2016-11-15 - RIG EK DATA DUMP

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-11-15-Rig-EK-data-dump-all-4-pcaps.zip   954 kB (954,266 bytes)

• 2016-11-15-1st-run-EITest-Rig-E-traffic.pcap   (293,770 bytes)
• 2016-11-15-2nd-run-EITest-Rig-standard-sends-CryptFile2-ransomware.pcap   (165,702 bytes)
• 2016-11-15-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (598,684 bytes)
• 2016-11-15-4th-run-EITest-Rig-E-traffic.pcap   (523,184 bytes)

• ZIP archive of the malware:  2016-11-15-Rig-EK-data-dump-malware-and-artifacts.zip   991 kB (991,104 bytes)

• 2016-11-15-1st-run-Rig-E-flash-exploit.swf   (52,582 bytes)
• 2016-11-15-1st-run-Rig-E-landing-page.txt   (3,300 bytes)
• 2016-11-15-1st-run-Rig-E-payload.exe   (214,016 bytes)
• 2016-11-15-1st-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,810 bytes)
• 2016-11-15-2nd-run-CryptFile2-decryption-instructions.txt   (3,236 bytes)
• 2016-11-15-2nd-run-Rig-standard-flash-exploit.swf   (48,722 bytes)
• 2016-11-15-2nd-run-Rig-standard-landing-page.txt   (3,47 bytes)
• 2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe   (78,336 bytes)
• 2016-11-15-2nd-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,823 bytes)
• 2016-11-15-3rd-run-Cerber-decryption-instructions-README.hta   (67,712 bytes)
• 2016-11-15-3rd-run-Cerber-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-11-15-3rd-run-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-15-3rd-run-Rig-V-flash-exploit.swf   (51,787 bytes)
• 2016-11-15-3rd-run-Rig-V-landing-page.txt   (5,183 bytes)
• 2016-11-15-3rd-run-Rig-V-payload-Cerber.exe   (265,417 bytes)
• 2016-11-15-3rd-run-page-from-joellipman.com-with-injected-pseudoDarkleech-script.txt   (68,392 bytes)
• 2016-11-15-4th-run-Rig-E-flash-exploit.swf   (52,582 bytes)
• 2016-11-15-4th-run-Rig-E-landing-page.txt   (21,192 bytes)
• 2016-11-15-4th-run-Rig-E-payload.exe   (214,016 bytes)
• 2016-11-15-4th-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,800 bytes)

 

BACKGROUND:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encoding for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, landing page structure, and payload obfuscation.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• Rig standard: a standard version (like Rig-E) but uses new URL patterns introduced by Rig-V.  The EITest campaign uses Rig standard to send CryptFile2 ransomware.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from a compromised site.

Shown above:  Injected script from the pseudoDarkleech campaign in a page from a compromised site.

Shown above:  Traffic from the 1st infection filtered in Wireshark.

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

Shown above:  Traffic from the 3rd infection filtered in Wireshark.

Shown above:  Traffic from the 4th infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 104.168.132.122 port 80 - math.scientistwh.top - Rig-E (Empire Pack) from 1st infection
• 104.168.132.123 port 80 - tj00qxj.l9fmia.top - Rig-E (Empire Pack) from 4th infection
• 109.234.34.144 port 80 - add.quickstartcharts.com - Rig-V from 3rd infection
• 195.133.144.147 port 80 - new.liveinthelot.com - Rig standard from 2nd infection

• 185.153.197.66 port 80 - 185.153.197.66 - Cryptfile2 ransomware callback from 2nd infection

• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber ransomware from 3rd infection
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber ransomware from 3rd infection
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber ransomware from 3rd infection
• 104.238.215.11 port 80 - lfdachijzuwx4bc4.tjdup0.top - HTTP traffic caused by Cerber ransomware from 3rd infection

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1
  File name:  2016-11-15-1st-run-Rig-E-flash-exploit.swf   (52,582 bytes)
  File name:  2016-11-15-4th-run-Rig-E-flash-exploit.swf   (52,582 bytes)

• SHA256 hash:  f33cf0ec177338f7d583b47ac4e127e44d1fa7322111db523bb4ecd6c393374f
  File name:  2016-11-15-2nd-run-Rig-standard-flash-exploit.swf   (48,722 bytes)

• SHA256 hash:  83f623627fc0d87a588bc3b4ab5090caf959cef4c6035226d710375c09ef499f
  File name:  2016-11-15-3rd-run-Rig-V-flash-exploit.swf   (51,787 bytes)

PAYLOADS:

• SHA256 hash:  9e8880f6c6ccd93425298c7881e28535f31a59eafda8fc476163b0b795afbf5f
  File name:  2016-11-15-1st-run-Rig-E-payload.exe   (214,016 bytes)

• SHA256 hash:  ab112b5cee5725be8ec1c6c3f13ac498da3b70bdf03162e0f1208c93338546f5
  File name:  2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe   (78,336 bytes)

• SHA256 hash:  2bc4a7f6b3bbc905e6c51a59ca872696b0a219953edf2a3ebb64339dfca6a770
  File name:  2016-11-15-3rd-run-Rig-V-payload-Cerber.exe   (265,417 bytes)

• SHA256 hash:  d52659289f320f7fb86108fc3c6aee07b372f6d81c16b711fa982fe0b8dc0f91
  File name:  2016-11-15-4th-run-Rig-E-payload.exe   (214,016 bytes)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-11-15-Rig-EK-data-dump-all-4-pcaps.zip   954 kB (954,266 bytes)
• ZIP archive of the malware:  2016-11-15-Rig-EK-data-dump-malware-and-artifacts.zip   991 kB (991,104 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.