Win32/Cerber

Forum for analysis and discussion about malware.

Re: Win32/Cerber

Postby tim » Tue Sep 06, 2016 8:30 am

Cerber contains a JSON config that is stored encrypted in the unpacked binary. Full config here - http://pastebin.com/VdtR9kaE

{
  "blacklist": {
    "files": [
      "bootsect.bak",
      "iconcache.db",
      "ntuser.dat",
      "thumbs.db"
    ],
    "folders": [
      ":\\$recycle.bin\\",
      ":\\$windows.~bt\\",
      ":\\boot\\",
      ":\\documents and settings\\all users\\",
      ":\\documents and settings\\default user\\",
      ":\\documents and settings\\localservice\\",
      ":\\documents and settings\\networkservice\\",
      ":\\program files\\",
      ":\\program files (x86)\\",
      ":\\programdata\\",
      ":\\recovery\\",
      ":\\recycler\\",
      ":\\users\\all users\\",
      ":\\windows\\",
      ":\\windows.old\\",
      "\\appdata\\local\\",
      "\\appdata\\locallow\\",
      "\\appdata\\roaming\\adobe\\flash player\\",
      "\\appData\\roaming\\apple computer\\safari\\",
      "\\appdata\\roaming\\ati\\",
      "\\appdata\\roaming\\intel\\",
      "\\appdata\\roaming\\intel corporation\\",
      "\\appdata\\roaming\\google\\",
      "\\appdata\\roaming\\macromedia\\flash player\\",
      "\\appdata\\roaming\\mozilla\\",
      "\\appdata\\roaming\\nvidia\\",
      "\\appdata\\roaming\\opera\\",
      "\\appdata\\roaming\\opera software\\",
      "\\appdata\\roaming\\microsoft\\internet explorer\\",
      "\\appdata\\roaming\\microsoft\\windows\\",
      "\\application data\\microsoft\\",
      "\\local settings\\",
      "\\public\\music\\sample music\\",
      "\\public\\pictures\\sample pictures\\",
      "\\public\\videos\\sample videos\\",
      "\\tor browser\\"
    ],
    "languages": [
      1049,
      1058,
      1059,
      1064,
      1067,
      1068,
      1079,
      1087,
      1088,
      1090,
      1091,
      1092,
      2072,
      2073,
      2092,
      2115
    ]
  },
  "check": {
    "language": 1
  },
  "debug": 0,
  "default": {
    "site_1": "onion.to",
    "site_2": "onion.cab",
    "site_3": "onion.nu",
    "site_4": "onion.link",
    "site_5": "tor2web.org",
    "tor": "6liso4fbnupevqsn"
  },
  "encrypt": {
    "bytes_skip": 512,
    "encrypt": 1,
    "files": [
      [
        ".accdb",
        ".mdb",
        ".mdf",
        ".dbf",
        ".vpd",
        ".sdf",
        ".sqlitedb",
        ".sqlite3",
        ".sqlite",
        ".sql",
        ".sdb",
        ".doc",
        ".docx",
        ".odt",
        ".xls",
        ".xlsx",
        ".ods",
        ".ppt",
        ".pptx",
        ".odp",
        ".pst",
        ".dbx",
        ".wab",
        ".tbk",
        ".pps",
        ".ppsx",
        ".pdf",
        ".jpg",
        ".tif",
        ".pub",
        ".one",
        ".rtf",
        ".csv",
        ".docm",
        ".xlsm",
        ".pptm",
        ".ppsm",
        ".xlsb",
        ".dot",
        ".dotx",
        ".dotm",
        ".xlt",
        ".xltx",
        ".xltm",
        ".pot",
        ".potx",
        ".potm",
        ".xps",
        ".wps",
        ".xla",
        ".xlam",
        ".erbsql",
        ".sqlite-shm",
        ".sqlite-wal",
        ".litesql",
        ".ndf",
        ".ost",
        ".pab",
        ".oab",
        ".contact",
        ".jnt",
        ".mapimail",
        ".msg",
        ".prf",
        ".rar",
        ".txt",
        ".xml",
        ".zip",
        ".1cd",
        ".3ds",
        ".3g2",
        ".3gp",
        ".7z",
        ".7zip",
        ".aoi",
        ".asf",
        ".asp",
        ".aspx",
        ".asx",
        ".avi",
        ".bak",
        ".cer",
        ".cfg",
        ".class",
        ".config",
        ".css",
        ".dds",
        ".dwg",
        ".dxf",
        ".flf",
        ".flv",
        ".html",
        ".idx",
        ".js",
        ".key",
        ".kwm",
        ".laccdb",
        ".ldf",
        ".lit",
        ".m3u",
        ".mbx",
        ".md",
        ".mid",
        ".mlb",
        ".mov",
        ".mp3",
        ".mp4",
        ".mpg",
        ".obj",
