Where do I find the Cerber executable and Registry entries?

1

A server I am administrating has been infected by a ransomware named Cerber. They demand a payment (as is the point of such viruses).

As of now I have narrowed the infection source down and removed it. I googled around a bit and found multiple articles on how to remove it from the system. Especially the one at bleepingcomputer was rather enlightening.

They say the virus is located at %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe. Unfortunately that folder does not exist on the infected system :(
They also provide multiple registry keys where the virus executable is started:

HKCU\Control Panel\Desktop\SCRNSAVE.EXE "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Command Processor\AutoRun   "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run    "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random] "%AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\[random].exe"

None of these entries exist either.
Where (or even how) do I find the executable of the virus so I can clear it out of the system?

Vogel612

Posted 2016-06-24T18:59:04.993

Reputation: 452

2

The proper way to deal with a compromised server is to reinstall it from scratch, as the attackers may have left some other "present" besides the ransomware that will allow them to get back in. More info on ServerFault: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server

– André Borie – 2016-06-24T19:23:11.903

@AndréBorie boy am I lucky that this was ad 1) not a root compromise, ad 2) not on a publicly facing web service and ad 3) only on a single user account on the server that also affected shared resources. I'm quite sure that there was no manual access from the attacker's side. The whole attack was aimed at a single-user home system where recovering from this would've been a bigger problem than it was. Just because the word server appears in this post, that doesn't mean that this was a web server. – Vogel612 – 2016-06-24T19:35:33.667

2

Web server or no, anything short of a clean install is unwise. – Alexander O'Mara – 2016-06-24T20:23:54.653

1

You need to reinstall from scratch. You have no idea what havoc that thing wreaked. – cat – 2016-06-24T20:27:50.770

2

You can never be sure, that's the issue. For all you know it's a custom made rootkit that just uses the ransomware as a decoy, hoping for people like you to just remove the ransomware while leaving the rootkit alone. – André Borie – 2016-06-24T21:49:48.047

Answers

4

There seems to be a new strain of the virus that places itself in a slightly different location and uses different registry keys.

You should be able to find the virus under %AppData%\{7DD25B43-EDEC-C6A2-4E97-EB6E11BD11CD3}.

Especially interesting: The virus can only access the registry of its current user. It accordingly has nested into the HKEY_USERS/[...]/ hive instead of HKEY_CURRENT_USER sometimes. The registry entries in the respective hives are the same though.

How do I find this if I don't know the path, or the "publicized" paths don't work?

I was able to nail the virus down by carefully checking Task Manager from the Administrator account when the infected user logged in. To simplify this you may want to display the columns "Image Path Name" and "Command Line" in the Details tab of Task Manager.
In this case anything disguised as a Windows executable or SCRNSAVE.EXE running from \AppData\Roaming is highly suspicious and should be investigated.

Vogel612

Posted 2016-06-24T18:59:04.993

Reputation: 452
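The following PowerShell script is an added example and is not code from the original question or answer. It automates the two checks the thread describes: it walks the autorun registry locations listed in the question, but across every loaded user hive under HKEY_USERS (the answer notes the sample sometimes lands under HKEY_USERS\<SID> rather than HKEY_CURRENT_USER), and it lists running processes whose image path or command line points into AppData\Roaming, which is the Task Manager "Image Path Name" / "Command Line" check from the answer. The key names are the ones quoted on the page; the SID regex, the `$suspectPattern` string and the function names are assumptions of this example, not values from the page. Run it from an elevated PowerShell session while the affected user is logged in, so that user's hive is loaded.

```powershell
# Added example (not from the original post): hunt for the autorun entries and
# processes described in the thread, across all loaded user hives.
# Assumptions: the SID pattern below matches ordinary user hives (S-1-5-21-...),
# and anything launching from the roaming profile is treated as suspect.

# Expose HKEY_USERS as a drive so every loaded profile hive can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Autorun locations quoted in the question, relative to a user hive root.
$autorunKeys = @(
    'Control Panel\Desktop',                                            # SCRNSAVE.EXE value
    'Software\Microsoft\Command Processor',                             # AutoRun value
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Get-ItemProperty expands %AppData% in REG_EXPAND_SZ values, so match both forms.
$suspectPattern = '(?i)AppData\\Roaming|%AppData%'

function Get-SuspiciousAutoruns {
    # Only real user hives; skip the *_Classes hives and the built-in SIDs.
    $hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
    foreach ($hive in $hives) {
        foreach ($rel in $autorunKeys) {
            $keyPath = "HKU:\$($hive.PSChildName)\$rel"
            if (-not (Test-Path $keyPath)) { continue }
            $props = Get-ItemProperty -Path $keyPath
            # Check every value in the key: the value names are random, so
            # nothing can be assumed about them, only about where they point.
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # PowerShell provider metadata
                if ("$($p.Value)" -match $suspectPattern) {
                    [pscustomobject]@{
                        Hive  = $hive.PSChildName
                        Key   = $rel
                        Name  = $p.Name
                        Value = $p.Value
                    }
                }
            }
        }
    }
}

function Get-SuspiciousProcesses {
    # Scriptable equivalent of showing "Image Path Name" and "Command Line"
    # in Task Manager's Details tab and scanning for \AppData\Roaming.
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -match $suspectPattern -or $_.CommandLine -match $suspectPattern } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

Get-SuspiciousAutoruns   | Format-Table -AutoSize
Get-SuspiciousProcesses  | Format-Table -AutoSize -Wrap
```

Legitimate software (updaters, chat clients) also runs from AppData\Roaming, so treat each hit as a lead to verify against the file's signature and publisher rather than as a verdict. The script only reads the registry and the process list; once a persistence entry is confirmed, record the path and hive before removing anything, and keep in mind the comments above: this locates what is visible, it does not prove nothing else was left behind.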