2017-02-06 - EITEST RIG EK SENDS CRYPTOSHIELD RANSOMWARE

ASSOCIATED FILES:

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:

BACKGROUND ON CRYPTOSHIELD RANSOMWARE:


Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Example of injected script from the EITest campaign in a page from the compromised site on 2017-02-06.



Shown above:  Pcap of the infection traffic from 2017-02-01 filtered in Wireshark.



Shown above:  Pcap of the infection traffic from 2017-02-02 filtered in Wireshark.



Shown above:  Pcap of the infection traffic from 2017-02-03 filtered in Wireshark.  I forgot to save the pcap from this one, so it's not in the pcap archive.



Shown above:  Pcap of the infection traffic from 2017-02-06 filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOITS:

PAYLOADS (CRYPTOSHIELD):


IMAGES


Shown above:  Desktop of an infected Windows host on 2017-02-06.



Shown above:  Saw EITest script today from holinergroup.com (was trying for the Chrome fake popup window, but no luck).



Shown above:  Saw other Rig EK domains kicked off by EITest script from holinergroup.com.  Pcap and malware for this traffic were not included in today's archives.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
