Sponsored by..

Monday, 21 August 2017

Cerber spam: "please print", "images etc"

I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject:       images
From:       "Sophia Passmore" [Sophia5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm


*Sophia Passmore*

Subject:       please print
From:       "Roberta Pethick" [Roberta5555@victimdomain.tld]
Date:       Fri, May 12, 2017 7:18 pm

*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58. Both samples contained a malicious Javascript named 20170821_08914700.js that looks like this [pastebin].

Automated analysis [1] [2] shows a download from the following locations:

gel-batterien-agm-batterien.de/65JKjbh??TqCRhOAQ=TqCRhOAQ [ - Hetzner, Germany]
droohsdronfhystgfh.info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [ - Tencent, China]

The Hybrid Analysis report shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64.

Recommended blocklist:

No comments: