2016-05-05 - TWO EXAMPLES OF EXPLOIT KIT (EK) TRAFFIC SENDING RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-05-05-EK-traffic-sending-ransomware-2-pcaps.zip 3.3 MB (3,265,918 bytes)
- 2016-05-05-EITest-Neutrino-EK-sends-Cerber-ransomware.pcap (602,657 bytes)
- 2016-05-05-pseudo-Darkleech-Angler-EK-sends-Bedep-and-CryptXXX-ransomware.pcap (2,896,363 bytes)
- 2016-05-05-files-from-two-EK-infections-sending-ransomware.zip 959.2 kB (959,236 bytes)
- 2016-05-05-Cerber-ransomware-DECRYPT_MY_FILES.html (12,579 bytes)
- 2016-05-05-Cerber-ransomware-DECRYPT_MY_FILES.txt (11,247 bytes)
- 2016-05-05-Cerber-ransomware-DECRYPT_MY_FILES.vbs (204 bytes)
- 2016-05-05-CryptXXX-ransomware-de_crypt_readme.bmp (2,326,734 bytes)
- 2016-05-05-CryptXXX-ransomware-de_crypt_readme.html (3,315 bytes)
- 2016-05-05-CryptXXX-ransomware-de_crypt_readme.txt (1,638 bytes)
- 2016-05-05-CryptXXX-ransomware-ransomware.dll (488,448 bytes)
- 2016-05-05-EITest-Neutrino-EK-flash-exploit.swf (71,047 bytes)
- 2016-05-05-EITest-Neutrino-EK-landing-page.txt (897 bytes)
- 2016-05-05-EITest-Neutrino-EK-payload-Cerber-ransomware.exe (464,896 bytes)
- 2016-05-05-EITest-flash-file-from-newswii_tk.swf (15,596 bytes)
- 2016-05-05-click-fraud-malware.dll (319,648 bytes)
- 2016-05-05-pseudo-Darkleech-Angler-EK-flash-exploit.swf (66,818 bytes)
- 2016-05-05-pseudo-Darkleech-Angler-EK-landing-page.txt (66,350 bytes)
- 2016-05-05-pseudo-Darkllech-script-in-page-from-photobookcanada_com.txt (163,187 bytes)
NOTES:
- Two different EKs today. One was Angler EK from the pseudo-Darkleech campaign sending Bedep and CryptXXX ransomware. The other was Neutrino EK from the EITest campaign sending Cerber.
- Today's click-fraud malware: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\fwcfg.dll
- Today's CryptXXX ransomware: C:\Users\[username]\AppData\Local\Temp\{0AE4195D-2F0D-407A-99EB-CF267E04A551}\hid80.dll
- Today's Cerber ransomware: C:\Users\[username]\AppData\Roaming\{A7E83A3F-CCDB-8C32-0024-BDF1A4DE3850}\rdrleakdiag.exe
- Background on the pseudo-Darkleech campaign is available here.
- Proofpoint's blog on Angler EK spreading CryptXXX ransomware can be found here.
- An ISC diary I wrote about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections is located here.
- Background on the EITest campaign is available here.
- An ISC diary I wrote about Neutrino EK sending Cerber ransomware is located here.

Shown above: Chain of events for today's infections.
TRAFFIC

Shown above: Pcap of the pseudo-Darkleech example filtered in Wireshark. Filter used: http.request or (tcp.port eq 443 and tcp.flags eq 0x0002)

Shown above: Pcap of the EITest example filtered in Wireshark.
ASSOCIATED DOMAINS
FIRST INFECTION - PSEUDO-DARKLEECH ANGLER EK SENDS BEDEP AND CRYPTXXX RANSOMWARE:
- 62.75.203[.]68 port 80 - lehtivalokuvaajat.sopotkin[.]com - Angler EK
- 104.193.252[.]241 port 80 - xqvyvibixozap[.]com - Bedep post-infection traffic
- 217.23.6[.]40 port 443 - CryptXXX ransomware custom encoded post-infection traffic
- 5.199.141[.]203 port 80 - ranetardinghap[.]com - Click-fraud traffic
- 93.190.141[.]27 port 80 - cetinhechinhis[.]com - Click-fraud traffic
- 95.211.205[.]218 port 80 - tedgeroatref[.]com - Click-fraud traffic
- 104.193.252[.]236 port 80 - rerobloketbo[.]com - Click-fraud traffic
- 162.244.34[.]11 port 80 - tonthishessici[.]com - Click-fraud traffic
- 188.138.105[.]185 port 80 - kimpelasomasot[.]com - Click-fraud traffic
SECOND INFECTION - EITEST NEUTRINO EK SENDS CERBER RANSOMWARE:
- 85.93.0[.]68 port 80 - newswii[.]tk - EITest gate
- 185.58.227[.]227 port 80 - lwrziawoax.xcaimane[.]top and jtxff.xcaimane[.]top - Neutrino EK
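The indicator lines above use the usual defanged notation ("[.]" in place of "."), which is safe to paste into a report but useless as-is in a filter or a rule. The following script is an added example, not part of the original post: it parses a copy of those lines into structured records, refangs them, and emits a Wireshark display filter (IP/port pairs and DNS query names) plus Suricata alert rules for the same indicators. The Wireshark fields (ip.addr, tcp.port, dns.qry.name) and the Suricata rule syntax are real; the sid range starting at 1000001 is an assumed local-rule numbering, and the line format it parses is simply the "IP port N - domain - description" layout used on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicator lines copied from the ASSOCIATED DOMAINS section of this page.
INDICATOR_LINES = [
    "- 62.75.203[.]68 port 80 - lehtivalokuvaajat.sopotkin[.]com - Angler EK",
    "- 104.193.252[.]241 port 80 - xqvyvibixozap[.]com - Bedep post-infection traffic",
    "- 217.23.6[.]40 port 443 - CryptXXX ransomware custom encoded post-infection traffic",
    "- 5.199.141[.]203 port 80 - ranetardinghap[.]com - Click-fraud traffic",
    "- 85.93.0[.]68 port 80 - newswii[.]tk - EITest gate",
    "- 185.58.227[.]227 port 80 - lwrziawoax.xcaimane[.]top and jtxff.xcaimane[.]top - Neutrino EK",
]


@dataclass
class Indicator:
    ip: str
    port: int
    domains: List[str]   # empty when the line lists only an IP (e.g. the CryptXXX C2)
    description: str


# "IP port N - rest"; the IP may be defanged with "[.]".
LINE_RE = re.compile(r"^(?P<ip>[\d\[\].]+) port (?P<port>\d+) - (?P<rest>.+)$")


def refang(text: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a real 'a.b'."""
    return text.replace("[.]", ".")


def parse_indicator(line: str) -> Indicator:
    """Parse one page-style indicator line into an Indicator record."""
    cleaned = line.strip().lstrip("- ").strip()
    m = LINE_RE.match(cleaned)
    if not m:
        raise ValueError(f"unrecognised indicator line: {line!r}")
    parts = [p.strip() for p in m.group("rest").split(" - ")]
    # The domain field is the only part that carries the "[.]" defang marker.
    if len(parts) >= 2 and "[.]" in parts[0]:
        # Several hostnames may be joined with "and" on one line.
        domains = [refang(d) for d in re.split(r"\s+and\s+", parts[0])]
        description = " - ".join(parts[1:])
    else:
        domains = []
        description = " - ".join(parts)
    return Indicator(refang(m.group("ip")), int(m.group("port")), domains, description)


def wireshark_filter(indicators: List[Indicator]) -> str:
    """Display filter matching TCP traffic to any listed IP:port pair."""
    clauses = [f"(ip.addr == {i.ip} and tcp.port == {i.port})" for i in indicators]
    return " or ".join(clauses)


def dns_filter(indicators: List[Indicator]) -> str:
    """Display filter matching DNS queries for any listed domain."""
    names = [d for i in indicators for d in i.domains]
    return " or ".join(f'dns.qry.name == "{d}"' for d in names)


def suricata_rules(indicators: List[Indicator], sid_base: int = 1000001) -> List[str]:
    """Emit one Suricata alert rule per IP:port indicator.

    sid_base is an assumed local-rule range; adjust to your own numbering.
    """
    rules = []
    for n, i in enumerate(indicators):
        msg = i.description.replace('"', "")
        rules.append(
            f'alert tcp $HOME_NET any -> {i.ip} {i.port} '
            f'(msg:"{msg}"; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    inds = [parse_indicator(l) for l in INDICATOR_LINES]
    print("Wireshark (IP/port):", wireshark_filter(inds))
    print("Wireshark (DNS):    ", dns_filter(inds))
    print("\n".join(suricata_rules(inds)))
```

The IP/port filter is the pcap-side check: run it over a capture to see whether any host talked to these endpoints. The DNS filter catches the lookup even when the connection itself never completed, which is often the earlier signal in a proxy-fronted network.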
IMAGES

Shown above: Windows desktop after pseudo-Darkleech Angler EK sent Bedep and CryptXXX ransomware.

Shown above: Windows desktop after infecting it with Cerber ransomware sent by today's EITest Neutrino EK.
