2016-10-10 - EITEST RIG EK DATA DUMP

ASSOCIATED FILES:

• ZIP archive of the traffic:  2016-10-10-EITest-Rig-EK-all-3-pcaps.zip   6.5 MB (6,479,248 bytes)

• 2016-10-10-EITest-Rig-EK-first-run.pcap   (663,054 bytes)
• 2016-10-10-EITest-Rig-EK-second-run.pcap   (2,238,284 bytes)
• 2016-10-10-EITest-Rig-EK-third-run.pcap   (4,191,610 bytes)

• ZIP archive of the malware, first run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-first-run.zip   403.9 kB (403,857 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-first-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-first-run.txt   (3,452 bytes)
• 2016-10-10-EITest-Rig-EK-payload-first-run.exe   (223,744 bytes)
• 2016-10-10-page-from-wiki.vmug.com-with-injected-script.txt   (23,645 bytes)
• 2016-10-10-scheduled-task-for-ctfreg.dll.txt   (3,346 bytes)
• 2016-10-10-scheduled-task-for-diskja.dll.txt   (3,348 bytes)
• ctfreg.dll   (200,704 bytes)
• diskja.dll   (200,704 bytes)

• ZIP archive of the malware, second run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-second-run.zip   331.0 kB (331,012 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-second-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-second-run.txt   (3,455 bytes)
• 2016-10-10-EITest-Rig-EK-payload-second-run.exe   (400,384 bytes)
• 2016-10-10-page-from-translation.ie-with-injected-script.txt   (48,021 bytes)

• ZIP archive of the malware, third run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-third-run.zip   167.9 kB (167,942 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-third-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-third-run.txt   (3,434 bytes)
• 2016-10-10-EITest-Rig-EK-payload-third-run.exe   (203,575 bytes)
• 2016-10-10-page-from-criticall911.com-with-injected-script.txt   (53,540 bytes)

 

NOTES:

• Thanks to @FreeBSDfan, @Oddly_Normal, and @Sec_She_Lady for their tweets that gave me today's compromised sites.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate (the same day my Palo Alto Networks Unit 42 blog went live).

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected EITest script in a page from the first compromised website.

Shown above:  Traffic from the first run filtered in Wireshark.

 

Shown above:  Injected EITest script in a page from the second compromised website.

Shown above:  Traffic from the second run filtered in Wireshark.

 

Shown above:  Injected EITest script in a page from the third compromised website.

Shown above:  Traffic from the third run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• wiki.vmug.com - Compromised site (first run)
• 185.117.73.18 port 80 - b7gqh.inbvq0t.top - Rig EK (first run)
• 79.110.251.102 port 80 - bigikurik.com - post-infection traffic (HTTPS/SSL/TLS over TCP port 80)

• www.translation.ie - Compromised site (second run)
• 185.117.73.18 port 80 - b7gqh.inbvq0t.top - Rig EK (second run)
• 198.12.107.167 port 80 - 198.12.107.167 - post-infection traffic

• criticall911.com - Compromised site (third run)
• 185.117.73.180 port 80 - x0md.r0tfo.top - Rig EK (third run)
• 108.61.174.115 port 443 - sta.grhstchs.com - post-infection traffic (HTTPS/SSL/TLS)

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  4f3632001131f30bd7d01c4c0c195abb947b5556c34479e5f5a8bde2326dda48
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-first-run.swf   (25,045 bytes)
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-second-run.swf   (25,045 bytes)
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-third-run.swf   (25,045 bytes)

PAYLOADS:

• SHA256 hash:  9a6a920cb20430d33886f007cec6d018f623676b8feda7a7a6fdc739f4768c96
  File name:  2016-10-10-EITest-Rig-EK-payload-first-run.exe   (223,744 bytes)

• SHA256 hash:  7b57138a0db41afe1f1945e8e19dcec58658d32150bb273001a417d79afa56ae
  File name:  2016-10-10-EITest-Rig-EK-payload-second-run.exe   (400,384 bytes)

• SHA256 hash:  5b9fb08816666fedbe24cfc89e212faf3d04c8445c54e2d12454e424f38b972b
  File name:  2016-10-10-EITest-Rig-EK-payload-third-run.exe   (203,575 bytes)

DROPPED MALWARE (FROM FIRST RUN):

• SHA256 hash:  9f5267e1313f83502bff135e928c4804cce7828b7d4fead05a2f95c23df48684
  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\ctfreg.dll   (200,704 bytes)
  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\diskja.dll   (200,704 bytes)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the traffic:  2016-10-10-EITest-Rig-EK-all-3-pcaps.zip   6.5 MB (6,479,248 bytes)
• ZIP archive of the malware, first run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-first-run.zip   403.9 kB (403,857 bytes)
• ZIP archive of the malware, second run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-second-run.zip   331.0 kB (331,012 bytes)
• ZIP archive of the malware, third run:  2016-10-10-EITest-Rig-EK-malware-and-artifacts-third-run.zip   167.9 kB (167,942 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.