JSE File Downloads Zepto then Cerber 3 Ransomware

It’s like the Russian nesting doll of ransomware. We found this new ransomware delivery tactic particularly interesting and took a deeper look.

Let’s start with some facts about a JSE File. A JSE File is an encoded JScript. The acronym stands for JScript Encoded File. This encoding can be done by the executable “screnc.exe” or by using Microsoft’s Script Encoder and its usage can be seen at: https://msdn.microsoft.com/en-us/library/cbfz3598(v=vs.84).aspx.

In order to analyze this type of file, it should be decoded to obtain the true script readable to the human eye. However, the Windows operating system can execute the JSE file by feeding it as a parameter to WScript.exe and in this case, WScript.exe acts as the interpreter.

Now, let’s discuss the JSE file.

The md5 hash of the JSE File being mentioned in this analysis is: 720FF76FC20BCB15CB01278CDD4CC0F6. When opened in notepad, the contents are seen in the image below.

Once decoded, a part of the script is seen in the image below. It is clear that the script is obfuscated, due to the fact that normal developers will not use variable names like the ones used here.

After decoding, the researcher added a function in this JScript. This function was created to log the Strings used by the JScript. This function was inserted in some lines where there is a hint of String Manipulation or Decryption Routines.

The notable Strings obtained were:

The URL: http://centweek[dot]top/log[dot]php?f=1[dot]jpg
The Path of the Executable: C:\Users\test\AppData\Local\Temp\\rad97F57.tmp.exe

Then the researcher created a simple python script that monitored and gathered the executables from the URL. After investigating the downloaded executables, it was observed that the URL initially provided a specific Zepto sample, and after about 4 hours it was downloading variants of Cerber.

The intial Zepto downloaded MD5: 26A107A1BB552AB8BC6B76E34F7D38AC

One of the Cerber variants, which will be discussed, has the MD5: 4E6E8FC377806B4A914187FB3790B333

A while ago, one of our researchers also looked at a variant of Cerber and it can be seen at https://blog.threattrack.com/closer-look-cerber-office-365-attack/.

Due to the fact that the URL still provides Cerber Ransomware, the researcher has decided to analyze the payload of the Cerber variant. This payload was extracted from 4E6E8FC377806B4A914187FB3790B333.

The payload extracted has the MD5 hash: 8B1AE7AE0B595D17E30E1C12296F152A

The payload is using the C Runtime Library, strongly indicating that it was made from C Language. The sections .data and .cdata both contain encrypted bytes and the .cdata section contains the encrypted JSON configuration file.

The encrypted bytes will be decrypted when the EIP is at RVA 0x1018. The instruction at this RVA will call to the function starting at 0x684C. Follow the EAX at the Olly snapshot below, it contains the decrypted buffer of the JSON configuration file.

The Cerber Configuration File

The JSON file is essential to the payload. It contains the data the payload needs to execute properly and as the payload takes each step, it parses the JSON file to retrieve its contents. The configuration file starts with the object “blacklist” and these are the files, folder and languages that will not be encrypted.

Whitelisted Keyboard Languages

The payload’s function at RVA 0x380A checks the Keyboard Language of the Machine. The whitelist can be seen at the JSON file and if it is one of the languages in the list below, the payload will not continue the encryption.

Languages: [Russian, Ukrainian, Belarusian, Tajik, Armenian, Azeri-Latin, Georgian, Kazakh, Kyrgyz – Cyrillic, Turkmen, Uzbek – Latin, Tatar, Romanian – Moldova, Russian – Moldova, Azeri – Cyrillic, Uzbek – Cyrillic]

Whitelisted Files and Folders

The payload parses through the drives and network resources to find the files to encrypt. It used the APIs GetLogicalDrives, GetDriveTypeW, FindFirstFileW, FindNextFileW to parse through the drives and folders and used the APIs WNetCloseEnum, WNetEnumResourceW, WNetOpenEnumW to parse through the network resources.

