2016-11-08 - RIG EK/RIG-V DATA DUMP

 

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-11-08-Rig-EK-and-RIGv-data-dump-all-6-pcaps.zip   2.0 MB (2,047,346 bytes)

• 2016-11-08-1st-run-EITest-Rig-EK-sends-Vawtrak.pcap   (363,860 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-sends-Cerber.pcap   (747,480 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-sends-CryptFile2.pcap   (160,323 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-sends-Terdot-or-Zloader.pcap   (226,467 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-sends-Cerber.pcap   (620,286 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-sends-Gootkit.pcap   (674,388 bytes)

• ZIP archive of the malware:  2016-11-08-Rig-EK-and-RIGv-data-dump-malware-and-artifacts.zip   1.4 MB (1,438,168 bytes)

• 2016-11-08-1st-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-1st-run-EITest-Rig-EK-landing-page.txt   (3,300 bytes)
• 2016-11-08-1st-run-EITest-Rig-EK-payload-Vawtrak.exe   (184,320 bytes)
• 2016-11-08-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,610 bytes)
• 2016-11-08-2nd-run-page-from-radiochiclana.com-with-injected-script.txt   (29,246 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-flash-exploit.swf   (51,785 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-landing-page.txt   (5,170 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-payload-Cerber.exe   (533,886 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-flash-exploit.swf   (51,972 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-landing-page.txt   (3,153 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe   (89,088 bytes)
• 2016-11-08-3rd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,641 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-landing-page.txt   (3,282 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-payload-Terdot-or-Zloader.exe   (110,453 bytes)
• 2016-11-08-4th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,607 bytes)
• 2016-11-08-5th-run-page-from-modelocontrato.net-with-injected-script.txt   (27,236 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-flash-exploit.swf   (51,785 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-landing-page.txt   (5,159 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-payload-Cerber.exe   (266,494 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-landing-page.txt   (3,284 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-payload-Gootkit.exe   (244,578 bytes)
• 2016-11-08-6th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,614 bytes)

 

TRAFFIC

1ST RUN:

• cavallinomotorsport.com - Compromised site
• 89.35.178.125 port 80 - kuwad.gerabearsout.cf - Rig EK
• 95.213.134.124 port 443 - olacwimsu.com - Vawtrak HTTPS/SSL/TLS post-infection traffic
• 92.53.96.84 port 80 - ice-baby.ru - Vawtrak HTTP post-infection traffic
• 91.219.31.14 port 443 - brnmsgzc.ru - Vawtrak HTTPS/SSL/TLS post-infection traffic

2ND RUN:

• www.radiochiclana.es - Compromised site
• 195.133.145.84 port 80 - see.steelehendershot.com - RIG-v
• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber
• 190.123.45.169 port 80 - vyohacxzoue32vvk.3sc3f8.bid - HTTP traffic caused by Cerber

3RD RUN:

• cavallinomotorsport.com - Compromised site
• 194.87.234.70 port 80 - asd.1010midtownhomeprices.com - Rig EK (with RIGv URL patterns)
• 195.154.117.218 port 80 - CryptFile2 callback traffic (no response from the server)

4TH RUN:

• cavallinomotorsport.com - Compromised site
• 85.204.74.77 port 80 - ml0318.rzhsxs.top - Rig EK
• 93.78.2.231 port 80 - lopybnutur.top - Terdot/Zloader post-infection traffic

5TH RUN:

• www.modelocontrato.net - Compromised site
• 195.133.145.84 port 80 - ex.steeleo.com - RIG-v
• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber
• 190.123.45.169 port 80 - ffoqr3ug7m726zou.zh5mu9.bid - HTTP traffic caused by Cerber

6TH RUN:

• cavallinomotorsport.com - Compromised site
• 85.204.74.77 port 80 - yqto5k.rzhsxs.top - Rig EK
• 43.239.221.51 port 80 - jerrufer.com - Gootkit post-infection HTTPS/SSL/TLS traffic over port 80
• DNS query for: brafards.com - server response: No such name
• DNS query for: chirulid.com - server response: No such name
• DNS query for: kardrews.com - server response: No such name
• DNS query for: klepsong.com - server response: No such name
• DNS query for: kraspirt.com - server response: No such name
• DNS query for: lessenso.com - server response: No such name
• DNS query for: leswestr.com - server response: No such name
• DNS query for: manahars.com - server response: No such name
• DNS query for: refartor.com - server response: No such name

 

FILE HASHES

FLASH EXPLOITS (SHA256 HASH - FILE NAME):

• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-1st-run-EITest-Rig-EK-flash-exploit.swf
• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-4th-run-EITest-Rig-EK-flash-exploit.swf
• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-6th-run-EITest-Rig-EK-flash-exploit.swf
• 8e62d6dbf73a9d3af44bf147a365cf847b2e8febba26bd339f54d9f58fbdecc4 - 2016-11-08-2nd-run-pseudoDarkleech-RIGv-flash-exploit.swf
• 8e62d6dbf73a9d3af44bf147a365cf847b2e8febba26bd339f54d9f58fbdecc4 - 2016-11-08-5th-run-pseudoDarkleech-RIGv-flash-exploit.swf
• 965e41d574a02caded034be0db62aa5ab6b9ffdd56de2b44b7c18ea6815b0650 - 2016-11-08-3rd-run-EITest-Rig-EK-flash-exploit.swf

PAYLOAD (SHA256 HASH - FILE NAME):

• 2abf98b69d0691519aab2e37595205eec5803d33d0b4fad98a589a5ae330038a 2016-11-08-1st-run-EITest-Rig-EK-payload-Vawtrak.exe
• 9f2208e1c8a3bcb5771471b2c22732e19516f845b5b70f38630538ad8e8a3262 2016-11-08-2nd-run-pseudoDarkleech-RIGv-payload-Cerber.exe
• 64a7cf0a5c8c4eebd1e2d96c2877623183520afd0e467fc6932664f550597554 2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe
• 416ba4966c0a293662933dd0f91faa24ee40e224e378ce631258d40489354c9b 2016-11-08-4th-run-EITest-Rig-EK-payload-Terdot-or-Zloader.exe
• e4e1343c237047e972096499c9914d3f1eda3935da471b422fb01fd28e85872a 2016-11-08-5th-run-pseudoDarkleech-RIGv-payload-Cerber.exe
• 0f7550abe2eee29f44134e20921378d3c9efd8b9d837ddad34d29e1dca178996 2016-11-08-6th-run-EITest-Rig-EK-payload-Gootkit.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-11-08-Rig-EK-and-RIGv-data-dump-all-6-pcaps.zip   2.0 MB (2,047,346 bytes)
• ZIP archive of the malware:  2016-11-08-Rig-EK-and-RIGv-data-dump-malware-and-artifacts.zip   1.4 MB (1,438,168 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.