malware | Hacking Book | Free Online Hacking Learning

2017-01-11 - RIG-V FROM 109.234.38.150 ASSOCIATED FILES: ZIP archive of the pcaps: 2017-01-11-Rig-V-traffic-all-pcaps.zip 1.7 MB (1,695,990 bytes) 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-1st-run.pcap (265,815 bytes) 2017-01-11-EITest-Rig-V-sends-CryptoMix-ransomware-2nd-run.pcap (318,367 bytes) 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-1st-run.pcap (513,487 bytes) 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-2nd-run.pcap (415,050 bytes) 2017-01-11-pseudoDarkleech-Rig-V-sends-Cerber-ransomware-3rd-run.pcap (689,751 bytes) ZIP archive of the malware: 2017-01-11-Rig-V-malware-and-artifacts.zip 1.3 MB (1,263,494 bytes) 2017-01-11-Cerber_HELP_DECRYPT_P0M4FLVC_.hta (67,682 bytes) 2017-01-11-Cerber_HELP_DECRYPT_P0M4FLVC_.jpg (237,109 bytes) 2017-01-11-CryptoMix-decryption-instructions.txt (1,480 bytes) 2017-01-11-EITest-Rig-V-1st-run-payload-CryptoMix-rad9F7AB.tmp.exe (99,328 bytes) 2017-01-11-EITest-Rig-V-2nd-run-payload-CryptoMix-radEC302.tmp.exe (98,816 bytes) 2017-01-11-Rig-V-artifact-QTTYUADAF.txt (1,137 bytes) 2017-01-11-Rig-V-flash-exploit.swf (16,946 bytes) 2017-01-11-Rig-V-landing-page-pseudoDarkleech-1st-run.txt (5,184 bytes) 2017-01-11-Rig-V-landing-page-pseudoDarkleech-2nd-run.txt (5,187 bytes) 2017-01-11-Rig-V-run-landing-page-EITest-1st-run.txt (5,187 bytes) 2017-01-11-Rig-V-run-landing-page-EITest-2nd-run.txt (5,189 bytes) 2017-01-11-Rig-V-run-landing-page-EITest-3rd-run.txt (5,192 bytes) 2017-01-11-page-from-activaclinics.com-with-injected-EITest-script.txt (59,303 bytes) 2017-01-11-page-from-alleghenyhomehealth.com-with-injected-pseudoDarkleech-script.txt (23,818 bytes) 2017-01-11-page-from-gardencityhall.com-with-injected-pseudoDarkleech-script.txt (27,801 bytes) 2017-01-11-page-from-grillo-designs.com-with-injected-EITest-script.txt (97,506 bytes) 2017-01-11-page-from-joellipman.com-with-injected-pseudoDarkleech-script.txt (66,791 bytes) 2017-01-11-pseudoDarkleech-Rig-V-1st-run-payload-Cerber-radE9100.tmp.exe (325,350 bytes) 2017-01-11-pseudoDarkleech-Rig-V-2nd-run-payload-Cerber-rad21C56.tmp.exe (310,858 bytes) 2017-01-11-pseudoDarkleech-Rig-V-3rd-run-payload-Cerber-rad8077D.tmp.exe (300,772 bytes) BACKGROUND ON RIG EXPLOIT KIT: I usually run across 2 versions of Rig EK: Rig-V (Rig 4.0) and Rig-E (Empire Pack). Rig-V is what security researchers called Rig EK version 4 when it was only accessible by "VIP" customers, while the old version (Rig 3) was still in use (reference). I currently call it "Rig-V" out of habit. The proper name for Rig-E is "Empire Pack". Empire Pack a variant of Rig EK as described by Kafeine here. I haven't seen Empire Pack traffic in 2017 yet, but I often see it from the EITest campaign (when EITest is distributing something other than CryptoMix/CryptFile2 or Cerber). OTHER NOTES: My thanks to everyone who continues to inform me about compromised websites. Without your help, I wouldn't be able to generate most of this traffic. Rig EK continues to use .news as a top level domain (TLD). That's always pun-worthy. TRAFFIC ASSOCIATED DOMAINS: activaclinics.com - Compromised site used for EITest campaign (1st run) grillo-designs.com - Compromised site used for EITest campaign (2nd run) joellipman.com - Compromised site used for pseudoDarkleech campaign (1st run) www.gardencityhall.com - Compromised site used for pseudoDarkleech campaign (2nd run) alleghenyhomehealth.com - Compromised site used for pseudoDarkleech campaign (3rd run) 109.234.38.150 port 80 - this.lung.news Rig-V (EITest 1st run and psuedoDarkleech 1st run) 109.234.38.150 port 80 - new.merlot.news Rig-V (EITest 2nd run) 109.234.38.150 port 80 - sun.myeloma.news Rig-V (pseudoDarkleech 2nd and 3rd runs) 37.59.39.53 port 80 - 37.59.39.53 - CryptoMix (CryptFile2) callback traffic 58.43.12.0 to 58.43.12.31 (58.43.12.0/27) UDP port 6892 - Cerber post-infection UDP traffic 91.1.48.0 to 91.1.48.31 (91.1.48/27) UDP port 6892 - Cerber post-infection UDP traffic 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic 84.200.32.186 port 80 - p27dokhpz2n7nvgr.1ja4no.top - Cerber post-infection HTTP traffic 185.86.149.82 port 80 - p27dokhpz2n7nvgr.1kdfj8.top - Cerber post-infection HTTP traffic FILE HASHES FLASH EXPLOIT: SHA256 HASH: 16c22d0e03433b80c00cebe4b2b37198eec7f005fd7fba3d4b2f9b822a47dc93 (16,946 bytes) File description: Rig-V Flash exploit seen on 2017-01-11 PAYLOADS: SHA256 HASH: e7a98896fa15d359c7fbd9254711f34210fe01286c4c2775086814ff0a4f2dfb (99,328 bytes) File description: EITest Rig-V payload - CryptoMix/CryptFile2 ransomware, .lesli variant (1st run) SHA256 HASH: 72bf7a5160606c1ae566fe45e96262f34af0b8204f8bdb79fede2b183c4c9e9f (99,328 bytes) File description: EITest Rig-V payload - CryptoMix/CryptFile2 ransomware, .lesli variant (2nd run)

SHA256 HASH: 1d92a6c2b5c847353042dc2e57721fa7623b60b432d146e08b1f305ec320eb96 (325,350 bytes) File description: pseudoDarkleech Rig-V payload - Cerber ransomware (1st run) SHA256 HASH: 2e785f9b988b5f670706b29a2c7f3f081c9d0e0c2924fbf25fcd51fa8a75f10b (310,858 bytes) File description: pseudoDarkleech Rig-V payload - Cerber ransomware (2nd run) SHA256 HASH: 9a9f4e6c5e139d8362c57081f90cc4de5c7ba26392313ffc785f5fac4b9cb8f1 (300,772 bytes) File description: pseudoDarkleech Rig-V payload - Cerber ransomware (3rd run) FINAL NOTES Once again, here are the associated files: ZIP archive of the pcaps: 2017-01-11-Rig-V-traffic-all-pcaps.zip 1.7 MB (1,695,990 bytes) ZIP archive of the malware: 2017-01-11-Rig-V-malware-and-artifacts.zip 1.3 MB (1,263,494 bytes) ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website. Click here to return to the main page.