2017-01-13 - MALSPAM SPREADING CERBER RANSOMWARE FROM AWS IP ADDRESSES

ASSOCIATED FILES:

  • 2017-01-13-Cerber-malspam-traffic-examples.pcap   (1,040,210 bytes)
  • 2017-01-13-tracker.csv   (1,543 bytes)
  • 2017-01-13-Cerber-malspam-0007-UTC.eml   (60,258 bytes)
  • 2017-01-13-Cerber-malspam-0837-UTC.eml   (52,969 bytes)
  • 2017-01-13-Cerber-malspam-1049-UTC.eml   (62,599 bytes)
  • 2017-01-13-Cerber-malspam-1428-UTC.eml   (39,344 bytes)
  • 2017-01-13-Cerber-malspam-1607-UTC.eml   (60,538 bytes)
  • 2017-01-13-Cerber-malspam-1715-UTC.eml   (45,145 bytes)
  • 2017-01-13-Cerber-malspam-1854-UTC.eml   (66,499 bytes)
  • 332101.zip   (33,128 bytes)
  • 62274826.zip   (48,923 bytes)
  • 793186269136.zip   (44,507 bytes)
  • 6225549306381.zip   (28,811 bytes)
  • 09488786419-[recipient].zip   (38,860 bytes)
  • INFO_60191_[recipient].zip   (46,026 bytes)
  • $MONEY-86635301206-[recipient].zip   (44,293 bytes)
  • 2589.doc   (102,912 bytes)
  • 5274.doc   (79,360 bytes)
  • 6254.doc   (86,016 bytes)
  • 10803.doc   (116,224 bytes)
  • 21457.doc   (115,200 bytes)
  • 23183.doc   (123,392 bytes)
  • 29546.doc   (118,784 bytes)
  • 2017-01-13-Cerber-from-malspam-1st-example.exe   (275,484 bytes)
  • 2017-01-13-Cerber-from-malspam-2nd-example.exe   (275,484 bytes)
  • 2017-01-13-Cerber-from-malspam-3rd-example.exe   (271,954 bytes)
  • 2017-01-13-Cerber-from-malspam-4th-example.exe   (275,484 bytes)

NOTES:

Shown above: Error seen when enabling macros on some of these Word documents.

EMAILS

Read each line as: date/time -- received from mailserver at -- sender (spoofed) -- subject -- attachment name -- extracted zip -- extracted doc

TRAFFIC

Shown above: URLs for all the Word documents filtered in Wireshark.

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (1 of 3).

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (2 of 3).

Shown above: One of the URLs hosted on AWS that served Cerber ransomware (3 of 3).

ASSOCIATED DOMAINS:

FILE HASHES

ATTACHED ZIP ARCHIVES:

EXTRACTED MICROSOFT WORD DOCUMENTS:

DOWNLOADED CERBER RANSOMWARE SAMPLES:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.