Win32/Cerber

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collection

Post by EP_X0FF » Tue Oct 18, 2016 8:25 am

keen2go-installer.exe - installs shortcut Ken2Go Games. Trashware, attach removed.
scvhost.exe - Ransom/Cerber

Posts moved.
Ring0 - the source of inspiration

xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Cerber

Post by xors » Sat Nov 05, 2016 8:21 pm

Config, removed the public key because of the length of the config

Code:

{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$recycle.bin\\",":\\$windows.~bt\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\program files\\",":\\program files (x86)\\",":\\programdata\\",":\\recovery\\",":\\recycler\\",":\\users\\all users\\",":\\windows\\",":\\windows.old\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\adobe\\flash player\\","\\appData\\roaming\\apple computer\\safari\\","\\appdata\\roaming\\ati\\","\\appdata\\roaming\\intel\\","\\appdata\\roaming\\intel corporation\\","\\appdata\\roaming\\google\\","\\appdata\\roaming\\macromedia\\flash player\\","\\appdata\\roaming\\mozilla\\","\\appdata\\roaming\\nvidia\\","\\appdata\\roaming\\opera\\","\\appdata\\roaming\\opera software\\","\\appdata\\roaming\\microsoft\\internet explorer\\","\\appdata\\roaming\\microsoft\\windows\\","\\application data\\microsoft\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},
"check":{"language":1},
"close_process":{"close_process":1,"process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]},
"debug":0,
"default":{"site_1":"onion.to","site_2":"onion.cab","site_3":"onion.nu","site_4":"onion.link","site_5":"tor2web.org","tor":"zutzt67dcxr6mxcn"},
"encrypt":{"bytes_skip":512,"encrypt":1,"files":[[".accdb",".mdb",".mdf",".dbf",".vpd",".sdf",".sqlitedb",".sqlite3",".sqlite",".sql",".sdb",".doc",".docx",".odt",".xls",".xlsx",".ods",".ppt",".pptx",".odp",".pst",".dbx",".wab",".tbk",".pps",".ppsx",".pdf",".jpg",".tif",".pub",".one",".rtf",".csv",".docm",".xlsm",".pptm",".ppsm",".xlsb",".dot",".dotx",".dotm",".xlt",".xltx",".xltm",".pot",".potx",".potm",".xps",".wps",".xla",".xlam",".erbsql",".sqlite-shm",".sqlite-wal",".litesql",".ndf",".ost",".pab",".oab",".contact",".jnt",".mapimail",".msg",".prf",".rar",".txt",".xml",".zip",".1cd",".3ds",".3g2",".3gp",".7z",".7zip",".aoi",".asf",".asp",".aspx",".asx",".avi",".bak",".cer",".cfg",".class",".config",".css",".dds",".dwg",".dxf",".flf",".flv",".html",".idx",".js",".key",".kwm",".laccdb",".ldf",".lit",".m3u",".mbx",".md",".mid",".mlb",".mov",".mp3",".mp4",".mpg",".obj",".pages",".php",".psd",".pwm",".rm",".safe",".sav",".save",".srt",".swf",".thm",".vob",".wav",".wma",".wmv",".3dm",".aac",".ai",".arw",".c",".cdr",".cls",".cpi",".cpp",".cs",".db3",".drw",".dxb",".eps",".fla",".flac",".fxg",".java",".m",".m4v",".max",".pcd",".pct",".pl",".ppam",".ps",".pspimage",".r3d",".rw2",".sldm",".sldx",".svg",".tga",".xlm",".xlr",".xlw",".act",".adp",".al",".bkp",".blend",".cdf",".cdx",".cgm",".cr2",".crt",".dac",".dcr",".ddd",".design",".dtd",".fdb",".fff",".fpx",".h",".iif",".indd",".jpeg",".mos",".nd",".nsd",".nsf",".nsg",".nsh",".odc",".oil",".pas",".pat",".pef",".pfx",".ptx",".qbb",".qbm",".sas7bdat",".say",".st4",".st6",".stc",".sxc",".sxw",".tlg",".wad",".xlk",".aiff",".bin",".bmp",".cmt",".dat",".dit",".edb",".flvv",".gif",".groups",".hdd",".hpp",".m2ts",".m4p",".mkv",".mpeg",".nvram",".ogg",".pdb",".pif",".png",".qed",".qcow",".qcow2",".rvt",".st7",".stm",".vbox",".vdi",".vhd",".vhdx",".vmdk",".vmsd",".vmx",".vmxf",".3fr",".3pr",".ab4",".accde",".accdr",".accdt",".ach",".acr",".adb",".ads",".agdl",".ait",".apj",".asm",".awg",".back",".backup",".backupdb",".bank",".bay",".bdb",".bgt",".bik",".bpw",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".ce1",".ce2",".cib",".craw",".crw",".csh",".csl",".db_journal",".dc2",".dcs",".ddoc",".ddrw",".der",".des",".dgc",".djvu",".dng",".drf",".dxg",".eml",".erf",".exf",".ffd",".fh",".fhd",".gray",".grey",".gry",".hbk",".ibank",".ibd",".ibz",".iiq",".incpas",".jpe",".kc2",".kdbx",".kdc",".kpdx",".lua",".mdc",".mef",".mfw",".mmw",".mny",".moneywell",".mrw",".myd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nwb",".nx2",".nxl",".nyf",".odb",".odf",".odg",".odm",".orf",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pdd",".mts",".plus_muhd",".plc",".psafe3",".py",".qba",".qbr",".qbw",".qbx",".qby",".raf",".rat",".raw",".rdb",".rwl",".rwz",".s3db",".sd0",".sda",".sr2",".srf",".srw",".st5",".st8",".std",".sti",".stw",".stx",".sxd",".sxg",".sxi",".sxm",".tex",".wallet",".wb2",".wpd",".x11",".x3f",".xis",".ycbcra",".yuv",".mab",".json",".msf",".jar",".cdb",".srb",".abd",".qtb",".cfn",".info",".info_",".flb",".def",".atb",".tbn",".tbb",".tlx",".pml",".pmo",".pnx",".pnc",".pmi",".pmm",".lck",".pm!",".pmr",".usr",".pnd",".pmj",".pm",".lock",".srs",".pbf",".omg",".wmf",".sh",".war",".ascx",".k2p",".apk",".asset",".bsa",".d3dbsp",".das",".forge",".iwi",".lbf",".litemod",".ltx",".m4a",".re4",".slm",".tiff",".upk",".xxx",".money",".cash",".private",".cry",".vsd",".tax",".gbr",".dgn",".stl",".gho",".ma",".acc",".db"]],"max_block_size":2,"max_blocks":5,"min_file_size":1024,"multithread":1,"network":1,"rc4_key_size":256,"rsa_key_size":880},
","file_extension":".hta"}],"files_name":"README","run_by_the_end":1},
"remove_shadows":1,
"self_deleting":1,
"servers":{"statistics":{"data_finish":"e01ENV9LRVl9","data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059","ip":"194.165.16.0/22","knock":"aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==","port":6892,"send_stat":1,"timeout":255}},
"speaker":{"speak":1,"text":[{"repeat":1,"text":"Attention! Attention! Attention!"},{"repeat":5,"text":"Your documents, photos, databases and other important files have been encrypted!"}]},
"wallpaper":{"change_wallpaper":1,"background":0,"color":65280,"size":13,"text":" Your documents, photos, databases and other important files \r\n have been encrypted by \"Cerber Ransomware 4.1.1\"! \r\n\r\n If you understand all importance of the situation \r\n then we propose to you to go directly to your personal page \r\n where you will receive the complete instructions \r\n and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses \r\n to go on your personal page below: \r\n\r\n _________________________ \r\n\r\n http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n _________________________ \r\n\r\n http://{TOR}.onion/{PC_ID} (TOR) "},
"whitelist":{"folders":[":\\documents and settings\\all users\\documents\\","\\appdata\\roaming\\microsoft\\office\\","\\excel\\","\\microsoft sql server\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\"]}}
You do not have the required permissions to view the files attached to this post.
@xorsthingsv2
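Added example (editor's code, not from the post or from the Cerber sample): a small triage helper that reads a config shaped like the one above and turns its interesting fields into answers an analyst wants, namely the decoded base64 statistics templates, whether the language check would spare a machine with a given LCID, whether a given path would be selected for encryption, the size of the statistics target range, and the payment URLs built from "default". SAMPLE_CONFIG is a constructed, trimmed subset of the posted config (most extensions and folder entries dropped). The rule that a whitelisted folder overrides a blacklisted one is an assumption about precedence; the config itself does not state it.

```python
# Added example, not from the post: triage helpers for a Cerber-style JSON
# config. SAMPLE_CONFIG is a constructed, trimmed subset of the config posted
# above; whitelist-over-blacklist precedence is an assumption.
import base64
import ipaddress
import json
import ntpath
from typing import Optional

SAMPLE_CONFIG = json.dumps({
    "blacklist": {
        "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
        "folders": [":\\windows\\", ":\\program files\\",
                    "\\appdata\\local\\", "\\appdata\\roaming\\mozilla\\"],
        "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087,
                      1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115],
    },
    "check": {"language": 1},
    "default": {"site_1": "onion.to", "site_2": "onion.cab",
                "site_3": "onion.nu", "tor": "zutzt67dcxr6mxcn"},
    "encrypt": {"encrypt": 1, "bytes_skip": 512, "min_file_size": 1024,
                "files": [[".doc", ".docx", ".xls", ".jpg", ".sql",
                           ".kdbx", ".db"]]},
    "servers": {"statistics": {
        "data_finish": "e01ENV9LRVl9",
        "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9"
                      "e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059",
        "ip": "194.165.16.0/22",
        "knock": "aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==",
        "port": 6892, "send_stat": 1, "timeout": 255}},
    "whitelist": {"folders": ["\\microsoft sql server\\", "\\outlook\\"]},
})


def load_config(text: str) -> dict:
    return json.loads(text)


def decode_stat_templates(cfg: dict) -> dict:
    """The statistics strings are base64; decoding them exposes the beacon
    format with its {PLACEHOLDER} fields."""
    stats = cfg["servers"]["statistics"]
    return {k: base64.b64decode(stats[k]).decode("ascii")
            for k in ("knock", "data_start", "data_finish")}


def skips_machine(cfg: dict, lcid: int) -> bool:
    """True when the language check is enabled and the victim's LCID is on
    the blacklist (1049 is ru-RU)."""
    return bool(cfg["check"].get("language")) and lcid in cfg["blacklist"]["languages"]


def would_encrypt(cfg: dict, path: str, size: int) -> bool:
    """Apply the config's file-selection rules to one candidate path."""
    enc = cfg["encrypt"]
    if not enc.get("encrypt"):
        return False
    p = path.lower()                     # config entries are lowercase
    name = ntpath.basename(p)
    ext = ntpath.splitext(name)[1]
    if size < enc["min_file_size"] or ext not in enc["files"][0]:
        return False
    if name in cfg["blacklist"]["files"]:
        return False
    # Assumption: a whitelisted folder re-enables an otherwise blacklisted tree.
    if any(w in p for w in cfg["whitelist"]["folders"]):
        return True
    return not any(b in p for b in cfg["blacklist"]["folders"])


def stat_targets(cfg: dict) -> tuple:
    """(number of addresses, port) covered by the statistics CIDR."""
    stats = cfg["servers"]["statistics"]
    net = ipaddress.ip_network(stats["ip"], strict=False)
    return net.num_addresses, stats["port"]


def payment_urls(cfg: dict, pc_id: str) -> list:
    """Expand the {TOR}.{SITE_n}/{PC_ID} pattern from the wallpaper text."""
    d = cfg["default"]
    sites = [d[k] for k in sorted(d) if k.startswith("site_")]
    urls = [f"http://{d['tor']}.{s}/{pc_id}" for s in sites]
    return urls + [f"http://{d['tor']}.onion/{pc_id}"]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for k, v in decode_stat_templates(cfg).items():
        print(f"{k}: {v}")
    print("ru-RU skipped:", skips_machine(cfg, 1049))
    print(would_encrypt(cfg, r"C:\Users\bob\Documents\report.docx", 40000))
    print(would_encrypt(cfg, r"C:\Windows\System32\x.docx", 40000))
    print(stat_targets(cfg), payment_urls(cfg, "ABC"))
```

Running it against the full config is a matter of replacing SAMPLE_CONFIG with the pasted text (with the public key and the cut help_files entry restored); the point of the path predicate is that the folder lists are substring matches, so a drive-relative entry like ":\\windows\\" and an anywhere entry like "\\appdata\\local\\" are handled by the same test.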

xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Cerber

Post by xors » Fri Nov 25, 2016 7:39 pm

In the attachment
@xorsthingsv2

syntx
Posts: 5
Joined: Tue Dec 01, 2015 7:30 pm

Re: Win32/Cerber

Post by syntx » Fri Dec 02, 2016 10:09 pm

Macro downloading XOR-encoded payload from 93.170.123[.]96/one.txt

Attach decoded + unpacked
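Added example (editor's code, not the attachment syntx posted): recovering a short repeating XOR key from an encoded PE download like the one.txt described above, using the structure of the PE itself as the check. The post does not say what key the macro used, so the key length bound (1 to 8 bytes), the "PE headers are mostly zero bytes" heuristic, and the constructed stand-in payload and demo key are all assumptions of this example.

```python
# Added example, not from the post: recover a repeating XOR key from an encoded
# PE blob. Key-length bound and zero-heavy-plaintext heuristic are assumptions;
# build_fake_pe() is a constructed stand-in, not the real sample.
import struct
from collections import Counter
from typing import Optional

MAX_KEY_LEN = 8


def build_fake_pe(total: int = 1024) -> bytes:
    """Constructed minimal PE-like image: DOS header with e_lfanew, the usual
    stub text, a PE signature, and zero padding. Headers are all we need."""
    buf = bytearray(total)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> PE header
    stub = b"This program cannot be run in DOS mode.\r\n$"
    buf[0x4E:0x4E + len(stub)] = stub
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x84, 0x014C)        # Machine: i386
    return bytes(buf)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ at 0 and PE\\0\\0 at e_lfanew: cheap known-plaintext validation."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, max_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """For each candidate key length, take the most frequent byte in every key
    column as key_byte XOR 0x00 (PE headers and padding are zero-heavy), then
    confirm with the MZ/PE signatures. Returns the shortest key that validates."""
    for n in range(1, max_len + 1):
        key = bytes(Counter(blob[i::n]).most_common(1)[0][0] for i in range(n))
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    demo_key = b"\x5a\x3c\x99"                       # constructed demo key
    encoded = xor_bytes(build_fake_pe(), demo_key)
    print("recovered key:", recover_xor_key(encoded))
    print("decoded is PE:", looks_like_pe(decode_payload(encoded)))
```

The column-frequency guess is what makes this work without knowing the key length: for the wrong length the columns mix key bytes and the MZ/PE check fails, for the right length each column is dominated by padding zeros and the key falls out directly. If a downloader adds a non-XOR layer (base64, byte reversal, a junk prefix) the blob has to be unwrapped before this step.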

g00dv1n
Posts: 5
Joined: Sat Nov 28, 2015 6:20 pm

Re: Win32/Cerber

Post by g00dv1n » Thu Dec 08, 2016 11:13 am


xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Cerber

Post by xors » Mon Dec 12, 2016 10:06 pm

Added one layer of packing (with UPX). Also, some additional strings can be seen, like:

Code:

"Encrypting starting."
"Encrypting done. Time left: %dms"
"Searching starting."
"Searching done. Time left: %dms"
"Network searching starting."
"Network searching done. Time left: %dms"
"CryptImportKey failed, GetLastError == %x"

Edit: If I am not mistaken, they also changed the way they decrypt the config. It looks like they use the 'CryptEncrypt' WINAPI.
@xorsthingsv2

xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Cerber

Post by xors » Tue Dec 13, 2016 5:45 pm

Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here https://www.hybrid-analysis.com/sample/ ... mentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses

Code:

/checkupdate
and

Code:

/read.php?f=404
. As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)
@xorsthingsv2

Antelox
Posts: 227
Joined: Sun Mar 21, 2010 10:38 pm

Re: Win32/Cerber

Post by Antelox » Tue Dec 13, 2016 9:55 pm

xors wrote:Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here https://www.hybrid-analysis.com/sample/ ... mentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses

Code:

/checkupdate
and

Code:

/read.php?f=404
. As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)

For a while now the group behind Cerber has also been playing with Locky, so you see the same URI used to download the payload as the one from which Cerber is also downloaded. It's not the first time I have observed this behavior. What you attached here is Cerber; in fact, the hash is different from the one downloaded in the Hybrid-Analysis sandbox.

BR,

Antelox

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: Win32/Cerber

Post by sysopfb » Wed Dec 14, 2016 5:33 pm

Code:

/read.php?f=404
That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request.

xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Cerber

Post by xors » Wed Dec 21, 2016 9:25 pm

Typical injection. Same lame things.
@xorsthingsv2
