2016-12-29 - EITEST RIG-E FROM 191.101.31.114 SENDS CHTHONIC BANKING TROJAN

ASSOCIATED FILES:

  • 2016-12-29-EITest-Rig-E-sends-Chthonic-banking-Trojan-1st-run.pcap   (2,103,541 bytes)
  • 2016-12-29-EITest-Rig-E-sends-Chthonic-banking-Trojan-2nd-run.pcap   (468,509 bytes)
  • 2016-12-29-EITest-Rig-E-artifact-OTTYUADAF.txt   (1,137 bytes)
  • 2016-12-29-EITest-Rig-E-flash-exploit.swf   (13,700 bytes)
  • 2016-12-29-EITest-Rig-E-landing-page-1st-run.txt   (85,337 bytes)
  • 2016-12-29-EITest-Rig-E-landing-page-2nd-run.txt   (85,377 bytes)
  • 2016-12-29-EITest-Rig-E-payload-Chthonic.exe   (163,840 bytes)
  • 2016-12-29-page-from-activaclinics.com-with-injected-EITest-script-1st-run.txt   (58,164 bytes)
  • 2016-12-29-page-from-activaclinics.com-with-injected-EITest-script-2nd-run.txt   (58,160 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:

BACKGROUND ON THE CHTHONIC BANKING TROJAN:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Injected script from the EITest campaign on the compromised site, first run.

Shown above:  Injected script from the EITest campaign on the compromised site, second run.

Shown above:  Pcap of the infection traffic filtered in Wireshark, first run.

Shown above:  Pcap of the infection traffic filtered in Wireshark, second run.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOIT:

PAYLOAD:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
