2017-03-28 - EITEST RIG EK FROM 46.173.214.185 SENDS (SOME SORT OF) RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-28-EITest-Rig-EK.pcap.zip 967 kB (966,738 bytes)
- 2017-03-28-EITest-Rig-EK.pcap (1,129,240 bytes)
- 2017-03-28-DpgvQeBMapb33zFU.hta.txt (35,342 bytes)
- 2017-03-28-EITest-Rig-EK-J3KXzbhL.exe (461,312 bytes)
- 2017-03-28-EITest-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-03-28-EITest-Rig-EK-flash-exploit.swf (15,736 bytes)
- 2017-03-28-EITest-Rig-EK-landing-page.txt (57,838 bytes)
- 2017-03-28-WhatHappenedWithMyFiles.rtf (5,682 bytes)
- 2017-03-28-page-from-activaclinics.com-with-injected-EITest-script.txt (58,153 bytes)
BACKGROUND ON THE EITEST CAMPAIGN:
- My most recent write-up on the EITest campaign can be found here.
EK PAYLOAD NOTES:
- The EITest payload from Rig EK is some sort of ransomware.
- I saw alerts for MSIL/Matrix ransomware, but this appears to be a new variant.
- Names for any of the encrypted files do not change with this ransomware.
- There's an HTA file that's in the registry for persistence during rebooting.
- The HTA file sets itself as the desktop background (something I hadn't seen before).
- See the images section for more details.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- www.activaclinics.com - Compromised website
- 46.173.214.185 port 80 - help.whatizzzit.com - Rig EK
- 31.41.216.90 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
- 31.41.217.90 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
- 148.251.13.83 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
- 195.248.235.240 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
- 195.248.235.241 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:
- bluetablet9643@yahoo.com - Primary email
- decodedecode@yandex.ru - Backup email
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 8411ffb402372f51fbcc5f4d80f23eaf79871650d5cbbac8597c3667a49870b6
File size: 15,736 bytes
File description: Rig EK flash exploit seen on 2017-03-28
PAYLOAD (RANSOMWARE):
- SHA256 hash: 25b36b3ae96b38259cb473df2b0d02fe94135b8d53b960dc95315567590c683c
File size: 461,312 bytes
File location: C:\Users\[username]\AppData\Local\Temp\J3KXzbhL.exe
IMAGES
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
Shown above: Desktop of an infected windows host.
Shown above: No file name changes, and the directions are in an RTF file.
Shown above: Registry entry made for persistence of the HTA file.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-28-EITest-Rig-EK.pcap.zip 967 kB (966,738 bytes)
- ZIP archive of the malware: 2017-03-28-EITest-Rig-EK-malware-and-artifacts.zip 445 kB (445,317 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.