2016-12-06 - RIG EK DATA DUMP

NOTES:

• Sometime today, Rig-E switched from the old 40 kB Flash exploits to the same 15 kB Flash exploit as Rig-V.
• At the same time, Rig-E landing pages went from approximately 3 kB to approximately 85 kB in size.

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-12-06-Rig-EK-data-dump-all-pcaps.zip   2.5 MB (2,488,525 bytes)

• 2016-12-06-1st-run-EITest-Rig-E-sends-Chthonic.pcap   (806,307 bytes)
• 2016-12-06-2nd-run-EITest-Rig-E-sends-Gootkit.pcap   (201,607 bytes)
• 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber.pcap   (413,749 bytes)
• 2016-12-06-4th-run-EITest-Rig-E-sends-Quant-loader.pcap   (141,193 bytes)
• 2016-12-06-5th-run-EITest-Rig-E-sends-Chthonic.pcap   (1,279,665 bytes)

• ZIP archive of the malware:  2016-12-06-Rig-EK-data-dump-malware-and-artifacts.zip   1.2 MB (1,164,637 bytes)

• 2016-12-06-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-06-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-06-1st-run-EITest-Rig-E-landing-page.txt   (3,416 bytes)
• 2016-12-06-1st-run-EITest-Rig-E-payload-Chthonic.exe   (393,216 bytes)
• 2016-12-06-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,835 bytes)
• 2016-12-06-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-06-2nd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-06-2nd-run-EITest-Rig-E-landing-page.txt   (3,410 bytes)
• 2016-12-06-2nd-run-EITest-Rig-E-payload-Gootkit.exe   (294,912 bytes)
• 2016-12-06-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,839 bytes)
• 2016-12-06-3rd-run-page-from-joellipman.com-with-injected-script.txt   (68,856 bytes)
• 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (15,043 bytes)
• 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,376 bytes)
• 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber.exe   (267,894 bytes)
• 2016-12-06-4th-run-EITest-Rig-E-flash-exploit.swf   (15,043 bytes)
• 2016-12-06-4th-run-EITest-Rig-E-landing-page.txt   (85,255 bytes)
• 2016-12-06-4th-run-EITest-Rig-E-payload-Quant-loader.exe   (70,393 bytes)
• 2016-12-06-4th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,826 bytes)
• 2016-12-06-5th-run-EITest-Rig-E-flash-exploit.swf   (15,043 bytes)
• 2016-12-06-5th-run-EITest-Rig-E-landing-page.txt   (85,243 bytes)
• 2016-12-06-5th-run-EITest-Rig-E-payload-Chthonic.exe   (393,216 bytes)
• 2016-12-06-5th-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,830 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I'm currently tracking 3 versions of Rig EK as classified in an October 2016 blog post by Kafeine.
• Rig-V: a "VIP version" with new URL patterns, different landing page obfuscation, and RC4 encryption for the payload.  Used by the Afraidgate & pseudoDarkleech campaigns.
• Rig-E: a variant with old URL patterns, now with with RC4 encryption for the payload.  Also known as Empire Pack.  I often see Rig-E used by the EITest campaign.
• Rig standard: uses new URL patterns introduced by Rig-V, but old obfuscation (ASCII string to XOR the payload binary)  The EITest campaign formerly used Rig standard to send CryptFile2 (CryptoMix) ransomware before switching to Rig-V for that purpose.

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.
• 2016-10-03 - Broadanalysis.com:  EITest campaign stopped using a gate.
• 2016-10-15 - Broadanalysis.com:  EITest campaing stops using obfuscation for injected script in pages from compromised websites.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

 

TRAFFIC

Shown above:  Flow chart for today's infection traffic.

Shown above:  Traffic from the 1st infection filtered in Wireshark.

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

Shown above:  Traffic from the 3rd infection filtered in Wireshark.

Shown above:  Traffic from the 4th infection filtered in Wireshark.

Shown above:  Traffic from the 5th infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 185.162.8.114 port 80 - ibbb.wgls8ofrd.xyz - Rig-E (1st infection)
• 185.162.8.114 port 80 - p5upl8.oi76ijh.xyz - Rig-E (2nd infection)
• 194.87.146.145 port 80 - far.herculesbrand.com - Rig-V (3rd infection)
• 185.162.8.114 port 80 - m7jfc.etyvi0.xyz - Rig-E (4th infection)
• 185.162.8.116 port 80 - vsus5.a6fm5g.xyz - Rig-E (5th infection)

• 31.3.135.232 port 53 - DNS queries for scenabit.bit from the Chthonic post-infection traffic
• 195.123.210.75 port 80 - scenabit.bit - Chthonic post-infection HTTP traffic

• 83.243.40.105 port 80 - inc.granoladadgear.com - Gootkit post-infection traffic via HTTS/SSL/TLS over TCP port 80

• 15.49.2.0 to 15.49.2.31 (15.49.2.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 122.1.13.0 to 122.1.1331 (122.1.13.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 194.165.16.0 to 194.165.17.255 (194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic
• 185.98.87.153 port 80 - ffoqr3ug7m726zou.u8yz5b.top - Cerber post-infection HTTP traffic

• 81.4.108.169 port 80 - vitaetortorvitaesuscipit.us - Quant Loader post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOITS (READ: SHA256 HASH - FILE NAME - FILE SIZE)

• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-12-06-1st-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes
• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-12-06-2nd-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes
• fb9eb0a848cba0eb9c706287194b76fa9b72d3843b1b94296e9003ccb5c27dfd - 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf - 15,043 bytes
• fb9eb0a848cba0eb9c706287194b76fa9b72d3843b1b94296e9003ccb5c27dfd - 2016-12-06-4th-run-EITest-Rig-E-flash-exploit.swf - 15,043 bytes
• fb9eb0a848cba0eb9c706287194b76fa9b72d3843b1b94296e9003ccb5c27dfd - 2016-12-06-5th-run-EITest-Rig-E-flash-exploit.swf - 15,043 bytes

PAYLOADS:

• 99c610031b3710cb6c58b4045239701093ae4b96ca5dfa96fd175ef6accc1f10 - 2016-12-06-1st-run-EITest-Rig-E-payload-Chthonic.exe - 393,216 bytes
• 65c4866588dd84db00f79a4707c7521cfd941ac254a0149c98b062310fc77060 - 2016-12-06-2nd-run-EITest-Rig-E-payload-Gootkit.exe - 294,912 bytes
• 1ccf8c29844dc295649c0fe170ded98fe63f380614bef467a887275be75ecd26 - 2016-12-06-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber.exe - 267,894 bytes
• 26b2cd43577993e8f2a36c9f73134393aed073ffef2548f7bc7d547c1735d4d7 - 2016-12-06-4th-run-EITest-Rig-E-payload-Quant-loader.exe - 70,393 bytes
• 99c610031b3710cb6c58b4045239701093ae4b96ca5dfa96fd175ef6accc1f10 - 2016-12-06-5th-run-EITest-Rig-E-payload-Chthonic.exe - 393,216 bytes

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-12-06-Rig-EK-data-dump-all-pcaps.zip   2.5 MB (2,488,525 bytes)
• ZIP archive of the malware:  2016-12-06-Rig-EK-data-dump-malware-and-artifacts.zip   1.2 MB (1,164,637 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.