2017-02-08 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-02-08-Cerber-ransomware-infections-8-pcaps.zip   1.8 MB (1,759,605 bytes)
• 2017-02-08-Blank-Slate-malspam-tracker.csv.zip   1.4 kB (1,374 bytes)
• 2017-02-08-Blank-Slate-emails-and-Cerber-ransomware.zip   3.0 MB (3,017,772 bytes)

 

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAILS

Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 

Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject --- Attachment -- Extracted file)

• 2017-02-06 19:25 UTC -- association@wlpga[.]org -- 37525 [recipient] -- 37525.zip -- 12522.doc
• 2017-02-06 23:03 UTC -- roar@skaje[.]no -- (none) -- 6702547222.zip -- 18298.doc
• 2017-02-07 05:23 UTC -- tdory@avaya[.]com -- (none) -- 5146819558.zip -- 31099.doc
• 2017-02-07 05:39 UTC -- dan.contini@bellsouth[.]net -- (none) -- 67084822703.zip -- 27839.doc
• 2017-02-07 12:01 UTC -- jaapvanzessen@hotmail[.]com -- (none) -- 86303.zip -- 19136.js
• 2017-02-07 13:32 UTC -- evelyne@bodegaselosegi[.]com -- (none) -- 313560966364.zip -- 15827.js
• 2017-02-07 15:11 UTC -- thuri@hvolsvollur[.]is -- (none) -- 35924.zip -- 12375.js
• 2017-02-07 15:23 UTC -- brianmatthews3@talktalk[.]net -- (none) -- 2908891933301.zip -- 28503.js
• 2017-02-07 16:22 UTC -- info@gcplayers[.]com -- (none) -- 13483456070.zip -- 29612.js
• 2017-02-07 22:05 UTC -- jitka.seidlova@nobilis[.]cz -- 28092 [recipient] -- 28092.zip -- 31087.doc
• 2017-02-07 22:18 UTC -- pichat@club-internet[.]fr -- 37948 [recipient] -- 37948.zip -- 2544.doc
• 2017-02-07 22:24 UTC -- carol-belland@sbcglobal[.]net -- (none) -- 23473385819951.zip -- 29729.doc
• 2017-02-08 07:45 UTC -- andrew@mckindland[.]co[.]uk -- 40485 [recipient] -- 40485.zip -- 10885.doc
• 2017-02-08 10:22 UTC -- sharon.wampler@bio4front[.]com -- 27092 [recipient] -- 27092.zip -- 28126.doc
• 2017-02-08 14:58 UTC -- lnekia@verizon[.]net -- (none) -- 2428882.zip -- 21777.doc
• 2017-02-08 16:50 UTC -- kathannejones@gmail[.]com -- (none) -- 87669314.zip -- 7356.doc

 

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

• 06fe8fb8f8682047e200ef9544ae1fda7f49636a53d61c85457da1a0fccbb451 - 27092.zip
• a76f1f97323d57205e83f573771e556db4e7c905bb589d1d719868401d27721e - 28092.zip
• 8ea9647f921a979687b1161a1f73de941e0222475f6c27620a7b8e958993d2af - 35924.zip
• 566cfc3c8e5c1d210b96de301b759387d746d5e88d3a9ef72422e021a28b7e78 - 37525.zip
• 36f465b0804cb41dc3edf5ca93be4ff6113eea65556527e27865922f2ef6ee0d - 37948.zip
• 5895901e1367131b0efa2f77752fc659c369ed44d6e2fa81164a95faefa4628f - 40485.zip
• a63176a071c2f8558cd319dd797a04643b521e092fff42998b85497b36cae330 - 86303.zip
• 623d1357e1283bbe9af455c27855ae65c6877ce94058bf7e83dc6ee25223750e - 2428882.zip
• e8a88016c5973b5cf4cc4321a85d230e8da476511db14c4197f4418c89125dc6 - 87669314.zip
• 0ff5ef4d3a9329f34efe7f985c54c5ac907ab7bef2869fda3df887d9bea2573a - 5146819558.zip
• 4f5c38f1a897baa1734b135e1333b5ea798eb101e9fcf454e73f75fb58c632a1 - 6702547222.zip
• 9753437657ca1bd4a41e6b39ad7ab5886294a050a1e7639df17f0b86981d3693 - 13483456070.zip
• e60da23963572f27c4a0bf17f9615fb86175ceaa4227f5d60cb02ebece7288db - 67084822703.zip
• b04339e3930a2527f9e7125b975a35b33db05069ab8fcfd3f6be84eb83cc075c - 313560966364.zip
• e5f4683027ea1fb7feb01264e0ff8d25f9a8c02e18eec87041f2b552a245f113 - 2908891933301.zip
• 1b5de8a60fdbb1bf3287129ad317936302520cc7eeca8660d2acdfb61faaa4b1 - 23473385819951.zip

 

SHA256 HASHES FOR THE EXTRACTED WORD DOCUMENTS AND .JS FILES:

