Below is a partial and edited flowchart of the malvertising chain that I got during this infection:

An edited image of the infection chain is shown below:

You can see that the Ramnit sample appears to check for Internet connectivity before making DNS queries for ujndhe7382uryhf.com, which resolves to 46.173.214.170. After the DNS resolution comes the C2 traffic to that address over TCP port 443.

The static properties of this Ramnit sample can be found at https://pastebin.com/VgjwKuDV

Dynamic analysis of the sample shows file system changes that are to be expected from Ramnit:

We also see modifications to the registry that are used for persistence on the system:

IOCs

Pre-infection:

194.58.47.235 – IP literal hostname used by the Seamless campaign
188.225.76.65 – IP literal hostname used by RIG EK

Post-infection:

DNS queries for ujndhe7382uryhf.com
Connections to 46.173.214.170 via TCP port 443

Hashes:

SHA256: 4c13e9bf12e2e370239a0eecda5a26aed4591d54981918bd36468cdfe8edbf3f
File name: RigEK landing page at 188.225.76.65.txt

SHA256: cbf7dfc2226e592149ef45539c9a4f109c4e66533fe061037241fb88c245ce57
File name: RigEK Flash exploit from 188.225.76.65.swf

SHA256: 6ada3771c54a461324b57dce99a59f74eb1a045ca279e25a76e2f1d7ca642742
File name: 20etyh0j.exe
Imphash: 4cb4666d64e85218df03f899472bde6c
ssdeep: 6144:pAOWNuZ4rgsTJ5gW7sVxdSCUshGOuGacgFeTqkuyJlzZr:pEvrn118eshGBCgFeTqkuyJDr
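To turn the indicators above (the pre-infection IP-literal hosts, the post-infection DNS query and TCP/443 C2 connection, and the SHA256 hashes) into something a SOC can actually run, here is an added example of an IOC sweep over Zeek-style dns.log and conn.log records plus a file-hash check. This is not the post author's tooling; the log lines are constructed for illustration, and the Zeek TSV layout (a `#fields` header naming the columns) is an assumed input format.

```python
"""IOC sweep over Zeek-style logs and file hashes for the indicators in this post.

Added example, not the post author's tooling. The log lines below are
constructed for illustration; the Zeek TSV layout (a '#fields' header naming
the columns) is assumed as the input format.
"""
import hashlib

# Indicators quoted from the post's IOC section.
IOC_DOMAINS = {"ujndhe7382uryhf.com"}
IOC_IPS = {
    "194.58.47.235": "Seamless campaign IP-literal hostname (pre-infection)",
    "188.225.76.65": "RIG EK IP-literal hostname (pre-infection)",
    "46.173.214.170": "Ramnit C2, TCP/443 (post-infection)",
}
IOC_SHA256 = {
    "4c13e9bf12e2e370239a0eecda5a26aed4591d54981918bd36468cdfe8edbf3f": "RigEK landing page",
    "cbf7dfc2226e592149ef45539c9a4f109c4e66533fe061037241fb88c245ce57": "RigEK Flash exploit (.swf)",
    "6ada3771c54a461324b57dce99a59f74eb1a045ca279e25a76e2f1d7ca642742": "Ramnit payload 20etyh0j.exe",
}

# Constructed sample logs (not real captures). Columns are tab separated.
DNS_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tanswers\n"
    "1503290000.123\t10.0.0.25\t10.0.0.1\tujndhe7382uryhf.com\t46.173.214.170\n"
    "1503290001.456\t10.0.0.25\t10.0.0.1\twww.example.com\t93.184.216.34\n"
)
CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1503290002.000\t10.0.0.25\t49152\t188.225.76.65\t80\ttcp\n"
    "1503290020.000\t10.0.0.25\t49160\t46.173.214.170\t443\ttcp\n"
    "1503290030.000\t10.0.0.25\t49170\t93.184.216.34\t443\ttcp\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the '#fields' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            continue
        if not raw or raw.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data row encountered before a #fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {raw!r}")
        yield dict(zip(fields, values))


def domain_matches(query, ioc_domains=IOC_DOMAINS):
    """True if the query is an IOC domain or a subdomain of one (trailing dot tolerated)."""
    q = query.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def sweep_dns(log_text=DNS_LOG):
    """Flag DNS rows whose query names an IOC domain or whose answers contain an IOC IP."""
    hits = []
    for row in parse_zeek_tsv(log_text):
        answers = [a for a in row.get("answers", "").split(",") if a]
        bad_answers = [a for a in answers if a in IOC_IPS]
        if domain_matches(row["query"]) or bad_answers:
            hits.append({"ts": row["ts"], "client": row["id.orig_h"],
                         "query": row["query"], "ioc_answers": bad_answers})
    return hits


def sweep_conn(log_text=CONN_LOG):
    """Flag connections to an IOC IP; the post's C2 is on TCP/443, so the port is reported too."""
    hits = []
    for row in parse_zeek_tsv(log_text):
        dst = row["id.resp_h"]
        if dst in IOC_IPS:
            hits.append({"ts": row["ts"], "client": row["id.orig_h"], "dst": dst,
                         "dst_port": int(row["id.resp_p"]), "proto": row["proto"],
                         "label": IOC_IPS[dst]})
    return hits


def sweep_files(files, ioc_hashes=IOC_SHA256):
    """Hash in-memory file contents with SHA-256 and report any that match the IOC list."""
    hits = []
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in ioc_hashes:
            hits.append({"file": name, "sha256": digest, "label": ioc_hashes[digest]})
    return hits


if __name__ == "__main__":
    for hit in sweep_dns() + sweep_conn():
        print(hit)
    # Constructed bytes will not match the real hashes; this only shows the call shape.
    print(sweep_files({"20etyh0j.exe": b"constructed placeholder bytes"}))
```

Matching on subdomains as well as the exact C2 domain, and on resolved answers as well as query names, catches the DNS resolution the post describes even if the sample rotates a hostname under the same domain or a resolver log only records the answer. The connection sweep reports the destination port so that the TCP/443 C2 from the post stands out from the RIG EK landing-page fetch on the pre-infection host.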

Downloads

Seamless RigEK Ramnit Artifacts from 082117.zip

The archive password is “infected”.

Until next time my friends!
