2017-01-20 - EITEST RIG-V FROM 92.53.120.142 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-01-20-EITest-Rig-V-sends-Cerber-ransomware.pcap   (729,857 bytes)
  • 2017-01-20-Cerber_HELP_HELP_HELP_XZILQ.hta   (75,794 bytes)
  • 2017-01-20-Cerber_HELP_HELP_HELP_XZILQ.jpg   (230,523 bytes)
  • 2017-01-20-EITest-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-20-EITest-Rig-V-flash-exploit.swf   (38,165 bytes)
  • 2017-01-20-EITest-Rig-V-landing-page.txt   (5,185 bytes)
  • 2017-01-20-EITest-Rig-V-payload-Cerber-rad12A26.tmp.exe   (279,012 bytes)
  • 2017-01-20-page-from-activaclinics.com-wtih-injected-EITest-script.txt   (59,338 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE EITEST CAMPAIGN:


Shown above: Flowchart for this infection traffic.

TRAFFIC

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOIT:

PAYLOAD (CERBER RANSOMWARE):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
