Videos
RIG EK at 5.200.52.238 Drops Ransom Locker
The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...
EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.
IOCs: 104.28.18.48 – amaz0ns.com – Compromised website 188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK 188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run) 5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin Traffic: Hashes: SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b File name: Landing Page.html SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554 File name: RIG EK v4.0 Flash Exploit.swf SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69 File name: o32.tmp SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52 File ...
Thousands of Compromised Websites Leading to Fake Flash Player Update Sites. Payload is Qadars Banking Trojan.
Traffic: Infection Chain (Run on 02/10/17): There appears to be thousands of websites that were compromised and had been redirecting users to fake Flash Player update sites. For the most part they seem to be delivering Qadars banking malware. I was originally tipped off to a potentially compromised site a couple weeks ago by somebody ...
RIG-v at 194.87.144.170. EK Drops Dreambot.
IOCs: 88.214.225.168 – duckporno.com – Decoy site 80.77.82.42 – walterboroads.info – GET /rotation/hits? – Malicious redirect 194.87.144.170 – mail.mobildugun.com – RIG-v EK Post-Infection Traffic: 94.23.186.184 – GET /images/[truncated]/MK/.avi – ET TROJAN Ursnif Variant CnC Beacon 94.23.186.184 – GET /tor/t32.dll – ET CURRENT_EVENTS Possible Malicious Tor Module Download 37.48.122.26 – curlmyip.net – GET for external IP Outbound ...
Rig EK at 91.121.208.103 Drops CryptMIC
IOCs: 65.254.227.224 – zurnyachts[.]com – Compromised Site 91.121.208.103 – butterteigenpassionisten.loganslittleangels.org – Rig EK 91.121.74.154 – CryptMIC post-infection traffic via TCP port 443 Traffic: Video of Infection: Sorry in advance if you don’t like my music selection! I will take song requests for $10! 😉 Hashes: SHA256: 00895735b2297cd73b723f27120bd86c56957e069156050a8eabf3e8a3811fa4 File name: RigEK Landing Page.html SHA256: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f File ...
Malware breakdown 