2018-03-15 - QUICK POST: RIG EK

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-15-Rig-EK-traffic.pcap.zip   271 kB (270,753 bytes)

• 2018-03-15-Rig-EK-traffic.pcap   (279,647 bytes)

• Zip archive of the associated malware and artifacts:  2018-03-15-Rig-EK-and-GandCrab-ransomware-malware-and-artifacts.zip   226 kB (226,065 bytes)

• 2018-03-15-Rig-EK-artifacts-u32.tmp.txt   (1,141 bytes)
• 2018-03-15-Rig-EK-flash-exploit.swf   (15,951 bytes)
• 2018-03-15-Rig-EK-landing-page.txt   (95,708 bytes)
• 2018-03-15-Rig-EK-payload-GandCrab-ransomware.exe   (217,608 bytes)

NOTES:

• This example only contains the Rig EK traffic (no pre- or post-infection activity).
• Not sure which campaign this is from.
• Unfortunately, I cannot share the traffic leading up to this example.
• It didn't look like any of the usual campaigns I've run across before, so I doubt it's from the Fobos, HookAds, or Seamless campaigns.

 

Click here to return to the main page.