Then, as the payload looks for the files to encrypt, it stores the path of the files to a heap block which will be passed to a thread later on. Before a file is selected to be included in this heap block, the payload uses the API PathMatchSpecW at RVA 0x4B17 to check the folder path.

Whitelisted Files: [“bootsect.bak”,”iconcache.db”,”ntuser.dat”,”thumbs.db”]

Whitelisted Folders: [“:\\$recycle.bin\\”, “:\\$windows.~bt\\”, “:\\boot\\”, “:\\documents and settings\\all users\\”, “:\\documents and settings\\default user\\”, “:\\documents and settings\\localservice\\”, “:\\documents and settings\\networkservice\\”, “:\\program files\\”, “:\\program files (x86)\\”, “:\\programdata\\”, “:\\recovery\\”, “:\\recycler\\”, “:\\users\\all users\\”, “:\\windows\\”, “:\\windows.old\\”, “\\appdata\\local\\”, “\\appdata\\locallow\\”, “\\appdata\\roaming\\adobe\\flash player\\”, “\\appData\\roaming\\applecomputer\\safari\\”, “\\appdata\\roaming\\ati\\”, “\\appdata\\roaming\\intel\\”, “\\appdata\\roaming\\intel corporation\\”, “\\appdata\\roaming\\google\\”, “\\appdata\\roaming\\macromedia\\flash player\\”, “\\appdata\\roaming\\mozilla\\”, “\\appdata\\roaming\\nvidia\\”, “\\appdata\\roaming\\opera\\”, “\\appdata\\roaming\\opera software\\”, “\\appdata\\roaming\\microsoft\\internet explorer\\”, “\\appdata\\roaming\\microsoft\\windows\\”, “\\application data\\microsoft\\”, “\\local settings\\”, “\\public\\music\\sample music\\”, “\\public\\pictures\\sample pictures\\”, “\\public\\videos\\sample videos\\”, “\\tor browser\\”]

File Extensions to Encrypt

The payload also uses the API PathMatchSpecW at RVA 0x4B17 to check the file’s extension and consider it to be one of the files to be encrypted. If it matches one on the list, it is added to the heap block which will be passed to a thread for file encryption. The list can be seen at the end of this analysis.

Disabling File Recovery

The payload uses cmd.exe as a sub process to perform commands that will delete shadow copies and disable Startup Repair. The image below shows the APIs and how the process was done.

Commands Executed:

C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wbem\wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
exit…

File Encryption Procedure

The Basic Flow of the File Encryption can be seen below. The initial 512 bytes of the File are being skipped by the payload.

More Information about the JSON Configuration File

Global Public Key – it is in base64 encoded form and will be decoded by APIs CryptStringToBinaryA, CryptDecodeObjectEx at RVA 0x8423 and then imported at RVA 0x1C7C as a public key for file encryption.
Unique PC ID – used as id for recovering the files from the malware authors. This is generated at function 0x2674, called at RVA 0x3432. A specific md5 ID is being generated for every machine that gets infected.
Help Files – the body / contents of the help files is also encoded in base64. Three types of help files are created, .html, .txt and .url. File name is “# HELP DECRYPT #“. These files get opened at the end of the payload, by ShellExecuteW API at RVA 0x4853.
Temporary Recovery TOR URLs – The components (http://{TOR}.{SITE_1}/{PC_ID}) of the recovery URLs are all in the JSON configuration file. The JSON is parsed by the function at 0x31FC and the strings are concatenated at 0x31A9.
Desktop Wallpaper and Sound Notification – The payload generates a bitmap file from the “wallpaper” object of the JSON File. This is done at RVA 0x42AC. The payload also generates a sound informing the user that the machine is infected. The message is at the “speaker” object of the JSON File. This is done at RVA 0x2B72.
CnC Server – The payload communicates to the IP address 31.184.234.0, port 6892 and sends the MD5_KEY and two additional digits.

