A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #29512  by xors
 Sat Nov 05, 2016 8:21 pm
Config, removed the public key because of the length of the config
Code: Select all
{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$recycle.bin\\",":\\$windows.~bt\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\program files\\",":\\program files (x86)\\",":\\programdata\\",":\\recovery\\",":\\recycler\\",":\\users\\all users\\",":\\windows\\",":\\windows.old\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\adobe\\flash player\\","\\appData\\roaming\\apple computer\\safari\\","\\appdata\\roaming\\ati\\","\\appdata\\roaming\\intel\\","\\appdata\\roaming\\intel corporation\\","\\appdata\\roaming\\google\\","\\appdata\\roaming\\macromedia\\flash player\\","\\appdata\\roaming\\mozilla\\","\\appdata\\roaming\\nvidia\\","\\appdata\\roaming\\opera\\","\\appdata\\roaming\\opera software\\","\\appdata\\roaming\\microsoft\\internet explorer\\","\\appdata\\roaming\\microsoft\\windows\\","\\application data\\microsoft\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},"check":{"language":1},"close_process":{"close_process":1,"process":["msftesql.exe","sqlagent.exe","sqlbrowser.exe","sqlservr.exe","sqlwriter.exe","oracle.exe","ocssd.exe","dbsnmp.exe","synctime.exe","mydesktopqos.exe","agntsvc.exeisqlplussvc.exe","xfssvccon.exe","mydesktopservice.exe","ocautoupds.exe","agntsvc.exeagntsvc.exe","agntsvc.exeencsvc.exe","firefoxconfig.exe","tbirdconfig.exe","ocomm.exe","mysqld.exe","mysqld-nt.exe","mysqld-opt.exe","dbeng50.exe","sqbcoreservice.exe"]},"debug":0,"default":{"site_1":"onion.to","site_2":"onion.cab","site_3":"onion.nu","site_4":"onion.link","site_5":"tor2web.org","tor":"zutzt67dcxr6mxcn"},"encrypt":{"bytes_skip":512,"encrypt":1,"files":[[".accdb",".mdb",".mdf",".dbf",".vpd",".sdf",".sqlitedb",".sqlite3",".sqlite",".sql",".sdb",".doc",".docx",".odt",".xls",".xlsx",".ods",".ppt",".pptx",".odp",".pst",".dbx",".wab",".tbk",".pps",".ppsx",".pdf",".jpg",".tif",".pub",".one",".rtf",".csv",".docm",".xlsm",".pptm",".ppsm",".xlsb",".dot",".dotx",".dotm",".xlt",".xltx",".xltm",".pot",".potx",".potm",".xps",".wps",".xla",".xlam",".erbsql",".sqlite-shm",".sqlite-wal",".litesql",".ndf",".ost",".pab",".oab",".contact",".jnt",".mapimail",".msg",".prf",".rar",".txt",".xml",".zip",".1cd",".3ds",".3g2",".3gp",".7z",".7zip",".aoi",".asf",".asp",".aspx",".asx",".avi",".bak",".cer",".cfg",".class",".config",".css",".dds",".dwg",".dxf",".flf",".flv",".html",".idx",".js",".key",".kwm",".laccdb",".ldf",".lit",".m3u",".mbx",".md",".mid",".mlb",".mov",".mp3",".mp4",".mpg",".obj",".pages",".php",".psd",".pwm",".rm",".safe",".sav",".save",".srt",".swf",".thm",".vob",".wav",".wma",".wmv",".3dm",".aac",".ai",".arw",".c",".cdr",".cls",".cpi",".cpp",".cs",".db3",".drw",".dxb",".eps",".fla",".flac",".fxg",".java",".m",".m4v",".max",".pcd",".pct",".pl",".ppam",".ps",".pspimage",".r3d",".rw2",".sldm",".sldx",".svg",".tga",".xlm",".xlr",".xlw",".act",".adp",".al",".bkp",".blend",".cdf",".cdx",".cgm",".cr2",".crt",".dac",".dcr",".ddd",".design",".dtd",".fdb",".fff",".fpx",".h",".iif",".indd",".jpeg",".mos",".nd",".nsd",".nsf",".nsg",".nsh",".odc",".oil",".pas",".pat",".pef",".pfx",".ptx",".qbb",".qbm",".sas7bdat",".say",".st4",".st6",".stc",".sxc",".sxw",".tlg",".wad",".xlk",".aiff",".bin",".bmp",".cmt",".dat",".dit",".edb",".flvv",".gif",".groups",".hdd",".hpp",".m2ts",".m4p",".mkv",".mpeg",".nvram",".ogg",".pdb",".pif",".png",".qed",".qcow",".qcow2",".rvt",".st7",".stm",".vbox",".vdi",".vhd",".vhdx",".vmdk",".vmsd",".vmx",".vmxf",".3fr",".3pr",".ab4",".accde",".accdr",".accdt",".ach",".acr",".adb",".ads",".agdl",".ait",".apj",".asm",".awg",".back",".backup",".backupdb",".bank",".bay",".bdb",".bgt",".bik",".bpw",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".ce1",".ce2",".cib",".craw",".crw",".csh",".csl",".db_journal",".dc2",".dcs",".ddoc",".ddrw",".der",".des",".dgc",".djvu",".dng",".drf",".dxg",".eml",".erf",".exf",".ffd",".fh",".fhd",".gray",".grey",".gry",".hbk",".ibank",".ibd",".ibz",".iiq",".incpas",".jpe",".kc2",".kdbx",".kdc",".kpdx",".lua",".mdc",".mef",".mfw",".mmw",".mny",".moneywell",".mrw",".myd",".ndd",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nwb",".nx2",".nxl",".nyf",".odb",".odf",".odg",".odm",".orf",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pdd",".mts",".plus_muhd",".plc",".psafe3",".py",".qba",".qbr",".qbw",".qbx",".qby",".raf",".rat",".raw",".rdb",".rwl",".rwz",".s3db",".sd0",".sda",".sr2",".srf",".srw",".st5",".st8",".std",".sti",".stw",".stx",".sxd",".sxg",".sxi",".sxm",".tex",".wallet",".wb2",".wpd",".x11",".x3f",".xis",".ycbcra",".yuv",".mab",".json",".msf",".jar",".cdb",".srb",".abd",".qtb",".cfn",".info",".info_",".flb",".def",".atb",".tbn",".tbb",".tlx",".pml",".pmo",".pnx",".pnc",".pmi",".pmm",".lck",".pm!",".pmr",".usr",".pnd",".pmj",".pm",".lock",".srs",".pbf",".omg",".wmf",".sh",".war",".ascx",".k2p",".apk",".asset",".bsa",".d3dbsp",".das",".forge",".iwi",".lbf",".litemod",".ltx",".m4a",".re4",".slm",".tiff",".upk",".xxx",".money",".cash",".private",".cry",".vsd",".tax",".gbr",".dgn",".stl",".gho",".ma",".acc",".db"]],"max_block_size":2,"max_blocks":5,"min_file_size":1024,"multithread":1,"network":1,"rc4_key_size":256,"rsa_key_size":880},","file_extension":".hta"}],"files_name":"README","run_by_the_end":1},"remove_shadows":1,"self_deleting":1,"servers":{"statistics":{"data_finish":"e01ENV9LRVl9","data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059","ip":"194.165.16.0/22","knock":"aGl7UEFSVE5FUl9JRH17U1RBVFVTfQ==","port":6892,"send_stat":1,"timeout":255}},"speaker":{"speak":1,"text":[{"repeat":1,"text":"Attention! Attention! Attention!"},{"repeat":5,"text":"Your documents, photos, databases and other important files have been encrypted!"}]},"wallpaper":{"change_wallpaper":1,"background":0,"color":65280,"size":13,"text":" Your documents, photos, databases and other important files \r\n have been encrypted by \"Cerber Ransomware 4.1.1\"! \r\n\r\n If you understand all importance of the situation \r\n then we propose to you to go directly to your personal page \r\n where you will receive the complete instructions \r\n and guarantees to restore your files. \r\n\r\n There is a list of temporary addresses \r\n to go on your personal page below: \r\n\r\n _________________________ \r\n\r\n http://{TOR}.{SITE_1}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_2}/{PC_ID} \r\n\r\n http://{TOR}.{SITE_3}/{PC_ID} \r\n\r\n _________________________ \r\n\r\n http://{TOR}.onion/{PC_ID} (TOR) "},"whitelist":{"folders":[":\\documents and settings\\all users\\documents\\","\\appdata\\roaming\\microsoft\\office\\","\\excel\\","\\microsoft sql server\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\"]}}
You do not have the required permissions to view the files attached to this post.
 #29619  by xors
 Fri Nov 25, 2016 7:39 pm
In the attachment
You do not have the required permissions to view the files attached to this post.
 #29679  by syntx
 Fri Dec 02, 2016 10:09 pm
Macro downloading XOR-encoded payload from 93.170.123[.]96/one.txt

