2016-10-13 - EITEST RIG EK FROM 185.141.26.108

ASSOCIATED FILES:

• ZIP archive of the traffic:  2016-10-13-EITest-Rig-EK.pcap.zip   254.8 kB (254,847 bytes)

• 2016-10-13-EITest-Rig-EK.pcap   (384,054 bytes)

• ZIP archive of the malware, first run:  2016-10-13-EITest-Rig-EK-malware-and-artifacts.zip   206.8 kB (206,786 bytes)

• 2016-10-13-EITest-Rig-EK-flash-exploit.swf   (75,171 bytes)
• 2016-10-13-EITest-Rig-EK-landing-page.txt   (3,451 bytes)
• 2016-10-13-EITest-Rig-EK-payload.exe   (211,456 bytes)
• 2016-10-13-page-from-computersupportservicesnj.com-with-injected-EITest-script.txt   (44,440 bytes)

 

NOTES:

• As always, thanks to everyone who tweets about the compromised websites they run across.
• I found today's compromised website in a tweet from @Sec_She_Lady on 2016-10-11 (link).

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate (the same day my Palo Alto Networks Unit 42 blog went live).

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  An example of injected EITest script in a page from the compromised website.

 

Shown above:  Traffic from the infection filtered traffic in Wireshark.

ASSOCIATED DOMAINS:

• www.computersupportservicesnj.com - Compromised website
• 185.141.26.108 port 80 - p7bd.uob4am2vl.top - Rig EK
• 104.238.131.117 port 80 - loremipsumdolorsitamet.pw - Post-infection callback

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  5c8f0691718a0c55a68789e94f72d956e4c655df0fed7f84245e2e9498f5ca13
  File name:  2016-10-13-EITest-Rig-EK-flash-exploit.swf   (75,171 bytes)

PAYLOAD:

• SHA256 hash:  d4068c7e5ad4f82ed81449f9ab887e8ac2f06c034ebf92f595b086ec23b6077d
  File name:  2016-10-13-EITest-Rig-EK-payload.exe   (211,456 bytes)

 

IMAGES

Shown above:  Malware the infection made persistent on the Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the traffic:  2016-10-13-EITest-Rig-EK.pcap.zip   254.8 kB (254,847 bytes)
• ZIP archive of the malware, first run:  2016-10-13-EITest-Rig-EK-malware-and-artifacts.zip   206.8 kB (206,786 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.