2016-08-30 - EITEST RIG EK SENDS CRYPTFILE2 RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-08-30-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   165.4 kB (165,396 bytes)

• 2016-08-30-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap   (234,013 bytes)

• ZIP archive of the malware:  2016-08-30-EITest-Rig-EK-sends-CryptFile2-malware-and-artifacts.zip   155.6 kB (155,637 bytes)

• 2016-08-30-CryptFile2-ransomware-decrypt-instruction.TXT   (3,175 bytes)
• 2016-08-30-CryptFile2-ransomware-decrypt-instructions.HTML   (2,124 bytes)
• 2016-08-30-EITest-Rig-EK-flash-exploit-after-cairvest.com.swf   (46,163 bytes)
• 2016-08-30-EITest-Rig-EK-landing-page-after-cairvest.com.txt   (3,791 bytes)
• 2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe   (135,168 bytes)
• 2016-08-30-EITest-flash-redirect-from-ogimac.xyz.swf   (5,762 bytes)
• 2016-08-30-page-from-clairvest.com-with-injected-EITest-script.txt   (27,589 bytes)

 

2016-08-31 UPDATE:

• I originally mis-identified the payload as Bandarchor ransomware, when it's actually CryptFile2.
• Thanks to Jack for kindly setting me straight on this.
• Background on CryptFile2 ransomware can be found here.

 

Shown above:  My original mistake and subsequent change for identification of the malware payload.

 

MY PREVIOUS DOCUMENTATION ON CRYPTFILE2 RANSOMWARE:

• 2016-08-26 (also from the EITest campaign)

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the compromised site pointing to the EITest gate.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

Shown above:  EmergingThreats alerts (that I originally ignored) calling this ransomware CryptFile2.

 

ASSOCIATED DOMAINS:

• www.clairvest.com - Compromised site
• 194.165.16.202 port 80 - ogimac.xyz - EITest gate
• 109.234.36.132 port 80 - top.203kcontractorswashington.com - Rig EK
• 5.39.86.86 port 80 - 5.39.86.86 - GET /default.jpg - Post-infection traffic caused by the CryptFile2 ransomware
• 5.39.86.86 port 80 - 5.39.86.86 - POST /z/setting.php - Post-infection traffic caused by the CryptFile2 ransomware

EMAILS TO GET THE DECRYPT INSTRUCTIONS:

• enc2@usa.com - First email address generated by the CryptFile2 ransomware
• enc2@dr.com - Second email address generated by the CryptFile2 ransomware

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  7123dd9744fe6e55796819b8890682395b2ebea72c0c2c5ab60f26594b6d5a43
  File name:  2016-08-30-EITest-flash-redirect-from-ogimac.xyz.swf

• SHA256 hash:  1f655e31dc4d092c34bd3033427f1540ae3db4467b5d6380f63ded0cce62e807
  File name:  2016-08-30-EITest-Rig-EK-flash-exploit-after-cairvest.com.swf

PAYLOAD:

• SHA256 hash:  51dbbfc5afb2b6e9f4ca37906d84b4f3807d7c79727c71d6ee5827a197644580
  File name:  2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
  File name:  C:\Users\[username]\AppData\Local\Temp\5697.tmp
  File name:  C:\Users\[username]\AppData\Roaming\ChromeFlashPlayer_64c7afbe684395ac.exe

 

IMAGES

Shown above:  The infected Windows desktop after rebooting.

 

Shown above:  Example of the encrypted file names from an infected host.

 

Shown above:  Registry entries showing how the CryptFile2 ransomware stays persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-08-30-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   165.4 kB (165,396 bytes)
• ZIP archive of the malware:  2016-08-30-EITest-Rig-EK-sends-CryptFile2-malware-and-artifacts.zip   155.6 kB (155,637 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.