Malware-Traffic-Analysis.net - 2017-04-03 - EITest Rig EK from 5.101.77[.]137 sends MSIL/Matrix ransomware variant

2017-04-03 - EITEST RIG EK FROM 5.101.77[.]137 SENDS MSIL/MATRIC RANSOMWARE VARIANT

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-03-EITest-Rig-EK-sends-Matrix-ransomware-variant.pcap.zip 1.0 MB (1,023,195 bytes)

2017-04-03-EITest-Rig-EK-sends-Matrix-ransomware-variant.pcap (1,225,906 bytes)

2017-04-03-EITest-Rig-EK-malware-and-artifacts.zip 1.4 MB (1,350,303 bytes)

2017-04-03-Bl0cked-ReadMe.rtf (5,682 bytes)

2017-04-03-EITest-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)

2017-04-03-EITest-Rig-EK-flash-exploit.swf (15,690 bytes)

2017-04-03-EITest-Rig-EK-landing-page.txt (57,705 bytes)

2017-04-03-EITest-Rig-EK-payload-Matrix-ransomware-variant.exe (513,536 bytes)

2017-04-03-Matrix-ransomware-variant-decryption-instructions.hta (35,342 bytes)

2017-04-03-Matrix-ransomware-variant-decryption-instructions.jpg (872,407 bytes)

2017-04-03-page-from-activaclinics_com-with-injected-EITest-script.txt (59,273 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

My most recent write-up on the EITest campaign can be found here.

MSIL/MATRIX RANSOMWARE VARIANT NOTES:

This is the same ransomware I saw last week from the EITest campaign using Rig EK on 2017-03-28.
Haven't seen much about this one yet, so I'm calling it an "MSIL/Matrix variant."
Today's sample used .bl0cked as a file extension for any encrypted files.
Last week's sample didn't change any of the file extensions for encrypted files.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the EITest campaign in a page from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

www.activaclinics[.]com - Compromised website
46.173.214[.]185 port 80 - open.auctionforintros[.]com - Rig EK
31.41.216[.]90 port 80 - statcs.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic
195.248.235[.]240 port 80 - statcs.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

bluetablet9643@yahoo[.]com - Primary email
decodedecode@yandex[.]ru - Backup email

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 9c18ef0d4b441cdcefcdbaceeb111a207dc1460ac2a082785cc028551606a5de
File size: 15,690 bytes
File description: Rig EK flash exploit seen on 2017-04-03

PAYLOAD (MSIL/MATRIX VARIANT):

SHA256 hash: e7b3102e3e49c6c3611353d704aae797923b699227df92d97987a2e012ba3f25
File size: 513,536 bytes
File location: C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe

IMAGES

Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

Shown above: Desktop of an infected windows host.

Click here to return to the main page.