Malware-Traffic-Analysis.net - 2017-01-24 - EITest Rig-V from 89.223.29[.]254 sends CryptoMix ransomware

2017-01-24 - EITEST RIG-V FROM 89.223.29[.]254 SENDS CRYPTOMIX RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-24-EITest-Rig-V-sends-CryptoMix-ransomware.pcap.zip 271 kB (271,437 bytes)

2017-01-24-EITest-Rig-V-sends-CryptoMix-ransomware.pcap (337,035 bytes)

2017-01-24-EITest-Rig-V-artifacts-and-CryptoMix-ransomware.zip 100.6 kB (100,569 bytes)

2017-01-24-CryptoMix-ransomware-INSTRUCTION_RESTORE_FILE.TXT (1,429 bytes)

2017-01-24-EITest-Rig-V-artifact-QTTYUADAF.txt (1,137 bytes)

2017-01-24-EITest-Rig-V-flash-exploit.swf (14,387 bytes)

2017-01-24-EITest-Rig-V-landing-page.txt (5,208 bytes)

2017-01-24-EITest-Rig-V-payload-CryptoMix-ransomware-rad1B3DE.tmp.exe (108,032 bytes)

2017-01-24-page-from-activaclinics_com-with-injected-EITest-script.txt (59,331 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I usually run across 2 versions of Rig EK: Rig-V (Rig 4.0) and Rig-E (Empire Pack).
Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
I currently call it "Rig-V" out of habit.
The proper name for Rig-E is "Empire Pack". Empire Pack a variant of Rig EK as described by Kafeine here.
I haven't seen Empire Pack traffic in 2017 yet, but I often see it from the EITest campaign (when EITest is distributing something other than CryptoMix/CryptFile2 ransomware or Cerber ransomware).

BACKGROUND ON THE EITEST CAMPAIGN:

My most recent write-up on the EITest campaign can be found here.

BACKGROUND ON CRYPTOMIX RANSOMWARE:

The ransomware I used to call CryptFile2 is actually CryptoMix. Details can be found here.
The EITest campaign currently uses Rig-V to send this CryptoMix (CryptFile2) ransomware.
CryptoMix currently uses .rdmk as the file extension for any encrypted files.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the EITest campaign from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

activaclinics[.]com - Compromised site
89.223.29[.]254 port 80 - park.hospitality-health[.]us - Rig-V
62.138.9[.]39 port 80 - 62.138.9[.]39 - CryptoMix ransomware post-infection traffic

supls@post[.]com - first email from CryptoMix ransomware decryption instructions
supls@oath[.]com - second email from CryptoMix ransomware decryption instructions

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 4a0b2c03d76217242a29d7a9bb4f6979d75fab3e40a1c3dbb19a2b5de45e3afb (14,387 bytes)
File description: Rig-V Flash exploit seen on 2017-01-24

PAYLOAD (CRYPTOMIX/CRYPTFILE2 RANSOMWARE):

SHA256 hash: a9a232cbff2c4347c1fcdeb1a3f1a6e45fbd4e93a107c6dd57fb8994df9d3bce (108,032 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\rad1B3DE.tmp.exe

IMAGES

Shown above: Desktop of the infected Windows host.

Click here to return to the main page.