Malware-Traffic-Analysis.net - 2017-04-13 - "Blank Slate" campaign still pushing Cerber ransomware, still using fake Chrome page

2017-04-13 - "BLANK SLATE" CAMPAIGN STILL PUSHING CERBER RANSOMWARE, STILL USING FAKE CHROME PAGE

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-13-Cerber-ransomware-infection-traffic.pcap.zip 385.2 kB (385,212 bytes)

2017-04-13-Cerber-ransomware-infection-traffic.pcap (536,245 bytes)

2017-04-13-Blank-Slate-emails-and-Cerber-ransomware.zip 366.8 kB (366,829 bytes)

2017-04-13-Cerber-ransomware-from-testgojale_com.exe (334,506 bytes)

2017-04-13-blank-slate-malspam-1005-UTC.eml (4,245 bytes)

2017-04-13-blank-slate-malspam-1330-UTC.eml (4,170 bytes)

48.js (8,502 bytes)

_READ_THI$_FILE_2DKNJ_.hta (77,078 bytes)

_READ_THI$_FILE_JUTNOHS_.txt (1,378 bytes)

chrome_update.zip (3,940 bytes)

BACKGROUND:

For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.

OTHER NOTES:

This blog post documents a slight variation on the fake Microsoft emails leading to a fake Google Chrome page sent from this campaign.
Of course, the vast majority of Blank Slate malspam is still blank emails only consisting of attachments that are zip archives containing .js files.
I just haven't had time lately to document the normal Blank Slate emails.

FAKE CHROME PAGE

Shown above: Screen shot from the fake Microsoft email.

Shown above: Letting the fake Chrome page send a fake Chrome update as a zip archive.

Shown above: Zip acrhive sent by the fake Chrome page.

TRAFFIC

Shown above: Traffic from the infection filtered in Wireshark.

FAKE GOOGLE CHROME PAGE AND ZIP DOWNLOAD:

47.91.76[.]28 port 80 - doomnooaxc[.]top - GET /site/chrome_update_zip.html
47.91.76[.]28 port 80 - doomnooaxc[.]top - GET /site/download_zip.php

EXTRACTED .JS FILE GRABBING CERBER RANSOMWARE:

47.91.76[.]28 port 80 - testgojale[.]com - GET /admin.php?f=3.gif

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

94.21.172[.]0 - 94.21.172[.]31 (94.21.172[.]0/27) UDP port 6893
94.22.172[.]0 - 94.22.172[.]31 (94.22.172[.]0/27) UDP port 6893
94.23.172[.]0 - 94.23.175[.]255 (94.23.172[.]0/22) UDP port 6893
193.169.135[.]155 port 80 - p27dokhpz2n7nvgr.1nhkou[.]top

MALWARE

SHA256 HASHES:

SHA256 hash: 3de3fd9cda91e91b24c5569e4d2874ed5a8105e28c43dae911ab2b86e87e7505
File name: chrome_update.zip
File description: Downloaded from fake Google Chrome page at doomnooaxc[.]top on 2017-04-13

SHA256 hash: cdd6286df651a213d2e13253ea67602db628fb1a8625ca4e308a0766866373ec
File name: 48.js
File description: Malicious .js file extracted from chrome_update.zip

SHA256 hash: 5d947667bb754a1e1716bec2f86fb82ed5cc8dc5bf8d5c34d15ef232f8f6feb4
File description: Cerber ransomware downloaded by 48.js from testgojale.com on 2017-04-13

IMAGES

Shown above: Desktop of an infected Windows host. Still using dollar signs in _READ_THI$_FILE_ for file names. No more images with the instructions, though.

Click here to return to the main page.