2017-03-20 - EITEST RIG EK FROM 92.53.104.78 SENDS CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-20-EITest-Rig-EK-sends-Cerber-ransomware.pcap.zip 585 kB (584,676 bytes)
- 2017-03-20-EITest-Rig-EK-sends-Cerber-ransomware.pcap (825,380 bytes)
- 2017-03-20-Cerber_READ_THIS_FILE_5JBDOT_.txt (1,337 bytes)
- 2017-03-20-Cerber_READ_THIS_FILE_O9EALHF_.jpeg (239,134 bytes)
- 2017-03-20-Cerber_READ_THIS_FILE_SRBVX_.hta (76,770 bytes)
- 2017-03-20-EITest-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-03-20-EITest-Rig-EK-flash-exploit.swf (15,010 bytes)
- 2017-03-20-EITest-Rig-EK-landing-page.txt (57,621 bytes)
- 2017-03-20-EITest-Rig-EK-payload-Cerber-2isifsc1.exe (286,921 bytes)
- 2017-03-20-page-from-regenairgy.com-wtih-injected-EITest-script.txt (23,105 bytes)
BACKGROUND ON THE EITEST CAMPAIGN:
- My most recent write-up on the EITest campaign can be found here.
OTHER NOTES:
- Got the compromised sites from one of @nao_sec's recent tweets.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- regenairgy.com - Compromised site
- 92.53.104.78 port 80 - acc.mobilalibey.com - Rig EK
- 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892 - Cerber post-infection UDP traffic
- 216.170.119.139 port 80 - p27dokhpz2n7nvgr.1cewld.top - Cerber post-infection HTTP traffic
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: ccd2a5c27c92ed489287d7c9d48c42c8c0c12902ad598ac51458e388e22c4385
File size: 15,010 bytes
File description: Rig EK flash exploit seen on 2017-03-20
PAYLOAD:
- SHA256 hash: 409a71c97dee87fbafa63e8d9025f63e7eb21dce3239b4952296db217a744264
File size: 286,921 bytes
File location: C:\Users\[username]\AppData\Local\Temp\2isifsc1.exe
IMAGES
Shown above: Desktop of an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-20-EITest-Rig-EK-sends-Cerber-ransomware.pcap.zip 585 kB (584,676 bytes)
- ZIP archive of the malware: 2017-03-20-EITest-Rig-EK-sends-Cerber-malware-and-artifacts.zip 551 kB (551,319 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.