2017-01-09 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-01-09-Cerber-ransomware-infection-traffic.pcap   (303,525 bytes)
  • 2017-01-09-Blank-Slate-maslpam-tracker.csv   (857 bytes)
  • emails / 2017-01-06-Blank-Slate-malspam-2127-UTC.eml   (43,717 bytes)
  • emails / 2017-01-07-Blank-Slate-malspam-1319-UTC.eml   (44,224 bytes)
  • emails / 2017-01-07-Blank-Slate-malspam-1519-UTC.eml   (35,996 bytes)
  • emails / 2017-01-07-Blank-Slate-malspam-1829-UTC.eml   (43,448 bytes)
  • emails / 2017-01-07-Blank-Slate-malspam-2136-UTC.eml   (45,077 bytes)
  • emails / 2017-01-08-Blank-Slate-malspam-2133-UTC.eml   (58,928 bytes)
  • emails / 2017-01-08-Blank-Slate-malspam-2238-UTC.eml   (59,681 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-0112-UTC.eml   (51,706 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-0119-UTC.eml   (49,647 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-0154-UTC.eml   (57,251 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-1047-UTC.eml   (37,889 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-1106-UTC.eml   (38,115 bytes)
  • emails / 2017-01-09-Blank-Slate-malspam-1624-UTC.eml   (36,090 bytes)
  • attachments / 17463.zip   (27,902 bytes)
  • attachments / 3564149445.zip   (31,847 bytes)
  • attachments / 4820876899.zip   (33,055 bytes)
  • attachments / 04398408565.zip   (32,439 bytes)
  • attachments / 1125380733161.zip   (26,337 bytes)
  • attachments / 11932415970879.zip   (27,738 bytes)
  • attachments / 35957656855277.zip   (32,061 bytes)
  • attachments / 850474845283453.zip   (26,415 bytes)
  • attachments / INFO_602960_[removed].zip   (36,444 bytes)
  • attachments / INFO_694972_[removed].zip   (42,077 bytes)
  • attachments / INFO_619608933_[removed].zip   (43,865 bytes)
  • attachments / INFO_949273973_[removed].zip   (43,310 bytes)
  • attachments / INFO_956010938_[removed].zip   (37,962 bytes)
  • extracted-Word-docs / 2241.doc   (91,648 bytes)
  • extracted-Word-docs / 3423.doc   (107,520 bytes)
  • extracted-Word-docs / 6743.doc   (64,000 bytes)
  • extracted-Word-docs / 13729.doc   (103,424 bytes)
  • extracted-Word-docs / 17807.doc   (78,336 bytes)
  • extracted-Word-docs / 18493.doc   (75,264 bytes)
  • extracted-Word-docs / 19221.doc   (77,312 bytes)
  • extracted-Word-docs / 21458.doc   (75,776 bytes)
  • extracted-Word-docs / 22551.doc   (72,704 bytes)
  • extracted-Word-docs / 22980.doc   (94,720 bytes)
  • extracted-Word-docs / 22987.doc   (78,848 bytes)
  • extracted-Word-docs / 23861.doc   (106,496 bytes)
  • extracted-Word-docs / 26211.doc   (75,776 bytes)
  • Cerber-ransomware-files / 2017-01-07-Cerber-ransomware-example-1-of-3.exe   (240,191 bytes)
  • Cerber-ransomware-files / 2017-01-07-Cerber-ransomware-example-2-of-3.exe   (240,191 bytes)
  • Cerber-ransomware-files / 2017-01-07-Cerber-ransomware-example-3-of-3.exe   (240,191 bytes)
  • Cerber-ransomware-files / 2017-01-08-Cerber-ransomware-example.exe   (245,422 bytes)
  • Cerber-ransomware-files / 2017-01-09-Cerber-ransomware-example-1-of-5.exe   (307,575 bytes)
  • Cerber-ransomware-files / 2017-01-09-Cerber-ransomware-example-2-of-5.exe   (307,575 bytes)
  • Cerber-ransomware-files / 2017-01-09-Cerber-ransomware-example-3-of-5.exe   (263,616 bytes)
  • Cerber-ransomware-files / 2017-01-09-Cerber-ransomware-example-4-of-5.exe   (261,423 bytes)
  • Cerber-ransomware-files / 2017-01-09-Cerber-ransomware-example-5-of-5.exe   (261,423 bytes)

NOTES:

TRAFFIC


Shown above:  Pcap from an example of infection traffic filtered in Wireshark

DOMAINS FROM THE TRAFFIC EXAMPLE ON 2017-01-09:

URLS FROM THE VARIOUS WORD MACROS TO RETRIEVE CERBER RANSOMWARE:


Shown above:  Example of different AWS IP addresses for the same malicious domain.

FILE HASHES

EMAIL ATTACHMENTS:

EXTRACTED WORD DOCUMENTS:

CERBER RANSOMWARE SAMPLES RETRIEVED FROM THE WORD MACROS:


Shown above:  Desktop of an infected Windows host.