2017-05-05 - "BLANK SLATE" CAMPAIGN BACK TO SENDING CERBER RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-05-05-Blank-Slate-campaign-8-pcaps.zip   2.1 MB (2,125,542 bytes)
• 2017-05-05-Blank-Slate-malspam-tracker.csv.zip   2.2 kB (2,167 bytes)
• 2017-05-05-Blank-Slate-emails-and-Cerber-ransomware.zip   2.7 MB (2,728,966 bytes)

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

TODAY'S NOTES:

• After trying different types of ransomware on 2017-05-02 (Mordor) and 2017-05-03 (GlobeImposter), Blank Slate is back to pushing Cerber ransomware.
• I saw some Word documents as well as the usual .js files associated with this malspam.

Shown above:  Flow chart for this infection traffic.

 

EMAILS

Shown above:  Screenshot of spreadsheet tracker (1 of 2).

 

Shown above:  Screenshot of spreadsheet tracker (2 of 2).

 

Shown above:  If the zip attachment contains a .js file.

 

Shown above:  If the zip attachment contains a Word document.

 

TRAFFIC

Shown above:  Traffic from one of the infections filtered in Wireshark.

 

URLS GENERATED BY THE EXTRACTED FILES:

• 47.91.76[.]69 port 80 - gangvooloq[.]top - GET /admin.php?f=1.exe
• 47.91.76[.]69 port 80 - gangvooloq[.]top - GET /admin.php?f=404
• 47.91.76[.]69 port 80 - johnalmcx[.]top - GET /admin.php?f=404
• 51.15.77[.]124 port 80 - batypli3werty[.]top - GET /search.php
• 51.15.77[.]124 port 80 - oudiautimativc[.]top - GET /search.php

 

CERBER RANSOMWARE POST-INFECTION TRAFFIC:

• 94.21.172[.]0 - 94.21.172.31 (94.21.172[.]0/27) UDP port 6893
• 94.22.172[.]0 - 94.22.172.31 (94.22.172[.]0/27) UDP port 6893
• 94.23.172[.]0 - 94.23.175.255 (94.23.172[.]0/22) UDP port 6893
• 107.161.145[.]164 port 80 - p27dokhpz2n7nvgr.17gvad[.]top - HTTP traffic for Cerber decryption instructions on 2017-05-04
• 185.141.27[.]24 port 80 - p27dokhpz2n7nvgr.133chr[.]top - HTTP traffic for Cerber decryption instructions on 2017-05-05

 

SHA256 HASHES

ZIP ARCHIVES:

