2016-08-30 - EITEST CAMPAIGN USES RIG EK OR NEUTRINO EK

ASSOCIATED FILES:

  • 2016-08-30-EITest-Neutrino-EK-sends-CrypMIC.pcap   (430,599 bytes)
  • 2016-08-30-EITest-Rig-EK-sends-Vawtrak.pcap   (567,081 bytes)
  • 2016-08-30-EITest-CrypMIC-decrypt-instructions.BMP   (457,654 bytes)
  • 2016-08-30-EITest-CrypMIC-decrypt-instructions.HTML   (238,187 bytes)
  • 2016-08-30-EITest-CrypMIC-decrypt-instructions.TXT   (1,659 bytes)
  • 2016-08-30-EITest-Neutrino-EK-flash-exploit.swf   (77,587 bytes)
  • 2016-08-30-EITest-Neutrino-EK-landing-page.txt   (2,502 bytes)
  • 2016-08-30-EITest-Neutrino-EK-payload-CrypMIC.dll   (73,728 bytes)
  • 2016-08-30-EITest-Rig-EK-flash-exploit.swf   (46,163 bytes)
  • 2016-08-30-EITest-Rig-EK-landing-page.txt   (3,679 bytes)
  • 2016-08-30-EITest-Rig-EK-payload-Vawtrak.exe   (159,744 bytes)
  • 2016-08-30-EITest-flash-redirect-from-ugady.xyz-both-runs.swf   (5,762 bytes)
  • 2016-08-30-page-from-adaptive-business.com-with-injected-EITest-script-first.run.txt   (34,525 bytes)
  • 2016-08-30-page-from-adaptive-business.com-with-injected-EITest-script-second-run.txt   (34,482 bytes)

 

BACKGROUND ON THE EITEST CAMPAIGN:

 


Shown above:  Flowcharts for this infection traffic.

 

TRAFFIC FOR RIG EK INFECTION


Shown above:  Injected EITest script in page from the compromised website.

 


Shown above:  Traffic from the EITest Rig EK infection filtered in Wireshark.

 


Shown above:  Alerts on this traffic for Vawtrak in Security Onion using Suricata and the ET Pro ruleset.

 

ASSOCIATED DOMAINS:

 

TRAFFIC FOR NEUTRINO EK INFECTION


Shown above:  Injected EITest script in page from the compromised website.

 


Shown above:  Traffic from the EITest Neutrino EK infection filtered in Wireshark.

 


Shown above:  The infected Windows host after rebooting.

 

ASSOCIATED DOMAINS:

DOMAINS FROM THE CRYPMIC DECRYPT INSTRUCTIONS:

 

FILE HASHES

FLASH FILES:

PAYLOADS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.