• 55860bccdb63dcb59a313b072d2f37dbebb56a4f98a385d895ee4a95da791ece - 2544.doc
• 6b85708dbb1cc2409045ed6349febb56c0d5412d07629e7bc6db8fc727f7070e - 7356.doc
• 4d3f4e1880b15641bda4e1b6cf6d0f1639e30a879c9fa20801c6fd16adca2073 - 10885.doc
• a466a415e4bed890e8cc75775a5b20f113865f2e218077e152f4a83d5684967d - 12522.doc
• 711b2f7edb9587d8625920e0e01757f315cf86a7690c49f11e8e1120849c4f70 - 18298.doc
• e6f6da8bb04667548d3c5e695f8d3ef0e16bae74211a1db9528ab886f4441ef9 - 21777.doc
• f6dd9b4ebd0dd4ba1b4d7c7e06c30fce90806b3c4b6eae7eb72afc38fa42d7d0 - 27839.doc
• fbe4dc9a616282558053ff3624039b829ff0a5d74b0e78d786921b87294c31c2 - 28126.doc
• 948416a501822e2566b0e26de37e37918e7e2a77b279357418977cd3d9f3e9e0 - 29729.doc
• bc547c1f94110f4928d2c083f759af3d2246dcc6e9e38c4c2b4ef67e2d0f2791 - 31087.doc
• b875c6d896e01fdd33f7a6ddfa929822f7b2af7e436d82155af3a44cd8159898 - 31099.doc
• 6d2d4d540e57a52bc0ec741caf0d1e3e6718affaffacf4cf27e6129192a3f3f7 - 12375.js
• 4018cac1393a1a20c5d7f8bb659d32d6bba804e20552fe8d00c0245c33031cab - 15827.js
• bfd5cba2b41350a1d6145fab8ce0cda51b734a48d6287236459177d93ff0a3b9 - 19136.js
• 099e29953df07da0e45495618e29e0b07684293603fecb430b1e04e0a6fb9f36 - 28503.js
• e7af675844208e6b6acdb3582a29c09f26890faf58675dcc528bce977673a43c - 29612.js

 

TRAFFIC

Shown above:  Example from a full infection chain of traffic filtered in Wireshark.

 

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• 192.189.25[.]184 port 80 - rapidytrust[.]top - GET /search.php
• 104.155.4[.]180 port 80 - unitystydiying[.]top - GET /search.php
• 192.189.25[.]184 port 80 - unitystydiying[.]top - GET /search.php
• 104.155.4[.]180 port 80 - unityvolverline[.]top - GET /search.php
• 192.189.25[.]184 port 80 - unityvolverline[.]top - GET /search.php
• 62.109.30[.101 port 80 - www.doorasope[.]top - GET /read.php?f=1.gif
• 62.109.30[.]101 port 80 - www.fapoergol[.]top - GET /read.php?f=1.gif

IP INFORMATION FROM THE ABOVE URLS:

• 62.109.30[.]101 - Russia: ISPsystem
• 104.155.4[.]180 - US: 180.4.155[.]104.bc.googleusercontent[.]com
• 192.189.25[.]184 - US: Hostlayer - Hydraburx Corporation

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

• 91.119.56[.]0 to 91.119.56[.]31 (91.119.56[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.120.56[.]0 to 91.120.56[.]31 (91.120.56[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 91.121.56[.]0 to 91.121.59[.]255 (91.121.56[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 23.152[.]0.219 port 80 - p27dokhpz2n7nvgr.1d8m97[.]top - Cerber ransomware post-infection HTTP traffic
• 23.152[.]0.219 port 80 - p27dokhpz2n7nvgr.1bj4k9[.]top - Cerber ransomware post-infection HTTP traffic
• 23.152[.]0.219 port 80 - p27dokhpz2n7nvgr.1vjnyh[.]top - Cerber ransomware post-infection HTTP traffic
• 23.152[.]0.219 port 80 - p27dokhpz2n7nvgr.1b3qjy[.]top - Cerber ransomware post-infection HTTP traffic

 

MALWARE

CERBER RANSOMWARE SAMPLES:

• 62c4b3af788dc2d6ab32850a170767a1664f4fca1f1a6180c927068d8811e8c8 - 2017-02-07 Cerber ransomware from doorasope[.]top   (324,852 bytes)
• dc423a0511201832e88f42d0aae587d5fa4ef52ad5ebe7105c29b0573b13f0ac - 2017-02-07 Cerber ransomware from unitystydiying[.]top   (324,851 bytes)
• b621e6fd27d03da165bcd1244e5a37b6db514af8aa96372b02891b2ca6234704 - 2017-02-07 Cerber ransomware from unityvolverline[.]top (1 of 3)   (324,851 bytes)
• 77d690a9ebd865c351705b1611f530a43a33e3b4e31394936b0b9356c48ce86f - 2017-02-07 Cerber ransomware from unityvolverline[.]top (2 of 3)   (246,515 bytes)
• cb97668dea319f38108ed6935b6e2144c2046bb45d044aa7650a336ad78faa17 - 2017-02-08 Cerber ransomware from rapidytrust[.]top   (265,754 bytes)
• 2e2612512de586420185d1390c2bef746eac906d9a0e266c059c3c781eabd3a1 - 2017-02-08 Cerber ransomware from unityvolverline[.]top (3 of 3)   (246,515 bytes)

 

IMAGES

Shown above:  One of the infected hosts after rebooting.

 

Click here to return to the main page.