2016-07-25 - MAGNITUDE EK FROM 51.254.181.39 SENDS CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcaps: 2016-07-25-Magnitude-EK-sends-Cerber.pcap.zip 827.6 kB (827,624 bytes)
- 2016-07-25-Magnitude-EK-sends-Cerber.pcap (2,388,621 bytes)
- ZIP archive of the malware: 2016-07-25-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip 1.5 MB (1,524,641 bytes)
- 2016-07-25-Cerber-decryption-instructions.bmp (2,825,394 bytes)
- 2016-07-25-Cerber-decryption-instructions.html (12,171 bytes)
- 2016-07-25-Cerber-decryption-instructions.txt (10,393 bytes)
- 2016-07-25-Magnitude-EK-flash-exploit.swf (58,683 bytes)
- 2016-07-25-Magnitude-EK-flash-redirect-file.swf (718 bytes)
- 2016-07-25-Magnitude-EK-landing-page.txt (670 bytes)
- 2016-07-25-Magnitude-EK-more-html.txt (23,011 bytes)
- 2016-07-25-Magnitude-EK-payload-Cerber.exe (668,298 bytes)
NOTES:
- Big thanks, as always, to @malekal_morte for the Twitter posts that help me get this sort of traffic.
Shown above: Tweet from @malekal_morte on 2016-07-25.
TRAFFIC
Shown above: Traffic from this infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 185.143.240.105 port 80 - foundationarcet.org - First gate
- 185.143.243.66 port 80 - spoketext.vip - Second gate
- 51.254.181.39 port 80 - fw7v77fxd8bbz5ej6e.dropsfry.gdn - Magnitude EK
- 51.254.181.39 port 80 - 51.254.181.39 - Magnitude EK
- ipinfo.io - GET /json - Connectivity check by the Cerber ransomware
- 104.238.215.110 port 80 - 4kqd3hmqgptupi3p.worsemine.pro - Post-infection traffic from the infected host
- 31.184.234.0 - 31.184.235.255 (31.184.234.0/23) port 6892 - UDP scan from the infected host
OTHER DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- 4kqd3hmqgptupi3p.fishtotal.bid
- 4kqd3hmqgptupi3p.hurryball.asia
- 4kqd3hmqgptupi3p.innerband.lol
- 4kqd3hmqgptupi3p.onion.to
FILE HASHES
FLASH REDIRECT AND EXPLOIT:
- SHA256 hash: 12fe73f4e50d7f7ad82167ebc13121177b6c493671bd9ed18ed634226a46ebd1
  File name: 2016-07-25-Magnitude-EK-flash-redirect-file.swf
- SHA256 hash: c6b2dcd7a28210fcaac6545b6ffcd4b9807c79ab2819cbecf12deb19ddd8b1b0
  File name: 2016-07-25-Magnitude-EK-flash-exploit.swf
MALWARE PAYLOAD:
- SHA256 hash: 8c0d32db20dcd1ec3a9ef4c036747493df85613019167b376a68b8d244d28b5b
  File name: 2016-07-25-Magnitude-EK-payload-Cerber.exe
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcaps: 2016-07-25-Magnitude-EK-sends-Cerber.pcap.zip 827.6 kB (827,624 bytes)
- ZIP archive of the malware: 2016-07-25-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip 1.5 MB (1,524,641 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.