2017-10-24 - COMPROMISED SITE HAS EITEST CAMPAIGN PUSHING FAKE AV, ALSO HAS COINMINER JAVASCRIPT

ASSOCIATED FILES:

  • 2017-10-24-coinminer-javascript-after-pawsprings.ca.pcap   (125,764 bytes)
  • 2017-10-24-EITest-fake-AV-page-after-pawsprings.ca.pcap   (401,123 bytes)
  • 2017-10-24-coinhive.min.js.txt   (139,676 bytes)
  • 2017-10-24-cryptonight-asmjs.min.js.txt   (275,480 bytes)
  • 2017-10-24-fake-AV-audio.mp3   (262,144 bytes)
  • 2017-10-24-fake-AV-page.txt   (4,374 bytes)
  • 2017-10-24-page-from-pawsprings.ca-with-injected-script-for-coinminer.txt   (30,752 bytes)
  • 2017-10-24-page-from-pawsprings.ca-with-injected-EITest-script-for-fake-AV.txt   (30,529 bytes)

NOTES:

TRAFFIC


Shown above: Traffic for fake AV filtered in Wireshark.

Shown above: Traffic for coinminer javascript filtered in Wireshark.

Shown above: Traffic for coinminer javascript as recorded by Fiddler.

ASSOCIATED DOMAINS AND URLS - FAKE AV PAGE:

ASSOCIATED DOMAINS AND URLS - COINMINER JAVASCRIPT:

FILE HASHES

MALICIOUS JAVASCRIPT:

IMAGES

Shown above: Injected EITest script in page from compromised website pointing to fake AV page.

Shown above: Fake AV page with phone number for tech support scam.

Shown above: Injected script in page from compromised website pointing to coinminer javascript.

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.