{
	"id": "fd65f437-d4f5-42e9-8046-0dd10ba39c55",
	"created_at": "2026-04-06T00:15:48.929115Z",
	"updated_at": "2026-04-10T03:20:40.391034Z",
	"deleted_at": null,
	"sha1_hash": "8cf40c629dea7c4e1b28cd665602d01589d9fbed",
	"title": "Malware-Traffic-Analysis.net - 2017-10-13 - Blank Slate campaign stops pushing Locky ransomware, starts pushing Sage 2.2 ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4779355,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-10-13 - Blank Slate campaign stops pushing Locky ransomware, starts pushing Sage 2.2 ransomware\r\nArchived: 2026-04-05 15:27:47 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-10-13-Blank-Slate-campaign-pushes-Sage-2.2-ransomware.pcap.zip   1.6 MB (1,592,055 bytes)\r\n2017-10-13-Blank-Slate-malspam-tracker.csv.zip   1.4 kB (1,390 bytes)\r\n2017-10-13-email-and-malware-from-Blank-Slate-campaign-and-Sage-ransomware.zip   4.6 MB (4,600,704 bytes)\r\nSOME BACKGROUND:\r\n2017-03-02 - Palo Alto Networks Unit 42 Blog:  \"Blank Slate\" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.\r\n2017-03-22 - Internet Storm Center (ISC):  \"Blank Slate\" malspam still pushing Cerber ransomware.\r\n2017-06-29 - ISC:  Catching up with Blank Slate: a malspam campaign still going strong.\r\n2017-07-31 - Bleeping Computer:  Crypt GlobeImposter Ransomware Distributed via Blank Slate Malspam.\r\n2017-08-02 - Malware-Traffic-Analysis.net:  \"Blank Slate\" malspam pushing Gryphon ransomware (a BTCware variant).\r\n2017-09-11 - Malware-Traffic-Analysis.net:  Blank Slate malspam pushes \"Lukitus\" variant Locky ransomware.\r\n2017-10-04 - Malware-Traffic-Analysis.net:  Blank Slate malspam pushes \"ykcol\" variant Locky ransomware.\r\nINTRODUCTION\r\nAttachments from Blank Slate malspam have been pushing the \".asasin\" variant of Locky ransomware since that variant first appeared on Tuesday 2017-10-10.  However, sometime on Friday 2017-10-13, Blank Slate malspam stopped pushing Locky.  The most recent Locky I found from Blank Slate is SHA256 hash 51c73af1811c47fca69ea1de7d794d07090b4c892632529ea86ea9cee73779ce, originally submitted to VirusTotal on 2017-10-13 at 09:57 UTC.\r\nSince then, Blank Slate has been pushing Sage 2.2 ransomware.  The 2.2 version has been around for months now.\r\nhttp://malware-traffic-analysis.net/2017/10/13/index.html\r\nPage 1 of 11\r\nADDITIONAL NOTES:\r\nThanks to @unixronin who tipped me off to the changes today (link to Twitter thread).\r\nThe HTA file with the decryption instructions states this is Sage 2.2, while the decryptor page states Sage 2.0.  Despite the decryptor page, this appears to be Sage 2.2.\r\nEMAILS\r\nShown above:  Screenshot from the spreadsheet tracker.  Some have .zip attachments, while others have .doc attachments.\r\nShown above:  Screenshot from one of the emails.\r\nEMAILS NOTED:\r\n2017-10-13 00:01 UTC   --   From (spoofed): chazy@baby200.wanadoo[.]co[.]uk   --   Attachment name: 208221626.zip\r\n2017-10-13 02:12 UTC   --   From (spoofed): gangster911@bigmir[.]net   --   Attachment name: 144294.zip\r\n2017-10-13 02:34 UTC   --   From (spoofed): atie121609@gmail[.]com   --   Attachment name: 8686927439.zip\r\n2017-10-13 03:43 UTC   --   From (spoofed): daberle@abm[.]com   --   Attachment name: 5637406077862.zip\r\n2017-10-13 05:07 UTC   --   From (spoofed): blackmailergp500@sheinlaw[.]com   --   Attachment name: 84519555680060.zip\r\n2017-10-13 06:10 UTC   --   From (spoofed): [recipient's name]@mail2travis[.]com   --   Attachment name: 198946214360482.zip\r\n2017-10-13 06:20 UTC   --   From (spoofed): ppp_productions@drillmec[.]com   --   Attachment name: 35665301.zip\r\n2017-10-13 06:46 UTC   --   From (spoofed): x81@84[.]8m   --   Attachment name: 119110093.zip\r\n2017-10-13 06:58 UTC   --   From (spoofed): ffffjxs@rciap[.]com   --   Attachment name: 3211643664315.zip\r\n2017-10-13 06:59 UTC   --   From (spoofed): [recipient's name]@hii[.]net   --   Attachment name: 985635388572802.zip\r\n2017-10-13 08:13 UTC   --   From (spoofed): gracedsenoglu@gmail[.]com   --   Attachment name: 13552145.doc\r\n2017-10-13 08:28 UTC   --   From (spoofed): sueli@sgmturismo[.]com[.]br   --   Attachment name: 9422241891502.doc\r\n2017-10-13 08:54 UTC   --   From (spoofed): mary.a.hopkins@nasa[.]gov   --   Attachment name: 6053275.doc\r\n2017-10-13 09:05 UTC   --   From (spoofed): roger.dhondt41@telenet[.]be   --   Attachment