2017-02-02 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-02-Cerber-ransomware-infections-8-pcaps.zip   2.1 MB (2,097,793 bytes)
• 2017-02-02-Blank-Slate-malspam-tracker.csv.zip   2.0 kB (1,949 bytes)
• 2017-02-02-Blank-Slate-emails-and-Cerber-ransomware.zip   3.7 MB (3,679,596 bytes)

 

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAILS

EMAILS GATHERED:

(Read: Date/Time -- Sending mail server -- Sending address (spoofed) -- Subject --- Attachment -- Extracted file)

• 2017-01-31 06:49 UTC -- sherryloveless@gmail[.]com -- (none) -- 32078.zip -- 14786.js
• 2017-01-31 15:11 UTC -- chazy@baby200.wanadoo[.]co[.]uk -- (none) -- NATASHA-0758166912792-[recipient].zip -- 19943.js
• 2017-01-31 19:54 UTC -- carol@mirror[.]co[.]uk -- (none) -- EMAIL-261102143-[recipient].zip -- 1937.js
• 2017-01-31 23:26 UTC -- [recipient]@siteminis[.]com -- (none) -- 837803.zip -- 10788.js
• 2017-02-01 02:33 UTC -- [recipient]@walthamstowvillage[.]net -- (none) -- 7446478870788.zip -- 5795.js
• 2017-02-01 08:19 UTC -- vacancy@africa-re[.]com -- (none) -- EURO-86073411546162-[recipient].zip -- 21492.js
• 2017-02-01 08:37 UTC -- sherryloveless@gmail[.]com -- (none) -- 082820209.zip -- 31237.js
• 2017-02-01 10:49 UTC -- [recipient's email address] -- (none) -- 01074.zip -- 29662.js
• 2017-02-01 11:12 UTC -- xiayaoyao@lansing[.]cn -- (none) -- EMAIL-1-[recipient].zip -- 6020.js
• 2017-02-01 13:00 UTC -- la.piscine.technique@free[.]fr -- (none) -- 31969.zip -- 10560.js
• 2017-02-01 13:13 UTC -- tjld@knology[.]net -- (none) -- BUY-18793-[recipient].zip -- 3141.js
• 2017-02-01 13:51 UTC -- tbullard@umassd[.]edu -- (none) -- 13965649237.zip -- 2446.js
• 2017-02-01 17:19 UTC -- gracedsenoglu@gmail[.]com -- (none) -- 730916376328.zip -- 13038.js
• 2017-02-01 22:49 UTC -- yoga.zehentner@aon[.]at -- (none) -- 7962292742767.zip -- 15992.js
• 2017-02-02 00:07 UTC -- cettina81@alice[.]it -- (none) -- EMAIL_2366569_[recipient].zip -- 31282.js
• 2017-02-02 08:11 UTC -- dayachuhan214@yopmail[.]com -- (none) -- EMAIL_406295777_[recipient].zip -- 21608.js
• 2017-02-02 10:45 UTC -- p_reilly@pacbell[.]net -- 63394 [recipient] -- EMAIL_63394_[recipient].zip -- 9348.js
• 2017-02-02 15:17 UTC -- tiergirly10@diddlpost[.]de -- 29034 [recipient] -- EMAIL_29034_[recipient].zip -- 1059.js
• 2017-02-02 15:49 UTC -- sadie@rootsthesalon[.]com -- (none) -- 898752962501308.zip -- 24428.js
• 2017-02-02 16:31 UTC -- tosbik21@indowslive[.]com -- 37173 [recipient] -- EMAIL_37173_[recipient].zip -- 1187.js
• 2017-02-02 17:02 UTC -- alexandra.franco@srmmlaw[.]com -- 59918 [recipient] -- EMAIL_59918_[recipient].zip -- 32255.js
• 2017-02-02 17:10 UTC -- vokurkova@af.czu[.]cz -- 1633 [recipient] -- EMAIL_1633_[recipient].zip -- 19669.js
• 2017-02-02 19:23 UTC -- ticao2@ig[.]com[.]br -- 27699 [recipient] -- EMAIL_27699_[recipient].zip -- 18791.js
• 2017-02-02 19:39 UTC -- association@wlpga[.]org -- 58597 [recipient] -- EMAIL_58597_[recipient].zip -- 19851.js
• 2017-02-02 19:40 UTC -- pquinn@seven[.]com[.]au -- 3935 [recipient] -- EMAIL_3935_[recipient].zip -- 19851.js
• 2017-02-02 20:56 UTC -- dan_calkin@maysoft[.]com -- (none) -- 6984079248.zip -- 1864.js

 

