2016-10-05 - PSEUDO-DARKLEECH RIG EK FROM 195.133.201[.]61 SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-10-05-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip   326.3 kB (326,311 bytes)

• 2016-10-05-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap   (550,671 bytes)

• 2016-10-05-pseudoDarkleech-Rig-EK-and-CryptFile2-ransomware-files.zip   513.1 kB (513,101 bytes)

• 2016-10-05-Cerber-ransomware-decryption-instructions-README.hta   (63,059 bytes)
• 2016-10-05-Cerbe-ransomwarer-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-10-05-page-from-nacionaljujuy_com_ar-wtih-injected-script.txt   (115,955 bytes)
• 2016-10-05-pseudoDarkleech-Rig-EK-flash-exploit.swf   (25,548 bytes)
• 2016-10-05-pseudoDarkleech-Rig-EK-landing-page.txt   (30,077 bytes)
• 2016-10-05-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe   (245,145 bytes)
• 2016-10-05-zapcjwyf.ddnsking_com-wordpress-ARX8.txt   (365 bytes)

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

• Thanks to @BroadAnalysis who emailed me about the compromised website.

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected script in a page from the compromised website.

 

Shown above:  Injected script in a page from the compromised website.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.nacionaljujuy[.]com[.]ar - Compromised website
• 83.217.27[.]178 port 80 - zapcjrwyf.ddnsking[.]com - ARX8 redirect/gate
• 195.133.201[.]61 port 80 - vd.dollarfordiamond[.]com - Rig EK
• 31.184.234[.]0 - 31.184.235[.]255 port 6892 (UDP) - UDP traffic caused by Cerber ransomware
• 173.254.231[.]111 port 80 - ffoqr3ug7m726zou.zreknv[.]bid - HTTP traffic caused by Cerber ransomware

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  6bd5397728e394a3902b264ecbb1e7900f5b19cfe5725a4be38b6f273785d295
  File name:  2016-10-05-pseudoDarkleech-Rig-EK-flash-exploit.swf   (25,548 bytes)

PAYLOAD:

• SHA256 hash:  051413b0e8fb13617e175ffb7d2598c2ca2de5aad67e98f8ef0c97cb989f9a83
  File name:  2016-10-05-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe   (245,145 bytes)

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting.

 

Click here to return to the main page.