Malware-Traffic-Analysis.net - 2016-10-20 - pseudoDarkleech Rig EK data dump

2016-10-20 - PSEUDO-DARKLEECH RIG EK DATA DUMP

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-10-20-pseudoDarkleech-Rig-EK-all-8-pcaps.zip 4.1 MB (4,070,113 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-1st-run.pcap (548,622 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-2nd-run.pcap (604,862 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-3rd-run.pcap (672,151 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-4th-run.pcap (723,938 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-5th-run.pcap (587,060 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-6th-run.pcap (607,791 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-7th-run.pcap (550,371 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-sends-Cerber-8th-run.pcap (551,727 bytes)

ZIP archive of the malware: 2016-10-20-pseudoDarkleech-Rig-EK-malware-and-artifacts.zip 4.4 MB (4,444,731 bytes)

2016-10-20-Cerber-decryption-instructions-README.hta (63,059 bytes)

2016-10-20-Cerber-decryption-instructions.bmp (1,920,054 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-1st-run.txt (29,955 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-2nd-run.txt (29,948 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-3rd-run.txt (29,958 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-4th-run.txt (29,968 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-5th-run.txt (29,960 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-6th-run.txt (29,957 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-7th-run.txt (29,959 bytes)

2016-10-20-page-from-recetasenthermomix.com-with-injected-script-8th-run.txt (29,956 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-1st-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-2nd-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-3rd-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-4th-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-5th-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-6th-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-7th-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-8th-run.swf (51,802 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-1st-run.txt (30,337 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-2nd-run.txt (30,326 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-3rd-run.txt (30,391 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-4th-run.txt (30,400 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-5th-run.txt (30,293 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-6th-run.txt (30,285 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-7th-run.txt (30,412 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-landing-page-8th-run.txt (30,360 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-3rd-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-4th-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-5th-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-6th-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-7th-run.exe (467,707 bytes)

2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-8th-run.exe (467,707 bytes)

NOTES:

Thanks to @FreeBSDfan for his tweet about the compromised site.

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

Something I wrote on exploit kit (EK) fundamentals: link
2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
2016-09-14 - Malware-traffic-analysis.net: The pseudoDarkleech campaign starts using Rig EK instead of Neutrino EK
2016-10-03 - Malware-traffic-analysis.net: The pseudoDarkleech campaign stops sending CryptXXX, starts sending Cerber ransomware

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Example of injected script from the pseudoDarkleech campaign in a page from the compromised site.

Shown above: Traffic from the 1st infection filtered in Wireshark.

Shown above: Traffic from the 2nd infection filtered in Wireshark.

Shown above: Traffic from the 3rd infection filtered in Wireshark.

Shown above: Traffic from the 4th infection filtered in Wireshark.

Shown above: Traffic from the 5th infection filtered in Wireshark.

Shown above: Traffic from the 6th infection filtered in Wireshark.

Shown above: Traffic from the 7th infection filtered in Wireshark.

Shown above: Traffic from the 8th infection filtered in Wireshark.

ASSOCIATED DOMAINS:

recetasenthermomix.com - Compromised site

188.227.19.223 port 80 - add.diamonvest.com - Rig EK, 1st infection
188.227.19.223 port 80 - we.dwairyz.com - Rig EK, 2nd infection
188.227.19.223 port 80 - cx.getleadsfx.com - Rig EK, 3rd infection
188.227.19.223 port 80 - free.hotfinancialleads.com - Rig EK, 4th infection
188.227.19.223 port 80 - ds.oasisoptions.com - Rig EK, 5th infection
188.227.19.223 port 80 - re.solidiamond.com - Rig EK, 6th infection
188.227.19.223 port 80 - try.swiss-trees.com - Rig EK, 7th infection
188.227.19.223 port 80 - we.swisstrees.com - Rig EK, 8th infection

31.184.234.0 - 31.184.235.255 port 6892 (UDP) - UDP traffic caused by Cerber
46.22.220.22 port 80 - ffoqr3ug7m726zou.zn90h4.bid - HTTP traffic caused by Cerber
136.243.157.171 port 80 - ffoqr3ug7m726zou.zn90h4.bid - HTTP traffic caused by Cerber

FILE HASHES

FLASH EXPLOITS:

SHA256 hash: 77ead0dc5047870e422462b844e9422ce82d481d79d3a4cca4eae5ba775ed899
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-1st-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-2nd-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-3rd-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-4th-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-5th-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-6th-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-7th-run.swf (51,802 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-flash-exploit-8th-run.swf (51,802 bytes)

PAYLOADS:

SHA256 hash: e14f32bdfbb2dc1117736029677effdedec2f570d73092261ba98f040a1b282f
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-1st-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-2nd-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-3rd-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-4th-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-5th-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-6th-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-7th-run.exe (467,707 bytes)
File name: 2016-10-20-pseudoDarkleech-Rig-EK-payload-Cerber-8th-run.exe (467,707 bytes)

IMAGES

Shown above: Desktop of an infected Windows host after rebooting and getting to the Cerber decryptor.

FINAL NOTES

Once again, here are the associated files:

ZIP archive of the pcaps: 2016-10-20-pseudoDarkleech-Rig-EK-all-8-pcaps.zip 4.1 MB (4,070,113 bytes)
ZIP archive of the malware: 2016-10-20-pseudoDarkleech-Rig-EK-malware-and-artifacts.zip 4.4 MB (4,444,731 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.