        ".pages",
        ".php",
        ".psd",
        ".pwm",
        ".rm",
        ".safe",
        ".sav",
        ".save",
        ".srt",
        ".swf",
        ".thm",
        ".vob",
        ".wav",
        ".wma",
        ".wmv",
        ".3dm",
        ".aac",
        ".ai",
        ".arw",
        ".c",
        ".cdr",
        ".cls",
        ".cpi",
        ".cpp",
        ".cs",
        ".db3",
        ".drw",
        ".dxb",
        ".eps",
        ".fla",
        ".flac",
        ".fxg",
        ".java",
        ".m",
        ".m4v",
        ".max",
        ".pcd",
        ".pct",
        ".pl",
        ".ppam",
        ".ps",
        ".pspimage",
        ".r3d",
        ".rw2",
        ".sldm",
        ".sldx",
        ".svg",
        ".tga",
        ".xlm",
        ".xlr",
        ".xlw",
        ".act",
        ".adp",
        ".al",
        ".bkp",
        ".blend",
        ".cdf",
        ".cdx",
        ".cgm",
        ".cr2",
        ".crt",
        ".dac",
        ".dcr",
        ".ddd",
        ".design",
        ".dtd",
        ".fdb",
        ".fff",
        ".fpx",
        ".h",
        ".iif",
        ".indd",
        ".jpeg",
        ".mos",
        ".nd",
        ".nsd",
        ".nsf",
        ".nsg",
        ".nsh",
        ".odc",
        ".oil",
        ".pas",
        ".pat",
        ".pef",
        ".pfx",
        ".ptx",
        ".qbb",
        ".qbm",
        ".sas7bdat",
        ".say",
        ".st4",
        ".st6",
        ".stc",
        ".sxc",
        ".sxw",
        ".tlg",
        ".wad",
        ".xlk",
        ".aiff",
        ".bin",
        ".bmp",
        ".cmt",
        ".dat",
        ".dit",
        ".edb",
        ".flvv",
        ".gif",
        ".groups",
        ".hdd",
        ".hpp",
        ".m2ts",
        ".m4p",
        ".mkv",
        ".mpeg",
        ".nvram",
        ".ogg",
        ".pdb",
        ".pif",
        ".png",
        ".qed",
        ".qcow",
        ".qcow2",
        ".rvt",
        ".st7",
        ".stm",
        ".vbox",
        ".vdi",
        ".vhd",
        ".vhdx",
        ".vmdk",
        ".vmsd",
        ".vmx",
        ".vmxf",
        ".3fr",
        ".3pr",
        ".ab4",
        ".accde",
        ".accdr",
        ".accdt",
        ".ach",
        ".acr",
        ".adb",
        ".ads",
        ".agdl",
        ".ait",
        ".apj",
        ".asm",
        ".awg",
        ".back",
        ".backup",
        ".backupdb",
        ".bank",
        ".bay",
        ".bdb",
        ".bgt",
        ".bik",
        ".bpw",
        ".cdr3",
        ".cdr4",
        ".cdr5",
        ".cdr6",
        ".cdrw",
        ".ce1",
        ".ce2",
        ".cib",
        ".craw",
        ".crw",
        ".csh",
        ".csl",
        ".db_journal",
        ".dc2",
        ".dcs",
        ".ddoc",
        ".ddrw",
        ".der",
        ".des",
        ".dgc",
        ".djvu",
        ".dng",
        ".drf",
        ".dxg",
        ".eml",
        ".erf",
        ".exf",
        ".ffd",
        ".fh",
        ".fhd",
        ".gray",
        ".grey",
        ".gry",
        ".hbk",
        ".ibank",
        ".ibd",
        ".ibz",
        ".iiq",
        ".incpas",
        ".jpe",
        ".kc2",
        ".kdbx",
        ".kdc",
        ".kpdx",
        ".lua",
        ".mdc",
        ".mef",
        ".mfw",
        ".mmw",
        ".mny",
        ".moneywell",
        ".mrw",
        ".myd",
        ".ndd",
        ".nef",
        ".nk2",
        ".nop",
        ".nrw",
        ".ns2",
        ".ns3",
        ".ns4",
        ".nwb",
        ".nx2",
        ".nxl",
        ".nyf",
        ".odb",
        ".odf",
        ".odg",
        ".odm",
        ".orf",
        ".otg",
        ".oth",
        ".otp",
        ".ots",
        ".ott",
        ".p12",
        ".p7b",
        ".p7c",
        ".pdd",
        ".pem",
        ".plus_muhd",
        ".plc",
        ".psafe3",
        ".py",
        ".qba",
        ".qbr",
        ".qbw",
        ".qbx",
        ".qby",
        ".raf",
        ".rat",
        ".raw",
        ".rdb",
        ".rwl",
        ".rwz",
