2016-09-21 - TWO EXAMPLES OF EITEST RIG EK
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcaps: 2016-09-21-EITest-Rig-EK-both-pcaps.zip 702.9 kB (702,914 bytes)
  - 2016-09-21-EITest-Rig-EK-sends-CryptFile2-after-germansuppliesinc_com.pcap (174,049 bytes)
  - 2016-09-21-EITest-Rig-EK-sends-Vawtrak-after-imr-racing_com.pcap (825,547 bytes)
- Zip archive of the malware: 2016-09-21-EITest-Rig-EK-malware-and-artifacts.zip 346.6 kB (346,558 bytes)
  - 2016-09-21-EITest-Rig-EK-flash-exploit-after-germansuppliesinc_com.swf (25,205 bytes)
  - 2016-09-21-EITest-Rig-EK-flash-exploit-after-imr-racing_com.swf (25,205 bytes)
  - 2016-09-21-EITest-Rig-EK-landing-page-after-germansuppliesinc_com.txt (3,536 bytes)
  - 2016-09-21-EITest-Rig-EK-landing-page-after-imr-racing_com.txt (3,440 bytes)
  - 2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc_com.exe (86,016 bytes)
  - 2016-09-21-EITest-Rig-EK-payload-Vawtrak-after-imr-racing_com.exe (320,512 bytes)
  - 2016-09-21-EITest-flash-redirect-from-avtex_top.swf (4,439 bytes)
  - 2016-09-21-EITest-flash-redirect-from-sqlbackupandftp_top.swf (4,439 bytes)
  - 2016-09-21-page-from-germansuppliesinc_com-with-injected-EITest-script.txt (67,198 bytes)
  - 2016-09-21-page-from-imr-racing_com-with-injected-EITest-script.txt (62,685 bytes)
NOTES:
- Found these compromised sites by looking through old tweets from @FreeBSDfan.
BACKGROUND ON THE EITEST CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-31 - Palo Alto Networks Unit 42 blog: How the EITest Campaign's Path to Angler EK Evolved Over Time.
- 2016-06-08 - SANS ISC diary: Neutrino EK and CryptXXX (campaigns using Angler EK switch to Neutrino EK)
- 2016-08-18 - SANS ISC diary: 1 compromised site - 2 campaigns (EITest campaign switched to Rig EK)
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Traffic from the first pcap filtered in Wireshark.
Shown above: Traffic from the second pcap filtered in Wireshark.
FIRST PCAP:
- www.germansuppliesinc[.]com - Compromised site
- 31.184.193[.]179 port 80 - avtex[.]top - EITest gate
- 109.234.35[.]23 port 80 - art.jumpstartyourhomesearch[.]com - Rig EK
- 176.31.127[.]110 port 80 - 176.31.127[.]110 - GET /headers.jpg [post-infection traffic from CryptFile2 ransomware]
- 176.31.127[.]110 port 80 - 176.31.127[.]110 - POST /zig/offers.php [post-infection traffic from CryptFile2 ransomware]
SECOND PCAP:
- imr-racing[.]com - Compromised site
- 31.184.193[.]179 port 80 - sqlbackupandftp[.]top - EITest gate
- 185.141.25[.]46 port 80 - hgfxvjl.jr9wts9[.]top - Rig EK
- Post-infection traffic after Rig EK delivered the Vawtrak malware:
  - 198.105.254[.]228 port 443 - ctwruhwdk[.]com - HTTPS/SSL/TLS traffic
  - 198.105.254[.]228 port 443 - apgtsdeh[.]com - HTTPS/SSL/TLS traffic
  - 81.177.13[.]242 port 443 - lkfiravihg[.]com - HTTPS/SSL/TLS traffic
  - 212.116.113[.]163 port 443 - apparatusou[.]bid - HTTPS/SSL/TLS traffic
  - 185.36.102[.]164 port 80 - 185.36.102[.]164 - GET /module/272a5ad4a1b97a2ac874d6d3e5fff01d
  - 185.36.102[.]164 port 80 - 185.36.102[.]164 - GET /module/[various other hexadecimal strings]
FILE HASHES
FLASH FILES:
- SHA256 hash: 3721ad6922a035c127b35365ac5476b0772a5172c8716b6fee2851284927caeb
  - File name: 2016-09-21-EITest-flash-redirect-from-avtex_top.swf
  - File name: 2016-09-21-EITest-flash-redirect-from-sqlbackupandftp_top.swf
- SHA256 hash: 945ea5134ffbdf24d4fa8e141e85fbfec82aa04185201f6bc6228517b8dd8d64
  - File name: 2016-09-21-EITest-Rig-EK-flash-exploit-after-germansuppliesinc_com.swf
  - File name: 2016-09-21-EITest-Rig-EK-flash-exploit-after-imr-racing_com.swf
PAYLOADS:
- SHA256 hash: 8f9a62a9e43ed55f0fa810737facc6460dc89c41f16f4d610debc8a35babe6b9
  - File name: 2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc_com.exe
- SHA256 hash: 22bcd3bfada03fa9223d4494a5433e6525ffe39256cee572859c58eae71cd559
  - File name: 2016-09-21-EITest-Rig-EK-payload-Vawtrak-after-imr-racing_com.exe