2016-09-21 - TWO EXAMPLES OF EITEST RIG EK

ASSOCIATED FILES:

  • 2016-09-21-EITest-Rig-EK-sends-CryptFile2-after-germansuppliesinc.com.pcap   (174,049 bytes)
  • 2016-09-21-EITest-Rig-EK-sends-Vawtrak-after-imr-racing.com.pcap   (825,547 bytes)
  • 2016-09-21-EITest-Rig-EK-flash-exploit-after-germansuppliesinc.com.swf   (25,205 bytes)
  • 2016-09-21-EITest-Rig-EK-flash-exploit-after-imr-racing.com.swf   (25,205 bytes)
  • 2016-09-21-EITest-Rig-EK-landing-page-after-germansuppliesinc.com.txt   (3,536 bytes)
  • 2016-09-21-EITest-Rig-EK-landing-page-after-imr-racing.com.txt   (3,440 bytes)
  • 2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe   (86,016 bytes)
  • 2016-09-21-EITest-Rig-EK-payload-Vawtrak-after-imr-racing.com.exe   (320,512 bytes)
  • 2016-09-21-EITest-flash-redirect-from-avtex.top.swf   (4,439 bytes)
  • 2016-09-21-EITest-flash-redirect-from-sqlbackupandftp.top.swf   (4,439 bytes)
  • 2016-09-21-page-from-germansuppliesinc.com-with-injected-EITest-script.txt   (67,198 bytes)
  • 2016-09-21-page-from-imr-racing.com-with-injected-EITest-script.txt   (62,685 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Traffic from the first pcap filtered in Wireshark.


Shown above:  Traffic from the second pcap filtered in Wireshark.

FIRST PCAP:

SECOND PCAP:

  • 198.105.254.228 port 443 - ctwruhwdk.com - HTTPS/SSL/TLS traffic
  • 198.105.254.228 port 443 - apgtsdeh.com - HTTPS/SSL/TLS traffic
  • 81.177.13.242 port 443 - lkfiravihg.com - HTTPS/SSL/TLS traffic
  • 212.116.113.163 port 443 - apparatusou.bid - HTTPS/SSL/TLS traffic
  • 185.36.102.164 port 80 - 185.36.102.164 - GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
  • 185.36.102.164 port 80 - 185.36.102.164 - GET /module/[various other hexadecimal strings]

FILE HASHES

FLASH FILES:

PAYLOADS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
