2016-11-22 - RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-11-22-1st-run-EITest-Rig-E-traffic.pcap   (662,419 bytes)
  • 2016-11-22-2nd-run-EITest-Rig-standard-sends-CryptFile2-ransomware.pcap   (173,971 bytes)
  • 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (601,911 bytes)
  • 2016-11-22-4th-run-Afraidgate-Rig-V-causes-Locky-infection.pcap   (358,995 bytes)
  • 2016-11-22-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-11-22-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
  • 2016-11-22-1st-run-EITest-Rig-E-landing-page.txt   (85,260 bytes)
  • 2016-11-22-1st-run-EITest-Rig-E-payload-radAA63F.tmp.exe   (261,632 bytes)
  • 2016-11-22-1st-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,804 bytes)
  • 2016-11-22-2nd-run-EITest-Rig-standard-flash-exploit.swf   (39,147 bytes)
  • 2016-11-22-2nd-run-EITest-Rig-standard-landing-page.txt   (3,138 bytes)
  • 2016-11-22-2nd-run-EITest-Rig-standard-payload-CryptFile2-3274.tmp   (85,504 bytes)
  • 2016-11-22-2nd-run-page-from-cavallinomotorsport.com-with-injected-script.txt   (18,812 bytes)
  • 2016-11-22-3rd-run-page-from-wordtemplates.org-with-injected-script.txt   (54,474 bytes)
  • 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (37,559 bytes)
  • 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-landing-page.txt   (5,192 bytes)
  • 2016-11-22-3rd-run-pseudoDarkleech-Rig-V-payload-Cerber-radCC957.tmp.exe   (260,298 bytes)
  • 2016-11-22-4th-run-Afraidgate-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
  • 2016-11-22-4th-run-Afraidgate-Rig-V-flash-exploit.swf   (37,559 bytes)
  • 2016-11-22-4th-run-Afraidgate-Rig-V-landing-page.txt   (5,192 bytes)
  • 2016-11-22-4th-run-Afraidgate-Rig-V-payload-radCD4C2.tmp.exe   (78,848 bytes)
  • 2016-11-22-4th-run-Afraidgate-redirect-openair.mirceasandu.ro-shortcuts.js.txt   (415 bytes)
  • 2016-11-22-4th-run-page-from-ardenne.org-with-injected-script.txt   (18,666 bytes)
  • 2016-11-22-4th-run-post-infection-download-Locky-jtqaLMMFNErRMgrba8hW2Al3B.exe   (211,456 bytes)

BACKGROUND:

 

TRAFFIC


Shown above:  Traffic from the 1st infection filtered in Wireshark.


Shown above:  Traffic from the 2nd infection filtered in Wireshark.


Shown above:  Traffic from the 3rd infection filtered in Wireshark.


Shown above:  Traffic from the 4th infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

FLASH EXPLOITS (SHA256 HASH - FILE NAME):

MALWARE (SHA256 HASH - FILE NAME):

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
