Guest kinn7s Posted August 18, 2016 (edited)
Hi, I'm reversing this ransomware after an interesting read found surfing the net: hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
What I'm trying to do is reverse the file encryption routines. Found where the key is generated, the buffer encrypted, etc. Can't understand how the key is encrypted and stored into the file! (decrypt the original key)
If someone is really interested, I'll share my findings (malware authors read this forum too, I guess...). I'm doing this only because it's become a big challenge to me and I can't move on...
Sorry for my English.
Edited August 18, 2016 by kinn7s
kao Posted August 18, 2016
It's encrypted using RSA-2048, using a public key that's embedded in the malware binary. This report explains how it works in sufficient detail: https://www.checkpoint.com/downloads/resources/cerber-report.pdf
Guest kinn7s Posted August 18, 2016
7 minutes ago, kao said: It's encrypted using RSA-2048, using a public key that's embedded in the malware binary. This report explains how it works in sufficient detail: https://www.checkpoint.com/downloads/resources/cerber-report.pdf
True, I changed the public key at runtime with one created by myself. Still can't decrypt file headers. From what I found, it never encrypts data with the public key. The embedded key in the malware is used to encrypt a newly generated RC4 master key (the malware encrypts data using RC4).
Guest kinn7s Posted August 20, 2016 (edited)
I was wrong. It creates an RSA public/private pair on first run and encrypts the previous keys using the embedded 2048-bit RSA public key; the result is reversed, encoded using base64, and saved to "Component_01". Then, for every file, it encrypts 0x6E bytes using the RSA public key from the first step (this buffer holds the 0x20 RC4 per-file encryption key).
Still can't decrypt!!! (can't load a valid RSA blob using Python RSA.importKey)
This is how the decrypted and reversed "Component_01" looks; the highlighted part is the RSA public key.
Edited August 20, 2016 by kinn7s
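Since RSA.importKey only accepts PEM or DER, a useful first step is to check which container the decoded blob actually is. The following is an added example, not code from the thread or from Cerber: it undoes the reverse-then-base64 transform kinn7s describes and scans the result for the two containers an RSA key is commonly stored in on Windows, a DER SEQUENCE (PKCS#1 / SubjectPublicKeyInfo, what importKey understands) and a CryptoAPI PUBLICKEYBLOB / PRIVATEKEYBLOB (8-byte BLOBHEADER followed by the "RSA1" / "RSA2" magic). Whether Cerber uses either format is not stated in the thread and is an assumption here; the sample blob is constructed.

```python
import base64
import struct

# RSAPUBKEY.magic values of Windows CryptoAPI PUBLICKEYBLOB / PRIVATEKEYBLOB
CAPI_MAGIC = {b"RSA1": "CryptoAPI PUBLICKEYBLOB", b"RSA2": "CryptoAPI PRIVATEKEYBLOB"}

def decode_component(text):
    """Undo the thread's transform: base64-decode, then reverse the bytes."""
    return base64.b64decode(text)[::-1]

def der_sequence_length(data, offset):
    """Total size of a well-formed DER SEQUENCE at offset that fits in data, else None."""
    if offset + 2 > len(data) or data[offset] != 0x30:
        return None
    first = data[offset + 1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long form: 0x8n, then n big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(data):
            return None
        hdr, length = 2 + n, int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return hdr + length if offset + hdr + length <= len(data) else None

def identify_key_blob(data):
    """(offset, description) for each spot that looks like a key container: a sizeable
    DER SEQUENCE (what RSA.importKey accepts) or a CryptoAPI blob, whose 8-byte
    BLOBHEADER sits right before the 'RSA1'/'RSA2' magic."""
    hits = []
    for off in range(len(data) - 3):
        magic = data[off:off + 4]
        if magic in CAPI_MAGIC and off >= 8:
            btype, ver, _rsv, alg = struct.unpack_from("<BBHI", data, off - 8)
            bitlen = struct.unpack_from("<I", data, off + 4)[0]
            hits.append((off - 8, f"{CAPI_MAGIC[magic]} bType=0x{btype:02x} bVersion={ver} "
                                  f"aiKeyAlg=0x{alg:08x} bitlen={bitlen}"))
        total = der_sequence_length(data, off)
        if total is not None and total >= 64:
            hits.append((off, f"DER SEQUENCE of {total} bytes (candidate PKCS#1/SPKI key)"))
    return hits

# Constructed sample, not real Cerber data: 4 junk bytes, a 2048-bit CryptoAPI
# PUBLICKEYBLOB with an all-zero modulus, then an empty 294-byte DER SEQUENCE shell.
SAMPLE_BLOB = (b"junk"
               + struct.pack("<BBHI", 0x06, 0x02, 0, 0x0000A400) + b"RSA1"
               + struct.pack("<II", 2048, 65537) + bytes(256)
               + b"\x30\x82\x01\x22" + bytes(0x122))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB[::-1]).decode()
```

Running `identify_key_blob(decode_component(SAMPLE_B64))` reports the CryptoAPI blob at offset 4 and the DER SEQUENCE at offset 280; on a real dump, a CryptoAPI hit means the modulus must be converted (it is little-endian) before anything PEM/DER-based will load it.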