2017-03-14 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-14-Cerber-ransomware-infections-6-pcaps.zip   1.4 MB (1,352,422 bytes)
• 2017-03-14-Blank-Slate-malspam-tracker.csv.zip   1.3 kB (1,267 bytes)
• 2017-03-14-Blank-Slate-emails-and-Cerber-ransomware.zip   2.2 MB (2,183,840 bytes)

 

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAILS

Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 

Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 

EMAILS GATHERED:

(Read: Date/Time   --   Sending mail server   --   Sending email (spoofed)   --   Subject   --   Attached zip   --   Extracted file)

• 2017-03-13 05:27 UTC -- sky[.]com -- dsteenhuisen@highstreamnet -- 3156 [recipient] -- 4448031853.zip -- 9523.js
• 2017-03-13 05:53 UTC -- hinet[.]net -- ennerson@iusd[.]org -- (none) -- 89722.zip -- 12564.js
• 2017-03-13 14:46 UTC -- 188.248.155[.]181 -- [spoofed as recipient's address] -- (none) -- 7205050638636.zip -- 6453.doc
• 2017-03-13 17:23 UTC -- 41.60.232[.]215 -- honigbiermeier@t-online[.]de -- 49655 [recipient] -- 362288.zip -- 12664.js
• 2017-03-13 22:05 UTC -- 183.248.251[.]242 -- cancillo@ua[.]es -- 44415 [recipient] -- 45520430308666.zip -- 30201.js
• 2017-03-13 23:09 UTC -- telkomsa[.]net -- [removed]@pearlresearch[.]com -- (none) -- 6215369796.zip -- 9797.js
• 2017-03-14 00:03 UTC -- ttknet[.]ru -- kasserer@villingevand[.]dk -- 48592 [recipient] -- 57291814.zip -- 25329.js
• 2017-03-14 07:33 UTC -- hinet[.]net -- [removed]@pearlresearch[.]com -- (none) -- 213826.zip -- 18636.js
• 2017-03-14 09:46 UTC -- 188.18.194[.]101 -- info@snowandice[.]com -- 42551 [recipient] -- 5151046.zip -- 16113.js
• 2017-03-14 11:37 UTC -- aamranetworks[.]com -- juyesaka@cox[.]net -- (none) -- 379708945.zip -- 32767.js
• 2017-03-14 13:43 UTC -- plateautel[.]net -- tenders@it5[.]co[.]za -- (none) -- 05213290175358.zip -- 30346.js
• 2017-03-14 14:52 UTC -- zaural[.]ru -- krankenzusatz@preisvergleich[.]de -- (none) -- EMAIL_3545_[recipient].zip -- 22760.js

 

TRAFFIC

Shown above:  Example from an infection filtered in Wireshark (clicked on all of the decryption instruction links).

 

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• 104.199.9[.]203 port 80 - citointechnologiesalefor[.]top - GET /search.php
• 104.199.9[.]203 port 80 - ponmaredimare[.]top - GET /search.php
• 104.199.9[.]203 port 80 - toytyaclucomunit[.]top - GET /search.php
• 69.90.132[.]93 port 80 - www.fkauueeepla[.]top - GET /user.php?f=1.gif
• 130.211.103[.]246 port 80 - www.fkauueeepla[.]top - GET /user.php?f=1.gif
• 69.90.132[.]93 port 80 - www.googlefoad[.]top - GET /user.php?f=1.gif
• 130.211.103[.]246 port 80 - www.googlefoad[.]top - GET /user.php?f=1.gif
• 69.90.132[.]93 port 80 - www.weekendlk[.]top - GET /user.php?f=1.gif
• 130.211.103[.]246 port 80 - www.weekendlk[.]top - GET /user.php?f=1.gif

CERBER RANSOMWARE POST-INFECTION TRAFFIC ON 2017-03-14:

• 11.11.127[.]0 to 11.11.127[.]31 (11.11.127[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 14.77.242[.]0 to 14.77.242[.]31 (14.77.242[.]0/27) UDP port 6892 - Cerber ransomware post-infection UDP traffic
• 87.98.148[.]0 to 87.98.151[.]255 (87.98.148[.]0/22) UDP port 6892 - Cerber ransomware post-infection UDP traffic

• 104.232.37[.]30 port 80 - p27dokhpz2n7nvgr.1apkjn[.]top - Cerber ransomware post-infection HTTP traffic
• 104.232.37[.]30 port 80 - p27dokhpz2n7nvgr.16qpet[.]top - Cerber ransomware post-infection HTTP traffic
• 104.232.37[.]30 port 80 - p27dokhpz2n7nvgr.1jhnvt[.]top - Cerber ransomware post-infection HTTP traffic
• 104.232.37[.]30 port 80 - p27dokhpz2n7nvgr.1dsdm4[.]top - Cerber ransomware post-infection HTTP traffic
• 104.232.37[.]30 port 80 - p27dokhpz2n7nvgr.14udep[.]top - Cerber ransomware post-infection HTTP traffic

