Magnitude EK delivers Cerber


Perseverance is the key sometimes. I finally got Magnitude to drop a payload, so yes, Cerber is back on the EK table after the PseudoDarkleech gate seemed to vanish.

This is a very interesting sample. Aside from the usual scriptlet and scheduled task I also saw PowerShell and several new URLs using a user agent named “contype”. There is lots to review here to determine what exactly happened, which I will look into in the future.

For now I hope you enjoy digging through the PCAP. Note that I used a proxy, so the destination IP addresses are not all accurate.

Downloads (in password protected zip): Malvertising, Gates, Magnitude EK and Cerber Ransomware


Details of infection chain:

Magnitude drops Cerber. A lot is going on here including some PowerShell.

Full Details:

Please refer to this post for more details on Magnitude: Magnitude EK URLs from 14-20 April. I will describe in brief some notable changes. Other than these changes, I still witnessed the scriptlet and the scheduled tasks, as well as multiple failed payloads.

First I noticed the Flash file called a URL. In past examples I have looked at this was not seen. The URL uses an IP address instead of the host name the rest of the EK is on. This then downloads the payload.

After this small payload runs it calls another URL, which returns an executable (Cerber).

Other than this there are other notable differences:

  • Different obfuscation on the second landing page. There may even be new code here.
  • I also noticed PowerShell was running, though I did not capture what was run.
  • The user agent “contype” was used for the new URLs.
  • The payload was called “a.exe”.
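The indicators above (an SWF fetch, then an IP-literal URL requested with the “contype” user agent, then a download of a.exe) can be checked against proxy logs. The script below is an added example, not code from this post; the log layout (timestamp, client IP, method, URL, user agent) and the sample lines are constructed for illustration.

```python
import re

# Constructed proxy log lines in an assumed "ts client method url user_agent" layout.
# Hosts and IPs are placeholders, not indicators from the post's PCAP.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://ad.example.invalid/banner.js Mozilla/5.0
10:00:02 10.0.0.5 GET http://ek.example.invalid/59l8x35td53g4256.swf Mozilla/5.0
10:00:03 10.0.0.5 GET http://192.0.2.10/dl?x=1 contype
10:00:04 10.0.0.5 GET http://192.0.2.10/a.exe contype
10:00:05 10.0.0.6 GET http://www.example.invalid/index.html Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")
# URL whose host is a bare IPv4 literal (the post notes the EK switched to an IP
# instead of the host name used by the rest of the chain).
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")

CHAIN = ["swf", "contype_ip_url", "a.exe"]


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m[1], "client": m[2], "method": m[3], "url": m[4], "ua": m[5]}


def find_magnitude_chain(log_text: str) -> dict:
    """Return {client_ip: indicators} for clients whose requests show the full
    SWF -> contype/IP-literal URL -> a.exe sequence, in that order."""
    seen = {}
    for r in parse(log_text.splitlines()):
        ind = seen.setdefault(r["client"], [])
        url, ua = r["url"].lower(), r["ua"]
        if url.endswith(".swf") and "swf" not in ind:
            ind.append("swf")
        if ua == "contype" and IP_HOST_RE.match(url) and "contype_ip_url" not in ind:
            ind.append("contype_ip_url")
        if url.endswith("/a.exe") and "a.exe" not in ind:
            ind.append("a.exe")
    # Only report clients that hit every step in the expected order.
    return {c: ind for c, ind in seen.items() if ind == CHAIN}


if __name__ == "__main__":
    print(find_magnitude_chain(SAMPLE_LOG))
```

Any single indicator alone (an IP-literal URL, or a file named a.exe) is weak on its own; requiring the ordered sequence per client keeps the false-positive rate manageable.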

There is lots to review and I will take a deeper dive into it in the future.

If you don’t know about Cerber Ransomware then where have you been! Probably one of the most mature ransomware families, Cerber encrypts files and requests bitcoin in order to decrypt them. This sample encrypted files with the .ba89 extension.


SHA256: 01d934d41965248241ab941ef3a8b75314637e0aa50ce506cc76b67f506be901
File name: a.exe
Detection ratio: 14 / 61
TrendMicro-HouseCall Ransom_HPCERBER.SMONT3

Here is the VirusTotal report on the Flash exploit 59l8x35td53g4256.swf. Magnitude’s Flash exploits always have a very low detection rate. I’m surprised to see McAfee is the only one to detect this.

SHA256: feff4b90fd5cf172c5422f63ecafcecc71877931038708ef745e205e7c763f2a
File name: 59l8x35td53g4256.swf
Detection ratio: 1 / 56
McAfee-GW-Edition BehavesLike.Flash.Exploit.zl
