2016-10-05 - EITEST RIG EK FROM 194.87.239.148 SENDS CRYPTFILE2 RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-05-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   110.2 kB (110,191 bytes)

• 2016-10-05-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap   (156,754 bytes)

• ZIP archive of the malware:  2016-10-05-EITest-Rig-EK-sends-CryptFile2-malware-and-artifacts.zip   80.6 kB (80,641 bytes)

• 2016-10-05-CryptFile2-HELP_DECRYPT_YOUR_FILES.TXT   (3,347 bytes)
• 2016-10-05-EITest-Rig-EK-flash-exploit.swf   (25,642 bytes)
• 2016-10-05-EITest-Rig-EK-landing-page.txt   (21,523 bytes)
• 2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe   (89,600 bytes)
• 2016-10-05-page-from-distripol.com-with-injected-script.txt   (52,082 bytes)

 

NOTES:

• This morning I noticed the injected script from this campaign has changed.
• I checked the compromised site that generated EITest traffic from 2016-09-29, and I saw the same new type of injected script in that EITest-compromised site too.
• Then I found out my cyber comrade at Broad Analysis had already posted about it.  Mad props to that site and the person who runs it!  Whoo!

• Thanks to @FreeBSDfan for information on the compromised website.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate (the same day my Palo Alto Networks Unit 42 blog went live).

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected EITest script in a page from the compromised website.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.distripol.com - Compromised website
• 194.87.239.148 port 80 - rec.3dprintingformanufacturing.com - Rig EK
• 37.59.39.53 port 80 - 37.59.39.53 - CryptFile2 post-infection traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  a05e1537586b892a5f95ab1bfdde5ab196be0386ae48e63c85cce1c1f28be6e8
  File name: 2016-10-05-EITest-Rig-EK-flash-exploit.swf   (25,642 bytes)

PAYLOAD:

• SHA256 hash:  1445d1d97f2700ab8335af641b50395522381fa1d06a12770987350fcca97c8a
  File name:  2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe   (89,600 bytes)

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-05-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   110.2 kB (110,191 bytes)
• ZIP archive of the malware:  2016-10-05-EITest-Rig-EK-sends-CryptFile2-malware-and-artifacts.zip   80.6 kB (80,641 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.