Rig EK at Drops CryptMIC Ransomware



  • – standiferplace.org – Compromised Site
  • – gissendannerkudosta.cyclemanagementassociates.org – Rig EK
  • – CryptMIC post-infection callback traffic via TCP port 443


  1. SHA256: eb68b4c9ef550aa2cb0304ee866cf65cb9df0dacaeb37f89417ab8c3eacbe7ee
    File name: RigEK Landing Page.html
  2. SHA256: cc1002a14db7ccf59b7320b49a5dfc0995a6ad6895bfaab4de1a296756020fe6
    File name: RigEK Flash Exploit.swf
  3. SHA256: bd98b94ec01df8a3391af1203f662225a4734c154ee58a739cd4af5328ff0823
    File name: IIj6sFosp
  4. SHA256: a14720c38e5317d2616697d16a8c46532ddf6a183bc1d3276cbf936d9bba5e4d
    File name: radD66CA.tmp.exe



Infection Chain:

The infection chain starts off with the pseudoDarkleech script redirecting the host to the Rig Exploit Kit landing page. Below is the injected script found within the iframe tags:


Once the browser loads the compromised site the iframe generates a GET request from the host to the Rig Exploit Kit landing page:


The Rig Exploit Kit landing page contains malicious code that when successfully loaded will initiate another GET request for a Flash exploit:


And finally we see the GET request for the payload via application/x-msdownload:
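One way to spot this chain in proxy or web logs, as an added example that is not part of the original post: correlate, per client and per server host, a landing page (text/html) followed by a Flash exploit (assumed here to be served as application/x-shockwave-flash) and then a payload served as application/x-msdownload, all within a short window. The log lines and the single-host assumption are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the original capture), one per
# response: "<timestamp> <client-ip> <server-host> <response-content-type>".
SAMPLE_LOG = """\
2016-10-12T14:02:01 10.0.0.5 standiferplace.org text/html
2016-10-12T14:02:03 10.0.0.5 gissendannerkudosta.cyclemanagementassociates.org text/html
2016-10-12T14:02:04 10.0.0.5 gissendannerkudosta.cyclemanagementassociates.org application/x-shockwave-flash
2016-10-12T14:02:06 10.0.0.5 gissendannerkudosta.cyclemanagementassociates.org application/x-msdownload
2016-10-12T14:05:00 10.0.0.9 example.org text/html
2016-10-12T14:05:02 10.0.0.9 cdn.example.org application/x-msdownload
"""

# Expected order of response types from one EK host: landing page,
# Flash exploit (assumed MIME type), then the payload as application/x-msdownload.
CHAIN = ("text/html", "application/x-shockwave-flash", "application/x-msdownload")


def parse_log(text):
    """Return (timestamp, client, host, content_type) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, host, ctype))
    return events


def find_ek_chains(events, window=60):
    """Return (client, host, start_time) for each client/host pair whose responses
    follow CHAIN in order within `window` seconds of the landing-page response."""
    by_pair = defaultdict(list)
    for ts, client, host, ctype in sorted(events):
        by_pair[(client, host)].append((ts, ctype))
    hits = []
    for (client, host), reqs in by_pair.items():
        stage, start = 0, None
        for ts, ctype in reqs:
            if ctype == CHAIN[0]:
                stage, start = 1, ts  # (re)start the chain at a landing-page response
            elif stage and ctype == CHAIN[stage] and (ts - start).total_seconds() <= window:
                stage += 1
                if stage == len(CHAIN):
                    hits.append((client, host, start.isoformat()))
                    break
    return hits


if __name__ == "__main__":
    for client, host, started in find_ek_chains(parse_log(SAMPLE_LOG)):
        print(f"possible Rig EK chain: {client} -> {host} starting {started}")
```

A client that only fetches an application/x-msdownload from some host, like 10.0.0.9 above, does not match, so the logic flags the sequence rather than any single download.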


As with my previous post (found HERE), I didn't get compromised on my first run. Initially, the first file dropped in %TEMP% was a .dll. It wasn't until my second run, when an executable named "radD66CA.tmp.exe" was dropped, that my host was compromised.

Preceding radD66CA.tmp.exe in %TEMP% was a file named "IIj6sFosp". This file deletes itself before the .dll and .exe files are dropped. Here is a look at IIj6sFosp:


Here are the files located in %TEMP%:


We can see that ransom notes (Bitmap, HTML, and Text) are dropped in various folders and on the Desktop:


My recommendation is to block both the Rig Exploit Kit IP and the post-infection callback IP at your perimeter firewall(s).
