2017-02-27 - RIG EK EXAMPLES (PSEUDO-DARKLEECH AND EITEST CAMPAIGNS)

ASSOCIATED FILES:

  • 2017-02-26-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap   (711,243 bytes)
  • 2017-02-27-EITest-Rig-EK.pcap   (579,067 bytes)
  • 2017-02-26-Cerber_HELP_HELP_HELP_EFX5Q_.png   (360,498 bytes)
  • 2017-02-26-Cerber_HELP_HELP_HELP_K4G4EG_.hta   (75,862 bytes)
  • 2017-02-26-page-from-biversum.com-with-injected-pseudoDarkleech-script.txt   (26,244 bytes)
  • 2017-02-26-pseudoDarkleech-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-02-26-pseudoDarkleech-Rig-EK-flash-exploit.swf   (15,097 bytes)
  • 2017-02-26-pseudoDarkleech-Rig-EK-landing-page.txt   (30,987 bytes)
  • 2017-02-26-pseudoDarkleech-Rig-EK-payload-Cerber-b5vaoogh.exe   (257,504 bytes)
  • 2017-02-27-EITest-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
  • 2017-02-27-EITest-Rig-EK-flash-exploit.swf   (15,097 bytes)
  • 2017-02-27-EITest-Rig-EK-landing-page.txt   (30,956 bytes)
  • 2017-02-27-EITest-Rig-EK-payload-l5pf16w8.exe   (215,552 bytes)
  • 2017-02-27-page-from-protoday.uz-with-injected-EITest-script.txt   (72,816 bytes)

BACKGROUND ON THE CAMPAIGNS:

OTHER NOTES:


Shown above:  Flow charts for this traffic.

TRAFFIC


Shown above:  Pcap of the first infection (pseudoDarkleech campaign) filtered in Wireshark.


Shown above:  Pcap of the second infection (EITest campaign) filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

RIG EK FLASH EXPLOIT:

RIG EK PAYLOAD FROM PSEUDO-DARKLEECH CAMPAIGN:

RIG EK PAYLOAD FROM EITEST CAMPAIGN:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
