2017-04-05 - CERBER/KOVTER MALSPAM - SUBJECT: DELIVERY NOTIFICATION
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-05-Cerber-Kovter-malspam-traffic.pcap.zip 782 kB (782,194 bytes)
- 2017-04-05-Cerber-Kovter-malspam-traffic.pcap (1,277,728 bytes)
- ZIP archive of the malware: 2017-04-05-Cerber-Kovter-malspam-and-artifacts.zip 1.1 MB (1,058,848 bytes)
- 2017-04-05-Cerber-Kovter-malspam.eml (4,424 bytes)
- 4503.tmp (344 bytes)
- 6fee.fe612 (15,984 bytes)
- 84e9.tmp (130 bytes)
- FedEx-Package-ID-ETUV9Y4U.doc.js (1,218 bytes)
- FedEx-Package-ID-ETUV9Y4U.zip (1,083 bytes)
- _READ_THI$_FILE_JIUG_.jpeg (462,645 bytes)
- _READ_THI$_FILE_JSDUA_.txt (1,337 bytes)
- _READ_THI$_FILE_O070JFHE_.hta (77,047 bytes)
- a.doc (8,589 bytes)
- a1.exe (273,065 bytes)
- a2.exe (363,983 bytes)
- c65e.bat (61 bytes)
NOTES:
- Cerber is now using a dollar sign for the letter S in file names dropped to the desktop. It's also used in the title of the decryption instructions text file.
Shown above: Cerber now showing some bling.
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-04-05 at 21:43 UTC
- From: maraton1@vps-944527-x.dattaweb.com
- Subject: Delivery Notification
- Attachment name: FedEx-Package-ID-ETUV9Y4U.zip
- Extracted file name: FedEx-Package-ID-ETUV9Y4U.doc.js
Shown above: Attachment taken from the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
TRAFFIC CAUSED BY THE .JS FILE:
- 92.53.96.173 port 80 - malibu-omsk.ru - GET /counter/?0000001BtDCPeYZyG[long string]
- 173.201.167.66 port 80 - qikpages.com - GET /counter/?0000001BtDCPeYZyG[long string]
- 50.63.47.1 port 80 - bettyjudy.com - GET /counter/?1
- 50.63.47.1 port 80 - bettyjudy.com - GET /counter/?2
OTHER DOMAINS FROM THE .JS FILE:
- 2guns.ru - GET /counter/?0000001BtDCPeYZyG[long string]
- austinshortterm.com - GET /counter/?0000001BtDCPeYZyG[long string]
- adrianacampos.com.br - GET /counter/?0000001BtDCPeYZyG[long string]
CERBER POST-INFECTION HTTP TRAFFIC:
- 193.169.135.166 port 80 - p27dokhpz2n7nvgr.1czh7o.top
CERBER POST-INFECTION UDP TRAFFIC:
- 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892
- 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892
- 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892
KOVTER POST-INFECTION HTTP TRAFFIC:
- 95.160.59.82 port 80 - 95.160.59.82 - POST /
- 109.68.75.17 port 80 - 109.68.75.17 - POST /
- 185.4.73.34 port 80 - 185.4.73.34 - POST /
KOVTER POST-INFECTION HTTPS/SSL/TLS TRAFFIC:
- 84.18.198.196 port 443 - HTTPS/SSL/TLS traffic
- 31.27.151.174 port 443 - HTTPS/SSL/TLS traffic
- Various other IP addresses over TCP ports 443 and 8080 - HTTPS/SSL/TLS traffic or attempted connections
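Added example, not part of the original post: a small Python triage script that flags the three traffic patterns listed above (Cerber UDP 6892 beacons to the listed /27 and /22 ranges, Kovter POST / to a bare-IP Host, and the .js downloader's /counter/? requests) over a constructed flow-record format (proto src dst dport [method host uri]). The sample records and the 10.4.5.101 client are made up; the destination ranges, port, Host values and URI prefix are the ones listed above.

```python
import ipaddress

# Cerber UDP beacon destinations and port listed in this post's traffic notes.
CERBER_UDP_NETS = [ipaddress.ip_network(n) for n in ("149.202.64.0/27", "149.202.122.0/27", "149.202.248.0/22")]
CERBER_UDP_PORT = 6892

# Constructed sample flow records (not from the pcap): proto src dst dport [method host uri]
SAMPLE_LOG = """\
udp 10.4.5.101 149.202.64.17 6892
udp 10.4.5.101 149.202.250.3 6892
udp 10.4.5.101 8.8.8.8 53
tcp 10.4.5.101 95.160.59.82 80 POST 95.160.59.82 /
tcp 10.4.5.101 92.53.96.173 80 GET malibu-omsk.ru /counter/?0000001BtDCPeYZyG
tcp 10.4.5.101 93.184.216.34 80 GET example.com /index.html
"""

def _is_bare_ip(host):
    # True when the HTTP Host header is a literal IP rather than a domain name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_line(line):
    """Label a flow record that matches one of the post's patterns; None otherwise."""
    fields = line.split()
    if len(fields) < 4:
        return None
    proto, _src, dst, dport = fields[:4]
    if proto == "udp":
        # Cerber: UDP 6892 to the three observed /27 and /22 ranges.
        if int(dport) == CERBER_UDP_PORT and any(ipaddress.ip_address(dst) in n for n in CERBER_UDP_NETS):
            return "cerber-udp-beacon"
        return None
    if proto == "tcp" and len(fields) >= 7:
        method, host, uri = fields[4:7]
        # Kovter: HTTP POST to "/" with a bare IP address as the Host header.
        if method == "POST" and uri == "/" and _is_bare_ip(host):
            return "kovter-post-bare-ip"
        # .js downloader: GET /counter/?<id> to rotating domains.
        if method == "GET" and uri.startswith("/counter/?"):
            return "js-downloader-counter"
    return None

def scan(log_text):
    # (dst, label) for every record that matches one of the patterns; short/blank lines skipped
    rows = [l.split() for l in log_text.splitlines() if len(l.split()) >= 4]
    labelled = [(r[2], classify_line(" ".join(r))) for r in rows]
    return [(dst, label) for dst, label in labelled if label]
```

Real pcap or Zeek conn/http logs need a small adapter into this line format before being passed to scan().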
FILE HASHES
ZIP ATTACHMENT FROM THE EMAIL:
- SHA256 hash: 97fdc3afb9aba4927d6c7a07a546007f3c9a96ded1e788415136bbe03b918cf8
File name: FedEx-Package-ID-ETUV9Y4U.zip
.JS FILE EXTRACTED FROM THE ZIP ATTACHMENT:
- SHA256 hash: f493ed24c5032a4df1c76fb18ca666164b9f11d410204422a1bc761ad0b4fc7b
File name: FedEx-Package-ID-ETUV9Y4U.doc.js
CERBER AND KOVTER BINARIES:
- SHA256 hash: 35b817d542dd8ac9f51336b908331f0a9192c666cf7c95f5063d7eec3400301b
File location: C:\Users\[username]\AppData\Local\Temp\a1.exe
File description: Cerber ransomware
- SHA256 hash: fa096cfd9b1a9e9b09b360c74e07f6870d399873f2d19b283de098f3b35b7535
File location: C:\Users\[username]\AppData\Local\Temp\a2.exe
File description: Kovter malware
ARTIFACTS FOUND ON THE INFECTED WINDOWS HOST:
- C:\Users\[username]\AppData\Local\c4ff\6fee.fe612 [dropped during Kovter infection]
- C:\Users\[username]\AppData\Local\c4ff\c65e.bat [dropped during Kovter infection]
- C:\Users\[username]\AppData\Local\Temp\a.doc [data, not an actual document]
- C:\Users\[username]\AppData\Local\Temp\a1.exe [Cerber binary]
- C:\Users\[username]\AppData\Local\Temp\a2.exe [Kovter binary]
- C:\Users\[username]\AppData\Local\Temp\tmp6D04.bmp [Cerber instructions for desktop background]
- C:\Users\[username]\AppData\Local\Temp\d72cb2f8\84e9.tmp [dropped during Cerber infection]
- C:\Users\[username]\AppData\Local\Temp\d72cb2f8\4503.tmp [dropped during Cerber infection]
IMAGES
Shown above: Desktop of an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-05-Cerber-Kovter-malspam-traffic.pcap.zip 782 kB (782,194 bytes)
- ZIP archive of the malware: 2017-04-05-Cerber-Kovter-malspam-and-artifacts.zip 1.1 MB (1,058,848 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.