Rig-E Exploit Kit delivers ransomware and more from 86.106.93.98

NOTES:

  • Today I captured traffic from the Rig-E Exploit Kit (EK), which delivered the Shade (also known as Troldesh) ransomware and additional malware via the EITest campaign.
  • The pcap file shows an additional layer in the landing page. For reasons unknown, the exploit delivered two identical payloads.
  • Presently there are 3 versions of the Rig Exploit Kit. For more details on the versions, see malware-traffic-analysis.net.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-12-20-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • cedar.igrooveweb.com – COMPROMISED SITE
  • 86.106.93.98 – uuu1v.jytreoasid.top – RIG-E LANDING PAGE
  • 131.188.40.189 Port 443 – POST INFECT TRAFFIC
  • 81.17.17.131 Port 443 – POST INFECT TRAFFIC
  • 144.76.163.93 Port 9001 – POST INFECT TRAFFIC
  • 51.254.115.225 Port 9001 – POST INFECT TRAFFIC
  • 104.74.80.55 – whatismyipaddress.com – IP ADDRESS CHECK
  • 185.68.16.158 – ipieceofcake.com POST /wp-content/uploads/2016/04/gate.php – POST INFECT TRAFFIC
  • 194.109.206.212 Port 443 – POST INFECT TRAFFIC
  • 93.170.77.148 Port 21828 – POST INFECT TRAFFIC
  • 185.130.207.151 Port 443 – POST INFECT TRAFFIC
  • 163.172.21.96 Port 9001 – POST INFECT TRAFFIC

DNS TRAFFIC:

  • simaran.xyz – Server Failure
  • mulleroil.trade – 46.4.37.41
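The two lists above are the indicators a defender would want to sweep proxy and DNS logs for. The script below is an added example, not part of the original post: it loads the domains, IP/port pairs, the gate.php URL and the two DNS names listed above into one indicator table and runs them over a few constructed log lines in a simple whitespace-separated format (the log format, the client address 10.0.0.5 and the benign 203.0.113.10 destination are assumptions for the example). Domain matching also fires on subdomains of a listed name, and IP indicators that the post pairs with a port only match on that port, so ordinary port-443 traffic to an unrelated host is not flagged.

```python
"""Sweep constructed proxy/DNS log lines for the Rig-E / Shade indicators listed in the post."""

# Indicators taken from the lists in the post: (kind, value, label).
# whatismyipaddress.com is a legitimate service; it is kept but labelled as a weak indicator.
IOCS = [
    ("domain", "cedar.igrooveweb.com", "compromised site"),
    ("domain", "uuu1v.jytreoasid.top", "Rig-E landing page"),
    ("ip", "86.106.93.98", "Rig-E landing page"),
    ("ip_port", "131.188.40.189:443", "post-infection traffic"),
    ("ip_port", "81.17.17.131:443", "post-infection traffic"),
    ("ip_port", "144.76.163.93:9001", "post-infection traffic"),
    ("ip_port", "51.254.115.225:9001", "post-infection traffic"),
    ("ip_port", "194.109.206.212:443", "post-infection traffic"),
    ("ip_port", "93.170.77.148:21828", "post-infection traffic"),
    ("ip_port", "185.130.207.151:443", "post-infection traffic"),
    ("ip_port", "163.172.21.96:9001", "post-infection traffic"),
    ("ip", "185.68.16.158", "post-infection gate"),
    ("url", "ipieceofcake.com/wp-content/uploads/2016/04/gate.php", "post-infection gate"),
    ("domain", "whatismyipaddress.com", "IP address check (weak indicator on its own)"),
    ("domain", "mulleroil.trade", "DNS lookup seen in infection"),
    ("domain", "simaran.xyz", "DNS lookup seen in infection (SERVFAIL)"),
]

# Constructed sample log (assumed format):
#   HTTP: date time client dst_ip dst_port method host path
#   DNS:  date time client DNS qname answer
SAMPLE_LOG = """\
2016-12-20 14:01:02 10.0.0.5 203.0.113.10 80 GET cedar.igrooveweb.com /index.html
2016-12-20 14:01:03 10.0.0.5 86.106.93.98 80 GET uuu1v.jytreoasid.top /
2016-12-20 14:01:09 10.0.0.5 DNS mulleroil.trade 46.4.37.41
2016-12-20 14:01:10 10.0.0.5 DNS simaran.xyz SERVFAIL
2016-12-20 14:01:12 10.0.0.5 104.74.80.55 80 GET whatismyipaddress.com /
2016-12-20 14:01:15 10.0.0.5 185.68.16.158 80 POST ipieceofcake.com /wp-content/uploads/2016/04/gate.php
2016-12-20 14:01:20 10.0.0.5 144.76.163.93 9001 CONNECT - -
2016-12-20 14:02:00 10.0.0.5 203.0.113.10 443 GET www.example.com /
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that fit neither format."""
    f = line.split()
    if len(f) == 6 and f[3] == "DNS":
        return {"ts": f"{f[0]} {f[1]}", "client": f[2], "qname": f[4], "answer": f[5]}
    if len(f) == 8 and f[4].isdigit():
        return {"ts": f"{f[0]} {f[1]}", "client": f[2], "dst": f[3], "port": int(f[4]),
                "method": f[5], "host": f[6], "path": f[7]}
    return None


def match_event(evt):
    """Return the sorted, de-duplicated indicator labels that an event matches."""
    hits = set()
    name = evt.get("host") or evt.get("qname")  # HTTP host or DNS query name
    for kind, value, label in IOCS:
        if kind == "ip" and evt.get("dst") == value:
            hits.add(label)
        elif kind == "ip_port":
            ip, port = value.rsplit(":", 1)
            # Port-qualified indicators only fire on the port the post observed.
            if evt.get("dst") == ip and evt.get("port") == int(port):
                hits.add(label)
        elif kind == "domain" and name:
            # Exact match or any subdomain of the listed name.
            if name == value or name.endswith("." + value):
                hits.add(label)
        elif kind == "url" and evt.get("host"):
            if evt["host"] + evt.get("path", "") == value:
                hits.add(label)
    return sorted(hits)


def scan(lines):
    """Return (line, labels) for every parseable line that matches at least one indicator."""
    results = []
    for line in lines:
        evt = parse_line(line)
        if evt is None:
            continue
        labels = match_event(evt)
        if labels:
            results.append((line, labels))
    return results


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_LOG.splitlines()):
        print(f"{line}\n    -> {', '.join(labels)}")
```

Run as-is it prints each flagged sample line with its labels; to use it on real data, replace `SAMPLE_LOG` with lines from your proxy and DNS logs in the same field order, or adapt `parse_line` to your log format. A landing-page hit followed by the port-9001/443 post-infection connections from the same client is the sequence the pcap shows, and is a far stronger signal than any single indicator, particularly the IP-check domain.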

EMAIL ADDRESS FOR RANSOM PAYMENT:

2Lynness.Taftfera1990@gmail.com


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig-E exploit and the delivery of ransomware and more


Shown above: DNS traffic associated with infection


Shown above: Injected script found on the index page of the compromised site associated with the EITest campaign, which redirects visitors to the Rig-E EK landing page – the web page source code can be viewed by right-clicking on the web page and selecting “View source”


Shown above: Desktop ransom note associated with infection


MALICIOUS PAYLOAD ASSOCIATED WITH RIG-E EXPLOIT: