Cerber Ransomware & Trojan.Injector

[EdS]

Windows 7.  Malwarebytes Premium 3.0.6.  Only files on flash drive encrypted by Cerber.  Files on hard drive not affected.

MB scan shows Trojan.Injector and only threat found.

What is the best way to proceed?

Any idea why Malwarebytes didn't stop the ransomware?

[Aura]

Hi again EdS

Is this the same computer that we worked on in your previous thread? Or a different one?

[EdS]

This is a different computer.  There is no backup of the data.

[Aura]

Unfortunately files encrypted by recent variants of Cerber cannot be decrypted for free. Is it possible to have the log where the Trojan.Infector detection appears?

[EdS]

Here's a screen shot of the scan.  I haven't quarantined yet.

Not worried about the flash drive data.  Just surprised that the data on the hard drive wasn't encrypted. 

[Aura]

If you can, upload that file to the link below so I can check it out.

https://www.bleepingcomputer.com/submit-malware.php?channel=194

Also, is it possible that the flash drive was infected on another computer?

[EdS]

File uploaded.

No, the flash drive is never in another computer.

[Aura]

Weird. Please run FRST like you did on the previous computer, and attach the FRST.txt and Addition.txt files after.

Thank you for the upload.

[EdS]

Here are the files.

Addition.txt

FRST.txt

[Aura]

I think I found the Cerber payload. Can you upload the file below to the same link I gave you previously?

Quote

C:\Users\Barbara\AppData\Roaming\svc-qxpf.exe

 

[EdS]

That file doesn't appear to be there...

[Aura]

If you enable Hidden Files, and System Files (if you know how, if you don't, let me know), do you see it?

[EdS]

What am I missing?

[Aura]

Nothing, it might be gone by now. The startup entry for it is still there. The cinch.dll file is the patched .dll it used for its UAC Bypass. Also look at this, files have been encrypted on the system and ransom notes dropped.

