2016-10-10 - EITEST RIG EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-10-10-EITest-Rig-EK-traffic-3-pcaps.zip   6.5 MB (6,479,704 bytes)

• 2016-10-10-EITest-Rig-EK-first-run.pcap   (663,054 bytes)
• 2016-10-10-EITest-Rig-EK-second-run.pcap   (2,238,284 bytes)
• 2016-10-10-EITest-Rig-EK-third-run.pcap   (4,191,610 bytes)

• 2016-10-10-EITest-Rig-EK-malware-and-artifacts-first-run.zip   405.0 kB (405,011 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-first-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-first-run.txt   (3,452 bytes)
• 2016-10-10-EITest-Rig-EK-payload-first-run.exe   (223,744 bytes)
• 2016-10-10-page-from-wiki.vmug_com-with-injected-script.txt   (23,645 bytes)
• 2016-10-10-scheduled-task-for-ctfreg.dll.txt   (3,346 bytes)
• 2016-10-10-scheduled-task-for-diskja.dll.txt   (3,348 bytes)
• ctfreg.dll   (200,704 bytes)
• diskja.dll   (200,704 bytes)

• 2016-10-10-EITest-Rig-EK-malware-and-artifacts-second-run.zip   331.7 kB (331,720 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-second-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-second-run.txt   (3,455 bytes)
• 2016-10-10-EITest-Rig-EK-payload-second-run.exe   (400,384 bytes)
• 2016-10-10-page-from-translation_ie-with-injected-script.txt   (48,021 bytes)

• 2016-10-10-EITest-Rig-EK-malware-and-artifacts-third-run.zip   168.6 kB (168,640 bytes)

• 2016-10-10-EITest-Rig-EK-flash-exploit-third-run.swf   (25,045 bytes)
• 2016-10-10-EITest-Rig-EK-landing-page-third-run.txt   (3,434 bytes)
• 2016-10-10-EITest-Rig-EK-payload-third-run.exe   (203,575 bytes)
• 2016-10-10-page-from-criticall911_com-with-injected-script.txt   (53,540 bytes)

 

NOTES:

• Thanks to @FreeBSDfan, @Oddly_Normal, and @Sec_She_Lady for their tweets that gave me today's compromised sites.

 

BACKGROUND ON THE EITEST CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-10-03 - Palo Alto Networks Unit 42 blog:  EITest Campaign Evolution: From Angler EK to Neutrino and Rig.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected EITest script in a page from the first compromised website.

Shown above:  Traffic from the first run filtered in Wireshark.

 

Shown above:  Injected EITest script in a page from the second compromised website.

Shown above:  Traffic from the second run filtered in Wireshark.

 

Shown above:  Injected EITest script in a page from the third compromised website.

Shown above:  Traffic from the third run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• wiki.vmug[.]com - Compromised site (first run)
• 185.117.73[.]18 port 80 - b7gqh.inbvq0t[.]top - Rig EK (first run)
• 79.110.251[.]102 port 80 - bigikurik[.]com - post-infection traffic (HTTPS/SSL/TLS over TCP port 80)

• www.translation[.]ie - Compromised site (second run)
• 185.117.73[.]18 port 80 - b7gqh.inbvq0t[.]top - Rig EK (second run)
• 198.12.107[.]167 port 80 - 198.12.107[.]167 - post-infection traffic

• criticall911[.]com - Compromised site (third run)
• 185.117.73[.]180 port 80 - x0md.r0tfo[.]top - Rig EK (third run)
• 108.61.174[.]115 port 443 - sta.grhstchs[.]com - post-infection traffic (HTTPS/SSL/TLS)

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  4f3632001131f30bd7d01c4c0c195abb947b5556c34479e5f5a8bde2326dda48
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-first-run.swf   (25,045 bytes)
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-second-run.swf   (25,045 bytes)
  File name:  2016-10-10-EITest-Rig-EK-flash-exploit-third-run.swf   (25,045 bytes)

PAYLOADS:

• SHA256 hash:  9a6a920cb20430d33886f007cec6d018f623676b8feda7a7a6fdc739f4768c96
  File name:  2016-10-10-EITest-Rig-EK-payload-first-run.exe   (223,744 bytes)

• SHA256 hash:  7b57138a0db41afe1f1945e8e19dcec58658d32150bb273001a417d79afa56ae
  File name:  2016-10-10-EITest-Rig-EK-payload-second-run.exe   (400,384 bytes)

• SHA256 hash:  5b9fb08816666fedbe24cfc89e212faf3d04c8445c54e2d12454e424f38b972b
  File name:  2016-10-10-EITest-Rig-EK-payload-third-run.exe   (203,575 bytes)

DROPPED MALWARE (FROM FIRST RUN):

• SHA256 hash:  9f5267e1313f83502bff135e928c4804cce7828b7d4fead05a2f95c23df48684
  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\ctfreg.dll   (200,704 bytes)
  C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\diskja.dll   (200,704 bytes)

 

Click here to return to the main page.