2017-01-17 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

ASSOCIATED FILES:

 

NOTES:


Shown above:  New HELP_HELP_HELP message I haven't noticed before.

 

EMAILS


Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 


Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 

SOME OF THE EMAILS NOTED:

(Read: Date/Time -- Sending mail server -- Sending address (spoofed) -- Subject -- Attachment)

 

ATTACHED ZIP ARCHIVES AND EXTRACTED WORD DOCUMENTS

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

 

SHA256 HASHES FOR THE EXTRACTED WORD DOCUMENTS:

 

TRAFFIC


Shown above:  URLs caused by the Word macros shown in Wireshark.

 


Shown above:  Traffic from an infection example filtered in Wireshark.

 

URLS GENERATED BY THE WORD MACROS TO DOWNLOAD CERBER RANSOMWARE:

 

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

 

DATA RELATED TO THE ACTOR(S) BEHIND THIS CAMPAIGN

IP ADDRESSES HOSTING THE CERBER RANSOMWARE:

 

REGISTRATION INFO FOR THE MALICIOUS DOMAINS:

 

NUMBER OF DOMAINS REGISTERED USING THESE EMAIL ADDRESSES:

 

MALWARE

CERBER RANSOMWARE SAMPLES DOWNLOADED FROM THE URLS:

 

IMAGES


Shown above:  Screenshot with an example of an infected desktop.

 

Click here to return to the main page.