2016-10-18 - EITEST RIG EK FROM 195.133.201.133 SENDS CRYPTFILE2 RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-18-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   154.4 kB (154,437 bytes)

• 2016-10-18-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap   (235,671 bytes)

• ZIP archive of the malware:  2016-10-18-EITest-Rig-EK-sens-CryptFile2-malware-and-artifacts.zip   132.9 kB (132,913 bytes)

• 2016-10-18-CryptFile2-HELP_DECRYPT_YOUR_FILES.TXT   (32,20 bytes)
• 2016-10-18-EITest-Rig-EK-flash-exploit.swf   (77,137 bytes)
• 2016-10-18-EITest-Rig-EK-landing-page.txt   (3,501 bytes)
• 2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe   (76,288 bytes)
• 2016-10-18-page-from-translation.ie-with-injected-script.txt   (47,052 bytes)

 

NOTES:

• I already documented today's compromised website on 2016-10-10 based on a 2016-10-07 tweet from @Sec_She_Lady.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaing stops using obfuscation for injected script in pages from compromised websites.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.translation.ie - Compromised site
• 195.133.201.133 port 80 - as.cubabueno.com - Rig EK
• 195.154.122.33 port 80 - 195.154.122.33 - CryptFile2 post-infection traffic

EMAILS ADDRESSES FROM THE DECRYPT INSTRUCTIONS:

• enc6@usa.com
• enc6@dr.com

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  0efdec1735156965a0418f27c9b88e8115319837ebe9a79be53a578bc6b99a91
  File name:  2016-10-18-EITest-Rig-EK-flash-exploit.swf   (77,137 bytes)

PAYLOAD:

• SHA256 hash:  c9fa0be3995834ccc51ea05f02b948904d4a8ee027fc86febfd11eb2612f5cd4
  File name:  2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe   (76,288 bytes)

 

IMAGES

Shown above:  Malware made persistent on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-18-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap.zip   154.4 kB (154,437 bytes)
• ZIP archive of the malware:  2016-10-18-EITest-Rig-EK-sens-CryptFile2-malware-and-artifacts.zip   132.9 kB (132,913 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.