Malware-Traffic-Analysis.net - 2017-03-10 - "Blank Slate" campaign continues sending Cerber ransomware

2017-03-10 - "BLANK SLATE" CAMPAIGN CONTINUES SPREADING CERBER RANSOMWARE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-03-10-Cerber-ransomware-from-fordfocuscommunoityesz_top.pcap.zip 291.6 kB (291,620 bytes)
2017-03-10-Blank-Slate-malspam-tracker.csv.zip 1.7 kB (1,712 bytes)
2017-03-10-Blank-Slate-emails-and-Cerber-ransomware.zip 1.6 MB (1,577,580 bytes)

NOTES:

For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

EMAILS

Shown above: Information from the spreadsheet tracker (part 1 of 2).

Shown above: Information from the spreadsheet tracker (part 2 of 2).

EMAILS GATHERED:

(Read: Date/Time -- Sending mail server -- Sending email (spoofed) -- Subject -- Attached zip -- Extracted file)

2017-03-01 23:32 UTC -- 123.123.112[.]235 -- info@marupei[.]net -- 45200 [recipient] -- 381853.zip -- 19869.js
2017-03-02 13:37 UTC -- perm[.]ru -- chartwig@tayganpoint[.]com -- 6601 [recipient] -- 0188890.zip -- 7211.js
2017-03-02 15:25 UTC -- optix[.]pk -- hazy@baby200.wanadoo[.]co[.]uk -- 32407 [recipient] -- 61.zip -- 19164.js
2017-03-02 15:50 UTC -- 85.172.54[.]45 -- balaji@mcs.anl[.]gov -- 50385 [recipient] -- 39562516250.zip -- 11091.js
2017-03-02 17:09 UTC -- 188.16.75[.]130 -- ikucukyumuk@iics.k12[.]tr -- 3403 [recipient] -- 03193598.zip -- 5726.js
2017-03-02 17:24 UTC -- 5.140.21[.]171 -- jay.handelman@heraldtribune[.]com -- 41778 [recipient] -- 8488.zip -- 18893.js
2017-03-02 17:56 UTC -- 200.63.105[.]58 -- cozmechtopech@wp[.]pl -- 1658 [recipient] -- 7187.zip -- 30351.js
2017-03-02 22:05 UTC -- 5.140.7[.]28 -- rcoburn@partners[.]org -- 45398 [recipient] -- 8126827.zip -- 25174.js
2017-03-02 22:34 UTC -- iol[.]cz -- zippol@libero[.]it -- 16518 [recipient] -- 895473653.zip -- 14505.js
2017-03-02 22:36 UTC -- vnpt[.]vn -- x81@84[.]8m -- 50588 [recipient] -- 21371980.zip -- 5022.js
2017-03-03 08:14 UTC -- perm[.]ru -- [removed]@siteminis[.]com -- 20622 [recipient] -- 112.zip -- 17087.js
2017-03-03 09:15 UTC -- 178.46.114[.]28 -- sales@deltaqua[.]co[.]uk -- (none) -- 481301984222.zip -- 22371.js
2017-03-03 11:14 UTC -- 115.84.70[.]234 -- intensecare@yahoo[.]com -- 58698 [recipient] -- 912909269.zip -- 26894.js
2017-03-03 14:46 UTC -- rt[.]ru -- awlor@bristol[.]ac[.]uk -- 1117 [recipient] -- 509737801454611.zip -- 27200.js
2017-03-03 15:05 UTC -- 153.145.253[.]132 -- amster158@earthlink[.]net -- 62665 [recipient] -- 62437.zip -- 11603.js
2017-03-03 19:14 UTC -- 188.17.37[.]186 -- [removed]@highlandsumc[.]net -- 62489 [recipient] -- 252791429277538.zip -- 29965.js
2017-03-03 22:58 UTC -- 155.0.35[.]110 -- honigbiermeier@t-online[.]de -- 34956 [recipient] -- 533840.zip -- 30588.js
2017-03-04 03:30 UTC -- 123.24.177[.]196 -- lofotseminaret@europharma[.]no -- 34142 [recipient] -- 8791537.zip -- 4009.js
2017-03-09 21:53 UTC -- ucsd[.]edu -- kristinatoye@aim[.]com -- (none) -- 944862394.zip -- 18329.js
2017-03-10 06:56 UTC -- 113.58.117[.]216 -- m.pelc@gallsro[.]cz -- 55597 [recipient] -- 94827519898.zip -- 31694.js
2017-03-10 14:25 UTC -- redfoxtelecom[.]com[.]br -- brothercole@comcast[.]net -- 47599 [removed] -- 78117788.zip -- 27992.js
2017-03-10 14:28 UTC -- cm-84.210.220[.]206.getinternet[.]no -- lsaleh@idealstandard[.]com -- 12999 [recipient] -- 75839.zip -- 18796.js
2017-03-10 17:21 UTC -- 191.243.82[.]3 -- ron.guggenheim@cbhk[.]com -- (none) -- 7244234060.zip -- 9946.js
2017-03-10 20:48 UTC -- ttknet[.]ru -- mik@hartford[.]edu -- 61346 [recipient] -- 0995137708827.zip -- 8767.js

TRAFFIC

Shown above: Example from an infection filtered in Wireshark (clicked on all of the decryption instruction links).

