
Can you positively identify tampered and untampered files for me?


NonConvergentWaveform


Can you classify these files into:

  • tampered
  • untampered
  • associated (packaged in the same installer, etc.) with a tampered file, but not in itself tampered
Also, the default file name.

SHA256 hash of files I am asking about:

  • Moderators

What in blazes are you talking about? What does tampered mean here? What is the (I assume it is a) hash code a hash of? What does this have to do with ccleaner?

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


> What in blazes are you talking about? What does tampered mean here? What is the (I assume it is a) hash code a hash of? What does this have to do with ccleaner?

Tampered with in the recent ccleaner malware issue, aka infected. There were several versions of ccleaner released that were infected; most had an installer.

 

Example:

CCleaner setup v5.33.0.6162 contains among other things:

ccleaner (32-bit)

ccleaner (64-bit)

 

 

ccleaner (32-bit) = tampered (file has been tampered with by the bad guys)

ccleaner (64-bit) = untampered (file is as intended by the author)

CCleaner setup v5.33.0.6162 = associated with tampered file (contains ccleaner 32-bit v5.33.0.6162)

 

I'm trying to determine which files were actually tampered with and which files were not tampered with and also any installer which contained such a tampered with file(s).


  • Moderators

You don't need to figure it out. The ccleaner.exe file, from only the 5.33.6162 build, had a backdoor installed. The developers released a .6163 version with the backdoor removed. They then released 5.34 and 5.35 as more secure versions (see their relevant change logs).

 

As you well know, since you're involved in it, there's an active thread on this that explains all of this: https://forum.piriform.com/index.php?showtopic=48869

 

It would be better to continue that thread than to open multiple new threads.

 

That said, the forensics on this are pretty done. There's not been any action beyond what the main thread has in it.

 


> You don't need to figure it out. The ccleaner.exe file, from only the 5.33.6162 build, had a backdoor installed. The developers released a .6163 version with the backdoor removed. They then released 5.34 and 5.35 as more secure versions (see their relevant change logs). As you well know, since you're involved in it, there's an active thread on this that explains all of this: https://forum.piriform.com/index.php?showtopic=48869 It would be better to continue that thread than to open multiple new threads. That said, the forensics on this are pretty done. There's not been any action beyond what the main thread has in it.

There seems to be a lot of missing information. I asked here why there are two infected builds made just minutes apart. No answer. This blog post mentions files one would think are innocent (not tampered) as indicators of compromise (IOCs).

 

I just want to get correct and accurate answers so that others who are asking (directly and indirectly) can be given full and complete answers.

 

Instead we have to resort to educated guesses (some of which were thankfully confirmed) and lingering uncertainty.


  • Moderators

It's clear, from the second link you gave, that the 2nd stage was on a few computers, and targeted.

 

Worth noting is that about 40 PCs out of 2.27M had the compromised version of CCleaner product installed, i.e. 0.0018% of the total -- a truly targeted attack.
As far as the variants, who knows; that's why you got no answer. What're your sources on this, or did you just happen to download and hash the file twice? I've forwarded to the admin because maybe they know, but I'd rather see where your info comes from first, honestly.

 


> It's clear, from the second link you gave, that the 2nd stage was on a few computers, and targeted.

Seems probable. Then again the info came from a server under the attacker's control. I'd be interested in what the attacker was doing at piriform all the time he had control, and if it is normal to compile another copy of ccleaner again only 16 minutes later.

 

> As far as the variants, who knows; that's why you got no answer [..]

The files I am asking about were built, digitally signed, packaged into an installer, and digitally signed again at piriform. Somehow the attacker tampered with that process. I was asking for more info about the normal build process too. Someone should know about one or both of those procedures.

 

> [..] What're your sources on this, or did you just happen to download and hash the file twice? I've forwarded to the admin because maybe they know, but I'd rather see where your info comes from first, honestly.

I'm not sure what you are asking...

 

"download and hash the file twice" -- if you hash a file twice (and nothing goes majorly wrong with your computer) it should be the same every time.

 

"I'd rather see where your info comes from first, honestly." -- What info specifically? If you ask a specific question I can give a specific answer.


  • Moderators

Info = the times, dates and hashes; what are their origins? From where do you get this information?

I asked if it was first person (you downloaded the installer twice) or third party (you read it somewhere).

Remember ccleaner isn't open source, so if you're expecting that level of detail it probably won't be forthcoming.

 

 


All those hashes and some others are listed in this Avast blog; they all come back bad. They are all associated with ver 5.33.6162 or Agomo. They are also searchable at Virustotal except for one.

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

The Avast blog entry is already posted on this forum at:

https://forum.piriform.com/index.php?showtopic=48869&page=11#entry286957

The CCleaner SLIM version is always released a bit after any new version; when it is it will be HERE :-)

Pssssst: ... It isn't really a cloud. It's a bunch of big, giant servers.

  • Moderators

Sorry, I should have been more clear. The info is for the two uploads (the two installers posted within minutes of each other) in his other thread. This is why one thread is better than three.

 


It's pretty well answered in post #4 above, but just for grins I checked those hashes; can't sleep anyway. To be fair to NonConvergentWaveform, there has been a LOT of confusing stuff written, 32 bit vs 64 bit vs 1 stage vs 2 stage, etc., yada yada. I think it's a bunch simpler than that but can't say so for sure, so won't.


> Sorry, I should have been more clear. The info is for the two uploads (the two installers posted within minutes of each other) in his other thread. This is why one thread is better than three.

That info came from the blog post from avast and a little bit of research about which files (installers) contain which files. My question on that thread was answered. (hurray!)

 

Variant A was the release build, Variant B was an in-house test build which is sometimes made. (Both were, of course, tampered with.)

 "From time to time we build a second set of binaries for testing purposes"

 

All my info comes from official posts, info from talos, or direct first hand info (I have one or more tampered files which are digitally signed by piriform)

 

SHA256 hash of files I am (still) asking about:

Resolved (these have been answered):
1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified)
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered)
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified)
36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered)

All those hashes listed in post #12 are listed, identified, and classified in the Avast blog linked in post #9. 

 

All except one give a result on Virustotal, that one has no matches just now. 

 

What other information do you seek? 


Only the 32-bit version was tampered, yet multiple files are listed in the blog post, files one would think are fine and not messed with. Yet they are listed in the blog post and have detections on VT.

 

Which is right:

 

CCleaner.exe 32-bit (and installer containing it) Variant A

CCleaner.exe 32-bit (and installer containing it) Variant B

and possibly some other installers also containing A or B are therefore flagged.

 

OR

 

Other files other than CCleaner.exe 32-bit (excluding installers) are compromised such as:

CCleanerCloudHealthCheck.exe

9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB


Hi, NonConvergentWaveform.

All the questions in your post #14 are already answered, as I think you already know.

The questions about Variant A & Variant B were answered in a post you started, read, and acknowledged here:

https://forum.piriform.com/index.php?showtopic=48916&hl=

The question about CCleanerCloudHealthCheck was answered in post #9 above. 

 

As far as the existence of "Files one would think are fine and not messed with" that issue is rendered moot by the information you have already read. 

In other words, it doesn't matter a whit what one thinks.  If Virustotal says a file is bad it is.  If a virus checker flags it, it is bad.

 

I tell my friends and family this.  For any other files in question, perform a malware check using a quality antivirus, or a quality online scanner, or go here and read item #10:

https://forum.piriform.com/index.php?showannouncement=15&f=5

I don't work for Piriform, or Avast, but I have some time available, so have followed this pretty closely. 

I think it's time to realize that this malware has been brought under control. 

These folks have been remarkably open and above board about it. 

Any suggestion that there are other malicious files floating around is not supported by presently available evidence. 

 

EDIT 05 Oct 17: 

Should make it clear that my comments do not apply to the big organizations like Microsoft & Cisco that may have been targeted by later stages of this malware. Those folks have been contacted by Piriform & Avast to make sure they are OK.


If the only file "CCleaner.exe" 32-bit (of which we know there are two) was all that was messed with (and ignoring the installers which contain said files), then what is going on with (for example) "CCleanerCloudHealthCheck.exe", which is not an installer, not "CCleaner.exe" 32-bit, and is also in your opinion "bad"?

  • "Don't worry, only CCleaner.exe 32-bit is tampered with, if you didn't run it you are fine, there are no other tampered files, well except for some other files (maybe.. or not) just ignore those."

This is the answer I feel I have now, which doesn't seem to close the case.


  • Moderators

It is the case though.

 

Where do you see ccleanercloudhealthcheck.exe is flagged as a virus? Where did you even get that file if you aren't using ccleaner cloud? It was announced that the cloud version of the time was infected; idk if the file ccleaner.exe is the same or different for cloud, but both of those were infected, as we've constantly stated.

 


Wellll, I think maybe the OP has three possible agendas. 

 

1. To appear clever by asking questions which seem clever,

or

2. To continue to promote the idea that malicious files are floating around unidentified,

or

3. To continue to control the attention of forum members and readers and moderators.  

 

None of the three is likely to succeed.

1. Asking the same questions repeatedly is a waste of time.  Same for quarreling with the answers.

2. Piriform & Avast have posted much information about this event.  Very technical explanations are available for any who search.

3. Unless something important develops I shall retire from this topic. 


> It is the case though. Where do you see ccleanercloudhealthcheck.exe is flagged as a virus? Where did you even get that file if you aren't using ccleaner cloud? It was announced that the cloud version of the time was infected; idk if the file ccleaner.exe is the same or different for cloud, but both of those were infected, as we've constantly stated.

It appears that "CCleanerCloudAgent.exe" is the main exe file for that version. But it seems that all 3 of the internal programs that come with CCleanerCloud were infected, including "CCleanerCloudAgentHealtCheck.exe" and "CCleanerCloudTray.exe". Apparently the payload in the cloud version was created slightly later and was adjusted to run even without administrative privileges.

 

I wonder when the bug that caused all versions to prompt to auto-update regardless of the setting (even the free version -- which doesn't auto update) was introduced?

 

SHA256 hash of files I am only wondering about:

0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 (tampered -- contains tampered file) -- auto updater even for free version?

0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 (tampered, contains payload?)
9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB (tampered, contains payload?)
BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913 (tampered, contains payload?)

A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF unclear, probably: (tampered -- contains tampered file)
BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 unclear, probably: (tampered -- contains tampered file)
C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E unclear, probably: (tampered -- contains tampered file)
7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D unclear, probably: (tampered -- contains tampered file)

Mostly resolved:
04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 (tampered -- contains tampered file)
2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 (tampered -- contains tampered file)
4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A (tampered -- contains tampered file)
E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 (tampered -- contains tampered file)
3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 (tampered -- contains tampered file)
A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 (tampered -- contains tampered file)

Resolved (these have been answered):
1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF (tampered -- contains tampered file, but not known to be otherwise modified)
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 (tampered, contains payload)
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 (tampered -- contains tampered file, but not known to be otherwise modified)
36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 (tampered, contains payload)
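The three-way scheme the list above converges on (a file carrying the payload is tampered, an installer that only packages such a file is associated, anything else stays unresolved), turned into a hash-lookup triage as an added example; this is not code from the forum, Piriform or Avast. It seeds its table with the four hashes the thread marks resolved and treats a miss as unknown rather than untampered, because a published list like Avast's proves presence, not absence (and, as noted earlier in the thread, the tampered files carried a valid Piriform signature, so the hash is what the lists key on); the sample files and table in demo() are constructed.

```python
"""Hash-based triage against a classified IoC table (added example, constructed data)."""
import hashlib
import re
import tempfile
from pathlib import Path

# The thread's three-way scheme: a file carrying the backdoor is "tampered", an
# installer that merely packages such a file is "associated", and anything the
# list does not cover is "unknown" (not "untampered": a list proves presence,
# never absence).
_HEX64 = re.compile(r"^[0-9a-f]{64}$")

def load_ioc_table(entries):
    """Normalise {sha256: label} to lowercase keys and reject malformed digests;
    vendor posts print hashes in upper case, tools in lower, and a typo must fail loudly."""
    table = {}
    for digest, label in entries.items():
        key = digest.strip().lower()
        if not _HEX64.match(key):
            raise ValueError(f"not a SHA256 hex digest: {digest!r}")
        table[key] = label
    return table

# Seeded with the four hashes this thread marks resolved; a real triage would
# load the full table from the vendor's published incident post.
IOC_TABLE = load_ioc_table({
    "6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9": "tampered",
    "36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9": "tampered",
    "1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF": "associated",
    "276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012": "associated",
})

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_hash(digest, table=IOC_TABLE):
    """Case-insensitive lookup; a miss is 'unknown', never a clean verdict."""
    return table.get(digest.strip().lower(), "unknown")

def triage_directory(root, table=IOC_TABLE):
    """Return {relative_path: (sha256, label)} for every regular file under root."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        results[path.relative_to(root).as_posix()] = (digest, classify_hash(digest, table))
    return results

def demo():
    """Constructed sample: three files in a temp dir; two are entered in a table under
    the thread's labels, the third is left off the list and must land in 'unknown'."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "payload.exe": b"constructed stand-in for a file carrying the backdoor",
        "setup.exe": b"constructed stand-in for an installer packaging that file",
        "readme.txt": b"constructed file that appears on no list",
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    table = load_ioc_table({
        hashlib.sha256(samples["payload.exe"]).hexdigest().upper(): "tampered",
        hashlib.sha256(samples["setup.exe"]).hexdigest(): "associated",
    })
    return triage_directory(root, table)
```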


No, I was trying to get direct clear answers about all the files tied to this incident (not just that they were related to this issue, how they were related). I think I have most of my questions answered most of the way as of my last post. I was trying to rule out #2 to some extent and to be clear on which files were affected so one could tell for sure if they were affected.

 

I still wonder a little bit about the auto update prompt getting stuck on even in the free version right before this incident.

 

Anyway, thank you for your time, and sorry to bother you with questions I wanted to get very specific answers to but may not have asked with adequate clarity.