2017-04-05 - CERBER/KOVTER MALSPAM - SUBJECT: DELIVERY NOTIFICATION

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-05-Cerber-Kovter-malspam-traffic.pcap.zip   782 kB (782,194 bytes)

• 2017-04-05-Cerber-Kovter-malspam-traffic.pcap   (1,277,728 bytes)

• ZIP archive of the malware:  2017-04-05-Cerber-Kovter-malspam-and-artifacts.zip   1.1 MB (1,058,848 bytes)

• 2017-04-05-Cerber-Kovter-malspam.eml   (4,424 bytes)
• 4503.tmp   (344 bytes)
• 6fee.fe612   (15,984 bytes)
• 84e9.tmp   (130 bytes)
• FedEx-Package-ID-ETUV9Y4U.doc.js   (1,218 bytes)
• FedEx-Package-ID-ETUV9Y4U.zip   (1,083 bytes)
• _READ_THI$_FILE_JIUG_.jpeg   (462,645 bytes)
• _READ_THI$_FILE_JSDUA_.txt   (1,337 bytes)
• _READ_THI$_FILE_O070JFHE_.hta   (77,047 bytes)
• a.doc   (8,589 bytes)
• a1.exe   (273,065 bytes)
• a2.exe   (363,983 bytes)
• c65e.bat   (61 bytes)

NOTES:

• Cerber is now using a dollar sign for the letter S in file names dropped to the desktop.  It's also used in the title from the decyrption instructions text file.

Shown above:  Cerber now showing some bling.

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2017-04-05 at 21:43 UTC
• From:  maraton1@vps-944527-x.dattaweb.com
• Subject:  Delivery Notification
• Attachment name:  FedEx-Package-ID-ETUV9Y4U.zip
• Extracted file name:  FedEx-Package-ID-ETUV9Y4U.doc.js

 

Shown above:  Attachment taken from the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC CAUSED BY THE .JS FILE:

• 92.53.96.173 port 80 - malibu-omsk.ru - GET /counter/?0000001BtDCPeYZyG[long string]
• 173.201.167.66 port 80 - qikpages.com - GET /counter/?0000001BtDCPeYZyG[long string]
• 50.63.47.1 port 80 - bettyjudy.com - GET /counter/?1
• 50.63.47.1 port 80 - bettyjudy.com - GET /counter/?2

OTHER DOMAINS FROM THE .JS FILE:

• 2guns.ru - GET /counter/?0000001BtDCPeYZyG[long string]
• austinshortterm.com - GET /counter/?0000001BtDCPeYZyG[long string]
• adrianacampos.com.br - GET /counter/?0000001BtDCPeYZyG[long string]

CERBER POST-INFECTION HTTP TRAFFIC:

• 193.169.135.166 port 80 - p27dokhpz2n7nvgr.1czh7o.top

CERBER POST-INFECTION UDP TRAFFIC:

• 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892
• 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892
• 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892

KOVTER POST-INFECTION HTTP TRAFFIC:

• 95.160.59.82 port 80 - 95.160.59.82 - POST /
• 109.68.75.17 port 80 - 109.68.75.17 - POST /
• 185.4.73.34 port 80 - 185.4.73.34 - POST /

KOVTER POST-INFECTION HTTPS/SSL/TLS TRAFFIC:

• 84.18.198.196 port 443 - HTTPS/SSL/TLS traffic
• 31.27.151.174 port 443 - HTTPS/SSL/TLS traffic
• Various other IP addresses over TCP ports 443 and 8080 - HTTPS/SSL/TLS traffic or attempted connections

 

FILE HASHES

ZIP ATTACHMENT FROM THE EMAIL:

• SHA256 hash:  97fdc3afb9aba4927d6c7a07a546007f3c9a96ded1e788415136bbe03b918cf8
  File name:  FedEx-Package-ID-ETUV9Y4U.zip

.JS FILE EXTRACTED FROM THE ZIP ATTACHMENT:

• SHA256 hash:  f493ed24c5032a4df1c76fb18ca666164b9f11d410204422a1bc761ad0b4fc7b
  File name:  FedEx-Package-ID-ETUV9Y4U.doc.js

CERBER AND KOVTER BINARIES:

• SHA256 hash:  35b817d542dd8ac9f51336b908331f0a9192c666cf7c95f5063d7eec3400301b
  File location:  C:\Users\[username]\AppData\Local\Temp\a1.exe
  File description:  Cerber ransomware

• SHA256 hash:  fa096cfd9b1a9e9b09b360c74e07f6870d399873f2d19b283de098f3b35b7535
  File location:  C:\Users\[username]\AppData\Local\Temp\a2.exe
  File description:  Kovter malware

 

ARFICACTS FOUND ON THE INFECTED WINDOWS HOST:

• C:\Users\[username]\AppData\Local\c4ff\6fee.fe612   [dropped during Kovter infection]
• C:\Users\[username]\AppData\Local\c4ff\c65e.bat   [dropped during Kovter infection]
• C:\Users\[username]\AppData\Local\Temp\a.doc   [data, not an actual document]
• C:\Users\[username]\AppData\Local\Temp\a1.exe   [Cerber binary]
• C:\Users\[username]\AppData\Local\Temp\a2.exe   [Kovter binary]
• C:\Users\[username]\AppData\Local\Temp\tmp6D04.bmp   [Cerber instructions for desktop background]
• C:\Users\[username]\AppData\Local\Temp\d72cb2f8\84e9.tmp   [dropped during Cerber infection]
• C:\Users\[username]\AppData\Local\Temp\d72cb2f8\4503.tmp   [dropped during Cerber infection]

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-05-Cerber-Kovter-malspam-traffic.pcap.zip   782 kB (782,194 bytes)
• ZIP archive of the malware:  2017-04-05-Cerber-Kovter-malspam-and-artifacts.zip   1.1 MB (1,058,848 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.