xors wrote: Edit: If I am not mistaken, they also changed the way that they decrypt the config. It looks like they use 'CryptEncrypt' WINAPI

Wasn't this something they did in earlier versions as well? (Know I've seen CryptEncrypt for decryption in a "recent" sample)
Win32/Cerber
Re: Win32/Cerber
Has anyone speculated how the ranges are picked for where it sends stats? The early versions were kind of easy to follow, as it was only a matter of acquiring a server in the IP range; the past few months have however shown ranges without hosting providers, which points to the author using hacked servers as relays(?).
Re: Malware collection
Check the comment, Locky encoded...
BR,
Antelox
Re: Malware collection
Check contents. Is it something else?
Re: Malware collection
ikolor wrote: Check contents. Is it something else?

Nope, it's Locky XORed. Un-XORed: https://www.virustotal.com/fr/file/610e ... /analysis/
- maddog4012
- Posts: 75
- Joined: Mon Aug 04, 2014 6:53 pm
Re: Malware collection
Code:
1001.exe CERBER
Event Type Details Parent PID PID
Detection
Threat characteristic: Attempts to connect to malicious host
Host: 208.83.223.34
Threat Name: CALLBACK_CRYPTOLOCK.WRS
Detection
Threat characteristic: Rare executable file
Global Detections: 0
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\userenv.dll, 74790000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\setupapi.dll, 75a30000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\apphelp.dll, 71760000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\dwmapi.dll, 73c10000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\oleacc.dll, 723b0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\clbcatq.dll, 75480000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\version.dll, 74630000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\shfolder.dll, 6b260000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call Window API API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 758d0000, 0 ) Return: 201d4 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, clbcatq.dll, 75480000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1e24a4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ntmarta.dll, 71e90000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, shell32.dll, 75bf0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, api-ms-win-security-sddl-l1-1-0.dll, 75bd0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, profapi.dll, 750e0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, setupapi.dll, 75a30000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, apphelp.dll, 71760000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shdocvw.dll, 71210000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shell32.dll, 75bf0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, propsys.dll, 73f80000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%\, 0 ) Return: 0 2784
Add File Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY 2784
Delete File Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY 2784
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsl9D47.tmp
Type: VSDT_EMPTY
Call Filesystem API API Name: DeleteFileW Args: ( %TEMP%\nsl9D47.tmp ) Return: 1 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0 2784
Call Filesystem API API Name: SetFileTime Args: ( 8, 2017-00-11/11:13:50, NULL, 2017-00-11/11:13:50 ) Return: 1 2784
Add File Path: %TEMP%\ie7.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\ie7.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 8, 2017-00-11/11:33:40, NULL, 2017-00-11/11:33:40 ) Return: 1 2784
Add File Path: %TEMP%\home Type: VSDT_TEXT_HTML 2784
Write File Path: %TEMP%\home Type: VSDT_TEXT_HTML 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:53:28, NULL, 2017-00-11/11:53:28 ) Return: 1 2784
Add File Path: %TEMP%\xspSF.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\xspSF.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:32:16, NULL, 2017-00-11/11:32:16 ) Return: 1 2784
Add File Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS 2784
Write File Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:26, NULL, 2017-00-11/12:05:26 ) Return: 1 2784
Add File Path: %TEMP%\facebook.png Type: VSDT_PNG 2784
Write File Path: %TEMP%\facebook.png Type: VSDT_PNG 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:13:40, NULL, 2017-00-11/11:13:40 ) Return: 1 2784
Add File Path: %TEMP%\feed Type: VSDT_TEXT_HTML 2784
Write File Path: %TEMP%\feed Type: VSDT_TEXT_HTML 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:30, NULL, 2017-00-11/12:05:30 ) Return: 1 2784
