2017-03-15 - EITEST RIG EK SENDS REVENGE RANSOMWARE

ASSOCIATED FILES:

  • 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware.pcap   (241,884 bytes)
  • 2017-03-15-EITest-Rig-EK-flash-exploit.swf   (14,942 bytes)
  • 2017-03-15-EITest-Rig-EK-landing-page.txt   (118,021 bytes)
  • 2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe   (116,224 bytes)
  • 2017-03-15-Revenge-Ransomware-decryption-instructions.txt   (7,116 bytes)
  • 2017-03-15-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,358 bytes)

 

DETAILS

NOTES:

 

ASSOCIATED DOMAINS:

  • www.activaclinics.com - compromised site
  • 188.227.75.37 port 80 - try.bannerautoservice.com - Rig EK
  • 91.207.7.77 port 80 - 91.207.7.77 - POST /images/temp/4gallery/temp_reserv/gallery.php   [Revenge ransomware post-infection traffic]
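
The three indicators above map onto the stages of the infection chain (compromised site, Rig EK landing/exploit host, Revenge ransomware post-infection POST). As an added example, not code from this page or its author, the script below matches those indicators and the SHA256 values from the FILE HASHES section against HTTP proxy log lines. The log layout (epoch timestamp, client IP, method, URL, server IP), the client IPs and all sample lines are constructed for illustration and are not taken from the pcap.

```python
"""Match the Rig EK / Revenge ransomware indicators from this page against
proxy log lines.  Log layout and sample lines are constructed (hypothetical)."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the ASSOCIATED DOMAINS and FILE HASHES sections.
COMPROMISED_SITES = {"www.activaclinics.com"}
RIG_EK_HOSTS = {"try.bannerautoservice.com"}
RIG_EK_IPS = {"188.227.75.37"}
REVENGE_C2_IPS = {"91.207.7.77"}
REVENGE_C2_PATH = "/images/temp/4gallery/temp_reserv/gallery.php"
KNOWN_SHA256 = {
    "3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79": "Rig EK Flash exploit",
    "8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c": "Revenge ransomware payload (5uhcwesi.exe)",
}

# Assumed proxy log layout (hypothetical, not any product's default format):
#   <epoch_ts> <client_ip> <method> <url> <server_ip>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")

# Constructed sample log: one client walking the whole chain, one clean client,
# and a plain GET to the C2 IP that must NOT be flagged as a check-in.
SAMPLE_LOG = """\
1489579200.101 10.0.0.15 GET http://www.activaclinics.com/ 203.0.113.10
1489579201.342 10.0.0.15 GET http://try.bannerautoservice.com/ 188.227.75.37
1489579205.917 10.0.0.15 POST http://91.207.7.77/images/temp/4gallery/temp_reserv/gallery.php 91.207.7.77
1489579206.004 10.0.0.22 GET http://www.example.com/index.html 93.184.216.34
1489579207.220 10.0.0.22 GET http://91.207.7.77/images/ 91.207.7.77
"""


@dataclass
class Hit:
    ts: str
    src: str
    stage: str    # "compromised-site", "rig-ek" or "revenge-c2"
    detail: str   # the URL that matched


def classify(method, host, path, dst_ip):
    """Map one request to an infection-chain stage, or None if nothing matches."""
    if host in COMPROMISED_SITES:
        return "compromised-site"
    if host in RIG_EK_HOSTS or dst_ip in RIG_EK_IPS:
        return "rig-ek"
    # The post-infection traffic is a POST to that exact path on the C2 IP;
    # a GET elsewhere on the same server is not evidence of infection.
    if method == "POST" and dst_ip in REVENGE_C2_IPS and path == REVENGE_C2_PATH:
        return "revenge-c2"
    return None


def scan(log_text):
    """Parse each log line and return the Hits in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        stage = classify(m["method"], host, parts.path, m["dst"])
        if stage:
            hits.append(Hit(m["ts"], m["src"], stage, m["url"]))
    return hits


def infected_hosts(hits):
    """Clients that both reached Rig EK and checked in to the Revenge C2 server."""
    stages = {}
    for h in hits:
        stages.setdefault(h.src, set()).add(h.stage)
    return {src for src, seen in stages.items() if {"rig-ek", "revenge-c2"} <= seen}


def identify_artifact(data):
    """Return the artifact name if `data` hashes to one of the page's SHA256 values."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} {h.stage:17} {h.detail}")
    print("infected:", sorted(infected_hosts(found)))
```

Requiring both the Rig EK contact and the exact C2 POST before calling a client infected keeps a single stray hit on the C2 IP (which may host other content) from raising a ransomware alert on its own; the hash lookup is for confirming a quarantined file against the listed payload and Flash exploit.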

 

FILE HASHES:

  • SHA256 hash:  3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79
    File description:  Rig EK Flash exploit seen on 2017-03-15
  • SHA256 hash:  8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c
    File location:  C:\Users\[username]\AppData\Local\Temp\5uhcwesi.exe
    File description:  EITest Rig EK payload, Revenge ransomware

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
