2017-01-11 - RIG-V FROM 109.234.38[.]150

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-11-Rig-V-activity-5-pcaps.zip   1.7 MB (1,696,258 bytes)

• 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-1st-run.pcap   (265,815 bytes)
• 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-2nd-run.pcap   (318,367 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-1st-run.pcap   (513,487 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2nd-run.pcap   (415,050 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-3rd-run.pcap   (689,751 bytes)

• 2017-01-11-Rig-V-artifacts-and-associated-malware.zip   1.3 MB (1,265,898 bytes)

• 2017-01-11-Cerber-ransomware_HELP_DECRYPT_P0M4FLVC_.hta   (67,682 bytes)
• 2017-01-11-Cerber-ransomware_HELP_DECRYPT_P0M4FLVC_.jpg   (237,109 bytes)
• 2017-01-11-CryptoMix-ransomwawre-decryption-instructions.txt   (1,480 bytes)
• 2017-01-11-EITest-Rig-V-1st-run-payload-CryptoMix-ransomware-rad9F7AB.tmp.exe   (99,328 bytes)
• 2017-01-11-EITest-Rig-V-2nd-run-payload-CryptoMix-ransomware-radEC302.tmp.exe   (98,816 bytes)
• 2017-01-11-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
• 2017-01-11-Rig-V-flash-exploit.swf   (16,946 bytes)
• 2017-01-11-Rig-V-landing-page-pseudoDarkleech-1st-run.txt   (5,184 bytes)
• 2017-01-11-Rig-V-landing-page-pseudoDarkleech-2nd-run.txt   (5,187 bytes)
• 2017-01-11-Rig-V-run-landing-page-EITest-1st-run.txt   (5,187 bytes)
• 2017-01-11-Rig-V-run-landing-page-EITest-2nd-run.txt   (5,189 bytes)
• 2017-01-11-Rig-V-run-landing-page-EITest-3rd-run.txt   (5,192 bytes)
• 2017-01-11-page-from-activaclinics_com-with-injected-EITest-script.txt   (59,303 bytes)
• 2017-01-11-page-from-alleghenyhomehealth_com-with-injected-pseudoDarkleech-script.txt   (23,818 bytes)
• 2017-01-11-page-from-gardencityhall_com-with-injected-pseudoDarkleech-script.txt   (27,801 bytes)
• 2017-01-11-page-from-grillo-designs_com-with-injected-EITest-script.txt   (97,506 bytes)
• 2017-01-11-page-from-joellipman_com-with-injected-pseudoDarkleech-script.txt   (66,791 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-ransomware-radE9100.tmp.exe   (325,350 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-ransomware-rad21C56.tmp.exe   (310,858 bytes)
• 2017-01-11-pseudoDarkleech-Rig-V-3rd-run-payload-Cerber-ransomware-rad8077D.tmp.exe   (300,772 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

• I usually run across 2 versions of Rig EK:  Rig-V (Rig 4.0) and Rig-E (Empire Pack).
• Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use (reference).
• I currently call it "Rig-V" out of habit.
• The proper name for Rig-E is "Empire Pack".  Empire Pack a variant of Rig EK as described by Kafeine here.
• I haven't seen Empire Pack traffic in 2017 yet, but I often see it from the EITest campaign (when EITest is distributing something other than CryptoMix/CryptFile2 or Cerber).

Shown above:  Login panels for each exploit kit.  Images from malware.dontneedcoffee.com (link).

OTHER NOTES:

• My thanks to everyone who continues to inform me about compromised websites.  Without your help, I wouldn't be able to generate most of this traffic.
• Rig EK continues to use .news as a top level domain (TLD).  That's always pun-worthy.

Shown above:  I will never get tired of ".news" puns.

 

TRAFFIC

 

ASSOCIATED DOMAINS:

• activaclinics[.]com - Compromised site used for EITest campaign (1st run)
• grillo-designs[.]com - Compromised site used for EITest campaign (2nd run)
• joellipman[.]com - Compromised site used for pseudoDarkleech campaign (1st run)
• www.gardencityhall[.]com - Compromised site used for pseudoDarkleech campaign (2nd run)
• alleghenyhomehealth[.]com - Compromised site used for pseudoDarkleech campaign (3rd run)

• 109.234.38[.]150 port 80 - this.lung[.]news Rig-V (EITest 1st run and psuedoDarkleech 1st run)
• 109.234.38[.]150 port 80 - new.merlot[.]news Rig-V (EITest 2nd run)
• 109.234.38[.]150 port 80 - sun.myeloma[.]news Rig-V (pseudoDarkleech 2nd and 3rd runs)

• 37.59.39[.]53 port 80 - 37.59.39[.]53 - CryptoMix (CryptFile2) ransomware callback traffic

• 58.43.12[.]0 to 58.43.12[.]31 (58.43.12[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.1.48[.]0 to 91.1.48[.]31 (91.1.48[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 84.200.32[.]186 port 80 - p27dokhpz2n7nvgr.1ja4no[.]top - Cerber ransomwarepost-infection HTTP traffic
• 185.86.149[.]82 port 80 - p27dokhpz2n7nvgr.1kdfj8[.]top - Cerber ransomwarepost-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 HASH:  16c22d0e03433b80c00cebe4b2b37198eec7f005fd7fba3d4b2f9b822a47dc93   (16,946 bytes)
  
• File description:  Rig-V Flash exploit seen on 2017-01-11

PAYLOADS:

• SHA256 HASH:  e7a98896fa15d359c7fbd9254711f34210fe01286c4c2775086814ff0a4f2dfb   (99,328 bytes)
  
• File description:  EITest Rig-V payload - CryptoMix/CryptFile2 ransomware, .lesli variant (1st run)

• SHA256 HASH:  72bf7a5160606c1ae566fe45e96262f34af0b8204f8bdb79fede2b183c4c9e9f   (99,328 bytes)
  
• File description:  EITest Rig-V payload - CryptoMix/CryptFile2 ransomware, .lesli variant (2nd run)

• SHA256 HASH:  1d92a6c2b5c847353042dc2e57721fa7623b60b432d146e08b1f305ec320eb96   (325,350 bytes)
  
• File description:  pseudoDarkleech Rig-V payload - Cerber ransomware (1st run)

• SHA256 HASH:  2e785f9b988b5f670706b29a2c7f3f081c9d0e0c2924fbf25fcd51fa8a75f10b   (310,858 bytes)
  
• File description:  pseudoDarkleech Rig-V payload - Cerber ransomware (2nd run)

• SHA256 HASH:  9a9f4e6c5e139d8362c57081f90cc4de5c7ba26392313ffc785f5fac4b9cb8f1   (300,772 bytes)
  
• File description:  pseudoDarkleech Rig-V payload - Cerber ransomware (3rd run)

 

Click here to return to the main page.