Malware-Traffic-Analysis.net - 2016-09-16 - EK data dump - EITest and pseudoDarkleech Rig EK, Afraidgate Neutrino EK

2016-09-16 - EK DATA DUMP - EITEST AND PSEUDODARKLEECH RIG EK, AFRAIDGATE NEUTRINO EK

ASSOCIATED FILES:

ZIP archive of the pcaps: 22016-09-16-EK-data-dump.pcap.zip 2.1 MB (2,122,632 bytes)
ZIP archive of the malware: 2016-09-16-EK-data-dump-malware-and-artifacts.zip 1.1 MB (1,093,495 bytes)

NOTES:

Thanks to Baber for the emails he sends me about compromised websites.
I also found some other compromised sites by reviewing old tweets from @FreeBSDfan.

TRAFFIC

ASSOCIATED DOMAINS:

blog.sewmucheasier.com - Compromised site
31.184.192.188 port 80 - iiofuro.top - EITest gate
185.117.73.195 port 80 - zxzdo.y4z6rp59a.top - Rig EK
Bart ransomware payload - no callback traffic

www.converterlist.com - Compromised site
74.208.205.36 port 80 - syrtibusquepivsakko.letloosevip.com - Rig EK
65.49.8.96 port 443 - CrypMIC calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

www.dilmotioncontrol.com - Compromised site
74.208.205.36 port 80 - syrtibusquepivsakko.letloosevip.com - Rig EK
65.49.8.96 port 443 - CrypMIC calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

revistaelobservador.com - Compromised site
31.184.192.188 port 80 - kumaconexion.top - EITest gate
185.117.73.195 port 80 - zxzdo.y4z6rp59a.top - Rig EK
Bart ransomware payload - no callback traffic

www.avanzagrupo.com - Compromised site
83.217.27.178 port 80 - jjadfhcyxu.ddnsking.com - GET /wordpress/?ARX8 - gate/decirect
74.208.193.71 port 80 - groepleier.702guru.com - Rig EK
65.49.8.96 port 443 - CrypMIC calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

picmania.garcia-cuervo.net - Compromised site
178.62.23.109 port 80 - lin.portalsmk.com - GET /jquery.file.js - Afraidgate redirect
137.74.148.232 port 80 - mlylrqaa.nowmalawi.top - Neutrino EK
Payload not sent

picmania.garcia-cuervo.net - Compromised site
178.62.23.109 port 80 - knight.manex.us - GET /jquery.colorbox-min.js - Afraidgate redirect
Did not make it to the EK landing page

picmania.garcia-cuervo.net - Compromised site
178.62.23.109 port 80 - knight.manex.us - GET /scripts/advertising.js - Afraidgate redirect
137.74.148.232 port 80 - fnszgx.nowmalawi.top - Neutrino EK
185.75.46.29 port 80 - 185.75.46.29 - GET /tt.php - Locky downloader calling for Locky
51.255.105.2 port 80 - 51.255.105.2 - POST /data/info.php - Locky post-infection callback

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 22016-09-16-EK-data-dump.pcap.zip 2.1 MB (2,122,632 bytes)
ZIP archive of the malware: 2016-09-16-EK-data-dump-malware-and-artifacts.zip 1.1 MB (1,093,495 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.