2016-10-07 - EITEST RIG EK FROM 178.32.92.100

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-07-EITest-Rig-EK-traffic.pcap.zip   423.5 kB (423,512 bytes)

• 2016-10-07-EITest-Rig-EK-traffic.pcap   (564,376 bytes)

• ZIP archive of the malware:  2016-10-07-EITest-Rig-EK-malware-and-artifacts.zip   743.4 kB (743,433 bytes)

• 2016-10-07-EITest-Rig-EK-flash-exploit.swf   (25,334 bytes)
• 2016-10-07-EITest-Rig-EK-landing-page.txt   (3,471 bytes)
• 2016-10-07-EITest-Rig-EK-payload.exe   (465,408 bytes)
• 2016-10-07-page-from-jeanpierrehupkens.be-with-injected-EITest-script.txt   (25,685 bytes)
• ugisorhauwr.exe   (465,408 bytes)

 

NOTES:

• Thanks to @2xyo for a tweet about the compromised website (link).

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate (the same day my Palo Alto Networks Unit 42 blog went live).

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected EITest script in a page from the compromised website.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.jeanpierrehupkens.be - Compromised website
• 178.32.92.100 port 80 - uiwkqj.coreformass.ml - Rig EK
• 190.14.38.68 port 443 - wegas.info - HTTPS/SSL/TLS traffic
• 185.53.168.118 port 80 - cctoday.info - attempted TCP connections, but no response from the server

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  7499355f001a6da3a3f0fbeffde0e213416a52498ce4211182e058a62705f4cc
  File name:  2016-10-07-EITest-Rig-EK-flash-exploit.swf   (25334 bytes)

PAYLOAD:

• SHA256 hash:  b3893d269483c1d59d46b1bec4cd3ff19e9daa0383580c6fee453005403a7e66
  File name:  2016-10-07-EITest-Rig-EK-payload.exe   (465408 bytes)

DROPPED MALWARE:

• SHA256 hash:  16ce22397e8261714a272d82627bb3a55b65d7f4e65e0d54acfb3c5ed37e68cc
  File name:  C:\Users\[username]\AppData\Roaming\Cyaqypekq\ugisorhauwr.exe   (465408 bytes)

 

IMAGES

Shown above:  Malware made persistent on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-07-EITest-Rig-EK-traffic.pcap.zip   423.5 kB (423,512 bytes)
• ZIP archive of the malware:  2016-10-07-EITest-Rig-EK-malware-and-artifacts.zip   743.4 kB (743,433 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.