A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30481  by p1nk
 Sat Jun 17, 2017 1:16 am
PDB paths:

I:\projects\Erebus\Boost\boost/filesystem/operations.hpp
I:\projects\Erebus\crypto\modes.h
I:\projects\Erebus\Boost\boost/smart_ptr/shared_ptr.hpp

Contains a Tor onion address: erebus5743lnq6db.onion
 #30482  by p1nk
 Sat Jun 17, 2017 1:47 am
[Attachment: Screenshot from 2017-06-16 21-45-41.png]
Screenshot of the message. Also dumped the config from one of the Linux samples.
Code:
{
   "i" : "B0884334",
   "c" : [
      {
         "bu" : "/",
         "tg" : "216.126.224.128/24",
         "t" : 3
      }
   ],
   "p" : "6V5LvugJGoKeCppKe0duIM2sV0",
   "cts" : 36,
   "a" : "[{\"d\":\"<html><head> <style> body { font-family:\\\"Helvetica Neue\\\",Helvetica,Hiragino Sans GB,Microsoft Yahei,WenQuanYi Micro Hei,sans-serif !important; font-size:16px; line-height:1.42857143; color:#333; background-color:#fff; text-align:center; } a { color:#337ab7; text-decoration:none; } a:focus,a:hover { color:#23527c; text-decoration:none; } .tc{ text-align:center; } .ta { color:#a94442; } .j { text-align:left; padding:48px; background-color:#f7f7f9; border:1px solid #e1e1e8; border-radius:6px; width:80%; margin:auto; } .s{ margin-top:20px; margin-bottom:10px; } .fc { display:block; width:100%; height:34px; padding:6px 12px; font-size:14px; line-height:1.42857143; color:#555; background-color:#fff; background-image:none; border:1px solid #ccc; border-radius:4px; -webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075); box-shadow:inset 0 1px 1px rgba(0,0,0,.075); -webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s; -o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s; transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s } <\\/style><\\/head><body><div class=\\\"j\\\"> <div class=\\\"s tc ta\\\"> <h1>Warning!!<\\/h1> <h3>Your documents, photos, databases, important files have been encrypted!<\\/h3> <h2>If you modify any file, it may cause make you cannot decrypt!!!<\\/h2> <\\/div> <div class=\\\"s\\\"> <h3>To decrypt your files please visit the following website:<\\/h3> ${url} <\\/div> <div class=\\\"s\\\"> <h3>If the above address will be unable to open or very slow, follow these steps:<\\/h3> 1. Download and install the tor browser. <a target=\\\"_blank\\\" href=\\\"https:\\/\\/www.torproject.org\\/download\\/download-easy.html\\\">Download Tor<\\/a><br\\/> 2. After successful installation, run the browser, waiting to initialize.<br\\/> 3. In the address bar enter:<br\\/><br\\/> ${url_dn} <\\/div> <div class=\\\"s\\\"> <h3>Machine ID:<\\/h3> <input class=\\\"fc\\\" type=\\\"text\\\" value=\\\"${mid}\\\"\\/> <\\/div> <div class=\\\"s\\\"> <h3>Offline ID:<\\/h3> <textarea class=\\\"fc\\\" style=\\\"height:500px;\\\">${oid}<\\/textarea> <\\/div><\\/div><\\/body><\\/html>\",\"uf\":\"<a href=\\\"http:\\/\\/%s\\/purchase?mid=${mid}\\\">http:\\/\\/%s\\/purchase?mid=${mid}<\\/a><br\\/>\",\"udf\":\"http:\\/\\/%s\\/purchase?mid=${mid}<br\\/>\",\"f\":\"X0RFQ1JZUFRfRklMRS5odG1s\",\"if\":null},{\"d\":\"\\r\\nWarning!!\\r\\n\\r\\nYour documents, photos, databases, important files have been encrypted!\\r\\nIf you modify any file, it may cause make you cannot decrypt!!!\\r\\n\\r\\n\\r\\nTo decrypt your files please visit the following website:\\r\\n${url}\\r\\n\\r\\nIf the above address will be unable to open or very slow, follow these steps:\\r\\n\\r\\n\\t1. Download and install the tor browser.\\r\\n\\t\\thttps:\\/\\/www.torproject.org\\/download\\/download-easy.html\\r\\n\\r\\n\\t2. After successful installation, run the browser, waiting to initialize.\\r\\n\\t3. In the address bar enter:\\r\\n\\r\\n${url_dn}\\r\\n\\r\\nMachine ID:\\r\\n\\r\\n${mid}\\r\\n\\r\\nOffline ID:\\r\\n\\r\\n${oid}\\r\\n\\r\\n\",\"uf\":\"\\thttp:\\/\\/%s\\/purchase?mid=${mid}\\r\\n\",\"udf\":\"\\thttp:\\/\\/%s\\/purchase?mid=${mid}\\r\\n\",\"f\":\"X0RFQ1JZUFRfRklMRS50eHQ=\",\"if\":null},{\"d\":\"\\r\\nWarning!!\\r\\n\\r\\nYour documents, photos, databases, important files have been encrypted!\\r\\nIf you modify any file, it may cause make you cannot decrypt!!!\\r\\n\\r\\n\\r\\nTo decrypt your files please visit the following website:\\r\\n${url}\\r\\n\\r\\nIf the above address will be unable to open or very slow, follow these steps:\\r\\n\\r\\n\\t1. Download and install the tor browser.\\r\\n\\t\\thttps:\\/\\/www.torproject.org\\/download\\/download-easy.html\\r\\n\\r\\n\\t2. After successful installation, run the browser, waiting to initialize.\\r\\n\\t3. In the address bar enter:\\r\\n\\r\\n${url_dn}\\r\\n\\r\\nMachine ID:\\r\\n\\r\\n${mid}\\r\\n\\r\\n\",\"uf\":\"\\thttp:\\/\\/%s\\/purchase?mid=${mid}\\r\\n\",\"udf\":\"\\thttp:\\/\\/%s\\/purchase?mid=${mid}\\r\\n\",\"f\":\"\",\"if\":true}]",
   "ctoc" : 10,
   "k" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0mDwKc/bFuaFql5gKqaO\niBUNJXcd6qzLbZ+OiPDjHmDz42EsPYQctBxf59RGROpKajHq4LYl7ZLFEsX5ioyC\npTSBuUtdE+hBv/pDnNlKZzcmSb84Lm1lzkGk9cry1vHwbQ39MpsrlICk3ELgKUhQ\nBxi8NpdZ1jlVL2IoiFtHhCYfk65wKzgJVQjYfGs2FIVAn4IM3Vbdi+vkvwQC71gh\n0WHbHyyD/9e95NoJjo1sKDvhkiBL30h16To01RMR1e8tlYa/H1AKHjvFabWINdLv\nlcwRnw8L1h1W0F2NA9NCpK/cWUl0lNKRUgZkpSTv4o0Xo5KCZ33Vlwx/7+ssp3o6\nqQIDAQAB\n-----END PUBLIC KEY-----\n",
   "fsc" : "{\"max_size_mb\":\"10240\",\"include_dir\":[\"var\\/www\\/\"],\"include_file\":[\"ibdata0\",\"ibdata1\",\"ibdata2\",\"ibdata3\",\"ibdata4\",\"ibdata5\",\"ibdata6\",\"ibdata7\",\"ibdata8\",\"ibdata9\",\"ib_logfile0\",\"ib_logfile1\",\"ib_logfile2\",\"ib_logfile3\",\"ib_logfile4\",\"ib_logfile5\",\"ib_logfile6\",\"ib_logfile7\",\"ib_logfile8\",\"ib_logfile9\"],\"exclude_dir\":[\"$\\/bin\\/\",\"$\\/boot\\/\",\"$\\/dev\\/\",\"$\\/etc\\/\",\"$\\/lib\\/\",\"$\\/lib64\\/\",\"$\\/proc\\/\",\"$\\/run\\/\",\"$\\/sbin\\/\",\"$\\/srv\\/\",\"$\\/sys\\/\",\"$\\/tmp\\/\",\"$\\/usr\\/\",\"$\\/var\\/\",\"\\/.gem\\/\",\"\\/.bundle\\/\",\"\\/.nvm\\/\",\"\\/.npm\\/\"],\"exclude_file\":[],\"ext\":[\"tar\",\"gz\",\"tgz\",\"taz\",\"bz\",\"tbz\",\"bz2\",\"lz\",\"lzma\",\"lz4\",\"contact\",\"dbx\",\"doc\",\"docx\",\"jnt\",\"jpg\",\"mapimail\",\"msg\",\"oab\",\"ods\",\"pdf\",\"pps\",\"ppsm\",\"ppt\",\"pptm\",\"prf\",\"pst\",\"rar\",\"rtf\",\"txt\",\"wab\",\"xls\",\"xlsx\",\"xml\",\"zip\",\"1cd\",\"3ds\",\"3g2\",\"3gp\",\"7z\",\"7zip\",\"accdb\",\"aoi\",\"asf\",\"asp\",\"aspx\",\"asx\",\"avi\",\"bak\",\"cer\",\"cfg\",\"class\",\"config\",\"css\",\"csv\",\"db\",\"dds\",\"dwg\",\"dxf\",\"flf\",\"flv\",\"html\",\"idx\",\"js\",\"key\",\"kwm\",\"laccdb\",\"ldf\",\"lit\",\"m3u\",\"mbx\",\"md\",\"mdf\",\"mid\",\"mlb\",\"mov\",\"mp3\",\"mp4\",\"mpg\",\"obj\",\"odt\",\"pages\",\"php\",\"psd\",\"pwm\",\"rm\",\"safe\",\"sav\",\"save\",\"sql\",\"srt\",\"swf\",\"thm\",\"vob\",\"wav\",\"wma\",\"wmv\",\"xlsb\",\"3dm\",\"aac\",\"ai\",\"arw\",\"c\",\"cdr\",\"cls\",\"cpi\",\"cpp\",\"cs\",\"db3\",\"docm\",\"dot\",\"dotm\",\"dotx\",\"drw\",\"dxb\",\"eps\",\"fla\",\"flac\",\"fxg\",\"java\",\"m\",\"m4v\",\"max\",\"mdb\",\"pcd\",\"pct\",\"pl\",\"potm\",\"potx\",\"ppam\",\"ppsm\",\"ppsx\",\"pptm\",\"ps\",\"pspimage\",\"r3d\",\"rw2\",\"sldm\",\"sldx\",\"svg\",\"tga\",\"wps\",\"xla\",\"xlam\",\"xlm\",\"xlr\",\"xlsm\",\"xlt\",\"xltm\",\"xltx\",\"xlw\",\"act\",\"adp\",\"al\",\"bkp\",\"blend\",\"cdf\",\"cdx\",\"cgm\",\"cr2\",\"crt\",\"dac\",\"dbf\",\"dcr\",\"ddd\",\"design\",\"dtd\",\"fdb\",\"fff\",\"fpx\",\"h\",\"iif\",\"indd\",\"jpeg\",\"mos\",\"nd\",\"nsd\",\"nsf\",\"nsg\",\"nsh\",\"odc\",\"odp\",\"oil\",\"pas\",\"pat\",\"pef\",\"pfx\",\"ptx\",\"qbb\",\"qbm\",\"sas7bdat\",\"say\",\"st4\",\"st6\",\"stc\",\"sxc\",\"sxw\",\"tlg\",\"wad\",\"xlk\",\"aiff\",\"bin\",\"bmp\",\"cmt\",\"dat\",\"dit\",\"edb\",\"flvv\",\"gif\",\"groups\",\"hdd\",\"hpp\",\"log\",\"m2ts\",\"m4p\",\"mkv\",\"mpeg\",\"ndf\",\"nvram\",\"ogg\",\"ost\",\"pab\",\"pdb\",\"pif\",\"png\",\"qed\",\"qcow\",\"qcow2\",\"rvt\",\"st7\",\"stm\",\"vbox\",\"vdi\",\"vhd\",\"vhdx\",\"vmdk\",\"vmsd\",\"vmx\",\"vmxf\",\"3fr\",\"3pr\",\"ab4\",\"accde\",\"accdr\",\"accdt\",\"ach\",\"acr\",\"adb\",\"ads\",\"agdl\",\"ait\",\"apj\",\"asm\",\"awg\",\"back\",\"backup\",\"backupdb\",\"bank\",\"bay\",\"bdb\",\"bgt\",\"bik\",\"bpw\",\"cdr3\",\"cdr4\",\"cdr5\",\"cdr6\",\"cdrw\",\"ce1\",\"ce2\",\"cib\",\"craw\",\"crw\",\"csh\",\"csl\",\"db_journal\",\"dc2\",\"dcs\",\"ddoc\",\"ddrw\",\"der\",\"des\",\"dgc\",\"djvu\",\"dng\",\"drf\",\"dxg\",\"eml\",\"erbsql\",\"erf\",\"exf\",\"ffd\",\"fh\",\"fhd\",\"gray\",\"grey\",\"gry\",\"hbk\",\"ibank\",\"ibd\",\"ibz\",\"iiq\",\"incpas\",\"jpe\",\"kc2\",\"kdbx\",\"kdc\",\"kpdx\",\"lua\",\"mdc\",\"mef\",\"mfw\",\"mmw\",\"mny\",\"moneywell\",\"mrw\",\"myd\",\"ndd\",\"nef\",\"nk2\",\"nop\",\"nrw\",\"ns2\",\"ns3\",\"ns4\",\"nwb\",\"nx2\",\"nxl\",\"nyf\",\"odb\",\"odf\",\"odg\",\"odm\",\"orf\",\"otg\",\"oth\",\"otp\",\"ots\",\"ott\",\"p12\",\"p7b\",\"p7c\",\"pdd\",\"pem\",\"plus_muhd\",\"plc\",\"pot\",\"pptx\",\"psafe3\",\"py\",\"qba\",\"qbr\",\"qbw\",\"qbx\",\"qby\",\"raf\",\"rat\",\"raw\",\"rdb\",\"rwl\",\"rwz\",\"s3db\",\"sd0\",\"sda\",\"sdf\",\"sqlite\",\"sqlite3\",\"sqlitedb\",\"sr2\",\"srf\",\"srw\",\"st5\",\"st8\",\"std\",\"sti\",\"stw\",\"stx\",\"sxd\",\"sxg\",\"sxi\",\"sxm\",\"tex\",\"wallet\",\"wb2\",\"wpd\",\"x11\",\"x3f\",\"xis\",\"ycbcra\",\"yuv\",\"mab\",\"json\",\"ini\",\"sdb\",\"sqlite-shm\",\"sqlite-wal\",\"msf\",\"jar\",\"cdb\",\"srb\",\"abd\",\"qtb\",\"cfn\",\"info\",\"info_\",\"flb\",\"def\",\"atb\",\"tbn\",\"tbb\",\"tlx\",\"pml\",\"pmo\",\"pnx\",\"pnc\",\"pmi\",\"pmm\",\"lck\",\"pm!\",\"pmr\",\"usr\",\"pnd\",\"pmj\",\"pm\",\"lock\",\"srs\",\"pbf\",\"omg\",\"wmf\",\"sh\",\"war\",\"ascx\",\"tif\"]}",
   "ks" : 2048,
   "ctm" : 10,
   "cto" : 20,
   "url" : [
      "7fv4vg4n26cxleel.onion.to",
      "7fv4vg4n26cxleel.onion.nu",
      "7fv4vg4n26cxleel.hiddenservice.net",
      "7fv4vg4n26cxleel.gbe0.top",
      "qzjordhlw5mqhcn7.onion.to",
      "qzjordhlw5mqhcn7.onion.nu",
      "qzjordhlw5mqhcn7.hiddenservice.net",
      "qzjordhlw5mqhcn7.gbe0.top"
   ],
   "url_dn" : [
      "7fv4vg4n26cxleel.onion",
      "qzjordhlw5mqhcn7.onion"
   ]
}
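An added Python example (not from the post) for turning a dump like the one above into triage data: it unwraps the string-encoded "a" and "fsc" objects, decodes the base64 "f" values into the ransom-note file names, and evaluates whether a given path falls under the file-selection rules. It runs on a constructed excerpt that mirrors the config's field names; treating a leading "$" as a root anchor and letting include_* entries override exclude_dir are assumptions, not documented behaviour.

```python
import base64
import json

# Constructed excerpt mirroring the dumped config's field names; as on the page,
# "a" and "fsc" are JSON documents stored as strings inside the outer JSON.
SAMPLE_CONFIG = json.dumps({
    "i": "B0884334",
    "a": json.dumps([{"f": "X0RFQ1JZUFRfRklMRS5odG1s", "if": None},
                     {"f": "X0RFQ1JZUFRfRklMRS50eHQ=", "if": None},
                     {"f": "", "if": True}]),
    "fsc": json.dumps({
        "max_size_mb": "10240", "include_dir": ["var/www/"],
        "include_file": ["ibdata0", "ib_logfile0"], "exclude_file": [],
        "exclude_dir": ["$/bin/", "$/etc/", "$/var/", "/.npm/"],
        "ext": ["sql", "php", "vmdk", "tar"]}),
    "url_dn": ["7fv4vg4n26cxleel.onion", "qzjordhlw5mqhcn7.onion"],
})


def parse_config(raw):
    """Decode the outer JSON, the string-wrapped 'a'/'fsc' objects and the
    base64 ransom-note file names in 'f' (empty 'f' = no note file written)."""
    cfg = json.loads(raw)
    cfg["a"] = json.loads(cfg["a"])
    cfg["fsc"] = json.loads(cfg["fsc"])
    for note in cfg["a"]:
        note["filename"] = base64.b64decode(note["f"]).decode()
    return cfg

def note_filenames(cfg):
    """Note file names to watch for with file-integrity monitoring."""
    return [n["filename"] for n in cfg["a"] if n["filename"]]

def _dir_matches(pattern, path):
    # Assumption: a leading "$" anchors the pattern at the filesystem root.
    return path.startswith(pattern[1:]) if pattern.startswith("$") else pattern in path

def is_in_scope(cfg, path, size_mb):
    """Would `path` be selected by the 'fsc' rules? Assumption: include_file and
    include_dir override exclude_dir ('$/var/' excluded, 'var/www/' still hit)."""
    fsc = cfg["fsc"]
    name = path.rsplit("/", 1)[-1]
    if size_mb > int(fsc["max_size_mb"]) or name in fsc["exclude_file"]:
        return False
    if name in fsc["include_file"]:
        return True
    if (any(_dir_matches(p, path) for p in fsc["exclude_dir"])
            and not any(_dir_matches(p, path) for p in fsc["include_dir"])):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in fsc["ext"]
```

The same parser applies unchanged to the full dump, where the "ext" list and the exclude_dir set are much longer; "url_dn" gives the onion hosts to block or alert on.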