2017-02-28 - EITEST RIG EK FROM 81.177.140[.]75 SENDS CRYPTOSHIELD RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-02-28-EITest-Rig-EK-sends-CryptoShield-ransomware.pcap.zip 315.4 kB (315,390 bytes)
- 2017-02-28-EITest-Rig-EK-sends-CryptoShield-ransomware.pcap (475,941 bytes)
- 2017-02-28-EITest-Rig-EK-artifacts-and-CryptoShield-ransomware.zip 133.9 kB (133,914 bytes)
- 2017-02-28-CryptoShield-ransomware-decryption-instructions.html (3,020 bytes)
- 2017-02-28-CryptoShield-ransomware-decryption-instructions.txt (1,750 bytes)
- 2017-02-28-EITest-Rig-EK-payload-9lvn0467.exe (119,296 bytes)
- 2017-02-28-Rig-EK-artifact-o32.tmp.txt (1,141 bytes)
- 2017-02-28-Rig-EK-flash-exploit.swf (15,105 bytes)
- 2017-02-28-Rig-EK-landing-page.txt (31,016 bytes)
- 2017-02-28-page-from-zonadjsperu_com-with-injected-EITest-script.txt (158,301 bytes)
BACKGROUND ON THE CAMPAIGN:
- My most recent write-up on the EITest campaign can be found here.
- What people have been calling Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V." Now I'm just calling it "Rig EK."
BACKGROUND ON CRYPTOSHIELD RANSOMWARE:
- On 2017-01-31, CryptFile2/CryptoMix got a facelift and is now calling itself CryptoShield.
- BleepingComputer posted a great writeup of CryptoShield ransomware (link).
- I also did an ISC diary recently about CryptoShield from Rig EK here.
- On 2017-02-28, CryptoShield ransomware changed from version 1.2 to version 2.0.
OTHER NOTES:
- Got the compromised sites from one of @nao_sec's latest tweets.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the EITest campaign in a page from the compromised site.
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- www.zonadjsperu[.]com - Compromised site
- 81.177.140[.]75 port 80 - cxz.localgeniuses[.]net - Rig EK
- 185.125.32[.]2 port 80 - 185.125.32[.]2 - CryptoShield ransomware post-infection traffic
- r_sp@india[.]com - first email from CryptoShield ransomware decryption instructions
- r_sp@computer4u[.]com - second email from CryptoShield ransomware decryption instructions
- res_reserve@india[.]com - third email from CryptoShield ransomware decryption instructions
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 4dfa96253c8f60437cb965c44ad5814ef235ae7822be2e8819b530e984b4a746
  File size: 15,105 bytes
  File description: Rig EK flash exploit seen on 2017-02-28
PAYLOAD:
- SHA256 hash: 177782be48ed39b66a70c51f592f0b3ac31a8aefe5f809eb45ee9d8bb18c2946
  File size: 119,296 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\9lvn0467.exe
  File location: C:\ProgramData\MicroSoftTMP\system32\conhost.exe
  File description: Rig EK payload from EITest campaign (CryptoShield ransomware) seen on 2017-02-28
IMAGES
Shown above: Desktop of an infected Windows host.
Shown above: CryptoShield ransomware made persistent on the infected host.