A forum for reverse engineering, OS internals and malware analysis 

 #29790  by syntx
 Mon Dec 26, 2016 11:11 pm
Has anyone speculated on how the ranges are picked for where it sends stats? The early versions were kind of easy to follow, as it was only a matter of acquiring a server in the IP range; the past few months have, however, shown ranges without hosting providers, which points to the author using hacked servers as relays(?).
xors wrote: Edit: If I am not mistaken, they also changed the way that they decrypt the config. It looks like they use 'CryptEncrypt' WINAPI
Wasn't this something they did in earlier versions as well? (I know I've seen CryptEncrypt used for decryption in a "recent" sample.)
 #29847  by maddog4012
 Wed Jan 11, 2017 6:20 pm
1001.exe  CERBER
Event Type	Details	Parent PID	PID
Detection	
Threat characteristic: Attempts to connect to malicious host
Host: 208.83.223.34
Threat Name: CALLBACK_CRYPTOLOCK.WRS
		
Detection	
Threat characteristic: Rare executable file
Global Detections: 0
		
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\userenv.dll, 74790000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\setupapi.dll, 75a30000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\apphelp.dll, 71760000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\dwmapi.dll, 73c10000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\oleacc.dll, 723b0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\clbcatq.dll, 75480000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\version.dll, 74630000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\shfolder.dll, 6b260000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 758d0000, 0 ) Return: 201d4		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, clbcatq.dll, 75480000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1e24a4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ntmarta.dll, 71e90000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, shell32.dll, 75bf0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, api-ms-win-security-sddl-l1-1-0.dll, 75bd0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, profapi.dll, 750e0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, setupapi.dll, 75a30000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, apphelp.dll, 71760000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shdocvw.dll, 71210000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shell32.dll, 75bf0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, propsys.dll, 73f80000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\, 0 ) Return: 0		2784
Add File	Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY		2784
Delete File	Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY		2784
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsl9D47.tmp
Type: VSDT_EMPTY
		
Call Filesystem API	API Name: DeleteFileW Args: ( %TEMP%\nsl9D47.tmp ) Return: 1		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0		2784
Call Filesystem API	API Name: SetFileTime Args: ( 8, 2017-00-11/11:13:50, NULL, 2017-00-11/11:13:50 ) Return: 1		2784
Add File	Path: %TEMP%\ie7.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\ie7.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 8, 2017-00-11/11:33:40, NULL, 2017-00-11/11:33:40 ) Return: 1		2784
Add File	Path: %TEMP%\home Type: VSDT_TEXT_HTML		2784
Write File	Path: %TEMP%\home Type: VSDT_TEXT_HTML		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:53:28, NULL, 2017-00-11/11:53:28 ) Return: 1		2784
Add File	Path: %TEMP%\xspSF.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\xspSF.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:32:16, NULL, 2017-00-11/11:32:16 ) Return: 1		2784
Add File	Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS		2784
Write File	Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:26, NULL, 2017-00-11/12:05:26 ) Return: 1		2784
Add File	Path: %TEMP%\facebook.png Type: VSDT_PNG		2784
Write File	Path: %TEMP%\facebook.png Type: VSDT_PNG		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:13:40, NULL, 2017-00-11/11:13:40 ) Return: 1		2784
Add File	Path: %TEMP%\feed Type: VSDT_TEXT_HTML		2784
Write File	Path: %TEMP%\feed Type: VSDT_TEXT_HTML		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:30, NULL, 2017-00-11/12:05:30 ) Return: 1		2784
Add File	Path: %TEMP%\print1777536650.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\print1777536650.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:25:22, NULL, 2017-00-11/12:25:22 ) Return: 1		2784
Add File	Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS		2784
Write File	Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS		2784
Add File	Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY		2784
Delete File	Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY		2784
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsg9EFD.tmp
Type: VSDT_EMPTY
		
Call Filesystem API	API Name: DeleteFileW Args: ( %TEMP%\nsg9EFD.tmp ) Return: 1		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\nsg9EFD.tmp, 12f6b4 ) Return: 1		2784
Add File	Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32		2784
Detection	
Threat characteristic: Drops executable during installation
Dropping Process ID: 2784
File: %TEMP%\nsg9EFD.tmp\System.dll
Type: VSDT_DLL_W32
		
Write File	Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32		2784
Detection	
Threat characteristic: Modifies file that can be used to infect systems
%TEMP%\nsg9EFD.tmp\System.dll
		
Call System API	API Name: LdrLoadDll Args: ( 20e97c, 0, %TEMP%\nsg9efd.tmp\system.dll, 10000000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptsp.dll, 74b90000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, %windir%\system32\rsaenh.dll, 74930000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: CryptDeriveKey Args: ( 1fbb20, 6609, 1a9af8, 1, 12f4b8 ) Return: 1		2784
Call System API	API Name: CryptDecrypt Args: ( 1a9f38, 0, 1, 0, 3240000, c73e3 ) Return: 1		2784
Call Process API	API Name: CreateProcessW Args: ( %WorkingDir%\1001.exe, "%WorkingDir%\1001.exe", , , , CREATE_SUSPENDED, , , , Process:2844:%WorkingDir%\1001.exe ) Return: 1		2784
Call Thread API	API Name: NtGetContextThread Args: ( 580, 12f094 ) Return: 0		2784
Call Thread API	API Name: SetThreadContext Args: ( Process Name:2844:%WorkingDir%\1001.exe ) Return: 1		2784
Detection	
Threat characteristic: Resides in memory to evade detection
Injecting Process ID: 2784
Injected API: SetThreadContext
Target Process ID: 2844
Target Image Path: %WorkingDir%\1001.exe
		
Call Filesystem API	API Name: NtReadFile Args: ( 254, , , , , , 200, , ) Return: 0		2784
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\ Value: None	2784	2844
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\ Value: None	2784	2844
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xi Value: 956D951EDA13BC116996	2784	2844
Add File	Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32	2784	2844
Detection	
Threat characteristic: Drops fake system file
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Detection	
Threat characteristic: Drops executable during installation
Dropping Process ID: 2844
File: %ALLUSERSPROFILE%\Windows\csrss.exe
Type: VSDT_EXE_W32
		
Detection	
Threat characteristic: Creates multiple copies of a file
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Detection	
Threat characteristic: Copies self
File is copied from %WorkingDir%\1001.exe to %ALLUSERSPROFILE%\Windows\csrss.exe
		
Write File	Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32	2784	2844
Detection	
Threat characteristic: Modifies file that can be used to infect systems
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"	2784	2844
Detection	
Threat characteristic: Adds Autorun in registry
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"
Type: REG_SZ
		
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xVersion Value: 4.0.0.1	2784	2844
Add File	Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\state Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-certs Type: VSDT_ASCII	2784	2844
Delete File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII	2784	2844
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2844
File: %TEMP%\6893A5D897\unverified-microdesc-consensus
Type: VSDT_ASCII
		
Add File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Last edited by EP_X0FF on Fri Jan 13, 2017 3:45 am, edited 1 time in total. Reason: text wall removed
 #29851  by tWiCe
 Thu Jan 12, 2017 5:39 pm
maddog4012, could you please use "code" tags for such long logs next time?