2016-12-07 - RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-12-07-1st-run-EITest-Rig-E-sends-Gootkit.pcap   (511,118 bytes)
  • 2016-12-07-2nd-run-EITest-Rig-E-sends-Smoke-Loader.pcap   (167,116 bytes)
  • 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (637,182 bytes)
  • 2016-12-07-4th-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (651,266 bytes)
  • 2016-12-07-5th-run-EITest-Rig-E-sends-Smoke-Loader.pcap   (147,121 bytes)
  • 2016-12-07-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-07-1st-run-EITest-Rig-E-flash-exploit.swf   (17,657 bytes)
  • 2016-12-07-1st-run-EITest-Rig-E-landing-page.txt   (85,199 bytes)
  • 2016-12-07-1st-run-EITest-Rig-E-payload-Gootkit-rad0BCCB.tmp.exe   (237,568 bytes)
  • 2016-12-07-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,838 bytes)
  • 2016-12-07-1st-run-post-infection-follow-up-malware.exe   (397,824 bytes)
  • 2016-12-07-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-07-2nd-run-EITest-Rig-E-flash-exploit.swf   (17,657 bytes)
  • 2016-12-07-2nd-run-EITest-Rig-E-landing-page.txt   (85,251 bytes)
  • 2016-12-07-2nd-run-EITest-Rig-E-payload-Smoke-Loader-rad79415.tmp.exe   (43,520 bytes)
  • 2016-12-07-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,844 bytes)
  • 2016-12-07-3rd-run-page-from-joellipman.com-with-injected-script.txt   (68,908 bytes)
  • 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (17,618 bytes)
  • 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,375 bytes)
  • 2016-12-07-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber-rad30C82.tmp.exe   (264,228 bytes)
  • 2016-12-07-4th-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-07-4th-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (17,618 bytes)
  • 2016-12-07-4th-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,380 bytes)
  • 2016-12-07-4th-run-pseudoDarkleech-Rig-V-payload-Cerber-rad6EB28.tmp.exe   (264,228 bytes)
  • 2016-12-07-4th-run-wordtemplates.org-with-injected-script.txt   (54,484 bytes)
  • 2016-12-07-5th-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-12-07-5th-run-EITest-Rig-E-flash-exploit.swf   (17,657 bytes)
  • 2016-12-07-5th-run-EITest-Rig-E-landing-page.txt   (85,229 bytes)
  • 2016-12-07-5th-run-EITest-Rig-E-payload-Smoke-Loader-radE32E0.tmp.exe   (43,520 bytes)
  • 2016-12-07-5th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,841 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

OTHER NOTES:

TRAFFIC

Image (not included): Flow chart for today's infection traffic.

Image (not included): Traffic from the 1st infection filtered in Wireshark.

Image (not included): Traffic from the 2nd infection filtered in Wireshark.

Image (not included): Traffic from the 3rd infection filtered in Wireshark.

Image (not included): Traffic from the 4th infection filtered in Wireshark.

Image (not included): Traffic from the 5th infection filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOITS:

PAYLOADS (READ: SHA256 HASH - FILE NAME - FILE SIZE):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.