{"id":682,"date":"2017-01-25T11:59:24","date_gmt":"2017-01-25T11:59:24","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=682"},"modified":"2017-01-25T12:00:43","modified_gmt":"2017-01-25T12:00:43","slug":"2017-01-25-cerber-infection","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=682","title":{"rendered":"2017-01-25 Cerber infection"},"content":{"rendered":"

For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet<\/a> that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site though, so that part is a mystery. Overall, this was pretty straight-forward Cerber infection that one has become used to seeing. The artifacts and logs\/pcap for this infection can be found in this repo here<\/a>.<\/p>\n

IOCs:
\n=====
\n92.242.40.154 \/ sallykandymandy[.]top\/search.php
\n11.56.22.0 – 11.56.22.31 (UDP Port 6892)
\n17.35.12.0 – 17.35.12.30 (UDP Port 6892)
\n91.239.24.0 – 91.239.24.255 (UDP Port 6892)
\n91.239.25.0 – 91.239.25.255 (UDP Port 6892)<\/p>\n

Artifacts:
\n==========
\nFile name: 1
\nFile size: 276KB
\nMD5 hash: 470cd3c8eade6de95bec9fd55c608d0a
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/ddb73ca1570b01593734cea63940a7d09c0eb4aab896d24f8f264871467bbe5a\/analysis\/<\/a>
\nFirst detection: 2017-01-25 10:05:35 UTC
\nDetection rate: 6 \/ 57<\/p>\n

File name: 4f1b.tmp
\nFile size: 344B
\nMD5 hash: bfa0ca8894dee5f00fd3617e513a6ce2
\nVirustotal: NA<\/p>\n

File name: 812b.tmp
\nFile size: 130B
\nMD5 hash: 185aa1b193f0cf9f913fff50633369b5
\nVirustotal: NA<\/p>\n

Analysis:
\n=========
\nBased on what I am seeing, the user would be directed to the site “hxxp:\/\/sallykandymandy[.]top\/search.php” and once there would be asked if they would want to download a file.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once the file has been downloaded and saved, nothing can be executed since it is not a known-file type to Windows. In order to infect my VM, I had to add the extension of “.exe” to the file. <\/p>\n

\"\"<\/a><\/p>\n

Once renamed, I then executed the binary which caused the usual traffic that we have seen before from Cerber, and the standard notifications as well. <\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

One thing to note here – I did have a new folder created in the “C:\\Users\\%Username%\\AppData\\Local\\Temp” folder called “35ff7078” with two files in it: 4f1b.tmp and 812b.tmp. The “4f1b.tmp” file looks to be base64 encoded:<\/p>\n

\r\nEncoded\r\n\r\nG0o916oXNjlbIjr1JaWhG73gCT8BFZyaUrorLe56kGKnGdPwacgcbamActPI9C5xAGYONy+XOqKe1J6IKmN0CkY3id3mF6iCudbL7oSNBcoSQQ5ygRbqVkWGdZqQ01qXvYzwQg+5tzPS6921Ddh2\/rHZ1rKMfTTJv+DxiKAs+4cuC4hl4OI2iXke65kKcBk+ybzOKrbEdL18N9stoHKVOJX4gtOcNM3YgMR1kKhfr3JVvVW7ArqBpseRMpSSCBb2h35Czs\/G\/WY6szjxDz2tDFuejbXRFUarDbNF8B+vmdD+me2APx406qDhm+x+LZ6V8RGO1lacwr3aaL7tMsKWYg==\r\n\r\n-----\r\n\r\nDecoded\r\n\r\nJ=\u05ea69[":%\t?R+-zbimr.q\ufffdf7\/:\u051e*ct\r\nF7\ue10dArVEuZB3\u0775\r\nv\u05b2}4\u027f,.e6y\r\np>\u027c*t|7-r8\u04dc4\u0600u_rUU\u01d12~Bf:8=[F\r\nE?4~-V\u00bdh2\u0096b<\/pre>\n
The other file (812b.tmp) looks like it could possibly be related to the file encryption since I am seeing the keyword “RSA” when looking at the file in Notepad++.<\/p>\n
\r\n   \u00a4  RSA1p    u\u00adfw\u00d0]\u00b5\u00e6\u00dbZI\u00dc\u02c6\u00e5W\u00b2\u00e6\u00cdp\\\u201e\u00c6\u009d\u2021\u00d7\u00d5,?\u00c7\u00f6X\u00c9n\u00ce\u008f\u00d6c\u2039\u00eaE\u00f7\u00ea\u00a5\r\n\u00daf\u00a1p\u00c0\u00b0\u00d2\u00ce\u00eb\u2021\u00ee\u00de4\u00c8D\u00aa\u00a2+ *$\u02c6\u00f5D\u00c7\u00bb\u00e7.\u00cdF\u0192\u00b0\u00bb\r\nx\u00ec\u00e6\u2021\u00e3\u0161!2\u00e7\u00d5pJ\r\n+>\u00af\u00a2\u00c9\u2019\u00ab\u201d\u00f3<\/pre>\n","protected":false},"excerpt":{"rendered":"
For this blog post, I was able to infect my VM with Cerber from a link that I found via a Tweet that @malware_traffic retweeted from @Techhelplistcom. I am not able to determine how a user would get directed to this site though, so that part is a mystery. Overall, this was pretty straight-forward Cerber infection that one has become used to seeing. The artifacts and logs\/pcap for this infection can be found in this repo here. IOCs: ===== 92.242.40.154 \/ sallykandymandy[.]top\/search.php 11.56.22.0 – 11.56.22.31 (UDP Port 6892) 17.35.12.0 – 17.35.12.30 (UDP Port 6892) 91.239.24.0 – 91.239.24.255 (UDP Port 6892)…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-682","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=682"}],"version-history":[{"count":3,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/682\/revisions"}],"predecessor-version":[{"id":696,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/682\/revisions\/696"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}