2016-10-10 - PSEUDO-DARKLEECH RIG EK FROM 195.133.48.98 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-all-3-pcaps.zip   1.0 MB (1,020,916 bytes)

• 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-first-run.pcap   (617,500 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-second-run.pcap   (640,730 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware-third-run.pcap   (553,307 bytes)

• ZIP archive of the malware:  2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip   1.5 MB (1,548,325 bytes)

• 2016-10-10-Cerber-decryption-instructions-first-run-README.hta   (63,059 bytes)
• 2016-10-10-Cerber-decryption-instructions-first-run.bmp   (1,920,054 bytes)
• 2016-10-10-Cerber-decryption-instructions-second-run-README.hta   (63,059 bytes)
• 2016-10-10-Cerber-decryption-instructions-second-run.bmp   (1,922,454 bytes)
• 2016-10-10-Cerber-decryption-instructions-third-run-README.hta   (63,059 bytes)
• 2016-10-10-Cerber-decryption-instructions-third-run.bmp   (1,920,054 bytes)
• 2016-10-10-page-from-quanmei.com.sg-with-injected-script-first-run.txt   (186,099 bytes)
• 2016-10-10-page-from-quanmei.com.sg-with-injected-script-second-run.txt   (186,093 bytes)
• 2016-10-10-page-from-quanmei.com.sg-with-injected-script-third-run.txt   (186,099 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-flash-exploit-all-3-runs.swf   (24,553 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-first-run.txt   (30,135 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-second-run.txt   (30,130 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-landing-page-third-run.txt   (30,170 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-first-run.exe   (267,858 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-second-run.exe   (267,858 bytes)
• 2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-third-run.exe   (245,887 bytes)

 

NOTES:

• Thanks to @Sec_She_Lady for her tweet that gave me today's compromised site.

 

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• Something I wrote on exploit kit (EK) fundamentals:  link
• 2016-03-22 - PaloAlto Networks Unit 42 blog:  Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
• 2016-07-02 - SANS ISC diary:  Change in patterns for the pseudoDarkleech campaign
• 2016-09-14 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
• 2016-10-03 - Malware-traffic-analysis.net:  The pseudoDarkleech campaign sends Cerber ransomware instead of CryptXXX

 

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Example of injected script from the pseudoDarkleech campaign in a page from the compromised site.

 

Shown above:  Traffic from the first run filtered in Wireshark.

Shown above:  Traffic from the second run filtered in Wireshark.

Shown above:  Traffic from the third run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• quanmei.com.sg - Compromised site

• 195.133.48.98 port 80 - xd.achildsheartphoto.com - Rig EK (first run)
• 195.133.48.98 port 80 - see.achvillages.com - Rig EK (second run)
• 195.133.48.98 port 80 - tr.andrewmillarfineart.com - Rig EK (third run)

• 173.254.231.111 port 80 - ffoqr3ug7m726zou.e6cf2t.bid - HTTP traffic caused by Cerber (first run)
• 107.161.95.138 port 80 - ffoqr3ug7m726zou.re2b6k.bid - HTTP traffic caused by Cerber (second run)
• 173.254.231.111 port 80 - ffoqr3ug7m726zou.6tjvli.bid - HTTP traffic caused by Cerber (third run)

• 31.184.234.0 - 31.184.235.255 port 6892 (UDP) - UDP traffic caused by Cerber (all 3 runs)

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• ffoqr3ug7m726zou.8dlgyg.bid
• ffoqr3ug7m726zou.g0lpn5.bid
• ffoqr3ug7m726zou.dmhl2o.bid
• ffoqr3ug7m726zou.onion.to

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  fe238c9ab14290c228221091573e65befa908292e566099778e7139179928d25
  File name:  2016-10-10-pseudoDarkleech-Rig-EK-flash-exploit-all-3-runs.swf   (24,553 bytes)

PAYLOADS:

• SHA256 hash:  897d677e23842fd79a8915856e2f53c121131194d94691a342b579a4be7770b6
  File name:  2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-first-run.exe   (267,858 bytes)

• SHA256 hash:  10455a7c0abab629cd54a731ba4d1d829ceaad408d63245749b39da6e1d58a56
  File name:  2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-second-run.exe   (267,858 bytes)

• SHA256 hash:  ead14a346a8f2d95ef17c9cf70d17cdeca0aa87958a8a371c12281546adb4056
  File name:  2016-10-10-pseudoDarkleech-Rig-EK-payload-Cerber-third-run.exe   (245,887 bytes)

 

IMAGES

Shown above:  Desktop of an infected Windows host after rebooting and checking one of the links in the Decrypt instructions.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-all-3-pcaps.zip   1.0 MB (1,020,916 bytes)
• ZIP archive of the malware:  2016-10-10-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip   1.5 MB (1,548,325 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.