Rig Exploit Kit via EITEST delivers Crypt2 ransomware C2 5.39.93.43

October 17, 2016 Analysis

0 Comment

EITEST, Ransomware, Rig Exploit Kit

NOTES:

Today I captured traffic from the Rig Exploit Kit (EK) which delivered Crypt2 ransomware via the EITEST campaign.
The EiTest campaign was last seen delivering Crypt2 ransomware on October 5th, 2016 before switching to Cerber ransomware.
Once again thanks to @CyberScimitar for finding and sharing compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2016-10-17-Rig-EK-2-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

www.thescarefactor.com – COMPROMISED SITE
195.133.201.121 – add.francafranca.com – RIG EK LANDING PAGE
5.39.93.43 – GET /index.jpg – CRYPT2 COMMAND and CONTROL
5.39.93.43 – POST /u/affer.php – CRYPT2 COMMAND and CONTROL

ASSOCIATED EMAILS FOR RANSOM PAYMENT:

E-MAIL1: enc6@usa.com
E-MAIL2: enc6@dr.com

IMAGES AND DETAILS OF ORIGINAL INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Crypt2 ransomware

Shown above: Injected script found on index page of compromised site which redirects visitor to the Rig EK landing page to start infection chain – Web page source code can be found by right clicking on web page and selecting “View source”

Shown above: HELP_DECRYPT_YOUR_FILES.TXT ransom note and payment instruction associated with Crypt2 ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

2016-10-15-Rig-EK.swf
Virus Total Link
2016-10-15-ACD5.tmp
Virus Total Link

BroadAnalysis

Rig Exploit Kit via EITEST delivers Crypt2 ransomware C2 5.39.93.43