2016-09-26 - EITEST RIG EK FROM 185.141.25.151

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-09-26-EITest-Rig-EK.pcap.zip   176.2 kB (176,197 bytes)

• 2016-09-26-EITest-Rig-EK.pcap   (299,133 bytes)

• ZIP archive of the malware:  2016-09-26-EITest-Rig-EK-malware-and-artifacts.zip   209.4 kB (209,363 bytes)

• 2016-09-26-EITest-Rig-EK-flash-exploit.swf   (25,590 bytes)
• 2016-09-26-EITest-Rig-EK-landing-page.txt   (3,409 bytes)
• 2016-09-26-EITest-Rig-EK-payload.exe   (258,048 bytes)
• 2016-09-26-EITest-flash-redirect-from-laptopking.top.swf   (4,595 bytes)
• 2016-09-26-page-from-agers.es-wth-injected-EITest-script.txt   (63,773 bytes)

 

NOTES:

• Thanks to @FreeBSDfan for information on today's compromised website.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-31 - Palo Alto Networks Unit 42 blog:  How the EITest Campaign's Path to Angler EK Evolved Over Time.
• 2016-06-08 - SANS ISC diary:  Neutrino EK and CryptXXX  (campaigns using Angler EK switch to Neutrino EK)
• 2016-08-18 - SANS ISC diary:  1 compromised site - 2 campaigns  (EITest campaign switched to Rig EK)

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from the compromised site pointing to an EITest gate.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.agers.es - Compromised site
• 31.184.192.173 port 80 - www.laptopking.top - EITest gate
• 185.141.25.151 port 80 - u7pm.lreis.top - Rig EK

 

FILE HASHES

FLASH FILES:

• SHA256 hash:  cc21bee629f99e6a5e5b433f593670b2dea4075b6252fb04fd1bfbb40fbf8e80
  File name:  2016-09-26-EITest-flash-redirect-from-laptopking.top.swf
  

• SHA256 hash:  970491ca792332f3479200c94dddfe7d77112beb0b879d5becb279010860b487
  File name:  2016-09-26-EITest-Rig-EK-flash-exploit.swf
  

PAYLOAD:

• SHA256 hash:  d6c919919b8b5de2d226512445f959763567b1bcfebd3f1387316609f6086aa3
  File name:  2016-09-26-EITest-Rig-EK-payload.exe
  

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-09-26-EITest-Rig-EK.pcap.zip   176.2 kB (176,197 bytes)
• ZIP archive of the malware:  2016-09-26-EITest-Rig-EK-malware-and-artifacts.zip   209.4 kB (209,363 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.