2016-09-26 - PSEUDO-DARKLEECH RIG EK FROM 5.196.126.167 SENDS CRYPMIC RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-09-26-pseudoDarkleech-Rig-EK-sends-CrypMIC.pcap.zip 197.5 kB (197,520 bytes)
- 2016-09-26-pseudoDarkleech-Rig-EK-sends-CrypMIC.pcap (436,291 bytes)
- ZIP archive of the malware: 2016-09-26-pseudoDarkleech-Rig-EK-sends-CrypMIC-malware-and-artifacts.zip 164.7 kB (164,651 bytes)
- 2016-09-26-page-from-avantiscare.com-with-injected-script.txt (63,299 bytes)
- 2016-09-26-pseudoDarkleech-CrypMIC-decrypt-instructions.bmp (3,276,854 bytes)
- 2016-09-26-pseudoDarkleech-CrypMIC-decrypt-instructions.html (238,164 bytes)
- 2016-09-26-pseudoDarkleech-CrypMIC-decrypt-instructions.txt (1,628 bytes)
- 2016-09-26-pseudoDarkleech-Rig-EK-flash-exploit.swf (25,525 bytes)
- 2016-09-26-pseudoDarkleech-Rig-EK-landing-page.txt (3,0049 bytes)
- 2016-09-26-pseudoDarkleech-Rig-EK-payload-CrypMIC.exe (95,232 bytes)
NOTES:
- Found this compromised website from a tweet by @Sec_She_Lady last week.
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
- 2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Injected script from the pseudoDarkleech campaign in a page from the compromised site.
Shown above: Traffic from the pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002) [keeps every HTTP request plus SYN packets on ports other than 80, which is what surfaces the non-HTTP callback on port 443].
ASSOCIATED DOMAINS:
- avantiscare.com - Compromised site
- 5.196.126.167 port 80 - ipname.cyclemanagementassociates.info - Rig EK
- 91.121.74.154 port 443 - post-infection CrypMIC callback over TCP port 443, custom-encoded and clear text, not HTTPS/SSL/TLS
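The Wireshark filter above and the "port 443 but not TLS" observation on the CrypMIC callback are the two triage checks worth automating. The script below is an added example (not code from malware-traffic-analysis.net or from the pcap): it reimplements the filter's selection logic in Python and adds a check of whether the client's first payload on tcp/443 starts like a TLS ClientHello record. The packet records are constructed to mirror the flows listed above; the client address 192.168.1.10, the "legitimate HTTPS" server 203.0.113.5 and all payload bytes are assumptions for the example, not data from the real capture.

```python
#!/usr/bin/env python3
"""Triage helpers: Wireshark-style filter plus a 'is port 443 really TLS?' check.

Added example, not code from the original post. Packet records below are
constructed; nothing is read from the real pcap.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN_ONLY = 0x0002                 # tcp.flags eq 0x0002 in Wireshark (bare SYN)
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""


def is_http_request(payload: bytes) -> bool:
    """Approximates Wireshark's http.request: '<METHOD> <target> HTTP/x.y' request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/"))


def matches_triage_filter(pkt: Packet) -> bool:
    """http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)"""
    if is_http_request(pkt.payload):
        return True
    neither_side_port_80 = pkt.sport != 80 and pkt.dport != 80
    return neither_side_port_80 and pkt.flags == SYN_ONLY


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes start like a TLS record (type 0x16, version 3.x) carrying a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    record_type, major, minor, hs_type = payload[0], payload[1], payload[2], payload[5]
    return record_type == 0x16 and major == 0x03 and minor <= 0x03 and hs_type == 0x01


def triage(packets: List[Packet]) -> List[Tuple[str, int, str]]:
    """Return (dst, dport, reason) for each packet the Wireshark filter would keep."""
    hits = []
    for p in packets:
        if matches_triage_filter(p):
            why = "http.request" if is_http_request(p.payload) else "SYN to non-80 port"
            hits.append((p.dst, p.dport, why))
    return hits


def port_443_is_tls(packets: List[Packet]) -> Dict[str, bool]:
    """For each server contacted on tcp/443, check whether the client's first data looks like TLS."""
    verdict: Dict[str, bool] = {}
    for p in packets:
        if p.dport == 443 and p.payload and p.dst not in verdict:
            verdict[p.dst] = looks_like_tls_client_hello(p.payload)
    return verdict


# Constructed packets mirroring the flows listed above (client IP and payloads are made up).
CLIENT = "192.168.1.10"           # assumed infected host
SAMPLE = [
    Packet(CLIENT, "5.196.126.167", 49201, 80, SYN_ONLY),                      # dropped: SYN on port 80
    Packet(CLIENT, "5.196.126.167", 49201, 80, 0x0018,
           b"GET /?oq=constructed HTTP/1.1\r\nHost: ipname.cyclemanagementassociates.info\r\n\r\n"),
    Packet(CLIENT, "91.121.74.154", 49202, 443, SYN_ONLY),                     # kept: SYN, not port 80
    Packet(CLIENT, "91.121.74.154", 49202, 443, 0x0018, b"\x5a\x3c\x8f\x00\x11\x22\x33"),  # custom bytes, not TLS
    Packet(CLIENT, "203.0.113.5", 49203, 443, SYN_ONLY),                        # assumed legitimate HTTPS server
    Packet(CLIENT, "203.0.113.5", 49203, 443, 0x0018,
           b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),    # TLS record + ClientHello
]

if __name__ == "__main__":
    for dst, port, why in triage(SAMPLE):
        print(f"{dst}:{port}  {why}")
    for dst, tls in port_443_is_tls(SAMPLE).items():
        print(f"{dst}:443  {'TLS ClientHello' if tls else 'NOT TLS: custom protocol on 443'}")
```

The filter deliberately keeps only the SYN for the 443 connection, so a non-TLS callback shows up as a bare SYN to an unusual server; the second function is the follow-up check that decides whether that stream deserves a closer look in the pcap. The http.request approximation only inspects the first line of a segment, which is enough for a triage pass but not a substitute for Wireshark's full HTTP dissector.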
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k.onion.to
- ccjlwb22w6c22p2k.onion.city
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: dbb2d959adc4986c43b6e9279d90ceb55a3b1686a0ac229575dc0f8dcac2e26f
File name: 2016-09-26-pseudoDarkleech-Rig-EK-flash-exploit.swf
PAYLOAD:
- SHA256 hash: e1c7071c4449b043d2d57f6501f463481f79b49e2cc4f75b4df5acf862b03f4d
File name: 2016-09-26-pseudoDarkleech-Rig-EK-payload-CrypMIC.exe
IMAGES
Screenshot of the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-09-26-pseudoDarkleech-Rig-EK-sends-CrypMIC.pcap.zip 197.5 kB (197,520 bytes)
- ZIP archive of the malware: 2016-09-26-pseudoDarkleech-Rig-EK-sends-CrypMIC-malware-and-artifacts.zip 164.7 kB (164,651 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.