[2018-06-30] Slyip->RigEK->Ursnif

June 30, 2018

Overview

SAZ file (Fiddler session archive): 2018-06-30_00-23-39.saz

(Image: analysis result using EKFiddle)

Malware

Ursnif

c2d3e343ec696eb762bec9e33617372747ba803622e747e947562b66ac87568c
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

[Slyip Campaign]
http[:]//appsforpc.etowns.net/XghLjD
↓
[Slyip Campaign]
http[:]//jsdfa.dtdns.net/Cn5CJF
↓
[RIG Exploit Kit][Landing Page]
http[:]//188.225.24.183/?NTg4NTA5&ItaGZFW&VhbOrPoTxTYG=Zmx5&EejKruJdsxEk=Zmx5&tahfd4=SwE0zopeW1kapqqr3UKHzRLKhpSH9BHZZQ5G95GdRrI7317ynrIUJs8nwhLQ7mJTnuktYlkgpQlR2a3I&BgmkYMYOBRo=c2hha2U=&ztTjNA=c2hha2U=&nPoPjT=Zmx5&IAiEAaPOfXpeKgs=bW9uZXk=&cKISzOPOTzVl=Y2F0cw==&nABSPepOvdAOIzx=c3BvcnQ=&fdfdf=xH3QMrLYbRzFFYbfKPjEUKZEMUzWA0WKwY2ZharVF5qxFDXGpbD1Fx7spVmdCFmEmvBvdLYHIweh1UHA&dnBtET=c2Vh&anttLYDxa=cmVzb3J0&yqrrfwGTSJuGsU=c3BvcnQ=
↓
[RIG Exploit Kit][SWF Payload]
http[:]//188.225.24.183/?MTI4NTQ4&YYspjxFuD&hdRbrlf=c2Vh&SMqkhmHDmCmoaim=c2Vh&twMAzhUjez=c2Vh&tIHAsJwY=Y2F0cw==&RnhcutKXFmkTns=c3BvcnQ=&tahfd4=zopeW14apq2r3UWHzRLKhpSH9BbZZQlG95GdRrU7317ynrIUJsgnwhLQ7mVTnuktVlkS5g4Vlar7VaKO-0NA&gROHMPVi=c2Vh&LLFkPqdtc=Y2F0cw==&PWbBIGLxWPQZ=c2hha2U=&nudYZbBEBVanvz=c2Vh&IzQeOjMwK=c3BvcnQ=&bWGcxoIjLFYC=c2hha2U=&fdfdf=xH3QMrLYbRzFFYHfKPjEUKZEMUvWA0WKwYqZharVF5qxFDLGpbD1FxnspV6dCF6EmvBvdLEHIwCh1UHASwE0
↓
[RIG Exploit Kit][Malware Payload]
http[:]//188.225.24.183/?NTAyMTk4&pyofhb&VuggQWCGml=Y2F0cw==&QmKJmPI=Zmx5&fdfdf=x3rQdfWfaRuPCYjDM__dSqFGMUzOHkeIwY2fmLDVF52oeDakz7CSFxzw6V6tSTvSgfBOKbZUIgCyiRqEOQY0mOFeEFlK9P6tkEKVyk6fwJOy_kCJMw5&JarPfQDKZ=cmVzb3J0&tZhmhgfzaSVV=bW9uZXk=&npMEZlWURq=c2My&AZXPLCPXyJOO=c2hha2U=&rDTZeZABaoafe=c2Vh&tahfd4=G-5uRHbVq3Fj2nLVGc88jkRWE6mRTxelJVl4U4gkbn6bPRKXJrkdzU0ZjUg3NeZ0mpRjBAiPvNTlw0_SLQzJ2ku3H9f53lZQk1hevzgsZaXG7u_PI-Wg&CbfIAfAwbNzeQyJ=Zmx5&FipEgfqIUogEd=cmVzb3J0&yorKyr=cmVzb3J0&cdZFKl=cmVzb3J0