Rig Exploit Kit via the EITest campaign delivers ransomware from 185.159.128.165
NOTES:
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered ransomware via the EITest campaign.
- Files on the infected host were encrypted and their file extensions were changed to .crypted.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2017-03-25-Rig-EK-pcap2.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- cedar.igrooveweb.com – COMPROMISED SITE
- 185.159.128.165 – america.folkartinamerica.com – RIG EK LANDING PAGE
- 170.254.236.102 – RANSOMWARE CHECK-IN
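The indicators above (the two domains, the two IP addresses and the .crypted extension from the notes) are enough to build a simple retrospective check. The following is an added example, not code from the original post: it takes the post's IoCs and runs them over constructed proxy-log and file-rename lines. The log formats, the client addresses, the TEST-NET server addresses and the file paths are all assumptions made for the example; only the domains, IPs and extension come from the post.

```python
import re
from typing import Dict, List, Optional

# Indicators taken from the post above
IOC_DOMAINS = {
    "cedar.igrooveweb.com": "compromised site",
    "america.folkartinamerica.com": "Rig EK landing page",
}
IOC_IPS = {
    "185.159.128.165": "Rig EK landing page",
    "170.254.236.102": "ransomware check-in",
}
RANSOM_EXT = ".crypted"

# Assumed proxy log format (constructed for this example, not from the pcap):
#   <iso-timestamp> <client-ip> <method> <url> <server-ip>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<server>\S+)$"
)
HOST_IN_URL = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")

# Assumed file-event format (constructed): <iso-timestamp> <hostname> RENAME <old> -> <new>
FILE_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+RENAME\s+(?P<old>.+?)\s+->\s+(?P<new>.+)$")

# Constructed sample data: 10.0.0.12 and 203.0.113.x are placeholders, not values from the post
SAMPLE_PROXY_LOG = [
    "2017-03-25T10:00:01Z 10.0.0.12 GET http://cedar.igrooveweb.com/index.html 203.0.113.10",
    "2017-03-25T10:00:03Z 10.0.0.12 GET http://america.folkartinamerica.com/ 185.159.128.165",
    "2017-03-25T10:00:09Z 10.0.0.12 POST http://170.254.236.102/ 170.254.236.102",
    "2017-03-25T10:00:10Z 10.0.0.12 GET http://www.example.com/ 203.0.113.20",
]
SAMPLE_FILE_EVENTS = [
    "2017-03-25T10:01:30Z WS12 RENAME C:\\Users\\a\\Documents\\report.docx -> C:\\Users\\a\\Documents\\report.docx.crypted",
    "2017-03-25T10:01:31Z WS12 RENAME C:\\Users\\a\\Pictures\\cat.jpg -> C:\\Users\\a\\Pictures\\cat.jpg.crypted",
    "2017-03-25T10:01:40Z WS12 RENAME C:\\Users\\a\\Downloads\\x.tmp -> C:\\Users\\a\\Downloads\\x.txt",
]


def _domain_hit(host: str) -> Optional[str]:
    """Return the IoC label if host equals or is a subdomain of a listed domain."""
    for domain, label in IOC_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return f"domain {host}: {label}"
    return None


def match_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a proxy line whose URL host or server IP is one of the post's indicators."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    host_m = HOST_IN_URL.match(m["url"].lower())
    host = host_m["host"] if host_m else ""
    reasons: List[str] = []
    domain_reason = _domain_hit(host)
    if domain_reason:
        reasons.append(domain_reason)
    if m["server"] in IOC_IPS:
        reasons.append(f"ip {m['server']}: {IOC_IPS[m['server']]}")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "reason": "; ".join(reasons)}


def match_file_event(line: str) -> Optional[Dict[str, str]]:
    """Flag a rename whose new name carries the .crypted extension seen on the infected host."""
    m = FILE_LINE.match(line.strip())
    if not m or not m["new"].lower().endswith(RANSOM_EXT):
        return None
    return {"ts": m["ts"], "host": m["host"], "file": m["new"]}


def scan_all(proxy_lines=SAMPLE_PROXY_LOG, file_lines=SAMPLE_FILE_EVENTS) -> Dict[str, List[Dict[str, str]]]:
    """Run both checks and return the hits grouped by source."""
    network = [h for h in (match_proxy_line(l) for l in proxy_lines) if h]
    files = [h for h in (match_file_event(l) for l in file_lines) if h]
    return {"network": network, "files": files}


if __name__ == "__main__":
    for kind, hits in scan_all().items():
        for hit in hits:
            print(kind, hit)
```

Matching on both the URL host and the server IP matters here: the landing page is reachable by name and by address, and a check-in to a bare IP carries no domain at all, so either field alone would miss part of the chain.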
IMAGES AND DETAILS OF INFECTION CHAIN:
[Image] Network traffic associated with the Rig EK and the delivery of the .crypted ransomware
[Image] Infected host desktop: ransom note and payment instructions associated with the .crypted ransomware
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EK:
- 2017-03-25-Rig-EK.swf
- 2017-03-25-dxh26wam.exe [.crypted RANSOMWARE] (VirusTotal link, Hybrid-Analysis link)