2017-04-13 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER, STILL USING FAKE CHROME PAGE

ASSOCIATED FILES:

  • 2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap   (536,245 bytes)
  • 2017-04-13-Cerber-ransomware-from-testgojale.com.exe   (334,506 bytes)
  • 2017-04-13-blank-slate-malspam-1005-UTC.eml   (4,245 bytes)
  • 2017-04-13-blank-slate-malspam-1330-UTC.eml   (4,170 bytes)
  • 48.js   (8,502 bytes)
  • _READ_THI$_FILE_2DKNJ_.hta   (77,078 bytes)
  • _READ_THI$_FILE_JUTNOHS_.txt   (1,378 bytes)
  • chrome_update.zip   (3,940 bytes)

BACKGROUND:

OTHER NOTES:

FAKE CHROME PAGE


Shown above:  Screen shot from the fake Microsoft email.


Shown above:  Letting the fake Chrome page send a fake Chrome update as a zip archive.


Shown above:  Zip archive sent by the fake Chrome page.

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

FAKE GOOGLE CHROME PAGE AND ZIP DOWNLOAD:

EXTRACTED .JS FILE GRABBING CERBER RANSOMWARE:

CERBER POST-INFECTION TRAFFIC:

MALWARE

SHA256 HASHES:

IMAGES


Shown above:  Desktop of an infected Windows host.  Still using dollar signs in _READ_THI$_FILE_ for file names.  No more images with the instructions, though.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.