Rig EK at Drops CryptMIC Ransomware

IOCs:

friedchickenfestival.com – Compromised Site
alveraverticaltotal.jacobeachquadplex.info – Rig EK
CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)

Files:

  1. SHA256: 02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853
     File name: RigEK Landing Page.html
  2. SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
     File name: RigEK Flash Exploit.swf
  3. SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
     File name: IIj6sFosp
  4. SHA256: ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd
     File name: radDA159.tmp.exe

Infection Chain:

The infection chain begins with the pseudoDarkleech script being injected into the compromised website. Below is an image of the website's source code, which shows the injected script:


The URL within the <iframe> tag is used as the redirection mechanism for the Rig Exploit Kit landing page. Below are the requests and responses for the Exploit Kit landing page, Flash exploit, and payload (in that order):




This time the server sent an executable called “radDA159.tmp.exe”. The file description of the executable is “NirCmd”, which is a legitimate Windows command-line tool. The actors even gave the malicious executable an icon. See the images below:



There were also ransom notes (Bitmap, HTML, and Text) dropped in various folders. Oddly enough I didn’t get the usual .html and .txt ransom notes on the Desktop, only the image changed.


I recommend that the EK IP be blocked at your perimeter firewall.
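The callback listed in the IOCs goes out over TCP port 443 in the clear, so a useful complement to the firewall block is flagging flows to 443 whose first client bytes are not a TLS ClientHello. Below is an added example (not code from this post); the flow records and IP addresses are constructed for the demo.

```python
"""Flag TCP/443 flows whose first client bytes are not a TLS handshake.

Added example for this write-up, not code from the original post.
CryptMIC's post-infection callback uses port 443 without TLS, so a
443 flow that does not open with a TLS record deserves a look.
"""
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record carrying a ClientHello."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0?,
    # 2-byte length, then handshake type 0x01 = ClientHello.
    if len(data) < 6:
        return False
    return (data[0] == 0x16
            and data[1] == 0x03
            and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and data[5] == 0x01)


def cleartext_on_443(flows: List[Flow]) -> List[Flow]:
    """Return flows to port 443 that do not begin with a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed sample flows (not captured data); 198.51.100.7 stands in
# for the CryptMIC callback host, which the post does not name.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443,
         bytes.fromhex("160301012a0100012603035a")),            # genuine TLS
    Flow("10.0.0.5", "198.51.100.7", 443,
         b"POST / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),     # cleartext on 443
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),  # port 80, out of scope
]

if __name__ == "__main__":
    for f in cleartext_on_443(SAMPLE_FLOWS):
        print(f"cleartext on 443: {f.src} -> {f.dst} {f.first_bytes[:16]!r}")
```

Feed it the first payload bytes of each new 443 flow from a capture or flow exporter; legitimate TLS passes, the in-the-clear callback is the one that surfaces.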
