2017-01-11 - RIG-V FROM 109.234.38.150

ASSOCIATED FILES:

  • 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-1st-run.pcap   (265,815 bytes)
  • 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-2nd-run.pcap   (318,367 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-1st-run.pcap   (513,487 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2nd-run.pcap   (415,050 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-3rd-run.pcap   (689,751 bytes)
  • 2017-01-11-Cerber_HELP_DECRYPT_P0M4FLVC_.hta   (67,682 bytes)
  • 2017-01-11-Cerber_HELP_DECRYPT_P0M4FLVC_.jpg   (237,109 bytes)
  • 2017-01-11-CryptoMix-decryption-instructions.txt   (1,480 bytes)
  • 2017-01-11-EITest-Rig-V-1st-run-payload-CryptoMix-rad9F7AB.tmp.exe   (99,328 bytes)
  • 2017-01-11-EITest-Rig-V-2nd-run-payload-CryptoMix-radEC302.tmp.exe   (98,816 bytes)
  • 2017-01-11-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-11-Rig-V-flash-exploit.swf   (16,946 bytes)
  • 2017-01-11-Rig-V-landing-page-pseudoDarkleech-1st-run.txt   (5,184 bytes)
  • 2017-01-11-Rig-V-landing-page-pseudoDarkleech-2nd-run.txt   (5,187 bytes)
  • 2017-01-11-Rig-V-run-landing-page-EITest-1st-run.txt   (5,187 bytes)
  • 2017-01-11-Rig-V-run-landing-page-EITest-2nd-run.txt   (5,189 bytes)
  • 2017-01-11-Rig-V-run-landing-page-EITest-3rd-run.txt   (5,192 bytes)
  • 2017-01-11-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,303 bytes)
  • 2017-01-11-page-from-alleghenyhomehealth.com-with-injected-pseudoDarkleech-script.txt   (23,818 bytes)
  • 2017-01-11-page-from-gardencityhall.com-with-injected-pseudoDarkleech-script.txt   (27,801 bytes)
  • 2017-01-11-page-from-grillo-designs.com-with-injected-EITest-script.txt   (97,506 bytes)
  • 2017-01-11-page-from-joellipman.com-with-injected-pseudoDarkleech-script.txt   (66,791 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-radE9100.tmp.exe   (325,350 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-rad21C56.tmp.exe   (310,858 bytes)
  • 2017-01-11-pseudoDarkleech-Rig-V-3rd-run-payload-Cerber-rad8077D.tmp.exe   (300,772 bytes)

BACKGROUND ON RIG EXPLOIT KIT:


Shown above:  Login panels for each exploit kit.  Images from malware.dontneedcoffee.com.

OTHER NOTES:


Shown above:  I will never get tired of ".news" puns.
TRAFFIC
ASSOCIATED DOMAINS:
FILE HASHES

FLASH EXPLOIT:

PAYLOADS:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.