2017-03-15 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-15-Cerber-ransomware-infection-3-pcaps.zip   685.5 kB (685,477 bytes)
• 2017-03-15-Blank-Slate-malspam-tracker.csv.zip   1.3 kB (1,334 bytes)
• 2017-03-15-Blank-Slate-emails-and-Cerber-ransomware.zip   2.1 MB (2,126,564 bytes)

 

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAILS

EMAILS GATHERED:

(Read: Date/Time   --   Sending mail server   --   Sending email (spoofed)   --   Subject   --   Attached zip   --   Extracted file)

• 2017-03-15 01:32 UTC -- zapnetms[.]com[.]br -- linkedin@joekatz[.]com -- (none) -- 43336834502446.zip -- 30371.doc
• 2017-03-15 02:49 UTC -- hinet[.]net -- vermert@seznam[.]cz -- (none) -- EMAIL_98_[recipient].zip -- 21066.js
• 2017-03-15 05:24 UTC -- 188.18.239[.]205 -- rcoburn@partners[.]org -- (none) -- EMAIL_513819782095_[recipient].zip -- 14504.js
• 2017-03-15 06:02 UTC -- hinet[.]ne -- kasia_094@wp[.]pl -- (none) -- EMAIL_01042653_[recipient].zip -- 16044.js
• 2017-03-15 06:40 UTC -- 31.162.16[.]214 -- jennifer.rose@davey[.]com -- (none) -- EMAIL_7688592831105_[recipient].zip -- 12856.js
• 2017-03-15 09:49 UTC -- 188.18.92[.]38 -- ount@abilenetx[.]com -- (none) -- EMAIL_74749_[recipient].zip -- 11604.js
• 2017-03-15 10:05 UTC -- sura[.]ru -- schulzova@performia[.]cz -- (none) -- EMAIL_261_[recipient].zip -- 17736.js
• 2017-03-15 11:32 UTC -- 109.168.133[.]195 -- webmaster@tecoluca[.]com -- (none) -- EMAIL_6154388606399_[recipient].zip -- 448.js
• 2017-03-15 11:55 UTC -- 94.78.212[.]109 -- fridah@birdswillsingforyou[.]com -- (none) -- EMAIL_281856769_[recipient].zip -- 9188.js
• 2017-03-15 13:06 UTC -- 188.248.179[.]240 -- ajapanfomr@availabledatingworld[.]biz -- (none) -- EMAIL_668403790854085_[recipient].zip -- 32680.js
• 2017-03-15 18:36 UTC -- vnpt[.]vn -- jbies@uscupstate[.]edu -- (none) -- 7469186953683.zip -- 9784.doc
• 2017-03-15 19:25 UTC -- 117.35.207[.]102 -- skabova.k@seznam[.]cz -- 31388 [recipient] -- 636065.zip -- 9566.js
• 2017-03-15 19:25 UTC -- 77.34.165[.]189 -- gianluigi.benini@tiscali[.]it -- (none) -- 1123083233755.zip -- 30469.doc
• 2017-03-15 19:35 UTC -- zaural[.]ru -- honigbiermeier@t-online[.]de -- 11009 [recipient] -- 972482.zip -- 19917.js

 

TRAFFIC

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• 130.211.103.246 port 80 - www.fkauueeepla[.]top - GET /admin.php?f=1.gif
• 130.211.103.246 port 80 - www.fkauueeepla[.]top - GET /user.php?f=1.gif
• 104.199.9.203 port 80 - ponmaredimare[.]top - GET /search.php
• 104.199.9.203 port 80 - ubisortdasert[.]top - GET /search.php

 

MALWARE

ATTACHMENETS:

