2017-04-27 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER, ALSO TRYING CVE-2017-0199

ASSOCIATED FILES:

BACKGROUND:

TODAY'S NOTES:

Shown above:  Flow chart for these emails.


EMAILS


Shown above:  Data from the spreadsheet tracker (image 1 of 3).

Shown above:  Data from the spreadsheet tracker (image 2 of 3), CVE-2017-0199 files highlighted in yellow.

Shown above:  Data from the spreadsheet tracker (image 3 of 3), CVE-2017-0199 files highlighted in yellow.


(READ: Date/Time   --   Sending address (spoofed)   --   Subject   --   Attachment)


TRAFFIC


Shown above:  Traffic from a .js file-based infection filtered in Wireshark.

Shown above:  Traffic when I tried one of the .doc files (CVE-2017-0199 RTF files) filtered in Wireshark.


URLS GENERATED BY THE EXTRACTED FILES:

CERBER POST-INFECTION TRAFFIC:


SHA256 HASHES

EMAIL ATTACHMENTS:


EXTRACTED .JS FILES:


EXTRACTED RTF FILES DESIGNED TO EXPLOIT CVE-2017-0199:


CERBER RANSOMWARE SAMPLES:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.