2016-10-04 - AFRAIDGATE RIG EK FROM 194.87.239.147 SENDS LOCKY RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-10-04-Afraidgate-Rig-EK-sends-Locky-ransomware.pcap.zip   294.5 kB (294,495 bytes)

• 2016-10-04-Afraidgate-Rig-EK-sends-Locky-ransomware.pcap   (345,313 bytes)

• ZIP archive of the malware:  2016-10-04-Afraidgate-Rig-EK-sends-Locky-malware-and-artifacts.zip   275.2 kB (275,208 bytes)

• 2016-10-04-Afraidgate-Rig-EK-flash-exploit.swf   (25,548 bytes)
• 2016-10-04-Afraidgate-Rig-EK-landing-page.txt   (30,048 bytes)
• 2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe   (61,440 bytes)
• 2016-10-04-followup-download-Locky.exe   (194,048 bytes)
• 2016-10-04-page-from-peterluger.com-with-injected-script.txt   (18,944 bytes)
• 2016-10-04-street.fngogo.com-engine-lib-internal-template-js-topic.js.txt   (386 bytes)
• _HOWDO_text.bmp   (3,864,030 bytes)
• _HOWDO_text.html   (9,369 bytes)

NOTES:

• My most recent report on the Afraidgate campaign can be found here.

• Thanks to @killamjr for information on the compromised website.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in page from compromised site pointing to the Afraidgate URL.

 

Shown above:  Afraidgate URL returns iframe pointing to Rig EK landing page.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• peterluger.com - Compromised website
• 138.68.135.68 port 80 - street.fngogo.com - GET /engine/lib/internal/template/js/topic.js - Afraidgate gate/redirect
• 194.87.239.147 port 80 - sd.contentwize.com - Rig EK
• 104.36.83.174 port 80 - conradname.com - GET /forum.php?g=&k=udVVMqO9bkpEx2HWi5RVN4RTE - Locky downloader
• 88.214.236.36 port 80 - 88.214.236.36 - POST /apache_handler.php - post-infection Locky callback

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• jhomitevd2abj3fk.tor2web.org
• jhomitevd2abj3fk.onion.to

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  6bd5397728e394a3902b264ecbb1e7900f5b19cfe5725a4be38b6f273785d295
  File name:  2016-10-04-Afraidgate-Rig-EK-flash-exploit.swf   (25,548 bytes)

RIG EK PAYLOAD (DOWNLOADER FOR LOCKY):

• SHA256 hash:  179d1e27ac9a38b78cdc7c23bb3145f09fbaf7dc1fc975d5238e1f3f262dcc8e
  File name:  2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe   (61,440 bytes)

FOLLOW-UP MALWARE (LOCKY):

• SHA256 hash:  86474a2d876fabddce0bfa9886148ba4134a95442fa1f4d7c3ead5bef964e5b1
  File name:  2016-10-04-followup-download-Locky.exe   (194,048 bytes)

IMAGES

Shown above:  Desktop of the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-10-04-Afraidgate-Rig-EK-sends-Locky-ransomware.pcap.zip   294.5 kB (294,495 bytes)
• ZIP archive of the malware:  2016-10-04-Afraidgate-Rig-EK-sends-Locky-malware-and-artifacts.zip   275.2 kB (275,208 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.