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

2017-03-02: 173.254.221[.]115 port 80 - www.hlowdolax[.]top - GET /user.php?f=1.gif
2017-03-02: 173.254.221[.]115 port 80 - www.hjaoopoa[.]top - GET /user.php?f=1.gif
2017-03-04: 173.254.221[.]115 port 80 - www.foolalexas[.]top - GET /user.php?f=1.gif
2017-03-04: 54.202.16[.]39 port 80 - pentsshoperqunity[.]top - GET /search.php
2017-03-10: 104.199.9[.]203 port 80 - nikesportweardewvv[.]top - GET /search.php
2017-03-10: 52.42.5[.]86 port 80 - www.dpooldoopla[.]top - GET /user.php?f=1.gif
2017-03-10: 52.42.5[.]86 port 80 - www.sosgenergalz[.]top - GET /user.php?f=1.gif
2017-03-10: 104.199.9[.]203 port 80 - fordfocuscommunoityesz[.]top - GET /search.php

CERBER RANSOMWARE POST-INFECTION TRAFFIC ON 2017-03-10:

11.11.127[.]0 to 11.11.127.31 (11.11.127[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
14.77.242[.]0 to 14.77.242.31 (14.77.242[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
87.98.148[.]0 to 87.98.151.255 (87.98.148[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic

104.232.39.245 port 80 - p27dokhpz2n7nvgr.14udep[.]top - Cerber ransomware post-infection HTTP traffic
104.232.39.245 port 80 - p27dokhpz2n7nvgr.1aweql[.]top - Cerber ransomware post-infection HTTP traffic
104.232.39.245 port 80 - p27dokhpz2n7nvgr.1axzcw[.]top - Cerber ransomware post-infection HTTP traffic
104.232.39.245 port 80 - p27dokhpz2n7nvgr.1jemdr[.]top - Cerber ransomware post-infection HTTP traffic
104.232.39.245 port 80 - p27dokhpz2n7nvgr.1hw36d[.]top - Cerber ransomware post-infection HTTP traffic

MALWARE

ATTACHMENETS:

094c9205fb749f2d035b676e82d6da41811ca385e13efd6e4d9483dd87429bbf - 0188890.zip
62e1792cf30621a021b8218d5948bd8c056acdb203a3cdee2d54c80854a8fa67 - 03193598.zip
ffdd1e50d1addb2ef54b87d34efe313baba997975e52a47ca61ae747b81e4a2e - 0995137708827.zip
4f36015e995f871f5cdad48a7d68d9d4ed086bba79da6c48684c945c63d2194c - 112.zip
e236d8f34c155110025de994a70b1d06af5b8623d594b03cfab43940b78e4c77 - 21371980.zip
adbfbc4f9458f9f7e356916eaf266e11cc86066f5f5021bfb6cbfe1aa98beecd - 252791429277538.zip
39e02055c246b27770baed1dd47f4334fc6f7a24ae162856ec98dce7f6650492 - 381853.zip
14e7fa27f6017110d798c7f49e9716484b0ed2d473128507d92ac5dcc74dea3e - 481301984222.zip
5def6f58859542d040c595c674e0011955aa3e2d457c259c3c59bb250ca00fe1 - 509737801454611.zip
3c7c09f698d618a8e02df5a72967d3c106c4aaeb56e8ed694fa53a5f21dea671 - 533840.zip
dd9f5bc3ae2f004c75969aee50e257a1c32346e20caf5cf0f74d2344c418b815 - 539562516250.zip
e42c3b3a17b291583f3231519cd46fefe4d0764dc7d1285750cd4e211b5e5a1c - 61.zip
82784a7eb5dd76da39a8b5e3e2d79e7f9df39bc98146d91b34871d1bae164ee8 - 62437.zip
5faf01d80a2e0c0b7b72485d1b3af8b45a5b838f4db1fcfbd0cbf2b58ea648ea - 7187.zip
efaa4b704efbcc03d6281c640e8d5850afaacc343aab72a984fda49342910b60 - 7244234060.zip
368a00452a8c67dd46f1577ea09e0fd35dec929793b52bf2fe1ea7946c4f1948 - 75839.zip
2ee55f1f71c03b6081e3f58c63afb56c2bc4940798fc38e5a922777ac1dcba2b - 78117788.zip
92d0ea091f50d8555d80509b72fed453f937899b2262323b6f0c475445442794 - 8126827.zip
788df38b136152bd22708f05205854441c036ca56857387779ea9d0718afc250 - 8488.zip
94ad8b82102e56a5ee2377b46a49b88e869db283fef57ce6d6ff271acc6ad187 - 8791537.zip
ad5a118572624a97cda83915272905c471c6293313f21664866b13752e761c3f - 895473653.zip
3581c0af8de3a68ab63271c94ff8f1a168d1eaa8b70434202fbec2b6d7e78dd1 - 912909269.zip
808d58c580a6652a2cf52fe8ab990aa61dcff3ba41977c5bffb519c2480f007a - 944862394.zip
b0043a3253c8eed6905ce912f5477b875f3e2b0591c859bcb090a31e0976c770 - 94827519898.zip

