2017-01-04 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

NOTICE:

  • 2017-01-04-Cerber-ransomware-infection-traffic.pcap   (304,487 bytes)
  • 15010386517237.zip   (25,491 bytes)
  • 19206.doc   (62,464 bytes)
  • 2017-01-04-Blank-Slate-malspam-0724-UTC.eml   (34,863 bytes)
  • 2017-01-04-Cerber-ransomware-decryption-instructions_7A7N_README_.hta   (67,448 bytes)
  • 2017-01-04-Cerber-ransomware-decryption-instructions_7A7N_README_.jpg   (226,029 bytes)
  • Roaming.exE   (229,661 bytes)

NOTES:


EMAIL


Shown above:  Screenshot of the email.

NOTE:  The sender's address was spoofed; the message did not actually come from a Gmail account.




Shown above:  Malicious Word document extracted from the email attachment.

NOTE:  Enabling macros in that Word document runs a macro that downloads and executes Cerber ransomware.




Shown above:  Pcap of the infection traffic filtered in Wireshark.
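Extracting the HTTP requests from a capture like the one above, as an added example that is not part of the original page: the script below walks a classic (libpcap) file with only the Python standard library and reports each HTTP request it finds, the equivalent of Wireshark's `http.request` display filter, then flags requests that fetch an executable. The capture it parses is constructed in memory with placeholder addresses, host name and path; none of these are indicators from the real 2017-01-04 traffic, and the executable-extension heuristic is this example's own assumption, not something the page states.

```python
"""Pull HTTP requests out of a classic (libpcap) capture using only the
standard library. Added example, not from the original page; the sample
capture is constructed in memory with placeholder addresses, host and path."""
import struct
from typing import Dict, List

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP frame carrying an HTTP GET.
    The host name, path and IP addresses are placeholders for this example,
    not indicators from the real 2017-01-04 capture."""
    payload = (b"GET /download/sample.exe HTTP/1.1\r\n"
               b"Host: example.invalid\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n")
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum (left zero), urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0x4000, 64, 6, 0,
                     _ipv4("10.0.0.5"), _ipv4("192.0.2.10"))
    eth = bytes(6) + bytes(5) + b"\x01" + b"\x08\x00"  # dst MAC, src MAC, IPv4
    frame = eth + ip + tcp + payload
    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt_hdr = struct.pack("<IIII", 1483512000, 0, len(frame), len(frame))
    return global_hdr + pkt_hdr + frame


def http_requests(pcap: bytes) -> List[Dict[str, str]]:
    """Equivalent of Wireshark's http.request filter: one record per TCP
    segment whose payload begins an HTTP request."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")

    found: List[Dict[str, str]] = []
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "IIII", pcap[off:off + 16])[2]
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        # Trim to the IP total length so Ethernet padding is not read as payload.
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                   # not TCP
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(METHODS):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0]
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) < 2:
            continue
        host = ""
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
        found.append({
            "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])),
            "method": parts[0].decode("ascii"),
            "host": host,
            "uri": parts[1].decode("latin-1"),
        })
    return found


def executable_downloads(requests, suffixes=(".exe", ".dll", ".scr")):
    """Triage heuristic (this example's own assumption): requests whose path
    ends in a Windows executable extension, compared case-insensitively."""
    return [r for r in requests
            if r["uri"].split("?", 1)[0].lower().endswith(suffixes)]


if __name__ == "__main__":
    for r in executable_downloads(http_requests(build_sample_pcap())):
        print(f'{r["src"]} -> {r["dst"]}  {r["method"]} http://{r["host"]}{r["uri"]}')
```

To run it against a real capture, pass the file's bytes to `http_requests` (for example `http_requests(open("2017-01-04-Cerber-ransomware-infection-traffic.pcap", "rb").read())`). The parser deliberately handles only classic pcap over Ethernet and only requests whose start falls at the beginning of a TCP segment; a request split across segments, or a pcapng export from Wireshark, needs reassembly or conversion first.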


ASSOCIATED DOMAINS:


FILE HASHES:

ATTACHMENT AND EXTRACTED WORD DOCUMENT:


DOWNLOADED MALWARE (CERBER RANSOMWARE):


Shown above:  A copy of the malware before it deleted itself.