        ".s3db",
        ".sd0",
        ".sda",
        ".sr2",
        ".srf",
        ".srw",
        ".st5",
        ".st8",
        ".std",
        ".sti",
        ".stw",
        ".stx",
        ".sxd",
        ".sxg",
        ".sxi",
        ".sxm",
        ".tex",
        ".wallet",
        ".wb2",
        ".wpd",
        ".x11",
        ".x3f",
        ".xis",
        ".ycbcra",
        ".yuv",
        ".mab",
        ".json",
        ".msf",
        ".jar",
        ".cdb",
        ".srb",
        ".abd",
        ".qtb",
        ".cfn",
        ".info",
        ".info_",
        ".flb",
        ".def",
        ".atb",
        ".tbn",
        ".tbb",
        ".tlx",
        ".pml",
        ".pmo",
        ".pnx",
        ".pnc",
        ".pmi",
        ".pmm",
        ".lck",
        ".pm!",
        ".pmr",
        ".usr",
        ".pnd",
        ".pmj",
        ".pm",
        ".lock",
        ".srs",
        ".pbf",
        ".omg",
        ".wmf",
        ".sh",
        ".war",
        ".ascx",
        ".k2p",
        ".apk",
        ".asset",
        ".bsa",
        ".d3dbsp",
        ".das",
        ".forge",
        ".iwi",
        ".lbf",
        ".litemod",
        ".ltx",
        ".m4a",
        ".re4",
        ".slm",
        ".tiff",
        ".upk",
        ".xxx",
        ".money",
        ".cash",
        ".private",
        ".cry",
        ".vsd",
        ".tax",
        ".gbr",
        ".dgn",
        ".stl",
        ".gho",
        ".ma",
        ".acc",
        ".db"
      ]
    ],
    "max_block_size": 2,
    "max_blocks": 5,
    "min_file_size": 1024,
    "multithread": 1,
    "network": 1,
    "new_extension": ".cerber3",
    "rc4_key_size": 256,
    "rsa_key_size": 880
  },
  "global_public_key": "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",
  "help_files": {
    "files": [
      {
        "file_body": "",
        "file_extension": ".html",
        "base64": 1
      },
      {
        "file_body": "",
        "file_extension": ".txt",
        "base64": 1
      },
      {
        "file_body": "W0ludGVybmV0U2hvcnRjdXRdDQpVUkw9aHR0cDovL3tUT1J9LntTSVRFXzF9L3tQQ19JRH0/YXV0bw0K",
        "file_extension": ".url",
        "base64": 1
      }
    ],
    "files_name": "# HELP DECRYPT #",
    "run_by_the_end": 1
  },
  "remove_shadows": 1,
  "self_deleting": 1,
  "servers": {
    "statistics": {
      "data_finish": "{MD5_KEY}",
      "data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}",
      "ip": "31.184.234.0/23",
      "knock": "hi{PARTNER_ID}",
      "port": 6892,
      "send_stat": 1,
      "timeout": 255
    }
  },
  "speaker": {
    "speak": 1,
    "text": [
      {
        "repeat": 1,
        "text": "Attention! Attention! Attention!"
      },
      {
        "repeat": 5,
        "text": "Your documents, photos, databases and other important files have been encrypted!"
      }
    ]
  },
  "wallpaper": {
    "change_wallpaper": 1,
    "background": 0,
    "color": 65280,
    "size": 13,
    "text": " Your documents, photos, databases and other important files \r\n have been encrypted! \r\n\r\n If you understand all importance of the situation then we propose to you \r\n to go directly to your personal page where you will receive the complete \r\n instructions and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses to go on your personal page below: \r\n\r\n ---------------------------------------------------------------------- \r\n\r\n 1.  http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n 2.  http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n 3.  http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n 4.  http://{TOR}.{SITE_4}/{PC_ID} \r\n\r\n 5.  http://{TOR}.{SITE_5}/{PC_ID} \r\n\r\n 6.  http://{TOR}.onion/{PC_ID} (TOR) "
  },
  "whitelist": {
    "folders": [
      ":\\documents and settings\\all users\\documents\\",
      "\\appdata\\roaming\\microsoft\\office\\",
      "\\excel\\",
      "\\microsoft sql server\\",
      "\\onenote\\",
      "\\outlook\\",
      "\\powerpoint\\",
      "\\steam\\",
      "\\the bat!\\",
      "\\thunderbird\\"
    ]
  }
}
tim
 
