2016-08-10 - MAGNITUDE EK FROM 185.30.232.85 SENDS CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-08-10-Magnitude-EK-sends-Cerber.pcap.zip   466.6 kB (466,550 bytes)

• 2016-08-10-Magnitude-EK-sends-Cerber.pcap   (740,242 bytes)

• ZIP archive of the malware:  2016-08-10-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip   376.9 kB (376,878 bytes)

• 2016-08-10-Cerber-decryption-instructions.bmp   (1,920,054 bytes)
• 2016-08-10-Cerber-decryption-instructions.html   (19,994 bytes)
• 2016-08-10-Cerber-decryption-instructions.txt   (10,645 bytes)
• 2016-08-10-Cerber-decryption-instructions.vbs   (249 bytes)
• 2016-08-10-Magnitude-EK-flash-exploit.swf   (40,523 bytes)
• 2016-08-10-Magnitude-EK-flash-redirector.swf   (708 bytes)
• 2016-08-10-Magnitude-EK-landing-page.txt   (688 bytes)
• 2016-08-10-Magnitude-EK-more-html.txt   (23,254 bytes)
• 2016-08-10-Magnitude-EK-payload-Cerber.exe   (204,944 bytes)

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 185.143.240.111 port 80 - bestgoodautoparts.org - First gate
• 185.143.243.67 port 80 - digitjobs.casa - Second gate
• 185.30.232.85 port 80 - 2bobfewbd7.fellfelt.gdn - Magnitude EK on 2016-08-03
• ip-api.com - GET /json - Connectivity/IP check by the Cerber ransomware
• 91.223.89.201 port 80 - unocl45trpuoefft.heardbids.date - Cerber decrypt instructions
• 31.184.234.0 - 31.184.235.255 (31.184.234.0/23) port 6892 - UDP scan from the host infected by Cerber

OTHER DOMAINS FROM THE CERBER DECRYPT INSTRUCTIONS:

• unocl45trpuoefft.eventsresg.info
• unocl45trpuoefft.itdrink.club
• unocl45trpuoefft.variedtax.kim
• unocl45trpuoefft.onion.to

 

FILE HASHES

FLASH REDIRECTS AND FLASH EXPLOIT:

• SHA256 hash:  18dfdfaf76550a0c4630070e39add570ffdbfca62a59c3a2c800ce4c88bfe2eb
  File name:  2016-08-10-Magnitude-EK-flash-redirector.swf

• SHA256 hash:  22ad3c0cfc888344f7ee69662db8e2bc7c01bd7d24f8cf8a38502662bbfff6eb
  File name:  2016-08-10-Magnitude-EK-flash-exploit.swf

MALWARE PAYLOAD:

• SHA256 hash:  d62a006998dced36c30a435c22b0c6b130c918125efd79c7098318a6fa631a60
  File name:  2016-08-10-Magnitude-EK-payload-Cerber.exe

 

IMAGES

Shown above:  Desktop of a Windows host infected with this Cerber sample.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-08-10-Magnitude-EK-sends-Cerber.pcap.zip   466.6 kB (466,550 bytes)
• ZIP archive of the malware:  2016-08-10-Magnitude-EK-sends-Cerber-malware-and-artifacts.zip   376.9 kB (376,878 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.