Malware-Traffic-Analysis.net - 2017-01-19 - EITest Rig-V from 92.53.119[.]137 sends Cerber ransomware

2017-01-19 - EITEST RIG-V FROM 92.53.119[.]137 SENDS CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-19-EITest-Rig-V-sends-Cerber-ransomware.pcap.zip 1.1 MB (1,120,836 bytes)

2017-01-19-EITest-Rig-V-sends-Cerber-ransomware.pcap (1,244,877 bytes)

2017-01-19-EITest-Rig-V-artifacts-and-Cerber-ransomware.zip 658.0 kB (658,030 bytes)

2017-01-19-Cerber-ransomware_HELP_HELP_HELP_GTJK.hta (75,787 bytes)

2017-01-19-Cerber-ransomware_HELP_HELP_HELP_GTJK.jpg (239,008 bytes)

2017-01-19-EITest-Rig-V-artifact-QTTYUADAF.txt (1,137 bytes)

2017-01-19-EITest-Rig-V-flash-exploit.swf (38,321 bytes)

2017-01-19-EITest-Rig-V-landing-page.txt (5,187 bytes)

2017-01-19-EITest-Rig-V-payload-Cerber-ransomware-radF2A80.tmp.exe (516,467 bytes)

2017-01-19-page-from-activaclinics_com-with-injected-EITest-script.txt (59,324 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use.
I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now.
Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older-style URLs as described by Kafeine here.
I haven't seen anything other than Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017.

BACKGROUND ON THE EITEST CAMPAIGN:

My most recent write-up on the EITest campaign can be found here.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the EITest campaign from the compromised site.

Shown above: Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED TRAFFIC:

activaclinics[.]com - Compromised site
92.53.119[.]137 port 80 - 4rl.sensorigames[.]com - Rig-V

90.2.1[.]0 to 90.2.1[.]31 (90.2.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
90.3.1[.]0 to 90.3.1[.]31 (90.3.1[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
162.220.244[.]29 port 80 - p27dokhpz2n7nvgr.1kja1j[.]top - HTTP post-infection traffic caused by Cerber ransomware

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 48b4ead5c286c616d7cb11900ef01b41893aae710c255ffd4b12933d7d5cbcbc (38,321 bytes)
File description: Rig-V Flash exploit seen on 2017-01-19

PAYLOAD (CERBER RANSOMWARE):

SHA256 hash: 872d8c03172435bda8f5a4beae2453220bff64fb83e97a3662ab570dab50e94e (516,467 bytes)
File path example: C:\Users\[username]\AppData\Local\Temp\radF2A80.tmp.exe

IMAGES

Shown above: Desktop of the infected Windows host.

Click here to return to the main page.