2016-11-08 - RIG EK/RIG-V DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

 

ASSOCIATED FILES:

• 2016-11-08-Rig-EK-and-RIGv-data-dump-all-6-pcaps.zip   2.0 MB (2,048,226 bytes)

• 2016-11-08-1st-run-EITest-Rig-EK-sends-Vawtrak.pcap   (363,860 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-sends-Cerber-ransomware.pcap   (747,480 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-sends-CryptFile2-ransomware.pcap   (160,323 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-sends-Terdot-or-Zloader.pcap   (226,467 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-sends-Cerber.pcap   (620,286 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-sends-Gootkit.pcap   (674,388 bytes)

• 2016-11-08-Rig-EK-and-RIGv-data-dump-malware-and-artifacts.zip   1.4 MB (1,441,312 bytes)

• 2016-11-08-1st-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-1st-run-EITest-Rig-EK-landing-page.txt   (3,300 bytes)
• 2016-11-08-1st-run-EITest-Rig-EK-payload-Vawtrak.exe   (184,320 bytes)
• 2016-11-08-1st-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,610 bytes)
• 2016-11-08-2nd-run-page-from-radiochiclana_com-with-injected-script.txt   (29,246 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-flash-exploit.swf   (51,785 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-landing-page.txt   (5,170 bytes)
• 2016-11-08-2nd-run-pseudoDarkleech-RIGv-payload-Cerber-ransomware.exe   (533,886 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-flash-exploit.swf   (51,972 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-landing-page.txt   (3,153 bytes)
• 2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2-ransomware.exe   (89,088 bytes)
• 2016-11-08-3rd-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,641 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-landing-page.txt   (3,282 bytes)
• 2016-11-08-4th-run-EITest-Rig-EK-payload-Terdot-or-Zloader.exe   (110,453 bytes)
• 2016-11-08-4th-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,607 bytes)
• 2016-11-08-5th-run-page-from-modelocontrato_net-with-injected-script.txt   (27,236 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-flash-exploit.swf   (51,785 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-landing-page.txt   (5,159 bytes)
• 2016-11-08-5th-run-pseudoDarkleech-RIGv-payload-Cerber-ransomware.exe   (266,494 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-flash-exploit.swf   (52,582 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-landing-page.txt   (3,284 bytes)
• 2016-11-08-6th-run-EITest-Rig-EK-payload-Gootkit.exe   (244,578 bytes)
• 2016-11-08-6th-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,614 bytes)

 

TRAFFIC

1ST RUN:

• cavallinomotorsport[.]com - Compromised site
• 89.35.178[.]125 port 80 - kuwad.gerabearsout[.]cf - Rig EK
• 95.213.134[.]124 port 443 - olacwimsu[.]com - Vawtrak HTTPS/SSL/TLS post-infection traffic
• 92.53.96[.]84 port 80 - ice-baby[.]ru - Vawtrak HTTP post-infection traffic
• 91.219.31[.]14 port 443 - brnmsgzc[.]ru - Vawtrak HTTPS/SSL/TLS post-infection traffic

2ND RUN:

• www.radiochiclana[.]es - Compromised site
• 195.133.145[.]84 port 80 - see.steelehendershot[.]com - RIG-v
• 65.55.50[.]0 - 65.55.50[.]31 (65.55.50[.]0/27) port 6892 - UDP traffic caused by Cerber ransomware
• 192.42.118[.]0 - 192.42.118.[31 (192.42.118[.]0/27)port 6892 - UDP traffic caused by Cerber ransomware
• 194.165.16[.]0 - 194.165.19[.]255 (194.165.16[.]0/22) port 6892 - UDP traffic caused by Cerber ransomware
• 190.123.45[.]169 port 80 - vyohacxzoue32vvk.3sc3f8[.]bid - HTTP traffic caused by Cerber ransomware

3RD RUN:

• cavallinomotorsport[.]com - Compromised site
• 194.87.234[.]70 port 80 - asd.1010midtownhomeprices[.]com - Rig EK (with RIGv URL patterns)
• 195.154.117[.]218 port 80 - CryptFile2 ransomware callback traffic (no response from the server)

4TH RUN:

