Malware-Traffic-Analysis.net - 2017-01-13 - "Blank Slate" campaign sends Cerber ransomware

2017-01-13 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-13-Cerber-ransomware-infection-traffic.pcap.zip 856.3 kB (856,274 bytes)

2017-01-13-Cerber-ransomware-infection-traffic.pcap (1,040,210 bytes)

2017-01-13-Blank-Slate-emails-and-Cerber-ransomware.zip 1.9 MB (1,903,475 bytes)

2017-01-13-Blank-Slate-malspam-0007-UTC.eml (60,258 bytes)

2017-01-13-Blank-Slate-malspam-0837-UTC.eml (52,969 bytes)

2017-01-13-Blank-Slate-malspam-1049-UTC.eml (62,599 bytes)

2017-01-13-Blank-Slate-malspam-1428-UTC.eml (39,344 bytes)

2017-01-13-Blank-Slate-malspam-1607-UTC.eml (60,538 bytes)

2017-01-13-Blank-Slate-malspam-1715-UTC.eml (45,145 bytes)

2017-01-13-Blank-Slate-malspam-1854-UTC.eml (66,499 bytes)

2017-01-13-Blank-Slate-malspam-tracker.csv (1,543 bytes)

332101.zip (33,128 bytes)

62274826.zip (48,923 bytes)

793186269136.zip (44,507 bytes)

6225549306381.zip (28,811 bytes)

09488786419-[recipient].zip (38,860 bytes)

INFO_60191_[recipient].zip (46,026 bytes)

$MONEY-86635301206-[recipient].zip (44,293 bytes)

2589.doc (102,912 bytes)

5274.doc (79,360 bytes)

6254.doc (86,016 bytes)

10803.doc (116,224 bytes)

21457.doc (115,200 bytes)

23183.doc (123,392 bytes)

29546.doc (118,784 bytes)

2017-01-13-Cerber-ransomware-1st-example.exe (275,484 bytes)

2017-01-13-Cerber-ransomware-2nd-example.exe (275,484 bytes)

2017-01-13-Cerber-ransomware-3rd-example.exe (271,954 bytes)

2017-01-13-Cerber-ransomware-4th-example.exe (275,484 bytes)

NOTES:

For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
The Cerber ransomware is downloaded from IP addresses belonging to Amazon Web Services (AWS).
Several of these Word documents had an error in the macro that prevented them from working.

Shown above: Error seen when enabling macros on some of these Word documents.

EMAILS

Read: date/time -- received from mailserver at -- sender (spoofed) -- subject -- zip attachment name -- extracted doc

2017-01-13 00:07 UTC -- 186.117.249[.]226 -- <atie121609@gmail[.]com> -- (none) -- $MONEY-86635301206-[recipient].zip -- 21457.doc
2017-01-13 08:37 UTC -- 111.194.131[.]109 -- <[recipient's name]@pearlresearch[.]com> -- 35571 [recipient's name from email address] -- 09488786419-[recipient].zip -- 2589.doc
2017-01-13 10:49 UTC -- telebucaramanga[.]net[.]co -- <carol@mirror[.]co[.]uk> -- (none) -- INFO_60191_[recipient's name from email address].zip -- 29546.doc
2017-01-13 14:28 UTC -- 117.255.233[.]191 -- <mathias.heinrich@web[.]de> -- (none) -- 6225549306381.zip -- 5274.doc
2017-01-13 16:07 UTC -- 94.51.8[.]224 -- <marycris-paccia@libero[.]it> -- (none) -- 793186269136.zip -- 10803.doc
2017-01-13 17:15 UTC -- rdtc[.]ru -- <eforney@elon[.]edu> -- (none) -- 332101.zip -- 6254.doc
2017-01-13 18:54 UTC -- hinet[.]net -- <andreas.nilsson@norstat[.]se> -- (none) -- 62274826.zip -- 23183.doc

TRAFFIC

Shown above: URLs for all the Word documents filtered in Wireshark.

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (1 of 3).

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (2 of 3).

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (3 of 3).

ASSOCIATED DOMAINS:

35.161.229[.]79 port 80 - bobobmdola[.]top - GET /read.php?f=0.dat [Cerber ransomware download from the Word macro]
35.161.229[.]79 port 80 - zonexxopera[.]top - GET /read.php?f=0.dat [Cerber ransomware download from the Word macro]
54.186.16[.]83 port 80 - dogtosamdnc[.]top - GET /search.php [Cerber ransomware download from the Word macro]

97.15.12[.]0 to 97.15.12[.]31 (97.15.12[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
97.2.48[.]0 to 97.2.48[.]31 (97.2.48[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
91.239.24[.]0 to 91.239.25[.]255 (91.239.24[.]0/23) UDP port 6892 - Cerber ransomware post-infection UDP traffic
173.254.204[.]104 port 80 - p27dokhpz2n7nvgr.15rnwa[.]top - Cerber ransomware post-infection HTTP traffic

FILE HASHES

ATTACHED ZIP ARCHIVES:

e788983d8f103c103bd581dbd6c6891328d70772f252e61c98c367cdcb4b5659 - 332101.zip
e177b2a050c3a52247c87e9cce1d4fb3b02efc0a6a0c4d51bb818289a4fb8649 - 62274826.zip
0ea9690b79dd5c6ebe83b9539c619ce2057bf3715ff62e5e84599513a0970d78 - 793186269136.zip
8b9295f0960bd1d05c4da8330cba0cb9e73700a587a7aba91c1faf3c0bfbdb74 - 6225549306381.zip
1e5d324318dd3c9afca69db65871721b9350caed4f12102af259feffecebd193 - 09488786419-[recipient].zip
a8c5459e332d2d61913b5d6498600e91a08c49692335ea4b716b3a726d192f53 - INFO_60191_[recipient].zip
dce63003d79768b117b197b318f7650a744c1d94ce765795373c5e8a5889ec82 - $MONEY-86635301206-[recipient].zip

EXTRACTED MICROSOFT WORD DOCUMENTS:

7b3eed96748e306eb81ae4775965aec6aaf0b85bc220af5d47e2b117a3072fa7 - 2589.doc
2ec865098724f3a662dbf72b1723b3e0f4d26309723e3278614641a0dc248daa - 5274.doc
c287e5df8f25d10d7f1e5f621877ced9e78771f6a6032d5672d61d3dfde3e0ed - 6254.doc
13f3a9a8fe4782b5d0b606893fce3c44b20e0e30d802783ff2b40a3b9f3782bf - 10803.doc
e129eb25c397963f4d1eb2f4b1060d40554d54572431f14b28f6f3c57941a6a0 - 21457.doc
da55f6b61d5740e91ba677e0afc075a671b9dc63f6bf6209bf2025c4725b75c0 - 23183.doc
0dd91d57db4753d0813f1587a0b41881a2175571dbc3e67d10ac6581b80441e5 - 29546.doc

DOWNLOADED CERBER RANSOMWARE SAMPLES:

8e1e7ea8aa4cc443f5b5231ecb2fd45acca4570c73d8963b8817ea692d951639 - Cerber ransomware 1st example/li>
81dcfc070e35ce217ba829cd400598da209e0953df0bc365c06ab21bceee98e0 - Cerber ransomware 2nd example/li>
8d5ecc4948096e3ff5570608f8b539c3f8249671f86a63b52791a5f83c71eeeb - Cerber ransomware 3rd example/li>
09e632cde8db7e70a37965b5faea2644d0a13b97a9526c12ae51a3cae11f2642 - Cerber ransomware 4th example/li>

Click here to return to the main page.