• 2acedfc0752d3f177567d858270abca282f6bbf72e3ba0fa5f304fdc944282fb - 1123083233755.zip
• 6c1d5ac41564e3ed998ad7f22ea253d5e3f8e6ace4f6a6a817931c802b550548 - 43336834502446.zip
• 721dcf05275f398104c8473c68398db79f280f4b5982bf046ab0f2ff9c231e2a - 636065.zip
• 0f593be25c85405c1d9bdc3c2ea62a30b62306829dd2a676348f739688b5b2fd - 7469186953683.zip
• 2466adb53346c7701fe8ed11e32db750dff29483dc63ec7bc8231ad6df04ee47 - 972482.zip
• 6d17cc1382015d40a4eaa80bcf1722cf825cce7c9dddd17a5bcd6490bc75bd6c - EMAIL_01042653_[recipient].zip
• 22af90d7b8d0a35de09ee7e9a4dbe0cfcf14a19e2a3959325d6a24f51467ea5b - EMAIL_261_[recipient].zip
• 0177bc874752c76ea25e6959e0d6642e6d78ee01adbf2b705fe2a3bbbcd55b20 - EMAIL_281856769_[recipient].zip
• 2f6e792574d59599961174802253f409bd12c8df999c3ca67dc03b2858a74c16 - EMAIL_513819782095_[recipient].zip
• 9e6baf7ff7837f529304ad6008f32d87cdbb5011a4fad0014286bf315724a706 - EMAIL_6154388606399_[recipient].zip
• 59875a61bb6a43e94c95f920787df48f1384f536f1d3a84b233f60e8c321fef5 - EMAIL_668403790854085_[recipient].zip
• 3ee52c790330a5efc671cad3cf5c1214fbfa31a89815ad35cade40cd3dfad101 - EMAIL_74749_[recipient].zip
• 23a4c8f2f89c70c4d29128cbec6e1a95badcb214a5442e5f42390c5ca51f9a46 - EMAIL_7688592831105_[recipient].zip
• 86297bffccd9b1039e42776019c8f0ed6b367b8ae14c8339def57bb1339683a0 - EMAIL_98_[recipient].zip

 

EXTRACTED FILES:

• 36e50b35eaf46f60d8f7b7f74c9a79347f882ac1a3dd9d90100eb20ecee89d40 - 11604.js
• d9c748cd97ab4ef20a76ce59dfe11c75af720aae2ad40f93787112431b5ddbf1 - 12856.js
• 9a5030173334a0a9be63a6c8ba7671f7b717bf3f5db5ad3281ad4cc3a9ab6c39 - 14504.js
• 911917d50a0998137492f33c2d9e758293068a837fa5dce9d61a20a44ba5552b - 16044.js
• d00332f72da97f02b04fd376eb56d42ef9fddf16642a90aba67ab49e85d7eb81 - 17736.js
• 75824652c901ca3e739c2d2a779343d260ad09874e2bb2514dd4bc4e1c15f604 - 19917.js
• 9a5030173334a0a9be63a6c8ba7671f7b717bf3f5db5ad3281ad4cc3a9ab6c39 - 21066.js
• b64cbf393324349974002cb72799464b5af101017911e1a512108a3c674708da - 30371.doc
• d1062a29aa474a14debd7149d780e9e427acc455f3fd87ce49066c1e7338b368 - 30469.doc
• 6f04a1dcf02e49d5178a185d421b4f4746a9ca9a2d56b9a8aaa850f09346defd - 32680.js
• 452a5705334f9cb748662e74f871872535169bb525ca8fe6c204c2ac4b9713db - 448.js
• 3bba49a18cd96ca8624fd37b9aef2062374970d03bc6807a3630496d8a8b3105 - 9188.js
• cd466e88d38f6036585f2258b06c998638cb61da6fc9725fae698af8ee89d2cc - 9566.js
• bff6b0f56fd50918b935478c926ee6fd9ee1bebf24da1c78db0836897aab1def - 9784.doc

 

CERBER RANSOMWARE SAMPLES:

• 0b5d97b9ae0f1e12cb378ba02d6dc3bafed41a032b65c5fdf95dc63ded8cec57 - 2017-03-15 Cerber ransomware from fkauueeepla[.]top
• 7ee0a3db0626d56fa7f8d409631cfc8b88a28992e09c0cba6d1f0162772a484a - 017-03-15 Cerber ransomware from ponmaredimare[.]top
• c880af66245084e0ad721331add5f84e776f7e0cfcd4e417c75becb978612e95 - 2017-03-15 Cerber ransomware from ubisortdasert[.]top

 

Click here to return to the main page.