EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs:

184.106.55.122 – deadendbbq[.]com – Compromised Website
194.165.16.204 – nohydyc[.]top – EITest Gate
195.133.201.44 – rty.exploredowntownwestpalmbeach[.]com – Rig Exploit Kit
5.39.86.86 – GET /default.jpg – Post-infection traffic
5.39.86.86 – POST /z/setting.php – Post-infection traffic

Hashes:
SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34
File name: EITest SWF Redirect.swf

SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9
File name: EITest Gate.html

SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a
File name: RigEK Landing Page.html

SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6
File name: RigEK SWF Exploit.swf

SHA256: 496a18a47299fe2fb1a46d93d1f2182369d064e9384059dec652d95021c93af0
File name: ChromeFlashPlayer_92a53f98836d2e1.exe and A09A.tmp

Landing Page Code:
http://pastebin.com/1CktSU1f

The infection chain starts with the user visiting the compromised site, deadendbbq[.]com. Below is the source of the compromised page, showing the injected EITest script:

The injected EITest script issues a GET request for a Flash (SWF) file:

That Flash file redirects the browser to the EITest gate at nohydyc[.]top. Below is the HTML returned by the gate:

The gate's HTML contains a script holding the URL of the Rig EK landing page on rty.exploredowntownwestpalmbeach[.]com. Below are the GET request and the response for the Rig EK landing page:

The response headers show that the landing page is served compressed. Below is a response I was able to capture:

The landing page script carries its content as base64-encoded chunks. Decoding the first chunk gives this:

The second decoded chunk was too long to fit in one screenshot, so it is split across as few screenshots as possible.
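The two steps described above (undoing the Content-Encoding on the landing page response, then pulling out and decoding the base64 chunks embedded in its script) are mechanical enough to script. The block below is an added example, not code from the original post or from the Rig EK kit: it splits a raw HTTP/1.x response, decompresses gzip or deflate bodies, and base64-decodes every quoted literal long enough to be a payload chunk. The sample response it runs against is constructed inline from two known chunks, so the content and names (FIRST_CHUNK, SECOND_CHUNK) are placeholders, not the chunks captured in the post.

```python
import base64
import binascii
import gzip
import re
import zlib

# Quoted base64 literal of at least 32 characters; shorter matches are mostly noise.
B64_LITERAL = re.compile(rb"""["']([A-Za-z0-9+/]{32,}={0,2})["']""")


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return headers, body


def decompress_body(headers, body):
    """Undo Content-Encoding so the landing page HTML can be inspected."""
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                   # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate, as some servers send
    return body


def extract_base64_chunks(html):
    """Return the decoded bytes of every quoted base64 literal in the page, in order."""
    chunks = []
    for match in B64_LITERAL.finditer(html):
        try:
            chunks.append(base64.b64decode(match.group(1), validate=True))
        except binascii.Error:
            continue                                       # looked like base64 but was not
    return chunks


def decode_landing_page(raw):
    """Full pipeline: raw response -> decompressed HTML and its decoded base64 chunks."""
    headers, body = split_http_response(raw)
    html = decompress_body(headers, body)
    return html, extract_base64_chunks(html)


# Constructed sample standing in for the captured response: two base64 chunks inside
# eval(atob(...)) calls, gzip-compressed, with the headers a compressed response carries.
# These chunks are placeholders, not the data captured in the post.
FIRST_CHUNK = b"<script>var o = document.createElement('object');</script>"
SECOND_CHUNK = b"<div id='stage'>" + b"A" * 48 + b"</div>"


def build_sample_response():
    script = (b"<html><body><script>eval(atob('%s'));eval(atob('%s'));</script></body></html>"
              % (base64.b64encode(FIRST_CHUNK), base64.b64encode(SECOND_CHUNK)))
    body = gzip.compress(script)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body


if __name__ == "__main__":
    html, chunks = decode_landing_page(build_sample_response())
    for i, chunk in enumerate(chunks, 1):
        print("chunk %d (%d bytes): %r" % (i, len(chunk), chunk[:60]))
```

To use it on a real capture, feed `decode_landing_page` the raw bytes of the response as exported from the pcap (follow the TCP stream and save the server side). The 32-character floor on the literal length is a heuristic: it keeps short identifiers and class names out of the output while still catching anything large enough to carry a script or an object tag.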

Once the victim reaches the landing page, the EK server fingerprints the system and sends a Flash exploit:

This Flash exploit is followed by the CryptFile2 ransomware payload:

Once the server returns the payload, the file “409A.tmp” (126 KB) appears in the user’s AppData\Local\Temp folder, and the file “ChromeFlashPlayer_92a53f98836d2e1” appears in the user’s AppData\Roaming folder:

Below are the Run and RunOnce registry entries created for persistence:
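A responder checking other hosts for the same persistence would pull the HKCU Run and RunOnce keys and look for entries that launch something out of a user-writable drop location. The block below is an added example, not code from the original post: it parses the text that `reg query` prints for those keys and flags values whose executable sits under AppData\Roaming, AppData\Local\Temp or Users\Public, or is a .tmp file. The `reg query` output it parses is constructed; the value names (OneDrive, ChromeFlashPlayer, Flash) are assumptions for the demonstration, since the post does not give the names of the values it shows.

```python
import re

# Autorun keys the post shows being populated after the CryptFile2 payload runs.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# User-writable drop locations; an autorun pointing into one of these deserves a second look.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# One value line of `reg query` output: <indent><name><ws><REG_type><ws><data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(output):
    """Parse `reg query <key>` text into a list of (key, value name, type, data)."""
    entries, current_key = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # an unindented line names the key
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            entries.append((current_key, match["name"], match["type"], match["data"].strip()))
    return entries


def executable_path(data):
    """Extract the program from a Run value: the quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def flag_autoruns(entries):
    """Return (key leaf, value name, executable, reasons) for entries worth investigating."""
    flagged = []
    for key, name, _type, data in entries:
        exe = executable_path(data).lower()
        reasons = [d.strip("\\") for d in SUSPICIOUS_DIRS if d in exe]
        if exe.endswith(".tmp"):
            reasons.append("tmp file used as executable")
        if reasons:
            flagged.append((key.rsplit("\\", 1)[-1], name, exe, reasons))
    return flagged


def query_live_keys():
    """On a Windows host, run `reg query` for each autorun key and parse the result."""
    import subprocess
    text = ""
    for key in RUN_KEYS:
        result = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        text += result.stdout + "\n"
    return parse_reg_query(text)


# Constructed `reg query` output for the demonstration; the value names are assumed,
# the paths follow the drop locations the post reports.
SAMPLE_REG_QUERY = "\n".join([
    "",
    RUN_KEYS[0],
    r'    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"    ChromeFlashPlayer    REG_SZ    C:\Users\victim\AppData\Roaming\ChromeFlashPlayer_92a53f98836d2e1.exe",
    "",
    RUN_KEYS[1],
    r"    Flash    REG_SZ    C:\Users\victim\AppData\Local\Temp\409A.tmp",
    "",
])


if __name__ == "__main__":
    for key, name, exe, reasons in flag_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print("%s\\%s -> %s  [%s]" % (key, name, exe, ", ".join(reasons)))
```

On a live host, `flag_autoruns(query_live_keys())` does the same against the real keys. The path heuristic is deliberately narrow: a legitimate entry under AppData\Local (the OneDrive line in the sample) passes, while anything launched from Roaming, Temp or a .tmp file is surfaced for a look at the binary's hash against the IOCs above.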

Now for the post-infection traffic: a GET request for /default.jpg and POST requests to /z/setting.php, both to 5.39.86.86:

Last but not least, the ransom notes are dropped in both HTML and .TXT format, on the Desktop and in every folder containing encrypted files. The ransom notes are named HELP_DECRYPT_YOUR_FILES.

The encrypted files also have the victim's personal ID and a contact email address appended to their names. The format is as follows: .id_YOUR ID_email_enc2@dr.com_.scl

Below are some pictures of the ransom notes and the encrypted files:
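The naming scheme above is enough to triage a file listing from an affected host: which folders were touched, whether each got a note, and which victim ID and contact address the attacker stamped on the files. The block below is an added example, not code from the original post: it parses the `.id_<ID>_email_<address>_.scl` suffix, recognises the HELP_DECRYPT_YOUR_FILES notes, and summarises a listing per directory. The listing it runs on is constructed, and the ID A1B2C3D4 is a placeholder rather than one observed in the infection.

```python
import re
from collections import defaultdict

# Naming scheme the post reports for files CryptFile2 has encrypted:
#   <original name>.id_<victim ID>_email_<contact address>_.scl
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.id_(?P<victim_id>.+?)_email_(?P<email>[^_]+)_\.scl$")

# Ransom notes are dropped as HELP_DECRYPT_YOUR_FILES in .html and .txt form.
RANSOM_NOTE = re.compile(r"^HELP_DECRYPT_YOUR_FILES\.(html|txt)$", re.IGNORECASE)


def parse_encrypted_name(name):
    """Return {'orig', 'victim_id', 'email'} for an encrypted file name, else None."""
    match = ENCRYPTED_NAME.match(name)
    return match.groupdict() if match else None


def triage_listing(paths):
    """Group a file listing by directory: encrypted-file count and whether a note is present.

    Also collects every victim ID and contact address seen, so more than one ID on the
    same host (a second infection, or a different family) stands out immediately.
    """
    per_dir = defaultdict(lambda: {"encrypted": 0, "note": False})
    victim_ids, emails = set(), set()
    for path in paths:
        directory, _, name = path.replace("\\", "/").rpartition("/")
        info = parse_encrypted_name(name)
        if info:
            per_dir[directory]["encrypted"] += 1
            victim_ids.add(info["victim_id"])
            emails.add(info["email"])
        elif RANSOM_NOTE.match(name):
            per_dir[directory]["note"] = True
    return dict(per_dir), victim_ids, emails


# Constructed listing for the demonstration; A1B2C3D4 is a placeholder ID.
SAMPLE_LISTING = [
    r"C:\Users\victim\Desktop\HELP_DECRYPT_YOUR_FILES.html",
    r"C:\Users\victim\Desktop\HELP_DECRYPT_YOUR_FILES.txt",
    r"C:\Users\victim\Documents\budget.xlsx.id_A1B2C3D4_email_enc2@dr.com_.scl",
    r"C:\Users\victim\Documents\notes.txt.id_A1B2C3D4_email_enc2@dr.com_.scl",
    r"C:\Users\victim\Documents\HELP_DECRYPT_YOUR_FILES.txt",
    r"C:\Users\victim\Pictures\family.jpg.id_A1B2C3D4_email_enc2@dr.com_.scl",
    r"C:\Windows\System32\kernel32.dll",
]


if __name__ == "__main__":
    per_dir, ids, emails = triage_listing(SAMPLE_LISTING)
    print("victim IDs:", sorted(ids), "contact addresses:", sorted(emails))
    for directory, summary in sorted(per_dir.items()):
        print("%-40s encrypted=%d note=%s" % (directory, summary["encrypted"], summary["note"]))
```

A directory that shows encrypted files but no note, or a note but no encrypted files, is worth revisiting: the post reports both appearing together, so a mismatch usually means the listing is incomplete or the files were moved after encryption. The `orig` group gives the pre-encryption name back, which is what a restore-from-backup script needs.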

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
