Rig Exploit Kit via the EITest campaign delivers ransomware from 18.104.22.168
- Today I captured traffic from the Rig Exploit Kit (EK), which delivered ransomware via the EITest campaign.
- Files on the infected host were encrypted and their file extensions were changed to .crypted.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- cedar.igrooveweb.com – COMPROMISED SITE
- 22.214.171.124 – america.folkartinamerica.com – RIG EK LANDING PAGE
- 126.96.36.199 – RANSOMWARE CHECK-IN
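As an added example (not part of the original post), the script below matches the indicators listed above against web proxy log lines and flags the three stages of the chain in order: compromised site, Rig EK landing page, ransomware check-in. The log format (timestamp, client IP, destination IP, host header, URI) and the sample lines are constructed for the demonstration; only the domains, IPs and the .crypted extension come from the post.

```python
import re

# Indicators as listed in the post above, labelled by their role in the chain.
IOC_DOMAINS = {
    "cedar.igrooveweb.com": "compromised site",
    "america.folkartinamerica.com": "Rig EK landing page",
}
IOC_IPS = {
    "22.214.171.124": "Rig EK landing page",
    "126.96.36.199": "ransomware check-in",
}
# Extension appended to encrypted files on the infected host.
ENCRYPTED_EXT = ".crypted"

# Constructed sample proxy log (hypothetical format): ts client dst_ip host uri
SAMPLE_LOG = """\
2017-01-01T10:00:01 10.0.0.5 93.184.216.34 example.com /index.html
2017-01-01T10:00:02 10.0.0.5 203.0.113.7 cedar.igrooveweb.com /
2017-01-01T10:00:03 10.0.0.5 22.214.171.124 america.folkartinamerica.com /?q=abc
2017-01-01T10:00:09 10.0.0.5 126.96.36.199 126.96.36.199 /
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_hit(host):
    """Return the IoC label if host equals or is a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    for ioc, label in IOC_DOMAINS.items():
        if host == ioc or host.endswith("." + ioc):
            return label
    return None


def match_record(rec):
    """Return (indicator, label) pairs for one parsed record (host and/or dst IP)."""
    hits = []
    label = domain_hit(rec["host"])
    if label:
        hits.append((rec["host"], label))
    if rec["dst"] in IOC_IPS:
        hits.append((rec["dst"], IOC_IPS[rec["dst"]]))
    return hits


def scan_log(text):
    """Scan log text; return alerts as dicts with ts, src, indicator, label."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the expected format
        for indicator, label in match_record(rec):
            alerts.append(
                {"ts": rec["ts"], "src": rec["src"], "indicator": indicator, "label": label}
            )
    return alerts


def encrypted_files(paths):
    """Host-side triage: return paths carrying the ransomware's .crypted extension."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['indicator']} [{a['label']}]")
    print(encrypted_files(["report.docx.crypted", "notes.txt"]))
```

The domain check matches subdomains as well as the exact host, so a landing page served from another label under the same parent domain is still caught; the IP check is exact. Run against real proxy logs only after adapting LINE_RE to the actual field layout.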
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: