2017-01-01 - PSEUDO-DARKLEECH RIG-V FROM 109.234.36.133 SENDS CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2017-01-01-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip 2.9 MB (2,876,879 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap (3,147,060 bytes)
- ZIP archive of the malware: 2017-01-01-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-flash-exploit.zip 898 kB (897,842 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-flash-exploit.swf (37,722 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-rad53AB9.tmp.exe (231,624 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-rad83D45.tmp.exe (231,624 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radA2306.tmp.exe (231,624 bytes)
- 2017-01-01-pseudoDarkleech-Rig-V-payload-Cerber-radC28C1.tmp.exe (231,624 bytes)
BACKGROUND ON RIG EXPLOIT KIT:
- I'm routinely intercepting two versions of Rig EK, as classified in an October 2016 blog post by Kafeine.
- Rig-V: a "VIP version" with new URL patterns and RC4 encryption for the payload. Used by the Afraidgate, EITest, and pseudoDarkleech campaigns.
- Rig-E: a variant with the old URL patterns, but which also uses RC4 encryption for the payload. Also known as Empire Pack. I often see Rig-E used by the EITest campaign.
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.
OTHER NOTES:
- Just a quick check on the first day of the new year to see what's going on with Rig-V from the pseudoDarkleech campaign.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 109.234.36.133 port 80 - dad.tangouniformfirearms.com - Rig-V
FILE HASHES
RIG-V FLASH EXPLOIT:
- SHA256 hash: 8f3c7c6189367ad85d3bed9a159203948603870f01f095a787cd85bdd4e3bf41 (37,722 bytes)
File description: Rig-V Flash exploit seen on 2017-01-01
RIG-V PAYLOAD (CERBER):
- SHA256 hash: 993a83e4930edf11d5d8bde9ce803ce9948776457f77530079692ca7541aebd2 (231,624 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\rad53AB9.tmp.exe
- SHA256 hash: c6cb420c856ae673bd7d7585bf078b14e53be798e5013579309fe6c3e9edab66 (231,624 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\rad83D45.tmp.exe
- SHA256 hash: aceac1915f214f9d075751092dd8c4ea3ebde5da355ebeffce5ddee6c3e4fe48 (231,624 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\radA2306.tmp.exe
- SHA256 hash: d2f22af28c20a89aea20de312002a30df8433c86e915bb550972cdf150c0d9c9 (231,624 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\radC28C1.tmp.exe
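As an added example (not code from the original post), here is a small Python correlation check that ties the indicators above together: a connection to the Rig-V gate (the IP and domain listed under ASSOCIATED DOMAINS) followed shortly by a process launched from the Temp-folder "rad" + five hex digits + ".tmp.exe" path where the Cerber payloads landed. The event format and the sample lines are constructed for this example and are not taken from the pcap.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from this post (Rig-V gate and the Cerber payload drop pattern).
RIG_V_IP = "109.234.36.133"
RIG_V_DOMAIN = "dad.tangouniformfirearms.com"
# Payloads landed in the user's Temp folder as "rad" + five hex digits + ".tmp.exe".
PAYLOAD_RE = re.compile(r"\\AppData\\Local\\Temp\\rad[0-9A-F]{5}\.tmp\.exe$", re.IGNORECASE)
PAYLOAD_SIZE = 231624  # every Cerber sample in this post was 231,624 bytes

# Constructed endpoint telemetry (not from the pcap), one event per line:
# timestamp|type|user|key=value ...
SAMPLE_EVENTS = """\
2017-01-01T14:02:11|netconn|alice|dst=109.234.36.133:80 host=dad.tangouniformfirearms.com proc=iexplore.exe
2017-01-01T14:02:13|netconn|alice|dst=192.0.2.10:443 host=benign.example proc=iexplore.exe
2017-01-01T14:02:19|proccreate|alice|image=C:\\Users\\alice\\AppData\\Local\\Temp\\rad53AB9.tmp.exe size=231624 parent=iexplore.exe
2017-01-01T16:30:00|proccreate|bob|image=C:\\Users\\bob\\AppData\\Local\\Temp\\radA2306.tmp.exe size=4096 parent=explorer.exe
"""

def parse_event(line):
    ts, kind, user, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "type": kind, "user": user, **fields}

def is_rig_v_conn(e):
    return e["type"] == "netconn" and (
        e["dst"].startswith(RIG_V_IP + ":") or e.get("host") == RIG_V_DOMAIN)

def detect(text, window_s=120):
    """Return (severity, user, reason) alerts for the Rig-V -> Cerber chain."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if is_rig_v_conn(ev):
            alerts.append(("medium", ev["user"], "traffic to Rig-V gate " + ev["dst"]))
        elif ev["type"] == "proccreate" and PAYLOAD_RE.search(ev["image"]):
            # Look back for Rig-V traffic from the same user within the window;
            # the Temp-drop naming alone is only a weak signal, so rank by context.
            lo = ev["ts"] - timedelta(seconds=window_s)
            hit = any(is_rig_v_conn(e) and e["user"] == ev["user"]
                      and lo <= e["ts"] <= ev["ts"] for e in events)
            size_ok = int(ev.get("size", 0)) == PAYLOAD_SIZE
            sev = "high" if hit else ("medium" if size_ok else "low")
            alerts.append((sev, ev["user"], "Temp drop " + ev["image"]))
    return alerts
```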
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2017-01-01-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip 2.9 MB (2,876,879 bytes)
- ZIP archive of the malware: 2017-01-01-pseudoDarkleech-Rig-V-sends-Cerber-malware-and-flash-exploit.zip 898 kB (897,842 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.