2017-01-05 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-05-Cerber-ransomware-infection-traffic.pcap.zip 235.4 kB (235,446 bytes)
- 2017-01-05-Cerber-ransomware-infection-traffic.pcap (332,731 bytes)
- 2017-01-05-Blank-Slate-emails-and-Cerber-ransomware.zip 651.9 kB (651,891 bytes)
- 2017-01-04-Blank-Slate-malspam-2312-UTC.eml (36,691 bytes)
- 2017-01-04-Blank-Slate-malspam-2327-UTC.eml (45,945 bytes)
- 2017-01-05-Blank-Slate-malspam-0859-UTC.eml (38,580 bytes)
- 402402188984588.zip (28,241 bytes)
- 7318620611899.zip (26,845 bytes)
- 954461.zip (33,708 bytes)
- Roaming.exE (231,530 bytes)
- 2017-01-05-Cerber-ransomware_NQIB7_README_.hta (67,448 bytes)
- 2017-01-05-Cerber-ransomware_NQIB7_README_.jpg (229,420 bytes)
NOTES:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
EMAILS
Read: date/time -- received from mailserver at -- message-ID -- sender (spoofed) -- subject -- attachment name -- extracted file
2017-01-04 23:12 UTC -- skyonline[.]net[.]ar -- <148357156002.25068.7364238338216249641@skyonline[.]net[.]ar>
<ej.hartstra@dienst.vu.nl> -- (no subject) -- 7318620611899.zip -- 12027.doc
2017-01-04 23:26 UTC -- 175.202.17[.]89 -- <148357240588.3135.1777837317377017010@175.202.17[.]89>
<gracedsenoglu@gmail.com> -- (no subject) -- 954461.zip -- 24591.doc
2017-01-05 08:59 UTC -- skyonline[.]net[.]ar -- <148360676836.3137.13620895256758905128@skyonline[.]net[.]ar>
<andreas.nilsson@norstat.se> -- (no subject) -- 402402188984588.zip -- 31879.doc
TRAFFIC
Shown above: Pcap of the infection traffic filtered in Wireshark.
ASSOCIATED DOMAINS:
- 54.145.159[.]172 port 80 - randoz-pandom[.]wang - GET /search.php - Word macro downloading the Cerber ransomware
- 15.44.20[.]0 to 15.44.20[.]31 (15.44.20[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 16.43.12[.]0 to 16.43.12[.]31 (16.43.12[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 91.134.123[.]56 port 80 - p27dokhpz2n7nvgr.1bwh8a[.]top - Cerber ransomware post-infection HTTP traffic
FILE HASHES
EXTRACTED WORD DOCUMENTS:
- SHA256 hash: 748a3c119026f2579867763c33f6fd16375e8f62a38be580654c726709484b94 (65,024 bytes)
File name: 12027.doc
- SHA256 hash: 8745da2b43f07167e6f2c2eb84a646c0feb236671f206047fc2cdc1081b3f982 (79,360 bytes)
File name: 24591.doc
- SHA256 hash: b36bb18faa7adea81436651e6062df0200dca5a578842dc5d6ea03377c4775e9 (68,096 bytes)
File name: 31879.doc
DOWNLOADED MALWARE (CERBER RANSOMWARE):
- SHA256 hash: aeab730e99827a820e318f43a57463f3dcdcb5182b4e41e71a4d5f436623e792 (231,530 bytes)
File path: C:\Users\[username]\Roaming\Roaming.exE
Click here to return to the main page.