2017-08-04 - MAGNITUDE EK DATA DUMP

ASSOCIATED FILES:

  • 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-1st-run.pcap   (663,717 bytes)
  • 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-2nd-run.pcap   (785,769 bytes)
  • 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-3rd-run.pcap   (762,633 bytes)
  • 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-1st-run.pcap   (768,245 bytes)
  • 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-2nd-run.pcap   (774,780 bytes)
  • 2017-08-04-Magnitude-EK-sends-Cerber-ransomware-3rd-run.pcap   (765,124 bytes)
  • 2017-08-03-Cerber-decryption-instructions.bmp   (3,145,782 bytes)
  • 2017-08-03-Cerber-decryption-instructions.hta   (78,098 bytes)
  • 2017-08-03-Cerber-decryption-instructions.txt   (1,389 bytes)
  • 2017-08-03-Mangitude-EK-payload-Cerber-1st-run.exe   (488,960 bytes)
  • 2017-08-03-Mangitude-EK-payload-Cerber-2nd-run.exe   (562,176 bytes)
  • 2017-08-03-Mangitude-EK-payload-Cerber-3rd-run.exe   (562,176 bytes)
  • 2017-08-04-Cerber-decryption-instructions.bmp   (3,145,782 bytes)
  • 2017-08-04-Cerber-decryption-instructions.hta   (77,947 bytes)
  • 2017-08-04-Cerber-decryption-instructions.txt   (1,383 bytes)
  • 2017-08-04-Mangitude-EK-payload-Cerber-1st-run.exe   (562,176 bytes)
  • 2017-08-04-Mangitude-EK-payload-Cerber-2nd-run.exe   (568,320 bytes)
  • 2017-08-04-Mangitude-EK-payload-Cerber-3rd-run.exe   (568,320 bytes)
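The file list above is the only manifest that ships with this dump, so the first thing to do after extracting the archive is to confirm that every file is present and has the listed size, then compute digests for the SHA256 section. The script below is an added example, not code from the original page: parse_listing() reads the "• name   (N bytes)" lines in the format used above, verify() compares each entry against a directory and computes SHA256 for the files that match, and build_sample_dir() writes constructed stand-in files so the script runs without the real archive. The listing excerpt is copied from the page; the directory and the stand-in file contents are constructed.

```python
"""Check an extracted copy of this data dump against the ASSOCIATED FILES list.

Added example, not part of the original page.  The listing excerpt is copied
from the page; the sample directory and its file contents are constructed so
the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# Excerpt of the page's own listing (the full list parses the same way)
LISTING = """
  • 2017-08-03-Magnitude-EK-sends-Cerber-ransomware-1st-run.pcap   (663,717 bytes)
  • 2017-08-03-Cerber-decryption-instructions.txt   (1,389 bytes)
  • 2017-08-04-Cerber-decryption-instructions.bmp   (3,145,782 bytes)
"""

# "  • <name>   (<size> bytes)" with thousands separators in the size
ENTRY_RE = re.compile(r"^\s*•\s*(?P<name>\S+)\s+\((?P<size>[\d,]+) bytes\)\s*$")


def parse_listing(text):
    """Map filename -> expected size in bytes, parsed from the listing format."""
    manifest = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            manifest[m.group("name")] = int(m.group("size").replace(",", ""))
    return manifest


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA256 so multi-MB pcaps and bitmaps are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(directory, manifest):
    """Return {filename: "ok:<sha256>" | "missing" | "size <actual> != <expected>"}.

    A size mismatch usually means a truncated download or the wrong archive;
    only files with the listed size are hashed.
    """
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        actual = os.path.getsize(path)
        if actual != expected:
            report[name] = f"size {actual} != {expected}"
        else:
            report[name] = "ok:" + sha256_of(path)
    return report


def build_sample_dir():
    """Constructed stand-in for the extracted archive (not the real files):
    the .txt has the listed size, the .bmp is truncated, the .pcap is absent."""
    d = tempfile.mkdtemp(prefix="magnitude-dump-")
    with open(os.path.join(d, "2017-08-03-Cerber-decryption-instructions.txt"), "wb") as fh:
        fh.write(b"#" * 1389)
    with open(os.path.join(d, "2017-08-04-Cerber-decryption-instructions.bmp"), "wb") as fh:
        fh.write(b"BM" + b"\0" * 100)
    return d


if __name__ == "__main__":
    manifest = parse_listing(LISTING)
    for name, status in verify(build_sample_dir(), manifest).items():
        print(status, name)
```

Point verify() at the real extraction directory and paste the complete ASSOCIATED FILES block into LISTING to check all 18 files; the "ok:" digests are the values to record under SHA256 HASHES.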

NOTES:

 

TRAFFIC

Shown above:  Traffic from an infected host filtered in Wireshark (1 of 6).

Shown above:  Traffic from an infected host filtered in Wireshark (2 of 6).

Shown above:  Traffic from an infected host filtered in Wireshark (3 of 6).

Shown above:  Traffic from an infected host filtered in Wireshark (4 of 6).

Shown above:  Traffic from an infected host filtered in Wireshark (5 of 6).

Shown above:  Traffic from an infected host filtered in Wireshark (6 of 6).


"MAGNIGATE" DOMAINS:

MAGNITUDE EK DOMAINS:

CERBER POST-INFECTION TRAFFIC (2017-08-03 SAMPLES AND FIRST 2017-08-04 SAMPLE):

CERBER POST-INFECTION TRAFFIC (LAST TWO 2017-08-04 SAMPLES):

 


Shown above:  Some of the UDP traffic caused by a Cerber sample from 2017-08-04.
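The UDP traffic is the part of the Cerber post-infection activity that stands out in these captures: the sample fires datagrams at large contiguous address ranges on a fixed port rather than talking to a handful of servers, which is easy to spot once the capture is filtered by source host and UDP destination port. The script below is an added example, not code from the original page, that flags that fan-out pattern in a flow list and emits the Wireshark display filter that isolates it. Everything in it is constructed: the victim address 10.8.4.101, the spray port 6892 (an assumption; read the real port from the capture), and the target ranges, which are RFC 5737 and RFC 6598 test space. With the real pcap you would export the same (src, dst, dport, proto) tuples from Wireshark or tshark and feed them to udp_fanout().

```python
"""Flag Cerber-style UDP fan-out from a single host.

Added example, not code from the original page.  All flow records, addresses
and ports below are constructed to mimic the pattern, not values taken from
the page's pcaps.
"""
from collections import defaultdict
from ipaddress import ip_network

INFECTED = "10.8.4.101"   # constructed victim address
SPRAY_PORT = 6892         # assumed destination port of the spray


def _spray(src, net, dport):
    """One UDP flow to every host address in `net` (constructed spray)."""
    return [(src, str(h), dport, "udp") for h in ip_network(net).hosts()]


# Constructed flow records: (src_ip, dst_ip, dst_port, proto)
FLOWS = (
    [(INFECTED, "198.51.100.7", 80, "tcp"),   # ordinary web traffic
     (INFECTED, "192.0.2.53", 53, "udp"),      # DNS: a couple of UDP peers
     (INFECTED, "192.0.2.54", 53, "udp")]
    # a second host with many UDP peers scattered over distinct /24s
    # (what a P2P client looks like); must NOT be flagged
    + [("10.8.4.77", f"100.64.{i}.1", 4000, "udp") for i in range(70)]
    # the Cerber-style spray: two full /24s hit on one port
    + _spray(INFECTED, "203.0.113.0/24", SPRAY_PORT)
    + _spray(INFECTED, "198.51.100.0/24", SPRAY_PORT)
)


def udp_fanout(flows, min_targets=64, min_block_fill=0.5):
    """Return one finding per (src, dport) whose UDP destinations are both
    numerous and densely packed into a few /24 blocks.

    min_targets   - ignore sources with fewer distinct UDP destinations
    min_block_fill - fraction of the touched /24 space that was actually hit;
                     a range walk scores near 1.0, a P2P peer list near 0.0
    """
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto.lower() == "udp":
            targets[(src, dport)].add(dst)
    findings = []
    for (src, dport), dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        blocks = defaultdict(int)
        for dst in dsts:
            blocks[ip_network(f"{dst}/24", strict=False)] += 1
        fill = len(dsts) / (256 * len(blocks))
        if fill >= min_block_fill:
            findings.append({
                "src": src,
                "dport": dport,
                "targets": len(dsts),
                "blocks": sorted(str(b) for b in blocks),
                "fill": round(fill, 2),
            })
    return findings


def wireshark_filter(finding):
    """Display filter that isolates one finding in Wireshark."""
    return f"ip.src == {finding['src']} && udp.dstport == {finding['dport']}"


if __name__ == "__main__":
    for f in udp_fanout(FLOWS):
        print(f"{f['src']} -> udp/{f['dport']}: {f['targets']} targets in "
              f"{', '.join(f['blocks'])} (fill {f['fill']})")
        print("  filter:", wireshark_filter(f))
```

The fill ratio is what separates the spray from legitimate high-fan-out UDP: a client with 70 peers in 70 different /24s covers well under one percent of the blocks it touches, while a sample walking whole ranges covers nearly all of them, so the threshold can stay low on the target count without flagging DNS, NTP or P2P traffic.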

 

SHA256 HASHES

CERBER SAMPLES FROM MAGNITUDE EK:

 

IMAGES

Shown above:  Desktop of an infected Windows host.

Shown above:  Cerber decryptor seen on 2017-08-04.

 

FINAL NOTES

The associated files are those listed under ASSOCIATED FILES at the top of this page.

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.