[2018-07-14] PseudoGate->RigEK->SmokeLoader->Kronos

July 14, 2018

Overview

SAZ (Fiddler session archive) file: 2018-07-14_00-46-08.saz

(Analysis result using EKFiddle)

Malware

SmokeLoader

11268bd6156fef367ce50abb98512123e3128423a6c21474b90e7248a9b95782
[Hybrid-Analysis] [VirusTotal]

Kronos

75769405a034d7db09b54b9e227722692a106dd5dc4acf48a60c70cbdc8e3f12
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//envirodry.ca
↓
[RIG Exploit Kit][Landing Page]
http[:]//188.225.18.200/?MjkyODQ3&ZFjLHKP&jdMcAd=cmVzb3J0&HsbyeTh=c2Vh&AZqsrxdewUW=bWF0Y2h1cA==&ta24dfgdds4=Oy_kaOZg4R_JKRFrIy3A_xzrJCc50jlBKG6mZUmu4fVgkT5g5Fn67PHqKdrkN0V0FnVQXNKpp3pU_BWSS5MjJ3h_SLQwtxq-2K9bVw2ZMu&ASRMRIjkcPISxrN=c2hha2U=&fd34dfg3f=x3rQcvWfaRyPCYjEM_jdSqFGMUvOGUePwYqfn7DVF52ofzakz7CSEBzw6V6tSTvSgfBOLrZUIgeyiRqDOQY0mOFeEFlK8_6tkEWVyk6fwJ&FwiJpgt=c2Vh&hKNZRSFlI=c2hha2U=&EBTbVlZ=cmVzb3J0&xurXUmtChexbm=c3BvcnQ=&HceSYJhqktL=cmVzb3J0&ClVFpsAluG=cmVzb3J0&ttFxQHJUhj=c2My
↓
[RIG Exploit Kit][SWF Payload]
http[:]//188.225.18.200/?NjE5OTA2&vGojucvThqacP&JlcJTm=c2Vh&fd34dfg3f=xHrQMrLYbRvFFYHfKP_EUKZEMUvWA0KKwY2Zha3VF52xFDXGpbD1FxnspV6dCFmEmvdvdLYHIwCh1UHASwYy&QYoXpzPjgujCw=cmVzb3J0&upWjOz=c2My&XLvlILLyUR=cmVzb3J0&ISXxrPXIBONOl=c2Vh&zCILQUqOAHGek=c2My&ta24dfgdds4=m4oJUl4R_q38j0WDnxLPhJSFqxGPMglCqZaVHLJv21n2mrUcdch2lRKLuGVYyuktVl4Y5QkVn637VaWO-0NA&EXFrRDDo=bW9uZXk=&qMQfmxLrIGP=Zmx5&UgUzyfq=Zmx5&lQbWBzRts=cmVzb3J0&mwPjCEBgrlSTHFZ=c2hha2U=
↓
[RIG Exploit Kit][Malware Payload]
http[:]//188.225.18.200/?MTUwODA4&DCsgYRIUrPn&fd34dfg3f=xH3QMrLYbRvFFYbfKP_EUKZEMUzWA0KKwYqZharVF52xFDXGpbD1FxnspVmdCF6EmvBvdLYHIweh1UbASwEym4o&XAaFxCWpGOVT=c2Vh&ta24dfgdds4=JUl4R_q38j0WDnxLPhJOFqxGPMglCqZaVHLVv2172mrIcdch2lRWLuGVYyu4tW14Z6A4ala3CH6LAnUMtFEYxYQ&XbGYWSSDxOyj=Zmx5&EJEPiybvyleAtRD=c2Vh&UmmZjJchMd=c3BvcnQ=&cYcbUVTysI=cmVzb3J0&PhyytitbggX=bWF0Y2h1cA==&BWAgtcdIJS=Zmx5&mUHEVVMUwsSTHj=Zmx5&BAOjJvxRFAgnbNf=c2My&hjcoIBHR=c2My&rSdRGnBbKtG=bW9uZXk=