2017-01-04 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

• 2017-01-04-Cerber-ransomware-infection-traffic.pcap.zip   208.3 kB (208,323 bytes)

• 2017-01-04-Cerber-ransomware-infection-traffic.pcap   (304,487 bytes)

• 2017-01-04-Blank-Slate-email-and-Cerber-ransomware.zip   541.7 kB (541,663 bytes)

• 15010386517237.zip   (25,491 bytes)
• 19206.doc   (62,464 bytes)
• 2017-01-04-Blank-Slate-malspam-0724-UTC.eml   (34,863 bytes)
• 2017-01-04-Cerber-ransomware-decryption-instructions_7A7N_README_.hta   (67,448 bytes)
• 2017-01-04-Cerber-ransomware-decryption-instructions_7A7N_README_.jpg   (226,029 bytes)
• Roaming.exE   (229,661 bytes)

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAIL

Shown above:  Screenshot of the email.

NOTE:  The sender's address was spoofed--the message did not come from a gmail account.

 

EMAIL

Shown above:  Malicious word document extracted from the email attachment.

NOTE:  Enabling macros on that Word document will download and run Cerber ransomware.

 

EMAIL

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 54.212.239[.]185 port 80 - randoz-pandom[.]wang - GET /search.php - Word macro downloading the Cerber ransomware
• 15.44.20[.]0 to 15.44.20[.]31 (15.44.20[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 16.43.12[.]0 to 16.43.12[.]31 (16.43.12[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.134.123[.]56 port 80 - p27dokhpz2n7nvgr.1fpeer[.]top - Cerber ransomware post-infection HTTP traffic

 

FILE HASHES

ATTACHMENT AND EXTRACTED WORD DOCUMENT:

• SHA256 hash:  4fb39a97721f066af6a551274550461874138683977bf5e52acd937ea19bfc0c   (25,491 bytes)
  File name:  15010386517237.zip

• SHA256 hash:  b8658a91138b7be842293612c1c1d9dad873ed4638f84262cb58fcee60eab8a4   (62,464 bytes)
  File name:  19206.doc

• NOTE:  The document was double-zipped.  It was a zip archive containing a zip archive of the Word document.

 

DOWNLOADED MALWARE (CERBER RANSOMWARE):

• SHA256 hash:  03aa2410d07ea49dd6f05f2e0b0815ad400a83725ac88281b5f85ee7a7314bc7   (229,661 bytes)
  File path:  C:\Users\[username]\Roaming\Roaming.exE

Shown above:  A copy of the malware before it deleted itself.

 

Click here to return to the main page.