2016-09-13 - TWO EXAMPLES OF EITEST RIG EK: ONE A SUCCESSFUL EXE AND ONE A FAILED DLL

ASSOCIATED FILES:

  • 2016-09-13-EITest-Rig-EK-first-example.pcap   (412,100 bytes)
  • 2016-09-13-EITest-Rig-EK-second-example.pcap   (80,222 bytes)
  • 2016-09-13-post-infection-traffic-from-first-Rig-EK-payload.pcap   (2,948 bytes)
  • 2016-09-13-EITest-Rig-EK-flash-exploit-first-run.swf   (49,157 bytes)
  • 2016-09-13-EITest-Rig-EK-flash-exploit-second-run.swf   (25,565 bytes)
  • 2016-09-13-EITest-Rig-EK-landing-page-first-run.txt   (3,440 bytes)
  • 2016-09-13-EITest-Rig-EK-landing-page-second-run.txt   (29,788 bytes)
  • 2016-09-13-EITest-Rig-EK-payload-first-run.exe   (283,648 bytes)
  • 2016-09-13-EITest-Rig-EK-payload-second-run.dll   (126 bytes)
  • 2016-09-13-EITest-flash-redirect-from-anuncio.top.swf   (4,423 bytes)
  • 2016-09-13-EITest-flash-redirect-from-echosunhotel.top.swf   (4,423 bytes)
  • 2016-09-13-page-from-bmurilloabogada.com-with-injected-EITest-script.txt   (83,624 bytes)
  • 2016-09-13-page-from-tecnugen.com-with-injected-EITest-script.txt   (18,015 bytes)


NOTES:


BACKGROUND ON THE EITEST CAMPAIGN:



Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Injected script in page from the first compromised site pointing to the EITest gate.



Shown above:  Injected script in page from the second compromised site pointing to the EITest gate.



Shown above:  Traffic from the first example filtered in Wireshark.



Shown above:  Post-infection traffic from the first payload filtered in Wireshark.



Shown above:  Traffic from the second example filtered in Wireshark.


FIRST EXAMPLE:


SECOND EXAMPLE:


FILE HASHES

FLASH FILES:

PAYLOAD:


IMAGES FROM THE FIRST EXAMPLE


Shown above:  Alerts on the post-infection traffic from the first payload, using Suricata with the Emerging Threats Pro ruleset on Security Onion.



Shown above:  Alerts on the same traffic from the Snort/Talos subscriber ruleset using Snort 2.9.8.3 on Debian 7.



Shown above:  Registry entries caused by the first malware payload.


IMAGES FROM THE SECOND EXAMPLE


Shown above:  During the second Rig EK example, a problem occurred when the payload was sent.



Shown above:  Payload from the second example was stored to the user's AppData\Local\Temp directory as a DLL file, but this was a failed attempt.
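As an added triage example (not code from the original post), the following Python check tells a well-formed PE payload apart from a short non-PE response like the failed 126-byte DLL above; the sample bytes are constructed here and are not the files from this post.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag set on DLL images

# Constructed stand-in for a failed download: 126 bytes of non-PE content.
FAILED_BODY = b"<html>error</html>".ljust(126, b"\x00")


def build_min_pe(is_dll: bool) -> bytes:
    """Build just the DOS stub, PE signature and COFF header that
    classify_payload() inspects (constructed; not a loadable image)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + b"PE\x00\x00" + coff_header


def classify_payload(data: bytes) -> str:
    """Return 'exe', 'dll' or 'not-pe' from the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "not-pe"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


if __name__ == "__main__":
    print("failed body:", classify_payload(FAILED_BODY))
    print("dll sample:", classify_payload(build_min_pe(True)))
    print("exe sample:", classify_payload(build_min_pe(False)))
```

A dropped file this small that fails the header check is a sign the exploit kit delivered an error body or a truncated transfer rather than a working payload, which matches the failed second run here.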


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
