2016-11-16 - RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-11-16-1st-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (587,033 bytes)
  • 2016-11-16-2nd-run-EITest-Rig-E-sends-Terdot.A-or-Zloader.pcap   (6,926,217 bytes)
  • 2016-11-16-3rd-run-EITest-Rig-E-sends-Quant-Loader.pcap   (8,987,574 bytes)
  • 2016-11-16-4th-run-EITest-Rig-standard-sends-CryptFile2-ransomware.pcap   (170,733 bytes)
  • 2016-11-16-6th-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (581,120 bytes)
  • 2016-11-16-7th-run-EITest-Rig-E-sends-Cerber-ransomware.pcap   (559,793 bytes)
  • 2016-11-16-8th-run-EITest-Rig-E-sends-Qadars.pcap   (771,317 bytes)
  • 2016-11-16-1st-run-Rig-V-flash-exploit.swf   (50,816 bytes)
  • 2016-11-16-1st-run-Rig-V-landing-page.txt   (5,209 bytes)
  • 2016-11-16-1st-run-Rig-V-payload-Cerber.exe   (255,192 bytes)
  • 2016-11-16-1st-run-page-from-joellipman.com-with-injected-pseudoDarkleech-script.txt   (68,382 bytes)
  • 2016-11-16-2nd-run-Rig-E-flash-exploit.swf   (52,582 bytes)
  • 2016-11-16-2nd-run-Rig-E-landing-page.txt   (32,82 bytes)
  • 2016-11-16-2nd-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,612 bytes)
  • 2016-11-16-3rd-run-Rig-E-flash-exploit.swf   (52,582 bytes)
  • 2016-11-16-3rd-run-Rig-E-landing-page.txt   (3,281 bytes)
  • 2016-11-16-3rd-run-Rig-E-payload-Quant-Loader.exe   (156,672 bytes)
  • 2016-11-16-3rd-run-follow-up-malware.exe   (434,176 bytes)
  • 2016-11-16-3rd-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,597 bytes)
  • 2016-11-16-4th-run-Rig-standard-flash-exploit.swf   (48,722 bytes)
  • 2016-11-16-4th-run-Rig-standard-landing-page.txt   (3,140 bytes)
  • 2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe   (80,896 bytes)
  • 2016-11-16-6th-run-Rig-V-flash-exploit.swf   (50,816 bytes)
  • 2016-11-16-6th-run-Rig-V-landing-page.txt   (5,179 bytes)
  • 2016-11-16-6th-run-Rig-V-payload-Cerber.exe   (237,902 bytes)
  • 2016-11-16-6th-run-page-from-wordtemplates.org-with-injected-pseudoDarkleech-script.txt   (54,199 bytes)
  • 2016-11-16-7th-run-Rig-E-flash-exploit.swf   (52,582 bytes)
  • 2016-11-16-7th-run-Rig-E-landing-page.txt   (3,278 bytes)
  • 2016-11-16-7th-run-Rig-E-payload-Cerber.exe   (266,430 bytes)
  • 2016-11-16-7th-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,603 bytes)
  • 2016-11-16-8th-run-Rig-E-flash-exploit.swf   (52,582 bytes)
  • 2016-11-16-8th-run-Rig-E-landing-page.txt   (3,283 bytes)
  • 2016-11-16-8th-run-Rig-E-payload-Qadars.exe   (343,552 bytes)
  • 2016-11-16-8th-run-page-from-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,613 bytes)
NOTES:
TRAFFIC

[Image: Traffic from the 1st run in Wireshark.]

[Image: Traffic from the 2nd run in Wireshark.]

[Image: Traffic from the 3rd run in Wireshark.]

[Image: Traffic from the 4th run in Wireshark.]

[Image: Traffic from the 6th run in Wireshark.]

[Image: Traffic from the 7th run in Wireshark.]

[Image: Traffic from the 8th run in Wireshark.]


ASSOCIATED DOMAINS:
FILE HASHES

FLASH EXPLOITS:

PAYLOADS (READ: SHA256 HASH - FILE NAME):
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.