2017-04-03 - EITEST RIG EK FROM 5.101.77.137 SENDS MSIL/MATRIC RANSOMWARE VARIANT

ASSOCIATED FILES:

  • 2017-04-03-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap   (1,225,906 bytes)
  • 2017-04-03-Bl0cked-ReadMe.rtf   (5,682 bytes)
  • 2017-04-03-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-04-03-EITest-Rig-EK-flash-exploit.swf   (15,690 bytes)
  • 2017-04-03-EITest-Rig-EK-landing-page.txt   (57,705 bytes)
  • 2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe   (513,536 bytes)
  • 2017-04-03-decryption-instructions.hta   (35,342 bytes)
  • 2017-04-03-decryption-instructions.jpg   (872,407 bytes)
  • 2017-04-03-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,273 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

MSIL/MATRIX RANSOMWARE VARIANT NOTES:


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 


Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

FLASH EXPLOIT:

PAYLOAD (MSIL/MATRIX VARIANT):

 

IMAGES


Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 


Shown above:  Desktop of an infected windows host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.