2017-01-21 - PCAP AND MALWARE FOR AN ISC DIARY
NOTES:
- The associated ISC diary is for Saturday 2017-01-21: Sage 2.0 Ransomware
- The diary investigates the latest version of Sage ransomware I found in a malspam campaign I've been tracking (one that normally sends Cerber).
- ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
ASSOCIATED FILES:
- ZIP archive of email tracking spreadsheet: 2017-01-21-ransomware-campaign-malspam-tracker-for-ISC-diary.csv.zip 1.1 kB (1,134 bytes)
- 2017-01-21-ransomware-campaign-malspam-tracker-for-ISC-diary.csv (2,330 bytes)
- ZIP archive of the pcaps: 2017-01-21-pcaps-for-ISC-diary.zip 1.7 MB (1,689,751 bytes)
- 2017-01-20-Cerber-from-cocalolo.top-full-infection-traffic.pcap (293,432 bytes)
- 2017-01-20-Cerber-from-truepokemonant.top.pcap (289,837 bytes)
- 2017-01-20-Sage-2.0-from-newfoodas.top.pcap (357,417 bytes)
- 2017-01-20-Sage-2.0-ransomware-from-fortycooola.top-full-infection-traffic.pcap (7,243,866 bytes)
- 2017-01-20-Sage-2.0-ransomware-from-smoeroota.top-full-infection-traffic.pcap (347,342 bytes)
- ZIP archive of the emails, malware, etc.: 2017-01-21-ISC-diary-malware-and-artifacts.zip 2.9 MB (2,915,043 bytes)
- emails / 2017-01-19-ransomware-malspam-0719-UTC.eml (5,244 bytes)
- emails / 2017-01-19-ransomware-malspam-0751-UTC.eml (5,702 bytes)
- emails / 2017-01-19-ransomware-malspam-0813-UTC.eml (4,630 bytes)
- emails / 2017-01-19-ransomware-malspam-1435-UTC.eml (66,939 bytes)
- emails / 2017-01-19-ransomware-malspam-1553-UTC.eml (67,927 bytes)
- emails / 2017-01-19-ransomware-malspam-1652-UTC.eml (71,950 bytes)
- emails / 2017-01-19-ransomware-malspam-1657-UTC.eml (60,251 bytes)
- emails / 2017-01-20-ransomware-malspam-0016-UTC.eml (65,847 bytes)
- emails / 2017-01-20-ransomware-malspam-1419-UTC.eml (55,706 bytes)
- emails / 2017-01-20-ransomware-malspam-1636-UTC.eml (69,278 bytes)
- attachments / 505635089.zip (44,303 bytes)
- attachments / 96676808070.zip (40,921 bytes)
- attachments / EMAIL_0436024153_[recipient].zip (50,957 bytes)
- attachments / EMAIL_327120_[recipient].zip (52,907 bytes)
- attachments / EMAIL_42654088199_[recipient].zip (3,887 bytes)
- attachments / EMAIL_608170693_[recipient].zip (49,205 bytes)
- attachments / EMAIL_6161214_[recipient].zip (49,928 bytes)
- attachments / EMAIL_7281945_[recipient].zip (3,099 bytes)
- attachments / EMAIL_77900715_[recipient].zip (48,408 bytes)
- attachments / EMAIL_807388025533838_[recipient].zip (3,531 bytes)
- extracted-files / 380.js (13,693 bytes)
- extracted-files / 12824.js (10,065 bytes)
- extracted-files / 22044.js (11,232 bytes)
- extracted-files / 8970.doc (110,592 bytes)
- extracted-files / 13622.doc (105,984 bytes)
- extracted-files / 20703.doc (105,472 bytes)
- extracted-files / 22230.doc (116,736 bytes)
- extracted-files / 25862.doc (112,128 bytes)
- extracted-files / 26922.doc (99,328 bytes)
- extracted-files / 32449.doc (109,568 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Cerber-example-1.exe (279,012 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Cerber-example-2.exe (279,012 bytes)
- artifacts / 2017-01-20-Cerber_HELP_HELP_HELP_5HF2E.hta (75,794 bytes)
- artifacts / 2017-01-20-Cerber_HELP_HELP_HELP_5HF2E.jpg (228,732 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-1.exe (352,328 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-2.exe (352,328 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-3.exe (352,328 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-4.exe (352,328 bytes)
- artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-5.exe (352,328 bytes)
- artifacts / 2017-01-20-Sage-2.0-EMf.bmp (1,766,454 bytes)
- artifacts / 2017-01-20-Sage-2.0-Recovery_EMf.html (9,149 bytes)
- artifacts / 2017-01-20-Sage-2.0-decryption-page.html (10,491 bytes)
- artifacts / 2017-01-20-Sage-2.0-decryption-page-css-files (all the .css files for the above HTML page)
- artifacts / 2017-01-20-Sage-2.0-scheduled-task-to-stay-persistent.txt (3,244 bytes)