2017-01-23 - ONGOING MALSPAM CAMPAIGN SPREADING CERBER AND SAGE 2.0 RANSOMWARE

ASSOCIATED FILES:

NOTES:

EMAILS


Shown above: Information from the spreadsheet tracker (part 1 of 3).


Shown above: Information from the spreadsheet tracker (part 2 of 3).


Shown above: Information from the spreadsheet tracker (part 3 of 3).

EMAILS GATHERED:

(Read: Date/Time -- Sending mail server -- Sending address (spoofed) -- Attachment)

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

SHA256 HASHES FOR THE EXTRACTED WORD DOCUMENTS AND .JS FILES:

TRAFFIC


Shown above: Example of a Cerber infection from this malspam, filtered in Wireshark.


Shown above: Example of a Sage 2.0 infection from this malspam, filtered in Wireshark.

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

HTTP REQUESTS FOR THE SAGE 2.0 RANSOMWARE:

CERBER POST-INFECTION TRAFFIC:

SAGE 2.0 POST-INFECTION TRAFFIC:

SAGE 2.0 DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

MALWARE

CERBER AND SAGE 2.0 SAMPLES:

IMAGES


Shown above: Example of a desktop infected with Cerber from one of the malspam attachments.


Shown above: Example of a desktop infected with Sage 2.0 from one of the malspam attachments.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.