2017-03-15 - EITEST RIG EK SENDS REVENGE RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-03-15-EITest-Rig-EK-sends-Revenge-ransomware.pcap   (241,884 bytes)
  • 2017-03-15-EITest-Rig-EK-flash-exploit.swf   (14,942 bytes)
  • 2017-03-15-EITest-Rig-EK-landing-page.txt   (118,021 bytes)
  • 2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe   (116,224 bytes)
  • 2017-03-15-Revenge-Ransomware-decryption-instructions.txt   (7,116 bytes)
  • 2017-03-15-page-from-activaclinics_com-with-injected-EITest-script.txt   (59,358 bytes)

 

DETAILS

NOTES:

 

TRAFFIC FROM AN INFECTION:

  • www.activaclinics[.]com - compromised site
  • 188.227.75[.]37 port 80 - try.bannerautoservice[.]com - Rig EK
  • 91.207.7[.]77 port 80 - 91.207.7[.]77 - POST /images/temp/4gallery/temp_reserv/gallery.php   [Revenge ransomware post-infection traffic]

 

FILE HASHES:

  • SHA256 hash:  3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79
    File description:  Rig EK Flash exploit seen on 2017-03-15
  • SHA256 hash:  8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c
    File location:  C:\Users\[username]\AppData\Local\Temp\5uhcwesi.exe
    File description:  EITest Rig EK payload, Revenge ransomware

 

FINAL NOTES
