2017-01-09 - MALSPAM SPREADING CERBER RANSOMWARE

ASSOCIATED FILES:

  • 2017-01-09-Cerber-malspam-traffic-example.pcap   (303,525 bytes)
  • 2017-01-09-Cerber-malspam-tracker.csv   (857 bytes)
  • 2017-01-06-Cerber-malspam-2127-UTC.eml   (43,717 bytes)
  • 2017-01-07-Cerber-malspam-1319-UTC.eml   (44,224 bytes)
  • 2017-01-07-Cerber-malspam-1519-UTC.eml   (35,996 bytes)
  • 2017-01-07-Cerber-malspam-1829-UTC.eml   (43,448 bytes)
  • 2017-01-07-Cerber-malspam-2136-UTC.eml   (45,077 bytes)
  • 2017-01-08-Cerber-malspam-2133-UTC.eml   (58,928 bytes)
  • 2017-01-08-Cerber-malspam-2238-UTC.eml   (59,681 bytes)
  • 2017-01-09-Cerber-malspam-0112-UTC.eml   (51,706 bytes)
  • 2017-01-09-Cerber-malspam-0119-UTC.eml   (49,647 bytes)
  • 2017-01-09-Cerber-malspam-0154-UTC.eml   (57,251 bytes)
  • 2017-01-09-Cerber-malspam-1047-UTC.eml   (37,889 bytes)
  • 2017-01-09-Cerber-malspam-1106-UTC.eml   (38,115 bytes)
  • 2017-01-09-Cerber-malspam-1624-UTC.eml   (36,090 bytes)
  • 17463.zip   (27,902 bytes)
  • 3564149445.zip   (31,847 bytes)
  • 4820876899.zip   (33,055 bytes)
  • 04398408565.zip   (32,439 bytes)
  • 1125380733161.zip   (26,337 bytes)
  • 11932415970879.zip   (27,738 bytes)
  • 35957656855277.zip   (32,061 bytes)
  • 850474845283453.zip   (26,415 bytes)
  • INFO_602960_[removed].zip   (36,444 bytes)
  • INFO_694972_[removed].zip   (42,077 bytes)
  • INFO_619608933_[removed].zip   (43,865 bytes)
  • INFO_949273973_[removed].zip   (43,310 bytes)
  • INFO_956010938_[removed].zip   (37,962 bytes)
  • 2241.doc   (91,648 bytes)
  • 3423.doc   (107,520 bytes)
  • 6743.doc   (64,000 bytes)
  • 13729.doc   (103,424 bytes)
  • 17807.doc   (78,336 bytes)
  • 18493.doc   (75,264 bytes)
  • 19221.doc   (77,312 bytes)
  • 21458.doc   (75,776 bytes)
  • 22551.doc   (72,704 bytes)
  • 22980.doc   (94,720 bytes)
  • 22987.doc   (78,848 bytes)
  • 23861.doc   (106,496 bytes)
  • 26211.doc   (75,776 bytes)
  • 2017-01-07-Cerber-ransomware-example-1-of-3.exe   (240,191 bytes)
  • 2017-01-07-Cerber-ransomware-example-2-of-3.exe   (240,191 bytes)
  • 2017-01-07-Cerber-ransomware-example-3-of-3.exe   (240,191 bytes)
  • 2017-01-08-Cerber-ransomware-example.exe   (245,422 bytes)
  • 2017-01-09-Cerber-ransomware-example-1-of-5.exe   (307,575 bytes)
  • 2017-01-09-Cerber-ransomware-example-2-of-5.exe   (307,575 bytes)
  • 2017-01-09-Cerber-ransomware-example-3-of-5.exe   (263,616 bytes)
  • 2017-01-09-Cerber-ransomware-example-4-of-5.exe   (261,423 bytes)
  • 2017-01-09-Cerber-ransomware-example-5-of-5.exe   (261,423 bytes)

NOTES:


TRAFFIC


Shown above: Pcap from an example of infection traffic, filtered in Wireshark.


DOMAINS FROM THE TRAFFIC EXAMPLE ON 2017-01-09:

URLS FROM THE VARIOUS WORD MACROS TO RETRIEVE CERBER RANSOMWARE:



Shown above: Example of different AWS IP addresses resolving for the same malicious domain.


FILE HASHES

EMAIL ATTACHMENTS:

EXTRACTED WORD DOCUMENTS:

CERBER RANSOMWARE SAMPLES RETRIEVED FROM THE WORD MACROS:


IMAGES


Shown above: An infected Windows desktop after opening one of the Word documents and enabling macros.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
