2016-09-16 - EITEST RIG EK - UPDATED PATTERN FOR INJECTED EITEST SCRIPT

ASSOCIATED FILES:

  • 2016-09-16-EITest-Rig-EK-first-example.pcap   (3,121,739 bytes)
  • 2016-09-16-EITest-Rig-EK-second-example.pcap   (250,011 bytes)
  • 2016-09-16-CryptFile2-decryption-instructions.html   (2,296 bytes)
  • 2016-09-16-CryptFile2-decryption-instructions.txt   (3,365 bytes)
  • 2016-09-16-EITest-Rig-EK-flash-exploit-first-run.swf   (25,317 bytes)
  • 2016-09-16-EITest-Rig-EK-flash-exploit-second-run.swf   (25,317 bytes)
  • 2016-09-16-EITest-Rig-EK-landing-page-first-run.txt   (3,426 bytes)
  • 2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe   (79,360 bytes)
  • 2016-09-16-EITest-Rig-EK-payload-first-run.exe   (248,357 bytes)
  • 2016-09-16-EITest-flash-redirect-from-fuli87.top.swf   (4,332 bytes)
  • 2016-09-16-EITest-flash-redirect-from-marketingwithyou.top.swf   (4,332 bytes)
  • 2016-09-16-page-from-madridsalud.es-with-injected-EITest-script.txt   (147,558 bytes)
  • 2016-09-16-page-from-magnetsource.com-with-injected-script.txt   (18,776 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: An example of injected script in a page from the first compromised site pointing to an EITest gate.

Shown above: Traffic from the first example filtered in Wireshark.

Shown above: An example of injected script in a page from the second compromised site pointing to an EITest gate.

Shown above: Traffic from the second example filtered in Wireshark.

FIRST EXAMPLE:

SECOND EXAMPLE:

FILE HASHES

FLASH FILES:

PAYLOADS:

IMAGES FROM THE FIRST EXAMPLE

Shown above: Artifacts from the first infected host.

Shown above: Registry key(s) from the first infected host.

Shown above: Alerts on the first example traffic in Security Onion using Suricata and the ET Pro ruleset.

Shown above: Some alerts on the first example using Snort 2.9.7.3 with the Snort/Talos subscriber set.

IMAGES FROM THE SECOND EXAMPLE

Shown above: Examples of names for files encrypted by the CryptFile2 ransomware.
Email addresses from the decryption instructions are: enc3@usa.com and enc3@dr.com

Shown above: Registry key(s) from the second infected host.

Shown above: Alerts on the second example traffic in Security Onion using Suricata and the ET Pro ruleset.

Shown above: Some alerts on the second example using Snort 2.9.7.3 with the Snort/Talos subscriber set.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