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

• d29e1fe9b37a6d4035445087d602f46245c10837888daa212b02ec63c8b7ee2f - 01074.zip
• 57dc406b134e1c41c0540caa7c0a2a34bbd86e6412e4bfa478b00dd708774398 - 082820209.zip
• 0afe1fcc88a68df44b77bae862c9ebdb0b9ef78afd95a15d78514f4a91565244 - 13965649237.zip
• 150c40d42192c4d1d630b7d55f6054de171867a69dbfb5ce2c65915ba2197ec2 - 31969.zip
• 9b404c5ba9befc3e329dc9b79ae331d312641b6d984da2402d67e276e981c73e - 32078.zip
• bf655b39e2699c9dd8f994c0096620420ef512b2af0c7f1913621980aa5ae19f - 6984079248.zip
• 159bb8eda1e84dfc1eccd7ce90c9c093c50a3d59bd5e4fb4edd68e56987fe8e1 - 730916376328.zip
• ecd9399f9edad93f15721ed8a332f39075a543029fe313656bfbc6f630cc87a3 - 7446478870788.zip
• 1c34547f8373d0afcb0f5c7ab3ab7a6ff4516707be54a22b60f4190e4ab10f73 - 7962292742767.zip
• 20501299404369b0acae6da12ae43480669fbd2016b675eb8e40a94b0d7cc0d4 - 837803.zip
• 8314d30cafb012072df661056ef056cef4557b242b39e6bf94f1505941182456 - 898752962501308.zip
• 05df5aaf9882f7e976f4b50f15425602b7aa6b8a9ea8f6139f7c1b55134f9e69 - BUY-18793-[recipient].zip
• ba3da073fc6239129163967c0bff113ad234c76d515bd08f89f8a683ba951d31 - EMAIL-1-[recipient].zip
• 6c171351cb348af407cb305df941ce827c523c86ce3083a6df02a047845a2748 - EMAIL-261102143-[recipient].zip
• e55698c13bee94b817cce761b58d989ec2ca1f0ebd4c757096a6a2e465479cd7 - EMAIL_1633_[recipient].zip
• 1f4a0191e94b308e217a6c09e6193227694009c175b26ceb124135394b0c7cb8 - EMAIL_2366569_[recipient].zip
• bb9ec9d15805956c08b61550108bc1b6a2df2b3430fff73ed3080f20289db7a7 - EMAIL_27699_[recipient].zip
• e5be13450ca054480510ddcc7e8bd4c4f56a17cc10a1bcca9c659b1a42eb7f24 - EMAIL_29034_[recipient].zip
• f104fd0795b6d75ee4f72b9b41070f7b8c74a523a96af93dd6f0cb6e918e9813 - EMAIL_37173_[recipient].zip
• 57f625ff7743b6bc834f4e610d0e23d5e1a5c1b18e74c2b28fc3cc1593d09d86 - EMAIL_3935_[recipient].zip
• 2d9d45f6886d7c78f19d2f50ac7009186ae9590f9d589c06618968e5779148ad - EMAIL_406295777_[recipient].zip
• 57f625ff7743b6bc834f4e610d0e23d5e1a5c1b18e74c2b28fc3cc1593d09d86 - EMAIL_58597_[recipient].zip
• 7e89b98e36d591fb0e561651aab387f5d6f09d6cd043b09fddf6f22b841bafbe - EMAIL_59918_[recipient].zip
• 9dc715e5a00e0f0074be902b60be3bb0bede5fbeb8f4435c65dbeb83c2ba40a0 - EMAIL_63394_[recipient].zip
• 1cff25c37a657be0fb08305a5f160025c597bd3ef1f1963b9b9a75620a51c704 - EURO-86073411546162-[recipient].zip
• 10ead7a2699e611c2591383c45b4ae47ad87170d5526ff4415b49ae437247f51 - NATASHA-0758166912792-[recipient].zip

 

SHA256 HASHES FOR THE EXTRACTED .JS FILES:

• 4b639532a1b6b8b8d324a010f56759118ab168223bbc3a520d01d1bc7f6668a0 - 10560.js
• 9ebe67c8c4f942858e4a933a6c8b8b32e76be974f8525366a04faf2298713460 - 1059.js
• 2fda80bfa544f75f1669f313502242b7ef4818b476a78a9eed65119f218f7262 - 10788.js
• 3cd1807d1411067d5f3ac895a574d154e411fc460a45bfd49d24a3f5be33fff0 - 1187.js
• 779dcf654d8269dd470d234f9d3989a5cda4485feee39392b24e2ef911dc8d0b - 13038.js
• a8f12f9edcbc06e622b4c5e1af8c691cdafd99868584234a3e7c9c9854b976e6 - 14786.js
• 40de7317f63792df7153c439fa774db90136febbf54191fd7b341bd80525e360 - 15992.js
• 60f310cef9e8b7b75427afb4a87ba77c9db13cbc5adc90228a3bc692c9146cb6 - 1864.js
• fa6fe87a4300f2c9b19338ea5595a5854550f169bf2ddd964a2cf33fcfe902d6 - 18791.js
• 0fcdee80dd202b207a3955dc3dcb7ae45170b78c72ab013fa0a6aa6a5b01d5cf - 1937.js
• dc2965ebb153623451b5c62d90a75243cba96dcf1ad2bbd380722438d99b7c58 - 19669.js
• 5d3439c8e19a4fb8f615746c3c7ed3b899c1b7005d3a12e0b39bb914f556e5c4 - 19851.js
• 8bef95150567be06dabd056c8aed72e68a8fc76a4412a34eac382ff46e758675 - 19943.js
• f927f99510870b7d307ceeebf818ddd133a9e804329b7f46bc9fdd0e3d6cfabc - 21492.js
• f3a6066e9a3320cc66ce94ce1b02a18eef9157efef8e7953e8a1adcdf3948b87 - 21608.js
• 0ace9f1e63ff7c0340abf36a6eb38c404c7f72b82fb23d9a19fc9deebc93f521 - 24428.js
• 40de7317f63792df7153c439fa774db90136febbf54191fd7b341bd80525e360 - 2446.js
• 0547e101ec43a5aff7dcf04dc9e1b672f7135fbf63190613e1e53cf2fac59cf2 - 29662.js
• ebc8b3c8b09fc5787053b046e9724638b5f436a46685c92302bd01196b4a794d - 31237.js
• 4c4390bdb4333770168f2109114c493ea441085b41fddfbbe4a8bd27557e8ef8 - 31282.js
• 76d28debd5ff6ae3d7e64b425dfbe26772e7db0f8c350f9defcd693c02ebcb20 - 3141.js
• 1e7e8fdc055505b9b236dc8d3c2a7439b26405f6f7c8a9527bda56c7f1cbd392 - 32255.js
• 33a139ca303f425f764a56c1bed2d06d8f9ac1d464f364db3ae171549bfd86a9 - 5795.js
• 7e480f808c64928697c5c0f78777ba8b68c5860814cf53b222fb87ae32dbb375 - 6020.js
• 8eaf7015e708146700e037b926244ece5f62d35a1adf9f6a6d3cd7badde07eb9 - 9348.js

 

TRAFFIC

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• 46.173.219[.]161 port 80 - adibas[.]top - GET /search.php       (Russia: Garant-Park-Internet LLC)
• 35.163.101[.]72 port 80 - guntergoner[.]top - GET /admin.php?f=1.dat       (US: Amazon Web Services)
• 185.159.130[.]89 port 80 - guntergoner[.]top - GET /user.php?f=1.dat       (Russia: IT Outsourcing LLC)
• 62.109.29[.]26 port 80 - ibm-technoligi[.]top - GET /search.php       (Russia: FirstVDS)
• 46.173.219[.]161 port 80 - polkiuj[.]top - GET /search.php       (Russia: Garant-Park-Internet LLC)
• 35.163.101[.]72 port 80 - suzemodels[.]top - GET /admin.php?f=1.dat       (US: Amazon Web Services)
• 185.159.130[.]89 port 80 - www.astrovoerta[.]top - GET /admin.php?f=1.dat       (Russia: IT Outsourcing LLC)
• 35.163.101[.]72 port 80 - zofelaseo[.]top - GET /admin.php?f=1.dat       (US: Amazon Web Services)

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

• 91.117.40[.]0 to 91.117.40.31 (91.117.40[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.119.40[.]0 to 91.119.40.31 (91.119.40[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.121.40[.]0 to 91.121.43.255 (91.239.24[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 23.163[.]0.114 port 80 - p27dokhpz2n7nvgr.1cq7dg[.]top - HTTP post-infection traffic from Cerber

 

MALWARE

CERBER RANSOMWARE SAMPLES:

• 43f63836a14320c6f93331d9e236720d757e5c0fcacc990d0ab4befd3ebb3c02 - Cerber ransomware from adibas[.]top (301,803 bytes)
• b2d244291a87b8abd7c405f76423e94b53fe7d152856fcdbfba169d971d99ff1 - Cerber ransomware from guntergoner[.]top and www.astrovoerta[.]top (301,804 bytes)
• cf5498f400af82a0786bb9a428944178925ee59d76c2dd881fce3a05087a04e4 - Cerber ransomware from ibm-technoligi[.]top (347,865 bytes)
• 999d19249d1072fcd698e1ede998aab0a64e9a752176a65e44ef340757d26639 - Cerber ransomware from polkiuj[.]top (244,798 bytes)
• 939d68580cc29a708a6830bc62bda3ec31afb83299c0686c32cf9f8d06ebfdc3 - Cerber ransomware from suzemodels[.]top (244,799 bytes)
• 59b1af473edf5bacf31eb7c47871886ec03a3d48ab664ded29f3410205744ce9 - Cerber ransomware from zofelaseo[.]top (244,799 bytes)

 

Click here to return to the main page.