Posts: 21
Joined: Sat Aug 31, 2013 8:38 am
Reputation point: 5

Re: Win32/Cerber

Postby waffles2.0 » Tue Sep 13, 2016 7:36 am

Looks like there has been a large increase in Cerber since cerber3 came out. Has anyone got any recent samples (from the last few days)?

https://twitter.com/MalwareTechBlog/sta ... 6988222465

EDIT: Also it seems Cerber has changed its ransom message file name to @__README__@.txt
waffles2.0
 
Posts: 21
Joined: Mon Aug 01, 2016 9:49 am
Reputation point: 7

Re: Win32/Cerber

Postby syntx » Wed Sep 14, 2016 2:25 pm

waffles2.0 wrote:Looks like there has been a large increase in Cerber since cerber3 came out. Anyone got any recent sample (last few days)?

https://twitter.com/MalwareTechBlog/sta ... 6988222465

EDIT: Also it seems Cerber has changed its ransom message file name to @__README__@.txt


From Antelox (https://twitter.com/antelox/status/776056354586947584). Attached sample + unpacked
Config:
{   "blacklist": {      "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],      "folders": [":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\documents and settings\\all users\\", ":\\documents and settings\\default user\\", ":\\documents and settings\\localservice\\", ":\\documents and settings\\networkservice\\", ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\", ":\\recovery\\", ":\\recycler\\", ":\\users\\all users\\", ":\\windows\\", ":\\windows.old\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\adobe\\flash player\\", "\\appData\\roaming\\apple computer\\safari\\", "\\appdata\\roaming\\ati\\", "\\appdata\\roaming\\intel\\", "\\appdata\\roaming\\intel corporation\\", "\\appdata\\roaming\\google\\", "\\appdata\\roaming\\macromedia\\flash player\\", "\\appdata\\roaming\\mozilla\\", "\\appdata\\roaming\\nvidia\\", "\\appdata\\roaming\\opera\\", "\\appdata\\roaming\\opera software\\", "\\appdata\\roaming\\microsoft\\internet explorer\\", "\\appdata\\roaming\\microsoft\\windows\\", "\\application data\\microsoft\\", "\\local settings\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\"],      "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115]   },   "check": {      "language": 1   },   "debug": 0,   "default": {      "site_1": "onion.to",      "site_2": "onion.cab",      "site_3": "onion.nu",      "site_4": "onion.link",      "site_5": "tor2web.org",      "tor": "6liso4fbnupevqsn"   },   "encrypt": {      "bytes_skip": 512,      "encrypt": 1,      "files": [         [".accdb", ".mdb", ".mdf", ".dbf", ".vpd", ".sdf", ".sqlitedb", ".sqlite3", ".sqlite", ".sql", ".sdb", ".doc", ".docx", ".odt", ".xls", ".xlsx", ".ods", ".ppt", ".pptx", ".odp", ".pst", ".dbx", ".wab", ".tbk", ".pps", ".ppsx", ".pdf", ".jpg", ".tif", ".pub", ".one", ".rtf", ".csv", ".docm", 
