2017-01-23 - EITEST RIG-V FROM 89.223.29[.]252 SENDS CRYPTOMIX RANSOMWARE
ASSOCIATED FILES:
- 2017-01-23-EITest-Rig-V-sends-CryptoMix-ransomware.pcap.zip 232.7 kB (232,650 bytes)
- 2017-01-23-EITest-Rig-V-sends-CryptoMix-ransomware.pcap (284,109 bytes)
- 2017-01-23-EITest-Rig-V-artifacts-and-CryptoMix-ransomware.zip 90.5 kB (90,525 bytes)
- 2017-01-23-CryptoMix-ransomware-INSTRUCTION_RESTORE_FILE.TXT (1,427 bytes)
- 2017-01-23-EITest-Rig-V-flash-exploit.swf (14,739 bytes)
- 2017-01-23-EITest-Rig-V-landing-page-1st-run.txt (5,230 bytes)
- 2017-01-23-EITest-Rig-V-payload-1st-run-CryptoMix-ransomware-rad29B07.tmp.exe (91,136 bytes)
- 2017-01-23-page-from-cellar335_com-with-injected-EITest-script-1st-run.txt (41,363 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- I usually run across 2 versions of Rig EK: Rig-V (Rig 4.0) and Rig-E (Empire Pack).
- Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
- I currently call it "Rig-V" out of habit.
- The proper name for Rig-E is "Empire Pack". Empire Pack is a variant of Rig EK, as described by Kafeine here.
- I haven't seen Empire Pack traffic in 2017 yet, but I often see it from the EITest campaign (when EITest is distributing something other than CryptoMix/CryptFile2 ransomware or Cerber ransomware).
BACKGROUND ON THE EITEST CAMPAIGN:
- My most recent write-up on the EITest campaign can be found here.
BACKGROUND ON CRYPTOMIX RANSOMWARE:
- The ransomware I used to call CryptFile2 is actually CryptoMix. Details can be found here.
- The EITest campaign currently uses Rig-V to send this CryptoMix (CryptFile2) ransomware.
- The last time I saw CryptoMix ransomware on 2017-01-13, it used .lesli as the file extension for encrypted files. Today I saw .rdmk as the file extension.
OTHER NOTES:
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- cellar335[.]com - Compromised site
- 89.223.29[.]252 port 80 - xcv.killinghealth[.]net - Rig-V
- 188.138.71[.]198 port 80 - 188.138.71[.]198 - CryptoMix ransomware post-infection traffic
- supls@post[.]com - first email from CryptoMix ransomware decryption instructions
- supls@oath[.]com - second email from CryptoMix ransomware decryption instructions
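As an added example (not part of the original write-up), the indicators above and the file artifacts noted earlier folded into a small detection pass: proxy log lines are matched against the Rig-V host/IP and the CryptoMix post-infection IP, a bare-IP Host header is flagged as a weaker heuristic, and host file listings are checked for the ransom note name and the .lesli/.rdmk extensions. The "dst_ip host uri" log format and the sample paths are constructed assumptions, not data from the pcap.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, Optional

# Indicators from the write-up above, with the defanging brackets removed.
RIG_V_HOSTS = {"xcv.killinghealth.net"}
RIG_V_IPS = {"89.223.29.252"}
CRYPTOMIX_IPS = {"188.138.71.198"}
RANSOM_NOTE = "INSTRUCTION_RESTORE_FILE.TXT"
ENCRYPTED_EXTS = {".lesli", ".rdmk"}  # 2017-01-13 and 2017-01-23 samples

# Constructed log format (assumption): "<dst_ip> <Host header> <request URI>"
LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$")


def is_ip_literal(value: str) -> bool:
    """True when an HTTP Host header is a bare IP address, not a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_http(line: str) -> Optional[str]:
    """Label one request; None means nothing from the write-up matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, host = m["ip"], m["host"].lower()
    if host in RIG_V_HOSTS or ip in RIG_V_IPS:
        return "rig-v-exploit-kit"
    if ip in CRYPTOMIX_IPS:
        return "cryptomix-post-infection"
    # Weaker heuristic: the CryptoMix check-in used the raw IP as its Host
    # header, and bare-IP Host headers are rare in normal browsing.
    return "bare-ip-host-header" if is_ip_literal(host) else None


def classify_file(path: str) -> Optional[str]:
    """Label a Windows path by the ransom note name or encrypted extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.upper() == RANSOM_NOTE:
        return "cryptomix-ransom-note"
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return "cryptomix-encrypted-file" if ext in ENCRYPTED_EXTS else None


def summarize(http_lines: Iterable[str], paths: Iterable[str]) -> Counter:
    """Hit counts by label across proxy lines and host file listings."""
    labels = [classify_http(l) for l in http_lines] + [classify_file(p) for p in paths]
    return Counter(x for x in labels if x)
```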
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: f2ef8c5e7882bef110df4879c4e300405cf6c47affeb73a10dbc40eb1d781cdf (14,739 bytes)
File description: Rig-V Flash exploit seen on 2017-01-23
PAYLOAD (CRYPTOMIX/CRYPTFILE2 RANSOMWARE):
- SHA256 hash: c44bf30d044ca1cbb6da72e32a45db1f2e82f437155a7509201c8477eba7c742 (91,136 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad29B07.tmp.exe
IMAGES
Shown above: Desktop of the infected Windows host.
Shown above: Some of the alerts from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.