2016-10-31 - PSEUDO-DARKLEECH RIG-V SENDS DDOS BOTNET MALWARE

ASSOCIATED FILES:

  • 2016-10-31-pseudoDarkleech-RIGv-sends-ddos-botnet-malware.pcap   (243,816 bytes)
  • 2016-10-31-page-from-joellipman.com-with-injected-script.txt   (68,385 bytes)
  • 2016-10-31-pseudoDarkleech-RIGv-flash-exploit.swf   (51,801 bytes)
  • 2016-10-31-pseudoDarkleech-RIGv-landing-page.txt   (4,810 bytes)
  • 2016-10-31-pseudoDarkleech-RIGv-payload.exe   (147,456 bytes)

NOTES:

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Injected script from the pseudoDarkleech campaign in a page from the compromised site.


Shown above:  Traffic from the infection filtered in Wireshark.
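The same request/response chain that the Wireshark filter shows (compromised site -> Rig-V landing page -> Flash exploit -> EXE payload) can be pulled out of the pcap without Wireshark. The script below is an added example, not code from the original post or from malware-traffic-analysis.net: it parses classic pcap/Ethernet/IPv4/TCP framing with only the Python standard library, pairs each HTTP request with its response by flow, and then flags any server that answered with text/html, then application/x-shockwave-flash, then application/x-msdownload in that order, which is the landing page -> SWF -> payload sequence of this infection. The capture it reads is constructed in memory; the landing-page host ek-landing.example and the IP addresses are placeholders, not the indicators from this traffic (joellipman.com is the compromised site named on this page).

```python
# Added example (not code from malware-traffic-analysis.net): reconstruct the HTTP
# chain of an exploit-kit infection from a pcap using only the standard library.
# The capture is constructed in memory below; "ek-landing.example" and the IP
# addresses are placeholders, not indicators taken from the real pcap.
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload (checksums zero: test data only)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames, t0=1477900000):
    """Wrap frames in a pcap global header plus one record header per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))

def iter_frames(pcap):
    """Yield link-layer frames, honouring the byte order implied by the magic."""
    end = "<" if struct.unpack_from("<I", pcap, 0)[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]   # captured length
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_segment(frame):
    """Return (src, dst, sport, dport, payload), or None for non-IPv4/TCP frames."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4                 # TCP header starts after IHL
    sport, dport = struct.unpack_from("!HH", frame, t)
    data = t + (frame[t + 12] >> 4) * 4             # TCP data offset field
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    return src, dst, sport, dport, frame[data:]

def _headers(text):
    """Split an HTTP message head into (start line, {lower-case name: value})."""
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = dict((k.strip().lower(), v.strip()) for k, v in
                  (line.split(":", 1) for line in lines[1:] if ":" in line))
    return lines[0], fields

def extract_http_chain(pcap):
    """Pair each HTTP request with its response by 4-tuple flow, in capture order."""
    pending, chain = {}, []
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:
            continue
        src, dst, sport, dport, payload = seg
        first, fields = _headers(payload.decode("latin-1"))
        if first.startswith(("GET ", "POST ")):
            method, uri, _ = first.split(" ", 2)
            rec = {"method": method, "host": fields.get("host", dst), "uri": uri,
                   "referer": fields.get("referer"), "server": dst,
                   "status": None, "content_type": None}
            pending[(src, sport, dst, dport)] = rec
            chain.append(rec)
        elif first.startswith("HTTP/1."):
            rec = pending.pop((dst, dport, src, sport), None)  # reverse of the request flow
            if rec is not None:
                rec["status"] = first.split(" ")[1]
                rec["content_type"] = fields.get("content-type", "").split(";")[0]
    return chain

def ek_like_servers(chain):
    """Servers that answer text/html, then a Flash object, then a Windows EXE, in that
    order: the landing page -> SWF exploit -> payload sequence seen in this capture."""
    wanted = ["text/html", "application/x-shockwave-flash", "application/x-msdownload"]
    progress = {}                                   # server -> how much of wanted matched
    for rec in chain:
        idx = progress.get(rec["server"], 0)
        if idx < len(wanted) and rec["content_type"] == wanted[idx]:
            progress[rec["server"]] = idx + 1
    return [s for s, idx in progress.items() if idx == len(wanted)]

def sample_pcap():
    """Constructed traffic: compromised site -> EK landing page -> SWF -> EXE."""
    client, site, ek = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    def req(server, port, path, host, referer=None):
        head = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        head += f"Referer: {referer}\r\n" if referer else ""
        return build_frame(client, server, port, 80, (head + "\r\n").encode())
    def resp(server, port, ctype, body):
        head = f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
        return build_frame(server, client, 80, port, head.encode() + body)
    return build_pcap([
        req(site, 49152, "/", "joellipman.com"),
        resp(site, 49152, "text/html", b"<html>...</html>"),
        req(ek, 49153, "/?q=abc", "ek-landing.example", "http://joellipman.com/"),
        resp(ek, 49153, "text/html; charset=utf-8", b"<html>...</html>"),
        req(ek, 49154, "/?q=def", "ek-landing.example", "http://ek-landing.example/?q=abc"),
        resp(ek, 49154, "application/x-shockwave-flash", b"CWS" + bytes(8)),
        req(ek, 49155, "/?q=ghi", "ek-landing.example", "http://ek-landing.example/?q=def"),
        resp(ek, 49155, "application/x-msdownload", b"MZ" + bytes(8)),
    ])

if __name__ == "__main__":
    for r in extract_http_chain(sample_pcap()):
        print(f'{r["server"]:>14}  {r["status"]}  {r["content_type"]:<32} {r["host"]}{r["uri"]}')
    print("EK-like servers:", ek_like_servers(extract_http_chain(sample_pcap())))
```

To run it against the real capture, replace sample_pcap() with the bytes of the .pcap file; the parser only handles single-segment HTTP messages and the classic pcap format (not pcapng), which is enough for the short GET/response exchanges of an EK chain but not for reassembling a large payload download. The Referer chain in the output is what links the compromised page to the landing page, and the per-server content-type sequence is the same signal the Emerging Threats rules for EK landing pages and Flash exploits key on.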

 

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOIT:

PAYLOAD (DARKNESS/MADNESS DDOS BOTNET MALWARE):

IMAGES


Shown above:  Malware made persistent on the infected host.


Shown above:  Alerts on the pcap from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.  Alerts for Darkness and Madness are noted.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
