2017-03-28 - EITEST RIG EK FROM 46.173.214.185 SENDS (SOME SORT OF) RANSOMWARE

ASSOCIATED FILES:

  • 2017-03-28-EITest-Rig-EK.pcap   (1,129,240 bytes)
  • ZIP archive of the malware:  2017-03-28-EITest-Rig-EK-malware-and-artifacts.zip   445 kB (445,317 bytes)
    • 2017-03-28-DpgvQeBMapb33zFU.hta.txt   (35,342 bytes)
    • 2017-03-28-EITest-Rig-EK-J3KXzbhL.exe   (461,312 bytes)
    • 2017-03-28-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
    • 2017-03-28-EITest-Rig-EK-flash-exploit.swf   (15,736 bytes)
    • 2017-03-28-EITest-Rig-EK-landing-page.txt   (57,838 bytes)
    • 2017-03-28-WhatHappenedWithMyFiles.rtf   (5,682 bytes)
    • 2017-03-28-page-from-activaclinics.com-with-injected-EITest-script.txt   (58,153 bytes)

    BACKGROUND ON THE EITEST CAMPAIGN:

    EK PAYLOAD NOTES:


    Shown above:  Flowchart for this infection traffic.

     

    TRAFFIC


    Shown above:  Injected script from the EITest campaign in a page from the compromised site.

     


    Shown above:  Pcap of the infection traffic filtered in Wireshark.

     

    ASSOCIATED DOMAINS:

     

    EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

     

    FILE HASHES

    FLASH EXPLOIT:

    PAYLOAD (RANSOMWARE):

     

    IMAGES


    Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

     


    Shown above:  Desktop of an infected windows host.

     


    Shown above:  No file name changes, and the directions are in an RTF file.

     


    Shown above:  Registry entry made for persistence of the HTA file.

     

    FINAL NOTES

    Once again, here are the associated files:

    ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

    Click here to return to the main page.