2016-08-31 - EITEST RIG EK FROM 185.117.72.99

ASSOCIATED FILES:

  • 2016-08-31-EITest-Rig-EK.pcap   (6,637,812 bytes)
  • 2016-08-31-EITest-Rig-EK-flash-exploit.swf   (45,898 bytes)
  • 2016-08-31-EITest-Rig-EK-landing-page.txt   (3,660 bytes)
  • 2016-08-31-EITest-Rig-EK-payload.exe   (245,760 bytes)
  • 2016-08-31-EITest-flash-redirect-from-pyhem.xyz.swf   (5,753 bytes)
  • 2016-08-31-page-from-bestoflanka.com-with-injected-EITest-script.txt   (75,283 bytes)

 

NOTES:

 

BACKGROUND ON THE EITEST CAMPAIGN:

 


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Injected script in page from the compromised site pointing to the EITest gate.

 


Shown above:  Traffic from the pcap filtered in Wireshark (shows post-infection and Tor traffic).

 


Shown above:  Traffic from the pcap filtered in Wireshark showing more of the post-infection Tor traffic.
Wireshark filter:  !(tcp.port eq 80) and !(tcp.port eq 443) and tcp.flags eq 0x0002

 

ASSOCIATED DOMAINS:

 

FILE HASHES

FLASH FILES:

PAYLOAD:

DROPPED MALWARE:

 

IMAGES


Shown above:  Some of the alerts on this traffic in Security Onion using Suricata and the ET Pro ruleset.

 


Shown above:  Malware set up for persistence, as shown by the Windows registry.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.