2019-05-22 - RIG EK FROM UNKNOWN CAMPAIGN SENDS GANDCRAB RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the infection traffic: 2019-05-22-Rig-EK-sends-Gandcrab-ransomware.pcap.zip 749 kB (749,459 bytes)
- 2019-05-22-Rig-EK-sends-Gandcrab-ransomware.pcap (786,909 bytes)
- Zip archive of the malware & artifacts: 2019-05-22-Rig-EK-malware-and-artifacts.zip 496 kB (496,495 bytes)
- 2019-05-22-Gandcrab-ransomware-decryption-instructions.txt (2,914 bytes)
- 2019-05-22-Rig-EK-artifact-T.t.txt (1,149 bytes)
- 2019-05-22-Rig-EK-flash-exploit.swf (9,367 bytes)
- 2019-05-22-Rig-EK-landing-page.txt (114,013 bytes)
- 2019-05-22-Rig-EK-payload-Gandcrab-ransomware.exe (671,744 bytes)
NOTES:
- Found letsdoitquick[.]site, a gate leading to Rig exploit kit (EK), in a tweet sent by @david_jursa in April 2019.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domain:
- letsdoitquick[.]site
TRAFFIC
(Image: traffic from the infection filtered in Wireshark.)
GATE DOMAIN THAT LED TO RIG EK:
- 91.235.129[.]60 port 80 - letsdoitquick[.]site - GET /
RIG EK:
- 5.23.49[.]81 port 80 - 5.23.49[.]81
TRAFFIC CAUSED BY GANDCRAB RANSOMWARE (POSSIBLE CONNECTIVITY CHECK, NOT INHERENTLY MALICIOUS):
- port 80 - www.kakaocorp[.]link - GET /
- port 443 - www.kakaocorp[.]link - HTTPS/SSL/TLS traffic
FILE HASHES
RIG EK FLASH EXPLOIT:
- SHA256 hash: a21ca5124a51eb5633c51b05e40ac2f68d5364af23d64ca67ff1ee043b8eb436
- File size: 9,367 bytes
- File description: Rig EK flash exploit seen on 2019-05-22
RIG EK PAYLOAD (GANDCRAB VERSION 5.2 RANSOMWARE):
- SHA256 hash: af8e74d00babaae01b6f3b137cff7b6a6951456c66ffa95122695dad6c7b41a9
- File size: 671,744 bytes
- File description: Gandcrab ransomware sent by Rig EK on 2019-05-22