Malware-Traffic-Analysis.net - 2017-01-13 - EITest Rig-V from 92.53.120[.]233 sends CryptoMix ransomware

2017-01-13 - EITEST RIG-V FROM 92.53.120[.]233 SENDS CRYPTOMIX RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-13-EITest-Rig-V-sends-CryptoMix-ransomware.pcap.zip 203 kB (202,655 bytes)

2017-01-13-EITest-Rig-V-sends-CryptoMix-ransomware.pcap (239,575 bytes)

2017-01-13-EITest-Rig-V-artifacts-and-CryptoMix-ransomware.zip 99.6 kB (99,594 bytes)

2017-01-13-CryptoMix-ransomware-decryption-instructions.txt (1,480 bytes)

2017-01-13-EITest-Rig-V-flash-exploit.swf (18,074 bytes)

2017-01-13-EITest-Rig-V-landing-page.txt (5,183 bytes)

2017-01-13-EITest-Rig-V-payload-CryptoMix-ransomware-radBE8B9.tmp.exe (97,792 bytes)

2017-01-13-page-from-activaclinics_com-with-injected-EITest-script.txt (58,231 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I usually run across 2 versions of Rig EK: Rig-V (Rig 4.0) and Rig-E (Empire Pack).
Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
I currently call it "Rig-V" out of habit.
The proper name for Rig-E is "Empire Pack". Empire Pack a variant of Rig EK as described by Kafeine here.
I haven't seen Empire Pack traffic in 2017 yet, but I often see it from the EITest campaign (when EITest is distributing something other than CryptoMix/CryptFile2 or Cerber).

BACKGROUND ON THE EITEST CAMPAIGN:

My most recent write-up on the EITest campaign can be found here.

BACKGROUND ON CRYPTOMIX RANSOMWARE:

The ransomware I used to call CryptFile2 is actually CryptoMix ransomware. Details can be found here.
The EITest campaign currently uses Rig-V to send this CryptoMix (CryptFile2) ransomware.
Some people might be tempted to call this "Lesli ransomware" based on LESLI SPYING ON YOU in the ransom note and the .lesli file extension it uses for encrypted files.
Don't be fooled. This is actually CryptoMix/CryptFile2 ransomware.
I first saw the .lesli file extension used by CryptoMix ransomware last year on 2016-11-28.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the EITest campaign from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

activaclinics.com - Compromised site
92.53.120[.]233 port 80 - acc.tps15[.]com - Rig-V
91.121.244[.]84 port 80 - 91.121.244[.]84 - CryptoMix ransomware post-infection traffic

supl@post[.]com - first email from CryptoMix ransomware decryption instructions
supl@oath[.]com - second email from CryptoMix ransomware decryption instructions

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 (18,074 bytes)
File description: Rig-V Flash exploit seen on 2017-01-13

PAYLOAD (CRYPTOMIX/CRYPTFILE2 RANSOMWARE):

SHA256 hash: a7b08131a99195284ae916033f5ae3cc6b7df70cd83540d8eaf34064b65c981a (97,792 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\radBE8B9.tmp.exe

IMAGES

Shown above: Desktop of the infected Windows host.

Click here to return to the main page.