Malware-Traffic-Analysis.net - 2017-02-27 - Rig EK examples (pseudoDarkleech and EITest campaigns)

2017-02-27 - RIG EK EXAMPLES (PSEUDO-DARKLEECH AND EITEST CAMPAIGNS)

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-02-27-Rig-EK-activity-2-pcaps.zip 1.0 MB (1,024,972 bytes)

2017-02-26-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap (711,243 bytes)

2017-02-27-EITest-Rig-EK.pcap (579,067 bytes)

2017-02-27-Rig-EK-malware-and-artifacts.zip 838.6 kB (838,560 bytes)

2017-02-26-Cerber-ransomware_HELP_HELP_HELP_EFX5Q_.png (360,498 bytes)

2017-02-26-Cerber-ransomware_HELP_HELP_HELP_K4G4EG_.hta (75,862 bytes)

2017-02-26-page-from-biversum_com-with-injected-pseudoDarkleech-script.txt (26,244 bytes)

2017-02-26-pseudoDarkleech-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)

2017-02-26-pseudoDarkleech-Rig-EK-flash-exploit.swf (15,097 bytes)

2017-02-26-pseudoDarkleech-Rig-EK-landing-page.txt (30,987 bytes)

2017-02-26-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware-b5vaoogh.exe (257,504 bytes)

2017-02-27-EITest-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)

2017-02-27-EITest-Rig-EK-flash-exploit.swf (15,097 bytes)

2017-02-27-EITest-Rig-EK-landing-page.txt (30,956 bytes)

2017-02-27-EITest-Rig-EK-payload-l5pf16w8.exe (215,552 bytes)

2017-02-27-page-from-protoday_uz-with-injected-EITest-script.txt (72,816 bytes)

BACKGROUND ON THE CAMPAIGNS:

My most recent write-up on the EITest campaign can be found here.
My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.
What people have been calling Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V." Now I'm just calling it "Rig EK."

OTHER NOTES:

Got the compromised sites from one of @nao_sec's latest tweets.

Shown above: Flow charts for this traffic.

TRAFFIC

Shown above: Pcap of the first infection (pseudoDarkleech campaign) filtered in Wireshark.

Shown above: Pcap of the second infection (EITest campaign) filtered in Wireshark.

TRAFFIC FROM THE INFECTIONS:

biversum[.]com - Compromised site (pseudoDarkleech campaign)
protoday[.]uz - Compromised site (EITest campaign)
81.177.140[.]74 port 80 - red.johnvaux[.]com - Rig EK (pseudoDarkleech campaign)
81.177.140[.]149 port 80 - dfg.o2thief[.]com - Rig EK (EITest campaign)

91.119.216[.]0 to 91.119.216.31 (91.119.216[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.120.216[.]0 to 91.120.216.31 (91.120.216[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.121.216[.]0 to 91.121.219.255(91.121.56[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic
185.183.96[.]77 port 80 - p27dokhpz2n7nvgr.14kfoz[.]top - Cerber ransomware post-infection HTTP traffic

5.196.159[.]175 port 80 - 5.196.159[.]175 - TCP SYN segments caused by EITest malware payload (no response from the server)

FILE HASHES

RIG EK FLASH EXPLOIT:

SHA256 hash: 566c60f87528fc0f245b3cb98e35af01b365a4183fc024610d03928ebd28315c (15,097 bytes)
File description: Rig EK Flash exploit seen on 2017-02-27

RIG EK PAYLOAD FROM PSEUDO-DARKLEECH CAMPAIGN:

SHA256 hash: f7124736a95c472f4c98835786daccdbe751bbd0da4cb500fa0b35d7700d46ef (257,504 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\b5vaoogh.exe
File description: Cerber ransomware

RIG EK PAYLOAD FROM EITEST CAMPAIGN:

SHA256 hash: cec0a5b62eab199796b0b1f2732f40d70c7a7ad47a1bbe508e69a33528f7d4e5 (215,552 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\l5pf16w8.exe
File description: Unknown (didn't have time to look into this one)

Click here to return to the main page.