2017-03-15 - PSEUDO-DARKLEECH RIG EK SENDS CERBER
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-both-pcaps.zip 3.5 MB (976,342 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-1st-run.pcap (797,089 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-2nd-run.pcap (406,889 bytes)
- ZIP archive of the malware: 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip 2.6 MB (2,622,525 bytes)
- 2017-03-12-pseudoDarkleech-Rig-EK-artifact-both-runs-o32.tmp.txt (1,141 bytes)
- 2017-03-15-Cerber_READ_THIS_FILE_KVGVA_.hta (77,345 bytes)
- 2017-03-15-Cerber_READ_THIS_FILE_L5KW_.jpeg (1,975,631 bytes)
- 2017-03-15-Cerber_READ_THIS_FILE_M0761P_.txt (1,337 bytes)
- 2017-03-15-page-from-jesuisanimateur.fr-with-injected-pseudoDarkleech-script-1st-run.txt (157,692 bytes)
- 2017-03-15-page-from-jesuisanimateur.fr-with-injected-pseudoDarkleech-script-2nd-run.txt (156,494 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-1st-run-flash-exploit.swf (14,956 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-1st-run-landing-page.txt (117,920 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-1st-run-payload-Cerber-n0ofzkos.exe (257,225 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-2nd-run-flash-exploit.swf (14,942 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-2nd-run-landing-page.txt (57,857 bytes)
- 2017-03-15-pseudoDarkleech-Rig-EK-2nd-run-payload-Cerber-wyprkl4v.exe (257,225 bytes)
DETAILS
ASSOCIATED DOMAINS:
- www.jesuisanimateur.fr - compromised site
- 5.200.52.37 port 80 - rew.thebookingsites.com - Rig EK
- 149.202.64.0 - 149.202.64.31 (149.202.64.0/27) UDP port 6892 - Cerber UDP post-infection traffic
- 149.202.122.0 - 149.202.122.31 (149.202.122.0/27) UDP port 6892 - Cerber UDP post-infection traffic
- 149.202.248.0 - 149.202.251.255 (149.202.248.0/22) UDP port 6892 - Cerber UDP post-infection traffic
- 104.232.37.30 port 80 - p27dokhpz2n7nvgr.16bwhs.top - Cerber HTTP post-infection traffic
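The Cerber post-infection traffic above is not a single callback address but UDP port 6892 sprayed across whole /27 and /22 blocks, so a flow-based check needs CIDR-plus-port matching rather than exact-IP lookup. The following is an added example (not part of the original page) that encodes the indicators listed above and runs them over a few constructed flow records in a simple "timestamp src_ip dst_ip proto dport" format; the record format and the sample flows are assumptions for illustration.

```python
import ipaddress

# Indicators taken from the page's ASSOCIATED DOMAINS list:
# (destination network, transport protocol, destination port, label)
INDICATORS = [
    ("5.200.52.37/32",   "tcp", 80,   "Rig EK (rew.thebookingsites.com)"),
    ("149.202.64.0/27",  "udp", 6892, "Cerber UDP post-infection traffic"),
    ("149.202.122.0/27", "udp", 6892, "Cerber UDP post-infection traffic"),
    ("149.202.248.0/22", "udp", 6892, "Cerber UDP post-infection traffic"),
    ("104.232.37.30/32", "tcp", 80,   "Cerber HTTP post-infection traffic (p27dokhpz2n7nvgr.16bwhs.top)"),
]

# Pre-parse the CIDR strings once so each flow check is a cheap containment test.
_COMPILED = [(ipaddress.ip_network(net), proto, port, label)
             for net, proto, port, label in INDICATORS]


def classify_flow(dst_ip, proto, dport):
    """Return the indicator label matching a destination (ip, proto, port), or None."""
    addr = ipaddress.ip_address(dst_ip)
    proto = proto.lower()
    for net, ind_proto, ind_port, label in _COMPILED:
        if proto == ind_proto and dport == ind_port and addr in net:
            return label
    return None


def scan_flows(lines):
    """Parse whitespace-separated flow records and return [(record, label)] for hits.

    Assumed record layout (constructed for this example):
        timestamp src_ip dst_ip proto dport
    Malformed records are skipped rather than aborting the scan.
    """
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, _src, dst, proto, dport = fields
        try:
            label = classify_flow(dst, proto, int(dport))
        except ValueError:
            continue  # bad IP or port field
        if label:
            hits.append((line, label))
    return hits


# Constructed sample flows: one internal host visiting the EK server, then
# spraying UDP 6892 into the Cerber ranges, plus two benign/non-matching flows
# and one malformed record.
SAMPLE_FLOWS = """
2017-03-15T14:02:11 10.3.15.102 5.200.52.37 tcp 80
2017-03-15T14:02:40 10.3.15.102 149.202.64.7 udp 6892
2017-03-15T14:02:40 10.3.15.102 149.202.122.30 udp 6892
2017-03-15T14:02:40 10.3.15.102 149.202.250.199 udp 6892
2017-03-15T14:02:41 10.3.15.102 104.232.37.30 tcp 80
2017-03-15T14:03:05 10.3.15.102 149.202.64.7 tcp 443
2017-03-15T14:03:09 10.3.15.102 8.8.8.8 udp 53
this line is not a flow record
""".splitlines()


if __name__ == "__main__":
    for record, label in scan_flows(SAMPLE_FLOWS):
        print(f"{label}: {record}")
```

Note that the last two well-formed flows do not match: 149.202.64.7 over TCP 443 is outside the UDP 6892 pattern the page documents, and a DNS query to 8.8.8.8 is ordinary traffic. Matching on protocol and port as well as address keeps the hosting ranges from lighting up on unrelated connections to the same provider.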
FILE HASHES:
- SHA256 hash: cc41480100b0fd2e39d4d636fac3d4e682314b4c6b14ecef0d03281c06a7789c
File description: Rig EK Flash exploit seen on 2017-03-15
- SHA256 hash: 3ff2b1e57b82789084f722fb22388af0d79dc3340325d8db83e63c1a2a42da79
File description: Rig EK Flash exploit seen on 2017-03-15 (2nd run)
- SHA256 hash: af53d162953b030e0b81c84f13e33b0378686d214a4a02b05e55218bab2fd609
File location: C:\Users\[username]\AppData\Local\Temp\n0ofzkos.exe
File description: Rig EK payload sent by pseudo-Darkleech campaign - Cerber (1st run)
- SHA256 hash: 00386621b62147ab8fa6c6dc095259a9923b71f97a2c7b323995883b6cf5773b
File location: C:\Users\[username]\AppData\Local\Temp\wyprkl4v.exe
File description: Rig EK payload sent by pseudo-Darkleech campaign - Cerber (2nd run)
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-both-pcaps.zip 3.5 MB (976,342 bytes)
- ZIP archive of the malware: 2017-03-15-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip 2.6 MB (2,622,525 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.