2017-01-21 - PCAP AND MALWARE FOR AN ISC DIARY

NOTES:

• The associated ISC diary is for Saturday 2017-01-21:  Sage 2.0 Ransomware
• The diary investigates the latest version of Sage ransomware I found in a malspam campaign I've been tracking (one that normally sends Cerber).

• ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

 

ASSOCIATED FILES:

• ZIP archive of email tracking spreadsheet:  2017-01-21-ransomware-campaign-malspam-tracker-for-ISC-diary.csv.zip   1.1 kB (1,134 bytes)

• 2017-01-21-ransomware-campaign-malspam-tracker-for-ISC-diary.csv   (2,330 bytes)

• ZIP archive of the pcaps:  2017-01-21-pcaps-for-ISC-diary.zip   1.7 MB (1,689,751 bytes)

• 2017-01-20-Cerber-from-cocalolo.top-full-infection-traffic.pcap   (293,432 bytes)
• 2017-01-20-Cerber-from-truepokemonant.top.pcap   (289,837 bytes)
• 2017-01-20-Sage-2.0-from-newfoodas.top.pcap   (357,417 bytes)
• 2017-01-20-Sage-2.0-ransomware-from-fortycooola.top-full-infection-traffic.pcap   (7,243,866 bytes)
• 2017-01-20-Sage-2.0-ransomware-from-smoeroota.top-full-infection-traffic.pcap   (347,342 bytes)

• ZIP archive of the emails, malware, etc:  2017-01-21-ISC-diary-malware-and-artifacts.zip   2.9 MB (2,915,043 bytes)

• emails / 2017-01-19-ransomware-malspam-0719-UTC.eml   (5,244 bytes)
• emails / 2017-01-19-ransomware-malspam-0751-UTC.eml   (5,702 bytes)
• emails / 2017-01-19-ransomware-malspam-0813-UTC.eml   (4,630 bytes)
• emails / 2017-01-19-ransomware-malspam-1435-UTC.eml   (66,939 bytes)
• emails / 2017-01-19-ransomware-malspam-1553-UTC.eml   (67,927 bytes)
• emails / 2017-01-19-ransomware-malspam-1652-UTC.eml   (71,950 bytes)
• emails / 2017-01-19-ransomware-malspam-1657-UTC.eml   (60,251 bytes)
• emails / 2017-01-20-ransomware-malspam-0016-UTC.eml   (65,847 bytes)
• emails / 2017-01-20-ransomware-malspam-1419-UTC.eml   (55,706 bytes)
• emails / 2017-01-20-ransomware-malspam-1636-UTC.eml   (69,278 bytes)
• attachments / 505635089.zip   (44,303 bytes)
• attachments / 96676808070.zip   (40,921 bytes)
• attachments / EMAIL_0436024153_[recipient].zip   (50,957 bytes)
• attachments / EMAIL_327120_[recipient].zip   (52,907 bytes)
• attachments / EMAIL_42654088199_[recipient].zip   (3,887 bytes)
• attachments / EMAIL_608170693_[recipient].zip   (49,205 bytes)
• attachments / EMAIL_6161214_[recipient].zip   (49,928 bytes)
• attachments / EMAIL_7281945_[recipient].zip   (3,099 bytes)
• attachments / EMAIL_77900715_[recipient].zip   (48,408 bytes)
• attachments / EMAIL_807388025533838_[recipient].zip   (3,531 bytes)
• extracted-files / 380.js   (13,693 bytes)
• extracted-files / 12824.js   (10,065 bytes)
• extracted-files / 22044.js   (11,232 bytes)
• extracted-files / 8970.doc   (110,592 bytes)
• extracted-files / 13622.doc   (105,984 bytes)
• extracted-files / 20703.doc   (105,472 bytes)
• extracted-files / 22230.doc   (116,736 bytes)
• extracted-files / 25862.doc   (112,128 bytes)
• extracted-files / 26922.doc   (99,328 bytes)
• extracted-files / 32449.doc   (109,568 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Cerber-example-1.exe   (279,012 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Cerber-example-2.exe   (279,012 bytes)
• artifacts / 2017-01-20-Cerber_HELP_HELP_HELP_5HF2E.hta   (75,794 bytes)
• artifacts / 2017-01-20-Cerber_HELP_HELP_HELP_5HF2E.jpg   (228,732 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-1.exe   (352,328 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-2.exe   (352,328 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-3.exe   (352,328 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-4.exe   (352,328 bytes)
• artifacts / 2017-01-20-malspam-ransomware-Sage-2.0-example-5.exe   (352,328 bytes)
• artifacts / 2017-01-20-Sage-2.0-EMf.bmp   (1,766,454 bytes)
• artifacts / 2017-01-20-Sage-2.0-Recovery_EMf.html   (9,149 bytes)
• artifacts / 2017-01-20-Sage-2.0-decryption-page.html   (10,491 bytes)
• artifacts / 2017-01-20-Sage-2.0-decryption-page-css-files   (all the .css files for the above HTML page)
• artifacts / 2017-01-20-Sage-2.0-scheduled-task-to-stay-persistent.txt   (3,244 bytes)

 

Click here to return to the main page.