2016-11-30 - RIG EK DATA DUMP

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-11-30-Rig-EK-data-dump-all-6-pcaps.zip   3.1 MB (3,052,062 bytes)

• 2016-11-29-1st-run-EITest-Rig-E-traffic.pcap   (1,005,331 bytes)
• 2016-11-29-2nd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (456,397 bytes)
• 2016-11-29-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (496,604 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (472,537 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (379,189 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-traffic.pcap   (905,031 bytes)

• ZIP archive of the malware:  2016-11-30-Rig-EK-data-dump-malware-and-artifacts.zip   1.6 MB (1,607,095 bytes)

• 2016-11-29-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-landing-page.txt   (85,248 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-payload-rad65C7C.tmp.exe   (285,696 bytes)
• 2016-11-29-1st-run-page-from-abogadoszurbanocaracas.com-with-injected-script.txt   (15,604 bytes)
• 2016-11-29-2nd-run-page-from-fundeun.es-with-injected-script.txt   (126,143 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-flash-exploit.swf   (12,394 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-landing-page.txt   (90,078 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-payload-Cerber-rad6F670.tmp.exe   (217,323 bytes)
• 2016-11-29-3rd-run-page-from-lavozdeltrubia.es-with-injected-script.txt   (72,753 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-flash-exploit.swf   (12,394 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-landing-page.txt   (90,068 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-payload-Cerber-radC816F.tmp.exe   (265,910 bytes)
• 2016-11-30-1st-run-page-from-immigrationsolutions.com-with-injected-script.txt   (22,110 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (9,884 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-landing-page.txt   (90,253 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-payload-Cerber-rad4B90E.tmp.exe   (263,794 bytes)
• 2016-11-30-2nd-run-page-from-joellipman.com-with-injected-script.txt   (68,857 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (9,884 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-landing-page.txt   (90,173 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-payload-Cerber-rad5FFAA.tmp.exe   (216,997 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-landing-page.txt   (85,276 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-payload-8E5.tmp   (89,780 bytes)
• 2016-11-30-3rd-run-page-from-abogadoszurbanocaracas.com-with-injected-script.txt   (15,601 bytes)

NOTE:

• What do you do when you have a lot of intercepted traffic but no time to post in detail?  You dump it!

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary)  The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaing stops using obfuscation for injected script in pages from compromised websites.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

 

TRAFFIC

ASSOCIATED DOMAINS:

• abogadoszurbanocaracas.com - Compromised site (2016-11-29)
• 191.101.31.25 port 80 - ywom0.vzvajzr.top - Rig-E
• 146.0.77.16 port 80 - 146.0.77.16 - Post-infection HTTP traffic



• fundeun.es - Compromised site (2016-11-29)
• 194.87.145.56 port 80 - new.yoncalivillas.com - Rig-V
• 210.16.101.23 port 80 - ffoqr3ug7m726zou.zee0xr.top - Post-infection HTTP traffic



• lavozdeltrubia.es - Compromised site (2016-11-29)
• 194.87.145.56 port 80 - new.yoncalivillas.com - Rig-V
• 210.16.101.23 port 80 - avsxrcoq2q5fgrw2.34efzl.top - Post-infection HTTP traffic



• immigrationsolutions.com - Compromised site (2016-11-30)
• 194.87.238.156 port 80 - see.pooldecksealer.com - Rig-V
• 185.109.144.18 port 80 - avsxrcoq2q5fgrw2.vth4o4.bid - Post-infection HTTP traffic



• joellipman.com - Compromised site (2016-11-30)
• 194.87.238.156 port 80 - see.pooldecksealer.com - Rig-V
• 185.109.144.18 port 80 - ffoqr3ug7m726zou.p93w1x.bid - Post-infection HTTP traffic



• abogadoszurbanocaracas.com - Compromised site (2016-11-30)
• 70.39.115.200 port 80 - tzaz.gql7xjpeq.top - Rig-E
• 203.121.145.40 port 8080 - 203.121.145.40:8080 - Post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOITS (READ: SHA256 HASH - FILE NAME - FILE SIZE):

• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-11-29-1st-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes
• 9a8ba78b2184b3e70bfa97bad9a7f31a9a9f33e4cebf75cf1aff18e127d3305b - 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-flash-exploit.swf - 12,394 bytes
• 9a8ba78b2184b3e70bfa97bad9a7f31a9a9f33e4cebf75cf1aff18e127d3305b - 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-flash-exploit.swf - 12,394 bytes
• 8c448030760ca6a7dffb8d31eaf4c36b25cad520ed3914765685e00e2a39ef2b - 2016-11-30-1st-run-pseudoDarkleech-Rig-V-flash-exploit.swf - 9,884 bytes
• 8c448030760ca6a7dffb8d31eaf4c36b25cad520ed3914765685e00e2a39ef2b - 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-flash-exploit.swf - 9,884 bytes
• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-11-30-3rd-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes

FLASH EXPLOITS (READ: SHA256 HASH - MY SAVED NAME FOR IT - FILE SIZE):

• 43a21ea47ec10d813f8252cd7f64394a5059aebe7977febd15d3bd9f887c812f - 2016-11-29-1st-run-EITest-Rig-E-payload-rad65C7C.tmp.exe - 285,696 bytes
• 808c9a9b1253064abd3c7e6617c4ceb4cab17382ca4b8f951d8b5655ff388c67 - 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-payload-Cerber-rad6F670.tmp.exe - 217,323 bytes
• 36825129c4dbd65eab073547cf82f0d458b47b569e40a9be89a40c7cc764b24e - 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-payload-Cerber-radC816F.tmp.exe - 265,910 bytes
• bb121bca1c193ec9165942423b61ec9636ad5ec7a98b563b3fc8a4ce430b1942 - 2016-11-30-1st-run-pseudoDarkleech-Rig-V-payload-Cerber-rad4B90E.tmp.exe - 263,794 bytes
• 072fe4e4ecede73a384de61f3e98518feb8bc0259f9b5c4405d819396ba35f86 - 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-payload-Cerber-rad5FFAA.tmp.exe - 216,997 bytes
• 9ca5498417ca8079358ee0b3199fed991751487c6aa71ef1331d85d4d74b96a6 - 2016-11-30-3rd-run-EITest-Rig-E-payload-8E5.tmp - 89,780 bytes

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-11-30-Rig-EK-data-dump-all-6-pcaps.zip   3.1 MB (3,052,062 bytes)
• ZIP archive of the malware:  2016-11-30-Rig-EK-data-dump-malware-and-artifacts.zip   1.6 MB (1,607,095 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.