2017-08-02 - MAGNITUDE EK SENDS CERBER RANSOMWARE
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-08-02-Magnitude-EK-sends-Cerber-ransomware.pcap.zip 768 kB (768,068 bytes)
- 2017-08-02-Magnitude-EK-sends-Cerber-ransomware.pcap (942,407 bytes)
- Zip archive of the malware: 2017-08-02-Magnitude-EK-artifacts-and-malware.zip 918 kB (918,486 bytes)
- 2017-08-02-Cerber-decryption-instructions.bmp (1,920,054 bytes)
- 2017-08-02-Cerber-decryption-instructions_R_E_A_D___T_H_I_S___0AK861OQ_.txt (1,383 bytes)
- 2017-08-02-Cerber-decryption-instructions_R_E_A_D___T_H_I_S___DSJR_.hta (77,982 bytes)
- 2017-08-02-Magnitude-EK-payload-Cerber.exe (249,856 bytes)
- 2017-08-02-Mangitude-EK-flash-exploit.swf (37,564 bytes)
- 2017-08-02-Mangitude-EK-landing-page.txt (7,315 bytes)
- 2017-08-02-Mangitude-EK-returned-XML-script.txt (1,343 bytes)
- 2017-08-02-response-from-b16eauf5z38u9l.ourspen.com.txt (2,570 bytes)
- 2017-08-02-response-from-gate-domain-leading-to-Magnitude-EK.txt (1,204 bytes)
NOTES:
- I accidentally filtered out the Cerber post-infection UDP port 6893 traffic from the pcap.
- For more info, see the August 2017 Malwarebytes blog post, Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS AND URLS:
- [redacted] port 80 - [one of the "magnigate" domains] - GET /
- 145.239.190.18 port 80 - b16eauf5z38u9l.ourspen.com - [another "magnigate" URL]
- 188.165.92.24 port 80 - d84d21ud9dm9a74y.keyvote.webcam - [Magnitude EK]
- 188.165.92.24 port 80 - 188.165.92.24 - [Magnitude EK sending payload]
- 5.196.128.254 port 80 - 5.196.128.254 - [Magnitude EK sending payload - 404 not found]
- 73.107.12.0 - 73.107.12.31 (73.107.12.0/27) UDP port 6893 [Cerber post-infection UDP scan]
- 75.1.200.0 - 75.1.200.31 (75.1.200.0/27) UDP port 6893 [Cerber post-infection UDP scan]
- 87.98.176.0 - 87.98.179.255 (87.98.176.0/22) UDP port 6893 [Cerber post-infection UDP scan]
- 86.110.119.251 port 80 - oqwygprskqv65j72.1hbdbx.top - [Cerber post-infection HTTP traffic]
FILE HASHES
FLASH EXPLOIT:
- SHA256 hash: 9cf8ed1111cb5b04b040ad57dcf87225659a6cb4ac10e7cf4381d397b5f67c89
File size: 37,564 bytes
File description: Flash exploit seen from Magnitude EK on 2017-08-02
MAGNITUDE EK PAYLOAD (CERBER RANSOMWARE):
- SHA256 hash: cee87e61f13e50217169e338342370aa94e31f0bacdf3d1b901e1dd79c9f8d87
File size: 249,856 bytes
File description: Cerber ransomware sent by Magnitude EK on 2017-08-02
IMAGES
Shown above: Desktop of the infected Windows host.
Shown above: Cerber decryption instructions.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-08-02-Magnitude-EK-sends-Cerber-ransomware.pcap.zip 768 kB (768,068 bytes)
- Zip archive of the malware: 2017-08-02-Magnitude-EK-artifacts-and-malware.zip 918 kB (918,486 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.