Self-Delete – The payload deletes itself, leaving no trace thus we cannot obtain the global public key and the possible passphrase sent to the CnC Server could not be obtained.
List of Extensions – [“.accdb”,”.mdb”,”.mdf”,”.dbf”,”.vpd”,”.sdf”,”.sqlitedb”,”.sqlite3″,”.sqlite”,”.sql”,”.sdb”,”.doc”,”.docx”,”.odt”,”.xls”,”.xlsx”,”.ods”,”.ppt”,”.pptx”,”.odp”,”.pst”,”.dbx”,”.wab”,”.tbk”,”.pps”,”.ppsx”,”.pdf”,”.jpg”,”.tif”,”.pub”,”.one”,”.rtf”,”.csv”,”.docm”,”.xlsm”,”.pptm”,”.ppsm”,”.xlsb”,”.dot”,”.dotx”,”.dotm”,”.xlt”,”.xltx”,”.xltm”,”.pot”,”.potx”,”.potm”,”.xps”,”.wps”,”.xla”,”.xlam”,”.erbsql”,”.sqlite-shm”,”.sqlite-wal”, “.litesql”,”.ndf”,”.ost”,”.pab”, “.oab”,”.contact”,”.jnt”,”.mapimail”,”.msg”,”.prf”,”.rar”,”.txt”,”.xml”,”.zip”,”.1cd”,”.3ds”,”.3g2″,”.3gp”,”.7z”,”.7zip”,”.aoi”,”.asf”,”.asp”,”.aspx”,”.asx”,”.avi”,”.bak”,”.cer”,”.cfg”,”.class”,”.config”,”.css”,”.dds”,”.dwg”,”.dxf”,”.flf”,”.flv”,”.html”,”.idx”,”.js”,”.key”,”.kwm”,”.laccdb”,”.ldf”,”.lit”,”.m3u”,”.mbx”,”.md”,”.mid”,”.mlb”,”.mov”,”.mp3″,”.mp4″,”.mpg”,”.obj”,”.pages”,”.php”,”.psd”,”.pwm”,”.rm”,”.safe”,”.sav”,”.save”,”.srt”,”.swf”,”.thm”,”.vob”,”.wav”,”.wma”,”.wmv”,”.3dm”,”.aac”,”.ai”,”.arw”,”.c”,”.cdr”,”.cls”,”.cpi”,”.cpp”,”.cs”,”.db3″,”.drw”,”.dxb”,”.eps”,”.fla”,”.flac”,”.fxg”,”.java”,”.m”,”.m4v”,”.max”,”.pcd”,”.pct”,”.pl”,”.ppam”,”.ps”,”.pspimage”,”.r3d”,”.rw2″,”.sldm”,”.sldx”,”.svg”,”.tga”,”.xlm”,”.xlr”,”.xlw”,”.act”,”.adp”,”.al”,”.bkp”,”.blend”,”.cdf”,”.cdx”,”.cgm”,”.cr2″,”.crt”,”.dac”,”.dcr”,”.ddd”,”.design”,”.dtd”,”.fdb”,”.fff”,”.fpx”,”.h”,”.iif”,”.indd”,”.jpeg”,”.mos”,”.nd”,”.nsd”,”.nsf”,”.nsg”,”.nsh”,”.odc”,”.oil”,”.pas”,”.pat”,”.pef”,”.pfx”,”.ptx”,”.qbb”,”.qbm”,”.sas7bdat”,”.say”,”.st4″,”.st6″,”.stc”,”.sxc”,”.sxw”,”.tlg”,”.wad”,”.xlk”,”.aiff”,”.bin”,”.bmp”,”.cmt”,”.dat”,”.dit”,”.edb”,”.flvv”,”.gif”,”.groups”,”.hdd”,”.hpp”,”.m2ts”,”.m4p”,