2017-01-13 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-01-13-Cerber-ransomware-infection-traffic.pcap   (1,040,210 bytes)
  • 2017-01-13-Blank-Slate-malspam-0007-UTC.eml   (60,258 bytes)
  • 2017-01-13-Blank-Slate-malspam-0837-UTC.eml   (52,969 bytes)
  • 2017-01-13-Blank-Slate-malspam-1049-UTC.eml   (62,599 bytes)
  • 2017-01-13-Blank-Slate-malspam-1428-UTC.eml   (39,344 bytes)
  • 2017-01-13-Blank-Slate-malspam-1607-UTC.eml   (60,538 bytes)
  • 2017-01-13-Blank-Slate-malspam-1715-UTC.eml   (45,145 bytes)
  • 2017-01-13-Blank-Slate-malspam-1854-UTC.eml   (66,499 bytes)
  • 2017-01-13-Blank-Slate-malspam-tracker.csv   (1,543 bytes)
  • 332101.zip   (33,128 bytes)
  • 62274826.zip   (48,923 bytes)
  • 793186269136.zip   (44,507 bytes)
  • 6225549306381.zip   (28,811 bytes)
  • 09488786419-[recipient].zip   (38,860 bytes)
  • INFO_60191_[recipient].zip   (46,026 bytes)
  • $MONEY-86635301206-[recipient].zip   (44,293 bytes)
  • 2589.doc   (102,912 bytes)
  • 5274.doc   (79,360 bytes)
  • 6254.doc   (86,016 bytes)
  • 10803.doc   (116,224 bytes)
  • 21457.doc   (115,200 bytes)
  • 23183.doc   (123,392 bytes)
  • 29546.doc   (118,784 bytes)
  • 2017-01-13-Cerber-ransomware-1st-example.exe   (275,484 bytes)
  • 2017-01-13-Cerber-ransomware-2nd-example.exe   (275,484 bytes)
  • 2017-01-13-Cerber-ransomware-3rd-example.exe   (271,954 bytes)
  • 2017-01-13-Cerber-ransomware-4th-example.exe   (275,484 bytes)

NOTES:



Shown above:  Error seen when enabling macros on some of these Word documents.


EMAILS

Read: date/time -- received from mailserver at -- sender (spoofed) -- subject -- zip attachment name -- extracted doc
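The tracker columns above can be filled from the .eml files mechanically. The following Python script is an added example, not code from the original page or from the tracker CSV it lists: it parses one .eml, pulls the date/time (normalized to UTC), the host named in the outermost Received header (the mail server that accepted the message), the spoofed From address, the subject (reported as "(blank)" when missing, as in these emails), the name and SHA-256 of the zip attachment, and the name and SHA-256 of the first .doc/.docm inside it. It never executes or writes out the document and refuses to inflate oversized zip members. The message built by build_sample_eml() is constructed for the demo and is not one of the campaign emails; its hostnames use the reserved .invalid TLD.

```python
"""Build malspam tracker rows from .eml files (added example, not from the original page).

Fields match the tracker on this page: date/time, receiving mail server, spoofed
sender, subject, zip attachment name, extracted document name, plus SHA-256 hashes.
build_sample_eml() returns a constructed demo message, not a real campaign email.
"""
import csv
import email
import email.policy
import hashlib
import io
import re
import zipfile
from datetime import timezone
from email.message import EmailMessage
from email.utils import parsedate_to_datetime
from pathlib import Path

MAX_MEMBER_BYTES = 20 * 1024 * 1024  # do not inflate suspiciously large zip members

FIELDS = ["date_time_utc", "received_by", "sender_spoofed", "subject",
          "zip_attachment", "zip_sha256", "extracted_doc", "doc_sha256"]


def _received_by(msg) -> str:
    """Host from the outermost 'Received: ... by <host>' header, or '' if none."""
    for value in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)", str(value))
        if m:
            return m.group(1)
    return ""


def tracker_row(raw_eml: bytes) -> dict:
    """Parse one .eml and return the tracker fields.

    Only the first zip attachment is examined, and only the first .doc/.docm
    member inside it.  Nothing is executed or written to disk.
    """
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    row = dict.fromkeys(FIELDS, "")
    row["received_by"] = _received_by(msg)
    row["sender_spoofed"] = str(msg.get("From", ""))
    row["subject"] = str(msg.get("Subject", "")) or "(blank)"
    if msg.get("Date"):
        dt = parsedate_to_datetime(str(msg["Date"]))
        if dt.tzinfo is None:  # a '-0000' zone parses as naive; treat it as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        row["date_time_utc"] = dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H%M UTC")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        row["zip_attachment"] = name
        row["zip_sha256"] = hashlib.sha256(payload).hexdigest()
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith((".doc", ".docm")):
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        row["extracted_doc"] = f"{info.filename} (skipped, too large)"
                        break
                    row["extracted_doc"] = info.filename
                    row["doc_sha256"] = hashlib.sha256(zf.read(info)).hexdigest()
                    break
        except zipfile.BadZipFile:
            row["extracted_doc"] = "(attachment is not a valid zip)"
        break
    return row


def rows_to_csv(rows) -> str:
    """Render tracker rows as CSV text in FIELDS order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed demo message: blank body, no Subject, one zip holding a .doc."""
    doc = b"\xd0\xcf\x11\xe0" + b"constructed placeholder bytes, not a real document"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("12345.doc", doc)
    msg = EmailMessage()
    msg["Received"] = ("from mx.example.invalid ([192.0.2.10]) by mail.example.invalid "
                       "with ESMTP; Fri, 13 Jan 2017 08:37:00 +0000")
    msg["Date"] = "Fri, 13 Jan 2017 08:37:00 +0000"
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("")  # Blank Slate messages carry no body text
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="12345.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # Run in a directory of .eml files; falls back to the constructed sample.
    raw = [p.read_bytes() for p in sorted(Path(".").glob("*.eml"))] or [build_sample_eml()]
    print(rows_to_csv(tracker_row(r) for r in raw), end="")
```

The Received header is parsed from the top (outermost hop), which is the server that handed the message to you, not the true origin; the From address is taken verbatim because it is spoofed and is recorded only as seen. Do the same against the real .eml files in a sandbox, since the zip contents are live malware.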


TRAFFIC


Shown above:  URLs for all the Word documents filtered in Wireshark.


Shown above:  One of the URLs hosted on AWS that served Cerber ransomware (1 of 3).


Shown above:  One of the URLs hosted on AWS that served Cerber ransomware (2 of 3).


Shown above:  One of the URLs hosted on AWS that served Cerber ransomware (3 of 3).


ASSOCIATED DOMAINS:


FILE HASHES

ATTACHED ZIP ARCHIVES:

EXTRACTED MICROSOFT WORD DOCUMENTS:

DOWNLOADED CERBER RANSOMWARE SAMPLES:

