Tag: CryptFile2

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs:
68.178.254.116 – westwoodenabler.com – Compromised website
92.53.120.233 – top.tbn1.us – RIG-v EK
91.121.244.84 – CryptoMix callback traffic

Traffic:

Hashes:
SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 – File name: RIG-v Flash Exploit.swf
SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 – File name: QTTYUADAF
SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c – File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe” (Hybrid-Analysis Report)

Infection Chain: The infection chain started off with me browsing to the compromised ...


The University of South Florida: Subdomain Injected with EITest Script That Points to Both Rig-V and Rig-E EK. Dropped CryptoMix (CryptFile2) Ransomware.

IOCs:
131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu
217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK
93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK
5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe
5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver

Traffic:

Hashes:
SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f – File name: RigV UA check page.html
SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad – File name: RigV Landing Page.html
SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6 – File name: ...


EITest Leads to Rig EK at 195.133.201.68 and Drops CryptFile2 Ransomware

IOCs:
69.80.203.8 – criticall911.com – Compromised site
195.133.201.68 – add.lovegivedo.com – Rig EK
37.59.39.53 – GET /index.jpg and POST /brows/setup.php – CryptFile2 post-infection traffic

Traffic:

Hashes:
SHA256: 0a6260e81a8eb7c2221da7431f0468f703fe047478de315d8023f8fe1be8ddb2 – File name: RigEK Landing Page.html
SHA256: 4f3632001131f30bd7d01c4c0c195abb947b5556c34479e5f5a8bde2326dda48 – File name: RigEK Flash Exploit.swf
SHA256: efdf104d92509f8f1084125b1f6235fca2c6ae8863e7c5d08c556ee91a446b1c – File name(s): 77B6.tmp and ChromeFlashPlayer_[id].exe

Infection Chain: The infection chain begins when the ...


EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs:
184.106.55.122 – deadendbbq[.]com – Compromised Website
194.165.16.204 – nohydyc.top – EITest Gate
195.133.201.44 – rty.exploredowntownwestpalmbeach.com – Rig Exploit Kit
5.39.86.86 – GET /default.jpg
5.39.86.86 – POST /z/setting.php

Hashes:
SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34 – File name: EITest SWF Redirect.swf
SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9 – File name: EITest Gate.html
SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a – File name: RigEK Landing Page.html
SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6 – File name: RigEK SWF ...