2016-09-28 - EITEST RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-09-28-EITest-Rig-EK-sends-Cerber-after-agers.es.pcap   (453,160 bytes)
  • 2016-09-28-EITest-Rig-EK-sends-CryptFile2-after-beyondproxy.com.pcap   (149,307 bytes)
  • 2016-09-28-EITest-Rig-EK-sends-CryptFile2-after-orfab.com.pcap   (156,678 bytes)
  • 2016-09-28-EITest-Rig-EK-sends-Ursnif-after-889yoga.com.pcap   (618,186 bytes)
  • 2016-09-28-Cerber-ransomware-decryption-instructions.txt   (10,621 bytes)
  • 2016-09-28-CryptFile2-ransomware-decryption-instructions.txt   (33,53 bytes)
  • 2016-09-28-EITest-flash-redirect-from-felmausa.top.swf   (4,539 bytes)
  • 2016-09-28-EITest-Rig-EK-flash-exploit.swf   (25,590 bytes)
  • 2016-09-28-EITest-Rig-EK-landing-page-after-889yoga.com.txt   (3,430 bytes)
  • 2016-09-28-EITest-Rig-EK-landing-page-after-agers.es.txt   (3,432 bytes)
  • 2016-09-28-EITest-Rig-EK-landing-page-after-beyondproxy.com.txt   (3,510 bytes)
  • 2016-09-28-EITest-Rig-EK-landing-page-after-orfab.com.txt   (3,510 bytes)
  • 2016-09-28-EITest-Rig-EK-payload-Cerber-after-agers.es.exe   (213,611 bytes)
  • 2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe   (91,648 bytes)
  • 2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe   (91,648 bytes)
  • 2016-09-28-EITest-Rig-EK-payload-Ursnif-after-889yoga.com.exe   (468,517 bytes)
  • 2016-09-28-page-from-889yoga.com-wtih-injected-EITest-script.txt   (76,084 bytes)
  • 2016-09-28-page-from-agers.es-wtih-injected-EITest-script.txt   (63,445 bytes)
  • 2016-09-28-page-from-beyondproxy.com-wtih-injected-EITest-script.txt   (25,190 bytes)
  • 2016-09-28-page-from-orfab.com-wtih-injected-EITest-script.txt   (18,023 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above:  Flowchart for this infection traffic.

TRAFFIC

Shown above:  Injected script in page from the first compromised site pointing to an EITest gate.

Shown above:  Injected script in page from the second compromised site pointing to an EITest gate.

Shown above:  Injected script in page from the third compromised site pointing to an EITest gate.

Shown above:  Injected script in page from the fourth compromised site pointing to an EITest gate.
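The four injected-script captures above all follow the same pattern: a compromised site serving a <script> tag whose src points at a host that is not the site's own. The following is an added triage example, not code from the original page or from the EITest analysis: it walks a saved page, collects every script src, and flags those loading from a foreign host. The HTML sample is constructed, and the gate host "gate.example" is a placeholder, not an actual EITest gate.

```python
# Added example (not from the original page): list <script src> references in a saved
# HTML page and flag those whose host is not the compromised site's own domain.
# SAMPLE_PAGE is constructed for illustration; "gate.example" stands in for the gate host.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PAGE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://www.agers.es/js/site.js"></script>
</head><body>
<p>site content</p>
<script type="text/javascript" src="http://gate.example/iframe.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def same_site(host, site_host):
    """True when host is site_host itself or a subdomain of it (www.agers.es vs agers.es)."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def external_script_hosts(page_html, site_host):
    """Return (src, host) for each script src served from outside site_host.

    Relative and protocol-relative URLs are handled: a relative src has no host
    and is treated as same-origin, while "//cdn.example/x.js" yields host cdn.example.
    """
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative URLs such as /js/x.js
        if host is None:
            continue
        if not same_site(host, site_host):
            flagged.append((src, host))
    return flagged


if __name__ == "__main__":
    for src, host in external_script_hosts(SAMPLE_PAGE, "agers.es"):
        print("external script:", host, "<-", src)
```

Run it against the saved page text files listed under ASSOCIATED FILES with the site's own domain as the second argument; anything it flags is a candidate gate to pivot on in the matching pcap. It does not decode obfuscated or inline injections, so a clean result is not proof the page is clean.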

Shown above:  Traffic from the first pcap filtered in Wireshark.

Shown above:  Traffic from the second pcap filtered in Wireshark.

Shown above:  Traffic from the third pcap filtered in Wireshark.

Shown above:  Traffic from the fourth pcap filtered in Wireshark.
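The Wireshark views above show the chain compromised site -> EITest gate -> Rig EK landing page -> Flash exploit -> payload. As an added example (not from the original page), the script below rebuilds that chain from the HTTP request fields tshark can export from any of the four pcaps, following Referer headers forward from the compromised site. The export in SAMPLE_EXPORT is constructed; the hosts gate.example and ek.example and the IP addresses are placeholders, not the real gate or Rig EK infrastructure from this traffic.

```python
# Added example (not from the original page): reconstruct the redirect chain from an
# HTTP request export of a pcap by following Referer headers from the compromised site.
# Export the real data with (real tshark options):
#   tshark -r capture.pcap -Y "http.request" -T fields -E separator=/t \
#     -e frame.time_relative -e ip.dst -e http.host -e http.request.uri -e http.referer
# SAMPLE_EXPORT below is constructed; gate.example / ek.example are placeholder hosts.
from collections import namedtuple

Request = namedtuple("Request", "t dst host uri referer")

SAMPLE_EXPORT = """\
0.010\t203.0.113.10\twww.agers.es\t/\t
0.850\t203.0.113.10\twww.agers.es\t/js/site.js\thttp://www.agers.es/
1.200\t198.51.100.5\tgate.example\t/iframe.js\thttp://www.agers.es/
1.900\t192.0.2.77\tek.example\t/?q=landing\thttp://gate.example/iframe.js
3.400\t192.0.2.77\tek.example\t/flash.swf\thttp://ek.example/?q=landing
4.100\t192.0.2.77\tek.example\t/payload.exe\thttp://ek.example/?q=landing
7.000\t203.0.113.99\tunrelated.example\t/beacon\t
"""


def parse_export(text):
    """Parse tab-separated tshark field output into Request records (missing fields -> '')."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (5 - len(parts))
        t, dst, host, uri, ref = parts[:5]
        reqs.append(Request(float(t), dst, host, uri, ref))
    return reqs


def url_of(r):
    # tshark's http.referer carries the full URL, so rebuild one in the same shape.
    return "http://" + r.host + r.uri


def referer_chain(reqs, start_host):
    """Return [(host, dst_ip), ...] in order of first appearance for every request that
    is reachable from the first request to start_host via a chain of Referer headers.
    Requests with no link back to the chain (e.g. unrelated background traffic) are dropped."""
    chain = []
    known_urls = set()
    for r in sorted(reqs, key=lambda x: x.t):
        if not known_urls:
            if r.host != start_host:
                continue
            known_urls.add(url_of(r))
        elif r.referer in known_urls:
            known_urls.add(url_of(r))
        else:
            continue
        if all(h != r.host for h, _ in chain):
            chain.append((r.host, r.dst))
    return chain


if __name__ == "__main__":
    for host, ip in referer_chain(parse_export(SAMPLE_EXPORT), "www.agers.es"):
        print(host, ip)
```

The chain it prints is the list of hosts and IPs to record as indicators for that capture. Flash exploits and iframes do not always set a Referer (and the EK may strip or alter it), so when the walk stops early, fall back to ordering by time and destination IP in Wireshark as the screenshots above do.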

ASSOCIATED DOMAINS:

FILE HASHES

FLASH FILES:

PAYLOADS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