".xlsm", ".pptm", ".ppsm", ".xlsb", ".dot", ".dotx", ".dotm", ".xlt", ".xltx", ".xltm", ".pot", ".potx", ".potm", ".xps", ".wps", ".xla", ".xlam", ".erbsql", ".sqlite-shm", ".sqlite-wal", ".litesql", ".ndf", ".ost", ".pab", ".oab", ".contact", ".jnt", ".mapimail", ".msg", ".prf", ".rar", ".txt", ".xml", ".zip", ".1cd", ".3ds", ".3g2", ".3gp", ".7z", ".7zip", ".aoi", ".asf", ".asp", ".aspx", ".asx", ".avi", ".bak", ".cer", ".cfg", ".class", ".config", ".css", ".dds", ".dwg", ".dxf", ".flf", ".flv", ".html", ".idx", ".js", ".key", ".kwm", ".laccdb", ".ldf", ".lit", ".m3u", ".mbx", ".md", ".mid", ".mlb", ".mov", ".mp3", ".mp4", ".mpg", ".obj", ".pages", ".php", ".psd", ".pwm", ".rm", ".safe", ".sav", ".save", ".srt", ".swf", ".thm", ".vob", ".wav", ".wma", ".wmv", ".3dm", ".aac", ".ai", ".arw", ".c", ".cdr", ".cls", ".cpi", ".cpp", ".cs", ".db3", ".drw", ".dxb", ".eps", ".fla", ".flac", ".fxg", ".java", ".m", ".m4v", ".max", ".pcd", ".pct", ".pl", ".ppam", ".ps", ".pspimage", ".r3d", ".rw2", ".sldm", ".sldx", ".svg", ".tga", ".xlm", ".xlr", ".xlw", ".act", ".adp", ".al", ".bkp", ".blend", ".cdf", ".cdx", ".cgm", ".cr2", ".crt", ".dac", ".dcr", ".ddd", ".design", ".dtd", ".fdb", ".fff", ".fpx", ".h", ".iif", ".indd", ".jpeg", ".mos", ".nd", ".nsd", ".nsf", ".nsg", ".nsh", ".odc", ".oil", ".pas", ".pat", ".pef", ".pfx", ".ptx", ".qbb", ".qbm", ".sas7bdat", ".say", ".st4", ".st6", ".stc", ".sxc", ".sxw", ".tlg", ".wad", ".xlk", ".aiff", ".bin", ".bmp", ".cmt", ".dat", ".dit", ".edb", ".flvv", ".gif", ".groups", ".hdd", ".hpp", ".m2ts", ".m4p", ".mkv", ".mpeg", ".nvram", ".ogg", ".pdb", ".pif", ".png", ".qed", ".qcow", ".qcow2", ".rvt", ".st7", ".stm", ".vbox", ".vdi", ".vhd", ".vhdx", ".vmdk", ".vmsd", ".vmx", ".vmxf", ".3fr", ".3pr", ".ab4", ".accde", ".accdr", ".accdt", ".ach", ".acr", ".adb", ".ads", ".agdl", ".ait", ".apj", ".asm", ".awg", ".back", ".backup", ".backupdb", ".bank", ".bay", ".bdb", ".bgt", ".bik", ".bpw", ".cdr3", ".cdr4", ".cdr5", ".cdr6", ".cdrw", 
".ce1", ".ce2", ".cib", ".craw", ".crw", ".csh", ".csl", ".db_journal", ".dc2", ".dcs", ".ddoc", ".ddrw", ".der", ".des", ".dgc", ".djvu", ".dng", ".drf", ".dxg", ".eml", ".erf", ".exf", ".ffd", ".fh", ".fhd", ".gray", ".grey", ".gry", ".hbk", ".ibank", ".ibd", ".ibz", ".iiq", ".incpas", ".jpe", ".kc2", ".kdbx", ".kdc", ".kpdx", ".lua", ".mdc", ".mef", ".mfw", ".mmw", ".mny", ".moneywell", ".mrw", ".myd", ".ndd", ".nef", ".nk2", ".nop", ".nrw", ".ns2", ".ns3", ".ns4", ".nwb", ".nx2", ".nxl", ".nyf", ".odb", ".odf", ".odg", ".odm", ".orf", ".otg", ".oth", ".otp", ".ots", ".ott", ".p12", ".p7b", ".p7c", ".pdd", ".pem", ".plus_muhd", ".plc", ".psafe3", ".py", ".qba", ".qbr", ".qbw", ".qbx", ".qby", ".raf", ".rat", ".raw", ".rdb", ".rwl", ".rwz", ".s3db", ".sd0", ".sda", ".sr2", ".srf", ".srw", ".st5", ".st8", ".std", ".sti", ".stw", ".stx", ".sxd", ".sxg", ".sxi", ".sxm", ".tex", ".wallet", ".wb2", ".wpd", ".x11", ".x3f", ".xis", ".ycbcra", ".yuv", ".mab", ".json", ".msf", ".jar", ".cdb", ".srb", ".abd", ".qtb", ".cfn", ".info", ".info_", ".flb", ".def", ".atb", ".tbn", ".tbb", ".tlx", ".pml", ".pmo", ".pnx", ".pnc", ".pmi", ".pmm", ".lck", ".pm!", ".pmr", ".usr", ".pnd", ".pmj", ".pm", ".lock", ".srs", ".pbf", ".omg", ".wmf", ".sh", ".war", ".ascx", ".k2p", ".apk", ".asset", ".bsa", ".d3dbsp", ".das", ".forge", ".iwi", ".lbf", ".litemod", ".ltx", ".m4a", ".re4", ".slm", ".tiff", ".upk", ".xxx", ".money", ".cash", ".private", ".cry", ".vsd", ".tax", ".gbr", ".dgn", ".stl", ".gho", ".ma", ".acc", ".db"]      ],      "max_block_size": 2,      "max_blocks": 5,      "min_file_size": 1024,      "multithread": 1,      "network": 1,      "new_extension": ".cerber3",      "rc4_key_size": 256,      "rsa_key_size": 880   },   "global_public_key": 
"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",   "help_files": {      "files": [{         "file_body": "",         "file_extension": ".html",         "base64": 1      }, {         "file_body": "",         "file_extension": ".txt",         "base64": 1      }, {         "file_body": "W0ludGVybmV0U2hvcnRjdXRdDQpVUkw9aHR0cDovL3tUT1J9LntTSVRFXzF9L3tQQ19JRH0/YXV0bw0K",         "file_extension": ".url",         "base64": 1      }],      "files_name": "@___README___@",      "run_by_the_end": 1   },   "remove_shadows": 1,   "self_deleting": 1,   "servers": {      "statistics": {         "data_finish": "e01ENV9LRVl9",         "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059",         "ip": "31.184.234.0/23",         "knock": "aGl7UEFSVE5FUl9JRH0=",         "port": 6892,         "send_stat": 1,         "timeout": 255      }   },   "speaker": {      "speak": 1,      "text": [{         "repeat": 1,         "text": "Attention! Attention! Attention!"      }, {         "repeat": 5,         "text": "Your documents, photos, databases and other important files have been encrypted!"      }]   },   "wallpaper": {      "change_wallpaper": 1,      "background": 0,      "color": 65280,      "size": 13,      "text": " Your documents, photos, databases and other important files \r\n have been encrypted! 
\r\n\r\n If you understand all importance of the situation then we propose to you \r\n to go directly to your personal page where you will receive the complete \r\n instructions and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses to go on your personal page below: \r\n\r\n ---------------------------------------------------------------------- \r\n\r\n 1.  http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n 2.  http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n 3.  http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n 4.  http://{TOR}.{SITE_4}/{PC_ID} \r\n\r\n 5.  http://{TOR}.{SITE_5}/{PC_ID} \r\n\r\n 6.  http://{TOR}.onion/{PC_ID} (TOR) "   },   "whitelist": {      "folders": [":\\documents and settings\\all users\\documents\\", "\\appdata\\roaming\\microsoft\\office\\", "\\excel\\", "\\microsoft sql server\\", "\\onenote\\", "\\outlook\\", "\\powerpoint\\", "\\steam\\", "\\the bat!\\", "\\thunderbird\\"]   }}

