Win32/Cerber

Forum for analysis and discussion about malware.

Re: Malware collection

Postby EP_X0FF » Tue Oct 18, 2016 8:25 am

Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4749
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Win32/Cerber

Postby xors » Sat Nov 05, 2016 8:21 pm

Config; I removed the public key because of the length of the config.
Code: Select all
{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$recycle.bin\\",":\\$windows.~bt\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\program files\\",":\\program files (x86)\\",":\\programdata\\",":\\recovery\\",":\\recycler\\",":\\users\\all users\\",":\\windows\\",":\\windows.old\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\adobe\\flash player\\","\\appData\\roaming\\apple computer\\safari\\","\\appdata\\roaming\\ati\\","\\appdata\\roaming\\intel\\","\\appdata\\roaming\\intel corporation\\","\\appdata\\roaming\\google\\","\\appdata\\roaming\\macromedia\\flash player\\","\\appdata\\roaming\\mozilla\\","\\appdata\\roaming\\nvidia\\","\\appdata\\roaming\\opera\\","\\appdata\\roaming\\opera software\\","\\appdata\\roaming\\microsoft\\internet explorer\\","\\appdata\\roaming\\microsoft\\windows\\","\\application data\\microsoft\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},"check":{"language":1},"close_process":{"close_process":1,"process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]},"debug":0,"default":{"site_1":"onion.to","site_2":"onion.cab","site_3":"onion.nu","site_4":"onion.link","site_5":"tor2web.org","tor":"zutzt67dcxr6mxcn"},"encrypt":{"bytes_skip":512,"encrypt":1,"files":[[".accdb",".mdb",".mdf",".dbf",".vpd",".sdf",".sqlitedb",".sqlite3",".sqlite",".sql",".sdb",".doc",".docx",".odt",".xls",".xlsx",".ods",".ppt",".pptx",".odp",".pst",".dbx",".wab",".tbk",".pps",".ppsx",".pdf",".jpg",".tif",".pub",".one",".rtf",".csv",".docm",".xlsm",".pptm",".ppsm",".xlsb",".dot",".dotx",".dotm",".xlt",".xltx",".xltm",".pot",".potx",".potm",".xps",".wps",".xla",".xlam",".erbsql",".sqlite-shm",".sqlite-wal",".litesql",".ndf",".ost",".pab",".oab",".contact",".jnt",".mapimail",".msg",".prf",".rar",".txt",".xml",".zip",".1cd",".3ds",".3g2",".3gp",".7z",".7zip",".aoi",".asf",".asp",".aspx",".asx",".avi",".bak",".cer",".cfg",".class",".config",".css",".dds",".dwg",".dxf",".flf",".flv",".html",".idx",".js",".key",".kwm",".laccdb",".ldf",".lit",".m3u",".mbx",".md",".mid",".mlb",".mov",".mp3",".mp4",".mpg",".obj",".pages",".php",".psd",".pwm",".rm",".safe",".sav",".save",".srt",".swf",".thm",".vob",".wav",".wma",".wmv",".3dm",".aac",".ai",".arw",".c",".cdr",".cls",".cpi",".cpp",".cs",".db3",".drw",".dxb",".eps",".fla",".flac",".fxg",".java",".m",".m4v",".max",".pcd",".pct",".pl",".ppam",".ps",".pspimage",".r3d",".rw2",".sldm",".sldx",".svg",".tga",".xlm",".xlr",".xlw",".act",".adp",".al",".bkp",".blend",".cdf",".cdx",".cgm",".cr2",".crt",".dac",".dcr",".ddd",".design",".dtd",".fdb",".fff",".fpx",".h",".iif",".indd",".jpeg",".mos",".nd",".nsd",".nsf",".nsg",".nsh",".odc",".oil",".pas",".pat",".pef",".pfx",".ptx",".qbb",".qbm",".sas7bdat",".say",".st4",".st6",".stc",".sxc",".sxw",".tlg",".wad",".xlk",".aiff",".bin",".bmp",".cmt",".dat",".dit",".edb",".flvv",".gif",".groups",".hdd",".hpp",".m2ts",".m4p",".mkv",".mpeg",".nvram",".ogg",".pdb",".pif",".png",".qed",".qcow",".qcow2",".rvt",".st7",".stm",".vbox",".vdi",".vhd",".vhdx",".vmdk",".vmsd",".vmx",".vmxf",".3fr",".3pr",".ab4",".accde",".accdr",".accdt",".ach",".acr",".adb",".ads",".agdl",".ait",".apj",".asm",".awg",".back",".backup",".backupdb",".bank",".bay",".bdb",".bgt",".bik",".bpw",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".ce1",".ce2",".cib",".craw",".crw",".csh",".csl",".db_journal",".dc2",".dcs",".ddoc",".ddrw",".der",".des",".dgc",".djvu",".dng",".drf",".dxg",".eml",".erf",".exf",".ffd",".fh",".fhd",".gray",".grey",".gry",".hbk",".ibank",".ibd",".ibz",".iiq",".incpas",".jpe",".kc2",".kdbx",".kdc",".kpdx",".lua",".mdc",".mef",".mfw",".mmw",".mny",".moneywell",".mrw",".myd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nwb",".nx2",".nxl",".nyf",".odb",".odf",".odg",".odm",".orf",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pdd",".mts",".plus_muhd",".plc",".psafe3",".py",".qba",".qbr",".qbw",".qbx",".qby",".raf",".rat",".raw",".rdb",".rwl",".rwz",".s3db",".sd0",".sda",".sr2",".srf",".srw",".st5",".st8",".std",".sti",".stw",".stx",".sxd",".sxg",".sxi",".sxm",".tex",".wallet",".wb2",".wpd",".x11",".x3f",".xis",".ycbcra",".yuv",".mab",".json",".msf",".jar",".cdb",".srb",".abd",".qtb",".cfn",".info",".info_",".flb",".def",".atb",".tbn",".tbb",".tlx",".pml",".pmo",".pnx",".pnc",".pmi",".pmm",".lck",".pm!",".pmr",".usr",".pnd",".pmj",".pm",".lock",".srs",".pbf",".omg",".wmf",".sh",".war",".ascx",".k2p",".apk",".asset",".bsa",".d3dbsp",".das",".forge",".iwi",".lbf",".litemod",".ltx",".m4a",".re4",".slm",".tiff",".upk",".xxx",".money",".cash",".private",".cry",".vsd",".tax",".gbr",".dgn",".stl",".gho",".ma",".acc",".db"]],"max_block_size":2,"max_blocks":5,"min_file_size":1024,"multithread":1,"network":1,"rc4_key_size":256,"rsa_key_size":880},","file_extension":".hta"}],"files_name":"README","run_by_the_end":1},"remove_shadows":1,"self_deleting":1,"servers":{"statistics":{"data_finish":"e01ENV9LRVl9","data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059","ip":"194.165.16.0/22","knock":"aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==","port":6892,"send_stat":1,"timeout":255}},"speaker":{"speak":1,"text":[{"repeat":1,"text":"Attention! Attention! Attention!"},{"repeat":5,"text":"Your documents, photos, databases and other important files have been encrypted!"}]},"wallpaper":{"change_wallpaper":1,"background":0,"color":65280,"size":13,"text":" Your documents, photos, databases and other important files \r\n have been encrypted by \"Cerber Ransomware 4.1.1\"! \r\n\r\n If you understand all importance of the situation \r\n then we propose to you to go directly to your personal page \r\n where you will receive the complete instructions \r\n and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses \r\n to go on your personal page below: \r\n\r\n _________________________ \r\n\r\n http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n _________________________ \r\n\r\n http://{TOR}.onion/{PC_ID} (TOR) "},"whitelist":{"folders":[":\\documents and settings\\all users\\documents\\","\\appdata\\roaming\\microsoft\\office\\","\\excel\\","\\microsoft sql server\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\"]}}
You do not have the required permissions to view the files attached to this post.
@xorsthings
xors
 
Posts: 132
Joined: Mon May 23, 2016 2:01 am
Location: Greece
Reputation point: 63
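As an added example (my own code, not Cerber's and not from any post in this thread), the script below loads a reduced, constructed subset of the config posted above and shows what each block drives: `check.language` against `blacklist.languages`, the folder, file-name, extension and size filters that decide what gets encrypted, and the base64 `servers.statistics` templates, which decode to the placeholder strings the beacon is assembled from, plus a transport-agnostic check for traffic to the configured /22 and port. The rule that a whitelisted folder overrides a blacklisted parent folder is an assumption, not something the thread states.

```python
"""Evaluate a Cerber-style JSON config: host-locale gate, encryption targeting,
and the statistics-beacon templates.  Added example for this thread, not Cerber's
code.  CONFIG_JSON is a constructed, reduced subset of the posted config (public key
and help-file HTML omitted); whitelist-over-blacklist precedence is an assumption."""
import base64
import ipaddress
import json
import ntpath

CONFIG_JSON = r'''
{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],
  "folders":[":\\$recycle.bin\\",":\\program files\\",":\\program files (x86)\\",
             ":\\windows\\","\\appdata\\local\\","\\tor browser\\"],
  "languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},
 "check":{"language":1},
 "encrypt":{"bytes_skip":512,"encrypt":1,"min_file_size":1024,
  "files":[[".doc",".docx",".xls",".pdf",".jpg",".sql",".mdf",".vmdk"]]},
 "whitelist":{"folders":["\\microsoft sql server\\","\\excel\\","\\thunderbird\\"]},
 "servers":{"statistics":{"ip":"194.165.16.0/22","port":6892,"send_stat":1,
  "knock":"aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==",
  "data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059",
  "data_finish":"e01ENV9LRVl9"}}}
'''
CONFIG = json.loads(CONFIG_JSON)


def language_blocked(lcid: int) -> bool:
    """check.language == 1 means: do nothing on a host whose default UI locale
    (Windows LCID) is in blacklist.languages; 1049 is Russian, the rest are CIS locales."""
    return bool(CONFIG["check"]["language"]) and lcid in CONFIG["blacklist"]["languages"]


def _norm(path: str) -> str:
    # The lists are lower-case and use backslashes; folder entries starting with ":\\"
    # are drive-relative (":\\windows\\" matches any drive), the others match anywhere.
    return path.lower().replace("/", "\\")


def in_whitelist(path: str) -> bool:
    p = _norm(path)
    return any(folder in p for folder in CONFIG["whitelist"]["folders"])


def in_blacklist(path: str) -> bool:
    p = _norm(path)
    if ntpath.basename(p) in CONFIG["blacklist"]["files"]:
        return True
    return any(folder in p for folder in CONFIG["blacklist"]["folders"])


def would_encrypt(path: str, size: int) -> bool:
    """Apply the targeting rules: extension list, min_file_size, then folder filters."""
    enc = CONFIG["encrypt"]
    if not enc["encrypt"] or size < enc["min_file_size"]:
        return False
    if ntpath.splitext(_norm(path))[1] not in set(enc["files"][0]):
        return False
    if in_whitelist(path):          # assumption: whitelist folders are exceptions to the blacklist
        return True
    return not in_blacklist(path)


def beacon_templates() -> dict:
    """The statistics strings are plain base64 of placeholder templates."""
    stats = CONFIG["servers"]["statistics"]
    return {k: base64.b64decode(stats[k]).decode() for k in ("knock", "data_start", "data_finish")}


def looks_like_stats_beacon(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    """Flag a datagram/stream to the configured range and port whose payload starts with
    the literal prefix of the knock template (everything before the first placeholder)."""
    stats = CONFIG["servers"]["statistics"]
    prefix = beacon_templates()["knock"].split("{")[0].encode()   # b"hi"
    return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(stats["ip"])
            and dst_port == stats["port"] and payload.startswith(prefix))


if __name__ == "__main__":
    print("Russian locale blocked:", language_blocked(0x419))
    for p in (r"C:\Users\bob\Documents\report.docx", r"C:\Program Files\app\readme.doc",
              r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA\master.mdf"):
        print(would_encrypt(p, 1 << 20), p)
    print(beacon_templates())
```

The decoded templates are `hi{PARTNER_ID}{STATUS}` for the knock and `{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}` for the data start, which is why the whole 194.165.16.0/22 range on port 6892 is worth a network rule even though the config does not say which transport is used.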

Re: Win32/Cerber

Postby xors » Fri Nov 25, 2016 7:39 pm

In the attachment
You do not have the required permissions to view the files attached to this post.

Re: Win32/Cerber

Postby syntx » Fri Dec 02, 2016 10:09 pm

Macro downloading XOR-encoded payload from 93.170.123[.]96/one.txt

Attached: decoded + unpacked.
You do not have the required permissions to view the files attached to this post.
syntx
 
Posts: 5
Joined: Tue Dec 01, 2015 7:30 pm
Reputation point: 0
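syntx's post says the macro pulls an XOR-encoded payload and attaches the decoded file, but not how the mask was recovered. As an added example (my own code, not syntx's and not the macro's), this is the known-plaintext approach that works on such downloads: the decoded file must start with `MZ`, carry the DOS-stub text at offset 0x4e (where MSVC's linker puts it; other linkers may differ), and hold `PE\0\0` at `e_lfanew`, which pins down every byte of a short repeating key. The key, the sample header and its offsets are constructed for the demo.

```python
"""Recover a short repeating XOR key from an XOR-encoded PE by known plaintext.
Added example for this thread (not the macro's or syntx's code); the sample key,
the header builder and STUB_OFFSET are constructed/assumed for the demo."""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E      # offset of the stub text in MSVC-linked binaries (assumption elsewhere)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Return the shortest key of length <= max_key_len that is consistent with the
    DOS stub, the 'MZ' magic and the 'PE\\0\\0' signature at e_lfanew, else None."""
    if len(blob) < STUB_OFFSET + len(DOS_STUB):
        return None
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        for i, p in enumerate(DOS_STUB):          # derive key bytes from the stub text
            off = STUB_OFFSET + i
            k = blob[off] ^ p
            if key[off % klen] is None:
                key[off % klen] = k
            elif key[off % klen] != k:
                break                             # two stub bytes disagree: wrong length
        else:
            if None in key:                       # only possible if the stub is shorter than klen
                continue
            candidate = bytes(key)
            plain = xor_bytes(blob[:0x400], candidate)
            if plain[:2] != b"MZ":
                continue
            e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
            if e_lfanew + 4 <= len(plain) and plain[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return candidate
    return None


def build_sample_pe_header() -> bytes:
    """Constructed stand-in for a real PE: MZ magic, e_lfanew = 0x80, stub text,
    'PE\\0\\0' at 0x80, then filler bytes for the rest of the file."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[STUB_OFFSET - 1:STUB_OFFSET + len(DOS_STUB)] = b"!" + DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + bytes(range(256))


if __name__ == "__main__":
    sample_key = b"\x37\xa1\x5c"                               # constructed demo key
    encoded = xor_bytes(build_sample_pe_header(), sample_key)  # stands in for one.txt
    print("recovered key:", recover_key(encoded))
```

Trying lengths in increasing order returns the primitive key rather than a repetition of it, and the `PE\0\0` check rejects a key that merely makes the stub text appear.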

Re: Win32/Cerber

Postby g00dv1n » Thu Dec 08, 2016 11:13 am

You do not have the required permissions to view the files attached to this post.
g00dv1n
 
Posts: 5
Joined: Sat Nov 28, 2015 6:20 pm
Reputation point: 0

Re: Win32/Cerber

Postby xors » Mon Dec 12, 2016 10:06 pm

They added one layer of packing (with UPX). Also, some additional strings can be seen, like:

Code: Select all
"Encrypting starting."
"Encrypting done. Time left: %dms"
"Searching starting."
"Searching done. Time left: %dms"
"Network searching starting."
"Network searching done. Time left: %dms"
"CryptImportKey failed, GetLastError == %x"


Edit: If I am not mistaken, they also changed the way that they decrypt the config. It looks like they use the 'CryptEncrypt' WINAPI.
You do not have the required permissions to view the files attached to this post.

Re: Win32/Cerber

Postby xors » Tue Dec 13, 2016 5:45 pm

Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here: https://www.hybrid-analysis.com/sample/0e35cfb9b36389b67c726719eb6f9164c9bead85f41fb3a029231cf280dca014?environmentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses

Code: Select all
/checkupdate
and
Code: Select all
/read.php?f=404
. As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)
You do not have the required permissions to view the files attached to this post.

Re: Win32/Cerber

Postby Antelox » Tue Dec 13, 2016 9:55 pm

xors wrote:Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here: https://www.hybrid-analysis.com/sample/0e35cfb9b36389b67c726719eb6f9164c9bead85f41fb3a029231cf280dca014?environmentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses

Code: Select all
/checkupdate
and
Code: Select all
/read.php?f=404
. As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)


It's been a while that the group behind Cerber has also been playing with Locky, so you see the same URI to download the payload as the one with which Cerber is also downloaded. It's not the first time that I have observed this behavior. What you attached here is Cerber; in fact the hash is different from the one downloaded in the Hybrid-Analysis sandbox.

BR,

Antelox
Antelox
 
Posts: 114
Joined: Sun Mar 21, 2010 10:38 pm
Reputation point: 91

Re: Win32/Cerber

Postby sysopfb » Wed Dec 14, 2016 5:33 pm

Code: Select all
/read.php?f=404


That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request.
sysopfb
 
Posts: 90
Joined: Thu Oct 23, 2014 1:22 am
Reputation point: 52

Re: Win32/Cerber

Postby xors » Wed Dec 21, 2016 9:25 pm

Typical injection. Same lame things.
You do not have the required permissions to view the files attached to this post.
