2016-09-16 - PSEUDO-DARKLEECH RIG EK STILL FAILS AT DLL PAYLOAD - CRYPMIC SENT AS EXE

ASSOCIATED FILES:

  • 2016-09-15-pseudoDarkleech-Rig-EK-first-example.pcap   (64,369 bytes)
  • 2016-09-15-pseudoDarkleech-Rig-EK-second-example.pcap   (71,369 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-first-example.pcap   (66,773 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-second-example.pcap   (558,458 bytes)
  • 2016-09-15-page-from-meinwhisky.com-with-injected-script-first-example.txt   (67,513 bytes)
  • 2016-09-15-pseudoDarkleech-Rig-EK-flash-exploit-both-examples.swf   (25,720 bytes)
  • 2016-09-15-pseudoDarkleech-Rig-EK-landing-page-first-example.txt   (29,916 bytes)
  • 2016-09-15-pseudoDarkleech-Rig-EK-landing-page-second-example.txt   (29,952 bytes)
  • 2016-09-16-CrypMIC-decrypt-instructions.bmp   (2,457,654 bytes)
  • 2016-09-16-CrypMIC-decrypt-instructions.html   (1,652 bytes)
  • 2016-09-16-CrypMIC-decrypt-instructions.txt   (1,652 bytes)
  • 2016-09-16-page-from-meinwhisky.com-with-injected-script-first-example.txt   (67,506 bytes)
  • 2016-09-16-page-from-meinwhisky.com-with-injected-script-second-example.txt   (68,073 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-flash-exploit-both-examples.swf   (25,720 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-landing-page-first-example.txt   (29,870 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-landing-page-second-example.txt   (29,928 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-payload-CrypMIC.exe   (103,936 bytes)
  • 2016-09-16-pseudoDarkleech-Rig-EK-payload-failed-attempt.dll   (126 bytes)


NOTES:


BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:


BACKGROUND ON CRYPMIC RANSOMWARE:



Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  An example of injected script in a page from the compromised website.


ASSOCIATED DOMAINS:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:


FILE HASHES

FLASH EXPLOITS:

PAYLOAD:


IMAGES


Shown above:  Rig EK tries to send a DLL payload and fails.



Shown above:  Rig EK sends a CrypMIC payload as an EXE, and it's successful.
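The two payload files in the list above (a 126-byte "failed attempt" DLL and a 103,936-byte CrypMIC EXE) are the point of this post: the first delivery is not a usable PE at all, the second is. When carving Rig EK payloads from a pcap it helps to triage them the same way before sending anything to a sandbox. The script below is an added example, not part of the original write-up or any Rig EK / CrypMIC code: it checks a blob for a well-formed MZ/PE header and reads the COFF Characteristics field to tell a DLL from an EXE. The sample blobs are constructed inline (a 126-byte non-PE stub standing in for the failed DLL delivery, and minimal synthetic PE headers standing in for real payloads); the real carved files from the pcaps would be used in their place.

```python
"""Triage carved exploit-kit payloads: is it a PE, and is it a DLL or an EXE?

Added example, not from the original post. The sample blobs below are
constructed stand-ins for the carved files, not the real payloads.
"""
import struct

# COFF Characteristics flags (PE/COFF spec)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# Offset of Characteristics inside the COFF header:
# Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
# NumberOfSymbols(4) SizeOfOptionalHeader(2) -> Characteristics at +18
COFF_CHARACTERISTICS_OFFSET = 18
COFF_HEADER_SIZE = 20


def classify_pe(blob: bytes) -> str:
    """Return 'dll', 'exe' or 'not-pe' for a carved payload blob.

    Checks the DOS 'MZ' magic, follows e_lfanew to the 'PE\\0\\0' signature,
    and reads the COFF Characteristics flags. Truncated or non-PE data
    (such as a 126-byte error body served in place of a DLL) is 'not-pe'.
    """
    if len(blob) < 64 or blob[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Need the 4-byte signature plus a full COFF header to read the flags.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(blob):
        return "not-pe"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    characteristics = struct.unpack_from(
        "<H", blob, e_lfanew + 4 + COFF_CHARACTERISTICS_OFFSET)[0]
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "not-pe"
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def build_minimal_pe(is_dll: bool) -> bytes:
    """Constructed test blob: DOS header + PE signature + COFF header only.

    No optional header or sections, so it is not loadable, but it carries
    exactly the fields classify_pe() inspects.
    """
    e_lfanew = 0x40                      # PE signature right after the DOS header
    dos = bytearray(b"MZ" + b"\0" * 62)  # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    flags = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)  # i386, 0 sections
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for the 126-byte "failed attempt" DLL: the real file's
# content is not reproduced here, only its size and the fact that it is not a PE.
FAILED_DLL_STUB = b"<failed delivery placeholder>".ljust(126, b"\0")


def triage(carved: dict) -> dict:
    """Map each carved filename to (size, classification) for a quick report."""
    return {name: (len(data), classify_pe(data)) for name, data in carved.items()}


if __name__ == "__main__":
    samples = {
        "payload-failed-attempt.dll": FAILED_DLL_STUB,      # constructed
        "synthetic-dll-header.bin": build_minimal_pe(True),  # constructed
        "synthetic-exe-header.bin": build_minimal_pe(False), # constructed
    }
    for name, (size, kind) in triage(samples).items():
        print(f"{name:32} {size:8d} bytes  {kind}")
```

Anything that comes back "not-pe" is the failed delivery case and can be set aside (or kept as an artifact of the kit's behaviour); a real "dll" or "exe" result is what goes on to the sandbox. The real CrypMIC EXE from the pcap should classify as "exe".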



Shown above:  Desktop of an infected Windows host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
