Malware Traffic Analysis — RIG Exploit Kit

This sample, questions, and answers are based off the post on Malware Traffic Analysis.

LEVEL 1 QUESTIONS:

The host most likely is infected via the internet so we can filter wireshark by http.request and see that almost all requests have 172.16.165.165 as the source:

What is the host name of the Windows VM that gets infected

K34EN6W3N-PC

f0:19:af:02:9b:f1

We can get the hostname, IP, and MAC address from the details. If the host used DHCP to we can get that info:

What is the IP address of the compromised web site?

We can see that the infected host is reaching out to the website ciniholland

82.150.140.30

www[.]ciniholland[.]nl

What is the IP address and domain name that delivered the exploit kit and malware?

The last http request is most likely where the exploit kit is delievered, we can see that there are multiple GET requests to this domain

37.200.69.143 or stand[.]trustandprobaterealty[.]com

LEVEL 2 QUESTIONS:

Referer is found inside one of the GET requests from stand[.]trustandprobaterealty[.]com

http://24corp-shop[.]com/

Besided the landing page (which contains the CVE-2013–2551 IE exploit), what other exploit(s) sent by the EK?

From the export HTTP objects we can see that there is a x-shockwave-flash and java-archive

How many times was the payload delivered?

The main payload was x-msdownload which was delivered 3 times

Submit the pcap to VirusTotal and find out what snort alerts triggered. What are the EK names are shown in the Suricata alerts

https://www.virustotal.com/gui/file/0e3fac547536f773bf1a21180a2294a10be97e956f091d24e168f147ecf5fafd/details

LEVEL 3 QUESTIONS:

Following the stream for ciniholland and searching for corp, we can see that the url redirect has 24corp

Extract the exploit file(s). What is(are) the md5 file hash(es)?

shockwave:

7b3baa7d6bb3720f369219789e38d6ab

java-archive:

1e34fdebbf655cebea78b45e43520ddf

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store