2017-01-27 - "BLANK SLATE" CAMPAIGN SENDS CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-27-Cerber-ransomware-traffic-4-pcaps.zip   1.4 MB (1,429,922 bytes)
• 2017-01-27-Blank-Slate-malspam-tracker.csv.zip   1.3 kB (1,257 bytes)
• 2017-01-27-Blank-Slate-emails-and-Cerber-ransomware.zip   1.1 MB (1,125,721 bytes)

 

NOTES:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.

 

EMAILS

Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 

Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Attachment)

• 2017-01-24 16:14 UTC -- sherryloveless@gmail[.]com -- NATASHA-12367-[recipient].zip
• 2017-01-24 18:25 UTC -- vroak@otmail[.]it -- DOLLARS-24646259-[recipient].zip
• 2017-01-24 19:47 UTC -- bundzinieks@inbox[.]lv -- MESSAGE-7201949-[recipient].zip
• 2017-01-24 20:49 UTC -- kathannejones@gmail[.]com -- BILL-2213141293-[recipient].zip
• 2017-01-24 21:14 UTC -- z.etiquette@emesafze[.]com -- EMAIL-4308991848-[recipient].zip
• 2017-01-25 00:08 UTC -- dicts@centrum[.]cz -- 304586736.zip
• 2017-01-25 11:13 UTC -- milanista2004@web[.]de -- SALE-5105695901-[recipient].zip
• 2017-01-25 14:09 UTC -- honigbiermeier@t-online[.]de -- 93430830.zip
• 2017-01-25 17:08 UTC -- dukes@johncarroll[.]org -- 07054378.zip
• 2017-01-25 17:23 UTC -- balaji@mcs.anl[.]gov -- 67697344.zip
• 2017-01-25 18:39 UTC -- gracedsenoglu@gmail[.]com -- 14772001230606.zip
• 2017-01-25 21:04 UTC -- marek85a@libero[.]it -- NATASHA-37898265949436-[recipient].zip
• 2017-01-26 09:21 UTC -- lu.giudice@tiscali[.]it -- EMAIL-02043253-[recipient].zip
• 2017-01-26 09:43 UTC -- uskorenie70035@datingeurope[.]net -- INFO-4188697524-[recipient].zip
• 2017-01-26 09:47 UTC -- vlachos1@auth[.]gr -- 770685376.zip

 

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

• 3841e3eb6db6f0e59d3b11755bae3fefa237ce683115e2b2b9e2bb56db254b2e - 07054378.zip
• 480d08e71671b913cba9a315e3bd51bb8384b1eb2692f9001a82af1b5a28c4ab - 14772001230606.zip
• 4223c066205f9dbcfead3b0c7857d9aae90bee3bbe16863251acb5fd6f2e34e7 - 304586736.zip
• fd3ba432620c1d79f3169a9b691ef0f5689c1baff78e600b0975787d29f0bd03 - 67697344.zip
• 0b9e99ca471e962f08d2586fd0a0a6f1d8248aa1c6cf5df2c86694bcfeda8294 - 770685376.zip
• 7005fc94b792aee0353fe29926ad8ecf273fd10d335b0c033af217effee0dee9 - 93430830.zip
• 64f0874da267bbe63c104fd8b63bda2e9ff4840e37fc62ac6afccb8c5eb7f35c - BILL-2213141293-[recipient].zip
• 4325ec0ec1a25c8aabffde7eb5075949b7df78f101d930c0916e095c80c0970a - DOLLARS-24646259-[recipient].zip
• 4cb6604de77d76a326eeb51b2135415fb5153f006aa1c1f4c9ecb68990b81639 - EMAIL-02043253-[recipient].zip
• 276f2a899810935c2f2ac04bd3fcaa1ddfec115eff5193698fd519919f02b7cb - EMAIL-4308991848-[recipient].zip
• b1d90a5ae9a45d61ded21cbcd202c005bcda0efe332f9cd0cdd7f084d6ec6430 - INFO-4188697524-[recipient].zip
• 03dcffc47b06669da5526c35fc87a823dcd6259bfaba60dc3176c93b4a96bab1 - MESSAGE-7201949-[recipient].zip
• 16340705f3ad760ae9625e681eab2126fb1a7c31277c6cb6ac66151253737ab5 - NATASHA-12367-[recipient].zip
• 7b8c1dc60410c3dc843149a3c89dbba3b3ece52d056f08df5b78769e1a511bca - NATASHA-37898265949436-[recipient].zip
• 0e5759120d1c11c55ff2cab2139b29211c1c95fb851a0dbb424d86bc7e5d0ad7 - SALE-5105695901-[recipient].zip

