2017-05-02 - KEEPING IT 100: "BLANK SLATE" MALSPAM STARTS PUSHING MORDOR RANSOMWARE

ASSOCIATED FILES:

BACKGROUND:

TODAY'S NOTES:



Shown above:  Keeping it 100 means too many entries in the spreadsheet for a good screenshot.



Shown above:  Mordor ransomware decryption instructions (image 1 of 2).



Shown above:  Mordor ransomware decryption instructions (image 2 of 2).


TRAFFIC


Shown above:  Domain from Blank Slate campaign sending Cerber ransomware.



Shown above:  Same domain from Blank Slate campaign sending Mordor ransomware a few hours later.


URLS GENERATED BY THE EXTRACTED FILES:

CERBER POST-INFECTION TRAFFIC:

MORDOR POST-INFECTION TRAFFIC:


SHA256 HASHES

ATTACHED ZIP ARCHIVES AND EXTRACTED .JS FILES:


EXTRACTED RTF FILES DESIGNED TO EXPLOIT CVE-2017-0199:

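The RTF files in this section abuse CVE-2017-0199, where an embedded OLE2Link object carrying a URL moniker makes Office fetch and run remote content when the object is updated on open.  The script below is an added triage example, not part of the original post and not the author's tooling: it decodes every \objdata hex blob in an RTF, looks for the little-endian serialization of the URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, pulls out the UTF-16LE URL that follows it, and notes whether \objupdate or \objautlink is set.  The sample RTF it scans is constructed inside the script (the example.invalid URL is a placeholder, and the blob is only the byte pattern the scanner keys on, not a working exploit).  It is a heuristic: real samples frequently obfuscate the hex stream, which tools such as oletools' rtfobj handle far better.

```python
"""Heuristic triage of RTF files for the CVE-2017-0199 OLE2Link / URL moniker
pattern.  Added example; the fixture and URL below are constructed placeholders."""
import re
import struct

# Little-endian serialization of the URL moniker CLSID
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it appears inside decoded \objdata.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# \objdata is followed by a run of hex digits that RTF writers wrap across lines.
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9A-Fa-f\s]+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")      # force update on open
OBJAUTLINK_RE = re.compile(rb"\\objautlink\b")    # automatically updated link


def decode_objdata(rtf: bytes) -> list:
    """Return the raw bytes of every \\objdata hex blob found in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a dangling trailing nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def extract_url_monikers(blob: bytes) -> list:
    """Find URL monikers (CLSID, DWORD length, UTF-16LE URL) in a decoded blob."""
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 <= len(blob):
            (length,) = struct.unpack_from("<I", blob, start)
            raw = blob[start + 4 : start + 4 + length]
            try:
                urls.append(raw.decode("utf-16-le").rstrip("\x00"))
            except UnicodeDecodeError:
                pass                   # truncated or garbage length field
        pos = blob.find(URL_MONIKER_CLSID, start)
    return urls


def triage_rtf(rtf: bytes) -> dict:
    """Summarize the CVE-2017-0199 indicators present in an RTF document."""
    blobs = decode_objdata(rtf)
    urls = [u for b in blobs for u in extract_url_monikers(b)]
    objupdate = OBJUPDATE_RE.search(rtf) is not None
    autlink = OBJAUTLINK_RE.search(rtf) is not None
    return {
        "objdata_blobs": len(blobs),
        "url_monikers": urls,
        "objupdate": objupdate,
        "objautlink": autlink,
        # A URL moniker in an embedded object is the core indicator; an
        # auto-updating object with any objdata is worth a second look too.
        "suspicious": bool(urls) or (objupdate and bool(blobs)),
    }


def build_sample(url: str) -> bytes:
    """Constructed fixture (not a real sample, not a working exploit): an RTF
    whose \\objdata carries a URL moniker pointing at `url`."""
    wide = (url + "\x00").encode("utf-16-le")
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(wide)) + wide
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + moniker   # leading bytes are filler
    hexstr = blob.hex().encode("ascii")
    hexlines = b"\n".join(hexstr[i:i + 64] for i in range(0, len(hexstr), 64))
    return (rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
            rb"{\*\objdata " + hexlines + rb"}}\par}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage_rtf(fh.read()))
    else:
        print(triage_rtf(build_sample("http://example.invalid/payload.hta")))
```

Run it against a real attachment with the file path as the first argument; with no argument it scans the constructed fixture.  A hit on the URL moniker gives you the second-stage URL to add to the traffic notes before detonating anything.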

RANSOMWARE SAMPLES:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