EXTRACTED FILES:

d162befd305176180f52504cb5018f21b1ebaef25fc1324d28d82b6425a03ae6 - 11091.js
79f74371637b7e8f9d90269d307a9f020ae011490206dbff819a2fe40bc35a78 - 11603.js
3f4d57bdbe47d850cc0cbba8dd3e9a6e8efc83e55edc088577655b44f7140923 - 14505.js
a8dbbc5b783ce04b1ca74eecece6720a63fff7a0aea41d2ad5333428093ae0cd - 17087.js
15992fbc8322841364af73205c0287584d6d74bce4d4c425c2c9bec882b9440b - 18329.js
e51c9452897b5b7a88850d1e371a4dd72642122d9eebdecf6dd7c592f09542ef - 18796.js
86cce3d47277f027becd8a3e75d669d15a0c54c319dcc590c393b3bacc5735d3 - 18893.js
1719a0265b60012506c71fdcaf3418c5fbf03245199e8d577c85cc2a97d05e28 - 19164.js
e8dd4cd9849adc906848cf99eedcca20d38d853089cfe207b55f201b8dff424b - 19869.js
feca7cb28ac2413af0eb0e5cda44f65cfd311307501fe04470faea641e353023 - 22371.js
8a7352af6b740313e456145ba6c32625ea017516a6cbb9d6381dbf61a693c565 - 25174.js
a3cc933a54f46377ba5ae9ee8469b4247e2274f36389fdcd12e88b65ecbf1d6c - 26894.js
93b8a6bec052d70ddd1b443ec63cfbc6642913a9ab28d2682f59777a9b57c044 - 27200.js
e51c9452897b5b7a88850d1e371a4dd72642122d9eebdecf6dd7c592f09542ef - 27992.js
325a260aa611812769b882fc2d45253cfcd4886c421e33648a72a67f21440e17 - 29965.js
f6d8bd2280148f4364e599d9a21b1ec40426ce2240671699932e27f32e2e9894 - 30351.js
ac8ff438a184e6639c714583b19e3b8821a9d0d4f039061aaed272c01f88e40a - 30588.js
63d3d454c17c58be2067622b0d05cf26488f04f65e57fcb47fc038cf01520c02 - 31694.js
2093009b92de2bc52638eedb6eb209f763b1fb4e4b5aa405c2a86b7a136426ce - 4009.js
3f4d57bdbe47d850cc0cbba8dd3e9a6e8efc83e55edc088577655b44f7140923 - 5022.js
180df09bd760369f14cb8c2391eff81f7e2a3e7fbf43aaef65d6adb94ec11d77 - 5726.js
70b8ac5e2ee75957e1d8196d5bdcf2b962b6f3cf4f3a33735ea3196edc45349d - 7211.js
c53aab594b875dd01003cc40b22d072b6c8498f66f21e9e18b26253c4626a959 - 8767.js
c8f36d78e77963c99bcf24fedb42bbf7b4453b53698b1061a6ffdd80d919b6d1 - 9946.js

CERBER RANSOMWARE SAMPLES:

22be9e72937361e02b7ef9798eaf25f1fbe50b562b2c0e9c14190f616391abed - Cerber ransomware from dpooldoopla[.]top (324,882 bytes)
74b5818b494654d75dba1862163514c00170f871d13e95bca3dd7b0380282d33 - Cerber ransomware from fordfocuscommunoityesz[.]top (285,087 bytes)
9f9356ecd657cabd1e693b987f3deae9e68b08c2c647f2039247d47541a05f10 - Cerber ransomware from sosgenergalz[.]top (324,882 bytes)

IMAGES

Shown above: An infected host after rebooting.

Click here to return to the main page.