2016-10-20 - PSEUDO-DARKLEECH RIG EK DATA DUMP

ASSOCIATED FILES:

  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-1st-run.pcap   (548,622 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-2nd-run.pcap   (604,862 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-3rd-run.pcap   (672,151 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-4th-run.pcap   (723,938 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-5th-run.pcap   (587,060 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-6th-run.pcap   (607,791 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-7th-run.pcap   (550,371 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-8th-run.pcap   (551,727 bytes)
  • 2016-10-20-Cerber-decryption-instructions-README.hta   (63,059 bytes)
  • 2016-10-20-Cerber-decryption-instructions.bmp   (1,920,054 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-1st-run.txt   (29,955 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-2nd-run.txt   (29,948 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-3rd-run.txt   (29,958 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-4th-run.txt   (29,968 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-5th-run.txt   (29,960 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-6th-run.txt   (29,957 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-7th-run.txt   (29,959 bytes)
  • 2016-10-20-page-from-recetasenthermomix.com-with-injected-script-8th-run.txt   (29,956 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-1st-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-2nd-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-3rd-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-4th-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-5th-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-6th-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-7th-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-8th-run.swf   (51,802 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-1st-run.txt   (30,337 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-2nd-run.txt   (30,326 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-3rd-run.txt   (30,391 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-4th-run.txt   (30,400 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-5th-run.txt   (30,293 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-6th-run.txt   (30,285 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-7th-run.txt   (30,412 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-landing-page-8th-run.txt   (30,360 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-3rd-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-4th-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-5th-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-6th-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-7th-run.exe   (467,707 bytes)
  • 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-8th-run.exe   (467,707 bytes)


NOTES:


BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:



Shown above:  Flowchart for this infection traffic.


TRAFFIC


Shown above:  Example of injected script from the pseudoDarkleech campaign in a page from the compromised site.


Shown above:  Traffic from the 1st infection filtered in Wireshark.


Shown above:  Traffic from the 2nd infection filtered in Wireshark.


Shown above:  Traffic from the 3rd infection filtered in Wireshark.


Shown above:  Traffic from the 4th infection filtered in Wireshark.


Shown above:  Traffic from the 5th infection filtered in Wireshark.


Shown above:  Traffic from the 6th infection filtered in Wireshark.


Shown above:  Traffic from the 7th infection filtered in Wireshark.


Shown above:  Traffic from the 8th infection filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

FLASH EXPLOITS:

PAYLOADS:


IMAGES


Shown above:  Desktop of an infected Windows host after rebooting and getting to the Cerber decryptor.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
