Malware-Traffic-Analysis.net - 2016-10-07 - pseudoDarkleech Rig EK from 108.61.167[.]148 sends Cerber ransomware

2016-10-07 - PSEUDO-DARKLEECH RIG EK FROM 108.61.167[.]148 SENDS CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2016-10-07-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip 299.0 kB (299,024 bytes)

2016-10-07-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap (438,631 bytes)

22016-10-07-pseudoDarkleech-Rig-EK-and-Cerber-ransomware-files.zip 526.7 kB (526,731 bytes)

2016-10-07-Cerber-ransomware-decryption-instructions-README.hta (63,059 bytes)

2016-10-07-Cerber-ransomware-decryption-instructions.bmp (1,920,054 bytes)

2016-10-07-page-from-noblemineral_com-with-injected-script.txt (34,118 bytes)

2016-10-07-pseudoDarkleech-Rig-EK-flash-exploit.swf (24,656 bytes)

2016-10-07-pseudoDarkleech-Rig-EK-landing-page.txt (30,171 bytes)

2016-10-07-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe (267,923 bytes)

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
2016-10-03 - Malware-traffic-analysis.net: The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected script from the pseudoDarkleech campaign in page from the compromised site.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

noblemineral[.]com - Compromised website
108.61.167[.]148 port 80 - rew.superwealthysecret[.]com - Rig EK
31.184.234[.]0 - 31.184.235[.]255 port 6892 (UDP) - UDP traffic caused by Cerber ransomware
210.16.101[.]69 port 80 - ffoqr3ug7m726zou.x9a6yb[.]bid - HTTP traffic caused by Cerber ransomware

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

ffoqr3ug7m726zou.x9a6yb[.]top
ffoqr3ug7m726zou.crw57p[.]bid
ffoqr3ug7m726zou[.]onion[.]to

FILE HASHES

FLASH EXPLOIT:

SHA256 hash: 117b65e553c16d86d9af1a6796d1378de8c5489b070c4db8df75af3bd50e6671
File name: 2016-10-07-pseudoDarkleech-Rig-EK-flash-exploit.swf (24,656 bytes)

PAYLOAD:

SHA256 hash: 984e42d16a87c20dfbe9f5ce0da83777752669f75a151ece0ba6df94daedc40c
File name: 2016-10-07-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware.exe (267,923 bytes)

Click here to return to the main page.