Tag: EITest

EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.

IOCs: 104.28.18.48 – amaz0ns.com – Compromised website 188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK 188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run) 5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin Traffic: Hashes: SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b File name: Landing Page.html SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554 File name: RIG EK v4.0 Flash Exploit.swf SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69 File name: o32.tmp SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52 File ...

EITest Leads to RIG-v EK at 217.107.34.241 and Drops Dreambot.

IOCs: 192.99.46.21 – littleinspiration.com – Compromised website 217.107.34.241 – zone.klynnholding.com – RIG EK 5.196.159.175 – GET /images/[removed]/.avi – CnC traffic 5.196.159.175 – GET /tor/t64.dll – Tor module download 37.48.122.26 – curlmyip.net – External IP lookup Post-infection Tor traffic via TCP port 443 and 9001 SSH connections to 91.239.232.81, which also host one or more Tor relays according to https://exonerator.torproject.org Additional DNS ...

EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.

IOCs: 104.28.31.109 – lepatek.com – Compromised website 92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK 109.236.87.84 – 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin. Traffic: Hashes: SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8 File name: RIG-v EK Flash Exploit.swf SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea File name: QTTYUADAF SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e File name: rad26801.tmp.exe Hybrid-Analysis Report Infection Chain: Loading the website in my browser and ...

EITest Leads to RIG-v EK at 185.159.130.122. Ursnif Variant Dreambot.

IOCs: 92.243.23.204 – www[.]caltech[.]fr – Compromised website 185.159.130.122 – more.THEBESTDALLASFLORISTS.COM – RIG-v EK 5.196.159.175 – GET /images/[removed]/KTDEi/.avi – CnC traffic 46.4.99.46 – GET /tor/t64.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – External IP lookup Post-Infection DNS Queries: resolver1.opendns.com – ET POLICY OpenDNS IP Lookup curlmyip.net 222.222.67.208.in-addr.arpa myip.opendns.com nod32s.com Traffic: Hashes: SHA256: 37f7e78080f85e6f98136e927a69a72ea7d619f230b476b5d6826ebc1eee29a0 ...

EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware

IOCs: 212.166.71.52 – blog.masmovil.es – Compromised website 194.87.145.225 – sound.formpools.co – RIG-v EK 45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback Traffic: Hashes: SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449 File name: EITest RIG-v EK Flash Exploit.swf SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650 File name: QTTYUADAF SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb File name: rad871F7.tmp.exe and SmartScreen.exe Hybrid-Analysis Report Infection Chain: I want to give a shout-out to @FreeBSDfan for ...

EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber

IOCs: 93.190.143.82 – cfx.hvb.mobi – Sundown EK 93.190.143.82 – hxrheg.fve.mobi – Sundown EK Cerber check-in traffic via UDP port 6892: 90.2.1.0/27 90.3.1.0/27 91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255) 162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page HTTP Method and URIs: GET ...

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs: 68.178.254.116 – westwoodenabler.com – Compromised website 92.53.120.233 – top.tbn1.us – RIG-v EK 91.121.244.84 – CryptoMix callback traffic Traffic: Hashes: SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 File name:RIG-v Flash Exploit.swf SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 File name: QTTYUADAF SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe” Hybrid-Analysis Report Infection Chain: The infection chain started off with me browsing to the compromised ...

T

The University of South Florida: Subdomain Injected with EITest Script That Points to Both Rig-V and Rig-E EK. Dropped CryptoMix (CryptFile2) Ransomware.

IOCs: 131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu 217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK 93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK 5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe 5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver Traffic: Hashes: SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f File name: RigV UA check page.html SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad File name: RigV Landing Page.html SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6 File name: ...

E

EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs: 46.252.207.1 – amberhsu.com – Compromised site 185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET) 185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2 185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3 222.206.156.2, 208.73.206.179, 23.108.245.93 – post infection DNS queries shown below. Domains resolving to the above IPs include: nitrrotetris.com monsterkillyep444.net blintyris.net lamerpamer.org ...

E

EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs: 216.17.111.107 – theconservativeclub.us – Compromised website 176.223.111.152 – bj4lr.xl2sz08.top – Rig EK 222.206.156.2 and 208.73.206.179 – post infection DNS queries (shown below) and contacted both IPs via TCP port 80. Domains resolving to the above IPs include: nitrrotetris.com monsterkillyep444.net blintyris.net lamerpamer.org monertee39.com Traffic: Hashes: SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3 File name: RigEK Landing Page.html SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd File ...