2017-01-18 - PSEUDO-DARKLEECH RIG-V AND "BLANK SLATE" MALSPAM BACK TO SENDING CERBER RANSOMWARE

NOTICE:

NOTES:

ASSOCIATED FILES:

  • 2017-01-18-Blank-Slate-malspam-switches-back-to-Cerber-ransomware.pcap   (308,492 bytes)
  • 2017-01-18-Blank-Slate-malspam-2245-UTC.eml   (3,614 bytes)
  • 6504.js   (4,966 bytes)
  • EMAIL_0813708854967_[recipient].zip   (2,329 bytes)
  • Tempzusiti.exe   (262,785 bytes)
  • 2017-01-18-EITest-Rig-V-sends-Cerber-ransomware-1st-run.pcap   (537,999 bytes)
  • 2017-01-18-EITest-Rig-V-sends-Cerber-ransomware-2nd-run.pcap   (885,529 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (503,969 bytes)
  • 2017-01-18-page-from-activaclinics_com-with-injected-EITest-script.txt   (59,343 bytes)
  • 2017-01-18-page-from-conservativesunited_com-with-injected-EITest-script.txt   (39,105 bytes)
  • 2017-01-18-page-from-joellipman_com-with-injected-EITest-script-2nd-run.txt   (66,789 bytes)
  • 2017-01-18-EITest-Rig-V-landing-page-1st-run.txt   (5,188 bytes)
  • 2017-01-18-EITest-Rig-V-landing-page-2nd-run.txt   (5,183 bytes)
  • 2017-01-18-EITest-Rig-V-payload-Cerber-ransomware-rad2E374.tmp-1st-run.exe   (333,538 bytes)
  • 2017-01-18-EITest-Rig-V-payload-Cerber-ransomware-rad826BF.tmp-2nd-run.exe   (333,538 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-payload-Cerber-ransomware-radE4420.tmp-2nd-run.exe   (333,538 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-text-returned-from-POST-2nd-run.txt   (30,739 bytes)
  • 2017-01-18-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-18-Rig-V-flash-exploit.swf   (37,456 bytes)
  • 2017-01-18-Cerber-ransomware_HELP_HELP_HELP_SUP5Y5.hta   (75,787 bytes)
  • 2017-01-18-Cerber-ransomware_HELP_HELP_HELP_SUP5Y5.jpg   (231,544 bytes)

THE EK CAMPAIGNS

Shown above:  Flow chart for the EK infection traffic.

Shown above:  Injected script from the compromised site (1st infection)

Shown above:  Injected script from the compromised site (2nd infection)

Shown above:  Injected script from the compromised site (3rd infection)

Shown above:  Traffic from the 1st EK infection filtered in Wireshark.

Shown above:  Traffic from the 2nd EK infection filtered in Wireshark.

Shown above:  Traffic from the 3rd EK infection filtered in Wireshark.

Shown above:  Desktop of an infected Windows host.

ASSOCIATED DOMAINS:

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

FILE HASHES:

"BLANK SLATE" MALSPAM (NOT ASSOCIATED WITH THE EK CAMPAIGNS)

Shown above:  Example of an email from the malspam campaign.

Shown above:  Extracted .js file from the attachment.

Shown above:  Traffic from running the .js file on a Windows host, filtered in Wireshark.

Shown above:  The Cerber ransomware stored on the local host (before it deleted itself).

URL FROM THE .JS FILE TO RETRIEVE CERBER:

FILE HASHES: