2017-04-13 - "BLANK SLATE" MALSPAM STILL PUSHING CERBER, STILL USING FAKE CHROME PAGE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap.zip   385 kB (385,228 bytes)

• 2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap   (536,245 bytes)

• ZIP archive of the malware:  2017-04-13-blank-slate-malspam-and-artifacts.zip   366 kB (365,869 bytes)

• 2017-04-13-Cerber-ransomware-from-testgojale.com.exe   (334,506 bytes)
• 2017-04-13-blank-slate-malspam-1005-UTC.eml   (4,245 bytes)
• 2017-04-13-blank-slate-malspam-1330-UTC.eml   (4,170 bytes)
• 48.js   (8,502 bytes)
• _READ_THI$_FILE_2DKNJ_.hta   (77,078 bytes)
• _READ_THI$_FILE_JUTNOHS_.txt   (1,378 bytes)
• chrome_update.zip   (3,940 bytes)

 

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

OTHER NOTES:

• This blog post documents a slight variation on the fake Microsoft emails leading to a fake Google Chrome page sent from this campaign.
• Of course, the vast majority of Blank Slate malspam is still blank emails only consisting of attachments that are zip archives containing .js files.
• I just haven't had time lately to document the normal Blank Slate emails.

 

FAKE CHROME PAGE

Shown above:  Screen shot from the fake Microsoft email.

 

Shown above:  Letting the fake Chrome page send a fake Chrome update as a zip archive.

 

Shown above:  Zip acrhive sent by the fake Chrome page.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

FAKE GOOGLE CHROME PAGE AND ZIP DOWNLOAD:

• 47.91.76.28 port 80 - doomnooaxc.top - GET /site/chrome_update_zip.html
• 47.91.76.28 port 80 - doomnooaxc.top - GET /site/download_zip.php

EXTRACTED .JS FILE GRABBING CERBER RANSOMWARE:

• 47.91.76.28 port 80 - testgojale.com - GET /admin.php?f=3.gif

CERBER POST-INFECTION TRAFFIC:

• 94.21.172.0 - 94.21.172.31 (94.21.172.0/27) UDP port 6893
• 94.22.172.0 - 94.22.172.31 (94.22.172.0/27) UDP port 6893
• 94.23.172.0 - 94.23.175.255 (94.23.172.0/22) UDP port 6893
• 193.169.135.155 port 80 - p27dokhpz2n7nvgr.1nhkou.top

 

MALWARE

SHA256 HASHES:

• SHA256 hash:  3de3fd9cda91e91b24c5569e4d2874ed5a8105e28c43dae911ab2b86e87e7505
  File name:  chrome_update.zip
  File description:  Downloaded from fake Google Chrome page at doomnooaxc.top on 2017-04-13

• SHA256 hash:  cdd6286df651a213d2e13253ea67602db628fb1a8625ca4e308a0766866373ec
  File name:  48.js
  File description:  Malicious .js file extracted from chrome_update.zip

• SHA256 hash:  5d947667bb754a1e1716bec2f86fb82ed5cc8dc5bf8d5c34d15ef232f8f6feb4
  File description:  Cerber ransomware downloaded by 48.js from testgojale.com on 2017-04-13

 

IMAGES

Shown above:  Desktop of an infected Windows host.  Still using dollar signs in _READ_THI$_FILE_ for file names.  No more images with the instructions, though.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-13-blank-slate-malspam-sends-Cerber-ransomware.pcap.zip   385 kB (385,228 bytes)
• ZIP archive of the malware:  2017-04-13-blank-slate-malspam-and-artifacts.zip   366 kB (365,869 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.