
RIG-v from 194.87.238.156 sends Cerber Ransomware

Posted in ransomware, exploitkit



Domains:

204.62.14.220   mayajnyc.com   Compromised site
194.87.238.156   new.temmuz1516.com   RIG-v EK
194.165.16.0/22      Cerber Checkin
192.168.0.0/27      Why???



Traffic:

Evil Redirector (screenshot)


RIG-v & Cerber Scanning (screenshot)



Network Signatures:

[1:2022962:3] ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2023196:2] ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2
[1:2014726:88] ET POLICY Outdated Windows Flash Version IE
[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)
[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2
[1:2023453:5] ET TROJAN Ransomware/Cerber Checkin 2
[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016
[1:2816505:2] ETPRO TROJAN Cerber Ransomware UDP Scanning
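The indicators and ET alert lines above are the raw material an analyst would turn into a quick triage script. The following is an added example, not code from the original post: it parses the `[gid:sid:rev] msg` alert lines into fields, collapses the repeated RIG-v URI struct hit, labels destination addresses against the post's IP/CIDR indicators, and counts distinct UDP destinations per source inside the Cerber checkin range (the post pairs a whole /22 with a "UDP Scanning" signature, so many distinct UDP destinations in that range from one host is the heuristic used here). The flow records are constructed for illustration and are not from the post's pcap; the 192.168.0.0/27 range is carried over exactly as the post lists it, with no claim about why Cerber touches it.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as listed in the post; the role labels are the post's own.
# The RFC1918 /27 is kept as listed; the post itself gives no explanation for it.
INDICATORS = {
    "Compromised site": ipaddress.ip_network("204.62.14.220/32"),
    "RIG-v EK": ipaddress.ip_network("194.87.238.156/32"),
    "Cerber Checkin": ipaddress.ip_network("194.165.16.0/22"),
    "Unexplained RFC1918 range": ipaddress.ip_network("192.168.0.0/27"),
}

# The ET/ETPRO alert lines from the post, in the order they fired.
ALERT_LINES = [
    "[1:2022962:3] ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016",
    "[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)",
    "[1:2023196:2] ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2",
    "[1:2014726:88] ET POLICY Outdated Windows Flash Version IE",
    "[1:2023401:3] ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)",
    "[1:2820989:3] ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2",
    "[1:2023453:5] ET TROJAN Ransomware/Cerber Checkin 2",
    "[1:2816808:2] ETPRO CURRENT_EVENTS RIG EK Flash Exploit Mar 29 2016",
    "[1:2816505:2] ETPRO TROJAN Cerber Ransomware UDP Scanning",
]

ALERT_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]\s+(.+?)\s*$")


def parse_alert(line):
    """Split a Snort/Suricata-style '[gid:sid:rev] msg' line into its fields (None if it is not one)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}


def unique_sids(lines):
    """Distinct SIDs in firing order; the duplicate RIG-v URI struct hit collapses to one entry."""
    seen = []
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["sid"] not in seen:
            seen.append(alert["sid"])
    return seen


def classify_dst(dst):
    """Label a destination address with the first indicator network containing it, or None."""
    addr = ipaddress.ip_address(dst)
    for label, net in INDICATORS.items():
        if addr in net:
            return label
    return None


# Constructed flow records for illustration, NOT from the post's pcap: (proto, src, dst).
SAMPLE_FLOWS = [
    ("tcp", "10.0.0.5", "204.62.14.220"),   # compromised site
    ("tcp", "10.0.0.5", "194.87.238.156"),  # RIG-v landing/exploit/payload
    ("udp", "10.0.0.5", "194.165.16.7"),    # inside the checkin /22
    ("udp", "10.0.0.5", "194.165.19.250"),  # inside the checkin /22
    ("udp", "10.0.0.5", "192.168.0.12"),    # inside the listed /27
    ("tcp", "10.0.0.5", "93.184.216.34"),   # unrelated, constructed benign destination
]


def triage(flows):
    """Keep only flows whose destination matches an indicator, with the matching label appended."""
    rows = []
    for proto, src, dst in flows:
        label = classify_dst(dst)
        if label:
            rows.append((proto, src, dst, label))
    return rows


def udp_spray_count(flows, label="Cerber Checkin"):
    """Per source host, count distinct UDP destinations inside the labelled range.
    One internal host talking UDP to many distinct addresses in the /22 is the
    heuristic signal behind the post's 'Cerber Ransomware UDP Scanning' hit."""
    dsts = defaultdict(set)
    for proto, src, dst in flows:
        if proto == "udp" and classify_dst(dst) == label:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()}


if __name__ == "__main__":
    print("SIDs:", unique_sids(ALERT_LINES))
    for row in triage(SAMPLE_FLOWS):
        print(row)
    print("UDP destinations in checkin range per host:", udp_spray_count(SAMPLE_FLOWS))
```

On real data the flow tuples would come from Zeek conn.log or a NetFlow export; the indicator matching and the per-host distinct-destination count are the parts worth keeping.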



Process Tree:

Exploit and Cerber execution (screenshot)



File Hashes:

Detection ratio: 10 / 54

SHA256: a51c4a6e8797b75620efb64edf297bd2137230a45c18d96f66a3e9edbe988403
File type: Flash


Detection ratio: 8 / 56

SHA256: 87cf0ee7bfd0c089a88809b5236e6398fc2b7c899af61458e357f411983719be
File type: Win32 EXE



Detection ratio: 1 / 56

SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
File type: Win32 DLL




Associated files:
traffic.zip

This website focuses on the latest malware, exploit kits, spam and phishing attacks that are seen in the wild. Inspired by @malware_traffic, @BroadAnalysis and @malwareforme
