2016-11-22 - RIG EK DATA DUMP

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-11-22-Rig-EK-data-dump-all-4-pcaps.zip   1.4 MB (1,400,648 bytes)

• 2016-11-22-1st-run-EITest-Rig-E-traffic.pcap   (662,419 bytes)
• 2016-11-22-2nd-run-EITest-Rig-standard-sends-CryptFile2-ransomware.pcap   (173,971 bytes)
• 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (601,911 bytes)
• 2016-11-22-4th-run-Afraidgate-Rig-V-causes-Locky-infection.pcap   (358,995 bytes)

• ZIP archive of the malware:  2016-11-22-Rig-EK-data-dump-malware-and-artifacts.zip   880 kB (879,957 bytes)

• 2016-11-22-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-22-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-22-1st-run-EITest-Rig-E-landing-page.txt   (85,260 bytes)
• 2016-11-22-1st-run-EITest-Rig-E-payload-radAA63F.tmp.exe   (261,632 bytes)
• 2016-11-22-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,804 bytes)
• 2016-11-22-2nd-run-EITest-Rig-standard-flash-exploit.swf   (39,147 bytes)
• 2016-11-22-2nd-run-EITest-Rig-standard-landing-page.txt   (3,138 bytes)
• 2016-11-22-2nd-run-EITest-Rig-standard-payload-CryptFile2-3274.tmp   (85,504 bytes)
• 2016-11-22-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,812 bytes)
• 2016-11-22-3rd-run-page-from-wordtemplates.org-with-injected-script.txt   (54,474 bytes)
• 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (37,559 bytes)
• 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,,192 bytes)
• 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber-radCC957.tmp.exe   (260,298 bytes)
• 2016-11-22-4th-run-Afraidgate-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-22-4th-run-Afraidgate-Rig-V-flash-exploit.swf   (3,7559 bytes)
• 2016-11-22-4th-run-Afraidgate-Rig-V-landing-page.txt   (5,192 bytes)
• 2016-11-22-4th-run-Afraidgate-Rig-V-payload-radCD4C2.tmp.exe   (78,848 bytes)
• 2016-11-22-4th-run-Afraidgate-redirect-openair.mirceasandu.ro-shortcuts.js.txt   (415 bytes)
• 2016-11-22-4th-run-page-from-ardenne.org-with-injected-script.txt   (18,666 bytes)
• 2016-11-22-4th-run-post-infection-download-Locky-jtqaLMMFNErRMgrba8hW2Al3B.exe   (211,456 bytes)

BACKGROUND:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary)  The EITest campaign uses Rig standard to send CryptFile2 ransomware.

 

TRAFFIC

Shown above:  Traffic from the 1st infection filtered in Wireshark.

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

Shown above:  Traffic from the 3rdd infection filtered in Wireshark.

Shown above:  Traffic from the bonus infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• cavallinomotorsport.com - Compromised site that led to EITest Rig-E (1st run) and EITest Rig standard (2nd run)
• www.wordtemplates.org - Compromised site that led to pseudoDarkleech Rig-V (3rd run)
• ardenne.org - Compromised site that led to Afraidgate Rig-V (4th run)

• 185.153.198.126 port 80 - h4fbec.xpfhtb.top - Rig-E (1st run)
• 46.30.46.65 port 80 - art.aizona.com - Rig standard (2nd run)
• 46.30.46.51 port 80 - acc.kutahya2043.com - Rig-V (3rd run)
• 46.30.46.51 port 80 - see.kutahya2043.info - Rig-V (4th run)

• 217.23.12.131 port 80 - 217.23.12.131 - CryptFile2 ransomware post-infection traffic (2nd run)

• 65.55.50.0 - 65.55.50.31 (65.55.50.0/27) port 6892 - UDP traffic caused by Cerber ransomware (3rd run)
• 192.42.118.0 - 192.42.118.31 (192.42.118.0/27)port 6892 - UDP traffic caused by Cerber ransomware (3rd run)
• 194.165.16.0 - 194.165.19.255 (194.165.16.0/22) port 6892 - UDP traffic caused by Cerber ransomware (3rd run)
• 104.223.3.114 port 80 - ffoqr3ug7m726zou.tep6xb.top - HTTP traffic caused by Cerber ransomware (3rd run)

• 159.203.18.229 port 80 - openair.mirceasandu.ro - Afraidgate redirect (4th run)
• 185.162.8.48 port 80 - heathbloginfo.com - Domain contacted to download Locky (4th run)
• 94.242.55.81 port 80 - 94.242.55.81 - Lock post-infection traffic (4th run)
• 95.46.114.205 port 80 - 95.46.114.205 - Lock post-infection traffic (4th run)
• 80.87.202.49 port 80 - 80.87.202.49 - Lock post-infection traffic (4th run)

 

FILE HASHES

FLASH EXPLOITS (SHA256 HASH - FILE NAME):

• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-11-22-1st-run-EITest-Rig-E-flash-exploit.swf
• 8794626ca0160b5be2965240fdfd05d0c4818d6f72a4ddffbc7a6f48c0460094 - 2016-11-22-2nd-run-EITest-Rig-standard-flash-exploit.swf
• 3faf0f278306eaca73f7b6d6f20ea64522e03e56192df6aee561e9359f1d2948 - 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf
• 3faf0f278306eaca73f7b6d6f20ea64522e03e56192df6aee561e9359f1d2948 - 2016-11-22-4th-run-Afraidgate-Rig-V-flash-exploit.swf

MALWARE (SHA256 HASH - FILE NAME):

• 45a1a265bb27ee8f05b0835db2efa89bd88d0ec3aecfb1b3a922f26602535654 - 2016-11-22-1st-run-EITest-Rig-E-payload-radAA63F.tmp.exe
• d26d94b3f2148b818969a692efa8fccab2f8476d06b7119e2996108aefc47981 - 2016-11-22-2nd-run-EITest-Rig-standard-payload-CryptFile2-3274.tmp
• 30ed67ed6e182b925a5f891abf0bc0c68e8712bc9eea33561d30a18efd33db62 - 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber-radCC957.tmp.exe
• cf0ddff94b84954900457f39b209c5aab6e5c46d723d5afdf310032a6e650cc3 - 2016-11-22-4th-run-Afraidgate-Rig-V-payload-radCD4C2.tmp.exe
• d319d46e713f1ec1f1f1bb7473af606eff38912dc0e84ddce9063fa60f95a900 - 2016-11-22-4th-run-post-infection-download-Locky-jtqaLMMFNErRMgrba8hW2Al3B.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-11-22-Rig-EK-data-dump-all-4-pcaps.zip   1.4 MB (1,400,648 bytes)
• ZIP archive of the malware:  2016-11-22-Rig-EK-data-dump-malware-and-artifacts.zip   880 kB (879,957 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.