2017-01-18 - PSEUDO-DARKLEECH RIG-V AND "BLANK SLATE" MALSPAM STOP SENDING CERBER RANSOMWARE

NOTICE:

NOTES:

ASSOCIATED FILES:

  • 2017-01-17-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (3,313,157 bytes)
  • 2017-01-18-Locky-ransomware-infection-example-1.pcap   (211,983 bytes)
  • 2017-01-18-Locky-ransomware-infection-example-2.pcap   (222,016 bytes)
  • 2017-01-18-Locky-ransomware-infection-example-3.pcap   (246,548 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-sends-Darkness-Madness-DDoS-botnet-malware.pcap   (1,325,943 bytes)
  • 2017-01-17-page-from-joellipman_com-with-injected-pseudoDarkleech-script.txt   (66,814 bytes)
  • 2017-01-17-pseudoDarkleech-Rig-V-landing-page.txt   (5,210 bytes)
  • 2017-01-17-pseudoDarkleech-Rig-V-flash-exploit.swf   (37,436 bytes)
  • 2017-01-17-pseudoDarkleech-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-17-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-rad0F304.tmp.exe   (943,232 bytes)
  • 2017-01-18-page-from-joellipman_com-with-injected-pseudoDarkleech-script.txt   (66,792 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-landing-page.txt   (5,207 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-flash-exploit.swf   (37,456 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-payload-DDoS-botnet-malware-rad625BE.tmp.exe   (39,936 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-post-infection-download-bs.dll   (59,392 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-post-infection-download-sql.dll   (522,752 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-post-infection-download-zs.dll   (927,744 bytes)
  • 2017-01-18-Blank-Slate-malspam-0353-UTC.eml   (59,305 bytes)
  • 2017-01-18-Blank-Slate-malspam-0411-UTC.eml   (63,820 bytes)
  • 2017-01-18-Blank-Slate-malspam-1512-UTC.eml   (3,894 bytes)
  • 2017-01-18-Blank-Slate-malspam-1527-UTC.eml   (5,607 bytes)
  • 2017-01-18-Blank-Slate-malspam-tracker.csv   (959 bytes)
  • EMAIL_0217865_[recipient].zip   (3,797 bytes)
  • EMAIL_040615_[recipient].zip   (46,911 bytes)
  • EMAIL_735326679120_[recipient].zip   (43,556 bytes)
  • EMAIL_89868_[recipient].zip   (2,490 bytes)
  • 6669.js   (9,058 bytes)
  • 8989.doc   (111,616 bytes)
  • 23079.js   (9,157 bytes)
  • 13787.doc   (117,760 bytes)
  • 2017-01-18-Locky-ransomware-example-1-Roaming.EXe   (205,766 bytes)
  • 2017-01-18-Locky-ransomware-example-2-Roaming.ExE   (205,766 bytes)
  • 2017-01-18-Locky-ransomware-example-3-Temp_segaxy.exe   (205,766 bytes)
  • 2017-01-18-Locky-ransomware-example-4-Tempagato.exe   (205,766 bytes)
  • 2017-01-18-Locky-ransomware-DesktopOSIRIS.bmp   (3,721,466 bytes)
  • 2017-01-18-Locky-ransomware-DesktopOSIRIS.htm   (8,244 bytes)

 

FROM "BLANK SLATE" MALSPAM


Shown above:  Spreadsheet tracking the malspam (1 of 2).

 


Shown above:  Spreadsheet tracking the malspam (2 of 2).
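The tracker spreadsheet records, per message, the zip attachment name and the script or document file inside it. The following is an added example (not the blog's own tooling) of producing those same fields from an .eml with the Python standard library: it opens the zip attachment in memory, lists its members, and flags the combination this campaign is named for (empty body plus a zip holding a .js or .doc dropper). The sample message it builds is constructed, with placeholder sender and recipient addresses; the attachment and member names echo the ones listed above.

```python
"""Triage of "Blank Slate" style malspam from an .eml file.

Added example, not the blog's own tooling.  Constructs a sample message of the
shape seen in this campaign (blank body, zip attachment, numeric-named .js/.doc
inside) and extracts the fields the tracker spreadsheet keeps.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that, inside a zip from a blank email, are droppers worth escalating.
SUSPECT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".doc", ".docm")

# Attachment naming seen on this page: EMAIL_<digits>_<recipient>.zip
NAME_RE = re.compile(r"^EMAIL_\d+_.+\.zip$", re.IGNORECASE)


def build_sample_eml(attachment_name: str, inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed sample: empty subject and body, one zip attachment.

    Addresses are placeholders (example.invalid), not indicators from the campaign.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = ""
    msg.set_content("")  # blank body is the defining trait of the campaign
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return tracker-style fields for one message and a 'suspect' verdict.

    suspect == True only when the body is blank AND some zip member has a
    dropper extension; a zip of .txt files from a blank email is not flagged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    record = {"blank_body": body.strip() == "", "attachments": [], "suspect": False}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if not isinstance(data, bytes):  # text attachments are not our target
            continue
        entry = {"attachment": name, "size": len(data),
                 "name_pattern": bool(NAME_RE.match(name)), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    entry["members"].append({
                        "name": info.filename,
                        "size": info.file_size,
                        "dropper": info.filename.lower().endswith(SUSPECT_EXTENSIONS),
                    })
        record["attachments"].append(entry)

    record["suspect"] = record["blank_body"] and any(
        m["dropper"] for a in record["attachments"] for m in a["members"])
    return record


if __name__ == "__main__":
    sample = build_sample_eml("EMAIL_0217865_recipient.zip", "6669.js", b"var x = 1;")
    print(triage_eml(sample))
```

Members are only listed, never extracted to disk, so the script can be pointed at a mailbox of real samples without executing anything; the `name_pattern` field is kept separate from the verdict because the attachment naming is a campaign habit, not a requirement for the email to be dangerous.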

 


Shown above:  Traffic of a Locky ransomware infection from "Blank Slate" malspam filtered in Wireshark.

 


Shown above:  Desktop of a Windows host infected by Locky ransomware from "Blank Slate" malspam.

 

ASSOCIATED DOMAINS:

 

FILE HASHES:

 

THE EK TRAFFIC


Shown above:  Guess I'll have to update my flow chart...

 


Shown above:  Injected script in page from the compromised website.

 


Shown above:  Infection traffic filtered in Wireshark.

 


Shown above:  Malware persistent on the infected host.

 


Shown above:  Using tcpreplay in Security Onion to view the alerts in Sguil, generated by Suricata with the Emerging Threats Pro (ETPRO) ruleset.

 

ASSOCIATED DOMAINS:

POST-INFECTION TRAFFIC:

 

FILE HASHES:

NOTE: I've included a pcap/malware of the previous pseudoDarkleech Rig-V infection I saw yesterday (2017-01-17) for comparison.  However, I didn't cover any of the traffic indicators for the 2017-01-17 Cerber ransomware infection in this blog post.

 
