Rig Exploit Kit from 188.225.35.86 delivers CryptoShield and Cerber ransomware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected", all lowercase.

PCAP file of the infection traffic:
2017-02-06-Rig_EK-EITEST-pcap.zip
2017-02-06-Rig-EK-PS-pcap.zip

EITEST ASSOCIATED DOMAINS AND IP ADDRESSES:

  • cedar.igrooveweb.com – COMPROMISED SITE
  • 188.225.35.86 – one.overnightsuccess.life – RIG-EK LANDING PAGE
  • 104.238.188.209 – POST /css/js/jave_scirpt/jave_script.php – CRYPTOSHIELD CHECK-IN

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit kit and the delivery of CryptoShield ransomware via the EITest campaign

Shown above: "# RESTORING FILES #.HTML" ransom note and payment instructions associated with CryptoShield ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

pseudoDarkleech ASSOCIATED DOMAINS AND IP ADDRESSES:

  • betongstudio.no – COMPROMISED SITE
  • 188.225.35.86 – past.overnightsuccess.solutions – RIG-EK LANDING PAGE
  • 109.230.199.212 – p27dokhpz2n7nvgr.145rzb.top – CERBER CHECK-IN
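The two indicator lists above (EITest and pseudoDarkleech) are most useful when they can be run against proxy or DNS logs. The script below is an added example, not part of the original post: it loads the page's domains, IPs and the CryptoShield check-in URI path into one table and flags any web-proxy log line whose host or path matches, grouped by internal client. The log layout (client, method, URL, status) and every log line are constructed for the demonstration; they do not come from the shared pcaps.

```python
"""Added example: match this page's Rig EK / CryptoShield / Cerber indicators
against web-proxy log lines. Indicator values are taken from the page's two IoC
lists; the log lines are constructed for the demo, not taken from the pcaps."""
import re
from urllib.parse import urlsplit

# Indicators as listed on the page, mapped to (campaign, role).
INDICATORS = {
    "cedar.igrooveweb.com": ("EITest", "compromised site"),
    "one.overnightsuccess.life": ("EITest", "Rig EK landing page"),
    "188.225.35.86": ("Rig EK", "landing page IP, used by both campaigns"),
    "104.238.188.209": ("EITest", "CryptoShield check-in IP"),
    "/css/js/jave_scirpt/jave_script.php": ("EITest", "CryptoShield check-in URI"),
    "betongstudio.no": ("pseudoDarkleech", "compromised site"),
    "past.overnightsuccess.solutions": ("pseudoDarkleech", "Rig EK landing page"),
    "109.230.199.212": ("pseudoDarkleech", "Cerber check-in IP"),
    "p27dokhpz2n7nvgr.145rzb.top": ("pseudoDarkleech", "Cerber check-in domain"),
}

# Constructed sample log in an assumed "client method url status" layout.
SAMPLE_LOG = """\
10.0.0.12 GET http://cedar.igrooveweb.com/index.php 200
10.0.0.12 GET http://one.overnightsuccess.life/?q=abc 200
10.0.0.12 POST http://104.238.188.209/css/js/jave_scirpt/jave_script.php 200
10.0.0.15 GET http://www.example.com/ 200
10.0.0.20 GET http://betongstudio.no/ 200
10.0.0.20 GET http://188.225.35.86/?x=1 200
10.0.0.20 POST http://p27dokhpz2n7nvgr.145rzb.top/ 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def match_line(line):
    """Return a list of (indicator, campaign, role) hits for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    hits = []
    for ioc, (campaign, role) in INDICATORS.items():
        if ioc.startswith("/"):
            # URI-path indicator: exact path match regardless of host.
            if parts.path == ioc:
                hits.append((ioc, campaign, role))
        elif host == ioc or host.endswith("." + ioc):
            # Host indicator: exact host or any subdomain of a listed domain.
            hits.append((ioc, campaign, role))
    return hits


def scan_log(text):
    """Return {client: [(line_no, indicator, campaign, role), ...]} for lines that hit."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for ioc, campaign, role in match_line(line):
            report.setdefault(m.group("client"), []).append((n, ioc, campaign, role))
    return report


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG).items():
        print(client)
        for n, ioc, campaign, role in hits:
            print(f"  line {n}: {ioc} ({campaign}: {role})")
```

A single hit on 188.225.35.86 cannot tell you which campaign the host was redirected through; the preceding compromised-site request and the later check-in destination (104.238.188.209 for CryptoShield, the .top domain for Cerber) are what separate the two chains, which is why the report is grouped per client rather than per line.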

Shown above: Network traffic associated with the Rig exploit kit and the delivery of Cerber ransomware via the pseudoDarkleech campaign

Shown above: Infected host desktop, ransom note and payment instructions associated with Cerber ransomware

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: