2016-10-17 - EITEST RIG EK FROM 195.133.201.121 SENDS CRYPTFILE2 RANSOMWARE

ASSOCIATED FILES:

  • 2016-10-17-EITest-Rig-EK-first-run.pcap   (220,965 bytes)
  • 2016-10-17-EITest-Rig-EK-second-run.pcap   (207,436 bytes)
  • 2016-10-17-EITest-Rig-EK-third-run.pcap   (269,756 bytes)
  • 2016-10-17-CryptFile2-HELP_DECRYPT_YOUR_FILES.TXT   (3,219 bytes)
  • 2016-10-17-EITest-Rig-EK-flash-exploit-all-three-runs.swf   (77,118 bytes)
  • 2016-10-17-EITest-Rig-EK-landing-page-first-run.txt   (3,516 bytes)
  • 2016-10-17-EITest-Rig-EK-landing-page-second-run.txt   (3,516 bytes)
  • 2016-10-17-EITest-Rig-EK-landing-page-third-run.txt   (3,517 bytes)
  • 2016-10-17-EITest-Rig-EK-payload-CryptFile2-first-and-second-run.exe   (75,776 bytes)
  • 2016-10-17-EITest-Rig-EK-payload-CryptFile2-third-run.exe   (75,264 bytes)
  • 2016-10-17-page-from-blog.masmovil.es-with-injected-EITest-script.txt   (63,910 bytes)
  • 2016-10-17-page-from-interlinetravel.com-with-injected-EITest-script.txt   (83,703 bytes)
  • 2016-10-17-page-from-sandiegomonsterbash.com-with-injected-EITest-script.txt   (34,130 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the first compromised site.


Shown above:  Traffic from the first pcap filtered in Wireshark.


Shown above:  Injected script from the EITest campaign in a page from the second compromised site.


Shown above:  Traffic from the second pcap filtered in Wireshark.


Shown above:  Injected script from the EITest campaign in a page from the third compromised site.


Shown above:  Traffic from the third pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

EMAIL ADDRESSES FROM THE DECRYPT INSTRUCTIONS:

FILE HASHES

FLASH EXPLOIT:

PAYLOADS:

IMAGES


Shown above:  Desktop of an infected Windows host after rebooting.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.