Angler Exploit Kit via EITEST Gate sends Cryptxxx Ransomware

June 5, 2016 Analysis
1 Comment
ANGLER Exploit Kit, EITEST, Ransomware

UPDATE:
Post infection search of infected computer for .exe and .dll files returned negative results. The explorer.exe file below returned no Virus Total results. Please read Virus Total comments associated with below explorer.exe file [HERE].

On June 1st, 2016 I began monitoring an EITEST gate that would redirect to assorted Angler Exploit Kit landing pages. Today this EITEST gate again redirected to an Angler EK landing page sending Cryptxxx.

Past Posts related to this EITEST gate and the Angler EK:
Angler Exploit Kit sends variant of Zeta Ransomware
Angler Exploit Kit from 185.106.122.81 sends Gootkit

 

ASSOCIATED DOMAINS:

  • 85.93.0.72 – losxce.tk –  EITEST GATE
  • 74.208.110.67 – krotensuikermechosa.wkcscotland.com – Angler EK LANDING PAGE
  • 85.25.194.116 PORT 443 – Cryptxxx CHECK-IN CnC

 

IMAGES and DETAILS:

Shown above: EITEST gate redirecting to Angler Exploit Kit landing page

 

Shown above: Injected script on compromised site redirecting to EITEST gate

 

Shown above: Script on EITEST gate redirecting to Angler EK landing page

 

Shown above: Payload in Windows directory “C:\Users\%UserName%\AppData\Local\Temp” associated with Cryptxxx ransomware infection

 

WINDOWS REGISTRY KEYS CREATED DURING INFECTION:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2

 

Shown above: After encrypting files Cryptxxx adds the .crypz file extension

 

Shown above: Cryptxxx did not encrypt the Windows default sample pictures files.

 

Shown above: Cryptxxx .HTML ransom note and De-Crypt instructions

 

Shown above: Cryptxxx .BMP ransom note and De-Crypt instructions

 

Shown above: Cryptxxx .TXT ransom note and De-Crypt instructions

 

MALICIOUS PAYLOAD ASSOCIATED WITH ANGLER EXPLOIT:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

ANGLER Exploit Kit
EITEST