Jump to content

Cerber Ransomware & Trojan.Injector


Recommended Posts

Windows 7.  Malwarebytes Premium 3.0.6.  Only files on flash drive encrypted by Cerber.  Files on hard drive not affected.

MB scan shows Trojan.Injector and only threat found.

What is the best way to proceed?

Any idea why Malwarebytes didn't stop the ransomware?

Link to post
Share on other sites

Nothing, it might be gone by now. The startup entry for it is still there. The cinch.dll file is the patched .dll it used for its UAC Bypass. Also look at this, files have been encrypted on the system and ransom notes dropped.

2017-02-28 12:57 - 2017-01-20 23:14 - 00012661 _____ C:\Users\Barbara\Documents\QCOcJ4guKr.95b6
2017-02-28 12:57 - 2016-12-06 15:33 - 00013299 _____ C:\Users\Barbara\Documents\PuatcaxSKY.95b6
2017-02-28 12:57 - 2016-09-09 23:43 - 00012911 _____ C:\Users\Barbara\Documents\ZOswJO764c.95b6
2017-02-28 12:57 - 2016-08-20 23:52 - 00012127 _____ C:\Users\Barbara\Documents\PbMUGvLIQc.95b6
2017-02-28 12:57 - 2016-08-18 23:36 - 00013569 _____ C:\Users\Barbara\Documents\Rr473v1Wta.95b6
2017-02-28 12:57 - 2016-07-18 13:57 - 00653296 _____ C:\Users\Barbara\Documents\OBA0aojr9A.95b6
2017-02-28 12:57 - 2016-06-08 23:25 - 00018918 _____ C:\Users\Barbara\Documents\DDODX11c0g.95b6
2017-02-28 12:57 - 2016-05-13 15:35 - 00014188 _____ C:\Users\Barbara\Documents\HfV-GgvfhG.95b6
2017-02-28 12:57 - 2016-04-17 23:55 - 00012918 _____ C:\Users\Barbara\Documents\gkbC-FTOs-.95b6
2017-02-28 12:57 - 2016-03-07 23:14 - 00013337 _____ C:\Users\Barbara\Documents\G5kLaMcbRC.95b6
2017-02-28 12:57 - 2016-01-10 21:18 - 00013222 _____ C:\Users\Barbara\Documents\IIiC3Pagqu.95b6
2017-02-28 12:57 - 2016-01-06 13:24 - 00153562 _____ C:\Users\Barbara\Documents\N5oShS8BaW.95b6
2017-02-28 12:57 - 2016-01-02 21:18 - 00012237 _____ C:\Users\Barbara\Documents\IUNwaWkHlp.95b6
2017-02-28 12:57 - 2015-09-09 15:43 - 00013799 _____ C:\Users\Barbara\Documents\x76pPm5DDU.95b6
2017-02-28 12:57 - 2015-08-10 00:14 - 00013159 _____ C:\Users\Barbara\Documents\STLUk6d5YT.95b6
2017-02-28 12:57 - 2015-07-21 14:13 - 00013320 _____ C:\Users\Barbara\Documents\8SDmaqa6Gz.95b6
2017-02-28 12:57 - 2015-06-01 21:17 - 00036792 _____ C:\Users\Barbara\Documents\ikBztXWInB.95b6
2017-02-28 12:57 - 2015-05-31 00:07 - 00084948 _____ C:\Users\Barbara\Documents\qTXQ9RNYqE.95b6
2017-02-28 12:57 - 2015-02-26 10:49 - 00150006 _____ C:\Users\Barbara\Documents\IM0zyYdknW.95b6
2017-02-28 12:57 - 2015-02-26 10:48 - 00123823 _____ C:\Users\Barbara\Documents\0dVuJcWrit.95b6
2017-02-28 12:57 - 2015-02-16 15:02 - 00014279 _____ C:\Users\Barbara\Documents\suYuCOX14G.95b6
2017-02-28 12:57 - 2014-11-14 12:05 - 00000000 ____D C:\Users\Barbara\Documents\ATK to move its third HQ to Utah  The Salt Lake Tribune_files
2017-02-28 12:57 - 2014-10-29 00:34 - 00012204 _____ C:\Users\Barbara\Documents\R42Dn9mlc9.95b6
2017-02-28 12:57 - 2014-08-04 15:13 - 00523642 _____ C:\Users\Barbara\Documents\SbiDOyN-KS.95b6
2017-02-28 12:57 - 2014-08-04 15:11 - 00973319 _____ C:\Users\Barbara\Documents\YnZkbpwvpL.95b6
2017-02-28 12:57 - 2014-05-11 00:02 - 00029746 _____ C:\Users\Barbara\Documents\x-KkBy4ooA.95b6
2017-02-28 12:57 - 2014-02-22 00:24 - 00013179 _____ C:\Users\Barbara\Documents\6N2qOCIIln.95b6
2017-02-28 12:57 - 2013-11-06 14:49 - 00224718 _____ C:\Users\Barbara\Documents\x20oUi48Ah.95b6
2017-02-28 12:57 - 2013-11-06 00:01 - 00176808 _____ C:\Users\Barbara\Documents\WwkzXbTv7p.95b6
2017-02-28 12:57 - 2013-07-20 00:02 - 01653439 _____ C:\Users\Barbara\Documents\-rVqQTNrVh.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 01498574 _____ C:\Users\Barbara\Documents\uc56I8nZx0.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00385621 _____ C:\Users\Barbara\Documents\auicjeVLTJ.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00338390 _____ C:\Users\Barbara\Documents\NC4Wg76zJO.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00331704 _____ C:\Users\Barbara\Documents\RnGbtJsH5C.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00174041 _____ C:\Users\Barbara\Documents\ousSVJbErO.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00126138 _____ C:\Users\Barbara\Documents\0PNRM3wo4A.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00078248 _____ C:\Users\Barbara\Documents\ibzW47U1dG.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00067516 _____ C:\Users\Barbara\Documents\v55GDOvlfH.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00061617 _____ C:\Users\Barbara\Documents\eVE7qD1-lq.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00052666 _____ C:\Users\Barbara\Documents\nmbNol0hWD.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00040366 _____ C:\Users\Barbara\Documents\2QxtlIlE84.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00027576 _____ C:\Users\Barbara\Documents\Vewrcmjolf.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00027058 _____ C:\Users\Barbara\Documents\bsj85FxX8F.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00026072 _____ C:\Users\Barbara\Documents\GnqFKd3HIQ.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025530 _____ C:\Users\Barbara\Documents\ck24CvdnDa.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025052 _____ C:\Users\Barbara\Documents\qqXhH5zjsg.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025032 _____ C:\Users\Barbara\Documents\V4FYGbmZsM.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025000 _____ C:\Users\Barbara\Documents\b-fLrNbfSX.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00024496 _____ C:\Users\Barbara\Documents\pfdBd1RJeq.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00021924 _____ C:\Users\Barbara\Documents\c6KTOA4Z90.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00016165 _____ C:\Users\Barbara\Documents\vNRFrN11T3.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00003926 _____ C:\Users\Barbara\Documents\MFlYLvoQvX.95b6
2017-02-28 12:57 - 2017-02-28 12:57 - 00075877 _____ C:\Users\Barbara\Documents\_HELP_HELP_HELP_GOA7XW_.hta

