2017-04-03 - EITEST RIG EK FROM 5.101.77.137 SENDS MSIL/MATRIC RANSOMWARE VARIANT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-03-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap.zip   1.0 MB (1,023,195 bytes)

• 2017-04-03-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap   (1,225,906 bytes)

• ZIP archive of the malware:  2017-04-03-EITest-Rig-EK-malware-and-artifacts.zip   1.3 MB (1,349,225 bytes)

• 2017-04-03-Bl0cked-ReadMe.rtf   (5,682 bytes)
• 2017-04-03-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-03-EITest-Rig-EK-flash-exploit.swf   (15,690 bytes)
• 2017-04-03-EITest-Rig-EK-landing-page.txt   (57,705 bytes)
• 2017-04-03-EITest-Rig-EK-payload-matrix-ransomware-variant.exe   (513,536 bytes)
• 2017-04-03-decryption-instructions.hta   (35,342 bytes)
• 2017-04-03-decryption-instructions.jpg   (872,407 bytes)
• 2017-04-03-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,273 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

MSIL/MATRIX RANSOMWARE VARIANT NOTES:

• This is the same ransomware I saw last week from the EITest campaign using Rig EK on 2017-03-28.
• Haven't seen much about this one yet, so I'm calling it an "MSIL/Matrix variant."
• Today's sample used .bl0cked as a file extension for any encrypted files.
• Last week's sample didn't change any of the file extensions for encrypted files.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.activaclinics.com - Compromised website
• 46.173.214.185 port 80 - open.auctionforintros.com - Rig EK
• 31.41.216.90 port 80 - statcs.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 195.248.235.240 port 80 - statcs.s76.r53.com.ua - Post-infection ransomware HTTP traffic

 

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

• bluetablet9643@yahoo.com - Primary email
• decodedecode@yandex.ru - Backup email

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  9c18ef0d4b441cdcefcdbaceeb111a207dc1460ac2a082785cc028551606a5de
  File size:  15,690 bytes
  File description:  Rig EK flash exploit seen on 2017-04-03

PAYLOAD (MSIL/MATRIX VARIANT):

• SHA256 hash:  e7b3102e3e49c6c3611353d704aae797923b699227df92d97987a2e012ba3f25
  File size:  513,536 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Desktop of an infected windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-03-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap.zip   1.0 MB (1,023,195 bytes)
• ZIP archive of the malware:  2017-04-03-EITest-Rig-EK-malware-and-artifacts.zip   1.3 MB (1,349,225 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.