2016-07-25 - MAGNITUDE EK FROM 51.254.181.39 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-07-25-Magnitude-EK-sends-Cerber.pcap.zip   827.6 kB (827,624 bytes)

• 2016-07-25-Magnitude-EK-sends-Cerber.pcap   (2,388,621 bytes)

• ZIP archive of the malware:  2016-07-25-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip   1.5 MB (1,524,641 bytes)

• 2016-07-25-Cerber-decryption-instructions.bmp   (2,825,394 bytes)
• 2016-07-25-Cerber-decryption-instructions.html   (12,171 bytes)
• 2016-07-25-Cerber-decryption-instructions.txt   (10,393 bytes)
• 2016-07-25-Magnitude-EK-flash-exploit.swf   (58,683 bytes)
• 2016-07-25-Magnitude-EK-flash-redirect-file.swf   (718 bytes)
• 2016-07-25-Magnitude-EK-landing-page.txt   (670 bytes)
• 2016-07-25-Magnitude-EK-more-html.txt   (23,011 bytes)
• 2016-07-25-Magnitude-EK-payload-Cerber.exe   (668,298 bytes)

NOTES:

• Big thanks, as always, to @malekal_morte for the Twitter posts that help me get this sort of traffic.

Shown above:  Tweet from @malekal_morte on 2016-07-25.

 

TRAFFIC

Shown above:  Traffic from this infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 185.143.240.105 port 80 - foundationarcet.org - First gate
• 185.143.243.66 port 80 - spoketext.vip - Second gate
• 51.254.181.39 port 80 - fw7v77fxd8bbz5ej6e.dropsfry.gdn - Magnitude EK
• 51.254.181.39 port 80 - 51.254.181.39 - Magnitude EK
• ipinfo.io - GET /json - Connectivity check by the Cerber ransomware
• 104.238.215.110 port 80 - 4kqd3hmqgptupi3p.worsemine.pro - Post-infection traffic from the infected host
• 31.184.234.0 - 31.184.235.255 (31.184.234.0/23) port 6892 - UDP scan from the infected host

OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• 4kqd3hmqgptupi3p.fishtotal.bid
• 4kqd3hmqgptupi3p.hurryball.asia
• 4kqd3hmqgptupi3p.innerband.lol
• 4kqd3hmqgptupi3p.onion.to

 

FILE HASHES

FLASH REDIRECT AND EXPLOIT:

• SHA256 hash:  12fe73f4e50d7f7ad82167ebc13121177b6c493671bd9ed18ed634226a46ebd1
  File name:  2016-07-25-Magnitude-EK-flash-redirect-file.swf

• SHA256 hash:  c6b2dcd7a28210fcaac6545b6ffcd4b9807c79ab2819cbecf12deb19ddd8b1b0
  File name:  2016-07-25-Magnitude-EK-flash-exploit.swf

MALWARE PAYLOAD:

• SHA256 hash:  8c0d32db20dcd1ec3a9ef4c036747493df85613019167b376a68b8d244d28b5b
  File name:  2016-07-25-Magnitude-EK-payload-Cerber.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-07-25-Magnitude-EK-sends-Cerber.pcap.zip   827.6 kB (827,624 bytes)
• ZIP archive of the malware:  2016-07-25-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip   1.5 MB (1,524,641 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.