Page 6 of 8

Re: Malware collection

Posted: Tue Oct 18, 2016 8:25 am
by EP_X0FF
ikolor wrote: Thanks for the analysis

https://www.virustotal.com/en/file/9680 ... 469821993/

https://www.virustotal.com/en/file/5b61 ... 469821611/
keen2go-installer.exe - installs shortcut Ken2Go Games. Trashware, attach removed.
scvhost.exe - Ransom/Cerber

Posts moved.

Re: Win32/Cerber

Posted: Sat Nov 05, 2016 8:21 pm
by xors
Config (public key removed because of the length of the config):
Code:
{
  "blacklist": {
    "files": ["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],
    "folders": [":\\$recycle.bin\\",":\\$windows.~bt\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\program files\\",":\\program files (x86)\\",":\\programdata\\",":\\recovery\\",":\\recycler\\",":\\users\\all users\\",":\\windows\\",":\\windows.old\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\adobe\\flash player\\","\\appData\\roaming\\apple computer\\safari\\","\\appdata\\roaming\\ati\\","\\appdata\\roaming\\intel\\","\\appdata\\roaming\\intel corporation\\","\\appdata\\roaming\\google\\","\\appdata\\roaming\\macromedia\\flash player\\","\\appdata\\roaming\\mozilla\\","\\appdata\\roaming\\nvidia\\","\\appdata\\roaming\\opera\\","\\appdata\\roaming\\opera software\\","\\appdata\\roaming\\microsoft\\internet explorer\\","\\appdata\\roaming\\microsoft\\windows\\","\\application data\\microsoft\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],
    "languages": [1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]
  },
  "check": {"language":1},
  "close_process": {
    "close_process": 1,
    "process": ["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]
  },
  "debug": 0,
  "default": {"site_1":"onion.to","site_2":"onion.cab","site_3":"onion.nu","site_4":"onion.link","site_5":"tor2web.org","tor":"zutzt67dcxr6mxcn"},
  "encrypt": {
    "bytes_skip": 512,
    "encrypt": 1,
    "files": [[
      ".accdb",".mdb",".mdf",".dbf",".vpd",".sdf",".sqlitedb",".sqlite3",".sqlite",".sql",".sdb",".doc",".docx",".odt",".xls",".xlsx",".ods",".ppt",".pptx",".odp",".pst",".dbx",".wab",".tbk",".pps",".ppsx",".pdf",".jpg",".tif",".pub",".one",".rtf",".csv",".docm",".xlsm",".pptm",".ppsm",".xlsb",".dot",".dotx",".dotm",".xlt",".xltx",".xltm",".pot",".potx",".potm",".xps",".wps",".xla",".xlam",".erbsql",".sqlite-shm",".sqlite-wal",".litesql",".ndf",".ost",".pab",".oab",".contact",".jnt",".mapimail",".msg",".prf",".rar",".txt",".xml",".zip",".1cd",".3ds",".3g2",".3gp",".7z",".7zip",".aoi",".asf",".asp",".aspx",".asx",".avi",".bak",".cer",".cfg",".class",".config",".css",".dds",".dwg",".dxf",".flf",".flv",".html",".idx",".js",".key",".kwm",".laccdb",".ldf",".lit",".m3u",".mbx",".md",".mid",".mlb",".mov",".mp3",".mp4",".mpg",".obj",".pages",".php",".psd",".pwm",".rm",".safe",".sav",".save",".srt",".swf",".thm",".vob",".wav",".wma",".wmv",".3dm",".aac",".ai",".arw",".c",".cdr",".cls",".cpi",".cpp",".cs",".db3",".drw",".dxb",".eps",".fla",".flac",".fxg",".java",".m",".m4v",".max",".pcd",".pct",".pl",".ppam",".ps",".pspimage",".r3d",".rw2",".sldm",".sldx",".svg",".tga",".xlm",".xlr",".xlw",".act",
      ".adp",".al",".bkp",".blend",".cdf",".cdx",".cgm",".cr2",".crt",".dac",".dcr",".ddd",".design",".dtd",".fdb",".fff",".fpx",".h",".iif",".indd",".jpeg",".mos",".nd",".nsd",".nsf",".nsg",".nsh",".odc",".oil",".pas",".pat",".pef",".pfx",".ptx",".qbb",".qbm",".sas7bdat",".say",".st4",".st6",".stc",".sxc",".sxw",".tlg",".wad",".xlk",".aiff",".bin",".bmp",".cmt",".dat",".dit",".edb",".flvv",".gif",".groups",".hdd",".hpp",".m2ts",".m4p",".mkv",".mpeg",".nvram",".ogg",".pdb",".pif",".png",".qed",".qcow",".qcow2",".rvt",".st7",".stm",".vbox",".vdi",".vhd",".vhdx",".vmdk",".vmsd",".vmx",".vmxf",".3fr",".3pr",".ab4",".accde",".accdr",".accdt",".ach",".acr",".adb",".ads",".agdl",".ait",".apj",".asm",".awg",".back",".backup",".backupdb",".bank",".bay",".bdb",".bgt",".bik",".bpw",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".ce1",".ce2",".cib",".craw",".crw",".csh",".csl",".db_journal",".dc2",".dcs",".ddoc",".ddrw",".der",".des",".dgc",".djvu",".dng",".drf",".dxg",".eml",".erf",".exf",".ffd",".fh",".fhd",".gray",".grey",".gry",".hbk",".ibank",".ibd",".ibz",".iiq",".incpas",".jpe",".kc2",".kdbx",".kdc",".kpdx",".lua",".mdc",".mef",".mfw",".mmw",".mny",".moneywell",".mrw",".myd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nwb",".nx2",".nxl",".nyf",".odb",".odf",".odg",".odm",".orf",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pdd",".mts",".plus_muhd",".plc",".psafe3",".py",".qba",".qbr",".qbw",".qbx",".qby",".raf",".rat",".raw",".rdb",".rwl",".rwz",".s3db",".sd0",".sda",".sr2",".srf",".srw",".st5",".st8",".std",".sti",".stw",".stx",".sxd",".sxg",".sxi",".sxm",".tex",".wallet",".wb2",".wpd",".x11",".x3f",".xis",".ycbcra",".yuv",".mab",".json",".msf",".jar",".cdb",".srb",".abd",".qtb",".cfn",".info",".info_",".flb",".def",".atb",".tbn",".tbb",".tlx",".pml",".pmo",".pnx",".pnc",".pmi",".pmm",".lck",".pm!",".pmr",".usr",".pnd",".pmj",".pm",".lock",".srs",".pbf",".omg",".wmf",".sh",".war",".ascx",".k2p",".apk",".asset",".bsa",".d3dbsp",".das",".forge",".iwi",".lbf",
      ".litemod",".ltx",".m4a",".re4",".slm",".tiff",".upk",".xxx",".money",".cash",".private",".cry",".vsd",".tax",".gbr",".dgn",".stl",".gho",".ma",".acc",".db"
    ]],
    "max_block_size": 2,
    "max_blocks": 5,
    "min_file_size": 1024,
    "multithread": 1,
    "network": 1,
    "rc4_key_size": 256,
    "rsa_key_size": 880
  },
  ","file_extension":".hta"}],"files_name":"README","run_by_the_end":1},
  "remove_shadows": 1,
  "self_deleting": 1,
  "servers": {
    "statistics": {
      "data_finish": "e01ENV9LRVl9",
      "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059",
      "ip": "194.165.16.0/22",
      "knock": "aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==",
      "port": 6892,
      "send_stat": 1,
      "timeout": 255
    }
  },
  "speaker": {
    "speak": 1,
    "text": [
      {"repeat":1,"text":"Attention! Attention! Attention!"},
      {"repeat":5,"text":"Your documents, photos, databases and other important files have been encrypted!"}
    ]
  },
  "wallpaper": {
    "change_wallpaper": 1,
    "background": 0,
    "color": 65280,
    "size": 13,
    "text": " Your documents, photos, databases and other important files \r\n have been encrypted by \"Cerber Ransomware 4.1.1\"! \r\n\r\n If you understand all importance of the situation \r\n then we propose to you to go directly to your personal page \r\n where you will receive the complete instructions \r\n and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses \r\n to go on your personal page below: \r\n\r\n _________________________ \r\n\r\n http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n _________________________ \r\n\r\n http://{TOR}.onion/{PC_ID} (TOR) "
  },
  "whitelist": {
    "folders": [":\\documents and settings\\all users\\documents\\","\\appdata\\roaming\\microsoft\\office\\","\\excel\\","\\microsoft sql server\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\"]
  }
}
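The "servers" -> "statistics" block of the config above is the part a defender can act on directly: a destination range, a port, and three base64 strings that decode to the message templates the bot fills in ({PARTNER_ID}, {STATUS}, {MD5_KEY}, ...). The following is an added example, not code from the thread or from the malware: it decodes those templates, lists their placeholder fields, and matches constructed flow records against the configured endpoint. Only the statistics object is copied from the config; the flow records are made up for the demonstration, and treating the traffic as UDP is this example's assumption (the config names only the range and port).

```python
"""Extract beacon indicators from a Cerber-style "statistics" config and
match flow records against them (added example, not the thread's code)."""
import base64
import ipaddress
import re

# Copied from the "servers" -> "statistics" object in the posted config.
STATISTICS = {
    "data_finish": "e01ENV9LRVl9",
    "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059",
    "ip": "194.165.16.0/22",
    "knock": "aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==",
    "port": 6892,
    "send_stat": 1,
    "timeout": 255,
}

PLACEHOLDER = re.compile(r"\{([A-Z0-9_]+)\}")


def decode_templates(stats):
    """Base64-decode the three message templates into printable format strings."""
    return {name: base64.b64decode(stats[name]).decode("ascii")
            for name in ("knock", "data_start", "data_finish")}


def template_fields(template):
    """Return the {PLACEHOLDER} names the bot substitutes before sending."""
    return PLACEHOLDER.findall(template)


def beacon_indicators(stats):
    """Summarise what to look for on the wire: destination range, port, and the
    fixed text of each template before its first placeholder."""
    templates = decode_templates(stats)
    network = ipaddress.ip_network(stats["ip"], strict=True)
    return {
        "network": network,
        "port": stats["port"],
        "hosts_in_range": network.num_addresses,
        "fixed_prefix": {n: t.split("{", 1)[0] for n, t in templates.items()},
        "templates": templates,
    }


def is_stats_beacon(flow, indicators, transport="udp"):
    """Match one flow record (dict with proto, dst_ip, dst_port) against the
    indicators. transport="udp" is an assumption of this example; the config
    itself only states the range and the port."""
    if flow["proto"].lower() != transport:
        return False
    if flow["dst_port"] != indicators["port"]:
        return False
    return ipaddress.ip_address(flow["dst_ip"]) in indicators["network"]


# Constructed flow records for the demonstration, not captured traffic.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.15", "dst_ip": "194.165.16.1",   "dst_port": 6892, "proto": "udp"},
    {"src_ip": "10.0.0.15", "dst_ip": "194.165.19.254", "dst_port": 6892, "proto": "udp"},
    {"src_ip": "10.0.0.15", "dst_ip": "194.165.20.1",   "dst_port": 6892, "proto": "udp"},  # outside the /22
    {"src_ip": "10.0.0.15", "dst_ip": "194.165.16.1",   "dst_port": 443,  "proto": "tcp"},  # wrong port/proto
]


def matching_flows(flows, stats=STATISTICS):
    """Return the flow records that hit the configured statistics endpoint."""
    indicators = beacon_indicators(stats)
    return [f for f in flows if is_stats_beacon(f, indicators)]


if __name__ == "__main__":
    ind = beacon_indicators(STATISTICS)
    for name, tmpl in ind["templates"].items():
        print(f"{name:12} {tmpl!r}  fields={template_fields(tmpl)}")
    print(f"{ind['hosts_in_range']} hosts in {ind['network']}, port {ind['port']}")
    for f in matching_flows(SAMPLE_FLOWS):
        print("beacon candidate ->", f["dst_ip"])
```

The /22 covers 1024 addresses, so a single infected host that reports to the whole range stands out as a fan-out of same-sized datagrams to one port; the "knock" template's fixed "hi" prefix is the only constant content, the rest is per-victim data.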

Re: Win32/Cerber

Posted: Fri Nov 25, 2016 7:39 pm
by xors
In the attachment

Re: Win32/Cerber

Posted: Fri Dec 02, 2016 10:09 pm
by syntx
Macro downloading XOR-encoded payload from 93.170.123[.]96/one.txt

Attach decoded + unpacked
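The post describes the downloaded payload as XOR-encoded but gives neither the key nor its length. As an added example (not syntx's decoder), the following assumes a single-byte key and recovers it by brute force, accepting only the key whose output has the layout a Windows executable must have: "MZ" at offset 0 and the "PE\0\0" signature at the offset stored in e_lfanew (0x3C). The encoded input is constructed inline from a minimal fake header; it is not the real one.txt.

```python
"""Recover a single-byte XOR key from an encoded Windows executable by checking
the MZ/PE header layout of each candidate decoding (added example)."""
import struct


def build_sample_pe_header(e_lfanew=0x80, size=0x100):
    """Constructed stand-in for a downloaded payload: a zero-filled buffer with
    the MZ magic, an e_lfanew pointer and a PE signature. Not a real executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (assumption: the key is one byte)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if data starts with MZ and e_lfanew points at a PE signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(encoded):
    """Try all 256 keys; return the first whose decoding has a PE layout, else None.
    Checking the PE signature as well as "MZ" rules out keys that only happen to
    produce the two magic bytes."""
    for key in range(256):
        if looks_like_pe(xor_bytes(encoded, key)):
            return key
    return None


def decode_payload(encoded):
    """Return (key, decoded_bytes), or (None, None) if no key yields a PE layout."""
    key = recover_single_byte_key(encoded)
    if key is None:
        return None, None
    return key, xor_bytes(encoded, key)


# Constructed test input: the fake header encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_bytes(build_sample_pe_header(), SAMPLE_KEY)

if __name__ == "__main__":
    key, decoded = decode_payload(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}" if key is not None else "no single-byte key fits")
    if decoded:
        print("decoded header starts with", decoded[:2])
```

A repeating multi-byte key defeats this check, since each key byte then needs its own known-plaintext byte; the usual extension is to also match the DOS stub string "This program cannot be run in DOS mode" to recover longer keys.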

Re: Win32/Cerber

Posted: Thu Dec 08, 2016 11:13 am
by g00dv1n

Re: Win32/Cerber

Posted: Mon Dec 12, 2016 10:06 pm
by xors
Added one layer of packing (with UPX). Also some additional strings can be seen, like
Code:
"Encrypting starting."
"Encrypting done. Time left: %dms"
"Searching starting."
"Searching done. Time left: %dms"
"Network searching starting."
"Network searching done. Time left: %dms"
"CryptImportKey failed, GetLastError == %x"
Edit: If I am not mistaken, they also changed the way they decrypt the config. It looks like they use the 'CryptEncrypt' WinAPI.

Re: Win32/Cerber

Posted: Tue Dec 13, 2016 5:45 pm
by xors
Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here: https://www.hybrid-analysis.com/sample/ ... mentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses
Code:
/checkupdate
and
Code:
/read.php?f=404
As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)

Re: Win32/Cerber

Posted: Tue Dec 13, 2016 9:55 pm
by Antelox
xors wrote: Hello all again,

My question might be stupid, but I am quite confused.

We have the following sample from here: https://www.hybrid-analysis.com/sample/ ... mentId=100

Which, as you can see on the screenshots, is Locky. However, if you proceed further, download the 'roaming.exe' file and then unpack it, you will end up with Cerber ransomware. Also, if you look at the traffic, the malware uses
Code:
/checkupdate
and
Code:
/read.php?f=404
As far as I know, the first one is for Locky, but the second one is only for Cerber. Also, if I am not mistaken, Cerber doesn't use any POST requests.

Probably I am missing something, so any help is welcome :)
For a while now the group behind Cerber has also been playing with Locky, so you see the same URI used to download the payload as the one through which Cerber is also downloaded. It's not the first time that I have observed this behavior. What you attached here is Cerber; in fact, the hash is different from the one downloaded in the Hybrid-Analysis sandbox.

BR,

Antelox

Re: Win32/Cerber

Posted: Wed Dec 14, 2016 5:33 pm
by sysopfb
Code:
/read.php?f=404
That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request.

Re: Win32/Cerber

Posted: Wed Dec 21, 2016 9:25 pm
by xors
Typical injection. Same lame things.