2017-01-05 - MALSPAM SPREADING CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-01-05-Cerber-malspam-traffic.pcap   (332,731 bytes)
  • 2017-01-04-Cerber-malspam-2312-UTC.eml   (36,691 bytes)
  • 2017-01-04-Cerber-malspam-2327-UTC.eml   (45,945 bytes)
  • 2017-01-05-Cerber-malspam-0859-UTC.eml   (38,580 bytes)
  • 402402188984588.zip   (28,241 bytes)
  • 7318620611899.zip   (26,845 bytes)
  • 954461.zip   (33,708 bytes)
  • Roaming.exE   (231,530 bytes)
  • 2017-01-05-Cerber-from-malspam_NQIB7_README_.hta   (67,448 bytes)
  • 2017-01-05-Cerber-from-malspam_NQIB7_README_.jpg   (229,420 bytes)

NOTES:

EMAILS

Read: date/time -- received from mail server at -- message-ID -- sender (spoofed) -- subject -- attachment name -- extracted file

  • 2017-01-04 23:12 UTC -- skyonline.net.ar -- <148357156002.25068.7364238338216249641@skyonline.net.ar> -- <ej.hartstra@dienst.vu.nl> -- (no subject) -- 7318620611899.zip -- 12027.doc
  • 2017-01-04 23:26 UTC -- 175.202.17.89 -- <148357240588.3135.1777837317377017010@175.202.17.89> -- <gracedsenoglu@gmail.com> -- (no subject) -- 954461.zip -- 24591.doc
  • 2017-01-05 08:59 UTC -- skyonline.net.ar -- <148360676836.3137.13620895256758905128@skyonline.net.ar> -- <andreas.nilsson@norstat.se> -- (no subject) -- 402402188984588.zip -- 31879.doc

TRAFFIC

Image (not reproduced here): Pcap of the infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

EXTRACTED WORD DOCUMENTS:

DOWNLOADED MALWARE (CERBER RANSOMWARE):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
