2016-10-11 - EITEST RIG EK DATA DUMP (CERBER, URSNIF, AND NEUTRINO PAYLOADS)

ASSOCIATED FILES:

  • 2016-10-11-EITest-Rig-EK-first-run-sends-Cerber-ransomware.pcap   (516,322 bytes)
  • 2016-10-11-EITest-Rig-EK-second-run-sends-Ursnif.pcap   (737,122 bytes)
  • 2016-10-11-EITest-Rig-EK-third-run-sends-Neutrino-malware.pcap   (552,287 bytes)
  • 2016-10-11-Cerber-decryption-instructions-README.hta   (63,059 bytes)
  • 2016-10-11-Cerber-decryption-instructions.bmp   (1,920,054 bytes)
  • 2016-10-11-EITest-Rig-EK-flash-exploit-first-run.swf   (24,781 bytes)
  • 2016-10-11-EITest-Rig-EK-flash-exploit-second-run.swf   (25,565 bytes)
  • 2016-10-11-EITest-Rig-EK-flash-exploit-third-run.swf   (25,565 bytes)
  • 2016-10-11-EITest-Rig-EK-landing-page-first-run.txt   (30,239 bytes)
  • 2016-10-11-EITest-Rig-EK-landing-page-second-run.txt   (3,450 bytes)
  • 2016-10-11-EITest-Rig-EK-landing-page-third-run.txt   (3,449 bytes)
  • 2016-10-11-EITest-Rig-EK-payload-first-run-Cerber.exe   (2549,49 bytes)
  • 2016-10-11-EITest-Rig-EK-payload-second-run-Ursnif.exe   (539,746 bytes)
  • 2016-10-11-EITest-Rig-EK-payload-third-run-Neutrino-malware.exe   (187,626 bytes)
  • 2016-10-11-page-from-mobilecommercedaily.com-with-injected-EITest-script-first-run.txt   (84,179 bytes)
  • 2016-10-11-page-from-mobilecommercedaily.com-with-injected-EITest-script-second-run.txt   (84,104 bytes)
  • 2016-10-11-page-from-mobilecommercedaily.com-with-injected-EITest-script-third-run.txt   (84,097 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  An example of injected EITest script in a page from the compromised website.

Shown above:  Traffic from the first infection filtered in Wireshark.


Shown above:  Traffic from the second infection filtered in Wireshark.


Shown above:  Traffic from the third infection filtered in Wireshark.

ASSOCIATED DOMAINS:

NOTE: The additional malware downloaded during the third infection has the same size and hash as the Rig EK payload (the Neutrino malware).  It is not clear why the malware downloaded a copy of itself.

FILE HASHES

FLASH EXPLOITS:

PAYLOADS:

IMAGES


Shown above:  Desktop of the Windows host after the first infection (showing the payload was Cerber ransomware).

Shown above:  Ursnif variant from the second infection made persistent on the Windows host.

Shown above:  Alerts on the second pcap from the Emerging Threats & ETPRO rulesets using Sguil on Security Onion.  Shows alerts for Ursnif.

Shown above:  Neutrino malware from the third infection made persistent on the Windows host.

Shown above:  Alerts on the third pcap from the Emerging Threats & ETPRO rulesets using Sguil on Security Onion.  Shows alert for Neutrino malware.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.