2017-01-04 - MALSPAM SPREADING CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-01-04-Cerber-from-malspam-traffic.pcap.zip   208 kB (208,307 bytes)

• 2017-01-04-Cerber-from-malspam-traffic.pcap   (304,487 bytes)

• ZIP archive of the malware:  2017-01-04-Cerber-from-malspam-artifacts.zip   541 kB (540,767 bytes)

• 15010386517237.zip   (25,491 bytes)
• 19206.doc   (62,464 bytes)
• 2017-01-04-Cerber-decryption-instructions_7A7N_README_.hta   (67,448 bytes)
• 2017-01-04-Cerber-decryption-instructions_7A7N_README_.jpg   (226,029 bytes)
• 2017-01-04-cerber-malspam-0724-UTC.eml   (34,863 bytes)
• Roaming.exE   (229,661 bytes)

NOTES:

• I occasionally run across these, with no subject line, a spoofed sender, and no message text.
• The attachment is always a zip archive containing a Word document with a malicoius macro that (if enabled) will download and run Cerber ransomware.

 

EMAIL

Shown above:  Screenshot of the email.

NOTE:  The sender's address was spoofed--the message did not come from a gmail account.

 

EMAIL

Shown above:  Malicious word document extracted from the email attachment.

NOTE:  Enabling macros on that Word document will download and run Cerber ransomware.

 

EMAIL

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 54.212.239.185 port 80 - randoz-pandom.wang - GET /search.php - Word macro downloading the Cerber ransomware
• 15.44.20.0 to 15.44.20.31 (15.44.20.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 16.43.12.0 to 16.43.12.31 (16.43.12.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic
• 91.134.123.56 port 80 - p27dokhpz2n7nvgr.1fpeer.top - Cerber post-infection HTTP traffic

 

FILE HASHES

ATTACHMENT AND EXTRACTED WORD DOCUMENT:

• SHA256 hash:  4fb39a97721f066af6a551274550461874138683977bf5e52acd937ea19bfc0c   (25,491 bytes)
  File name:  15010386517237.zip

• SHA256 hash:  b8658a91138b7be842293612c1c1d9dad873ed4638f84262cb58fcee60eab8a4   (62,464 bytes)
  File name:  19206.doc

• NOTE:  The document was double-zipped.  It was a zip archive containing a zip archive of the Word document.

 

DOWNLOADED MALWARE (CERBER RANSOMWARE):

• SHA256 hash:  03aa2410d07ea49dd6f05f2e0b0815ad400a83725ac88281b5f85ee7a7314bc7   (229,661 bytes)
  File path:  C:\Users\[username]\Roaming\Roaming.exE

Shown above:  A copy of the malware before it deleted iteself.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-01-04-Cerber-from-malspam-traffic.pcap.zip   208 kB (208,307 bytes)
• ZIP archive of the malware:  2017-01-04-Cerber-from-malspam-artifacts.zip   541 kB (540,767 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.