Month: September 2016

pseudoDarkleech Leads to Rig EK at 164.132.88.58 And Drops CryptMIC

IOCs:
50.22.5.55 – gendisasters.com – Compromised Website
164.132.88.58 – consulavissem-descorderar.navyamateurradioclub.org – Rig EK
162.244.35.19 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)
Traffic:
Hashes:
SHA256: eff15c0ede4f784532fd933843a2bf4dda86c92dbed785b979af50b7c808e34e – File name: RigEK Landing Page.html
SHA256: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008 – File name: RigEK Flash Exploit.swf
SHA256: d9553d2651fd05d98dbb551ed32f5875b73010b0387a487e3410ca75486c5d79 – File name: radF7DD3.tmp.exe
Infection Chain: The user would browse to the compromised website. ...

pseudoDarkleech Leads to Rig EK at 164.132.88.59 Which Drops CryptMIC Ransomware

IOCs:
50.87.151.118 – fourcornersbc.com – Compromised Site
164.132.88.59 – betonmaustanfordin.freshstyleapparel.com – Rig EK
162.244.35.19 – CryptMIC post-infection traffic via TCP port 443
Traffic:
Hashes:
SHA256: 38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f – File name: RigEK Landing Page.html
SHA256: dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5 – File name: RigEK Flash Exploit.swf
SHA256: b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da – File name: rad57379.tmp.exe
Infection Chain: The infection chain started with me browsing to the compromised ...

pseudoDarkleech Leads to Rig EK at 137.74.61.215 and Drops CryptMIC

IOCs:
206.188.193.161 – gallolocomexican.com – Compromised Website
137.74.61.215 – barkatullavbwait.ernestboaten.com – Rig EK
162.244.35.19 – CryptMIC C2 via TCP port 443 – Traffic sent in the clear
Traffic:
Hashes:
SHA256: 1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656 – File name: RigEK Landing Page.html
SHA256: 25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe – File name: RigEK Flash Exploit.swf
SHA256: 293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511 – File name: IIj6sFosp
SHA256: 1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b – File name: rad84159.tmp.exe
Infection Chain: ...

EITest Gate at 31.184.192.173 Leads to Rig EK at 185.141.25.28 and Drops… ?

IOCs:
66.84.14.125 – orfab.com – Compromised Site
31.184.192.173 – piperandscoot.top – EITest Gate
185.141.25.28 – jxlyv.xajee73.top – Rig EK
185.146.171.131/bt/logout.php – post infection callback traffic
Hashes:
SHA256: cc21bee629f99e6a5e5b433f593670b2dea4075b6252fb04fd1bfbb40fbf8e80 – File name: EITest Flash Redirect.swf
SHA256: bf9cda2afc425019312f8c4bc5856ad8378ea980dcd3e195e615224c6777eb5c – File name: EITest Gate.html
SHA256: c73c63f4b5ebd3ebe7c4de16a99519c876a93c50b12b1a3406c28c2929752d68 – File name: RigEK Landing Page.html
SHA256: 970491ca792332f3479200c94dddfe7d77112beb0b879d5becb279010860b487 – File name: RigEK Flash Exploit.swf
Traffic: As ...

pseudoDarkleech Leads to Rig EK at 5.196.126.82 Which Delivers CryptMIC

IOCs:
162.144.62.185 – tygerauto.com – Compromised Website
5.196.126.167 – aufrufenderasamblea.cyclemanagementassociates.info – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)
Traffic:
Hashes:
SHA256: b7911fe9343c681b9ed5cc34f9489d4b82d8dc2aaf1136c05ba44d9546707687 – File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f – File name: RigEK Flash Exploit.swf
SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d – File name: rad68A3A.tmp.exe
Infection Chain: Below is an image grab from the compromised ...

Rig EK at 91.121.208.103 Drops CryptMIC

IOCs:
65.254.227.224 – zurnyachts[.]com – Compromised Site
91.121.208.103 – butterteigenpassionisten.loganslittleangels.org – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443
Traffic:
Video of Infection: Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉
Hashes:
SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4 – File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f – File ...

Malvertising in Action

ShadowGate IOCs:
IP = 212.116.121.239
IP = 5.200.55.173
Watch a host be compromised in real time! The original article is from Nick Biasini over at Talos. Click on this link to read more about this particular gate, malvertising, and how ShadowGate was eventually taken down!

Rig EK at 149.202.239.50 Drops CryptMIC Ransomware

IOCs:
192.185.112.45 – 101beautytricks.com – Compromised Site
149.202.239.50 – dissect.theawesomestmusic.com – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
Traffic:
Hashes:
SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230 – File name: RigEK Landing Page.html
SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff – File name: RigEK Flash Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc – File name: rad8035D.tmp.exe
Infection Chain: ...

Rig EK at 149.202.239.54 Drops CryptMIC Ransomware

IOCs:
69.195.124.229 – friedchickenfestival.com – Compromised Site
149.202.239.54 – alveraverticaltotal.jacobeachquadplex.info – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
Traffic:
Hashes:
SHA256: 02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853 – File name: RigEK Landing Page.html
SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d – File name: RigEK Flash Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
SHA256: ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd – File name: radDA159.tmp.exe
Infection Chain: ...

Rig EK at 74.208.147.73 Drops CryptMIC Ransomware

IOCs:
181.224.139.64 – stjoeschool.org – Compromised Site
74.208.147.73 – vaippaandedicators.reducemycard.com – Rig EK
91.121.74.154 – CryptMIC C2 communications via TCP port 443 (in clear text)
Traffic:
Hashes:
SHA256: 0e78c0dc543ae85b59d60d6a0de3986cb4cab1640cb0809a3e9ce10657a71851 – File name: RigEK Landing Page.html
SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d – File name: RigEK SWF Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331 – File name: IIj6sFosp
SHA256: 0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736 – File name: radDC17B.tmp.exe
Infection Chain: The infection ...