2017-08-02 - MAGNITUDE EK SENDS CERBER RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-08-02-Magnitude-EK-sends-Cerber-ransomware.pcap.zip 768.1 kB (768,068 bytes)
- 2017-08-02-Magnitude-EK-sends-Cerber-ransomware.pcap (942,407 bytes)
- 2017-08-02-Magnitude-EK-and-Cerber-ransomware-artifacts-and-malware.zip 920.0 kB (919,974 bytes)
- 2017-08-02-Cerber-decryption-instructions.bmp (1,920,054 bytes)
- 2017-08-02-Cerber-decryption-instructions_R_E_A_D___T_H_I_S___0AK861OQ_.txt (1,383 bytes)
- 2017-08-02-Cerber-decryption-instructions_R_E_A_D___T_H_I_S___DSJR_.hta (77,982 bytes)
- 2017-08-02-Magnitude-EK-payload-Cerber.exe (249,856 bytes)
- 2017-08-02-Mangitude-EK-flash-exploit.swf (37,564 bytes)
- 2017-08-02-Mangitude-EK-landing-page.txt (7,315 bytes)
- 2017-08-02-Mangitude-EK-returned-XML-script.txt (1,343 bytes)
- 2017-08-02-response-from-b16eauf5z38u9l.ourspen_com.txt (2,570 bytes)
- 2017-08-02-response-from-gate-domain-leading-to-Magnitude-EK.txt (1,204 bytes)
NOTES:
- I accidentally filtered out the Cerber ransomware post-infection UDP port 6893 traffic from the pcap.
- For more info, see the August 2017 Malwarebytes blog post, Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- [redacted] port 80 - [one of the "magnigate" domains] - GET /
- 145.239.190[.]18 port 80 - b16eauf5z38u9l.ourspen[.]com - [another "magnigate" URL]
- 188.165.92[.]24 port 80 - d84d21ud9dm9a74y.keyvote[.]webcam - [Magnitude EK]
- 188.165.92[.]24 port 80 - 188.165.92[.]24 - [Magnitude EK sending payload]
- 5.196.128[.]254 port 80 - 5.196.128[.]254 - [Magnitude EK sending payload - 404 not found]
- 73.107.12[.]0 - 73.107.12[.]31 (73.107.12[.]0/27) UDP port 6893 [Cerber post-infection UDP scan]
- 75.1.200[.]0 - 75.1.200[.]31 (75.1.200[.]0/27) UDP port 6893 [Cerber post-infection UDP scan]
- 87.98.176[.]0 - 87.98.179[.]255 (87.98.176[.]0/22) UDP port 6893 [Cerber post-infection UDP scan]
- 86.110.119[.]251 port 80 - oqwygprskqv65j72.1hbdbx[.]top - [Cerber post-infection HTTP traffic]
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 9cf8ed1111cb5b04b040ad57dcf87225659a6cb4ac10e7cf4381d397b5f67c89
File size: 37,564 bytes
File description: Flash exploit seen from Magnitude EK on 2017-08-02
MAGNITUDE EK PAYLOAD (CERBER RANSOMWARE):
- SHA256 hash: cee87e61f13e50217169e338342370aa94e31f0bacdf3d1b901e1dd79c9f8d87
File size: 249,856 bytes
File description: Cerber ransomware sent by Magnitude EK on 2017-08-02
IMAGES
Shown above: Desktop of the infected Windows host.
Shown above: Cerber decryption instructions.
Click here to return to the main page.