2016-08-30 - EITEST RIG EK SENDS CRYPTFILE2 RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-08-30-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   165.4 kB (165,398 bytes)

• 2016-08-30-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap   (234,013 bytes)

• 2016-08-30-EITest-Rig-EK-and-CryptFile2-ransomware-files.zip   156.7 kB (156,699 bytes)

• 2016-08-30-CryptFile2-ransomware-decrypt-instruction.TXT   (3,175 bytes)
• 2016-08-30-CryptFile2-ransomware-decrypt-instructions.HTML   (2,124 bytes)
• 2016-08-30-EITest-Rig-EK-flash-exploit-after-cairvest_com.swf   (46,163 bytes)
• 2016-08-30-EITest-Rig-EK-landing-page-after-cairvest_com.txt   (3,791 bytes)
• 2016-08-30-EITest-Rig-EK-payload-CryptFile2-ransomware.exe   (135,168 bytes)
• 2016-08-30-EITest-flash-redirect-from-ogimac_xyz.swf   (5,762 bytes)
• 2016-08-30-page-from-clairvest_com-with-injected-EITest-script.txt   (27,589 bytes)

 

2016-08-31 UPDATE:

• I originally mis-identified the payload as Bandarchor ransomware, when it's actually CryptFile2.
• Thanks to Jack for kindly setting me straight on this.
• Background on CryptFile2 ransomware can be found here.

 

Shown above:  My original mistake and subsequent change for identification of the malware payload.

 

MY PREVIOUS DOCUMENTATION ON CRYPTFILE2 RANSOMWARE:

• 2016-08-26 (also from the EITest campaign)

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the compromised site pointing to the EITest gate.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

Shown above:  EmergingThreats alerts (that I originally ignored) calling this ransomware CryptFile2.

 

ASSOCIATED DOMAINS:

• www.clairvest[.]com - Compromised site
• 194.165.16[.]202 port 80 - ogimac[.]xyz - EITest gate
• 109.234.36[.]132 port 80 - top.203kcontractorswashington[.]com - Rig EK
• 5.39.86[.8]6 port 80 - 5.39.86[.]86 - GET /default.jpg - Post-infection traffic caused by the CryptFile2 ransomware
• 5.39.86[.]86 port 80 - 5.39.86[.]86 - POST /z/setting.php - Post-infection traffic caused by the CryptFile2 ransomware

EMAILS TO GET THE DECRYPT INSTRUCTIONS:

• enc2@usa[.]com - First email address generated by the CryptFile2 ransomware
• enc2@dr[.]com - Second email address generated by the CryptFile2 ransomware

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  7123dd9744fe6e55796819b8890682395b2ebea72c0c2c5ab60f26594b6d5a43
  File name:  2016-08-30-EITest-flash-redirect-from-ogimac_xyz.swf

• SHA256 hash:  1f655e31dc4d092c34bd3033427f1540ae3db4467b5d6380f63ded0cce62e807
  File name:  2016-08-30-EITest-Rig-EK-flash-exploit-after-cairvest_com.swf

PAYLOAD (CRYPTFILE2 RANSOMWARE):

• SHA256 hash:  51dbbfc5afb2b6e9f4ca37906d84b4f3807d7c79727c71d6ee5827a197644580
  File name:  2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
  File name:  C:\Users\[username]\AppData\Local\Temp\5697.tmp
  File name:  C:\Users\[username]\AppData\Roaming\ChromeFlashPlayer_64c7afbe684395ac.exe

 

IMAGES

Shown above:  The infected Windows desktop after rebooting.

 

Shown above:  Example of the encrypted file names from an infected host.

 

Shown above:  Registry entries showing how the CryptFile2 ransomware stays persistent on an infected Windows host.

 

Click here to return to the main page.