2016-08-05 - MAGNITUDE EK FROM 185.30.232.65 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2016-08-03-Magnitude-EK-sends-Cerber-from-Threatglass-post.pcap   (621,587 bytes)
  • 2016-08-05-Magnitude-EK-sends-Cerber.pcap   (1,284,310 bytes)
  • 2016-08-03-Magnitude-EK-flash-redirect.swf   (697 bytes)
  • 2016-08-03-Magnitude-EK-landing-page.txt   (665 bytes)
  • 2016-08-03-Magnitude-EK-more-html.txt   (7,017 bytes)
  • 2016-08-05-Cerber-decrypt-instructions.bmp   (3,145,782 bytes)
  • 2016-08-05-Cerber-decrypt-instructions.html   (19,720 bytes)
  • 2016-08-05-Cerber-decrypt-instructions.txt   (10,508 bytes)
  • 2016-08-05-Cerber-decrypt-instructions.vbs   (246 bytes)
  • 2016-08-05-Magnitude-EK-flash-exploit.swf   (58,606 bytes)
  • 2016-08-05-Magnitude-EK-flash-redirect.swf   (700 bytes)
  • 2016-08-05-Magnitude-EK-landing-page.txt   (658 bytes)
  • 2016-08-05-Magnitude-EK-more-html.txt   (23,279 bytes)
  • 2016-08-05-Magnitude-EK-payload-Cerber.exe   (315,528 bytes)

NOTES:

Shown above:  Threatglass post with the pcap containing Magnitude EK traffic.


TRAFFIC

Shown above:  Infection traffic from the Threatglass pcap on 2016-08-03 filtered in Wireshark.

Shown above:  Infection traffic from my pcap on 2016-08-05 filtered in Wireshark.


ASSOCIATED DOMAINS:

OTHER DOMAINS FROM THE CERBER DECRYPT INSTRUCTIONS:


FILE HASHES

FLASH REDIRECTS AND FLASH EXPLOIT:

MALWARE PAYLOAD:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.