Wonder if Cerber fell in love with base64 recently... (compare the servers.statistics strings data_start, data_finish and knock, which were plain text in the earlier config and are base64-encoded here).
syntx
 
Posts: 5
Joined: Tue Dec 01, 2015 7:30 pm
Reputation point: 0

Re: Malware collection

Postby ikolor » Fri Sep 16, 2016 3:43 pm

Last edited by EP_X0FF on Tue Oct 18, 2016 7:14 am, edited 1 time in total.
Reason: attach with trash removed
ikolor
 
Posts: 238
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Win32/Cerber

Postby yaniva » Sat Oct 01, 2016 7:24 pm

Is this UAC bypass method (DLL shellcode patching) a well-known method?
Does any other malware use it? Is there any more info I can read about it, please?
yaniva
 
Posts: 6
Joined: Thu Jan 07, 2016 12:30 pm
Reputation point: 0

Re: Win32/Cerber

Postby EP_X0FF » Sun Oct 02, 2016 4:38 am

yaniva wrote:Is this UAC bypass method (DLL shellcode patching) a well-known method?
Does any other malware use it? Is there any more info I can read about it, please?

Yes, it is nothing new. The H1N1 loader uses something similar. Nothing interesting here; they just use the uacme 10 concept reimplemented in their own way. The key goal of it: prior to Windows 10 TH2 you could move auto-elevated applications between Windows directories to create artificial circumstances for a DLL hijack. This was fixed in Windows 10 TH2 build 10548 by disallowing auto-elevation of executables that are not located in secured folders.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4744
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 560

Re: Malware collection

Postby ikolor » Tue Oct 11, 2016 12:09 pm

ikolor
 
Posts: 238
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Malware collection

Postby Antelox » Tue Oct 11, 2016 12:51 pm

Antelox
 
Posts: 104
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 82

Re: Malware collection

Postby xors » Tue Oct 11, 2016 12:54 pm

@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63

Re: Malware collection

Postby EP_X0FF » Tue Oct 18, 2016 7:14 am



coades.exe - Ransom/Cerber
host.exe - http://joenord.com/apps/nop/

/*
 * Entry point of host.exe as recovered by the decompiler.
 *
 * With no command-line arguments the program exits silently; with any
 * argument at all it writes a two-line banner followed by an empty line
 * to stdout. argv and envp are never read. Always returns 0.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  /* Neither parameter is used; silence unused-parameter warnings. */
  (void)argv;
  (void)envp;

  /* Only the program name on the command line: nothing to print. */
  if ( argc <= 1 )
  {
    return 0;
  }

  printf("NOP.exe - Does nothing.  Joseph Nord\n");
  printf("Is useful for remarking RUN= on windows startup.\n");
  printf("\n");

  return 0;
}


scvhost.exe - Delphi trash.

Trash removed, Cerber sample moved to Cerber thread.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4744
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 560


