2018-01-29 - THREE DAYS OF SEAMLESS CAMPAIGN RIG EK pUSHING GANDCRAB RANSOMWARE
ASSOCIATED FILES:
- Zip archive of the pcaps: 2018-01-29-pcaps-from-Seamless-Rig-EK-sending-GandCrab-ransomware.zip 851 lB (850,897 bytes)
- 2018-01-27-Seamless-Rig-EK-sends-GandCrab-ransomware.pcap (339,191 bytes)
- 2018-01-28-Seamless-Rig-EK-sends-GandCrab-ransomware.pcap (267,865 bytes)
- 2018-01-29-Seamless-Rig-EK-sends-GandCrab-ransomware.pcap (317,434 bytes)
- Zip archive of the email and malware: 2018-01-29-Seamless-campaign-Rig-EK-malware-and-artifacts.zip 506 kB (506,333 bytes)
- 2018-01-27-GDCB-DECRYPT.txt (2,774 bytes)
- 2018-01-27-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2018-01-27-Rig-EK-flash-exploit.swf (11,917 bytes)
- 2018-01-27-Rig-EK-landing-page.txt (97,376 bytes)
- 2018-01-27-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe (221,184 bytes)
- 2018-01-28-GDCB-DECRYPT.txt (2,774 bytes)
- 2018-01-28-Rig-EK-artifact-u32.tmp.txt (1,141 bytes)
- 2018-01-28-Rig-EK-flash-exploit.swf (11,909 bytes)
- 2018-01-28-Rig-EK-landing-page.txt (95,204 bytes)
- 2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe (148,992 bytes)
- 2018-01-29-Rig-EK-artifact-u32.tmp.txt (1,141 bytes)
- 2018-01-29-Rig-EK-flash-exploit.swf (11,909 bytes)
- 2018-01-29-Rig-EK-landing-page.txt (95,583 bytes)
- 2018-01-29-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe (235,520 bytes)
NOTES:
- Gandcrab is a ransomware that first appeared from Rig exploit kit (EK) on Friday, 2018-01-26.
- This was Rig EK used by the Seamless campaign, which has been pushing Ramnit for several months until this activity.
- 2018-01-26 - Twitter thread.
- 2018-01-27 - Unpacking GandCrab Ransomware by @_qaz_qaz.
WEB TRAFFIC BLOCK LIST
The following block list is based on URLs and domains from the infection traffic. See the traffic images for more details.
- hxxp://xn--80abmi5aecft.xn--p1acf/gav4.php
- hxxp://92.53.66.11/curl.php?token=1019
- hxxp://78.155.206.6/curl.php?token=1019
- gdcbghvjyqy7jclk.onion.top
- gdcbghvjyqy7jclk.onion.casa
- gdcbghvjyqy7jclk.onion.guide
- gdcbghvjyqy7jclk.onion.rip
- gdcbghvjyqy7jclk.onion.plus
- gandcrab.bit
- nomoreransom.bit
TRAFFIC
Shown above: Seamless campaign Rig EK from 2018-01-27.
Shown above: Seamless campaign Rig EK from 2018-01-28.
Shown above: Seamless campaign Rig EK from 2018-01-29.
MALWARE
RIG EK FLASH EXPLOITS:
- SHA256 hash: 496a5f41e206b552c93690926d6678b2f2550fe14db8dbdc42e6532353735c13
File description: Rig EK flash exploit seen on 2018-01-27
- SHA256 hash: 6a19146eb0ae8a352b166454f69bf95b4152f43b9692b4c014f9258f43be8d02
File description: Rig EK flash exploit seen on 2018-01-28 and 2018-01-29
GANDCRAB RANSOMWARE:
- SHA256 hash: 69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d
File description: Gandcrab ransomware from Seamless campaign Rig EK on 2018-01-27
- SHA256 hash: 0e47b58d99eaf5ca77f7c1b4e03e779992c7e9bf7860ec5e6cd817b4d9199b63
File description: Gandcrab ransomware from Seamless campaign Rig EK on 2018-01-28
- SHA256 hash: 3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615
File description: Gandcrab ransomware from Seamless campaign Rig EK on 2018-01-29
GANDCRAB RANSOMWARE PERSISTENT ON AN INFECTED WINDOWS HOST ON 2018-01-29:
- Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value name: yitjigcgcmp
Value type: REG_SZ
Value data: C:\Users\[username]\AppData\Roaming\Microsoft\yfibhp.exe
IMAGES
Shown above: Encrypted files on an infected Windows host.
Shown above: Gandcrab decryptor.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2018-01-29-pcaps-from-Seamless-Rig-EK-sending-GandCrab-ransomware.zip 851 lB (850,897 bytes)
- Zip archive of the email and malware: 2018-01-29-Seamless-campaign-Rig-EK-malware-and-artifacts.zip 506 kB (506,333 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.