 

INFORMATION ON THE IP ADDRESSES:

• 69.90.132[.]93 - Peer 1 Network (USA) Inc. - ip-69-90-132-93.chunkhost[.]com
• 104.199.9[.]203 - Google - 203.9.199[.]104.bc.googleusercontent[.]com
• 130.211.103[.]246 - Google - 246.103.211[.]130.bc.googleusercontent[.]com

 

MALWARE

ATTACHMENETS:

• 6178a097f97e791c54d0e89e19e691b52fa4d0c09fe8efb154ddf45a05294f55 - 05213290175358.zip
• 1a8d76445a1c6613f0e37834b05069437466f22ea40cf54ebe6030e468a16d1e - 213826.zip
• 1170de9e47beeab7baa28ed5935a0f130b9146010f22641a39ea45613f8ad370 - 362288.zip
• 0768e7dc13f1a85ef1ccad90b96f6842102ee166762c62cd037f941f96ede0c3 - 379708945.zip
• c1befefeb29263a60ca53a6bdc01feb26f92251680ad8a0ba13121ca807d0793 - 4448031853.zip
• 49121b6315aa6ca0d86333d7e5314b1ea6b6fc2efcc5a73f3bbe5eb29bf99d5a - 45520430308666.zip
• cb4a06bc3da2c7d99fd2a3bcdbfd4389ad162d2bb5ca4cd67e297f7afc958a48 - 5151046.zip
• 81240884a63311f36954ff26f81048dacad1de5d371f2a87fc7d254cf2cffddb - 57291814.zip
• 2a7e40952271116f03eeef91ec9172f90993356a0e82e6607d8fdac7575c2c51 - 6215369796.zip
• 7a121aea03a174ae0d5b34f38303c58e456053b397f9182fb544d7881450e7d7 - 7205050638636.zip
• b1f49c12e58bcfef0d7084a680570045c326ad8c6bd26743e17b81d491bb4648 - 89722.zip
• 12ca1c5dff6811df45b6c740957178010b18a1601c0706d788b263f0c54e9036 - EMAIL_3545_[recipient].zip

 

EXTRACTED FILES:

• 6c93491a7881e3e10618575caaa416c857fd89518cb0e97f7f520240bf7d5840 - 12564.js
• ddade281c715b162a5d9205740abaea19c9d3c01679d2ae1c12ca867223575e6 - 12664.js
• a264231beb943692e4f104f03e8af08f8ef024c24d17f8034fb912912332cc31 - 16113.js
• 3b57cbf789a6c325f4708df3d7540a5d4be2a41eedc4a33975c1d4f552f0f967 - 18636.js
• 0e212d5234283c8e39a5e1d5da08b36e4c9a2b2e3cfc6b939e1974c73baf9369 - 22760.js
• 957c6da56825e312ec00fb795783804e0ae9b22cb8e2c85a98d75d76eccfbede - 25329.js
• 195dbc0e6c49ea3422861c20616eedaee476f50677d020c0ce54e525a35f6fb9 - 30201.js
• 4439771c0136ad5f9b3b4dca104ded3942ffd80058d358151a0287f6a7288283 - 30346.js
• e406f36c5654e83e407d59b3c140514221e45a3f167161465084b9e2426273df - 32767.js
• 7c289ce5e5e063e5ccc7a729e272d660dff8a2b3964f6f740b5c20b6fb258933 - 6453.doc
• d0fff20572639c7262530cee3644123ca8582004e79d36f4a1abffcd9c8cff57 - 9523.js
• 83d856c3a2f2c52484b983c3b24019826439ec9b06f5965afb758d74e2dd7256 - 9797.js

 

CERBER SAMPLES:

• a612542a7f8cffebdc83a3225d62d163554ad91d96743a1a509425e1c8e8b7d7 - 2017-03-14 Cerber ransomware from citointechnologiesalefor[.]top
• d1f053acce7f13a878f19b359ac50963b01c57c258ec3724018268919b89d8b5 - 2017-03-14 Cerber ransomware from fkauueeepla[.]top
• 615a6179146d7ad0404eba2b3047003cbe1786cd22de227135ac9b4ecb7bb1b1 - 2017-03-14 Cerber ransomware from googlefoad[.]top
• 031c5193a690901c89c511a20cc7aa1e86cca50b10ed3f57e5f9f8d7e3379ecf - 2017-03-14 Cerber ransomware from ponmaredimare[.]top
• 7183dd1a8f3a8202f483ba2e23fe26580ca31b940264e6152ed157e218a544f7 - 2017-03-14 Cerber ransomware from toytyaclucomunit[.]top
• 07924ded03352087e96e3e8ca44630bc1154b893d0422d5c532db1cf6fe2bc74 - 2017-03-14 Cerber ransomware from weekendlk[.]top

 

IMAGES

Shown above:  An infected host after rebooting.

 

Click here to return to the main page.