2017-01-18 - PSEUDO-DARKLEECH RIG-V AND MALSPAM CAMPAIGN BACK TO SENDING CERBER

NOTES:

ASSOCIATED FILES:

  • 2017-01-18-malspam-campaign-switches-back-to-Cerber.pcap   (308,492 bytes)
  • 2017-01-18-2245-UTC.eml   (3,614 bytes)
  • 6504.js   (4,966 bytes)
  • EMAIL_0813708854967_[recipient].zip   (2,329 bytes)
  • Tempzusiti.exe   (262,785 bytes)
  • 2017-01-18-EITest-Rig-V-sends-Cerber-ransomware-1st-run.pcap   (537,999 bytes)
  • 2017-01-18-EITest-Rig-V-sends-Cerber-ransomware-2nd-run.pcap   (885,529 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (503,969 bytes)
  • 2017-01-18-page-from-activaclinics.com-with-injected-EITest-script.txt   (59,343 bytes)
  • 2017-01-18-page-from-conservativesunited.com-with-injected-EITest-script.txt   (39,105 bytes)
  • 2017-01-18-page-from-joellipman.com-with-injected-EITest-script-2nd-run.txt   (66,789 bytes)
  • 2017-01-18-EITest-Rig-V-landing-page-1st-run.txt   (5,188 bytes)
  • 2017-01-18-EITest-Rig-V-landing-page-2nd-run.txt   (5,183 bytes)
  • 2017-01-18-EITest-Rig-V-payload-Cerber-rad2E374.tmp-1st-run.exe   (333,538 bytes)
  • 2017-01-18-EITest-Rig-V-payload-Cerber-rad826BF.tmp-2nd-run.exe   (333,538 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-payload-Cerber-radE4420.tmp-2nd-run.exe   (333,538 bytes)
  • 2017-01-18-pseudoDarkleech-Rig-V-text-returned-from-POST-2nd-run.txt   (30,739 bytes)
  • 2017-01-18-Rig-V-artifact-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-18-Rig-V-flash-exploit.swf   (37,456 bytes)
  • 2017-01-18-Cerber_HELP_HELP_HELP_SUP5Y5.hta   (75,787 bytes)
  • 2017-01-18-Cerber_HELP_HELP_HELP_SUP5Y5.jpg   (231,544 bytes)

THE EK CAMPAIGNS

Shown above:  Flow chart for the EK infection traffic.

Shown above:  Injected script from the compromised site (1st infection)

Shown above:  Injected script from the compromised site (2nd infection)

Shown above:  Injected script from the compromised site (3rd infection)

Shown above:  Traffic from the 1st EK infection filtered in Wireshark.

Shown above:  Traffic from the 2nd EK infection filtered in Wireshark.

Shown above:  Traffic from the 3rd EK infection filtered in Wireshark.

Shown above:  Desktop of an infected Windows host.

ASSOCIATED DOMAINS:

CERBER POST-INFECTION TRAFFIC:

FILE HASHES:

THE MALSPAM CAMPAIGN (NOT ASSOCIATED WITH THE EK CAMPAIGNS)

Shown above:  Example of an email from the malspam campaign.

Shown above:  Extracted .js file from the attachment.

Shown above:  Traffic from running the .js file on a Windows host, filtered in Wireshark.

Shown above:  The Cerber ransomware stored on the local host (before it deleted itself).

URL FROM THE .JS FILE TO RETRIEVE CERBER:

FILE HASHES:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.