2017-03-20 - EITEST RIG EK FROM 92.53.104.78 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-03-20-EITest-Rig-EK-sends-Cerber-ransomware.pcap   (825,380 bytes)
  • ZIP archive of the malware:  2017-03-20-EITest-Rig-EK-sends-Cerber-malware-and-artifacts.zip   551 kB (551,319 bytes)
    • 2017-03-20-Cerber_READ_THIS_FILE_5JBDOT_.txt   (1,337 bytes)
    • 2017-03-20-Cerber_READ_THIS_FILE_O9EALHF_.jpeg   (239,134 bytes)
    • 2017-03-20-Cerber_READ_THIS_FILE_SRBVX_.hta   (76,770 bytes)
    • 2017-03-20-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
    • 2017-03-20-EITest-Rig-EK-flash-exploit.swf   (15,010 bytes)
    • 2017-03-20-EITest-Rig-EK-landing-page.txt   (57,621 bytes)
    • 2017-03-20-EITest-Rig-EK-payload-Cerber-2isifsc1.exe   (286,921 bytes)
    • 2017-03-20-page-from-regenairgy.com-wtih-injected-EITest-script.txt   (23,105 bytes)

    BACKGROUND ON THE EITEST CAMPAIGN:

    OTHER NOTES:


    Shown above:  Flowchart for this infection traffic.

     

    TRAFFIC


    Shown above:  Injected script from the EITest campaign in a page from the compromised site.

     


    Shown above:  Pcap of the infection traffic filtered in Wireshark.

     

    ASSOCIATED DOMAINS:

     

    FILE HASHES

    FLASH EXPLOIT:

    PAYLOAD:

     

    IMAGES


    Shown above:  Desktop of an infected Windows host.

     

    FINAL NOTES

    Once again, here are the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

    Click here to return to the main page.