2017-01-05 - MALSPAM SPREADING CERBER RANSOMWARE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-01-05-Cerber-malspam-traffic.pcap.zip 235 kB (235,420 bytes)
- 2017-01-05-Cerber-malspam-traffic.pcap (332,731 bytes)
- ZIP archive of the malware: 2017-01-05-Cerber-malspam-and-artifacts.zip 651 kB (650,701 bytes)
- 2017-01-04-Cerber-malspam-2312-UTC.eml (36,691 bytes)
- 2017-01-04-Cerber-malspam-2327-UTC.eml (45,945 bytes)
- 2017-01-05-Cerber-malspam-0859-UTC.eml (38,580 bytes)
- 402402188984588.zip (28,241 bytes)
- 7318620611899.zip (26,845 bytes)
- 954461.zip (33,708 bytes)
- Roaming.exE (231,530 bytes)
- 2017-01-05-Cerber-from-malspam_NQIB7_README_.hta (67,448 bytes)
- 2017-01-05-Cerber-from-malspam_NQIB7_README_.jpg (229,420 bytes)
NOTES:
- This is the same type of malspam I documented yesterday (link)
- Each attachment is a zip archive that contains another zip archive, which in turn holds a Word document with a malicious macro.
- If macros are enabled, the macro downloads and runs Cerber ransomware.
- The same domain as yesterday is hosting the Cerber ransomware (randoz-pandom.wang) but from a different IP address.
EMAILS
Read: date/time -- received from mailserver at -- message-ID -- sender (spoofed) -- subject -- attachment name -- extracted file
2017-01-04 23:12 UTC -- skyonline.net.ar -- <148357156002.25068.7364238338216249641@skyonline.net.ar> -- <ej.hartstra@dienst.vu.nl> -- (no subject) -- 7318620611899.zip -- 12027.doc
2017-01-04 23:26 UTC -- 175.202.17.89 -- <148357240588.3135.1777837317377017010@175.202.17.89> -- <gracedsenoglu@gmail.com> -- (no subject) -- 954461.zip -- 24591.doc
2017-01-05 08:59 UTC -- skyonline.net.ar -- <148360676836.3137.13620895256758905128@skyonline.net.ar> -- <andreas.nilsson@norstat.se> -- (no subject) -- 402402188984588.zip -- 31879.doc
TRAFFIC
[Image not included: pcap of the infection traffic filtered in Wireshark.]
ASSOCIATED DOMAINS:
- 54.145.159.172 port 80 - randoz-pandom.wang - GET /search.php - Word macro downloading the Cerber ransomware
- 15.44.20.0 to 15.44.20.31 (15.44.20.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 16.43.12.0 to 16.43.12.31 (16.43.12.0/27) UDP port 6892 - Cerber post-infection UDP traffic
- 91.239.24.0 to 91.239.25.255 (91.239.24.0/23) UDP port 6892 - Cerber post-infection UDP traffic
- 91.134.123.56 port 80 - p27dokhpz2n7nvgr.1bwh8a.top - Cerber post-infection HTTP traffic
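The indicators above can be turned into a simple log check. The following is an added Python example, not part of the original post; the connection log lines it scans are constructed for illustration, not taken from the pcap, and the log format (timestamp, source, destination, protocol, destination port, HTTP host or "-") is an assumption.

```python
import ipaddress
from typing import Dict, List

# Post-infection UDP destinations listed in the TRAFFIC section.
CERBER_UDP_RANGES = [
    ipaddress.ip_network(n) for n in ("15.44.20.0/27", "16.43.12.0/27", "91.239.24.0/23")
]
CERBER_UDP_PORT = 6892
# HTTP hosts from the same section: the macro's download server and the post-infection check-in.
CERBER_HTTP_HOSTS = {"randoz-pandom.wang", "p27dokhpz2n7nvgr.1bwh8a.top"}


def check_udp(dst_ip: str, dst_port: int, proto: str) -> bool:
    """True when a flow matches Cerber's UDP pattern: port 6892 into one of the listed ranges."""
    if proto.lower() != "udp" or dst_port != CERBER_UDP_PORT:
        return False
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in CERBER_UDP_RANGES)


def check_http(host: str) -> bool:
    """True when the HTTP Host header matches one of the listed domains."""
    return host.lower().rstrip(".") in CERBER_HTTP_HOSTS


# Constructed sample log (assumed format: "ts src_ip dst_ip proto dst_port host").
# Includes two near misses: 91.239.26.1 is just outside the /23, and 16.43.12.5 on port 53 is not 6892.
SAMPLE_LOG = """\
2017-01-05T09:01:02Z 192.168.1.25 54.145.159.172 tcp 80 randoz-pandom.wang
2017-01-05T09:01:10Z 192.168.1.25 15.44.20.7 udp 6892 -
2017-01-05T09:01:10Z 192.168.1.25 91.239.25.200 udp 6892 -
2017-01-05T09:01:11Z 192.168.1.25 91.239.26.1 udp 6892 -
2017-01-05T09:01:12Z 192.168.1.25 8.8.8.8 udp 53 -
2017-01-05T09:01:13Z 192.168.1.25 16.43.12.5 udp 53 -
2017-01-05T09:01:15Z 192.168.1.25 91.134.123.56 tcp 80 p27dokhpz2n7nvgr.1bwh8a.top
"""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line that matches either the UDP or the HTTP indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, host = line.split()
        if check_udp(dst, int(port), proto):
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": "cerber-udp-6892"})
        elif host != "-" and check_http(host):
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": "cerber-http-host"})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```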
FILE HASHES
EXTRACTED WORD DOCUMENTS:
- SHA256 hash: 748a3c119026f2579867763c33f6fd16375e8f62a38be580654c726709484b94 (65,024 bytes)
File name: 12027.doc
- SHA256 hash: 8745da2b43f07167e6f2c2eb84a646c0feb236671f206047fc2cdc1081b3f982 (79,360 bytes)
File name: 24591.doc
- SHA256 hash: b36bb18faa7adea81436651e6062df0200dca5a578842dc5d6ea03377c4775e9 (68,096 bytes)
File name: 31879.doc
DOWNLOADED MALWARE (CERBER RANSOMWARE):
- SHA256 hash: aeab730e99827a820e318f43a57463f3dcdcb5182b4e41e71a4d5f436623e792 (231,530 bytes)
File path: C:\Users\[username]\Roaming\Roaming.exE
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-01-05-Cerber-malspam-traffic.pcap.zip 235 kB (235,420 bytes)
- ZIP archive of the malware: 2017-01-05-Cerber-malspam-and-artifacts.zip 651 kB (650,701 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.