2017-02-28 12:57 - 2017-01-20 23:14 - 00012661 _____ C:\Users\Barbara\Documents\QCOcJ4guKr.95b6
2017-02-28 12:57 - 2016-12-06 15:33 - 00013299 _____ C:\Users\Barbara\Documents\PuatcaxSKY.95b6
2017-02-28 12:57 - 2016-09-09 23:43 - 00012911 _____ C:\Users\Barbara\Documents\ZOswJO764c.95b6
2017-02-28 12:57 - 2016-08-20 23:52 - 00012127 _____ C:\Users\Barbara\Documents\PbMUGvLIQc.95b6
2017-02-28 12:57 - 2016-08-18 23:36 - 00013569 _____ C:\Users\Barbara\Documents\Rr473v1Wta.95b6
2017-02-28 12:57 - 2016-07-18 13:57 - 00653296 _____ C:\Users\Barbara\Documents\OBA0aojr9A.95b6
2017-02-28 12:57 - 2016-06-08 23:25 - 00018918 _____ C:\Users\Barbara\Documents\DDODX11c0g.95b6
2017-02-28 12:57 - 2016-05-13 15:35 - 00014188 _____ C:\Users\Barbara\Documents\HfV-GgvfhG.95b6
2017-02-28 12:57 - 2016-04-17 23:55 - 00012918 _____ C:\Users\Barbara\Documents\gkbC-FTOs-.95b6
2017-02-28 12:57 - 2016-03-07 23:14 - 00013337 _____ C:\Users\Barbara\Documents\G5kLaMcbRC.95b6
2017-02-28 12:57 - 2016-01-10 21:18 - 00013222 _____ C:\Users\Barbara\Documents\IIiC3Pagqu.95b6
2017-02-28 12:57 - 2016-01-06 13:24 - 00153562 _____ C:\Users\Barbara\Documents\N5oShS8BaW.95b6
2017-02-28 12:57 - 2016-01-02 21:18 - 00012237 _____ C:\Users\Barbara\Documents\IUNwaWkHlp.95b6
2017-02-28 12:57 - 2015-09-09 15:43 - 00013799 _____ C:\Users\Barbara\Documents\x76pPm5DDU.95b6
2017-02-28 12:57 - 2015-08-10 00:14 - 00013159 _____ C:\Users\Barbara\Documents\STLUk6d5YT.95b6
2017-02-28 12:57 - 2015-07-21 14:13 - 00013320 _____ C:\Users\Barbara\Documents\8SDmaqa6Gz.95b6
2017-02-28 12:57 - 2015-06-01 21:17 - 00036792 _____ C:\Users\Barbara\Documents\ikBztXWInB.95b6
2017-02-28 12:57 - 2015-05-31 00:07 - 00084948 _____ C:\Users\Barbara\Documents\qTXQ9RNYqE.95b6
2017-02-28 12:57 - 2015-02-26 10:49 - 00150006 _____ C:\Users\Barbara\Documents\IM0zyYdknW.95b6
2017-02-28 12:57 - 2015-02-26 10:48 - 00123823 _____ C:\Users\Barbara\Documents\0dVuJcWrit.95b6
2017-02-28 12:57 - 2015-02-16 15:02 - 00014279 _____ C:\Users\Barbara\Documents\suYuCOX14G.95b6
2017-02-28 12:57 - 2014-11-14 12:05 - 00000000 ____D C:\Users\Barbara\Documents\ATK to move its third HQ to Utah  The Salt Lake Tribune_files
2017-02-28 12:57 - 2014-10-29 00:34 - 00012204 _____ C:\Users\Barbara\Documents\R42Dn9mlc9.95b6
2017-02-28 12:57 - 2014-08-04 15:13 - 00523642 _____ C:\Users\Barbara\Documents\SbiDOyN-KS.95b6
2017-02-28 12:57 - 2014-08-04 15:11 - 00973319 _____ C:\Users\Barbara\Documents\YnZkbpwvpL.95b6
2017-02-28 12:57 - 2014-05-11 00:02 - 00029746 _____ C:\Users\Barbara\Documents\x-KkBy4ooA.95b6
2017-02-28 12:57 - 2014-02-22 00:24 - 00013179 _____ C:\Users\Barbara\Documents\6N2qOCIIln.95b6
2017-02-28 12:57 - 2013-11-06 14:49 - 00224718 _____ C:\Users\Barbara\Documents\x20oUi48Ah.95b6
2017-02-28 12:57 - 2013-11-06 00:01 - 00176808 _____ C:\Users\Barbara\Documents\WwkzXbTv7p.95b6
2017-02-28 12:57 - 2013-07-20 00:02 - 01653439 _____ C:\Users\Barbara\Documents\-rVqQTNrVh.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 01498574 _____ C:\Users\Barbara\Documents\uc56I8nZx0.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00385621 _____ C:\Users\Barbara\Documents\auicjeVLTJ.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00338390 _____ C:\Users\Barbara\Documents\NC4Wg76zJO.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00331704 _____ C:\Users\Barbara\Documents\RnGbtJsH5C.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00174041 _____ C:\Users\Barbara\Documents\ousSVJbErO.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00126138 _____ C:\Users\Barbara\Documents\0PNRM3wo4A.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00078248 _____ C:\Users\Barbara\Documents\ibzW47U1dG.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00067516 _____ C:\Users\Barbara\Documents\v55GDOvlfH.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00061617 _____ C:\Users\Barbara\Documents\eVE7qD1-lq.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00052666 _____ C:\Users\Barbara\Documents\nmbNol0hWD.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00040366 _____ C:\Users\Barbara\Documents\2QxtlIlE84.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00027576 _____ C:\Users\Barbara\Documents\Vewrcmjolf.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00027058 _____ C:\Users\Barbara\Documents\bsj85FxX8F.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00026072 _____ C:\Users\Barbara\Documents\GnqFKd3HIQ.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025530 _____ C:\Users\Barbara\Documents\ck24CvdnDa.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025052 _____ C:\Users\Barbara\Documents\qqXhH5zjsg.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025032 _____ C:\Users\Barbara\Documents\V4FYGbmZsM.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00025000 _____ C:\Users\Barbara\Documents\b-fLrNbfSX.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00024496 _____ C:\Users\Barbara\Documents\pfdBd1RJeq.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00021924 _____ C:\Users\Barbara\Documents\c6KTOA4Z90.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00016165 _____ C:\Users\Barbara\Documents\vNRFrN11T3.95b6
2017-02-28 12:57 - 2004-02-19 00:13 - 00003926 _____ C:\Users\Barbara\Documents\MFlYLvoQvX.95b6
2017-02-28 12:57 - 2017-02-28 12:57 - 00075877 _____ C:\Users\Barbara\Documents\_HELP_HELP_HELP_GOA7XW_.hta

This was on the 28th of February. So the payload did hit the computer and not only the USB. Seeing as the executable if gone, Cerber did what it had to do and deleted itself after. All we can do now is clean-up the remains.

[EdS]

What's the best way to get the data that hasn't been encrypted?

Any idea why it failed to encrypt every file.  In my past experience all the files were encrypted.

Any chance of further problems.

Barbara has no idea how this happened.  She has opened PDF attachments this week, but nothing else.

Aura, thanks for all of your assistance! 

[Aura]

Quote

What's the best way to get the data that hasn't been encrypted?

Any idea why it failed to encrypt every file.  In my past experience all the files were encrypted.

I don't know of one sadly. I know demonslay released a new tool that helps you finds encrypted files and move them somewhere. You could use it to move all the encrypted files somewhere safe, and then check in the folders if you see any files that weren't hit by Cerber.

https://www.bleepingcomputer.com/forums/t/637463/cryptosearch-find-files-encrypted-by-ransomware/

And it's possible that Malwarebytes killed the infection at some point. You could check the Protection Events to confirm that.

Quote

Any chance of further problems.

Well the main Cerber payload is gone, so no chances of further issues related to that threat. Unless she gets infected again somehow.

Quote

Barbara has no idea how this happened.  She has opened PDF attachments this week, but nothing else.

Cerber Ransomware is also dropped by EKs, so it's possible that she was infected that way.

[EdS]

Thanks again for all the information.

Have a good one.

[Aura]

No problem Ed, you're welcome.

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!