2017-01-27 - MORE MALSPAM SPREADING RANSOMWARE

ASSOCIATED FILES:

• ZIP archive of the spreadsheet tracker:  2017-01-27-ransomware-malspam-tracker-part-2.csv.zip   0.8 kB (847 bytes)
• ZIP archive of the emails and attachments:  2017-01-27-more-ransomware-emails-and-attachments.zip   737 kB (737,170 bytes)

 

NOTES:

• More malspam from an ongoing campaign distributing ransomware as described here.
• Still only seeing Cerber when I checked these URLs, but they may deliver different ransomware at a different date/time.
• NOTE:  Anywhere you see [recipient] is where I removed the recipient's name.

 

EMAILS

Shown above:  Information from the spreadsheet tracker (part 1 of 2).

 

Shown above:  Information from the spreadsheet tracker (part 2 of 2).

 

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Attachment)

• 2017-01-27 01:57 UTC -- g_yorum35@windowslive.com -- SALE-166-[recipient].zip
• 2017-01-27 03:38 UTC -- honigbiermeier@t-online.de -- NATASHA-64067157003363-[recipient].zip
• 2017-01-27 10:09 UTC -- kasia_094@wp.pl -- BUY-11686413-[recipient].zip
• 2017-01-27 14:09 UTC -- jennifer.rose@davey.com -- 858237242478.zip
• 2017-01-27 15:40 UTC -- ajapanfomr@availabledatingworld.biz -- SALE-63732246665706-[recipient].zip
• 2017-01-27 16:02 UTC -- 54ung41rj0dlrgrjvf45raibnn0jvk6bq3@4ax.com -- 5232752541414.zip
• 2017-01-27 16:09 UTC -- cancillo@ua.es -- BILL-85665-[recipient].zip
• 2017-01-27 20:03 UTC -- carol@mirror.co.uk -- 172136592383831.zip

 

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

• ad6313c79b1a3a5dcb591082a2e03b6ecc7e4cc45459b009f25a362ca1c5cc52 - 172136592383831.zip
• c2de4713612007798583ce55f65c4fed31f3d6992c1b78525963782a1df90ed0 - 5232752541414.zip
• b465d5863847b960e017ad71976c7ee9ee49563f786955f4e25fc380abe4c853 - 858237242478.zip
• 0c41de0409556cb5a9ad432b2f3a5410c1aa678fb85b52af36c083e6a5d8382b - BILL-85665-[recipient].zip
• 3307344d35279c05ae4ae5c9dcf4d139267b8828e967118a9bd8f47e02cbcf35 - BUY-11686413-[recipient].zip
• fc4997a044eef047c4b154ec5b4fcb8c2d61e5aca731c8cbf6e0ba0af0e9850a - NATASHA-64067157003363-[recipient].zip
• b35b7754c40bffe205193928af6a88346e4b080b0eb7c70d9887f322e7ce9e6a - SALE-166-[recipient].zip
• a2c009051e41c5966e3d0f09b9457367eb5a3bb7b9b1d2eb812d3b5f8748b29e - SALE-63732246665706-[recipient].zip

 

SHA256 HASHES FOR THE EXTRACTED .JS FILES AND WORD DOCUMENTS:

• 9b823af045e0483cdf87f22c2f394907afe93e811ca60489adcc2a7d37540526 - 8606.js
• bab7e52ff13759a5f7a029710a085199599a0943400b58b7a3aeccbbad494901 - 12288.doc
• 71071d494e47ff65139f065b1d16bae16747cf42a7185ba5cd4b456346228b79 - 15067.js
• ba7beb5441f32186299a82feec9e7efa9d11c418c5697e8c8672c1046bd4b8a1 - 16998.js
• a4598424ccad34362b0896f59ff47f0c7bf3101771ecab58bc37e541e18548a8 - 19168.js
• 56af17d39e387442edd039941bfc23b33b65f802510e4790f5b41f7dc99d2c84 - 22159.js
• bab7e52ff13759a5f7a029710a085199599a0943400b58b7a3aeccbbad494901 - 30801.doc
• e357d686c69efbcb653d8c6178a4eeeaf48d65ecfce1decceb7a95fb75ab222a - 31123.doc

 

TRAFFIC

HTTP REQUESTS FOR THE CERBER RANSOMWARE:

• vvorootad.top - GET /admin.php?f=1.dat
• footarepu.top - GET /read.php?f=0.dat
• jhdgh.bid - GET /search.php

NOTE:  These domains were all hosted on Amazon Web Services (AWS), and these URLs were still active as I wrote this.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the spreadsheet tracker:  2017-01-27-ransomware-malspam-tracker-part-2.csv.zip   0.8 kB (847 bytes)
• ZIP archive of the emails and attachments:  2017-01-27-more-ransomware-emails-and-attachments.zip   737 kB (737,170 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.