2016-08-10 - MAGNITUDE EK FROM 185.30.232[.]85 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• 2016-08-10-Magnitude-EK-sends-Cerber-ransomware.pcap.zip   466.6 kB (466,572 bytes)

• 2016-08-10-Magnitude-EK-sends-Cerber-ransomware.pcap   (740,242 bytes)

• Z2016-08-10-Magnitude-EK-and-Cerber-ransomware-files.zip   378.2 kB (378,156 bytes)

• 2016-08-10-Cerber-ransomware-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-08-10-Cerber-ransomware-decryption-instructions.html   (19,994 bytes)
• 2016-08-10-Cerber-ransomware-decryption-instructions.txt   (10,645 bytes)
• 2016-08-10-Cerber-ransomware-decryption-instructions.vbs   (249 bytes)
• 2016-08-10-Magnitude-EK-flash-exploit.swf   (40,523 bytes)
• 2016-08-10-Magnitude-EK-flash-redirector.swf   (708 bytes)
• 2016-08-10-Magnitude-EK-landing-page.txt   (688 bytes)
• 2016-08-10-Magnitude-EK-more-html.txt   (23,254 bytes)
• 2016-08-10-Magnitude-EK-payload-Cerber-ransomware.exe   (204,944 bytes)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 185.143.240[.]111 port 80 - bestgoodautoparts[.]org - First gate
• 185.143.243[.]67 port 80 - digitjobs[.]casa - Second gate
• 185.30.232[.]85 port 80 - 2bobfewbd7.fellfelt[.]gdn - Magnitude EK on 2016-08-03
• ip-api[.]com - GET /json - Connectivity/IP check by the Cerber ransomware
• 91.223.89[.]201 port 80 - unocl45trpuoefft.heardbids[.]date - Cerber decrypt instructions
• 31.184.234[.]0 - 31.184.235[.]255 (31.184.234[.]0/23) port 6892 - UDP scan from the host infected by Cerber ransomware

OTHER DOMAINS FROM THE CERBER RANSOMWARE DECRYPT INSTRUCTIONS:

• unocl45trpuoefft.eventsresg[.]info
• unocl45trpuoefft.itdrink[.]club
• unocl45trpuoefft.variedtax[.]kim
• unocl45trpuoefft[.]onion[.]to

 

FILE HASHES

FLASH REDIRECTS AND FLASH EXPLOIT:

• SHA256 hash:  18dfdfaf76550a0c4630070e39add570ffdbfca62a59c3a2c800ce4c88bfe2eb
  File name:  2016-08-10-Magnitude-EK-flash-redirector.swf

• SHA256 hash:  22ad3c0cfc888344f7ee69662db8e2bc7c01bd7d24f8cf8a38502662bbfff6eb
  File name:  2016-08-10-Magnitude-EK-flash-exploit.swf

MALWARE PAYLOAD:

• SHA256 hash:  d62a006998dced36c30a435c22b0c6b130c918125efd79c7098318a6fa631a60
  File name:  2016-08-10-Magnitude-EK-payload-Cerber-ransomware.exe

 

IMAGES

Shown above:  Desktop of a Windows host infected with this Cerber ransomware sample.

 

Click here to return to the main page.