• 4dc6c101d349de5d92db06817a86525bb846bc444dce9d810378895e85130c66 - 4.zip
• da4a203e3a1c17dfcbcea0d0517a2fd9103c4d6025fb2dc7187044d55cf363da - 6.zip
• 0427c88b7a43cf762cce872ca9cc3f4781608eb0b8f4703ffcc02251ffc1a7ed - 99.zip
• 66a514478dbe87f3735847a5f5f41ef984eddcf1a9d50753335e1388c33d2234 - 7444.zip
• a2963468d7cadca806f48b4ff4b27d62414857176e01a576d8acd9501f22b45f - 20865.zip
• bd9908a2a35aca935a19db5ade4c017ac0426001a5981ffba5455bb428cada22 - 47251.zip
• 665389e358810a45b116195811345c73087ce1f90efc195eedb19115e22cd1d2 - 81893.zip
• 810dbe560bd0f852bb3c19f4f96d8bce120017928ccf1ca22ebe1a9b6e626473 - 972875.zip
• e9d82686760c0f8e09feae0700326417f4a526edd2d17ddd37375448071b418d - 8590608.zip
• e03052d2312cc158129925955e10532845cdf756beab79e76d8c83dbb5d8086c - 33289301.zip
• ac68f78d4da242e7889fd4f347146dff349f72c0a6d55f1b6278616bc8282c6b - 125187408.zip
• 4dbe3772b099a2daea3d12dc8dbe835839ceec4479b8c6f650d3d0676f8e36a7 - 563086312.zip
• 7504b773c3335448de59d540cbdc90bdefc15685c2531f03f7e693b62ccefaf1 - 798898546.zip
• 843990aad6992bd29ce8a899282bbe6f41602b89992dc96ebea593ced8e54541 - 848029826.zip
• c7df63231689522751e7f162b7ef1cb3e890cdf4cac68cb63b835af022d514cd - 940939894.zip
• 7c3f1ebc4696fe2513245188498b58e41408e8d156fb3a4a2550ddd81f599c44 - 5517722324.zip
• 01c3e5df5f32b1b29fa50656868800c454573bba1618bae11554b4b351682fdc - 9743166601.zip
• 1893bb52a65d801f4a06776f2d98dba8d948d87ce2d35d08c915fd3d69dfcf60 - 52159458326.zip
• 2da0c4e5ffc21b5ad435b75c2cc7e2b2fb8dd1c7f1e06f4fb0402987c0a7cff5 - 57211943184.zip
• 60973df77bf116fbaf37699979f038d543a53c51d4d46f090eb0f95eb81aa124 - 71669574835.zip
• f46c9bbaaa496850c229c7aec595f4ac9d1e31e4600eb96c78acea2008f245fa - 254889011854.zip
• 2a9db3e65e04e142dec460ace139d5979fd9dae0dd52fdc0ab7b398d6c9077ec - 409749210724.zip
• 3cd8131477c83aea35a629b27f2fb28af4cffb7865aedb35fdc572ca7c0a29ea - 657466850467.zip
• 92954c12a4873eb6545aee2d97d51c3d4d29b6637d424fcbd54a9982ddd40eb5 - 821257292187.zip
• 1b3c46f129de67ddf82110bba122a9b52a6cf564d6622243af22381007a89f45 - 2471407701181.zip
• 810dbe560bd0f852bb3c19f4f96d8bce120017928ccf1ca22ebe1a9b6e626473 - 2505095817304.zip
• ddaf62d80b1a272f148c5833c9d7ccafdd05d503d09ba1d7b1e6e23f9dcbabb4 - 6126705876377.zip
• e0dc329128208e6967b06105a7f4079eb4f64ef090481909f819ac3d9d26c023 - 34010343464599.zip
• 579c56ed658b8a5573fb3283f4659c31a92b4b10d6af38aebde84c2791aa475c - 40411954834814.zip
• 92954c12a4873eb6545aee2d97d51c3d4d29b6637d424fcbd54a9982ddd40eb5 - 859773799209654.zip

 

EXTRACTED .JS FILES:

• 23a91c7b0003ee7f537e39bab54c2d2978da7034c5ad7304cc0a04cc958c6a14 - 13.js
• 32e82cce5ca90d609f77fdde7d8fb0fb84b2804f2ae67ff9ad9cccd59132cc9b - 154.js
• f9ecdb08162d9c6b5d179ecb3d2a2dcedbb4bdc61bcad2d32c07d3e3e76c66e4 - 193.js
• 45b55a2c942d715217955a1c0c762a702c85ed83abb2ee50a5344b45f3f5ac96 - 864.js
• 6faaeed56a66de784e18fe8047d04c2194572b2fec7d4cab5bf76f47c3a7a1ce - 1548.js
• 7fdbfce5ab036910409a30b63277eadfc36497a4d240a8dcdbc0f87a4282c540 - 4948.js
• c60888755cea19ba05f34c088ca4594f85c59849c0ac398d2c5dae69f103bd22 - 5109.js
• f4fbbf6e29c98f1959005587109358b397ece6e57a137666be1c82dd511bd680 - 6741.js
• db71396188384f590b97769d190c31c6706b2d7bf135e51bfb2fd8377ce2b6db - 8951.js
• fc976c546c64f5ca95983865bc335c012031e653a0459a1e36e9b7855cac6485 - 10630.js
• a1f64d14e5a11000be0c41e97e31803cd4b5684693129919e4ad2c3998ae703c - 11432.js
• f2da5c149c36ec83ba04c0eae75659a997c51261c9cb92575641d05da928a927 - 12694.js
• 00136bd2ab385ec217ae37dc218a8f23136d96ea2717a3355cc431cb84bd2496 - 17548.js
• aa5b2056ce7bb649da276d19cc79e88dfcc7d13b1bcad44dd8d8152b2f549405 - 20490.js
• 00136bd2ab385ec217ae37dc218a8f23136d96ea2717a3355cc431cb84bd2496 - 20867.js
• b07f1f6bad54088076150bf36a12b2950f2e02e03ed3135fbfcf4b92aaf237f7 - 21346.js
• e5abea93404ee0c18948e97cac5c0171a095cc6254f782f2386b4a862332210c - 23226.js
• 85bf826af477b09a76ccaaf65c4a3d16cc55d6554f846cf3cec2d78cbf949c36 - 24345.js
• 159ff4d5b375a385e07e345a440735fc25e1652fb53500f33dd330efd253749a - 25931.js
• a45026412944e9fb7649e5e60468fdd03c07e52d89b077b6f82e02181ce81980 - 26826.js
• 65b4614c00f5c0095d9700ca35807d55f8cc39988f40b2cda759bce753d1bb56 - 28346.js
• 886ffbee672dca5e7564a5c9cda049ed7fb385807d4eefb683f933ee0d4902ae - 28776.js
• 15b19198218160c9fa9f2072f61701ab2465282f8f7668b16b0740d03ed5b532 - 30625.js
• 9d654c8eaa80fa8d9e7e607cade03431a1089f24476e6fecc3aa5438783b4851 - 32729.js

 

EXTRACTED .DOC FILES:

• ce06d76cd7dea554291a6a8f0e2586bdac91e9e4beebb62b95319a5324869509 - 885.doc
• f5bc035b62f10c4ebf9041c4130f9bba348708f480d7da678fc1ba05c80e0c61 - 2254.doc
• c458434cac6d78a24cbac1921fc7fd2232f19c60c3a27aadd4ee1eaaf462ffd0 - 19644.doc
• 77ce1e23bc0cbe53002d0209c89398f49980510588f53a811ed533951001ed2a - 26383.doc

 

RANSOMWARE SAMPLES:

• 7ff5f326b7fd8303d92d6705958c8435f5827c885e493b9485c29720b7708adb - Cerber from gangvooloq[.]top on 2017-05-04
• 667b421dbb0b82dd05674c6d03db3cdb56e926a8fa9167c13b5f31038ea7233e - Cerber from gangvooloq[.]top on 2017-05-05
• e01ff0bcb5716d80d857ba42fdb94a61bacc9601fa0bd3ff33e1cd580c3ce05f - Cerber from batypli3werty[.]top on 2017-05-05 (1 of 2)
• ee498e84d8e9195226ddc71109aacbcafd64c1e0d9386ae91f54f7d4e2bc34f8 - Cerber from batypli3werty[.]top on 2017-05-05 (2 of 2)
• c90596bc4f495b617c0be157abac41fadbfe1a0495f8f4389546a473b118fb81 - Cerber from johnalmcx[.]top on 2017-05-05 (1 of 2)
• a12d04e3c4a281cc49977f5a40f25dd3956e4ae55241a37c52afa085774190a9 - Cerber from johnalmcx[.]top on 2017-05-05 (2 of 2)
• 622fef095b3fce90084a6b0cded5eb90b4e3a80303e9973cc3e61ea49ae8fa54 - Cerber from 4rebaopfgrewe[.]top on 2017-05-05
• 0e4cedceeca07589beff34be6d77ad69c5b37007a7a76fab6478c80a9a1c06f2 - Cerber from oudiautimativc[.]top on 2017-05-05

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Click here to return to the main page.