Being interested in malware analysis, I set myself the challenge of reversing one malware sample a week and posting about it on my blog. Being a perfectionist, it’s a bit difficult to post these struggles because I want them to come out like the malware reports published by Kaspersky Labs. However, I should be very realistic here and take it step by step. Luckily there are a lot of online resources that help one battle the learning curve. There is also a vibrant community out there that is always willing to help. Hasherezade is a perfect example of this. She is always willing to help. For this Cerber sample I reached out to her, which resulted in a video about unpacking this Cerber variant.
The first lesson (previous post) learned is to have a working sample. Just run it on a machine and see if it behaves as expected. The TorrentLocker sample in the previous post worked on malwr.com but not on my Windows 10 or Windows 7 machine. I couldn’t get it to work. Hence I started to work on another sample, namely this Cerber variant.
As far as I know there is no decryption possible of files encrypted by this Cerber Ransomware sample.
This Cerber ransomware sample has the following hash (packed) and is detected under the following names:

AegisLab = Troj.W32.Generic!c
AhnLab-V3 = Win-Trojan/Cerber.Gen
AVware = Trojan.Win32.Generic.pak!cobra
Baidu = Win32.Trojan.Kryptik.anp
CrowdStrike = malicious_confidence_100% (W)
Endgame = malicious (moderate confidence)
Fortinet = W32/Kryptik.FPZX!tr
Invincea = virus.win32.ramnit.j
Kaspersky = HEUR:Trojan.Win32.Generic
McAfee-GW-Edition = BehavesLike.Win32.Ransomware.fh
McAfee = Artemis!410F7621BD5B
Rising = Trojan.Kryptik!8.8 (cloud:EDndvVDzOVF)
SentinelOne = static engine - malicious
Sophos = Mal/Cerber-B
Symantec = Trojan.Gen.8!cloud
TrendMicro-HouseCall = Ransom_CERBER.SMEJ5
VIPRE = Trojan.Win32.Generic.pak!cobra
Webroot = W32.Trojan.Gen
ZoneAlarm = HEUR:Trojan.Win32.Generic
This time I have checked if it’s working 🙂
Update on this Cerber sample:
I asked hasherezade for help after playing around for a few days trying to dump a valid executable from the process. I dumped some executables, but probably too early in the process or the wrong ones. I think most of my wasted time comes from setting breakpoints at the wrong locations, which leads to stepping through code endlessly.
Now that I have an unpacked sample, I will glance at how the file encryption is done by this sample. The next step is to get another sample and set myself the task again of dumping a valid unpacked/unencrypted binary.
Below is the video made by hasherezade. She makes this look really easy.