2016-12-05 - RIG EK DATA DUMP

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-12-05-Rig-EK-data-dump-5-pcaps.zip   5.8 MB (5,806,678 bytes)

• 2016-12-05-1st-run-EITest-Rig-E-sends-Gootkit.pcap   (284,311 bytes)
• 2016-12-05-1st-run-Gootkit-post-infection-traffic.pcap   (4,068,785 bytes)
• 2016-12-05-2nd-run-EITest-Rig-E-sends-Chthonic-banking-trojan.pcap   (1,363,685 bytes)
• 2016-12-05-3rd-run-EITest-Rig-EK-sends-Quant-Loader.pcap   (146,575 bytes)
• 2016-12-05-4th-run-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (487,881 bytes)

• 2016-12-05-Rig-EK-data-dump-malware-and-artifacts.zip   709.1 kB (709,139 bytes)

• 2016-12-05-1st-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-05-1st-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-05-1st-run-EITest-Rig-E-landing-page.txt   (3,428 bytes)
• 2016-12-05-1st-run-EITest-Rig-E-payload-Gootkit-rad0260A.tmp.exe   (200,704 bytes)
• 2016-12-05-1st-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,829 bytes)
• 2016-12-05-2nd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-05-2nd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-05-2nd-run-EITest-Rig-E-landing-page.txt   (3,422 bytes)
• 2016-12-05-2nd-run-EITest-Rig-E-payload-Chthonic-rad952F6.tmp.exe   (188,416 bytes)
• 2016-12-05-2nd-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,847 bytes)
• 2016-12-05-3rd-run-EITest-Rig-E-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-05-3rd-run-EITest-Rig-E-flash-exploit.swf   (40,141 bytes)
• 2016-12-05-3rd-run-EITest-Rig-E-landing-page.txt   (3,416 bytes)
• 2016-12-05-3rd-run-EITest-Rig-E-payload-Quant-Loader-rad633D8.tmp.exe   (59,129 bytes)
• 2016-12-05-3rd-run-page-from-cavallinomotorsport_com-with-injected-script.txt   (18,847 bytes)
• 2016-12-05-4th-run-page-from-wordtemplates_org-with-injected-script.txt   (54,507 bytes)
• 2016-12-05-4th-run-pseudoDarkleech-Rig-V-artifact-MXj6sFosp.txt   (1,137 bytes)
• 2016-12-05-4th-run-pseudoDarkleech-Rig-V-artifact-landing-page.txt   (5,405 bytes)
• 2016-12-05-4th-run-pseudoDarkleech-Rig-V-flash-exploit.swf   (10,226 bytes)
• 2016-12-05-4th-run-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad8C7CF.tmp.exe   (267,079 bytes)

 

TRAFFIC

Shown above:  Traffic from the 1st infection filtered in Wireshark.

Shown above:  Traffic from the 2nd infection filtered in Wireshark.

Shown above:  Traffic from the 3rd infection filtered in Wireshark.

Shown above:  Traffic from the 4th infection filtered in Wireshark.

 

1ST INFECTION:

• cavallinomotorsport[.]com - Compromised site
• 81.95.7[.]32 port 80 - adwd.yboa97qr6[.]xyz - Rig-E
• 5.39.48[.]106 port 80 - vnoskokos[.]win - Gootkit post-infection HTTPS/SSL/TLS traffic over TCP port 80
• 5.39.48[.]106 port 443 - Gootkit post-infection HTTPS/SSL/TLS traffic over TCP port 443

 

2ND INFECTION:

• cavallinomotorsport[.]com - Compromised site
• 81.95.7[.]32 port 80 - adwd.yboa97qr6[.]xyz - Rig-E
• 31.3.135[.]232 port 53 - TCP traffic of DNS queries for scenabit[.]bit
• 195.123.210[.]75 port 80 - scenabit[.]bit - Chthonic post-infection HTTP traffic

 

3RD INFECTION:

• cavallinomotorsport[.]com - Compromised site
• 185.162.8[.]79 port 80 - mrmisrh.qx33wu[.]xyz - Rig-E
• 81.4.108[.]169 port 80 - vitaetortorvitaesuscipit[.]us - Quant Loader post-infection HTTP traffic

 

4TH INFECTION:

• www.wordtemplate[.]org - Compromised site
• 194.87.232[.]99 port 80 - tree.qunnybuzzhandlebarfoamgripsreplacement[.]com - Rig-V
• 15.49.2[.]0 to 15.49.2[.]31 (15.49.2[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 122.1.13[.]0 to 122.1[.]31 (122.1.13[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 194.165.16[.]0 to 194.165.17[.]255 (194.165.16[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 185.101.218[.]230 port 80 - ffoqr3ug7m726zou.pa5z2s[.]top - Cerber ransomware post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOITS:

• SHA256 hash:  b73dd34e63a001b3be1e809c889df4a075162891034404e4d344d7cfafb1bc0e   (40,141 bytes)
  File name:  2016-12-05-1st-run-EITest-Rig-E-flash-exploit.swf
  File name:  2016-12-05-2nd-run-EITest-Rig-E-flash-exploit.swf
  File name:  2016-12-05-3rd-run-EITest-Rig-E-flash-exploit.swf

• SHA256 hash:  d0000aeae613ca0b19b19029fb7d57eddf3c02b39061468fd3597da04f85ecf7   (10,226 bytes)
  File name:  2016-12-05-4th-run-pseudoDarkleech-Rig-V-flash-exploit.swf

PAYLOADS:

• SHA256 hash:  eb56feab7dbe3e511af771186f826a65207a43e973a0cf3f68e531bd7408b9b9   (200,704 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad0260A.tmp.exe   (Gootkit)

• SHA256 hash:  d36c9d4a3b9132d6c0918b6b9d41563839d2812e13b22a16cd2545d12ba431de   (188,416 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad952F6.tmp.exe   (Chthonic)

• SHA256 hash:  0bc96069b1cd6f9e61c9f70d04dfa6c3dcef39c43be8f6bf0e4ceec4994f0160   (59,129 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad633D8.tmp.exe   (Quant Loader)

• SHA256 hash:  549c43688f63aac152ba6e2179cd3e3f4913551bd7759b10e5d5c943fcf7e83b   (267,079 bytes)
  File name:  C:\Users\[Username]\AppData\Local\Temp\rad8C7CF.tmp.exe   (Cerber ransomware)

 

Click here to return to the main page.