Tag: CryptoMix

Exploit Kit

EITest Leads to RIG-v EK at 92.53.120.233 Drops CryptoMix

IOCs: 68.178.254.116 – westwoodenabler.com – Compromised website 92.53.120.233 – top.tbn1.us – RIG-v EK 91.121.244.84 – CryptoMix callback traffic Traffic: Hashes: SHA256: 76cd48af0b8a0dbaa9260996cd4347a811bc0a09efce18c9d25f7cc59828d335 File name:RIG-v Flash Exploit.swf SHA256: 3ff4c80212d97aa64154dc3bd6a361766286c5073d15ec65cb32fe2755f8a703 File name: QTTYUADAF SHA256: 038bfb53f45a596762be789c66663966ef9bf04c1c80aae339f40e9a5fe3088c File name: “radC79C9.tmp.exe” and “Spy Security SoftWare_91bf6e5_aed68d54.exe” Hybrid-Analysis Report Infection Chain: The infection chain started off with me browsing to the compromised ...

By malwarebreakdown on January 15, 2017

T
Exploit Kit

The University of South Florida: Subdomain Injected with EITest Script That Points to Both Rig-V and Rig-E EK. Dropped CryptoMix (CryptFile2) Ransomware.

IOCs: 131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu 217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK 93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK 5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe 5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to webserver Traffic: Hashes: SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f File name: RigV UA check page.html SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad File name: RigV Landing Page.html SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6 File name: ...

By malwarebreakdown on December 17, 2016