Jump to content
Tuts 4 You

cerber ransomware reverse question


Recommended Posts

Guest kinn7s
Posted (edited)

Hi, I'm reversing this ransomware after an interesting reading found surfing the net.

hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

What I'm trying to do is reversing the file encryption routines.

Found where key is generated, buffer encrypted ecc.

Can't undestand how the key is encrypted and stored into the file! (decrypt the original key)

If someone is really interested, I'll share my findings (malware authors read this forum too I guess...)

I'm doing this only because it' become a big challange to me and can't move on...

sorry for my english

Edited by kinn7s
Guest kinn7s
Posted
7 minutes ago, kao said:

It's encrypted using RSA-2048, using public key that's embedded in the malware binary. This report explains how it works in sufficient details: https://www.checkpoint.com/downloads/resources/cerber-report.pdf

 

true, changed the public key at runtime with one created by myself.

still can't decrypt file headers.

From what I found, it never encrypt data with pubblic key.

embedded key in the malware is used to encrypt a new generated rc4 master key (malware encrypt data using rc4)

Guest kinn7s
Posted (edited)

I was wrong

creates a rsa public/private pair on first run

encrypts previous keys using embedded 2048 rsa public key

result is reversed, encoded using base64, and saved to "Component_01"

then, for every file, encrypts 0x6E byte using rsa public from first step

(this buffer holds 0x20 rc4 per file encryption key)

still can't decrypt !!! (can't load a valid rsa blob using python RSA.importKey)

 

this is how decrypted and reversed "Component_01" looks like

highlight part is rsa public key

c01.png

Edited by kinn7s
edit

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...