2017-01-23 - "BLANK SLATE" CAMPAIGN SENDS CERBER OR SAGE 2.0 RANSOMWARE

NOTICE:

ASSOCIATED FILES:

NOTES:

EMAILS


Shown above:  Information from the spreadsheet tracker (part 1 of 3).


Shown above:  Information from the spreadsheet tracker (part 2 of 3).


Shown above:  Information from the spreadsheet tracker (part 3 of 3).

EMAILS GATHERED:

(Read: Date/Time -- Sending mail server -- Sending address (spoofed) -- Attachment)

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

SHA256 HASHES FOR THE EXTRACTED WORD DOCUMENTS AND .JS FILES:

TRAFFIC


Shown above:  Example of a Cerber ransomware infection from this campaign, filtered in Wireshark.


Shown above:  Example of a Sage 2.0 ransomware infection from this campaign, filtered in Wireshark.

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

HTTP REQUESTS FOR THE SAGE 2.0 RANSOMWARE:

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

SAGE 2.0 RANSOMWARE POST-INFECTION TRAFFIC:

DOMAINS FROM THE SAGE 2.0 RANSOMWARE DECRYPTION INSTRUCTIONS:

MALWARE

CERBER AND SAGE 2.0 RANSOMWARE SAMPLES:

IMAGES


Shown above:  Example of a desktop infected with Cerber ransomware from one of the email attachments.


Shown above:  Example of a desktop infected with Sage 2.0 ransomware from one of the email attachments.