Tag: Ransomware

Rig Exploit Kit Switches From CryptMIC to Cerber

IOCs:
50.63.43.8 – thekingstreetgrille.com – Compromised site
194.87.146.233 – rew.usaviatorfinancing.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via dst. port 6892
45.59.114.125 and 173.254.231.11 – Cerber Decryptor payment site(s): ffoqr3ug7m726zou.5ggovj.bid ffoqr3ug7m726zou.1nkkem.top ffoqr3ug7m726zou.d4u711.bid ffoqr3ug7m726zou.y7603i.bid ffoqr3ug7m726zou.onion
148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer
Traffic:
Hashes:
SHA256: bd0fd45d9424075870b108526f18db71ce7f7e5e741336c056c08c13ba40693a
File name: RigEK Landing Page.html
SHA256: cabb797012864750b80b2942ebfcfdedcb3ef6b4a510b4d28c9389a69f4d010a
File ...

Rig EK at 109.234.37.218 Drops Cerber

IOCs:
162.144.210.253 – armyaviationmagazine.com – Compromised Site
109.234.37.218 – re.flighteducationfinancecompany.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
Traffic Associated With Cerber Compromise:
148.251.6.214 – btc.blockr.io – Bitcoin blockchain explorer
173.254.231.111 – ffoqr3ug7m726zou.fwzxnb.bid – Page for Cerber Decryptor
173.254.231.111 – ffoqr3ug7m726zou.ywoi5n.bid – Page for Cerber Decryptor
173.254.231.111 – ffoqr3ug7m726zou.8dlgyg.bid – Page ...

pseudoDarkleech Leads to Rig EK at 164.132.88.59 Which Drops CryptMIC Ransomware

IOCs:
50.87.151.118 – fourcornersbc.com – Compromised Site
164.132.88.59 – betonmaustanfordin.freshstyleapparel.com – Rig EK
162.244.35.19 – CryptMIC post-infection traffic via TCP port 443
Traffic:
Hashes:
SHA256: 38ff6f31844f6ce957c9b8fe3b42ac157e3f5b9e77ba86c83bd3165a5ffdac7f
File name: RigEK Landing Page.html
SHA256: dde4ec698a206614b0cce449493f72ae16be7867f0a9b76d40b192dd5ce003f5
File name: RigEK Flash Exploit.swf
SHA256: b4ed980b3bac17066661433f6f2ab58e370cf75f453baadd4322a3c53a9c28da
File name: rad57379.tmp.exe
Infection Chain:
The infection chain started with me browsing to the compromised ...

pseudoDarkleech Leads to Rig EK at 137.74.61.215 and Drops CryptMIC

IOCs:
206.188.193.161 – gallolocomexican.com – Compromised Website
137.74.61.215 – barkatullavbwait.ernestboaten.com – Rig EK
162.244.35.19 – CryptMIC C2 via TCP port 443 – Traffic sent in the clear
Traffic:
Hashes:
SHA256: 1e20d2cb0ad52d1dbead4d7f029921d9cc6fb541e11fac6a899bf33b86577656
File name: RigEK Landing Page.html
SHA256: 25ea816e89234c1974e791b04eb83280c92296500fa9fbbdae24056d0b7a8bfe
File name: RigEK Flash Exploit.swf
SHA256: 293e77ff35ff9482c1ea58025f8ddd9b2bf09b4d08dc1202794e1ba193d7c511
File name: IIj6sFosp
SHA256: 1fbfd0132f0ca12a41fec858e065763fc5d1b7a282b24e6cb5f45be2bbe02b1b
File name: rad84159.tmp.exe
Infection Chain: ...

pseudoDarkleech Leads to Rig EK at 5.196.126.82 Which Delivers CryptMIC

IOCs:
162.144.62.185 – tygerauto.com – Compromised Website
5.196.126.167 – aufrufenderasamblea.cyclemanagementassociates.info – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443 (not encrypted)
Traffic:
Hashes:
SHA256: b7911fe9343c681b9ed5cc34f9489d4b82d8dc2aaf1136c05ba44d9546707687
File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
File name: RigEK Flash Exploit.swf
SHA256: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d
File name: rad68A3A.tmp.exe
Infection Chain:
Below is an image grab from the compromised ...

Rig EK at 91.121.208.103 Drops CryptMIC

IOCs:
65.254.227.224 – zurnyachts[.]com – Compromised Site
91.121.208.103 – butterteigenpassionisten.loganslittleangels.org – Rig EK
91.121.74.154 – CryptMIC post-infection traffic via TCP port 443
Traffic:
Video of Infection:
Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉
Hashes:
SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4
File name: RigEK Landing Page.html
SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
File ...

Rig EK at 149.202.239.50 Drops CryptMIC Ransomware

IOCs:
192.185.112.45 – 101beautytricks.com – Compromised Site
149.202.239.50 – dissect.theawesomestmusic.com – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
Traffic:
Hashes:
SHA256: 101504d805174416b51f601dfb5ab626e8eea9504306a36bf5bb3ad2f8d30230
File name: RigEK Landing Page.html
SHA256: a09f4f8ab6d93995398320c9406a3502fee8d6116f0e7a8bf1b1c030dec555ff
File name: RigEK Flash Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
File name: IIj6sFosp
SHA256: aed87c57ed65adfaba258d48bbad1f9d2f9bc2f0e404b3badff246b504bae8dc
File name: rad8035D.tmp.exe
Infection Chain: ...

Rig EK at 149.202.239.54 Drops CryptMIC Ransomware

IOCs:
69.195.124.229 – friedchickenfestival.com – Compromised Site
149.202.239.54 – alveraverticaltotal.jacobeachquadplex.info – Rig EK
91.121.74.154 – CryptMIC post-infection callback traffic via TCP port 443 (sent in the clear)
Traffic:
Hashes:
SHA256: 02bbe8a5e930508263776e2efbe0d3bd1a4c01d42fa7ee4906cf735a91e29853
File name: RigEK Landing Page.html
SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
File name: RigEK Flash Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
File name: IIj6sFosp
SHA256: ba664c151f312b4d249fbee2863984aea4d3725b97065095b63729fe1f3fabfd
File name: radDA159.tmp.exe
Infection Chain: ...

Rig EK at 74.208.147.73 Drops CryptMIC Ransomware

IOCs:
181.224.139.64 – stjoeschool.org – Compromised Site
74.208.147.73 – vaippaandedicators.reducemycard.com – Rig EK
91.121.74.154 – CryptMIC C2 communications via TCP port 443 (in clear text)
Traffic:
Hashes:
SHA256: 0e78c0dc543ae85b59d60d6a0de3986cb4cab1640cb0809a3e9ce10657a71851
File name: RigEK Landing Page.html
SHA256: c9b281940374a6b02349c8804b6f58ae1faec061dccd346118acdf68c050824d
File name: RigEK SWF Exploit.swf
SHA256: e5df732f8fca61061901a1f56cd7c2dbcb8bd2422ace9c2e9237250fc2179331
File name: IIj6sFosp
SHA256: 0e9bedc57f97bb2c7119ad4713b03fc9b10df09202fb7a237b610aec4687b736
File name: radDC17B.tmp.exe
Infection Chain:
The infection ...

JScript Downloads Locky Ransomware

IOCs:
166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
51.254.108.40 – Locky callback traffic – POST / data/info.php
Traffic:
Hashes:
SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6
File name: DuINsSc1
SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75
File name: DuINsSc2
SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
File name: DuINsSc2.dll
Infection Chain:
This is a pretty standard infection chain for Locky right now. The malspam was ...