The payload was Pushdo dropping Cutwail. Thanks to @Antelox for the identification. Although this is an old botnet/spammer, it had been spotted by @DynamicAnalysis late last year (https://malwarebreakdown.com/2016/10/20/eitest-leads-to-rig-ek-at-185-45-193-52-which-drops-cutwailpushdo-botnet/).
The malware aggressively spammed POST requests and SMTP traffic, rapidly eating up my disk space. There is an interesting deep dive by Trend and Blueliv regarding this malware below.
- A few articles on Rig exploit kit and its evolution:
- Article on Pushdo/Cutwail
(in password-protected zip)
- 22-June-2017-Rig-Pushdo-PCAP -> PCAP
- 22-June-2017-Rig-Pushdo-CSV -> CSV of traffic for IOCs
- 22-June-17-Pushdo-Cutwail -> Pushdo/Cutwail (93b920e774874615c40b0b59149ea0200f2c23ece5e27ca1230ffa4d646c45b2)
Details of infection chain:
I found this website through malvertising. It appears to be an old website, probably compromised or possibly fake, that contains a script which looks harmless at a glance.
The script sits at the bottom of the page and is named to resemble a legitimate WordPress script, “js/wp-emoji-release.min.js?ver=4.4.10”.
The payload was Pushdo dropping Cutwail. Pushdo is the downloader; Cutwail is the spamming module of the Pushdo botnet that it drops.
Detection ratio: 11 / 60
Although my PCAP should have most if not all of the traffic, VT also captured the POST requests in the Behaviour section, which is useful for IOCs.
The malware created multiple svchost processes and a startup entry. The processes multiplied as time went on. It does not do a great job of hiding itself and did not delete itself from the Temp directory.
It then began violently spamming POST requests and SMTP traffic.
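The high-volume POST and SMTP behaviour described above is exactly what stands out in a traffic CSV exported from the PCAP. The following is an added example, not part of the original post or its download bundle: it reads rows in Wireshark's default CSV export layout, counts per-source HTTP POSTs and SMTP activity (either dissected SMTP or TCP packets to port 25), and flags hosts whose POST rate or SMTP fan-out looks like a spambot. The sample rows, addresses, thresholds and function names are all constructed for this example and are not the post's IOCs.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Wireshark's CSV export layout (No.,Time,Source,...).
# Addresses, URIs and times are made up for this example, not the post's IOCs.
SAMPLE_CSV = """No.,Time,Source,Destination,Protocol,Length,Info
1,0.000,10.0.0.15,203.0.113.7,HTTP,512,POST /index.php HTTP/1.1
2,0.210,10.0.0.15,203.0.113.7,HTTP,498,POST /index.php HTTP/1.1
3,0.415,10.0.0.15,203.0.113.7,HTTP,503,POST /index.php HTTP/1.1
4,0.620,10.0.0.15,203.0.113.7,HTTP,509,POST /index.php HTTP/1.1
5,0.833,10.0.0.15,198.51.100.9,TCP,66,49201 > 25 [SYN] Seq=0 Win=8192 Len=0
6,0.902,10.0.0.15,198.51.100.10,TCP,66,49202 > 25 [SYN] Seq=0 Win=8192 Len=0
7,1.110,10.0.0.15,198.51.100.11,SMTP,88,C: EHLO example.test
8,1.300,10.0.0.15,198.51.100.9,TCP,66,49203 > 25 [SYN] Seq=0 Win=8192 Len=0
9,2.000,10.0.0.22,203.0.113.50,HTTP,431,GET /news HTTP/1.1
10,2.500,10.0.0.22,203.0.113.50,HTTP,702,POST /login HTTP/1.1
11,3.000,10.0.0.22,203.0.113.50,HTTP,380,GET /style.css HTTP/1.1
"""

# Wireshark writes "srcport > dstport" (older) or "srcport → dstport" (newer).
PORT_RE = re.compile(r"(\d+)\s*(?:→|->|>)\s*(\d+)")


def parse_rows(text):
    """Parse a Wireshark-style CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def destination_port(info):
    """Extract the destination port from a TCP Info column, or None."""
    m = PORT_RE.search(info)
    return int(m.group(2)) if m else None


def summarize(rows):
    """Per source host: HTTP POST count, SMTP packet count, SMTP peers, time span."""
    summary = defaultdict(
        lambda: {"posts": 0, "smtp": 0, "smtp_peers": set(), "span": [None, None]}
    )
    for row in rows:
        s = summary[row["Source"]]
        t = float(row["Time"])
        s["span"][0] = t if s["span"][0] is None else min(s["span"][0], t)
        s["span"][1] = t if s["span"][1] is None else max(s["span"][1], t)
        proto, info = row["Protocol"], row["Info"]
        if proto == "HTTP" and info.startswith("POST "):
            s["posts"] += 1
        elif proto == "SMTP" or (proto == "TCP" and destination_port(info) == 25):
            s["smtp"] += 1
            s["smtp_peers"].add(row["Destination"])
    return summary


def flag_sources(summary, post_rate=2.0, min_smtp_peers=2):
    """Return {source: [reasons]} for hosts exceeding the POST-rate or SMTP fan-out thresholds."""
    flagged = {}
    for src, s in summary.items():
        lo, hi = s["span"]
        duration = max(hi - lo, 1.0)  # use at least a 1 s window to avoid div-by-zero
        rate = s["posts"] / duration
        reasons = []
        if rate >= post_rate:
            reasons.append(f"{s['posts']} POSTs in {duration:.1f}s ({rate:.1f}/s)")
        if len(s["smtp_peers"]) >= min_smtp_peers:
            reasons.append(f"SMTP activity to {len(s['smtp_peers'])} distinct hosts")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_sources(summarize(parse_rows(SAMPLE_CSV))).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed sample, only 10.0.0.15 is flagged (four POSTs in 1.3 s and SMTP to three distinct hosts); 10.0.0.22's single login POST stays below the threshold. Against a real export, tune `post_rate` and `min_smtp_peers` to the baseline of the monitored segment, since a legitimate mail server will also fan out on port 25.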
Here is a sample POST request which appears to return a website.