2017-01-31 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-31-Cerber-ransomware-infections-3-pcaps.zip 887.9 kB (887,943 bytes)
- 2017-01-31-Blank-Slate-malspam-tracker.csv.zip 1.0 kB (974 bytes)
- 2017-01-31-Blank-Slate-emails-and-Cerber-ransomware.zip 1.4 MB (1,426,125 bytes)
NOTES:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
EMAILS
EMAILS GATHERED:
Shown above: Spreadsheet tracker, part 1 of 2.
Shown above: Spreadsheet tracker, part 2 of 2.
(Read: Date/Time -- Sending mail server -- Sending address (spoofed) -- Attachment -- Extracted file)
- 2017-01-29 02:00 UTC -- 176.210.138[.]110 -- eforney@elon[.]edu -- 2033974900.zip -- 19303.js
- 2017-01-29 06:21 UTC -- verizon[.]net -- dan.contini@bellsouth[.]net -- 62707.zip -- 32239.js
- 2017-01-29 17:55 UTC -- 88.201.79[.]15 -- honigbiermeier@t-online[.]de -- 87318.zip -- 11653.js
- 2017-01-29 18:13 UTC -- vivozap[.]com[.]br -- la.piscine.technique@free[.]fr -- COMPANY-2-[recipient].zip -- 5884.doc
- 2017-01-29 18:58 UTC -- hinet[.]net -- ennerson@iusd[.]org -- 92276335921.zip -- 6959.js
- 2017-01-29 20:46 UTC -- 90.57.230[.]206 -- highlandersboxingclub@live[.]com -- 17231.zip -- 25147.js
- 2017-01-29 23:22 UTC -- bright[.]net -- mail@panorama-europe[.]eu -- 229487.zip -- 7973.js
- 2017-01-30 18:50 UTC -- 200.87.40[.]94 -- [recipient]@siteminis[.]com -- 5422279365004.zip -- 16631.js
ATTACHED ZIP ARCHIVES AND EXTRACTED FILES
SHA256 HASHES FOR THE EMAIL ATTACHMENTS:
- 423a6281a7fc407c8175c17387f4112b25fd0e1eae44b2dde989214078ec814a - 17231.zip (5,003 bytes)
- 20aae649e8e2505971736bc746126e2ef5380b8a1d1b5df389d0a6216fd975b8 - 2033974900.zip (4,120 bytes)
- 33a3c443b1ce4aa64fc850d0eb84b10b53d3d3e8dc6f33265d6cae8170ea143f - 229487.zip (5,780 bytes)
- 33b30ec07a2fd20cfde1b5515cef801546c6bceefc7d92473ccea1301f35185c - 5422279365004.zip (6,560 bytes)
- 863fa74055f9f410e897405196bce1749b91cf26d35f0158a8933edbcdf04433 - 62707.zip (2,791 bytes)
- 0d436f3a33b0f271461f2d43bc3dbb3126ee9b185f3583ec5a42de2d867c5c1a - 87318.zip (3,195 bytes)
- 66d063086c5312ed36c1a68e12d93d750fc53943b1517acc641f3ccf606f8a0f - 92276335921.zip (3,190 bytes)
- 836ef24ec9697cae96a9479374b93384323ea4b47baf487eb8ee370f24d67385 - COMPANY-2-[recipient].zip (60,852 bytes)
SHA256 HASHES FOR THE EXTRACTED WORD DOCUMENT AND .JS FILES:
- 3bf4ec3e1792207bef35434f481114a68e6f3fb0d1828171fa6c339e389df75c - 11653.js (10,747 bytes)
- 21048b243d1eb1e0e9c24b277db13a1b2b1e7e77ed4b5b254754ad02f8f9ea47 - 16631.js (21,552 bytes)
- 13f19590bd15df49677e859a6acd14aa409f4bf0a6cb34d036f5d1ad4d9d65b3 - 19303.js (14,560 bytes)
- 7f7237ee738349473ccf926b0d5338a4d015c58e9c18a81981923911e464e868 - 25147.js (16,127 bytes)
- 343f85fb8d91c723acdfd78f92310538b3492c0fd87283311f37aac626739c28 - 32239.js (7,839 bytes)
- bf87804e1f9e09d29f3515b52d11a1a69cda9ca2efb1cb814cd4cb91449eeeda - 5884.doc (146,944 bytes)
- 3bf4ec3e1792207bef35434f481114a68e6f3fb0d1828171fa6c339e389df75c - 6959.js (10,747 bytes)
- d846a22c7e09123eec77b10f4d1499b0e65f14056ecb09214d25624a90ac6b59 - 7973.js (25,627 bytes)
TRAFFIC
Shown above: Pcap of the infection traffic (1 of 3).
Shown above: Pcap of the infection traffic (2 of 3).
Shown above: Pcap of the infection traffic (3 of 3).
HTTP REQUESTS FOR CERBER RANSOMWARE:
- 35.165.86[.]173 port 80 - footarepu[.]top - GET /read.php?f=0.dat
- 35.165.251[.]241 port 80 - ibm-technoligi[.]top - GET /search.php
- 35.165.251[.]241 port 80 - polkiuj[.]top - GET /search.php
CERBER RANSOMWARE POST-INFECTION TRAFFIC:
- 91.117.40[.]0 to 91.117.40[.]31 (91.117.40[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 91.119.40[.]0 to 91.119.40[.]31 (91.119.40[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 91.121.40[.]0 to 91.121.43[.]255 (91.239.24[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.13gmvm[.]top - HTTP post-infection traffic from Cerber decryption link
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.1jw2lx[.]top - HTTP post-infection traffic from Cerber decryption link
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.1plugt[.]top - HTTP post-infection traffic from Cerber decryption link
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.1plugt[.]top - HTTP post-infection traffic from Cerber decryption link
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.1cpy1q[.]top - HTTP post-infection traffic from Cerber decryption link
- 198.105.121[.]51 port 80 - p27dokhpz2n7nvgr.15nhsf[.]top - HTTP post-infection traffic from Cerber decryption link
MALWARE
CERBER RANSOMWARE SAMPLES:
- 52f203c7051ad72b7ec55c5c35bd1efb1a6ff327a0d3bb675196abc6538f276b - Roaming.eXe (665,321 bytes)
- 7e99f3b1ed0427e2a3b004b427b8fee3a8d648cb990ba98ca88bb6c605174115 - Tempnecsazt.exe (422,272 bytes)
- 9cc8007854e0d7d40bab3e19ceece3e82444ccaa409fafea16d797bb3f9b2b56 - Tempzolifge.exe (422,272 bytes)
IMAGES
Shown above: Screenshot of an infected Windows host after rebooting.
Click here to return to the main page.