Malware-Traffic-Analysis.net - 2016-09-30 - pseudoDarkleech Rig EK from 51.255.213[.]167 sends CrypMIC ransomware

2016-09-30 - PSEUDO-DARKLEECH RIG EK FROM 51.255.213[.]167 SENDS CRYPMIC RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-09-30-pseudoDarkleech-Rig-EK-sends-CrypMIC-ransomware.pcap.zip 141.8 kB (141,754 bytes)

2016-09-30-pseudoDarkleech-Rig-EK-sends-CrypMIC-ransomware.pcap (366,751 bytes)

2016-09-30-pseudoDarkleech-Rig-EK-and-CrypMIC-ransomware-files.zip 95.8 kB (95,838 bytes)

2016-09-30-page-from-joellipman_com-with-injected-script.txt (67,887 bytes)

2016-09-30-pseudoDarkleech-CrypMIC-ransomware-decrypt-instructions.txt (1,659 bytes)

2016-09-30-pseudoDarkleech-Rig-EK-flash-exploit.swf (21,706 bytes)

2016-09-30-pseudoDarkleech-Rig-EK-landing-page.txt (30,081 bytes)

2016-09-30-pseudoDarkleech-Rig-EK-payload-CrypMIC-ransomware.exe (50,176 bytes)

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK

BACKGROUND ON CRYPMIC RANSOMWARE:

2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]

2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."

2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the pseudoDarkleech campaign in page from the compromised site.

Shown above: Traffic from the first pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

ASSOCIATED DOMAINS:

joellipman[.]com - Compromised site
51.255.213[.]167 port 80 - miejskahelotages.victorylifestyle[.]net - Rig EK
162.244.35[.]19 port 443 - post-infection CrypMIC callback, custom encoded and clear text, not HTTPS/SSL/TLS (both infections)

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

ccjlwb22w6c22p2k.onion[.]to
ccjlwb22w6c22p2k[.]onion[.]city

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 744744db513250c8ddeef12d4998d339beac5cabc02a1d10f304e105462d4008
File name: 2016-09-30-pseudoDarkleech-Rig-EK-flash-exploit.swf

PAYLOAD:

SHA256 hash: b2bcfc4c5d1d60f7ea4298d32dcfff303f4db4b1ba89a8b6d24b7ccfe883e45a
File name: 2016-09-30-pseudoDarkleech-Rig-EK-payload-CrypMIC-ransomware.exe

Click here to return to the main page.