2017-03-28 - EITEST RIG EK FROM 46.173.214.185 SENDS (SOME SORT OF) RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-03-28-EITest-Rig-EK.pcap.zip   967 kB (966,738 bytes)

• 2017-03-28-EITest-Rig-EK.pcap   (1,129,240 bytes)

ZIP archive of the malware:  2017-03-28-EITest-Rig-EK-malware-and-artifacts.zip   445 kB (445,317 bytes)

• 2017-03-28-DpgvQeBMapb33zFU.hta.txt   (35,342 bytes)
• 2017-03-28-EITest-Rig-EK-J3KXzbhL.exe   (461,312 bytes)
• 2017-03-28-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-03-28-EITest-Rig-EK-flash-exploit.swf   (15,736 bytes)
• 2017-03-28-EITest-Rig-EK-landing-page.txt   (57,838 bytes)
• 2017-03-28-WhatHappenedWithMyFiles.rtf   (5,682 bytes)
• 2017-03-28-page-from-activaclinics.com-with-injected-EITest-script.txt   (58,153 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

EK PAYLOAD NOTES:

• The EITest payload from Rig EK is some sort of ransomware.
• I saw alerts for MSIL/Matrix ransomware, but this appears to be a new variant.
• Names for any of the encrypted files do not change with this ransomware.
• There's an HTA file that's in the registry for persistence during rebooting.
• The HTA file sets itself as the desktop background (something I hadn't seen before).
• See the images section for more details.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.activaclinics.com - Compromised website
• 46.173.214.185 port 80 - help.whatizzzit.com - Rig EK
• 31.41.216.90 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 31.41.217.90 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 148.251.13.83 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 195.248.235.240 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 195.248.235.241 port 80 - stat2.s76.r53.com.ua - Post-infection ransomware HTTP traffic

 

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

• bluetablet9643@yahoo.com - Primary email
• decodedecode@yandex.ru - Backup email

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  8411ffb402372f51fbcc5f4d80f23eaf79871650d5cbbac8597c3667a49870b6
  File size:  15,736 bytes
  File description:  Rig EK flash exploit seen on 2017-03-28

PAYLOAD (RANSOMWARE):

• SHA256 hash:  25b36b3ae96b38259cb473df2b0d02fe94135b8d53b960dc95315567590c683c
  File size:  461,312 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\J3KXzbhL.exe

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Desktop of an infected windows host.

 

Shown above:  No file name changes, and the directions are in an RTF file.

 

Shown above:  Registry entry made for persistence of the HTA file.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-03-28-EITest-Rig-EK.pcap.zip   967 kB (966,738 bytes)
• ZIP archive of the malware:  2017-03-28-EITest-Rig-EK-malware-and-artifacts.zip   445 kB (445,317 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.