This was on the 28th of February. So the payload did hit the computer and not only the USB. Seeing as the executable if gone, Cerber did what it had to do and deleted itself after. All we can do now is clean-up the remains.

Link to post
Share on other sites

What's the best way to get the data that hasn't been encrypted?

Any idea why it failed to encrypt every file.  In my past experience all the files were encrypted.

Any chance of further problems.

Barbara has no idea how this happened.  She has opened PDF attachments this week, but nothing else.

Aura, thanks for all of your assistance! 

Link to post
Share on other sites

Quote

What's the best way to get the data that hasn't been encrypted?

Any idea why it failed to encrypt every file.  In my past experience all the files were encrypted.

I don't know of one sadly. I know demonslay released a new tool that helps you finds encrypted files and move them somewhere. You could use it to move all the encrypted files somewhere safe, and then check in the folders if you see any files that weren't hit by Cerber.

https://www.bleepingcomputer.com/forums/t/637463/cryptosearch-find-files-encrypted-by-ransomware/

And it's possible that Malwarebytes killed the infection at some point. You could check the Protection Events to confirm that.

Quote

Any chance of further problems.

Well the main Cerber payload is gone, so no chances of further issues related to that threat. Unless she gets infected again somehow.

Quote

Barbara has no idea how this happened.  She has opened PDF attachments this week, but nothing else.

Cerber Ransomware is also dropped by EKs, so it's possible that she was infected that way.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.