Tag: EITest

The University of South Florida: Subdomain Injected with EITest Script That Points to Both Rig-V and Rig-E EK. Dropped CryptoMix (CryptFile2) Ransomware.

IOCs:
131.247.120.45 – etc.usf.edu – Compromised subdomain on usf.edu
217.107.37.39 – red.wellnesswatchersmd.net – Rig-V EK
93.115.38.112 – d4sna.rithiperdien.top – Rig-E EK
5.39.84.236 – GET /validator_os/master_valid_os/ms_statistic_os_key.php?info=SCmvxag30Y35DIy7JTzxsJSTLJzUe67VbrPhiiCr4iIe
5.39.84.236 – POST /validator_os/master_valid_os/microsoft_osINFO.php – POSTs files to the web server
Traffic:
Hashes:
SHA256: 36fecf334a7be0e9c33c7a745c09e5daf775438e4018cc7de26e5d056ff9ec0f – File name: RigV UA check page.html
SHA256: ef89449250ff7e297300bd1bf1c5ca1c4de691b8d23727e481b24121985f69ad – File name: RigV Landing Page.html
SHA256: 65e938972896e4ffb6c4de3f8314e1a2acd8da5f86fee94f34d35a5d334723e6 – File name: ...

EITest Leads to Rig EK 185.141.26.72, 185.141.25.207 and 185.141.25.234

IOCs:
46.252.207.1 – amberhsu.com – Compromised site
185.141.25.207 – za95uur.ag0clk.top – Rig EK run #1 (blocked by ESET)
185.141.25.234 – h01wi.d7riwiu.top – Rig EK run #2
185.141.26.72 – gyu1f1.eowjl2.top – Rig EK run #3
222.206.156.2, 208.73.206.179, 23.108.245.93 – post-infection DNS queries shown below.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org ...

EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs:
216.17.111.107 – theconservativeclub.us – Compromised website
176.223.111.152 – bj4lr.xl2sz08.top – Rig EK
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the infected host also contacted both IPs via TCP port 80.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org, monertee39.com
Traffic:
Hashes:
SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3 – File name: RigEK Landing Page.html
SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd – File ...

EITest Leads to Rig EK at 176.223.111.33 and 176.223.111.77, Malicious SSL Certificate Detected

IOCs:
184.168.152.59 – abc-imports.com – Compromised website
176.223.111.33 – hs0ql.hd9ads4fb.top – Rig EK
176.223.111.77 – wub2v.pgpbpgu.top – Rig EK (second run)
222.206.156.2 and 208.73.206.179 – post-infection DNS queries (shown below); the infected host also contacted both IPs via TCP port 80.
Domains resolving to the above IPs include: nitrrotetris.com, monsterkillyep444.net, blintyris.net, lamerpamer.org, monertee39.com
Traffic (first run):
Hashes: ...

EITest Leads to Rig EK at 192.99.197.128

IOCs:
160.153.75.199 – stampscraparttour.com – Compromised website
192.99.197.128 – qca7.rsecx.top – Rig EK
194.58.108.203 – GET /drb3.php?a=n [truncated]
185.49.68.167 – srugbah.com – GET /d8/u1.php?a=n [truncated]
192.168.175.135 and 104.24.28.9 – whoer.net – IP check
There were also GET requests to cl.com, craigslist.org, google.com, yahoomail.com, mail.aol.com, and lolvn.gameinfo.garenanow.com. Furthermore, many of the requests being made are using port ...

EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail

IOCs:
198.23.50.198 – luxurenailbar.com – Compromised website
185.45.193.52 – jw1f0y.wkfroa.top – Rig EK
Post-infection POST requests:
62.129.220.170 – infotech.pl
76.12.115.26 – leapc.com
50.63.46.84 – 2print.com
104.25.146.12 – dayvo.com
219.122.1.240 – ex-olive.com
103.241.2.201 – pb-games.com
193.34.148.140 – stnic.co.uk
77.66.54.114 – valdal.com
72.3.177.107 – owsports.ca
23.229.223.161 – nunomira.com
46.30.59.13 – com-sit.com
118.23.162.86 – ora.ecnet.jp
69.163.218.51 – ...

EITest Leads to Rig EK at 195.133.201.68 and Drops CryptFile2 Ransomware

IOCs:
69.80.203.8 – criticall911.com – Compromised site
195.133.201.68 – add.lovegivedo.com – Rig EK
37.59.39.53 – GET /index.jpg and POST /brows/setup.php – CryptFile2 post-infection traffic
Traffic:
Hashes:
SHA256: 0a6260e81a8eb7c2221da7431f0468f703fe047478de315d8023f8fe1be8ddb2 – File name: RigEK Landing Page.html
SHA256: 4f3632001131f30bd7d01c4c0c195abb947b5556c34479e5f5a8bde2326dda48 – File name: RigEK Flash Exploit.swf
SHA256: efdf104d92509f8f1084125b1f6235fca2c6ae8863e7c5d08c556ee91a446b1c – File name(s): 77B6.tmp and ChromeFlashPlayer_[id].exe
Infection Chain: The infection chain begins when the ...

EITest Leads to Rig EK at 185.117.73.96 Which Sends H1N1

IOCs:
159.203.83.164 – theglades-newlaunch.com – Compromised site
185.117.73.96 – dqxwriw.rfasy90.top – Rig EK
185.93.185.3 – POST and GET requests via direct IP – H1N1 traffic
POST 185.93.185.3/h/gate.php
GET 185.93.185.3/zp/1bc.php?[truncated]
Traffic:
Hashes:
SHA256: f0a89d5750ba6da934ac7cd680aad81b8b53c1647605ee325186d7e1009de79c – File name: RigEK Landing Page.html
SHA256: cff2e04045c905426c4e1974f591ce45011b21ac82f8880ab8ede85175427db6 – File name: RigEK Flash Exploit.swf
SHA256: 540148c35dd8fb861e5472f68224f899dd7bea4c9216ed6fdcda430c5632b3b5 – File name: svcxdcl32.exe
SHA256: e9b48129a44804a0e2140e6f1a66621816e95e5786f41d2f0afe8403b63f4a6b – File name: svcxdcl32.dat ...
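The posts above share a recurring shape: a compromised site, a Rig EK gate on a throwaway .top hostname, and then post-infection traffic that is recognisable either by the IP the victim's DNS answers point to (222.206.156.2 / 208.73.206.179 keep appearing under new domain names) or by a fixed URI path on a bare IP (/h/gate.php, /brows/setup.php, /validator_os/...). The script below is an added example, not code from the blog, that applies those indicators to DNS and HTTP proxy log lines. The log line format, the client addresses and every line of SAMPLE_LOG are constructed for the example; the indicator values themselves are copied from the excerpts on this page. It also flags HTTP requests whose Host is a bare IP, which is how the H1N1 and CryptFile2 check-ins above look, so review those hits rather than treating them as confirmed.

```python
"""Match the EITest / Rig EK indicators listed on this page against log lines.

Added example for this tag page, not the blog author's code. The log format
below is an assumption:
    dns  <timestamp> <client-ip> <queried-name> <answer-ip>
    http <timestamp> <client-ip> <method> <host> <uri>
"""
import ipaddress
import re

# Rig EK gate hostnames from the posts on this page.
RIG_EK_GATES = {
    "red.wellnesswatchersmd.net", "d4sna.rithiperdien.top",
    "za95uur.ag0clk.top", "h01wi.d7riwiu.top", "gyu1f1.eowjl2.top",
    "bj4lr.xl2sz08.top", "hs0ql.hd9ads4fb.top", "wub2v.pgpbpgu.top",
    "qca7.rsecx.top", "jw1f0y.wkfroa.top", "add.lovegivedo.com",
    "dqxwriw.rfasy90.top",
}
# Post-infection IPs from the posts: DNS answers and direct-IP C2.
POST_INFECTION_IPS = {
    "222.206.156.2", "208.73.206.179", "23.108.245.93",  # DNS answers after Rig EK
    "37.59.39.53",                                        # CryptFile2 check-in
    "185.93.185.3",                                       # H1N1 gate
    "5.39.84.236",                                        # CryptoMix validator_os
}
POST_INFECTION_DOMAINS = {
    "nitrrotetris.com", "monsterkillyep444.net", "blintyris.net",
    "lamerpamer.org", "monertee39.com",
}
# URI paths seen in the post-infection traffic above.
C2_URI_PATTERNS = [
    (re.compile(r"^/brows/setup\.php$"), "CryptFile2 check-in"),
    (re.compile(r"^/h/gate\.php$"), "H1N1 gate"),
    (re.compile(r"^/zp/\w+\.php"), "H1N1 download"),
    (re.compile(r"^/validator_os/master_valid_os/"), "CryptoMix validator_os"),
]

DNS_RE = re.compile(r"^dns (\S+) (\S+) (\S+) (\S+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_ip(host):
    """True when the HTTP Host value is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a list of (client, label) hits for one log line; [] when clean."""
    hits = []
    m = DNS_RE.match(line)
    if m:
        _ts, client, qname, answer = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in RIG_EK_GATES:
            hits.append((client, "Rig EK gate lookup: " + qname))
        if qname in POST_INFECTION_DOMAINS:
            hits.append((client, "post-infection domain lookup: " + qname))
        if answer in POST_INFECTION_IPS:
            # Catches fresh domain names that still resolve to the known C2 IPs.
            hits.append((client, f"resolution to post-infection IP {answer} via {qname}"))
        return hits
    m = HTTP_RE.match(line)
    if m:
        _ts, client, method, host, uri = m.groups()
        host = host.lower()
        if host in RIG_EK_GATES:
            hits.append((client, "Rig EK landing/exploit request to " + host))
        if host in POST_INFECTION_IPS:
            hits.append((client, f"{method} to post-infection IP {host}"))
        for pat, label in C2_URI_PATTERNS:
            if pat.search(uri):
                hits.append((client, f"{label} URI {uri}"))
        if is_ip(host) and host not in POST_INFECTION_IPS:
            # Direct-IP HTTP is how the H1N1 and CryptFile2 check-ins look; review, not confirm.
            hits.append((client, f"HTTP to bare IP {host} (direct-IP pattern, review)"))
    return hits


def scan(lines):
    """Run classify() over every line and collect the hits in order."""
    hits = []
    for line in lines:
        hits.extend(classify(line.strip()))
    return hits


# Constructed sample log (not captured traffic): one clean lookup, a Rig EK
# chain, a new domain resolving to a known C2 IP, an H1N1 gate POST, and an
# unrelated direct-IP request from a second client.
SAMPLE_LOG = """\
dns 2017-01-10T10:00:01Z 10.0.0.5 www.example.com 93.184.216.34
dns 2017-01-10T10:00:02Z 10.0.0.5 bj4lr.xl2sz08.top 176.223.111.152
http 2017-01-10T10:00:03Z 10.0.0.5 GET bj4lr.xl2sz08.top /?oq=abc
dns 2017-01-10T10:00:40Z 10.0.0.5 newname-not-on-list.com 222.206.156.2
http 2017-01-10T10:00:41Z 10.0.0.5 POST 185.93.185.3 /h/gate.php
http 2017-01-10T10:00:42Z 10.0.0.7 GET 198.51.100.9 /index.html
""".splitlines()

if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

The answer-IP check is the one worth keeping after the gate domains rotate: the posts list several distinct domains resolving to the same two addresses, so matching on what a name resolves to outlives matching on the name.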