2016-11-17 - RIG-E UPDATES PAYLOAD ENCRYPTION, SENDS CHIP RANSOMWARE

ASSOCIATED FILES:

  • 2016-11-17-EITest-Rig-E-sends-CHIP-ransomware.pcap   (284,102 bytes)
  • 2016-11-17-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-11-17-Rig-E-flash-exploit.swf   (10,636 bytes)
  • 2016-11-17-Rig-E-landing-page.txt   (3,418 bytes)
  • 2016-11-17-Rig-E-payload-CHIP-ransomware.exe   (223,744 bytes)
  • 2016-11-17-cavallinomotorsport.com-with-injected-EITest-script.txt   (18,804 bytes)
  • 2016-11-17-CHIP_FILES.txt   (790 bytes)

BACKGROUND:

NOTES:


Shown above:  Chain of events for this infection.

TRAFFIC


Shown above:  Injected script in a page from the compromised website.


Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOIT:

PAYLOADS (CHIP RANSOMWARE):

IMAGES


Shown above:  An infected Windows host with a folder showing the encrypted files and CHIP_FILES.txt decryption instructions.


Shown above:  Viewing the decryption instructions in a Tor browser.


Shown above:  Alerts using tcpreplay on the pcap with the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.


Shown above:  Hits from Snort 2.9.8.3 using the Snort subscription ruleset.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.