2016-10-17 - EITEST RIG EK FROM 195.133.201.121 SENDS CRYPTFILE2 RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-10-17-EITest-Rig-EK-all-3-pcaps.zip 447.7 kB (447,667 bytes)
- 2016-10-17-EITest-Rig-EK-first-run.pcap (220,965 bytes)
- 2016-10-17-EITest-Rig-EK-second-run.pcap (207,436 bytes)
- 2016-10-17-EITest-Rig-EK-third-run.pcap (269,756 bytes)
- ZIP archive of the malware: 2016-10-17-EITest-Rig-EK-malware-and-artifacts.zip 204.2 kB (204,197 bytes)
- 2016-10-17-CryptFile2-HELP_DECRYPT_YOUR_FILES.TXT (3,219 bytes)
- 2016-10-17-EITest-Rig-EK-flash-exploit-all-three-runs.swf (77,118 bytes)
- 2016-10-17-EITest-Rig-EK-landing-page-first-run.txt (3,516 bytes)
- 2016-10-17-EITest-Rig-EK-landing-page-second-run.txt (3,516 bytes)
- 2016-10-17-EITest-Rig-EK-landing-page-third-run.txt (3,517 bytes)
- 2016-10-17-EITest-Rig-EK-payload-CryptFile2-first-and-second-run.exe (75,776 bytes)
- 2016-10-17-EITest-Rig-EK-payload-CryptFile2-third-run.exe (75,264 bytes)
- 2016-10-17-page-from-blog.masmovil.es-with-injected-EITest-script.txt (63,910 bytes)
- 2016-10-17-page-from-interlinetravel.com-with-injected-EITest-script.txt (83,703 bytes)
- 2016-10-17-page-from-sandiegomonsterbash.com-with-injected-EITest-script.txt (34,130 bytes)
NOTES:
- As always, thanks to everyone who tweets about the compromised websites they find.
- I found today's compromised website in tweets from @BiebsMalwareGuy and @FreeBSDfan.
BACKGROUND ON THE EITEST CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-10-03 - Palo Alto Networks Unit 42 blog: EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
- 2016-10-03 - Broadanalysis.com: EITest campaign stopped using a gate.
- 2016-10-15 - Broadanalysis.com: EITest campaign stops using obfuscation for injected script in pages from compromised websites.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the first compromised site.
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Injected script from the EITest campaign in a page from the second compromised site.
Shown above: Traffic from the second pcap filtered in Wireshark.
Shown above: Injected script from the EITest campaign in a page from the third compromised site.
Shown above: Traffic from the third pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- blog.masmovil.es - Compromised site (first run)
- www.sandiegomonsterbash.com - Compromised site (second run)
- www.interlinetravel.com - Compromised site (third run)
- 195.133.201.121 port 80 - add.francafranca.com - Rig EK (all 3 runs)
- 5.39.93.43 port 80 - 5.39.93.43 - GET /index.jpg - CryptFile2 initial checkin (all 3 runs)
- 5.39.93.43 port 80 - 5.39.93.43 - POST /u/affer.php - CryptFile2 post-infection traffic (all 3 runs)
EMAIL ADDRESSES FROM THE DECRYPT INSTRUCTIONS:
- e n c 6 @ u s a . c o m
- e n c 6 @ d r . c o m
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 6f39a152ccbb12864ce0ca051eca11113b8b5658bf265abef67d38f977123b55
File name: 2016-10-17-EITest-Rig-EK-flash-exploit-all-three-runs.swf (77,118 bytes)
PAYLOADS:
- SHA256 hash: 92a0df6f1c8f58eaba1cb262085aa099339728be394c211fdaed47c575206f9e
File name: 2016-10-17-EITest-Rig-EK-payload-CryptFile2-first-and-second-run.exe (75,776 bytes)
- SHA256 hash: 80a59ecac1c090c319b193f73fbb9a0d9514c19067981e060051a5ab96d7a437
File name: 2016-10-17-EITest-Rig-EK-payload-CryptFile2-third-run.exe (75,264 bytes)
IMAGES
Shown above: Desktop of an infected Windows host after rebooting.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-10-17-EITest-Rig-EK-all-3-pcaps.zip 447.7 kB (447,667 bytes)
- ZIP archive of the malware: 2016-10-17-EITest-Rig-EK-malware-and-artifacts.zip 204.2 kB (204,197 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.