2017-01-26 - PSEUDO-DARKLEECH RIG-V SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-01-25-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (654,112 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap   (694,220 bytes)
  • 2017-01-25-Cerber_HELP_HELP_HELP_VDWTIRGL.hta   (75,787 bytes)
  • 2017-01-25-Cerber_HELP_HELP_HELP_VDWTIRGL.jpg   (250,972 bytes)
  • 2017-01-25-pseudoDarkleech-Rig-V-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-25-pseudoDarkleech-Rig-V-flash-exploit.swf   (14,969 bytes)
  • 2017-01-25-pseudoDarkleech-Rig-V-landing-page.txt   (5,243 bytes)
  • 2017-01-25-pseudoDarkleech-Rig-V-page-from-wordtemplates.org-with-injected-pseudoDarkleech-script.txt   (54,496 bytes)
  • 2017-01-25-pseudoDarkleech-Rig-V-payload-Cerber-rad8A3F0.tmp.exe   (252,861 bytes)
  • 2017-01-26-Cerber_HELP_HELP_HELP_EO3PY5Y.hta   (75,787 bytes)
  • 2017-01-26-Cerber_HELP_HELP_HELP_EO3PY5Y.jpg   (256,497 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-QTTYUADAF.txt   (1,137 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-flash-exploit.swf   (19,230 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-landing-page.txt   (5,211 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-page-from-wordtemplates.org-with-injected-pseudoDarkleech-script.txt   (54,521 bytes)
  • 2017-01-26-pseudoDarkleech-Rig-V-payload-Cerber-rad988C0.tmp.exe   (247,874 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:


Shown above:  Flowchart for this infection traffic.

TRAFFIC


Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site on Wednesday 2017-01-25.


Shown above:  Pcap of the infection traffic from Wednesday 2017-01-25 filtered in Wireshark.


Shown above:  Injected script from the pseudoDarkleech campaign from the compromised site on Thursday 2017-01-26.


Shown above:  Pcap of the infection traffic from Thursday 2017-01-26 filtered in Wireshark (1st run).

ASSOCIATED DOMAINS:

FILE HASHES

FLASH EXPLOITS:

PAYLOADS:

IMAGES


Shown above:  Desktop of the infected Windows host on Thursday 2017-01-26.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.