2017-01-21 - FILES FOR AN ISC DIARY ("BLANK SLATE" CAMPAIGN SENDS CERBER OR SAGE 2.0 RANSOMWARE)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

NOTES:

• The associated ISC diary is for Saturday 2017-01-21:  Sage 2.0 Ransomware
• The diary investigates the latest version of Sage ransomware I found in a malspam campaign I've been tracking (one that normally sends Cerber ransomware).

2025 UPDATE:

• I subsequently reported this campaign as "Blank Slate" as noted in an article I later wrote for my employer:

• "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

ASSOCIATED FILES:

• 2017-01-21-Blank-Slate-malspam-tracker.csv.zip   1.1 kB (1,090 bytes)

• 2017-01-21-Blank-Slate-malspam-tracker.csv   (2,330 bytes)

• 2017-01-21-Cerber-or-Sage-2.0-ransomware-infections-6-pcaps.zip   1.7 MB (1,690,665 bytes)

• 2017-01-20-Cerber-ransomware-from-cocalolo_top-full-infection-traffic.pcap   (293,432 bytes)
• 2017-01-20-Cerber-ransomware-from-truepokemonant_top.pcap   (289,837 bytes)
• 2017-01-20-Sage-2.0-ransomware-from-newfoodas_top.pcap   (357,417 bytes)
• 2017-01-20-Sage-2.0-ransomware-from-fortycooola_top-full-infection-traffic.pcap   (7,243,866 bytes)
• 2017-01-20-Sage-2.0-ransomware-from-smoeroota_top-full-infection-traffic.pcap   (347,342 bytes)

• 2017-01-21-Blank-Slate-emails-and-associated-ransomware.zip   2.9 MB (2,922,717 bytes)

• emails / 2017-01-19-Blank-Slate-malspam-0719-UTC.eml   (5,244 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-0751-UTC.eml   (5,702 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-0813-UTC.eml   (4,630 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-1435-UTC.eml   (66,939 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-1553-UTC.eml   (67,927 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-1652-UTC.eml   (71,950 bytes)
• emails / 2017-01-19-Blank-Slate-malspam-1657-UTC.eml   (60,251 bytes)
• emails / 2017-01-20-Blank-Slate-malspam-0016-UTC.eml   (65,847 bytes)
• emails / 2017-01-20-Blank-Slate-malspam-1419-UTC.eml   (55,706 bytes)
• emails / 2017-01-20-Blank-Slate-malspam-1636-UTC.eml   (69,278 bytes)
• attachments / 505635089.zip   (44,303 bytes)
• attachments / 96676808070.zip   (40,921 bytes)
• attachments / EMAIL_0436024153_[recipient].zip   (50,957 bytes)
• attachments / EMAIL_327120_[recipient].zip   (52,907 bytes)
• attachments / EMAIL_42654088199_[recipient].zip   (3,887 bytes)
• attachments / EMAIL_608170693_[recipient].zip   (49,205 bytes)
• attachments / EMAIL_6161214_[recipient].zip   (49,928 bytes)
• attachments / EMAIL_7281945_[recipient].zip   (3,099 bytes)
• attachments / EMAIL_77900715_[recipient].zip   (48,408 bytes)
• attachments / EMAIL_807388025533838_[recipient].zip   (3,531 bytes)
• extracted-files / 380.js   (13,693 bytes)
• extracted-files / 12824.js   (10,065 bytes)
• extracted-files / 22044.js   (11,232 bytes)
• extracted-files / 8970.doc   (110,592 bytes)
• extracted-files / 13622.doc   (105,984 bytes)
• extracted-files / 20703.doc   (105,472 bytes)
• extracted-files / 22230.doc   (116,736 bytes)
• extracted-files / 25862.doc   (112,128 bytes)
• extracted-files / 26922.doc   (99,328 bytes)
• extracted-files / 32449.doc   (109,568 bytes)
• artifacts / 2017-01-20-Cerber-ransomware-_HELP_HELP_HELP_5HF2E.hta   (75,794 bytes)
• artifacts / 2017-01-20-Cerber-ransomware-_HELP_HELP_HELP_5HF2E.jpg   (228,732 bytes)
• artifacts / 2017-01-20-Cerber-ransomware-example-1-of-2.exe   (279,012 bytes)
• artifacts / 2017-01-20-Cerber-ransomware-example-2-of-2.exe   (279,012 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-decryption-page.html   (10,491 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-decryption-page-css-files   (all the .css files for the above HTML page)
• artifacts / 2017-01-20-Sage-2.0-ransowmare-EMf.bmp   (1,766,454 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-example-1-of-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-example-2-of-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-example-3-of-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-example-4-of-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-example-5-of-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-Recovery_EMf.html   (9,149 bytes)
• artifacts / 2017-01-20-Sage-2.0-ransomware-scheduled-task-to-stay-persistent.txt   (3,244 bytes)

 

Click here to return to the main page.