• cavallinomotorsport[.]com - Compromised site
• 85.204.74[.]77 port 80 - ml0318.rzhsxs[.]top - Rig EK
• 93.78.2[.]231 port 80 - lopybnutur[.]top - Terdot/Zloader post-infection traffic

5TH RUN:

• www.modelocontrato[.]net - Compromised site
• 195.133.145[.]84 port 80 - ex.steeleo[.]com - RIG-v
• 65.55.50[.]0 - 65.55.50[.]31 (65.55.50[.]0/27) port 6892 - UDP traffic caused by Cerber ransomware
• 192.42.118[.]0 - 192.42.118[.]31 (192.42.118[.]0/27)port 6892 - UDP traffic caused by Cerber ransomware
• 194.165.16[.]0 - 194.165.19[.]255 (194.165.16[.]0/22) port 6892 - UDP traffic caused by Cerber ransomware
• 190.123.45[.]169 port 80 - ffoqr3ug7m726zou.zh5mu9[.]bid - HTTP traffic caused by Cerber ransomware

6TH RUN:

• cavallinomotorsport[.]com - Compromised site
• 85.204.74[.]77 port 80 - yqto5k.rzhsxs[.]top - Rig EK
• 43.239.221[.]51 port 80 - jerrufer[.]com - Gootkit post-infection HTTPS/SSL/TLS traffic over port 80
• DNS query for: brafards[.]com - server response: No such name
• DNS query for: chirulid[.]com - server response: No such name
• DNS query for: kardrews[.]com - server response: No such name
• DNS query for: klepsong[.]com - server response: No such name
• DNS query for: kraspirt[.]com - server response: No such name
• DNS query for: lessenso[.]com - server response: No such name
• DNS query for: leswestr[.]com - server response: No such name
• DNS query for: manahars[.]com - server response: No such name
• DNS query for: refartor[.]com - server response: No such name

 

FILE HASHES

FLASH EXPLOITS (SHA256 HASH - FILE NAME):

• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-1st-run-EITest-Rig-EK-flash-exploit.swf
• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-4th-run-EITest-Rig-EK-flash-exploit.swf
• 1613acd34bfb85121bef0cd7a5cc572967912f9f674eefd7175f42ad2099e3d1 - 2016-11-08-6th-run-EITest-Rig-EK-flash-exploit.swf
• 8e62d6dbf73a9d3af44bf147a365cf847b2e8febba26bd339f54d9f58fbdecc4 - 2016-11-08-2nd-run-pseudoDarkleech-RIGv-flash-exploit.swf
• 8e62d6dbf73a9d3af44bf147a365cf847b2e8febba26bd339f54d9f58fbdecc4 - 2016-11-08-5th-run-pseudoDarkleech-RIGv-flash-exploit.swf
• 965e41d574a02caded034be0db62aa5ab6b9ffdd56de2b44b7c18ea6815b0650 - 2016-11-08-3rd-run-EITest-Rig-EK-flash-exploit.swf

PAYLOAD (SHA256 HASH - FILE NAME):

• 2abf98b69d0691519aab2e37595205eec5803d33d0b4fad98a589a5ae330038a 2016-11-08-1st-run-EITest-Rig-EK-payload-Vawtrak.exe
• 9f2208e1c8a3bcb5771471b2c22732e19516f845b5b70f38630538ad8e8a3262 2016-11-08-2nd-run-pseudoDarkleech-RIGv-payload-Cerber-ransomware.exe
• 64a7cf0a5c8c4eebd1e2d96c2877623183520afd0e467fc6932664f550597554 2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2-ransomware.exe
• 416ba4966c0a293662933dd0f91faa24ee40e224e378ce631258d40489354c9b 2016-11-08-4th-run-EITest-Rig-EK-payload-Terdot-or-Zloader.exe
• e4e1343c237047e972096499c9914d3f1eda3935da471b422fb01fd28e85872a 2016-11-08-5th-run-pseudoDarkleech-RIGv-payload-Cerber-ransomware.exe
• 0f7550abe2eee29f44134e20921378d3c9efd8b9d837ddad34d29e1dca178996 2016-11-08-6th-run-EITest-Rig-EK-payload-Gootkit.exe

 

Click here to return to the main page.