Malware-Traffic-Analysis.net - 2016-10-04 - pseudoDarkleech Rig EK from 194.87.239[.]147 sends Cerber ransomware

2016-10-04 - PSEUDO-DARKLEECH RIG EK FROM 194.87.239[.]147 SENDS CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-10-04-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip 308.0 kB (307,985 bytes)

2016-10-04-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap (426,779 bytes)

2016-10-04-pseudoDarkleech-Rig-EK-and-Cerber-ransomware-files.zip 1.1 MB (1,067,372 bytes)

2016-10-04-page-from-securechicago_com-with-injected-script.txt (42,985 bytes)

2016-10-04-pseudoDarkleech-Cerber-ransomware-README.hta (63,059 bytes)

2016-10-04-pseudoDarkleech-Cerber-ransomware-decrypt-instructions.bmp (1,440,054 bytes)

2016-10-04-pseudoDarkleech-Rig-EK-flash-exploit.swf (25,548 bytes)

2016-10-04-pseudoDarkleech-Rig-EK-landing-page.txt (30,042 bytes)

2016-10-04-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe (244,896 bytes)

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
2016-10-03 - Malware-traffic-analysis.net: The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

Thanks to @killamjr for information on the compromised website.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the pseudoDarkleech campaign in page from the compromised site.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

securechicago[.]com - Compromised website
194.87.239[.]147 port 80 - sd.contentwize[.]com - Rig EK
31.184.234[.]0 - 31.184.235[.]255 port 6892 (UDP) - UDP traffic caused by Cerber ransomware
173.254.231[.]111 port 80 - ffoqr3ug7m726zou.zxtezv[.]bid - HTTP traffic caused by Cerber ransomware

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

ffoqr3ug7m726zou.zxtezv[.]bid
ffoqr3ug7m726zou.e6cf2t[.]bid
ffoqr3ug7m726zou[.]onion[.]to

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 6bd5397728e394a3902b264ecbb1e7900f5b19cfe5725a4be38b6f273785d295
File name: 2016-10-04-pseudoDarkleech-Rig-EK-flash-exploit.swf (25,548 bytes)

PAYLOAD:

SHA256 hash: 1e6b1907bced23bba9db02c0678518bd09dbb48fca9187159e41d6e50e827f16
File name: 2016-10-04-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe (244,896 bytes)

Click here to return to the main page.