2017-04-13 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER, STILL USING FAKE CHROME PAGE
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap.zip 385 kB (385,228 bytes)
- 2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap (536,245 bytes)
- ZIP archive of the malware: 2017-04-13-blank-slate-malspam-and-artifacts.zip 366 kB (365,869 bytes)
- 2017-04-13-Cerber-ransomware-from-testgojale.com.exe (334,506 bytes)
- 2017-04-13-blank-slate-malspam-1005-UTC.eml (4,245 bytes)
- 2017-04-13-blank-slate-malspam-1330-UTC.eml (4,170 bytes)
- 48.js (8,502 bytes)
- _READ_THI$_FILE_2DKNJ_.hta (77,078 bytes)
- _READ_THI$_FILE_JUTNOHS_.txt (1,378 bytes)
- chrome_update.zip (3,940 bytes)
BACKGROUND:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.
OTHER NOTES:
- This blog post documents a slight variation on the fake Microsoft emails leading to a fake Google Chrome page sent from this campaign.
- Of course, the vast majority of Blank Slate malspam is still blank emails only consisting of attachments that are zip archives containing .js files.
- I just haven't had time lately to document the normal Blank Slate emails.
FAKE CHROME PAGE
Shown above: Screen shot from the fake Microsoft email.
Shown above: Letting the fake Chrome page send a fake Chrome update as a zip archive.
Shown above: Zip acrhive sent by the fake Chrome page.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
FAKE GOOGLE CHROME PAGE AND ZIP DOWNLOAD:
- 47.91.76.28 port 80 - doomnooaxc.top - GET /site/chrome_update_zip.html
- 47.91.76.28 port 80 - doomnooaxc.top - GET /site/download_zip.php
EXTRACTED .JS FILE GRABBING CERBER RANSOMWARE:
- 47.91.76.28 port 80 - testgojale.com - GET /admin.php?f=3.gif
CERBER POST-INFECTION TRAFFIC:
- 94.21.172.0 - 94.21.172.31 (94.21.172.0/27) UDP port 6893
- 94.22.172.0 - 94.22.172.31 (94.22.172.0/27) UDP port 6893
- 94.23.172.0 - 94.23.175.255 (94.23.172.0/22) UDP port 6893
- 193.169.135.155 port 80 - p27dokhpz2n7nvgr.1nhkou.top
MALWARE
SHA256 HASHES:
- SHA256 hash: 3de3fd9cda91e91b24c5569e4d2874ed5a8105e28c43dae911ab2b86e87e7505
File name: chrome_update.zip
File description: Downloaded from fake Google Chrome page at doomnooaxc.top on 2017-04-13
- SHA256 hash: cdd6286df651a213d2e13253ea67602db628fb1a8625ca4e308a0766866373ec
File name: 48.js
File description: Malicious .js file extracted from chrome_update.zip
- SHA256 hash: 5d947667bb754a1e1716bec2f86fb82ed5cc8dc5bf8d5c34d15ef232f8f6feb4
File description: Cerber ransomware downloaded by 48.js from testgojale.com on 2017-04-13
IMAGES
Shown above: Desktop of an infected Windows host. Still using dollar signs in _READ_THI$_FILE_ for file names. No more images with the instructions, though.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap.zip 385 kB (385,228 bytes)
- ZIP archive of the malware: 2017-04-13-blank-slate-malspam-and-artifacts.zip 366 kB (365,869 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.