 

SHA256 HASHES FOR THE EXTRACTED .JS FILES AND WORD DOCUMENTS:

• 1cd832b271894bc2e4e7bdb139732580ec946f66298eecd46e84ad20cfd83cfa - 11113.js
• c92d12190cac4f1b7b80f970cba8495cc3fa562b21f3e11b5cad83f06e545b60 - 11593.doc
• 471b78d2bcf62084e1a2d0e3eddbab5b5f50cf6fd0c449dc151a53509de56a4c - 13967.js
• be74cc0a16fa0d9b966ed13fa9ac35de38137f4b2c8be05451ce733be62d2331 - 1583.doc
• 08a9e15a360f5b708ae5a849f56bdcbba10897c5caab5110e52ab0632740b0a2 - 17599.js
• 729f8ddddc5db353336eae9ebea817cb781efafc8d3ec5cec1eefdbacf782259 - 1994.js
• b619d8b08b666aa78801dcda02a0ff5f2a7f3c6744d3c327870479717e94b13f - 21519.js
• 92fe6be0ce7f0e0c55b6482cd57ac82fe7b4301b27036815be1d23effe452de9 - 22543.js
• a67dfef005e7eb74aff09fc1518781587bcc544c59f5d21cb8b92c01142a006e - 23470.js
• 57283ab9740758dfad7ac8de346508116d4c0e89661344587f846b23f2373f6a - 23788.js
• 97912afcc524fc64aa8289b8cfe05a0684ab1a048ebbf4e4b33e01f0dfd439ee - 24066.js
• e725d05e1ce7ea9d94689e9029911295a39fa832772744911170f33332f954a5 - 4572.js
• 51b0de0d6d632efc12521b42968f4340b3f171eaaed48b0b87919cf8c75d0776 - 6524.js
• 34bbdc4a5847680ed37b23f126cacb9690a0938eae7ad6ae2a206b6c5c8e6e1d - 7905.js
• 8f96cdea2ed5cf951392fbb541252ece9484d0932ecc8d949a047e04e11bdb6f - 9059.js

 

TRAFFIC

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• 52.203.115[.]53 port 80 - folueopa[.]top - GET /read.php?f=0.dat
• 52.203.115[.]53 port 80 - folueopa[.]top - GET /user?f=0.dat
• 54.200.117[.]224 port 80 - panntyplenty[.]top - GET /search.php
• 52.202.137[.]93 port 80 - pennysgoods[.]top - GET /search.php
• 52.203.115[.]53 port 80 - rootaleyz[.]top - GET /admin.php?f=1.dat
• 52.203.115[.]53 port 80 - rootaleyz[.]top - GET /user.php?f=0.dat
• 54.200.117[.]224 port 80 - sallykandymandy[.]top - GET /search.php
• 52.203.115[.]53 port 80 - toagoores[.]top - GET /user.php?f=0.dat
• 35.165.86[.]173 port 80 - vvorootad[.]top - GET /admin.php?f=1.dat

NOTE:  These domains are all hosted on Amazon Web Services (AWS).  Many of the URLs to download the ransomware are still active as I write this.

 

Click here to return to the main page.