2017-03-24 - "BLANK SLATE" MALSPAM TRIES FAKE CHROME INSTALL PAGE

ASSOCIATED FILES:

 

NOTES:

 

EMAILS


Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 


Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 


Shown above:  Example of a Blank Slate email that wasn't blank.

 

EMAILS GATHERED:

(Read: Date/Time     --     Sending mail server     --     Sending email (spoofed)     --     Subject     --     Attached zip or URL from email link)

 

TRAFFIC


Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

HTTP TRAFFIC FOR THE RANSOMWARE:

CERBER POST-INFECTION TRAFFIC:

LOCKY POST-INFECTION TRAFFIC:

 

MALWARE

ATTACHMENTS:

 

EXTRACTED FILES:

 

RANSOMWARE SAMPLES:

 

IMAGES


Shown above:  The fake Google Chrome installation page.

 


Shown above:  If you wait without clicking anything, you're presented with the ransomware named chrome_update.exe.

 


Shown above:  If you click to download, you get the actual Google Chrome installer from Google.
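The two download paths described above (wait and you are handed chrome_update.exe; click and you get the genuine installer from Google) suggest a simple triage check over HTTP traffic: an executable with an installer-like name served from anything other than the vendor's own hosts deserves a look. The script below is an added example, not code from this page or from its author. It reads a constructed text export of HTTP requests (the line format, sample entries, client IPs, the fake hostname and the vendor allowlist are all assumptions made for the example) and flags such downloads.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts that legitimately serve browser installers. Constructed allowlist for
# this example; build yours from downloads observed in your own network.
VENDOR_HOSTS = {"dl.google.com", "www.google.com", "download.mozilla.org"}

# Filename fragments typical of a "browser update" lure.
LURE_KEYWORDS = ("chrome", "firefox", "browser", "update", "setup", "install")

# One request per line: "<date> <time>  <client ip>  <http host>  <method> <path>"
# (constructed export format, e.g. what you might write out from a pcap).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)

# Constructed sample export; hosts and addresses are placeholders, not IOCs.
SAMPLE_LOG = """\
2017-03-24 14:01:58  10.3.24.101  fakechromeupdate.example  GET /
2017-03-24 14:02:11  10.3.24.101  fakechromeupdate.example  GET /chrome_update.exe
2017-03-24 14:05:40  10.3.24.101  dl.google.com  GET /chrome/install/ChromeStandaloneSetup.exe
2017-03-24 14:07:03  10.3.24.102  203.0.113.7  GET /update/setup.exe?id=1
2017-03-24 14:09:15  10.3.24.102  intranet.example  GET /tools/putty.exe
"""


@dataclass
class Request:
    ts: str
    src: str
    host: str
    method: str
    path: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one export line; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(**m.groupdict())


def is_vendor_host(host: str) -> bool:
    """True if host is an allowlisted vendor host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)


def is_bare_ip(host: str) -> bool:
    """True if the Host value is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def exe_filename(path: str) -> Optional[str]:
    """Return the last path segment if it names a .exe, ignoring any query string."""
    name = urlsplit(path).path.rsplit("/", 1)[-1]
    return name if name.lower().endswith(".exe") else None


def flag_installer_lures(lines: Iterable[str]) -> List[Tuple[Request, List[str]]]:
    """Return (request, reasons) for .exe downloads with installer-like names
    that were served from somewhere other than an allowlisted vendor host."""
    hits: List[Tuple[Request, List[str]]] = []
    for line in lines:
        req = parse_line(line)
        if req is None or req.method != "GET":
            continue
        name = exe_filename(req.path)
        if name is None or not any(k in name.lower() for k in LURE_KEYWORDS):
            continue
        if is_vendor_host(req.host):
            continue  # the real installer from the real vendor is expected
        reasons = [f"installer-like name {name!r} from non-vendor host {req.host!r}"]
        if is_bare_ip(req.host):
            reasons.append("host is a bare IP address")
        hits.append((req, reasons))
    return hits


if __name__ == "__main__":
    for req, reasons in flag_installer_lures(SAMPLE_LOG.splitlines()):
        print(f"{req.ts} {req.src} -> {req.host}{req.path}: {'; '.join(reasons)}")
```

Run against the constructed sample, the chrome_update.exe request from the fake host and the setup.exe request from a bare IP are flagged, while the genuine installer from dl.google.com and the unrelated putty.exe are not. The allowlist is the part to tune: the click path on a page like this hands out the real installer from the real vendor precisely so that the cautious user sees nothing wrong, so the signal is the executable that arrives from elsewhere, not the presence of a Chrome download.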

 


Shown above:  My first chrome_update.exe download (the one I lost my pcap for) was Locky ransomware.  Fortunately, I'd taken some images and saved the binary.

 

I would normally show an image of a Cerber-infected desktop, but I'm about sick of seeing Cerber every day.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
