2016-11-02 - EITEST RIG EK FROM 185.141.26.17

ASSOCIATED FILES:

  • 2016-11-02-first-run-EITest-Rig-EK-sends-Terdot-Zloader.pcap   (2,862,170 bytes)
  • 2016-11-02-second-run-EITest-Rig-EK-sends-Zeprox.pcap   (238,041 bytes)
  • 2016-11-02-third-run-EITest-Rig-EK-sends-Kronos.pcap   (631,997 bytes)
  • 2016-11-02-all-3-runs-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
  • 2016-11-02-first-run-EITest-Rig-EK-landing-page.txt   (3,295 bytes)
  • 2016-11-02-first-run-EITest-Rig-EK-payload-Terdot-Zloader.exe   (102,400 bytes)
  • 2016-11-02-first-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,597 bytes)
  • 2016-11-02-second-run-EITest-Rig-EK-landing-page.txt   (3,292 bytes)
  • 2016-11-02-second-run-EITest-Rig-EK-payload-Zeprox.exe   (141,328 bytes)
  • 2016-11-02-second-run-page-from-xorbin.com-with-injected-EITest-script.txt   (21,828 bytes)
  • 2016-11-02-third-run-EITest-Rig-EK-landing-page.txt   (3,294 bytes)
  • 2016-11-02-third-run-EITest-Rig-EK-payload-Kronos.exe   (450,560 bytes)
  • 2016-11-02-third-run-page-from-xorbin.com-with-injected-EITest-script.txt   (21,827 bytes)

NOTES:

BACKGROUND ON THE EITEST CAMPAIGN:

Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Injected script from the EITest campaign in a page from the compromised site (first run).


Shown above:  Traffic from the infection filtered in Wireshark (first run).


Shown above:  Injected script from the EITest campaign in a page from the compromised site (second run).


Shown above:  Traffic from the infection filtered in Wireshark (second run).


Shown above:  Injected script from the EITest campaign in a page from the compromised site (third run).


Shown above:  Traffic from the infection filtered in Wireshark (third run).

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOITS:

PAYLOADS:

IMAGES


Shown above:  Alerts using tcpreplay on the first pcap with the Emerging Threats Pro (ETPRO) ruleset from Sguil on Security Onion.

Shown above:  Alerts after reading the first pcap with Snort 2.9.8.3 on Debian 7.1.1 using the Snort Subscription ruleset.

Shown above:  Alerts using tcpreplay on the second pcap with the Emerging Threats Pro (ETPRO) ruleset from Sguil on Security Onion.

Shown above:  Alerts after reading the second pcap with Snort 2.9.8.3 on Debian 7.1.1 using the Snort Subscription ruleset (part 1 of 2).

Shown above:  Alerts after reading the second pcap with Snort 2.9.8.3 on Debian 7.1.1 using the Snort Subscription ruleset (part 2 of 2).

Shown above:  Alerts using tcpreplay on the third pcap with the Emerging Threats Pro (ETPRO) ruleset from Sguil on Security Onion.

Shown above:  Alerts after reading the third pcap with Snort 2.9.8.3 on Debian 7.1.1 using the Snort Subscription ruleset.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.