2017-01-12 - MALSPAM SPREADING CERBER RANSOMWARE FROM AWS IP ADDRESSES

ASSOCIATED FILES:

  • 2017-01-12-Cerber-malspam-traffic-all-examples.pcap   (1,956,943 bytes)
  • 2017-01-12-Cerber-maslpam-tracker.csv   (992 bytes)
  • 2017-01-12-Cerber-malspam-0712-UTC.eml   (64,983 bytes)
  • 2017-01-12-Cerber-malspam-1006-UTC.eml   (43,899 bytes)
  • 2017-01-12-Cerber-malspam-1331-UTC.eml   (59,956 bytes)
  • 2017-01-12-Cerber-malspam-1363-UTC.eml   (42,923 bytes)
  • 2017-01-12-Cerber-malspam-1809-UTC.eml   (46,496 bytes)
  • 2017-01-12-Cerber-malspam-2004-UTC.eml   (45,169 bytes)
  • 859214.zip   (34,114 bytes)
  • 236247851.zip   (44,081 bytes)
  • 434359441.zip   (32,187 bytes)
  • 7663013333.zip   (47,800 bytes)
  • 1617772479879.zip   (33,133 bytes)
  • 654700336027276.zip   (31,459 bytes)
  • 5770.doc   (77,824 bytes)
  • 11796.doc   (79,360 bytes)
  • 20431.doc   (118,784 bytes)
  • 20629.doc   (80,896 bytes)
  • 21040.doc   (81,408 bytes)
  • 32703.doc   (109,568 bytes)
  • 2017-01-12-Cerber-from-11796.doc.exe   (293,984 bytes)
  • 2017-01-12-Cerber-from-20431.doc.exe   (300,773 bytes)
  • 2017-01-12-Cerber-from-20629.doc.exe   (296,260 bytes)
  • 2017-01-12-Cerber-from-32703.doc.exe   (293,458 bytes)
  • 2017-01-12-Cerber-from-5770.doc.exe   (293,458 bytes)

NOTES:


EMAILS

Tracker columns, read left to right: date/time -- received from mailserver at -- sender (spoofed) -- subject -- attachment name -- extracted zip -- extracted doc
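The tracker columns above can be produced directly from the saved .eml files. The script below is an added example, not the page's own tracker or code; it uses only the Python standard library, takes the delivering IP from the top-most Received: header rather than the spoofed From: header, opens the attached zip in memory without ever launching the Word document, and hashes both the zip and the extracted document. The message it builds for itself is constructed for the example: the addresses, subject, Received hop, attachment names and document bytes are all invented.

```python
"""Generate the tracker columns from saved .eml files (added example)."""
import csv
import email
import hashlib
import io
import re
import sys
import zipfile
from datetime import timezone
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

COLUMNS = ["date_time_utc", "received_from", "sender_spoofed", "subject",
           "attachment", "zip_sha256", "extracted_doc", "doc_sha256"]
DOC_EXTS = (".doc", ".docm", ".dot")
MAX_DOC_BYTES = 5 * 1024 * 1024                     # refuse to inflate more (zip-bomb guard)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 in a Received: hop

# Constructed sample document: OLE2 magic bytes plus filler, no macro inside.
SAMPLE_DOC_NAME = "12345.doc"
SAMPLE_DOC_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Construct a message laid out like the campaign's (all values invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_DOC_NAME, SAMPLE_DOC_BYTES)
    msg = EmailMessage()
    msg["From"] = "invoice@example.com"             # spoofed sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Invoice 12345"
    msg["Date"] = "Thu, 12 Jan 2017 07:12:00 +0000"
    msg["Received"] = ("from mail.example.org ([203.0.113.45]) "
                       "by mx.example.net with ESMTP; Thu, 12 Jan 2017 07:12:00 +0000")
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="12345.zip")
    return msg.as_bytes()


def tracker_row(raw: bytes) -> dict:
    """Parse one raw .eml and return the tracker fields for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    row = dict.fromkeys(COLUMNS)

    if msg["Date"] is not None:
        when = parsedate_to_datetime(str(msg["Date"]))
        if when.tzinfo is None:                     # "-0000" dates come back naive
            when = when.replace(tzinfo=timezone.utc)
        row["date_time_utc"] = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M")

    # The top-most Received: line was written by the receiving server, so its
    # bracketed address is the host that actually handed over the message,
    # whatever the (spoofed) From: header claims.
    received = msg.get_all("Received") or []
    hop = IP_RE.search(str(received[0])) if received else None
    row["received_from"] = hop.group(1) if hop else None
    row["sender_spoofed"] = str(msg["From"])
    row["subject"] = str(msg["Subject"])

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        row["attachment"] = name
        row["zip_sha256"] = sha256_hex(data)
        with zipfile.ZipFile(io.BytesIO(data)) as zf:   # inspected in memory only
            for info in zf.infolist():
                if not info.filename.lower().endswith(DOC_EXTS):
                    continue
                if info.file_size > MAX_DOC_BYTES:
                    row["extracted_doc"] = f"{info.filename} (skipped, {info.file_size} bytes)"
                    break
                row["extracted_doc"] = info.filename
                row["doc_sha256"] = sha256_hex(zf.read(info))
                break
        break
    return row


def main(paths):
    writer = csv.DictWriter(sys.stdout, fieldnames=COLUMNS)
    writer.writeheader()
    for path in paths:
        with open(path, "rb") as fh:
            writer.writerow(tracker_row(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1:])                          # e.g. python tracker.py *.eml > tracker.csv
    else:
        print(tracker_row(build_sample_eml()))      # no files given: show the constructed sample
```

Run it over the six .eml files listed above to get a CSV in the same column order as the tracker. Only the first zip attachment and the first Word document inside it are recorded, which matches this campaign's one-zip-one-doc layout; a message with a malformed or password-protected zip will raise from zipfile and should be triaged by hand.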


TRAFFIC

Shown above: traffic from all the infections, filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

ATTACHED ZIP ARCHIVES:

EXTRACTED MICROSOFT WORD DOCUMENTS:

DOWNLOADED CERBER RANSOMWARE SAMPLES:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
