2016-12-05 - RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-12-05-1st-run-EITest-Rig-E-sends-Gootkit.pcap   (284,311 bytes)
  • 2016-12-05-1st-run-Gootkit-post-infection-traffic.pcap   (4,068,785 bytes)
  • 2016-12-05-2nd-run-EITest-Rig-E-sends-Chthonic-banking-trojan.pcap   (1,363,685 bytes)
  • 2016-12-05-3rd-run-EITest-Rig-EK-sends-Quant-Loader.pcap   (146,575 bytes)
  • 2016-12-05-4th-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (487,881 bytes)
  • 2016-12-05-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-05-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-12-05-1st-run-EITest-Rig-E-landing-page.txt   (3,428 bytes)
  • 2016-12-05-1st-run-EITest-Rig-E-payload-Gootkit-rad0260A.tmp.exe   (200,704 bytes)
  • 2016-12-05-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,829 bytes)
  • 2016-12-05-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-05-2nd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-12-05-2nd-run-EITest-Rig-E-landing-page.txt   (3,422 bytes)
  • 2016-12-05-2nd-run-EITest-Rig-E-payload-Chthonic-rad952F6.tmp.exe   (188,416 bytes)
  • 2016-12-05-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,847 bytes)
  • 2016-12-05-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-05-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-12-05-3rd-run-EITest-Rig-E-landing-page.txt   (3,416 bytes)
  • 2016-12-05-3rd-run-EITest-Rig-E-payload-Quant-loader-rad633D8.tmp.exe   (59,129 bytes)
  • 2016-12-05-3rd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,847 bytes)
  • 2016-12-05-4th-run-page-from-wordtemplates.org-with-injected-script.txt   (54,507 bytes)
  • 2016-12-05-4th-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-05-4th-run-pseudoDarkleech-Rig-V-artifact-landing-page.txt   (5,405 bytes)
  • 2016-12-05-4th-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (10,226 bytes)
  • 2016-12-05-4th-run-pseudoDarkleech-Rig-V-payload-Cerber-rad8C7CF.tmp.exe   (267,079 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

TRAFFIC
Shown above:  Traffic from the 1st infection filtered in Wireshark.
Shown above:  Traffic from the 2nd infection filtered in Wireshark.
Shown above:  Traffic from the 3rd infection filtered in Wireshark.
Shown above:  Traffic from the 4th infection filtered in Wireshark.

1ST INFECTION:

2ND INFECTION:

3RD INFECTION:

4TH INFECTION:

FILE HASHES

FLASH EXPLOITS:

PAYLOADS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.