Add File Path: %TEMP%\print1777536650.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\print1777536650.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:25:22, NULL, 2017-00-11/12:25:22 ) Return: 1 2784
Add File Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS 2784
Write File Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS 2784
Add File Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY 2784
Delete File Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY 2784
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsg9EFD.tmp
Type: VSDT_EMPTY
Call Filesystem API API Name: DeleteFileW Args: ( %TEMP%\nsg9EFD.tmp ) Return: 1 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%\nsg9EFD.tmp, 12f6b4 ) Return: 1 2784
Add File Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32 2784
Detection
Threat characteristic: Drops executable during installation
Dropping Process ID: 2784
File: %TEMP%\nsg9EFD.tmp\System.dll
Type: VSDT_DLL_W32
Write File Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32 2784
Detection
Threat characteristic: Modifies file that can be used to infect systems
%TEMP%\nsg9EFD.tmp\System.dll
Call System API API Name: LdrLoadDll Args: ( 20e97c, 0, %TEMP%\nsg9efd.tmp\system.dll, 10000000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptsp.dll, 74b90000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, %windir%\system32\rsaenh.dll, 74930000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: CryptDeriveKey Args: ( 1fbb20, 6609, 1a9af8, 1, 12f4b8 ) Return: 1 2784
Call System API API Name: CryptDecrypt Args: ( 1a9f38, 0, 1, 0, 3240000, c73e3 ) Return: 1 2784
Call Process API API Name: CreateProcessW Args: ( %WorkingDir%\1001.exe, "%WorkingDir%\1001.exe", , , , CREATE_SUSPENDED, , , , Process:2844:%WorkingDir%\1001.exe ) Return: 1 2784
Call Thread API API Name: NtGetContextThread Args: ( 580, 12f094 ) Return: 0 2784
Call Thread API API Name: SetThreadContext Args: ( Process Name:2844:%WorkingDir%\1001.exe ) Return: 1 2784
Detection
Threat characteristic: Resides in memory to evade detection
Injecting Process ID: 2784
Injected API: SetThreadContext
Target Process ID: 2844
Target Image Path: %WorkingDir%\1001.exe
Call Filesystem API API Name: NtReadFile Args: ( 254, , , , , , 200, , ) Return: 0 2784
Add Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\ Value: None 2784 2844
Add Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\ Value: None 2784 2844
Write Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xi Value: 956D951EDA13BC116996 2784 2844
Add File Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32 2784 2844
Detection
Threat characteristic: Drops fake system file
%ALLUSERSPROFILE%\Windows\csrss.exe
Detection
Threat characteristic: Drops executable during installation
Dropping Process ID: 2844
File: %ALLUSERSPROFILE%\Windows\csrss.exe
Type: VSDT_EXE_W32
Detection
Threat characteristic: Creates multiple copies of a file
%ALLUSERSPROFILE%\Windows\csrss.exe
Detection
Threat characteristic: Copies self
File is copied from %WorkingDir%\1001.exe to %ALLUSERSPROFILE%\Windows\csrss.exe
Write File Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32 2784 2844
Detection
Threat characteristic: Modifies file that can be used to infect systems
%ALLUSERSPROFILE%\Windows\csrss.exe
Write Registry Key Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem Value: "%ALLUSERSPROFILE%\Windows\csrss.exe" 2784 2844
Detection
Threat characteristic: Adds Autorun in registry
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"
Type: REG_SZ
Write Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xVersion Value: 4.0.0.1 2784 2844
Add File Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\state Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-certs Type: VSDT_ASCII 2784 2844
Delete File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII 2784 2844
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2844
File: %TEMP%\6893A5D897\unverified-microdesc-consensus
Type: VSDT_ASCII
Add File Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-microdesc-consensus Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Last edited by EP_X0FF on Fri Jan 13, 2017 3:45 am, edited 1 time in total.
Reason: text wall removed
Re: Malware collection
maddog4012, could you please use "code" tags for such long logs next time?
Re: Win32/Cerber
cerber
Re: Win32/Cerber
#Cerber.
https://www.virustotal.com/es/file/f4de ... 485445458/
SHA256: f4dee521502a89bcb0dbce3d894692ca9a37a3578759589d31e6fb5f154f2e7b
Name: 1
Detections: 9 / 56
Downloader -> hxxp://finestololoki.top/search.php