cerber ransomware reverse question

[Guest kinn7s]

Hi, I'm reversing this ransomware after an interesting reading found surfing the net.

hxxps://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/

What I'm trying to do is reversing the file encryption routines.

Found where key is generated, buffer encrypted ecc.

Can't undestand how the key is encrypted and stored into the file! (decrypt the original key)

If someone is really interested, I'll share my findings (malware authors read this forum too I guess...)

I'm doing this only because it' become a big challange to me and can't move on...

sorry for my english

Edited August 18, 2016 by kinn7s

[kao]

It's encrypted using RSA-2048, using public key that's embedded in the malware binary. This report explains how it works in sufficient details: https://www.checkpoint.com/downloads/resources/cerber-report.pdf

 

[Guest kinn7s]

7 minutes ago, kao said:

It's encrypted using RSA-2048, using public key that's embedded in the malware binary. This report explains how it works in sufficient details: https://www.checkpoint.com/downloads/resources/cerber-report.pdf

 

true, changed the public key at runtime with one created by myself.

still can't decrypt file headers.

From what I found, it never encrypt data with pubblic key.

embedded key in the malware is used to encrypt a new generated rc4 master key (malware encrypt data using rc4)

[Guest kinn7s]

I was wrong

creates a rsa public/private pair on first run

encrypts previous keys using embedded 2048 rsa public key

result is reversed, encoded using base64, and saved to "Component_01"

then, for every file, encrypts 0x6E byte using rsa public from first step

(this buffer holds 0x20 rc4 per file encryption key)

still can't decrypt !!! (can't load a valid rsa blob using python RSA.importKey)

 

this is how decrypted and reversed "Component_01" looks like

highlight part is rsa public key

Edited August 20, 2016 by kinn7s
edit