2017-01-05 - MALSPAM SPREADING CERBER RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-01-05-Cerber-malspam-traffic.pcap.zip   235 kB (235,420 bytes)

• 2017-01-05-Cerber-malspam-traffic.pcap   (332,731 bytes)

• ZIP archive of the malware:  2017-01-05-Cerber-malspam-and-artifacts.zip   651 kB (650,701 bytes)

• 2017-01-04-Cerber-malspam-2312-UTC.eml   (36,691 bytes)
• 2017-01-04-Cerber-malspam-2327-UTC.eml   (45,945 bytes)
• 2017-01-05-Cerber-malspam-0859-UTC.eml   (38,580 bytes)
• 402402188984588.zip   (28,241 bytes)
• 7318620611899.zip   (26,845 bytes)
• 954461.zip   (33,708 bytes)
• Roaming.exE   (231,530 bytes)
• 2017-01-05-Cerber-from-malspam_NQIB7_README_.hta   (67,448 bytes)
• 2017-01-05-Cerber-from-malspam_NQIB7_README_.jpg   (229,420 bytes)

NOTES:

• This is the same type of malspam I documented yesterday (link)
• The attachments are zip archives of a zip archive that contains a Word document with a malicious macro.
• If enabled, the macro will download and run Cerber ransomware.
• The same domain as yesterday is hosting the Cerber ransomware (randoz-pandom.wang) but from a different IP address.

 

EMAILS

 

Read: date/time -- received from mailserver at -- message-ID -- sender (spoofed) -- subject -- attachment name -- extracted file

2017-01-04 23:12 UTC -- skyonline.net.ar -- <148357156002.25068.7364238338216249641@skyonline.net.ar>
<ej.hartstra@dienst.vu.nl> -- (no subject) -- 7318620611899.zip -- 12027.doc

2017-01-04 23:26 UTC -- 175.202.17.89 -- <148357240588.3135.1777837317377017010@175.202.17.89>
<gracedsenoglu@gmail.com> -- (no subject) -- 954461.zip -- 24591.doc

2017-01-05 08:59 UTC -- skyonline.net.ar -- <148360676836.3137.13620895256758905128@skyonline.net.ar>
<andreas.nilsson@norstat.se> -- (no subject) -- 402402188984588.zip -- 31879.doc

 

TRAFFIC

Shown above:  Pcap of the infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 54.145.159.172 port 80 - randoz-pandom.wang - GET /search.php - Word macro downloading the Cerber ransomware
• 15.44.20.0 to 15.44.20.31 (15.44.20.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 16.43.12.0 to 16.43.12.31 (16.43.12.0/27) UDP port 6892 - Cerber post-infection UDP traffic
• 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic
• 91.134.123.56 port 80 - p27dokhpz2n7nvgr.1bwh8a.top - Cerber post-infection HTTP traffic

 

FILE HASHES

EXTRACTED WORD DOCUMENTS:

• SHA256 hash:  748a3c119026f2579867763c33f6fd16375e8f62a38be580654c726709484b94   (65,024 bytes)
  File name:  12027.doc

• SHA256 hash:  8745da2b43f07167e6f2c2eb84a646c0feb236671f206047fc2cdc1081b3f982   (79,360 bytes)
  File name:  24591.doc

• SHA256 hash:  b36bb18faa7adea81436651e6062df0200dca5a578842dc5d6ea03377c4775e9   (68,096 bytes)
  File name:  31879.doc

 

DOWNLOADED MALWARE (CERBER RANSOMWARE):

• SHA256 hash:  aeab730e99827a820e318f43a57463f3dcdcb5182b4e41e71a4d5f436623e792   (231,530 bytes)
  File path:  C:\Users\[username]\Roaming\Roaming.exE

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-01-05-Cerber-malspam-traffic.pcap.zip   235 kB (235,420 bytes)
• ZIP archive of the malware:  2017-01-05-Cerber-malspam-and-artifacts.zip   651 kB (650,701 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.