Attach decoded + unpacked
You do not have the required permissions to view the files attached to this post.
 #29710  by xors
 Mon Dec 12, 2016 10:06 pm
Added one layer of packing (with UPX). Also some additional strings can be seen like
Code: Select all
"Encrypting starting."
"Encrypting done. Time left: %dms"
 "Searching starting."
"Searching done. Time left: %dms"
"Network searching starting."
 "Network searching done. Time left: %dms"
 "CryptImportKey failed, GetLastError == %x"
Edit: If I am not mistaken,they also changed the way that they decrypt the config. It looks like they use 'CryptEncrypt' WINAPI
You do not have the required permissions to view the files attached to this post.
 #29715  by xors
 Tue Dec 13, 2016 5:45 pm
Hello all again,

My question might be stupid but i am quite confused

We have the following sample from here https://www.hybrid-analysis.com/sample/ ... mentId=100

Which as you can see on the screenshots, its locky. However, if you proceed further,download the 'roaming.exe' file and then unpack, you will end up with cerber ransomware. Also if you look at the traffic, the malware uses
Code: Select all
/checkupdate
and
Code: Select all
/read.php?f=404
. As far as i know, the first one is for locky, but the second one is only for cerber. Also, if i am not mistaken, cerber doesn't use any POST requests.

Probably i am missing something, so any help is welcome :)
You do not have the required permissions to view the files attached to this post.
 #29716  by Antelox
 Tue Dec 13, 2016 9:55 pm
xors wrote:Hello all again,

My question might be stupid but i am quite confused

We have the following sample from here https://www.hybrid-analysis.com/sample/ ... mentId=100

Which as you can see on the screenshots, its locky. However, if you proceed further,download the 'roaming.exe' file and then unpack, you will end up with cerber ransomware. Also if you look at the traffic, the malware uses
Code: Select all
/checkupdate
and
Code: Select all
/read.php?f=404
. As far as i know, the first one is for locky, but the second one is only for cerber. Also, if i am not mistaken, cerber doesn't use any POST requests.

Probably i am missing something, so any help is welcome :)
It's a while that the group behind Cerber is playing also with Locky, so you see same URI to download the payload as the one with which is downloaded also Cerber. It's not the first time that I observed this behavior. What you attached here is Cerber, in fact the hashes is different from the one downloaded in the Hybrid-Analysis sandbox.

BR,

Antelox
 #29724  by sysopfb
 Wed Dec 14, 2016 5:33 pm
Code: Select all
/read.php?f=404
That is more associated with the delivery mechanism than directly with Cerber. They could push whatever malware they want as a response to that request
 #29766  by xors
 Wed Dec 21, 2016 9:25 pm
Typical injection. Same lame things
You do not have the required permissions to view the files attached to this post.
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8