2018

Overview

Saz file is 2018-06-29_00-36-56.saz

(↓Analysis result using EKFiddle)

Malware

AZORult

caf48e73c4362cab82891c79f4cf30a9f6fb5c5bb8317353c0c7d327a167b552
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//www.blogus.info/blog_plus/1.php
↓
[RIG Exploit Kit][Landing Page]
http[:]//188.225.56.252/?MzcxOTAw&RYNYUIBLQZE&fdfdf=x3rQdfWfaRuPDojEM__dTaFGMUzOHkePwYqfmLDSF5qoeDajz7eSFxzw6V6tTjvSgfBOLrZTIgCyjhqEOQE0mOFeEFlK8_6qkEKVzU6fwJ&xTkANRH=cmVzb3J0&KKGMGDUmPyoQedn=bW9uZXk=&QWibvFrBLvTm=c2My&NJZKYogdvXHYd=Zmx5&emwdWCStrHB=c3BvcnQ=&fPxOOiNcoRyl=c2Vh&OnuvQpHGOWwS=c2My&ccTHgf=c3BvcnQ=&pffesAzjQh=c2My&tahfd4=Sy-UeJMg5B-8SWELJo2wz2yrIVc5gklRWH6mZTyekbVlsTtA4Rn_3PHqXArhV0XUY3VQrKfppzpU_GWSPhMm531POLRAtxq-qK8rV32ZQu&cGdvYKX=c3BvcnQ=&NZDPvjhWVC=cmVzb3J0
↓
[RIG Exploit Kit][SWF Payload]
http[:]//188.225.56.252/?MTA4ODcz&neiEZk&tahfd4=OMglB-8SWELJo3Az2yrIVdJgjlRWH6mZTyekbUVsTtA4Rn_3IHqLAqRVzXUE3VQrKfppzok_BWSPhMm531PSLRDx2merP9fB3nJQd1l2vgAt_bhw&wyflMtJlbs=c3BvcnQ=&luDZEJ=c3BvcnQ=&UCJVJJqDvgIvthP=bW9uZXk=&zuZSvbDN=bWF0Y2h1cA==&lPBoLe=c3BvcnQ=&FhsbDRg=cmVzb3J0&pLDwwhIYiqVbA=cmVzb3J0&fdfdf=x3rQcvWfaRuPCYjDM_jdSqFGMUzOHkeIwYqfmLDVF52ofzajz7CSEBzw6V6tTjvSgfBOLrZTIgeyiRqDOQY0n-FeEF5K9P6tkEWVzU6fwJSy-Ue&gKDmCaHXTjahfl=c3BvcnQ=&kzeoFdjiN=bWF0Y2h1cA==&xvuSCdnWldploK=cmVzb3J0&oyyHIXMX=c2hha2U=
↓
[RIG Exploit Kit][Malware Payload]
http[:]//188.225.56.252/?NDM3NTA4&hmpSOKTTQwXfO&tahfd4=ZBF4XpK3_i0XUmhXOhZOF-BaLYA4Q_ZHGHLIyjV78yrITIchylRKL4GUEmektW14Z6A4ala3CH6XAnUMtFEYxYQ&rSyZFenEg=bWF0Y2h1cA==&NGnZbShuBcQZ=Y2F0cw==&DepsuQZ=c3BvcnQ=&DBBrTiLKDEKBub=c3BvcnQ=&ieXVOEaVSF=c3BvcnQ=&PziBWqGUmvz=c3BvcnQ=&BHOrGuRvTZXQq=Zmx5&CZjOpBHOAmTOR=c3BvcnQ=&egoFnPhxFmvE=c3BvcnQ=&fNdNInspYWEAsAN=Y2F0cw==&JUwxDJPTH=Y2F0cw==&fdfdf=xH3QMrLYbRzFFYbfKPjEUKFEMUvWA0WKwY2Zha3VF5qxFDLGpbD1FxnspVmdCF6EmvdvdLEHIweh1UHASwYzz4p
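The three RIG EK requests above share one query-string shape: a leading bare token that is base64 for a numeric id (MzcxOTAw is "371900"), a run of random parameter names whose values are base64 for short dictionary words (cmVzb3J0 is "resort", c3BvcnQ= is "sport"), and one or two long opaque blobs (the fdfdf and tahfd4 values). The script below is an added example for this page, not part of the original post or of EKFiddle: it decodes those tokens and scores a URL against that shape. The scoring thresholds are an assumption drawn from these three URLs rather than a published signature, and the benign control URL at the end of the sample list is constructed.

```python
"""Heuristic triage of the RIG EK URL pattern seen in this traffic chain.

Added example, not from the original post or from EKFiddle. The heuristic
(base64 numeric token + several base64 dictionary words + long opaque blobs)
is an assumption derived from the three URLs on this page.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample input: the page's own defanged URLs, plus one benign
# control URL (constructed) that also carries a plain 'resort' parameter.
SAMPLE_URLS: List[str] = [
    "http[:]//www.blogus.info/blog_plus/1.php",
    "http[:]//188.225.56.252/?MzcxOTAw&RYNYUIBLQZE&fdfdf=x3rQdfWfaRuPDojEM__dTaFGMUzOHkePwYqfmLDSF5qoeDajz7eSFxzw6V6tTjvSgfBOLrZTIgCyjhqEOQE0mOFeEFlK8_6qkEKVzU6fwJ&xTkANRH=cmVzb3J0&KKGMGDUmPyoQedn=bW9uZXk=&QWibvFrBLvTm=c2My&NJZKYogdvXHYd=Zmx5&emwdWCStrHB=c3BvcnQ=&fPxOOiNcoRyl=c2Vh&OnuvQpHGOWwS=c2My&ccTHgf=c3BvcnQ=&pffesAzjQh=c2My&tahfd4=Sy-UeJMg5B-8SWELJo2wz2yrIVc5gklRWH6mZTyekbVlsTtA4Rn_3PHqXArhV0XUY3VQrKfppzpU_GWSPhMm531POLRAtxq-qK8rV32ZQu&cGdvYKX=c3BvcnQ=&NZDPvjhWVC=cmVzb3J0",
    "http[:]//188.225.56.252/?MTA4ODcz&neiEZk&tahfd4=OMglB-8SWELJo3Az2yrIVdJgjlRWH6mZTyekbUVsTtA4Rn_3IHqLAqRVzXUE3VQrKfppzok_BWSPhMm531PSLRDx2merP9fB3nJQd1l2vgAt_bhw&wyflMtJlbs=c3BvcnQ=&luDZEJ=c3BvcnQ=&UCJVJJqDvgIvthP=bW9uZXk=&zuZSvbDN=bWF0Y2h1cA==&lPBoLe=c3BvcnQ=&FhsbDRg=cmVzb3J0&pLDwwhIYiqVbA=cmVzb3J0&fdfdf=x3rQcvWfaRuPCYjDM_jdSqFGMUzOHkeIwYqfmLDVF52ofzajz7CSEBzw6V6tTjvSgfBOLrZTIgeyiRqDOQY0n-FeEF5K9P6tkEWVzU6fwJSy-Ue&gKDmCaHXTjahfl=c3BvcnQ=&kzeoFdjiN=bWF0Y2h1cA==&xvuSCdnWldploK=cmVzb3J0&oyyHIXMX=c2hha2U=",
    "http[:]//188.225.56.252/?NDM3NTA4&hmpSOKTTQwXfO&tahfd4=ZBF4XpK3_i0XUmhXOhZOF-BaLYA4Q_ZHGHLIyjV78yrITIchylRKL4GUEmektW14Z6A4ala3CH6XAnUMtFEYxYQ&rSyZFenEg=bWF0Y2h1cA==&NGnZbShuBcQZ=Y2F0cw==&DepsuQZ=c3BvcnQ=&DBBrTiLKDEKBub=c3BvcnQ=&ieXVOEaVSF=c3BvcnQ=&PziBWqGUmvz=c3BvcnQ=&BHOrGuRvTZXQq=Zmx5&CZjOpBHOAmTOR=c3BvcnQ=&egoFnPhxFmvE=c3BvcnQ=&fNdNInspYWEAsAN=Y2F0cw==&JUwxDJPTH=Y2F0cw==&fdfdf=xH3QMrLYbRzFFYbfKPjEUKFEMUvWA0WKwY2Zha3VF5qxFDLGpbD1FxnspVmdCF6EmvdvdLEHIweh1UHASwYzz4p",
    "https://example.com/search?q=resort&page=2",
]

# A decoded token only counts if it is a short lowercase alphanumeric string.
WORD_RE = re.compile(r"[a-z0-9]{2,12}")


def refang(url: str) -> str:
    """Turn the defanged 'http[:]//' and 'host[.]tld' forms back into a real URL."""
    return url.replace("[:]", ":").replace("[.]", ".")


def decode_short_token(token: str) -> Optional[str]:
    """Return the plaintext if `token` is standard base64 for a short lowercase
    alphanumeric string (e.g. 'cmVzb3J0' -> 'resort'), otherwise None.
    URL-safe blobs ('-' / '_') and binary output are rejected by validation."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if WORD_RE.fullmatch(text) else None


def analyse_query(url: str) -> Dict[str, object]:
    """Classify every query-string item into the three classes the heuristic uses:
    numeric ids from bare tokens, dictionary words from values, opaque blobs."""
    query = urlsplit(refang(url)).query
    result: Dict[str, object] = {"ids": [], "words": [], "opaque": 0}
    if not query:
        return result
    for part in query.split("&"):
        key, sep, value = part.partition("=")
        if not sep:                       # bare token such as 'MzcxOTAw'
            decoded = decode_short_token(key)
            if decoded and decoded.isdigit():
                result["ids"].append(decoded)
            continue
        decoded = decode_short_token(value)
        if decoded and not decoded.isdigit():
            result["words"].append(decoded)
        elif len(value) > 40:             # long fingerprint/padding blob
            result["opaque"] = result["opaque"] + 1
    return result


def is_rig_like(url: str) -> bool:
    """Assumed thresholds: a numeric id, at least five word params, one blob."""
    r = analyse_query(url)
    return bool(r["ids"]) and len(r["words"]) >= 5 and r["opaque"] >= 1


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_query(u)
        print(is_rig_like(u), r["ids"], sorted(set(r["words"])), r["opaque"], u[:50])
```

Run as a script it prints one line per URL; the gate and the control URL score False, the landing page, SWF and malware payload requests score True, and the word sets ("resort", "money", "sport", "cats", ...) make the pattern visible at a glance. Because the check only looks at the query-string shape, it is cheap to run over proxy logs, but the thresholds are an assumption from three samples and should be tuned against your own traffic before being used for alerting.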