Malware-Traffic-Analysis.net - 2017-02-06 - pseudoDarkleech Rig EK from 194.87.94[.]37 sends Cerber ransomware

2017-02-06 - PSEUDO-DARKLEECH RIG EK FROM 194.87.94[.]37 SENDS CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-02-06-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap.zip 646.8 kB (646,756 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-sends-Cerber-ransomware.pcap (873,204 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-artifacts-and-Cerber-ransomware.zip 681.2 kB (681,264 bytes)

2017-02-06-Cerber-ransomware_HELP_HELP_HELP_5ODOEO_.png (360,479 bytes)

2017-02-06-Cerber-ransomware_HELP_HELP_HELP_7AI0I_.hta (75,864 bytes)

2017-02-06-page-from-phoenixkiosk_com-with-injected-pseudoDarkleech-script.txt (126,331 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-artifact-QTTYUADAF.txt (1,137 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-flash-exploit.swf (17,065 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-landing-page.txt (5,233 bytes)

2017-02-06-pseudoDarkleech-Rig-EK-payload-Cerber-ransomware-radAF512.tmp.exe (275,035 bytes)

BACKGROUND ON RIG EXPLOIT KIT:

I haven't seen Empire Pack (also known as Rig-E) so far in 2017.
Rig-V is actually the current version of Rig EK (Rig 4.0), so I've stopped calling it "Rig-V."
Now I'm just calling it "Rig EK."

BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:

My most recent in-depth write-up on the pseudoDarkleech campaign can be found here.

Shown above: Flowchart for this infection traffic.

TRAFFIC

Shown above: Injected pseudoDarkleech script in a page from the compromised site leading to Rig EK.

Shown above: Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

www.phoenixkiosk[.]com - Compromised site
194.87.94[.]37 port 80 - list.thewakedoctor[.]com - Rig EK

91.119.56[.]0 to 91.119.56[.]31 (91.119.56[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.120.56[.]0 to 91.120.56[.]31 (91.120.56[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.121.56[.]0 to 91.121.59[.]255 (91.121.56[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic
109.230.199[.]212 port 80 - p27dokhpz2n7nvgr.145rzb[.]top - Cerber ransomware post-infection HTTP traffic

FILE HASHES

RIG EK FLASH EXPLOIT:

SHA256 hash: a820bb75a2d6fb069af2afc762ca6e30ab8c8b4d690ff880ed3a0a7b9bad36be (17,065 bytes)
File description: Rig EK Flash exploit seen on 2017-02-06

RIG EK PAYLOAD FROM PSEUDO-DARKLEECH CAMPAIGN:

SHA256 hash: 41089498ab9ae008bb536adcf1e5babafe9f6321481db11777ffabeb823644d2 (275,035 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\radAF512.tmp.exe
File description: Cerber ransomware

IMAGES

Shown above: Desktop of the infected Windows host after rebooting.

Click here to return to the main page.