2016-09-08 - EITEST RIG EK FROM 185.117.73.140

ASSOCIATED FILES:

  • 2016-09-08-EITest-Rig-EK-traffic.pcap   (330,649 bytes)
  • 2016-09-08-EITest-Rig-EK-flash-exploit.swf   (49,157 bytes)
  • 2016-09-08-EITest-Rig-EK-landing-page.txt   (3,412 bytes)
  • 2016-09-08-EITest-Rig-EK-payload.exe   (204,800 bytes)
  • 2016-09-08-EITest-flash-redirect-from-erotic-news.top.swf   (4,733 bytes)
  • 2016-09-08-page-from-kenneymyers.com-with-injected-script.txt   (47,472 bytes)

NOTES:

Shown above: Tweets started by @Simon_Kenin about possible absence of EITest activity.

Shown above: Tweet by @robemtnez after everything went back to normal.

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script in page from the compromised site pointing to the EITest gate.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH FILES:

PAYLOAD:

IMAGES

Shown above: Payload (an executable) sent by Rig EK with fake metadata.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
