Rig Exploit Kit via the EITest campaign delivers ransomware from 185.159.128.165

NOTES:

  • Today I captured traffic from the Rig Exploit Kit (EK), which delivered ransomware via the EITest campaign.
  • Files on the infected host were encrypted and their file extensions were changed to .crypted.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-03-25-Rig-EK-pcap2.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

  • cedar.igrooveweb.com – COMPROMISED SITE
  • 185.159.128.165 – america.folkartinamerica.com – RIG EK LANDING PAGE
  • 170.254.236.102 – RANSOMWARE CHECK-IN
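The indicators above are most useful when they can be matched against what an organisation actually logs. The following is an added example (not part of the original post or its pcap) that takes the domains and IPs listed in this write-up and runs them over a few constructed proxy/DNS log lines, grouping the hits per internal client so the compromised site, the Rig EK landing page and the ransomware check-in appear as one ordered timeline. The simplified log format (`timestamp client kind destination [detail]`) and the sample lines are assumptions made for the example; adapt `LINE_RE` to your own proxy or DNS log layout.

```python
#!/usr/bin/env python3
"""Match the Rig EK / EITest indicators from the write-up against log lines.

The indicator values come from the post above. The log format and the
sample lines are constructed for this example so it runs offline.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators from the write-up, tagged with the role the post assigns them.
IOC_DOMAINS = {
    "cedar.igrooveweb.com": "compromised site",
    "america.folkartinamerica.com": "Rig EK landing page",
}
IOC_IPS = {
    "185.159.128.165": "Rig EK landing page",
    "170.254.236.102": "ransomware check-in",
}

# Constructed sample lines (not captured traffic) in a simplified format:
#   <timestamp> <client-ip> <DNS|HTTP|HTTPS> <destination-host-or-ip> [<detail>]
SAMPLE_LOGS = """\
2017-03-25T14:02:11Z 10.0.0.7 DNS cedar.igrooveweb.com A
2017-03-25T14:02:12Z 10.0.0.7 HTTP cedar.igrooveweb.com GET /
2017-03-25T14:02:15Z 10.0.0.7 DNS america.folkartinamerica.com A
2017-03-25T14:02:16Z 10.0.0.7 HTTP 185.159.128.165 GET /
2017-03-25T14:02:40Z 10.0.0.7 HTTP 170.254.236.102 POST /
2017-03-25T14:03:01Z 10.0.0.9 DNS www.example.com A
2017-03-25T14:03:02Z 10.0.0.9 HTTP www.example.com GET /index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>DNS|HTTP|HTTPS)\s+"
    r"(?P<dest>\S+)(?:\s+(?P<detail>.*))?$"
)


def classify_dest(dest):
    """Return the IoC role for a destination host or IP, or None if unknown."""
    host = dest.lower().rstrip(".")
    if host in IOC_DOMAINS:
        return IOC_DOMAINS[host]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: also flag subdomains of a listed domain.
        for domain, role in IOC_DOMAINS.items():
            if host.endswith("." + domain):
                return role
        return None
    return IOC_IPS.get(str(ip))


def scan_logs(text):
    """Return a list of (timestamp, client, kind, dest, role) for lines that hit an IoC."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed or unrelated line
        role = classify_dest(m.group("dest"))
        if role:
            hits.append((m.group("ts"), m.group("client"), m.group("kind"),
                         m.group("dest"), role))
    return hits


def infected_hosts(hits):
    """Group hits by internal client so each host gets one ordered timeline."""
    by_client = defaultdict(list)
    for ts, client, kind, dest, role in hits:
        by_client[client].append((ts, kind, dest, role))
    return dict(by_client)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for client, events in infected_hosts(hits).items():
        print(f"{client}: {len(events)} indicator hit(s)")
        for ts, kind, dest, role in events:
            print(f"  {ts} {kind:5} {dest:32} -> {role}")
```

Grouping by client matters more than the raw hit count: a single DNS lookup of the compromised site may only mean a user browsed a legitimate page, while the same client reaching the landing page IP and then posting to the check-in address within a minute is the full infection chain this post describes.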

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig EK exploit and the delivery of the .crypted ransomware.

Shown above: Infected host desktop with the ransom note and payment instructions associated with the .crypted ransomware.

MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: