E

EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs: 198.15.70.67 – azarsenalsc[.]org – Compromised Site 31.184.193.179 – aliancaadm.top – EITest Gate 185.117.73.220 – zio11q.oa3ri8.top – Rig EK 103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot 103.234.37.4 – GET /rd927.exe – Post infection download 66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php 104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php 107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php Reference for ...

Z

ZIP File Containing HTA File Leads to Locky Ransomware

IOCs: 121.200.60.26 – onushilon.org/56f2gsu782desf – GET request for payload Hashes: SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7 File name: 20160920034329138280504.zip SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66 File name: QL5LY62838.hta SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d File name: iIrfSCB1 SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e File name: iIrfSCB1.dll Infection Chain: The user received an email from with no subject and no content. The only thing contained in the email was an attached .zip ...

R

Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

R

Rig EK at 74.208.99.252 Drops CryptMIC Ransomware

Rig EK Drops CryptMIC Ransomware

E

EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs: 31.184.192.188 – kinepolis.top – EITest Gate 185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit 108.61.99.79 – GET Requests via direct IP with the following URI pattern – “/module/[32 alphanumeric characters]” Post Infection DNS Queries: 95.46.98.89 – ctwruhwdk.com 95.46.98.89 – apgtsdeh.com 81.177.13.242 – lkfiravihg.com Hashes: SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 File name: EITest Flash File.swf SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 File name: ...

&

“Delivery Confirmation” Leads to Locky Ransomware

IOC: 49.212.150.106 – mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl Hashes: SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29 File name: UCCNTXS1519.js SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a File name: giHhrMNI1.dll ¬† SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0 File name: giHhrMNI1 The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email is shown below: Notice how the email contains a ...

p

pseudoDarkleech Leads to Neutrino EK at 188.165.197.194 and Drops CryptMIC Ransomware

IOCs: 184.106.55.84 – busbycabinets.com – Compromised Site 188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK 46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note Hashes: SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7 File name: Neutrino EK Landing Page.html SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a File name: Neutrino EK Flash Exploit.swf SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d File name: rad432F6.tmp.dll Traffic: The Infection Chain: The infection chain starts off with the ...