# 2017-01-17 - EITEST RIG-V FROM 92.53.127.86 SENDS SPORA RANSOMWARE **malware-traffic-analysis.net/2017/01/17/index2.html** ASSOCIATED FILES: ZIP archive of the pcaps: [2017-01-17-EITest-Rig-V-sends-Spora-ransomware.pcap.zip](http://malware-traffic-analysis.net/2017/01/17/2017-01-17-EITest-Rig-V-sends-Spora-ransomware.pcap.zip) 294 kB (293,923 bytes) 2017-01-17-EITest-Rig-V-sends-Spora-ransomware.pcap (341,571 bytes) ZIP archive of the malware: 2017-01-17-EITest-Rig-V-sends-Spora-malware-andartifacts.zip 167 kB (168,615 bytes) 2017-01-17-EITest-Rig-V-flash-exploit.swf (37,436 bytes) 2017-01-17-EITest-Rig-V-landing-page.txt (5,198 bytes) 2017-01-17-EITest-Rig-V-payload-Spora-ransomware-radFCDCC.tmp.exe (114,688 bytes) 2017-01-17-Spora-ransomware-US20D-ABCDE-ABCDE-ABCDE.HTML (14,402 bytes) 2017-01-17-Spora-ransomware-payment-page.html (89,552 bytes) 2017-01-17-page-from-naturalhealthonline.com-with-injected-EITest-script.txt (37,961 bytes) BACKGROUND ON RIG EXPLOIT KIT: Rig-V is what security researchers called Rig EK version 4 when it was only accessible [by "VIP" customers, while the old version (Rig 3) was still in use (reference).](https://github.com/MISP/misp-galaxy/blob/master/clusters/exploit-kit.json#L132) I currently call it "Rig-V" out of habit. You can probably just call it Rig EK now. Before 2017, I used to see Empire Pack (Rig-E) which is a variant of Rig EK with older[style URLs as described by Kafeine here.](http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html) I haven't seen anything other than Rig-V (Rig 4.0) when looking at Rig EK-based campaigns so far in 2017. BACKGROUND ON THE EITEST CAMPAIGN: [My most recent write-up on the EITest campaign can be found here.](http://researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/) BACKGROUND ON SPORA RANSOMWARE: Spora ransomware was first spotted last week and reported on 2017-01-10 at [BleepingComputer (link) and other sites quickly picked up on the news.](https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/) Apparently, it was being spread through malicious spam (malspam) last week. ----- Now it s also being spread through Rig Exploit Kit by the EITest campaign. Of note, there is no callback traffic by the Spora ransomware. The only post-infection I saw was HTTPS traffic to spora.bz when I followed the link from the decryption instructions. _Shown above: Flowchart for this infection traffic._ ## TRAFFIC _Shown above: Injected script from the EITest campaign from the compromised site._ ----- _Shown above: Pcap of the infection traffic filtered in Wireshark._ ASSOCIATED DOMAINS: **naturalhealthonline.com - Compromised site** 92.53.127.86 port 80 - zome.aplusengineering-gr.com - Rig-V 186.2.161.51 port 443 - spora.bz - HTTPS/SSL/TLS traffic when I checked the Spora ransomware decryption instructions ## FILE HASHES FLASH EXPLOIT: SHA256 hash: 7ef95283a46424a4c8db0d00601f8369831c29d748c6d4dccbf6620dd7558c1c (37,436 bytes) File description: Rig-V Flash exploit seen on 2017-01-17 PAYLOAD (SPORA RANSOMWARE): SHA256 hash: 2637247ad66e6e57a68093528bb137c959cdbb438764318f09326fc8a79bdaaf (114,688 bytes) File path example: C:\Users\[username]\AppData\Local\Temp\radFCDCC.tmp.exe ## IMAGES ----- _Shown above: Desktop of the infected Windows host._ ----- _Shown above: Full view of the decryption instructions._ ----- _Shown above: Going to the link from the decyrption instructions._ ----- _Shown above: The key that was dropped to the desktop along with the decryption_ _instructions._ ## FINAL NOTES Once again, here are the associated files: ZIP archive of the pcaps: [2017-01-17-EITest-Rig-V-sends-Spora-ransomware.pcap.zip](http://malware-traffic-analysis.net/2017/01/17/2017-01-17-EITest-Rig-V-sends-Spora-ransomware.pcap.zip) 294 kB (293,923 bytes) ZIP archive of the malware: 2017-01-17-EITest-Rig-V-sends-Spora-malware-andartifacts.zip 167 kB (168,615 bytes) ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website. [Click here to return to the main page.](http://malware-traffic-analysis.net/index.html) -----