Malware-Traffic-Analysis.net - 2016-06-26 - Rig EK from 46.30.42.236 sends Cerber ransomware

2016-06-26 - RIG EK FROM 46.30.42.236 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

ZIP archive of the pcaps: 2016-06-26-Rig-EK-sends-Cerber-ransomware-pcaps.zip 2.2 MB (2,188,385 bytes)

2016-06-25-Rig-EK-sends-Cerber-ransomware-after-southcoastdrones.com.au.pcap (4,261,866 bytes)

2016-06-26-Rig-EK-sends-Cerber-ransomware-after-southcoastdrones.com.au.pcap (4,752,659 bytes)

ZIP archive of the malware and artifacts: 2016-06-26-Rig-EK-sends-Cerber-ransomware-malware-and-artifacts.zip 2.7 MB (2,703,738 bytes)

2016-06-25-Cerber-decryption-instructions.bmp (2,647,454 bytes)

2016-06-25-Cerber-decryption-instructions.html (12,389 bytes)

2016-06-25-Cerber-decryption-instructions.txt (10,514 bytes)

2016-06-25-Cerber-decryption-instructions.vbs (225 bytes)

2016-06-25-Rig-EK-flash-exploit-after-southcoastdrones.com.au.swf (24,439 bytes)

2016-06-25-Rig-EK-landing-page-after-southcoastdrones.com.au.txt (5,282 bytes)

2016-06-25-Rig-EK-payload-Cerber-ransomware-after-southcoastdrones.com.au.exe (204,017 bytes)

2016-06-26-Cerber-decryption-instructions.bmp (1,986,214 bytes)

2016-06-26-Cerber-decryption-instructions.html (12,389 bytes)

2016-06-26-Cerber-decryption-instructions.txt (10,514 bytes)

2016-06-26-Cerber-decryption-instructions.vbs (225 bytes)

2016-06-26-Rig-EK-flash-exploit-after-southcoastdrones.com.au.swf (24,439 bytes)

2016-06-26-Rig-EK-landing-page-after-southcoastdrones.com.au.txt (5,326 bytes)

2016-06-26-Rig-EK-payload-Cerber-ransomware-after-southcoastdrones.com.au.exe (631,072 bytes)

NOTES:

Thanks again to @broadanalysis for notifying me about today's compromised website.
Broadanalysis.com already has a blog for Saturday 2016-06-25 with the same type of Rig EK/Cerber traffic kicked off by a different compromised website (link).
That post also has information about DoSWF being used to encrypt Rig EK flash exploits (also seen in my traffic here).

TRAFFIC

ASSOCIATED DOMAINS:

85.25.95.39 port 80 - realstatistics.info - gate used in this campaign
46.30.42.236 port 80 - df.jerseyalmanac.com - Rig EK traffic from 2016-06-25
46.30.42.236 port 80 - jy.infogiovaninebrodi.info - Rig EK traffic from 2016-06-26
ipinfo.io - GET /json - IP address check by Cerber (not inherently malicious)
Infected hosts also scanned 85.93.0.0 through 85.93.63.255 over UDP port 6892

cerberhhyed5frqa.easypaybtc.com - Domain for payment instructions from the 2016-06-25 infection
cerberhhyed5frqa.ti4wic.win - Domain for payment instructions from the 2016-06-25 infection
cerberhhyed5frqa.we34re.win - Domain for payment instructions from the 2016-06-25 infection
cerberhhyed5frqa.xltnet.win - Domain for payment instructions from the 2016-06-25 infection
cerberhhyed5frqa.xmfir0.top - Domain for payment instructions from the 2016-06-25 infection

cerberhhyed5frqa.fastpaybtc.com - Domain for payment instructions from the 2016-06-26 infection
cerberhhyed5frqa.gkfit9.win - Domain for payment instructions from the 2016-06-26 infection
cerberhhyed5frqa.raress.win - Domain for payment instructions from the 2016-06-26 infection
cerberhhyed5frqa.workju.win - Domain for payment instructions from the 2016-06-26 infection
cerberhhyed5frqa.zgf48j.win - Domain for payment instructions from the 2016-06-26 infection