Tag: Ransomware

SAGE 2.2 Ransomware from Good Man Gate

IOCs: 86.106.93.230 – datsonsdaughter.com – Good Man gate 109.234.37.212 – see.letsown.com – RIG EK 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key] Traffic: Hashes: SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf SHA256: ...

RIG EK at 92.53.105.43 Drops ASN1 Ransomware

IOCs: 80.77.82.40 – wrapsing.gdn – GET /rotation/exoclick – Fake ad server points to RIG EK 92.53.105.43 – far.temperedgraces.com – RIG EK dxostywsduvmn6ra.onion – Payment domain Uses HKLM\Software\Microsoft\Windows\CurrentVersion\Run for persistence Ransom notes = !!!!!readme!!!!!.htm Filenames aren’t changed and encrypted files aren’t appended with a new extension SHA256: b14ffe0bdadfbab0de8b5ef1b5d078a7c500e5f4e164d771163171e1ed170542 File name: RIG EK Flash Exploit.swf SHA256: 2f51e6819a2dff508dae58abf95b5d381801debe0cd52b88d6ac05ad05531ba9 ...

EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.

IOCs: 104.28.18.48 – amaz0ns.com – Compromised website 188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK 188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run) 5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin Traffic: Hashes: SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b File name: Landing Page.html SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554 File name: RIG EK v4.0 Flash Exploit.swf SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69 File name: o32.tmp SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52 File ...

EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.

IOCs: 104.28.31.109 – lepatek.com – Compromised website 92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK 109.236.87.84 – 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin. Traffic: Hashes: SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8 File name: RIG-v EK Flash Exploit.swf SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea File name: QTTYUADAF SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e File name: rad26801.tmp.exe Hybrid-Analysis Report Infection Chain: Loading the website in my browser and ...

EITest Leads to RIG-v EK at 194.87.145.225, Drops CryptoShield 1.1 Ransomware

IOCs: 212.166.71.52 – blog.masmovil.es – Compromised website 194.87.145.225 – sound.formpools.co – RIG-v EK 45.76.81.110 – POST /test_site_scripts/moduls/connects/mailsupload.php – Callback Traffic: Hashes: SHA256: dc837458d43126eb135816c0e3a3d8b8d0a557f89a9240b12319073e4fcc4449 File name: EITest RIG-v EK Flash Exploit.swf SHA256: 3f517c7bf5176614ff11f3fc275849155c5bfede0b7a7748781b8aaf36fc6650 File name: QTTYUADAF SHA256: a73c0538ad23bf6b092e6109d990802fefe549b0532bf39dc704a88198b8eebb File name: rad871F7.tmp.exe and SmartScreen.exe Hybrid-Analysis Report Infection Chain: I want to give a shout-out to @FreeBSDfan for ...

Iframe Points to RIG-v EK at 93.158.215.169. EK Drops Spora Ransomware.

IOCs: 93.158.215.169 – fredomasearchdsd.top – RIG-v EK 186.2.163.47 – spora.biz – Spora ransomware domain Traffic: Hashes: SHA256: ae7073760a86f38b29d6399a91dda6507237b420c5f4d386de3b5c1c3cf111f5 File name: Landing Page.html SHA256: 840ce47e94db6dae302dddbfe33f9548a47541a0917def5e2e5644fc2965ba52 File name: Flash Exploit.swf SHA256: 175a8c92c16d6104dab04fb9e93c2ab3245d2888773abc903f013f4530f61911 File name: radF0D46.tmp.exe Hybrid-Analysis Report Infection Chain: I found a website with an iframe containing a URL for a RIG-v EK landing page: It doesn’t ...

EITest Leads to Sundown EK at 93.190.143.82 and Drops Cerber

IOCs: 93.190.143.82 – cfx.hvb.mobi – Sundown EK 93.190.143.82 – hxrheg.fve.mobi – Sundown EK Cerber check-in traffic via UDP port 6892: 90.2.1.0/27 90.3.1.0/27 91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255) 162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page 162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page HTTP Method and URIs: GET ...

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs: 138.128.171.35 – northcoastmed.com – Compromised website 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain 92.53.120.233 – red.telco.news – RIG-v EK 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky 188.127.239.53 – Locky post-infection traffic – POST /checkupdate Traffic: Hashes: SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 File name: northcoastmed.com.html SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 File name: dropname.syncroweb.com Afraidgate.js SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b File name: RIG-v Pre-Landing ...

p

pseudoDarkleech to RIG-v EK’s

IOCs: 107.181.172.103 – lovlose.com – Compromised site 109.234.37.178 – new.buttock.toys – RIG-v EK Cerber check-in traffic via UDP port 6892 1.22.15.0/27 2.23.16.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 184.168.136.128 – tarboushgrill.com – Compromised site 81.177.139.86 – see.soulartspublishing.com – RIG-v EK Cerber check-in traffic via UDP port 6892 77.4.1.0/27 77.15.1.0/27 91.239.24.0/24 91.239.25.0/24 IOCs: 141.138.168.111 – hoolhoevebriards.com – Compromised site ...

&

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs: 211.149.241.201 – phpwind.0592yt[.]com/result – Download location 115.29.247.219 – 902f[.]com/result- Download location 176.114.0.20 – shema.org[.]ua/result – Download location 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location 202.133.118.222 – aqua-inter[.]com/result – Download location 194.28.49.140 – cdsp[.]pl/result – Download location 216.110.144.152 – hanavanpools[.]com/result – Download location 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location 193.201.225.124 – POST /checkupdate – Locky C2 ...