Rig via PseudoDarkleech delivers Cerber Ransomware


Another Cerber from Rig EK. I’ve actually done several of these runs since my last post. I only really like to post if I can contribute something to the community. In this case I noticed the payload going idle for almost 10 minutes before the UDP requests began. I believe this could be an anti-sandbox evasion technique, as sandboxes often have a default timeout period.

Other than that, it’s the same old Cerber 🙂

Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Article on the PseudoDarkleech campaign and its history:



Notable Details:

  • – golanguages[.]es – COMPROMISED WEBSITE
  • – park.medlawtalk[.]tv – RIG-V
  • -> UDP port 6892 – Cerber Check In IP Range
  • Payload was rad69926.tmp.exe -> VirusTotal
  • A delay of almost 10 minutes before any UDP traffic occurred, indicating a possible sandbox evasion technique.

Details of infection chain:


Cerber encrypts with a .ba89 extension. Note the time delay between the payload and the first UDP check in.

Full Details:

  • Compromised site redirects to Rig-V EK via PseudoDarkleech iframe.
  • park.medlawtalk[.]tv is Rig EK, from top to bottom -> Pre-Landing -> Landing Page -> Flash -> Payload
  • UDP traffic on port 6892 all contained the data “fd6b47b9da60f3
  • Dropped payload “rad69926.tmp.exe”.
  • SHA256: bdba80fe4638b8ec8d0cde505cfd62ba89d90c86d856e409cabc032a34ec5750
    File name: rad69926.tmp.exe
    Detection ratio: 26 / 56
  • Payload encrypted files with a “.ba89” extension.
  • The payload appeared to be idle for almost 10 minutes. After this the usual UDP and Nbstat requests occurred and the encryption completed.
  • Cerber is likely waiting for Nbstat responses before it proceeds.
  • Emerging Threats signatures alerted on Cerber and on the NBTStat query response.
  • Cerber changes the desktop background and loads an HTA file containing instructions on how to decrypt your files. It also plays an eerie audio message stating that your files have been encrypted, using the Windows 7 female US English voice.
  • I recorded the voice: https://instaud.io/JUA#0:00.1
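As an added example (not part of the original post), the observations above turned into a small triage script: it scans a constructed flow log for UDP/6892 check-ins carrying the “fd6b47b9da60f3” marker and measures the idle gap between payload execution and the first beacon. The log format, the IP addresses and the 300-second threshold are assumptions made for the example.

```python
import re
from datetime import datetime
# Constructed sample flow log (not from the original post). Assumed format:
# "<ISO time> EXEC <image>" for process start, and
# "<ISO time> UDP <src> -> <dst>:<port> <payload-hex>" for each datagram.
SAMPLE_LOG = """\
2016-11-28T10:01:05 EXEC rad69926.tmp.exe
2016-11-28T10:01:06 UDP 10.0.0.5 -> 10.0.0.1:137 00000000
2016-11-28T10:10:52 UDP 10.0.0.5 -> 192.0.2.10:6892 fd6b47b9da60f3
2016-11-28T10:10:52 UDP 10.0.0.5 -> 192.0.2.11:6892 fd6b47b9da60f3
2016-11-28T10:10:53 UDP 10.0.0.5 -> 198.51.100.7:53 aabbccdd
"""

CERBER_PORT = 6892                # UDP check-in port observed in the capture
CERBER_MARKER = "fd6b47b9da60f3"  # constant prefix of the UDP payload
DELAY_THRESHOLD_S = 300           # assumption: idle gap longer than a typical sandbox run
UDP_RE = re.compile(r"^(\S+) UDP (\S+) -> (\S+):(\d+) (\S+)$")
EXEC_RE = re.compile(r"^(\S+) EXEC (\S+)$")

def parse_log(text):
    """Return (timestamp, kind, fields) tuples for EXEC and UDP lines."""
    events = []
    for line in text.splitlines():
        if (m := UDP_RE.match(line)):
            ts, src, dst, port, payload = m.groups()
            fields = {"src": src, "dst": dst, "port": int(port), "payload": payload}
            events.append((datetime.fromisoformat(ts), "udp", fields))
        elif (m := EXEC_RE.match(line)):
            ts, image = m.groups()
            events.append((datetime.fromisoformat(ts), "exec", {"image": image}))
    return events

def cerber_checkins(events):
    """Datagrams matching the port and payload marker from the capture."""
    return [e for e in events if e[1] == "udp" and e[2]["port"] == CERBER_PORT
            and e[2]["payload"].startswith(CERBER_MARKER)]

def assess(text):
    """Count check-ins and measure the idle gap from payload start to first beacon."""
    events = parse_log(text)
    hits = cerber_checkins(events)
    starts = [e[0] for e in events if e[1] == "exec"]
    delay = None
    if hits and starts:
        delay = (min(h[0] for h in hits) - min(starts)).total_seconds()
    return {"checkins": len(hits),
            "check_in_dsts": sorted({h[2]["dst"] for h in hits}),
            "delay_seconds": delay,
            "sandbox_evasion_suspected": delay is not None and delay >= DELAY_THRESHOLD_S}
```

Run `assess(SAMPLE_LOG)` to see the two check-ins, their destinations and the 587-second idle gap flagged as a possible sandbox-timeout evasion.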