name: 00256228970790.zip\r\n2017-10-13 09:35 UTC   --   From (spoofed): x9azfcyjd@163[.]com   --   Attachment name: 6923637232.zip\r\n2017-10-13 10:14 UTC   --   From (spoofed): lofotseminaret@europharma[.]no   --   Attachment name: 30652568754119.zip\r\n2017-10-13 11:42 UTC   --   From (spoofed): mathias.heinrich@web[.]de   --   Attachment name: 915034748342236.zip\r\n2017-10-13 11:56 UTC   --   From (spoofed): fotoportret@poczta[.]fm   --   Attachment name: 8535688411.zip\r\n2017-10-13 12:33 UTC   --   From (spoofed): ole.jorgen.etholm@arendal.kommune[.]no   --   Attachment name: 10915849.zip\r\n2017-10-13 15:16 UTC   --   From (spoofed): jtrois57@orange[.]fr   --   Attachment name: 591790149701.zip\r\n2017-10-13 15:20 UTC   --   From (spoofed): br.camus@free[.]fr   --   Attachment name: 003154376010488.zip\r\n2017-10-13 16:18 UTC   --   From (spoofed): [recipient's name]@mail2herman[.]com   --   Attachment name: 88507.zip\r\n2017-10-13 17:30 UTC   --   From (spoofed): studentassistance@oregonstate[.]edu   --   Attachment name: 402663106880419.zip\r\nZIP ATTACHMENT INFO:\r\n88507.zip   --\u003e   9660.zip   --\u003e   9660.js\r\n67214604.zip   --\u003e   29219.zip   --\u003e   29219.js\r\n92181052.zip   --\u003e   29459.zip   --\u003e   29459.js\r\n31084472583.zip   --\u003e   940.zip   --\u003e   940.js\r\n525463435470.zip   --\u003e   28588.zip   --\u003e   28588.js\r\n599450048391.zip   --\u003e   22032.zip   --\u003e   22032.js\r\n58843249449955.zip   --\u003e   3832.zip   --\u003e   3832.js\r\n004765275711512.zip   --\u003e   3902.zip   --\u003e   3902.js\r\nShown above:  If the attachment is a zip archive, it contains another zip archive with a malicious JavaScript (.js) file inside.\r\nShown above:  If the attachment is a Word document, it has malicious macros.\r\nTRAFFIC\r\nShown above:  HTTP traffic from an infection filtered in Wireshark.\r\nShown above:  UDP traffic from an infection filtered in Wireshark.\r\nTRAFFIC GENERATED BY .JS/.DOC FILES TO DOWNLOAD SAGE RANSOMWARE:\r\ngonesalejk[.]info - GET /admin.php?a=1\r\njohnmoplan[.]top - GET /1.txt\r\njohnmoplan[.]top - GET /admin.php?a=1\r\njovolewnac[.]info - GET /admin.php?a=1\r\nsutranjdf[.]info - GET /admin.php?a=2\r\nSAGE POST-INFECTION TRAFFIC:\r\n49.51.33[.]228 port 80 - mbfce24rgn65bx3g.hp8ewo[.]net - POST /\r\n49.51.33[.]228 port 80 - mbfce24rgn65bx3g.0ny42p[.]com - POST /\r\nUDP connections to over 7,000 random-looking IP addresses over port 13655\r\nDOMAINS FROM THE DECRYPTION INSTRUCTIONS:\r\nz5dq36kjy5swjtmr.hp8ewo[.]net\r\nz5dq36kjy5swjtmr.0ny42p[.]com\r\nz5dq36kjy5swjtmr[.]onion\r\nASSOCIATED FILES\r\nATTACHMENTS:\r\nEXTRACTED .JS FILES:\r\nFOLLOW-UP MALWARE (SAGE 2.2 BINARIES):\r\nPATHS TO MALWARE:\r\n4846.doc   --\u003e   sutranjdf[.]info/admin.php?a=2   --\u003e   C:\\Users\\[username]\\AppData\\Local\\Temp\\32148.exe\r\n28255.doc   --\u003e   sutranjdf[.]info/admin.php?a=2   --\u003e   C:\\Users\\[username]\\AppData\\Local\\Temp\\4051.exe\r\n940.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\417187.exe\r\n3832.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\220986.exe\r\n3902.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\27599.exe\r\n9660.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\483882.exe\r\n22032.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\636057.exe\r\n28588.js   --\u003e   jovolewnac[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\496938.exe\r\n29219.js   --\u003e   gonesalejk[.]info/admin.php?a=1   --\u003e   C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\803051.exe\r\n29459.js   --\u003e   johnmoplan[.]top/1.txt   --\u003e   404 not found (but johnmoplan[.]top/admin.php?a=1 works fine)\r\nIMAGES\r\nShown above:  Desktop of an infected Windows host.\r\nShown above:  When trying to view the decryptor, you first see a CAPTCHA screen to confirm you are not a robot.\r\nShown above:  Selecting your language after the CAPTCHA screen.\r\nShown above:  The Sage decryptor showing today's ransom cost.\r\nSource: http://malware-traffic-analysis.net/2017/10/13/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/10/13/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8cf40c629dea7c4e1b28cd665602d01589d9fbed.pdf",
		"text": "https://archive.orkl.eu/8cf40c629dea7c4e1b28cd665602d01589d9fbed.txt",
		"img": "https://archive.orkl.eu/8cf40c629dea7c4e1b28cd665602d01589d9fbed.jpg"
	}
}