2016-12-06 - RIG EK DATA DUMP

NOTES:

ASSOCIATED FILES:

  • 2016-12-06-1st-run-EITest-Rig-E-sends-Chthonic.pcap   (806,307 bytes)
  • 2016-12-06-2nd-run-EITest-Rig-E-sends-Gootkit.pcap   (201,607 bytes)
  • 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (413,749 bytes)
  • 2016-12-06-4th-run-EITest-Rig-E-sends-Quant-loader.pcap   (141,193 bytes)
  • 2016-12-06-5th-run-EITest-Rig-E-sends-Chthonic.pcap   (1,279,665 bytes)
  • 2016-12-06-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-06-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-12-06-1st-run-EITest-Rig-E-landing-page.txt   (3,416 bytes)
  • 2016-12-06-1st-run-EITest-Rig-E-payload-Chthonic.exe   (393,216 bytes)
  • 2016-12-06-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,835 bytes)
  • 2016-12-06-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-06-2nd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-12-06-2nd-run-EITest-Rig-E-landing-page.txt   (3,410 bytes)
  • 2016-12-06-2nd-run-EITest-Rig-E-payload-Gootkit.exe   (294,912 bytes)
  • 2016-12-06-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,839 bytes)
  • 2016-12-06-3rd-run-page-from-joellipman.com-with-injected-script.txt   (68,856 bytes)
  • 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (15,043 bytes)
  • 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,376 bytes)
  • 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber.exe   (267,894 bytes)
  • 2016-12-06-4th-run-EITest-Rig-E-flash-exploit.swf   (15,043 bytes)
  • 2016-12-06-4th-run-EITest-Rig-E-landing-page.txt   (85,255 bytes)
  • 2016-12-06-4th-run-EITest-Rig-E-payload-Quant-loader.exe   (70,393 bytes)
  • 2016-12-06-4th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,826 bytes)
  • 2016-12-06-5th-run-EITest-Rig-E-flash-exploit.swf   (15,043 bytes)
  • 2016-12-06-5th-run-EITest-Rig-E-landing-page.txt   (85,243 bytes)
  • 2016-12-06-5th-run-EITest-Rig-E-payload-Chthonic.exe   (393,216 bytes)
  • 2016-12-06-5th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,830 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

 

TRAFFIC


Shown above:  Flow chart for today's infection traffic.


Shown above:  Traffic from the 1st infection filtered in Wireshark.


Shown above:  Traffic from the 2nd infection filtered in Wireshark.


Shown above:  Traffic from the 3rd infection filtered in Wireshark.


Shown above:  Traffic from the 4th infection filtered in Wireshark.


Shown above:  Traffic from the 5th infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

FLASH EXPLOITS (READ: SHA256 HASH - FILE NAME - FILE SIZE)

PAYLOADS:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
