2017-03-28 - EITEST RIG EK FROM 46.173.214[.]185 SENDS RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-28-EITest-Rig-EK-traffic.pcap.zip   966.8 kB (966,754 bytes)

• 2017-03-28-EITest-Rig-EK-traffic.pcap   (1,129,240 bytes)

• 2017-03-28-EITest-Rig-EK-malware-and-artifacts.zip   446.2 kB (446,197 bytes)

• 2017-03-28-DpgvQeBMapb33zFU.hta.txt   (35,342 bytes)
• 2017-03-28-EITest-Rig-EK-J3KXzbhL.exe   (461,312 bytes)
• 2017-03-28-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-03-28-EITest-Rig-EK-flash-exploit.swf   (15,736 bytes)
• 2017-03-28-EITest-Rig-EK-landing-page.txt   (57,838 bytes)
• 2017-03-28-WhatHappenedWithMyFiles.rtf   (5,682 bytes)
• 2017-03-28-page-from-activaclinics_com-with-injected-EITest-script.txt   (58,153 bytes)

BACKGROUND ON THE EITEST CAMPAIGN:

• My most recent write-up on the EITest campaign can be found here.

EK PAYLOAD NOTES:

• The EITest payload from Rig EK is some sort of ransomware.
• I saw alerts for MSIL/Matrix ransomware, but this appears to be a new variant.
• Names for any of the encrypted files do not change with this ransomware.
• There's an HTA file that's in the registry for persistence during rebooting.
• The HTA file sets itself as the desktop background (something I hadn't seen before).
• See the images section for more details.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script from the EITest campaign in a page from the compromised site.

 

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.activaclinics[.]com - Compromised website
• 46.173.214[.]185 port 80 - help.whatizzzit[.]com - Rig EK
• 31.41.216[.]90 port 80 - stat2.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic
• 31.41.217[.]90 port 80 - stat2.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic
• 148.251.13[.]83 port 80 - stat2.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic
• 195.248.235[.]240 port 80 - stat2.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic
• 195.248.235[.]241 port 80 - stat2.s76.r53[.]com[.]ua - Post-infection ransomware HTTP traffic

 

EMAIL ADDRESSES FROM THE DECRYPTION INSTRUCTIONS:

• bluetablet9643@yahoo[.]com - Primary email
• decodedecode@yandex[.]ru - Backup email

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  8411ffb402372f51fbcc5f4d80f23eaf79871650d5cbbac8597c3667a49870b6
  File size:  15,736 bytes
  File description:  Rig EK flash exploit seen on 2017-03-28

PAYLOAD (RANSOMWARE):

• SHA256 hash:  25b36b3ae96b38259cb473df2b0d02fe94135b8d53b960dc95315567590c683c
  File size:  461,312 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\J3KXzbhL.exe

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

Shown above:  Desktop of an infected windows host.

 

Shown above:  No file name changes, and the directions are in an RTF file.

 

Shown above:  Registry entry made for persistence of the HTA file.

 

Click here to return to the main page.