2016-10-10 - PSEUDO-DARKLEECH RIG EK FROM 195.133.48.98 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-first-run.pcap   (617,500 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-second-run.pcap   (640,730 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-third-run.pcap   (553,307 bytes)
  • 2016-10-10-Cerber-decryption-instructions-first-run-README.hta   (63,059 bytes)
  • 2016-10-10-Cerber-decryption-instructions-first-run.bmp   (1,920,054 bytes)
  • 2016-10-10-Cerber-decryption-instructions-second-run-README.hta   (63,059 bytes)
  • 2016-10-10-Cerber-decryption-instructions-second-run.bmp   (1,922,454 bytes)
  • 2016-10-10-Cerber-decryption-instructions-third-run-README.hta   (63,059 bytes)
  • 2016-10-10-Cerber-decryption-instructions-third-run.bmp   (1,920,054 bytes)
  • 2016-10-10-page-from-quanmei.com.sg-with-injected-script-first-run.txt   (186,099 bytes)
  • 2016-10-10-page-from-quanmei.com.sg-with-injected-script-second-run.txt   (186,093 bytes)
  • 2016-10-10-page-from-quanmei.com.sg-with-injected-script-third-run.txt   (186,099 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-flash-exploit-all-3-runs.swf   (24,553 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-first-run.txt   (30,135 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-second-run.txt   (30,130 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-third-run.txt   (30,170 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-first-run.exe   (267,858 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-second-run.exe   (267,858 bytes)
  • 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-third-run.exe   (245,887 bytes)

 

NOTES:

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

 


Shown above:  Flowchart for this infection traffic.

 

TRAFFIC


Shown above:  Example of injected script from the pseudoDarkleech campaign in a page from the compromised site.

 


Shown above:  Traffic from the first run filtered in Wireshark.


Shown above:  Traffic from the second run filtered in Wireshark.


Shown above:  Traffic from the third run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

 

FILE HASHES

FLASH EXPLOIT:

PAYLOADS:

 

IMAGES


Shown above:  Desktop of an infected Windows host after rebooting and checking one of the links in the Decrypt instructions.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.