”.mkv”,”.mpeg”,”.nvram”,”.ogg”,”.pdb”,”.pif”,”.png”,”.qed”,”.qcow”,”.qcow2″,”.rvt”,”.st7″,”.stm”,”.vbox”,”.vdi”,”.vhd”,”.vhdx”,”.vmdk”,”.vmsd”,”.vmx”,”.vmxf”,”.3fr”,”.3pr”,”.ab4″,”.accde”,”.accdr”,”.accdt”,”.ach”,”.acr”,”.adb”,”.ads”,”.agdl”,”.ait”,”.apj”,”.asm”,”.awg”,”.back”,”.backup”,”.backupdb”,”.bank”,”.bay”,”.bdb”,”.bgt”,”.bik”,”.bpw”,”.cdr3″,”.cdr4″,”.cdr5″,”.cdr6″,”.cdrw”,”.ce1″,”.ce2″,”.cib”,”.craw”,”.crw”,”.csh”,”.csl”,”.db_journal”,”.dc2″,”.dcs”,”.ddoc”,”.ddrw”,”.der”,”.des”,”.dgc”,”.djvu”,”.dng”,”.drf”,”.dxg”,”.eml”,”.erf”,”.exf”,”.ffd”,”.fh”,”.fhd”,”.gray”,”.grey”,”.gry”,”.hbk”,”.ibank”,”.ibd”,”.ibz”,”.iiq”,”.incpas”,”.jpe”,”.kc2″,”.kdbx”,”.kdc”,”.kpdx”,”.lua”,”.mdc”,”.mef”,”.mfw”,”.mmw”,”.mny”,”.moneywell”,”.mrw”,”.myd”,”.ndd”,”.nef”,”.nk2″,”.nop”,”.nrw”,”.ns2″,”.ns3″,”.ns4″,”.nwb”,”.nx2″,”.nxl”,”.nyf”,”.odb”,”.odf”,”.odg”,”.odm”,”.orf”,”.otg”,”.oth”,”.otp”,”.ots”,”.ott”,”.p12″,”.p7b”,”.p7c”,”.pdd”,”.pem”,”.plus_muhd”,”.plc”,”.psafe3″,”.py”,”.qba”,”.qbr”,”.qbw”,”.qbx”,”.qby”,”.raf”,”.rat”,”.raw”,”.rdb”,”.rwl”,”.rwz”,”.s3db”,”.sd0″,”.sda”,”.sr2″,”.srf”,”.srw”,”.st5″,”.st8″,”.std”,”.sti”,”.stw”,”.stx”,”.sxd”,”.sxg”,”.sxi”,”.sxm”,”.tex”,”.wallet”,”.wb2″,”.wpd”,”.x11″,”.x3f”,”.xis”,”.ycbcra”,”.yuv”,”.mab”,”.json”,”.msf”,”.jar”,”.cdb”,”.srb”,”.abd”,”.qtb”,”.cfn”,”.info”,”.info_”,”.flb”,”.def”,”.atb”,”.tbn”,”.tbb”,”.tlx”,”.pml”,”.pmo”,”.pnx”,”.pnc”,”.pmi”,”.pmm”,”.lck”,”.pm!”,”.pmr”,”.usr”,”.pnd”,”.pmj”,”.pm”,”.lock”,”.srs”,”.pbf”,”.omg”,”.wmf”,”.sh”,”.war”,”.ascx”,”.k2p”,”.apk”,”.asset”,”.bsa”,”.d3dbsp”,”.das”,”.forge”,”.iwi”,”.lbf”,”.litemod”,”.ltx”,”.m4a”,”.re4″,”.slm”,”.tiff”,”.upk”,”.xxx”,”.money”,”.cash”,”.private”,”.cry”,”.vsd”,”.tax”,”.gbr”,”.dgn”,”.stl”,”.gho”,”.ma”,”.acc”,”.db”]

The post JSE File Downloads Zepto then Cerber 3 Ransomware appeared first on ThreatTrack Security Labs Blog.