Rig Exploit Kit via EITEST gate 31.184.193.187 delivers Crypt2 Ransomware

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered Crypt2 ransomware via the EITEST campaign.
  • The EITEST campaign has again changed its gate, from IP address 31.184.192.188 to 31.184.193.187.
  • The EITEST gate has changed its domain naming to the .party domain.

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it, please email me:
info@broadanalysis.com

PCAP file of the infection traffic:
2016-09-19-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 31.184.193.187 – www.autogrs.party – EITEST GATE
  • 109.234.36.38 – add.arielcatering.com – RIG EK LANDING PAGE
  • 176.31.127.110 – Crypt2 COMMAND and CONTROL
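As an added example (not part of the write-up), the indicators listed above checked against proxy log lines in Python, with hits grouped per client so the gate, landing page and command-and-control sequence stands out. The log lines are constructed for the example, not taken from the pcap.

```python
# Indicators taken from the write-up's list of associated domains and IP addresses.
INDICATORS = {
    "31.184.193.187": "EITEST gate",
    "www.autogrs.party": "EITEST gate",
    "109.234.36.38": "Rig EK landing page",
    "add.arielcatering.com": "Rig EK landing page",
    "176.31.127.110": "Crypt2 command and control",
}

# Constructed proxy log lines (not from the pcap on the page).
# Fields: timestamp, client IP, destination host ("-" if none), destination IP, status.
SAMPLE_LOG = """\
2016-09-19T14:02:11Z 10.0.0.23 compromised-site.example 203.0.113.10 200
2016-09-19T14:02:13Z 10.0.0.23 www.autogrs.party 31.184.193.187 200
2016-09-19T14:02:15Z 10.0.0.23 add.arielcatering.com 109.234.36.38 200
2016-09-19T14:03:40Z 10.0.0.23 - 176.31.127.110 200
2016-09-19T14:05:02Z 10.0.0.45 intranet.example 10.0.0.5 200
"""


def match_indicators(log_text):
    """Return (timestamp, client, matched value, stage) for every line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, client, host, ip = parts[:4]
        # Check the host first so a domain hit is still reported if the IP has moved.
        for value in (host, ip):
            if value in INDICATORS:
                hits.append((ts, client, value, INDICATORS[value]))
                break  # one hit per line
    return hits


def stages_by_client(hits):
    """Collapse hits into the ordered, de-duplicated chain of stages seen per client."""
    chains = {}
    for ts, client, _value, stage in hits:
        chain = chains.setdefault(client, [])
        if stage not in chain:
            chain.append(stage)
    return chains


if __name__ == "__main__":
    hits = match_indicators(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    for client, chain in stages_by_client(hits).items():
        print(client, "->", " > ".join(chain))
```

A single gate hit can be a benign visitor who was redirected but not exploited; a client that touches the gate, then the landing page, then the C2 address within minutes is the pattern worth escalating.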


DETAILS OF INFECTION CHAIN FOR RIG EK:

Shown above: Network traffic associated with the Rig exploit and Crypt2 ransomware

Shown above: Obfuscated injected script found on the index page of the compromised site, which redirects the visitor to the EITEST gate to start the infection chain. The page source can be viewed by right-clicking the web page and selecting “View source”.

Shown above: Decoding the injected obfuscated script by replacing “-” with “%” in a text editor

Shown above: Pasting the script into the http://jsunpack.jeek.org decoder

Shown above: The decoded script shows the redirect to the EITEST gate
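The decoding step described above (swap “-” back to “%”, then percent-decode, then read off the redirect target), as an added Python example rather than the page's own script or the jsunpack tool. The obfuscated string and the gate.example host are constructed placeholders, not the real injected script or the EITEST gate.

```python
import re
from urllib.parse import unquote

# Constructed sample, not the script from the compromised site: a percent-encoded
# snippet in which every "%" has been swapped for "-", the obfuscation described
# in the write-up. "gate.example" is a placeholder, not the real EITEST gate host.
OBFUSCATED_SAMPLE = (
    "-3Cscript-3Edocument.write-28-27-3Ciframe-20src-3D-22http-3A-2F-2F"
    "gate.example-2Fpath-22-20width-3D-221-22-20height-3D-221-22-3E"
    "-3C-2Fiframe-3E-27-29-3B-3C-2Fscript-3E"
)

# A dash followed by exactly two hex digits is treated as a disguised escape.
HEX_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")


def deobfuscate(blob):
    """Reverse the '-' for '%' swap, then percent-decode the result.

    Only a dash followed by two hex digits is restored, so a literal dash that
    sits elsewhere in the blob survives; a blanket replace of "-" with "%" is
    the text-editor version of the same step shown in the screenshot.
    """
    restored = HEX_ESCAPE.sub(r"%\1", blob)
    return unquote(restored)


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(script):
    """Pull the redirect targets out of the decoded script for blocklists and alerts."""
    return URL_RE.findall(script)


if __name__ == "__main__":
    decoded = deobfuscate(OBFUSCATED_SAMPLE)
    print(decoded)
    for url in extract_urls(decoded):
        print("redirect target:", url)
```

Running the block prints the decoded iframe injection and the single redirect URL it points at; the extracted host is what goes into the proxy blocklist alongside the IPs listed earlier on the page.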


Shown above: Post-infection traffic associated with Crypt2 ransomware

Shown above: HELP_DECRYPT_YOUR_FILES.TXT and HELP_DECRYPT_YOUR_FILES.HTML ransom notes and payment instructions associated with Crypt2 ransomware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: