2016-09-29 - EITEST RIG EK DATA DUMP (CERBER, CRYPTFILE2, OTHER PAYLOADS)

ASSOCIATED FILES:

  • 2016-09-29-EITest-Rig-EK-1st-run.pcap   (218,047 bytes)
  • 2016-09-29-EITest-Rig-EK-2nd-run.pcap   (496,884 bytes)
  • 2016-09-29-EITest-Rig-EK-3rd-run.pcap   (3,697,649 bytes)
  • 2016-09-29-EITest-Rig-EK-4th-run.pcap   (286,926 bytes)
  • 2016-09-29-EITest-Rig-EK-5th-run.pcap   (326,861 bytes)
  • 2016-09-29-EITest-Rig-EK-6th-run.pcap   (690,930 bytes)
  • 2016-09-29-EITest-Rig-EK-7th-run.pcap   (477,689 bytes)
  • 2016-09-29-EITest-Rig-EK-8th-run.pcap   (236,548 bytes)
  • 2016-09-29-Cerber-decryption-instructions.txt   (10,621 bytes)
  • 2016-09-29-CryptFile2-decryption-instructions.txt   (3,354 bytes)
  • 2016-09-29-EITest-Rig-EK-flash-exploit.swf   (25,590 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-1st-run.txt   (3,509 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-2nd-run.txt   (3,428 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-3rd-run.txt   (3,428 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-4th-run.txt   (3,432 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-5th-run.txt   (3,431 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-6th-run.txt   (3,430 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-7th-run.txt   (3,431 bytes)
  • 2016-09-29-EITest-Rig-EK-landing-page-8th-run.txt   (3,507 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe   (89,600 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-2nd-run-Cerber.exe   (251,598 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-3rd-run.exe   (147,253 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-4th-run.exe   (186,368 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-5th-run.exe   (159,744 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-6th-run.exe   (209,408 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-7th-run-Cerber.exe   (235,134 bytes)
  • 2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe   (102,400 bytes)
  • 2016-09-29-EITest-flash-redirect-from-edu.governmentsolutions.com.swf   (4,580 bytes)
  • 2016-09-29-EITest-flash-redirect-from-en.langitmusik.us.swf   (4,580 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-1st-run.txt   (76,172 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-2nd-run.txt   (76,168 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-3rd-run.txt   (76,106 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-4th-run.txt   (76,114 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-5th-run.txt   (76,114 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-6th-run.txt   (76,120 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-7th-run.txt   (76,118 bytes)
  • 2016-09-29-page-from-889yoga.com-with-injected-script-8th-run.txt   (76,114 bytes)


NOTES:


BACKGROUND ON THE EITEST CAMPAIGN:

Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  An example of injected EITest script in a page from the compromised website.

Traffic from the 1st pcap filtered in Wireshark.


Traffic from the 2nd pcap filtered in Wireshark.


Traffic from the 3rd pcap filtered in Wireshark.


Traffic from the 4th pcap filtered in Wireshark.


Traffic from the 5th pcap filtered in Wireshark.


Traffic from the 6th pcap filtered in Wireshark.


Traffic from the 7th pcap filtered in Wireshark.


Traffic from the 8th pcap filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH FILES:

PAYLOADS:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.