{"id":2549,"date":"2016-07-13T13:31:36","date_gmt":"2016-07-13T06:31:36","guid":{"rendered":"https:\/\/humanit.asia\/?p=2549"},"modified":"2019-07-22T14:22:36","modified_gmt":"2019-07-22T07:22:36","slug":"a-look-at-the-cerber-office-365-ransomware","status":"publish","type":"post","link":"https:\/\/old.humanit.asia\/th\/a-look-at-the-cerber-office-365-ransomware\/","title":{"rendered":"A Look at the Cerber Office 365 Ransomware"},"content":{"rendered":"
\n

Reports of a Zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan<\/a>), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other Zero-day threats that have been popping-up like mushrooms of late, the main methods of infection is through the use of Office\u00a0macros.<\/p>\n

This blog provides an analysis on the Cerber variant using traditional reverse-engineering and ThreatTrack\u2019s newest version of our malware analysis sandbox<\/a>, ThreatAnalyzer 6.1.<\/p>\n

Analyzing Cerber<\/strong><\/p>\n

Reverse engineering in general, more often than not, requires that one gets a broad view as to what the target is doing. Whether you\u2019re analyzing a malware sample or trying to figure what a function does from an obfuscated code, it is best to get the general \u201cfeel\u201d of your target before narrowing down to the specifics.<\/p>\n

ThreatAnalyzer<\/em> is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look as to what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating Threat Intelligence to quickly get IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and based on those particular set of behaviors, predict if the program in question is malicious or benign in nature.<\/p>\n

\n

\"Fig:<\/a><\/p>\n

Fig: ThreatAnalyzer\u2019s unique behavior determination engine<\/p>\n<\/div>\n

\n

\"Fig<\/a><\/p>\n

Fig 1: ThreatAnalyzer 6.1 in action<\/p>\n<\/div>\n

Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:<\/p>\n

    \n
  1. Determine that the sample is detected as malicious on 3 different fronts:\n
      \n
    1. ThreatIQ (our integrated threat intelligence server<\/a>) observers the sample trying to beacon to blacklisted URLs<\/li>\n
    2. The sample is detected by at least 1 or multiple antivirus engine(s)<\/li>\n
    3. Based on the behavior that it performed, has a high probability that the sample is malicious<\/li>\n<\/ol>\n<\/li>\n
    4. Shows the researcher\/user the changes in Registry, IO (File), Network attempts it made, and processes that it spawned<\/li>\n
    5. Compacts all detailed information that it has gathered into a downloadable PDF or XML report. If a user chooses, he can download the archive which includes the detailed report, any significant files that was generated, screenshots of the windows spawned and a copy of the PCAP file if any network activities were logged<\/li>\n<\/ol>\n

      ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.<\/p>\n

      If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:<\/p>\n