2016-09-14: PSEUDO-DARKLEECH CAMPAIGN SWITCHED TO RIG EK - CRYPMIC RANSOMWARE SENT AS EXE

ASSOCIATED FILES:

  • 2016-09-14-pseudoDarkleech-Rig-EK-first-example.pcap   (541,132 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-second-example.pcap   (82,080 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-third-example.pcap   (86,377 bytes)
  • 2016-09-14-CrypMIC-decryptor-style.css   (20,552 bytes)
  • 2016-09-14-CrypMIC-decryptor.html   (13,375 bytes)
  • 2016-09-14-CrypMIC-instructions.bmp   (2,457,654 bytes)
  • 2016-09-14-CrypMIC-instructions.html   (1,660 bytes)
  • 2016-09-14-CrypMIC-instructions.txt   (1,662 bytes)
  • 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-first-example.txt   (54,667 bytes)
  • 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-second-example.txt   (54,649 bytes)
  • 2016-09-14-page-from-party-buses-rentals.com-with-injected-script-third-example.txt   (55,154 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-first-and-second-examples.swf   (25,565 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-flash-exploit-third-example.swf   (25,757 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-payload-CrypMIC-from-first-example.exe   (102,400 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-first-example.txt   (61,979 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-second-example.txt   (61,898 bytes)
  • 2016-09-14-pseudoDarkleech-Rig-EK-landing-page-third-example.txt   (61,851 bytes)

 

NOTES:

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

 

BACKGROUND ON CRYPMIC RANSOMWARE:

 


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Injected script from the pseudoDarkleech campaign in page from the compromised site (first example).

 


Shown above:  Traffic from the first example filtered in Wireshark.   Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)   This keeps HTTP requests plus TCP SYN packets on any port other than 80, so the exploit kit's HTTP traffic and any non-HTTP connections (SYNs to other ports) show up in one view.
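The filter above is easy to reproduce outside Wireshark when you want to triage many pcaps at once. The following Python script is an added example and is not code from the original post: it walks a classic libpcap file with only the standard library and applies the same selection logic (HTTP request, or SYN-only flags on a connection not involving port 80). The pcap bytes it runs on are constructed inside the script from a handful of synthetic Ethernet/IPv4/TCP frames (RFC 5737 documentation addresses, made-up ports), not the captured traffic listed on this page; the "http.request" test is approximated by sniffing the payload for an HTTP method, which is close to, but not identical with, Wireshark's dissector heuristics.

```python
"""Stand-alone equivalent of the Wireshark display filter
    http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
Added example; sample pcap is constructed below, not from the real capture."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
SYN_ONLY = 0x02  # tcp.flags eq 0x0002: SYN set, nothing else


def iter_frames(pcap: bytes):
    """Yield raw frames from a classic libpcap file (either byte order, Ethernet only)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (sport, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return sport, dport, tcp[13], tcp[data_off:]


def matches_filter(frame: bytes) -> bool:
    """True when the frame would survive the Wireshark filter quoted above."""
    parsed = parse_tcp(frame)
    if parsed is None:
        return False
    sport, dport, flags, payload = parsed
    is_http_request = payload.startswith(HTTP_METHODS)  # approximates http.request
    on_port_80 = 80 in (sport, dport)                   # tcp.port eq 80 (either side)
    return is_http_request or (not on_port_80 and flags == SYN_ONLY)


def apply_filter(pcap: bytes):
    """Return (frame index, sport, dport, flags, first payload bytes) for kept frames."""
    kept = []
    for idx, frame in enumerate(iter_frames(pcap)):
        if matches_filter(frame):
            sport, dport, flags, payload = parse_tcp(frame)
            kept.append((idx, sport, dport, flags, payload[:16]))
    return kept


# --- constructed sample data (not from the captured traffic) -------------------
def build_frame(sport, dport, flags, payload=b"") -> bytes:
    """Synthetic Ethernet/IPv4/TCP frame; checksums left zero, which is fine for parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 10])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    """Little-endian classic libpcap container around the given frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1473811200 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame(49152, 80, 0x02),                                   # 0: SYN to 80, dropped
    build_frame(49152, 80, 0x18, b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),  # 1: kept
    build_frame(80, 49152, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),        # 2: response, dropped
    build_frame(49153, 443, 0x02),                                  # 3: SYN to 443, kept
    build_frame(443, 49153, 0x12),                                  # 4: SYN/ACK, dropped
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                      # 5: ARP, not TCP, dropped
])

if __name__ == "__main__":
    for idx, sport, dport, flags, head in apply_filter(SAMPLE_PCAP):
        print(f"frame {idx}: {sport} -> {dport} flags=0x{flags:02x} {head!r}")
```

To use it on a real capture, replace SAMPLE_PCAP with the file's bytes (`open(path, "rb").read()`); captures saved as pcapng need converting to classic pcap first (Wireshark's "Save As" or editcap can do this).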

 

ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

 

FILE HASHES

FLASH EXPLOITS:

PAYLOAD:

 

IMAGES


Shown above:  Desktop of an infected Windows host (first example).

 


Shown above:  Desktop of an infected Windows host (first example).

 


Shown above:  Saw a lot of this today when Rig EK attempted to retrieve the malware payload.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
