2017-04-06 - EITEST RIG EK FROM 109.234.36.165 SENDS MATRIX RANSOMWARE VARIANT

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-06-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap.zip   797 kB (796,537 bytes)

• 2017-04-06-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap   (916,311 bytes)

• ZIP archive of the malware:  2017-04-06-EITest-Rig-EK-malware-and-artifacts.zip   1.1 MB (1,052,172 bytes)

• 2017-04-06-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-04-06-EITest-Rig-EK-flash-exploit.swf   (40,245 bytes)
• 2017-04-06-EITest-Rig-EK-landing-page.txt   (57,899 bytes)
• 2017-04-06-EITest-Rig-EK-payload-Matrix-variant.exe   (371,712 bytes)
• 2017-04-06-Matrix-variant-decyrption-instructions.hta   (3,231 bytes)
• 2017-04-06-Matrix-variant-decyrption-instructions.jpg   (690,707 bytes)
• 2017-04-06-Matrix-variant-decyrption-instructions.rtf   (5,684 bytes)
• 2017-04-06-page-from-trackingsharks.com-with-injected-EITest-script.txt   (75,714 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

NOTES:

• I've seen this ransomware from the EITest campaign using Rig EK on 2017-03-28 and 2017-04-03.
• Haven't seen much about this particular ransomware yet, so I'm calling it a "Matrix variant."
• The 2017-03-28 sample didn't change any file extensions for the encrypted files.
• The 2017-04-03 sample used .bl0cked as a file extension for all encrypted files.
• Today's sample didn't change any file extensions for the encrypted files.
• Shout out to @RagsOTX who tweeted about today's compromised website (link to tweet).

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.trackingsharks.com - Compromised website
• 109.234.36.165 port 80 - fast.app-garden.info - Rig EK
• 31.41.216.90 port 80 - stat3.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 31.41.217.90 port 80 - stat3.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 195.248.235.240 port 80 - stat3.s76.r53.com.ua - Post-infection ransomware HTTP traffic
• 195.248.235.241 port 80 - stat3.s76.r53.com.ua - Post-infection ransomware HTTP traffic

 

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

• redtablet9643@yahoo.com - Primary email
• decodedecode@tutanota.com - Backup email

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  f5be3eb33c9b6759f3609da0240920184154907f6950e9d885bdf1fd96340e15
  File size:  40,245 bytes
  File description:  Rig EK flash exploit seen on 2017-04-06

PAYLOAD (MATRIX VARIANT):

• SHA256 hash:  467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
  File size:  371,712 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\[various alphanumeric characters].exe

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Desktop of an infected windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-06-EITest-Rig-EK-sends-matrix-ransomware-variant.pcap.zip   797 kB (796,537 bytes)
• ZIP archive of the malware:  2017-04-06-EITest-Rig-EK-malware-and-artifacts.zip   1.1 MB (1,052,172 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.