NonConvergentWaveform

Experienced Members
Posts: 54

Posts posted by NonConvergentWaveform

  1. It's clear, from the second link you gave, that the 2nd stage was on a few computers, and targeted.

    Seems probable. Then again the info came from a server under the attacker's control. I'd be interested in what the attacker was doing at piriform all the time he had control, and if it is normal to compile another copy of ccleaner again only 16 minutes later.

     

    As far as the variants, who knows, that's why you got no answer[..]

    The files I am asking about were built, digitally signed, packaged into an installer, and digitally signed again at piriform. Somehow the attacker tampered with that process. I was asking for more info about the normal build process too. Someone should know about one or both of those procedures.

     

    [..]what're your sources on this or did you just happen to download and hash the file twice. I've forwarded to the admin because maybe they know but I'd rather see where your info comes from first, honestly.

    I'm not sure what you are asking...

     

    "download and hash the file twice" -- if you hash a file twice (and nothing goes majorly wrong with your computer) it should be the same every time.

     

    "I'd rather see where your info comes from first, honestly." -- What info specifically? If you ask a specific question I can give a specific answer.

  2. You don't need to figure it out. The ccleaner.exe file, from only the 5.33.6162 build, had a backdoor installed. The developers released a .6163 version with the backdoor removed. They then released 5.34 and 5.35 as more secure versions (see their relevant change logs). As you well know, since you're involved in it, there's an active thread on this that explains all of this https://forum.piriform.com/index.php?showtopic=48869 It would be better to continue that thread than to open multiple new threads. That said, the forensics on this are pretty done. There's not been any action beyond what the main thread has in it.

    There seems to be a lot of missing information. I asked here why there are two infected builds made just minutes apart. No answer. This blog post mentions files one would think are innocent (not tampered) as indicators of compromise (IOCs).

     

    I just want to get correct and accurate answers so that others who are asking (directly and indirectly) can be given full and complete answers.

     

    Instead we have to resort to educated guesses (some of which were thankfully confirmed) and lingering uncertainty.

  3. What in blazes are you talking about? What does tampered mean here? What is the (I assume) hash code a hash of? What does this have to do with ccleaner?

    Tampered with in the recent ccleaner malware issue, a.k.a. infected. There were several versions of ccleaner released that were infected, most had an installer.

     

    Example:

    CCleaner setup v5.33.0.6162 contains among other things:

    ccleaner (32-bit)

    ccleaner (64-bit)

     

     

    ccleaner (32-bit) = tampered (file has been tampered with by the bad guys)

    ccleaner (64-bit) = untampered (file is as intended by the author)

    CCleaner setup v5.33.0.6162 = associated with tampered file (contains ccleaner 32-bit v5.33.0.6162)

     

    I'm trying to determine which files were actually tampered with and which files were not tampered with and also any installer which contained such a tampered with file(s).

  4. Can you classify these files into:

    • tampered
    • untampered
    • associated(packaged in the same installer, etc..) with tampered file, but not in itself tampered
    Also the default file name. 

    SHA256 hash of files I am asking about:
    A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF
    276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
    BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9
    C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E
    04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11
    0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013
    1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
    2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0
    4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A
    E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1
    3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3
    7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D
    36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9
    6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
    A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2
    0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8
    9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB
    BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913
    
  5. 64bit users

    Installed and ran ccleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature, but ran only the 64-bit version?

     

    I only use the 64-bit version but have the UAC feature active, but don't have any Agomo keys or Webemperf 1-4.

    If you are on a windows 64-bit be sure to check the 32-bit registry as if a 32-bit program wrote to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

    and you checked it with regedit it would actually end up here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
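The check described above, written out as an added example (not code from the original post or from Piriform): on 64-bit Windows it looks for the Agomo key in both the native 64-bit view and the Wow6432Node view that a 32-bit CCleaner.exe would actually land in, and lists whatever values the key holds. No value names are assumed, since the post does not list them; only the key path from the post is used.

```powershell
# Added example: look for HKLM\SOFTWARE\Piriform\Agomo in both registry views.
# A 32-bit process writing to HKLM\SOFTWARE on 64-bit Windows is redirected by
# WOW64 into HKLM\SOFTWARE\Wow6432Node, which is where regedit will show it.
$views = @(
    @{ Name = '64-bit view (native)';      Path = 'HKLM:\SOFTWARE\Piriform\Agomo' },
    @{ Name = '32-bit view (Wow6432Node)'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo' }
)

# If this script itself runs in a 32-bit PowerShell (SysWOW64) on 64-bit
# Windows, the first path is redirected too, so both lines would show the
# 32-bit data. Warn so the output is not misread.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning 'Running as a 32-bit process on 64-bit Windows: HKLM:\SOFTWARE is redirected to Wow6432Node for this process. Use the 64-bit PowerShell instead.'
}

$found = $false
foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Path)) {
        Write-Host "[-] $($v.Name): $($v.Path) not present"
        continue
    }
    $found = $true
    Write-Host "[+] $($v.Name): $($v.Path) exists"
    $key = Get-Item -LiteralPath $v.Path          # Microsoft.Win32.RegistryKey
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $val  = $key.GetValue($name)
        # Render REG_BINARY as hex so it can be compared against published IOCs
        if ($kind -eq 'Binary') { $val = ($val | ForEach-Object { $_.ToString('x2') }) -join '' }
        Write-Host ("    {0,-24} {1,-8} {2}" -f $name, $kind, $val)
    }
}

if (-not $found) {
    # Absence is evidence, not proof: as the post notes, a later stage could
    # have removed the key before the check.
    Write-Host 'No Agomo key in either registry view.'
}
```

Run it from the 64-bit PowerShell (the one under C:\Windows\System32\WindowsPowerShell, not SysWOW64); the warning in the block explains why the 32-bit host would make both views look the same.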

  6. That page gives ccleaner64.exe

     

    This matches the result the member above stated. Are you saying you have a CCleaner64.exe with a different sha256?

     

    Looks like someone independently discovered and fixed the mistake without mentioning it in this thread.

  7. I don't see this mistake, could you post a link?

    CCleaner64.exe - 64-bit CCleaner executable
    MD5:                  e6f5ad3fd6d0f64ec88357fc481a71ab
    SHA256:               06b27f68366f8d25a599c3ad8b1d23f18158f4edddee3174a22d3698089a8bc3
    
  8. I read the news in the Avast blog and it confirms that the Trojan creates the Agomo keys in the registry, so without them the system was not affected, right?

    As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

     

     

    Didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) at any point = not infected

    Installed but didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing)

    Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected

    Installed and ran CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) after September 15th = not infected (malware server disabled)

     

    CCleanerCloud users (64-bit and 32-bit OSes):

    Installed and ran CCleanerCloud v1.7.0.3191 before September 16th = Stage 2 possible

     

    64-bit users:

    Installed and ran CCleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected

    Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1)

    Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected

    Note A1_*_: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible

    _*_ -- There is no way (currently known) for the line above to happen in any normal situation.

    32-bit users:

    Installed and ran CCleaner v5.33.0.6162 before September 16th = Stage 2 possible

     

     

    If Stage 2 possible:

    The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

     

    For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.

  9. Just so you know, moderators are speaking with Admins (Piriform employees) on this topic.

     

    In your browser can you provide us with the exact steps you followed to see each separate certificate? I know that's a weird ask but it's what was asked of us.

    You'd have to use wireshark or a certificate testing site to see irrelevant certificates sent by the server, it's not a feature many (any?) browsers have.

    Also note:

    www.beetleforum.net = 52.70.228.38

    forum.piriform.com  = 52.70.228.38

    Both sites are hosted on the same IP address.

  10. Where did you find it on Piriform?

    Second SSL certificate (expired) being offered by the website forum.piriform.com (on port 443, standard port). Also it shares the IP address with forum.piriform.com. I figured it was some "owner's secondary interest" kind of thing.

  11. Can you clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) ever? (or not to change the build number?)

     

    Is the malware different in version B? Does it connect to another server?

    Variant A:

    ccsetup533.exe
    SHA-256
    1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
    Signing date
    8/3/2017 10:43 AM
    
    CCleaner.exe (32-bit 5.33.6162)
    SHA-256
    6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
    Signing date
    8/3/2017 10:42 AM
    

    Variant B:

    ccsetup533.exe
    SHA-256
    276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
    Signing date
    8/3/2017 10:59 AM
    
    CCleaner.exe (32-bit 5.33.6162)
    SHA-256
    36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9
    Signing date
    8/3/2017 10:58 AM
    
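A way to turn the variant A / variant B table above into a check one can run, as an added example (not code from the original post or from Piriform): it hashes any CCleaner or ccsetup executables found in a couple of likely locations, matches the SHA-256 against the four hashes quoted in the post, and reads the Authenticode signature alongside. The search paths are an assumption; the hash-to-description mapping uses only what the post states (two tampered 32-bit CCleaner.exe builds and the two installers that carry them), so a file that does not match is simply "not classified here", not "clean".

```powershell
# Added example: classify local files against the SHA-256 values from the post.
# Only the four hashes given above are used; everything else is reported as unknown.
$known = @{
    '1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF' = 'ccsetup533.exe, variant A installer (contains tampered 32-bit CCleaner.exe)'
    '6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9' = 'CCleaner.exe 32-bit 5.33.6162, variant A (tampered)'
    '276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012' = 'ccsetup533.exe, variant B installer (contains tampered 32-bit CCleaner.exe)'
    '36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9' = 'CCleaner.exe 32-bit 5.33.6162, variant B (tampered)'
}

# Assumption: where installers and the installed program are most likely to be.
$searchPaths = @('C:\Program Files\CCleaner', "$env:USERPROFILE\Downloads")

Get-ChildItem -Path $searchPaths -Include 'CCleaner*.exe', 'ccsetup*.exe' -Recurse -File -ErrorAction SilentlyContinue |
ForEach-Object {
    # Get-FileHash returns upper-case hex, matching the keys in $known
    $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

    $verdict = if ($known.ContainsKey($sha)) { $known[$sha] }
               else { 'not in the list from the post (unknown, not necessarily clean)' }

    [pscustomobject]@{
        File      = $_.FullName
        Version   = $_.VersionInfo.FileVersion
        SHA256    = $sha
        SigStatus = $sig.Status                       # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict   = $verdict
    }
} | Format-List
```

Two things to keep in mind when reading the output. A SigStatus of Valid does not clear a file: as noted earlier in the thread, the tampered builds were signed at Piriform as part of the normal process, so a good Piriform signature is exactly what a tampered 5.33.6162 binary carries. And the hash list only answers "is this one of the two known tampered 32-bit builds or their installers"; a different hash for CCleaner.exe 5.33.6162 would itself be worth reporting, since the post asks precisely why two builds exist.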
  12. Try initializing the disk so that it can be seen, then see if you can get the info off it.

    Initialize disk overwrites the MBR (and partition table) or GPT. I don't see how erasing the list of partitions on the disk is going to help with data recovery.

     

    If the MBR (and partition table) or GPT is corrupt windows will want to make a new one and assume the disk is blank so you can use it. That's not what he wants.

  13. This is what Disk Management shows:

     

    Disk_Management.png

     

    Since I didn't want to risk erasing data or making it harder to recover data, I've turned to Recuva. Please guide me on what to do.

    Looks like HD 0 is broken or something. Doesn't seem that the drive is functional. If you bring up the device manager and go to view->"devices by connection" and find your 2-3 hard drives what does it look like?

     

     

    Also for some unknown reason you have Disk 1 with an (empty) extended partition taking up most of the space. Extended partition is only necessary on MBR drives where you need MORE than 4 partitions.

  14. Hi,

     

    Can I refer you to this quote from our CTO:

    Quote

    About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary.

     

     

    You can read the full article here: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

     

    Tom

    So what would prevent the malware server (which the infected ccleaner told what software we are running) from NOT deploying phase/stage 2 to ANY of those computers running avast?
