A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4342  by nullptr
 Sat Jan 08, 2011 3:10 am
Written in Delphi, internal string CERBERUS. Old known trojan recrypted.

Files:
* System32\sysanalizer\dll.exe (copy of original file)
* System32\sysanalizer\logs.dat
* System32\sysanalizer\plugin.dat

Reg Start:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{J5TI3541-8564-5174-YJ71-14T58LY72400}
* StubPath = "C:\Windows\System32\sysanalizer\dll.exe Restart"

Injects code into Internet Explorer and calls home.

Units used:
WinSvc
System
SysInit
KWindows
UTypes
BUnitTranslations
UnitVariables
UnitCryptString
uRC4
kRC4
Utils
TlHelp32
EditSvr
UnitServices
UnitSandBox
DLLUnit
UnitInjectLibrary
Attachments (455.34 KiB), pass: malware
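The persistence locations listed above (the four Run keys, the Active Setup Installed Components entry with its StubPath, and the sysanalizer folder under System32) can be turned into a quick host triage check. The PowerShell script below is an added example for that purpose and is not part of the original post or of the sample; the key and file names are taken from the post, everything else (the Wow6432Node/SysWOW64 counterparts, the GUID well-formedness check, the output shape) is this example's own assumption. It only reads the registry and file system and reports what it finds.

```powershell
# Added triage check (not from the original post): look for the Cerberus
# persistence artifacts described above and print any hits.

# Run keys listed in the post (HKLM/HKCU Run and Policies\Explorer\Run)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Active Setup roots: the one from the post plus the Wow6432Node view a
# 32-bit process would write to on 64-bit Windows (assumption: sample is 32-bit)
$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Drop folder from the post, plus the SysWOW64 location a redirected 32-bit
# writer would actually land in
$dropDirs = @(
    (Join-Path $env:SystemRoot 'System32\sysanalizer'),
    (Join-Path $env:SystemRoot 'SysWOW64\sysanalizer')
)
$dropFiles = 'dll.exe', 'logs.dat', 'plugin.dat'

$indicator = 'sysanalizer'   # folder name used by the sample, per the post
$guidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$psMeta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Location, $Name, $Value, $Reason) {
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Value = $Value; Reason = $Reason
    })
}

# 1. Run keys: any value whose data mentions the drop folder
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip provider metadata
        if ("$($p.Value)" -match $indicator) {
            Add-Finding $key $p.Name $p.Value 'Run value references sysanalizer'
        }
    }
}

# 2. Active Setup: StubPath pointing at the drop folder, or a component key
#    whose name is not a well-formed GUID (real components use GUIDs; the
#    name quoted in the post contains non-hex characters)
foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($comp in Get-ChildItem -LiteralPath $root) {
        $stub = (Get-ItemProperty -LiteralPath $comp.PSPath -Name StubPath `
                 -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -match $indicator) {
            Add-Finding $comp.PSPath 'StubPath' $stub 'StubPath references sysanalizer'
        }
        elseif ($comp.PSChildName -notmatch $guidRegex) {
            Add-Finding $comp.PSPath 'StubPath' $stub 'Active Setup key name is not a valid GUID'
        }
    }
}

# 3. Dropped files
foreach ($dir in $dropDirs) {
    foreach ($f in $dropFiles) {
        $path = Join-Path $dir $f
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -LiteralPath $path).Length
            Add-Finding $path 'file' $size 'dropped file present'
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Cerberus persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the HKLM and System32 locations are readable; the HKCU keys are checked for the current user only, so on a shared host run it once per profile of interest. The malformed-GUID check is a heuristic, not proof of infection, but it cheaply surfaces Active Setup entries that deserve a look even when the sample has been repacked and the folder name changed.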
 #5205  by EP_X0FF
 Mon Feb 28, 2011 2:29 pm
markusg wrote: Gold Gen 2.26.exe
http://www.virustotal.com/file-scan/rep ... 1298896309
Trojan Cerberus.
In attach decrypted dropper and some payload code extracted from it.

Posts merged with old Cerberus thread.
Attachments (106.49 KiB), pass: malware