Notes
  • This sample originally came from Threatglass on 04/30
  • I re-ran the domain in a lab and found it was now hosting RIG EK
  • The Threatglass sample from 04/30 showed Angler EK with a Gamarue Payload
  • The lab run on 05/02 yielded RIG EK with an unknown payload
  • The RIG EK payload was XOR'd with the 8-byte repeating key nkiOaWsg (0x6e, 0x6b, 0x69, 0x4f, 0x61, 0x57, 0x73, 0x67)
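The note above gives the repeating XOR key for the RIG EK payload. The script below is an added example, not code from the original post: it decodes a blob with that key, checks that the result has a PE header, and shows the known-plaintext trick an analyst uses to recover a key like this one in the first place (XORing the first eight encoded bytes against the standard MSVC DOS-header bytes, which is an assumption that only holds for PEs with that common DOS stub). The sample payload is a constructed, PE-shaped blob built inline so the script runs offline; the file path read from the command line is assumed.

```python
"""Repeating-key XOR decoder for an exploit-kit payload (added example)."""
import sys
from itertools import cycle
from typing import Optional

# Key bytes from the post's notes: "nkiOaWsg".
KEY = b"nkiOaWsg"
assert KEY == bytes([0x6e, 0x6b, 0x69, 0x4f, 0x61, 0x57, 0x73, 0x67])

# First 8 bytes of the DOS header emitted by the usual MSVC linker.
# Assumption used for key recovery: the payload was linked that way.
STANDARD_DOS_HEADER = bytes([0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00])


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the
    same function both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored
    in e_lfanew (DOS header field at 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3c:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(encoded: bytes, key_len: int = 8) -> Optional[bytes]:
    """Known-plaintext guess: XOR the first key_len encoded bytes against the
    standard DOS header to get a candidate key, then keep it only if the
    fully decoded blob validates as a PE. Returns None when the guess fails
    (non-standard DOS stub, other key length, or not XOR-encoded at all)."""
    if len(encoded) < key_len:
        return None
    guess = xor_decode(encoded[:key_len], STANDARD_DOS_HEADER[:key_len])
    return guess if looks_like_pe(xor_decode(encoded, guess)) else None


def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped blob for the demo (not a real binary)."""
    dos = bytearray(STANDARD_DOS_HEADER)
    dos += b"\x00" * (0x3c - len(dos))
    dos += (0x40).to_bytes(4, "little")  # e_lfanew: PE header right after DOS header
    pe = b"PE\0\0" + b"\x4c\x01"          # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(dos) + pe + b"\x00" * 32


SAMPLE_PLAIN = build_sample_pe()
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, KEY)  # what the wire payload would look like


if __name__ == "__main__":
    # Usage: python xor_payload.py <encoded_payload_file>   (path is assumed)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENCODED
    key = recover_key(blob) or KEY
    decoded = xor_decode(blob, key)
    print("key:", key, "valid PE:", looks_like_pe(decoded))
```

Run it without arguments to see the round trip on the constructed sample; with a file argument it tries key recovery first and falls back to the key from the notes.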
PCAP and Malware
Network Traffic
RIG EK Compromised Domain and Redirection

2015-05-02 17:37:24 UTC - 192.52.166.56 - cupidfunda.com - GET /

RIG EK Traffic

2015-05-02 17:37:27 UTC - 95.128.182.61 - gone.sensoryglobes.com - GET /?w3eKdbGfLRfHCoY=l3SKfP[long string of text]
2015-05-02 17:37:29 UTC - 95.128.182.61 - gone.sensoryglobes.com - GET /index.php?w3eKdbGfLRfHC[long string of text]
2015-05-02 17:37:34 UTC - 95.128.182.61 - gone.sensoryglobes.com - GET /?w3eKdbGfLRfHCoY=l3SKfP[long string of text]

RIG EK Flash Exploit

Angler EK Compromised Domain and Redirection

2015-04-30 22:09:05 UTC - 192.52.166.56 - cupidfunda.com - GET /

Angler EK Traffic

2015-04-30 22:09:09 UTC - 92.222.6.239 - name.monitorproviders.xyz - GET /approximations-fouling-neurological-mongoose/65688319741091503
2015-04-30 22:09:11 UTC - 92.222.6.239 - name.monitorproviders.xyz - GET /ayzo_SBdmyOc-ywTCK01xZ1HyhAzHlXHcK2cOtmZ_lwFmt5d
2015-04-30 22:09:12 UTC - 92.222.6.239 - name.monitorproviders.xyz - GET /emSbWFr_Q7TbJIaM6PLgsOzACBNumWTRW1O3JJ7MWuH-r5tw

Angler EK Post-Infection Traffic

2015-04-30 22:09:22 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:22 UTC - 155.133.18.45 - 155.133.18.45 - GET /dqfjr48.exe
2015-04-30 22:09:24 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:25 UTC - 155.133.18.45 - 155.133.18.45 - GET /85fjr48.exe
2015-04-30 22:09:27 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:27 UTC - 155.133.18.45 - 155.133.18.45 - GET /109fjr48.exe
2015-04-30 22:09:29 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:30 UTC - 155.133.18.45 - 155.133.18.45 - GET /121fjr48.exe
2015-04-30 22:09:31 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:32 UTC - 155.133.18.45 - 155.133.18.45 - GET /112fjr48.exe
2015-04-30 22:09:34 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:34 UTC - 155.133.18.45 - 155.133.18.45 - GET /127fjr48.exe
2015-04-30 22:09:36 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:37 UTC - 155.133.18.45 - 155.133.18.45 - GET /107fjr48.exe
2015-04-30 22:09:38 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:39 UTC - 155.133.18.45 - 155.133.18.45 - GET /dq110fjr48.exe
2015-04-30 22:09:40 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:41 UTC - 155.133.18.45 - 155.133.18.45 - GET /dq113fjr48.exe
2015-04-30 22:09:42 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:43 UTC - 155.133.18.45 - 155.133.18.45 - GET /dq227fjr48.exe
2015-04-30 22:09:45 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:46 UTC - 155.133.18.45 - 155.133.18.45 - GET /dqfjr48.exe
2015-04-30 22:09:47 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:48 UTC - 155.133.18.45 - 155.133.18.45 - GET /dqfjr48.exe
2015-04-30 22:09:50 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:50 UTC - 155.133.18.45 - 155.133.18.45 - GET /dqfjr48.exe
2015-04-30 22:09:52 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
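The post-infection listing above shows two patterns worth detecting in proxy or HTTP logs: a regular check-in cadence to gate.php every two to three seconds, and .exe fetches from a server addressed by a bare IP instead of a hostname. The script below is an added example, not from the original post: it parses lines in the post's own "timestamp - server IP - host - METHOD path" layout, groups POSTs by host and path to flag low-jitter beaconing, and lists EXE downloads whose Host is a bare IP. The sample log embedded inline is a constructed subset of the lines above; thresholds (three hits, two seconds of jitter) are assumed tuning values.

```python
"""Beacon and payload-fetch triage over HTTP summary lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - (?P<ip>\S+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed subset of the post-infection traffic listed in the post.
SAMPLE_LOG = """\
2015-04-30 22:09:05 UTC - 192.52.166.56 - cupidfunda.com - GET /
2015-04-30 22:09:22 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:22 UTC - 155.133.18.45 - 155.133.18.45 - GET /dqfjr48.exe
2015-04-30 22:09:24 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:25 UTC - 155.133.18.45 - 155.133.18.45 - GET /85fjr48.exe
2015-04-30 22:09:27 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
2015-04-30 22:09:27 UTC - 155.133.18.45 - 155.133.18.45 - GET /109fjr48.exe
2015-04-30 22:09:29 UTC - 91.232.105.94 - and9.themainnotmainstreet1.com - POST /bla09/gate.php
"""


def parse(text):
    """Parse the summary format into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def is_bare_ip(host):
    """True when the Host value is an IP literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(events, min_hits=3, max_jitter=2.0):
    """Group POSTs by (host, path) and flag groups with at least min_hits
    requests whose inter-request gaps all fall within max_jitter seconds
    of each other, i.e. a fixed check-in cadence. Thresholds are assumed."""
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            groups[(e["host"], e["path"])].append(e["ts"])
    flagged = {}
    for key, stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged[key] = {"count": len(stamps), "mean_gap": sum(gaps) / len(gaps)}
    return flagged


def find_exe_from_bare_ip(events):
    """EXE downloads where the Host header is a bare IP: a common shape for
    second-stage payload fetches and worth a closer look on its own."""
    return [
        e for e in events
        if e["method"] == "GET" and e["path"].lower().endswith(".exe") and is_bare_ip(e["host"])
    ]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for (host, path), info in find_beacons(evs).items():
        print(f"beacon: {host}{path} x{info['count']} every ~{info['mean_gap']:.1f}s")
    for e in find_exe_from_bare_ip(evs):
        print(f"exe from bare IP: {e['host']}{e['path']} at {e['ts']:%H:%M:%S}")
```

Against the full listing above, the gate.php group would come out at nineteen hits with gaps of two to three seconds; on real proxy logs the same two checks are a cheap first pass before pulling the PCAP.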

IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

Lab - RIG EK PCAP

2015-05-02 17:37:27 UTC - 192.168.40.14:49366 -> 95.128.182.61:80 - ET CURRENT EVENTS RIG Landing URI Struct March 20 2015
2015-05-02 17:37:28 UTC - 95.128.182.61:80 -> 192.168.40.14:49366 - ET CURRENT EVENTS RIG EK Landing March 20 2015
2015-05-02 17:37:28 UTC - 95.128.182.61:80 -> 192.168.40.14:49366 - ET CURRENT EVENTS RIG EK Landing March 20 2015 M2
2015-05-02 17:37:29 UTC - 95.128.182.61:80 -> 192.168.40.14:49366 - ET CURRENT EVENTS RIG EK Landing March 20 2015 M2
2015-05-02 17:37:29 UTC - 192.168.40.14:49367 -> 95.128.182.61:80 - ET CURRENT EVENTS RIG Exploit URI Struct March 20 2015
2015-05-02 17:37:34 UTC - 192.168.40.14:49366 -> 95.128.182.61:80 - ET CURRENT EVENTS RIG Payload URI Struct March 20 2015

Threatglass - Angler EK PCAP

2015-04-30 22:09:09 UTC - 92.222.6.239:80 -> 192.168.40.10:1046 - ETPRO CURRENT EVENTS Angler EK Landing T1 March 30 2015 M2
2015-04-30 22:09:09 UTC - 92.222.6.239:80 -> 192.168.40.10:1046 - ETPRO CURRENT EVENTS Angler EK Landing T1 March 30 2015 M2
2015-04-30 22:09:11 UTC - 192.168.40.10:1046 -> 92.222.6.239:80 - ET CURRENT EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015
2015-04-30 22:09:12 UTC - 192.168.40.10:1051 -> 92.222.6.239:80 - ET CURRENT EVENTS Angler EK Payload DL M2 Feb 06 2015
2015-04-30 22:09:12 UTC - 92.222.6.239:80 -> 192.168.40.10:1051 - ETPRO CURRENT EVENTS Angler EK Payload T1 March 30 2015 M2
2015-04-30 22:09:12 UTC - 92.222.6.239:80 -> 192.168.40.10:1051 - ET CURRENT EVENTS Angler EK XTEA encrypted binary (13)
2015-04-30 22:09:22 UTC - 192.168.40.10:1061 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:22 UTC - 192.168.40.10:1061 -> 91.232.105.94:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (lots of these omitted)
2015-04-30 22:09:22 UTC - 192.168.40.10:1061 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:22 UTC - 192.168.40.10:1063 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:24 UTC - 192.168.40.10:1066 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:24 UTC - 192.168.40.10:1066 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:25 UTC - 192.168.40.10:1068 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:27 UTC - 192.168.40.10:1071 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:27 UTC - 192.168.40.10:1071 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:27 UTC - 192.168.40.10:1073 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:29 UTC - 192.168.40.10:1076 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:29 UTC - 192.168.40.10:1076 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:30 UTC - 192.168.40.10:1078 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:31 UTC - 192.168.40.10:1081 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:31 UTC - 192.168.40.10:1081 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:32 UTC - 192.168.40.10:1083 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:34 UTC - 192.168.40.10:1086 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-30 22:09:34 UTC - 192.168.40.10:1086 -> 91.232.105.94:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer
2015-04-30 22:09:34 UTC - 192.168.40.10:1088 -> 155.133.18.45:80 - ET TROJAN Generic - Mozilla 4.0 EXE Request
2015-04-30 22:09:36 UTC - 192.168.40.10:1091 -> 91.232.105.94:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin

[The alert patterns continue like this until the end of the PCAP]

Preliminary Malware Analysis - RIG EK

RIG EK Flash Exploit

RIG EK Payload

Preliminary Malware Analysis - Angler EK

Angler EK Payload

Angler EK Payload 1

Angler EK Payload 2

Angler EK Payload 3

Angler EK Payload 4

Angler EK Payload 5

Angler EK Payload 6

Angler EK Payload 7

Angler EK Payload 8


If you have any feedback or questions, please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.