(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

SSMA is a handy tool for quickly getting an idea of whether a file is malicious.

Install

sudo apt-get install python3-pip

git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt


Usage

To use it, just run the command with your VirusTotal API key and the file to get the results. After each test, it will ask you if you want to continue the analysis. In this example I used a version of Mebroot for testing.

python3 ssma.py -h

python3 /home/twebb/Downloads/SSMA/ssma.py -k VT_API_KEY 00000025.exe


Results

Simple Static Malware Analyzer

File Details:

File: /home/twebb/malware/2-mar-2010 torpig/00000025.exe

Size: 280960 bytes

Type: application/x-dosexec

MD5: ae26e139311e2cacef53cce6d8da09da

SHA1: b9942fd44e798073821dd4b1d9b21f1814d766ad

Date: Fri Nov 28 00:33:22 2003

PE file entropy: 7.618302492203651

Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.

================================================================================

Continue? [Y/n] y

Number of Sections: 5

Section VirtualAddress VirtualSize SizeofRawData Entropy

.code 0x480 26965 27008 6.511691201650016

.rdata 0x6e00 152 256 2.401459977262458

.data 0x6f00 251148 251264 7.654305920976193

INIT 0x44480 306 384 4.063770965426124

.reloc 0x44600 854 896 1.656681300794013

Very high or very low entropy means that file/section is compressed or encrypted since truly random data is not common.

SUSPICIOUS section names: INIT

================================================================================

Continue? [Y/n] y

Virustotal:

F-Secure - Gen:[email protected]!sLed

NOD32 - a variant of Win32/Mebroot.CK

Ikarus - Backdoor.Win32.Sinowal

McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen

Symantec - Suspicious.Insight

BitDefender - Gen:[email protected]!sLed

AntiVir - TR/Crypt.ZPACK.Gen

GData - Gen:[email protected]!sLed

nProtect - Gen:[email protected]!sLed

a-squared - Backdoor.Win32.Sinowal!IK

================================================================================

Continue? [Y/n] y

Scan file using Yara-rules.

With Yara rules you can create a description of malware families to detect new samples.

For more information: https://virustotal.github.io/yara/

Downloading Yara-rules...


These Yara rules specialised on the identification of well-known malware.

Result:

QuarianCode - Quarian code features

Quarian - Quarian

================================================================================

Continue? [Y/n] y

These Yara Rules aimed to detect well-known software packages, that can be used by malware to hide itself.

Result:

Visual_Cpp_2003_DLL_Microsoft

================================================================================

Continue? [Y/n] y

These Yara rules aimed to detect the existence of cryptographic algorithms.

Detected cryptographic algorithms:

contentis_base64 - This rule finds for base64 strings

================================================================================

Continue? [Y/n] y
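The section table and the entropy warnings in the output above are derived from the PE headers. The following Python script is an added example, not SSMA's own code: it walks the DOS header, PE signature, COFF header and section table using only the standard library, computes Shannon entropy for each section and for the whole file, decodes the link timestamp, and flags section names outside a small allowlist, the way SSMA flagged INIT. The allowlist, the 7.0/1.0 entropy thresholds and the minimal two-section PE skeleton it builds as its own input are all assumptions of the example; the skeleton is a constructed header layout, not a real or runnable binary.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumption for this example: a short allowlist of section names routinely
# produced by common compilers/linkers. Anything else is reported for review.
COMMON_SECTIONS = {".text", ".code", ".rdata", ".data", ".rsrc", ".reloc",
                   ".idata", ".edata", ".pdata", ".bss", ".tls"}
HIGH_ENTROPY = 7.0   # thresholds chosen for this example; SSMA's cut-offs are not on the page
LOW_ENTROPY = 1.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(h: float) -> str:
    if h >= HIGH_ENTROPY:
        return "high (compressed or encrypted?)"
    if h <= LOW_ENTROPY:
        return "low (padding or repetitive data)"
    return "normal"


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)  # each section header is 40 bytes
        raw = pe[rawptr:rawptr + rawsize]   # empty slice if the header points past EOF
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return {"link_time": datetime.fromtimestamp(timestamp, timezone.utc),
            "sections": sections}


def analyze(pe: bytes) -> dict:
    info = parse_pe(pe)
    secs = info["sections"]
    return {
        "file_entropy": shannon_entropy(pe),
        "link_time": info["link_time"],
        "sections": secs,
        "suspicious_names": [s["name"] for s in secs if s["name"] not in COMMON_SECTIONS],
        "high_entropy": [s["name"] for s in secs if s["entropy"] >= HIGH_ENTROPY],
    }


def build_sample_pe() -> bytes:
    """Constructed input: a minimal PE skeleton with two sections (not executable)."""
    text = bytes(range(16)) * 64                              # entropy exactly 4.0
    rng = random.Random(1)                                    # fixed seed, reproducible
    init = bytes(rng.getrandbits(8) for _ in range(4096))     # "packed"-looking, ~8.0
    e_lfanew, opt_size = 0x40, 0                              # optional header omitted
    hdr_end = e_lfanew + 4 + 20 + opt_size + 2 * 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1070000000, 0, 0, opt_size, 0x102)

    def section(name, vaddr, data, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), rawptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + coff
               + section(b".text", 0x1000, text, hdr_end)
               + section(b"INIT", 0x2000, init, hdr_end + len(text)))
    return headers + text + init


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    print(f"Link time: {report['link_time']:%a %b %d %H:%M:%S %Y}   "
          f"file entropy: {report['file_entropy']:.3f}")
    print(f"{'Section':<10}{'VirtualAddress':>16}{'VirtualSize':>13}{'RawData':>10}{'Entropy':>9}")
    for s in report["sections"]:
        print(f"{s['name']:<10}{s['vaddr']:>#16x}{s['vsize']:>13}{s['rawsize']:>10}"
              f"{s['entropy']:>9.3f}  {classify_entropy(s['entropy'])}")
    print("SUSPICIOUS section names:", ", ".join(report["suspicious_names"]) or "none")
```

Entropy on its own is only a hint: a section full of compressed resources will also score near 8.0, and a packer can pad its output to lower the score, so the check is best read together with the section names, imports and the other results SSMA prints.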



There are lots of tools like this, but this one is worth trying because of how quick and easy the install was. What's your favorite static analysis tool?


--

Tom Webb

@twsecblog


2017-03-22 Update: This diary was posted earlier, but we had some technical issues, and the previous diary disappeared. I had to re-post this as a new diary with a new story ID and URL.

Introduction

Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam).

Some malspam pushing Cerber is part of the Blank Slate campaign. Why call it Blank Slate? Because the emails have no message text, and there's nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers.

An interesting aspect of this campaign is that the file attachments are double-zipped. There's a zip archive within the zip archive. Within that second zip archive, you'll find a malicious JavaScript (.js) file or a Microsoft Word document. These files are designed to infect a computer with ransomware.

Blank Slate has pushed different types of ransomware. However, the vast majority of ransomware from this campaign has been Cerber. I wrote an in-depth article about Blank Slate earlier this month, and it
Shown above: Chain of events for a Blank Slate Cerber infection.

Let's look at some examples from Monday and Tuesday of this week (2017-03-20 and 2017-03-21).

The emails

Like other malspam campaigns, Blank Slate emails come from numerous hosts across the globe. I always think of this as botnet-based malspam, but I don't have any visibility on the sending side.
Shown above: Ten emails from this campaign on 2017-03-20 and 03-21.

Sending email addresses are always spoofed. The only reliable source data consists of IP addresses for sending mail servers, specifically the one that directly contacted the recipient's mail server, as noted in the email headers. Everything else in an email can probably be spoofed.

What does one of these emails look like? Below is a screen shot with the recipient
Shown above: An email from the Blank Slate campaign.

What's in the zip file attachment?
Shown above: Contents of the zip attachment from a Blank Slate campaign email.

What's in that zip within the zip? It's either a Microsoft Word document, or it's a .js file. In this case it's a .js file. I
Shown above: Contents of the zip archive within the zip archive.

The .js file contains obfuscated script.
Shown above: Start of obfuscated script in the .js file.
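The double-zipped attachment layout described above is something a mail gateway or a triage script can check for directly. The following Python is an added example, not from the diary: it opens an attachment in memory, recurses into any archive it finds inside, records nested archives and members with risky extensions, and labels an attachment that carries a .js or Word file inside a zip inside a zip. The extension set, the nesting limit, the per-member size cap (so a decompression bomb cannot exhaust memory) and the constructed sample attachment (numeric names with an inert placeholder .js) are all assumptions of the example.

```python
import io
import os
import zipfile

# Assumptions for this example: extensions treated as risky inside an attachment
# (the diary mentions .js files and Word documents), a nesting limit, and a
# per-member size cap so a decompression bomb cannot exhaust memory.
RISKY_EXTENSIONS = {".js", ".doc", ".docm"}
MAX_DEPTH = 3
MAX_MEMBER_BYTES = 25 * 1024 * 1024


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return a finding for every nested archive and every risky member, recursively."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.file_size > MAX_MEMBER_BYTES:      # declared size, checked before reading
                findings.append({"path": path, "depth": depth, "kind": "oversized-skipped"})
                continue
            member = zf.read(info)
            ext = os.path.splitext(info.filename.lower())[1]
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.append({"path": path, "depth": depth, "kind": "nested-zip"})
                if depth + 1 < MAX_DEPTH:
                    findings.extend(inspect_zip(member, depth + 1, path))
            elif ext in RISKY_EXTENSIONS:
                findings.append({"path": path, "depth": depth, "kind": "risky" + ext})
    return findings


def verdict(findings: list) -> str:
    """Triage label: 'blank-slate-like' means a risky file sits inside a nested archive."""
    risky = [f for f in findings if f["kind"].startswith("risky")]
    if any(f["depth"] >= 1 for f in risky):
        return "blank-slate-like"
    if risky or any(f["kind"] == "nested-zip" for f in findings):
        return "review"
    return "clean"


def make_zip(members: dict) -> bytes:
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachment() -> bytes:
    """Constructed double-zipped attachment shaped like the diary's description:
    numeric names, a zip inside a zip, and a .js file at the bottom (inert content)."""
    inner = make_zip({"8435729.js": b"// placeholder content, not the real script\n"})
    return make_zip({"4712.zip": inner})


if __name__ == "__main__":
    found = inspect_zip(sample_attachment())
    for f in found:
        print(f"{'  ' * f['depth']}{f['kind']:<18}{f['path']}")
    print("verdict:", verdict(found))
```

The declared `file_size` check happens before `zf.read()`, which is what keeps a malicious archive from choosing how much memory the scanner spends; `MAX_DEPTH` does the same for recursion.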

The traffic

On Monday 2017-03-20, I ran one of the extracted .js files on a vulnerable Windows host. After an initial HTTP GET request for the ransomware binary, post-infection traffic was similar to several other recent examples of Cerber. You'll see UDP traffic from the infected host over port 6892. That's followed by HTTP traffic to a domain starting with p27dokhpz2n7nvgr and ending with .top. The IP addresses for the UDP traffic change every week or two (or longer).
Shown above: Infection traffic from Monday 2017-03-20.

The infected Windows host acted similarly to other hosts I've infected in previous months. Along with the desktop background, decryption instructions were dropped to the desktop in three different files.
Shown above: An infected Windows host from Monday 2017-03-20.

The decryption process hasn't changed in recent months. Recently, whenever I've checked Cerber decryption instructions, the ransom was consistently $500 US dollars. The bitcoin amount had always reflected that $500 value. But this week's example was different.
Shown above: Cerber decryptor page with the ransom cost.

Indicators of Compromise (IoC)

The following IP traffic was generated by the extracted .js files that downloaded Cerber:

  • 54.68.27.226 or 104.154.199.132 - sonicfopase.top - GET /admin.php?f=2.gif
  • 54.68.27.226 or 104.154.199.132 - bobdomjda.top - GET /admin.php?f=2.gif
  • 54.68.27.226 or 104.154.199.132 - dboosajqn.top - GET /user.php?f=2.gif
  • 104.199.9.203 - letrockstadawsa.top - GET /search.php
  • 104.199.9.203 - yunityreyrehol.top - GET /search.php

Post-infection Cerber traffic:

  • 149.202.64.0 to 149.202.64.31 (149.202.64.0/27) UDP port 6892
  • 149.202.122.0 to 149.202.122.31 (149.202.122.0/27) UDP port 6892
  • 149.202.248.0 to 149.202.251.255 (149.202.248.0/22) UDP port 6892
  • HTTP traffic to a domain starting with p27dokhpz2n7nvgr and ending with .top
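One way to turn the indicators above into detection logic, as an added example that is not part of the diary: the Python below checks flow records against the UDP address ranges and port, the download hosts, and the "starts with p27dokhpz2n7nvgr, ends with .top" pattern. The flow-record line format and the sample log lines (with documentation-range destination addresses and a made-up middle label in the .top domain) are constructed for the example; the indicator values themselves come from the diary.

```python
import ipaddress
import re

# Indicators taken from the diary. The HTTP domain is given only as a prefix
# and suffix, so the label(s) in between are matched loosely.
CERBER_UDP_RANGES = [ipaddress.ip_network(n) for n in
                     ("149.202.64.0/27", "149.202.122.0/27", "149.202.248.0/22")]
CERBER_UDP_PORT = 6892
CERBER_HTTP_HOST = re.compile(r"^p27dokhpz2n7nvgr[a-z0-9.-]*\.top$")
DOWNLOAD_SITES = {
    "sonicfopase.top": "/admin.php?f=2.gif",
    "bobdomjda.top": "/admin.php?f=2.gif",
    "dboosajqn.top": "/user.php?f=2.gif",
    "letrockstadawsa.top": "/search.php",
    "yunityreyrehol.top": "/search.php",
}

# Assumed (constructed) flow-record format for this example:
#   <date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [key=value ...]
LINE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)(?: (.*))?$")

# Constructed sample records; 203.0.113.0/24 and the ".example." label are placeholders.
SAMPLE_LOG = """\
2017-03-20 14:02:09 10.0.0.5:49210 -> 54.68.27.226:80 http host=bobdomjda.top path=/admin.php?f=2.gif
2017-03-20 14:02:11 10.0.0.5:49211 -> 149.202.64.7:6892 udp
2017-03-20 14:02:11 10.0.0.5:49212 -> 149.202.64.40:6892 udp
2017-03-20 14:02:15 10.0.0.5:49300 -> 203.0.113.9:80 http host=p27dokhpz2n7nvgr.example.top path=/
2017-03-20 14:03:00 10.0.0.7:51000 -> 192.0.2.10:443 tcp
this line is not a flow record
"""


def parse_line(line: str):
    """Parse one record into a dict, or return None for lines that do not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto, extra = m.groups()
    fields = dict(kv.split("=", 1) for kv in (extra or "").split() if "=" in kv)
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto.lower(), **fields}


def classify(event: dict) -> str:
    """Return an alert name for a matching Cerber indicator, or 'none'."""
    if (event["proto"] == "udp" and event["dport"] == CERBER_UDP_PORT
            and any(event["dst"] in net for net in CERBER_UDP_RANGES)):
        return "cerber-udp-beacon"
    host = event.get("host", "").lower()
    if event["proto"] == "http":
        if CERBER_HTTP_HOST.match(host):
            return "cerber-post-infection-http"
        if host in DOWNLOAD_SITES:          # host alone is enough; path is kept for context
            return "cerber-download"
    return "none"


def scan(log_text: str) -> list:
    """Return (timestamp, destination, alert) for every record that matches."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert != "none":
            alerts.append((event["ts"], str(event["dst"]), alert))
    return alerts


if __name__ == "__main__":
    for ts, dst, alert in scan(SAMPLE_LOG):
        print(f"{ts}  {dst:<16} {alert}")
```

The /27 boundaries matter: 149.202.64.31 is inside the first range and 149.202.64.40 is not, which is why the third sample record produces no alert. Because the UDP addresses rotate every week or two, the ranges need to be refreshed from current analysis rather than treated as permanent.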

Cerber samples collected using this batch of emails:

SHA256 hash: 92135e39f2e0db1aaf6605446e24fc9aedc36eb4bed9e7cdad1e92e4d387ed04

  • File description: Cerber sample from bobdomjda.top on 2017-03-20
  • File size: 264,378 bytes

SHA256 hash: 035d137592a7f6ce707739ceecb09db517587bcb0100254c3dd8ee4a262603af

  • File description: Cerber sample from letrockstadawsa.top on 2017-03-20
  • File size: 264,377 bytes

SHA256 hash: ee6b4e29aac7ca55a19265728d484221956b1b11c4961b60dd70137316bde245

  • File description: Cerber sample from sonicfopase.top on 2017-03-20
  • File size: 264,378 bytes

SHA256 hash: 0456237db4444582d94f4231824bdc09475d844820f14fcd2172ccdc13bddbf3

  • File description: Cerber sample from dboosajqn.top on 2017-03-21
  • File size: 273,618 bytes

SHA256 hash: d3a6ab8e8f6eb49cba032208d04d7105ac764982ca56fcaf1a421396e1adadfa

  • File description: Cerber sample from yunityreyrehol.top on 2017-03-21
  • File size: 273,617 bytes

Final words

I always wonder how effective campaigns like this are. Potential victims must open an attachment from a blank email, go through two zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable macros.

And that works on default Windows configurations. But properly administered Windows hosts and decent email filtering are enough, I think, to keep most people from worrying about it. I'm far more interested in the cycle of abuse targeting hosting providers. Without web servers to host ransomware binaries, Blank Slate cannot continue its current method of operations.

For more details on Blank Slate, see my previous writeup about it. Pcap and malware samples for this ISC diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
