2016-11-30 - RIG EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-11-30-Rig-EK-data-dump-all-6-pcaps.zip   3.1 MB (3,052,838 bytes)

• 2016-11-29-1st-run-EITest-Rig-E-traffic.pcap   (1,005,331 bytes)
• 2016-11-29-2nd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (456,397 bytes)
• 2016-11-29-3rd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (496,604 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (472,537 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (379,189 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-traffic.pcap   (905,031 bytes)

• 2016-11-30-Rig-EK-data-dump-malware-and-artifacts.zip   1.6 MB (1,610,411 bytes)

• 2016-11-29-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-landing-page.txt   (85,248 bytes)
• 2016-11-29-1st-run-EITest-Rig-E-payload-rad65C7C.tmp.exe   (285,696 bytes)
• 2016-11-29-1st-run-page-from-abogadoszurbanocaracas_com-with-injected-script.txt   (15,604 bytes)
• 2016-11-29-2nd-run-page-from-fundeun_es-with-injected-script.txt   (126,143 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-flash-exploit.swf   (12,394 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-landing-page.txt   (90,078 bytes)
• 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-payload-Cerber-ransomware-rad6F670.tmp.exe   (217,323 bytes)
• 2016-11-29-3rd-run-page-from-lavozdeltrubia_es-with-injected-script.txt   (72,753 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-flash-exploit.swf   (12,394 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-landing-page.txt   (90,068 bytes)
• 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-payload-Cerber-ransomware-radC816F.tmp.exe   (265,910 bytes)
• 2016-11-30-1st-run-page-from-immigrationsolutions_com-with-injected-script.txt   (22,110 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (9,884 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-landing-page.txt   (90,253 bytes)
• 2016-11-30-1st-run-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad4B90E.tmp.exe   (263,794 bytes)
• 2016-11-30-2nd-run-page-from-joellipman_com-with-injected-script.txt   (68,857 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (9,884 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-landing-page.txt   (90,173 bytes)
• 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad5FFAA.tmp.exe   (216,997 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-landing-page.txt   (85,276 bytes)
• 2016-11-30-3rd-run-EITest-Rig-E-payload-8E5.tmp   (89,780 bytes)
• 2016-11-30-3rd-run-page-from-abogadoszurbanocaracas_com-with-injected-script.txt   (15,601 bytes)

NOTE:

• What do you do when you have a lot of intercepted traffic but no time to post in detail?  You dump it!

 

TRAFFIC

ASSOCIATED DOMAINS:

• abogadoszurbanocaracas[.]com - Compromised site (2016-11-29)
• 191.101.31[.]25 port 80 - ywom0.vzvajzr[.]top - Rig-E
• 146.0.77[.]16 port 80 - 146.0.77[.]16 - Post-infection HTTP traffic

• fundeun[.]es - Compromised site (2016-11-29)
• 194.87.145[.]56 port 80 - new.yoncalivillas[.]com - Rig-V
• 210.16.101[.]23 port 80 - ffoqr3ug7m726zou.zee0xr[.]top - Post-infection HTTP traffic

• lavozdeltrubia[.]es - Compromised site (2016-11-29)
• 194.87.145[.]56 port 80 - new.yoncalivillas[.]com - Rig-V
• 210.16.101[.]23 port 80 - avsxrcoq2q5fgrw2.34efzl[.]top - Post-infection HTTP traffic

• immigrationsolutions[.]com - Compromised site (2016-11-30)
• 194.87.238[.]156 port 80 - see.pooldecksealer[.]com - Rig-V
• 185.109.144[.]18 port 80 - avsxrcoq2q5fgrw2.vth4o4[.]bid - Post-infection HTTP traffic

• joellipman[.]com - Compromised site (2016-11-30)
• 194.87.238[.]156 port 80 - see.pooldecksealer[.]com - Rig-V
• 185.109.144[.]18 port 80 - ffoqr3ug7m726zou.p93w1x[.]bid - Post-infection HTTP traffic

• abogadoszurbanocaracas[.]com - Compromised site (2016-11-30)
• 70.39.115[.]200 port 80 - tzaz.gql7xjpeq[.]top - Rig-E
• 203.121.145[.]40 port 8080 - 203.121.145[.]40:8080 - Post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOITS (READ: SHA256 HASH - FILE NAME - FILE SIZE):

• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-11-29-1st-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes
• 9a8ba78b2184b3e70bfa97bad9a7f31a9a9f33e4cebf75cf1aff18e127d3305b - 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-flash-exploit.swf - 12,394 bytes
• 9a8ba78b2184b3e70bfa97bad9a7f31a9a9f33e4cebf75cf1aff18e127d3305b - 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-flash-exploit.swf - 12,394 bytes
• 8c448030760ca6a7dffb8d31eaf4c36b25cad520ed3914765685e00e2a39ef2b - 2016-11-30-1st-run-pseudoDarkleech-Rig-V-flash-exploit.swf - 9,884 bytes
• 8c448030760ca6a7dffb8d31eaf4c36b25cad520ed3914765685e00e2a39ef2b - 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-flash-exploit.swf - 9,884 bytes
• b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e - 2016-11-30-3rd-run-EITest-Rig-E-flash-exploit.swf - 40,141 bytes

FLASH EXPLOITS (READ: SHA256 HASH - MY SAVED NAME FOR IT - FILE SIZE):

• 43a21ea47ec10d813f8252cd7f64394a5059aebe7977febd15d3bd9f887c812f - 2016-11-29-1st-run-EITest-Rig-E-payload-rad65C7C.tmp.exe - 285,696 bytes
• 808c9a9b1253064abd3c7e6617c4ceb4cab17382ca4b8f951d8b5655ff388c67 - 2016-11-29-2nd-run-psuedoDarkleech-Rig-V-payload-Cerber-ransomware-rad6F670.tmp.exe - 217,323 bytes
• 36825129c4dbd65eab073547cf82f0d458b47b569e40a9be89a40c7cc764b24e - 2016-11-29-3rd-run-psuedoDarkleech-Rig-V-payload-Cerber-ransomware-radC816F.tmp.exe - 265,910 bytes
• bb121bca1c193ec9165942423b61ec9636ad5ec7a98b563b3fc8a4ce430b1942 - 2016-11-30-1st-run-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad4B90E.tmp.exe - 263,794 bytes
• 072fe4e4ecede73a384de61f3e98518feb8bc0259f9b5c4405d819396ba35f86 - 2016-11-30-2nd-run-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad5FFAA.tmp.exe - 216,997 bytes
• 9ca5498417ca8079358ee0b3199fed991751487c6aa71ef1331d85d4d74b96a6 - 2016-11-30-3rd-run-EITest-Rig-E-payload-8E5.tmp - 89,780 bytes

 

Click here to return to the main page.