2017-03-20 - PSEUDO-DARKLEECH RIG EK FROM 92.53.104.78 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-03-20-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip   407 kB (406,554 bytes)

• 2017-03-20-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap   (607,945 bytes)

• ZIP archive of the malware:  2017-03-20-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip   644 kB (643,666 bytes)

• 2017-03-20-Cerber_READ_THIS_FILE_ARCYL40_.txt   (1,337 bytes)
• 2017-03-20-Cerber_READ_THIS_FILE_U7IP_.hta   (76,791 bytes)
• 2017-03-20-Cerber_READ_THIS_FILE_WEF70_.jpeg   (287,672 bytes)
• 2017-03-20-page-from-simply-vegan.org-with-injected-pseudoDarkleech-script.txt   (48,664 bytes)
• 2017-03-20-pseudoDarkleech-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-03-20-pseudoDarkleech-Rig-EK-flash-exploit.swf   (15,010 bytes)
• 2017-03-20-pseudoDarkleech-Rig-EK-landing-page.txt   (117,653 bytes)
• 2017-03-20-pseudoDarkleech-Rig-EK-payload-Cerber-4tjgwc3p.exe   (270,347 bytes)

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

• My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.

OTHER NOTES:

• Got the compromised sites from one of @nao_sec's recent tweets.

Shown above:  Flowchart for this infection traffic.

 

TRAFFIC

Shown above:  Injected pseudoDarkleech script in a page from the compromised site leading to Rig EK.

 

Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• www.simply-vegan.org - Compromised site
• 92.53.104.78 port 80 - acc.mobilalibey.com - Rig EK

• 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892 - Cerber post-infection UDP traffic
• 216.170.119.139 port 80 - p27dokhpz2n7nvgr.1cewld.top - Cerber post-infection HTTP traffic

 

FILE HASHES

FLASH EXPLOIT:

• SHA256 hash:  ccd2a5c27c92ed489287d7c9d48c42c8c0c12902ad598ac51458e388e22c4385
  File size:  15,010 bytes
  File description:  Rig EK flash exploit seen on 2017-03-20

PAYLOAD:

• SHA256 hash:  1c693f3448d0bd9f300f9f8d752f50db352aea7a8c1961f369291d8e6010fd0d
  File size:  270,347 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\4tjgwc3p.exe

 

IMAGES

Shown above:  Desktop of the infected Windows host after rebooting.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-03-20-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip   407 kB (406,554 bytes)
• ZIP archive of the malware:  2017-03-20-pseudoDarkleech-Rig-EK-sends-Cerber-malware-and-artifacts.zip   644 kB (643,666 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.