2017-01-04 - MALSPAM SPREADING CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-01-04-Cerber-from-malspam-traffic.pcap   (304,487 bytes)
  • 15010386517237.zip   (25,491 bytes)
  • 19206.doc   (62,464 bytes)
  • 2017-01-04-Cerber-decryption-instructions_7A7N_README_.hta   (67,448 bytes)
  • 2017-01-04-Cerber-decryption-instructions_7A7N_README_.jpg   (226,029 bytes)
  • 2017-01-04-cerber-malspam-0724-UTC.eml   (34,863 bytes)
  • Roaming.exE   (229,661 bytes)

NOTES:

[Image: screenshot of the email]

Shown above:  Screenshot of the email.

NOTE:  The sender's address was spoofed--the message did not come from a gmail account.

[Image: the Word document extracted from the attachment]

Shown above:  Malicious Word document extracted from the email attachment.

NOTE:  Enabling macros on that Word document will download and run Cerber ransomware.
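As an added, defender-side illustration (not part of the original write-up), the Python below does the two checks the notes above point at: whether the visible From: domain matches the Return-Path domain, and whether a zipped .doc attachment carries a VBA macro storage (the OLE directory names "Macros"/"VBA" are stored in UTF-16LE, which is what the heuristic looks for; OOXML .docm files are recognised by word/vbaProject.bin instead). The .eml it builds is constructed: the file names reuse the ones listed above, but the document body is a fake OLE blob with only the marker bytes, not the real 19206.doc, and the Return-Path domain is a placeholder.

```python
"""Quick triage of a malspam .eml: header domain check plus attachment inspection."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# OLE2 compound-file magic (legacy .doc/.xls). Directory entry names inside an
# OLE file are UTF-16LE, so a "Macros" storage shows up as the encoded bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(addr or ""))
    return addr.rpartition("@")[2].lower()


def header_mismatch(msg):
    """True when the visible From: domain differs from the Return-Path domain.
    Only a hint (forwarders and lists also cause it), but a message claiming
    to be from a webmail provider with a foreign Return-Path deserves a look."""
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    return bool(from_dom and rp_dom and from_dom != rp_dom)


def looks_like_macro_doc(data):
    """Heuristic: OLE .doc with a Macros/VBA storage, or OOXML with vbaProject.bin."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_attachments(msg):
    """Return (attachment, zip member or None, flagged) for each attached file;
    .zip attachments are opened and every member is inspected."""
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        member = zf.read(info)  # unencrypted zip assumed
                        findings.append((fname, info.filename, looks_like_macro_doc(member)))
            except (zipfile.BadZipFile, RuntimeError):  # RuntimeError: encrypted member
                findings.append((fname, "<unreadable zip>", False))
        else:
            findings.append((fname, None, looks_like_macro_doc(payload)))
    return findings


def triage(raw_bytes):
    """Parse an .eml and run both checks."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {"header_mismatch": header_mismatch(msg),
            "attachments": triage_attachments(msg)}


def build_sample_eml():
    """Constructed sample shaped like this campaign: From: claims gmail.com, the
    Return-Path is a placeholder domain, and the zip holds a fake OLE blob that
    carries only the magic bytes and a UTF-16LE 'Macros' name (not a real .doc)."""
    fake_doc = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("19206.doc", fake_doc)
    msg = EmailMessage()
    msg["From"] = "Someone <someone@gmail.com>"
    msg["Return-Path"] = "<bounce@sender.invalid>"  # placeholder, not the real one
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="15010386517237.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

Run on a real .eml with `triage(open(path, "rb").read())`; both checks are heuristics meant to prioritise what a human then opens in a sandbox, not a verdict on their own.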

[Image: Wireshark view of the pcap]

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

ATTACHMENT AND EXTRACTED WORD DOCUMENT:

 

DOWNLOADED MALWARE (CERBER RANSOMWARE):

[Image: the downloaded malware]

Shown above:  A copy of the malware before it deleted itself.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
