Rig Exploit Kit via EITest delivers ransomware from 126.96.36.199
- Today I captured traffic from the Rig Exploit Kit (EK), which delivered ransomware via the EITest campaign.
- Files on the infected host were encrypted and their file extensions were changed to .crypted.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- cedar.igrooveweb.com – COMPROMISED SITE
- 188.8.131.52 – america.folkartinamerica.com – RIG EK LANDING PAGE
- 184.108.40.206 – RANSOMWARE CHECK-IN
IMAGES AND DETAILS OF INFECTION CHAIN:
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: