Malware-Traffic-Analysis.net - 2016-09-16 - EK data dump - EITest and pseudoDarkleech Rig EK, Afraidgate Neutrino EK

2016-09-16 - EK DATA DUMP - EITEST AND PSEUDODARKLEECH RIG EK, AFRAIDGATE NEUTRINO EK

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-09-16-EK-traffic-data-dump.pcap.zip 2.1 MB (2,122,648 bytes)
2016-09-16-EK-data-dump-malware-and-artifacts.zip 1.1 MB (1,097,189 bytes)

NOTES:

Thanks to Baber for the emails he sends me about compromised websites.
I also found some other compromised sites by reviewing old tweets from @FreeBSDfan.

TRAFFIC

ASSOCIATED DOMAINS:

blog.sewmucheasier[.]com - Compromised site
31.184.192[.]188 port 80 - iiofuro[.]top - EITest gate
185.117.73[.]195 port 80 - zxzdo.y4z6rp59a[.]top - Rig EK
Bart ransomware payload - no callback traffic

www.converterlist[.]com - Compromised site
74.208.205[.]36 port 80 - syrtibusquepivsakko.letloosevip[.]com - Rig EK
65.49.8[.]96 port 443 - CrypMIC ransomware calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

www.dilmotioncontrol[.]com - Compromised site
74.208.205[.]36 port 80 - syrtibusquepivsakko.letloosevip[.]com - Rig EK
65.49.8[.]96 port 443 - CrypMIC ransomware calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

revistaelobservador[.]com - Compromised site
31.184.192[.]188 port 80 - kumaconexion[.]top - EITest gate
185.117.73[.]195 port 80 - zxzdo.y4z6rp59a[.]top - Rig EK
Bart ransomware payload - no callback traffic

www.avanzagrupo[.]com - Compromised site
83.217.27[.]178 port 80 - jjadfhcyxu.ddnsking[.]com - GET /wordpress/?ARX8 - gate/decirect
74.208.193[.]71 port 80 - groepleier.702guru[.]com - Rig EK
65.49.8[.]96 port 443 - CrypMIC ransomware calback traffic, plain text and custom encoded, not HTTPS/SSL/TLS

picmania.garcia-cuervo[.]net - Compromised site
178.62.23[.]109 port 80 - lin.portalsmk[.]com - GET /jquery.file.js - Afraidgate redirect
137.74.148[.]232 port 80 - mlylrqaa.nowmalawi[.]top - Neutrino EK
Payload not sent

picmania.garcia-cuervo[.]net - Compromised site
178.62.23[.]109 port 80 - knight.manex[.]us - GET /jquery.colorbox-min.js - Afraidgate redirect
Did not make it to the EK landing page

picmania[.]garcia-cuervo.net - Compromised site
178.62.23[.]109 port 80 - knight.manex[.]us - GET /scripts/advertising.js - Afraidgate redirect
137.74.148[.]232 port 80 - fnszgx.nowmalawi[.]top - Neutrino EK
185.75.46[.]29 port 80 - 185.75.46[.]29 - GET /tt.php - downloader calling for Locky ransomware
51.255.105[.]2 port 80 - 51.255.105[.]2 - POST /data/info.php - Locky ransomware post-infection callback

Click here to return to the main page.