Cerber Ransomware: Unpacking Malware from Memory and Extracting Its Configuration



I. Steps:
(1) Load the CERBER ransomware variant in Immunity Debugger or OllyDbg;
(2) Under "Debugging Options", set the first pause at WinMain (if its location is known) and enable "Break on new module (DLL)";
(3) When the injected module is mapped, dump the memory region that starts with an "MZ" header;
(4) Carve that region into a file and confirm it carries the Crypto API imports characteristic of CERBER;
(5) Run the carved file in Immunity Debugger or OllyDbg with a breakpoint on "GetFileSize", and step through that WinAPI call until the ASCII JSON config of CERBER appears in memory;
(6) Follow the config in the dump window, carve it out and beautify the JSON;
(7) Break on the "sendto" call to obtain the C2 data;
(8) Obtain the network protocol; and
(9) Obtain its local RSA key.
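Steps (3) to (6), as an added worked example that is not from the original post and not CERBER's own code: a Python script that carves PE images out of a raw memory dump, vets each one for Crypto API names, and pulls out any embedded ASCII JSON config. It assumes the dump is a mapped image (sections sitting at their virtual addresses, which is what a debugger dump of the injected module gives you), so it rewrites SizeOfRawData/PointerToRawData to the virtual values before saving, the same fix-up a dumper plug-in performs; without it file-based tools read the wrong offsets. The dump, the minimal PE layout and the shortened config are constructed fixtures, not real sample data.

```python
import json
import re
import struct

# Crypto API names whose presence in the carved image is the "Crypto API
# characteristic" check of step (4).  A prefix match covers the A/W variants.
CRYPTO_API_NAMES = (b"CryptAcquireContext", b"CryptGenKey", b"CryptEncrypt",
                    b"CryptImportKey", b"CryptGenRandom")


def _sections(buf, pe):
    """Yield (hdr_off, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for each section header following the PE header at offset `pe`."""
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    first = pe + 24 + opt_size
    for i in range(nsect):
        s = first + i * 40
        if s + 40 > len(buf):
            break
        yield (s,) + struct.unpack_from("<IIII", buf, s + 8)


def section_table(image):
    """Section geometry of a carved image, useful to verify the fix-up."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    return [t[1:] for t in _sections(image, pe)]


def carve_pe_images(buf, mapped=True):
    """Return [(offset, image_bytes)] for every 'MZ' whose e_lfanew points at a
    real 'PE\\0\\0' signature.  mapped=True treats buf as a memory dump: section
    data lives at VirtualAddress, so the image spans up to the highest
    VirtualAddress+VirtualSize and the copy gets SizeOfRawData/PointerToRawData
    rewritten to the virtual values so that file-based tools can parse it."""
    images = []
    for m in re.finditer(b"MZ", buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
        pe = off + e_lfanew
        if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(buf):
            continue                      # decoy 'MZ' or truncated header
        if buf[pe:pe + 4] != b"PE\0\0":
            continue
        secs = list(_sections(buf, pe))
        if not secs:
            continue
        end = max((va + vs) if mapped else (rp + rs) for _, vs, va, rs, rp in secs)
        if end < secs[-1][0] - off + 40:  # image would not even hold its headers
            continue
        image = bytearray(buf[off:off + end])
        if mapped:
            for s, vs, va, _, _ in secs:  # raw size/pointer := virtual size/RVA
                struct.pack_into("<II", image, s - off + 16, vs, va)
        images.append((off, bytes(image)))
    return images


def has_crypto_api(image):
    """Names from CRYPTO_API_NAMES that occur as ASCII strings in the image."""
    return [n.decode() for n in CRYPTO_API_NAMES if n in image]


def extract_json_configs(buf):
    """Every top-level JSON object embedded in buf (the ASCII config of steps
    (5)/(6)).  Objects nested inside an already decoded one are not re-reported."""
    dec = json.JSONDecoder()
    text = buf.decode("latin-1")          # 1:1 byte-to-char, keeps offsets
    found, skip_until = [], 0
    for m in re.finditer(r'\{\s*"', text):
        if m.start() < skip_until:
            continue
        try:
            obj, end = dec.raw_decode(text, m.start())
        except ValueError:                # '{"' that is not valid JSON
            continue
        if isinstance(obj, dict):
            found.append(obj)
            skip_until = end
    return found


def analyse(dump):
    """Carve every PE in `dump`, vet it, and pull its embedded config(s)."""
    return [{"offset": off, "image": img, "crypto_api": has_crypto_api(img),
             "configs": extract_json_configs(img)}
            for off, img in carve_pe_images(dump)]


# ---- constructed fixture (hypothetical, not a real CERBER sample) -----------
def build_mapped_image(payload):
    """One-section PE32 as it sits in memory: headers at 0, .text at RVA 0x1000,
    with the on-disk PointerToRawData (0x400) still in the header, exactly the
    mismatch a raw dump leaves behind."""
    hdr = bytearray(0x1000)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)             # e_lfanew
    pe = 0x80
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, pe + 4, 0x14C, 1)      # i386, one section
    struct.pack_into("<H", hdr, pe + 20, 0xE0)          # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, pe + 24, 0x10B)         # PE32 magic
    s = pe + 24 + 0xE0
    hdr[s:s + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, s + 8, len(payload), 0x1000, len(payload), 0x400)
    return bytes(hdr) + payload


SAMPLE_CONFIG = {  # shortened, hypothetical stand-in for the dumped config
    "check": {"language": 1},
    "default": {"site_1": "onion.to", "tor": "zutzt67dcxr6mxcn"},
    "encrypt": {"bytes_skip": 512, "divider": 262144, "encrypt": 1,
                "files": [".doc", ".docx", ".jpg", ".kdbx"]},
}
PAYLOAD = (b"\x55\x8b\xec" * 16
           + b"CryptAcquireContextW\0CryptGenKey\0CryptEncrypt\0GetFileSize\0sendto\0"
           + json.dumps(SAMPLE_CONFIG, separators=(",", ":")).encode()
           + b"\0" * 32)
# Zero padding, a decoy 'MZ' with garbage where e_lfanew should be, then the image.
SAMPLE_DUMP = b"\x00" * 0x100 + b"MZ" + b"\x90" * 0x1FE + build_mapped_image(PAYLOAD)

if __name__ == "__main__":
    for r in analyse(SAMPLE_DUMP):
        print(f"PE at 0x{r['offset']:x}, {len(r['image'])} bytes, crypto: {r['crypto_api']}")
        for cfg in r["configs"]:
            print(json.dumps(cfg, indent=4, sort_keys=True))   # step (6): beautified
        with open(f"carved_{r['offset']:x}.bin", "wb") as f:
            f.write(r["image"])
```

Run it as a script and it writes one `carved_<offset>.bin` per image found, which is the file you then load for step (5). Note the fix-up only repairs section geometry; if the dumped module had its import table already resolved in memory you still need to rebuild the IAT (e.g. with Scylla) before the carved file will run outside the debugger.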


II. CERBER Configuration (as carved from memory; the "files" list is cut off after ".p7"):


{
    "blacklist": {
        "extensions": [".hta"],
        "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
        "folders": [":\\$getcurrent\\", ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\$windows.~ws\\", ":\\boot\\", ":\\documents and settings\\all users\\", ":\\documents and settings\\default user\\", ":\\documents and settings\\localservice\\", ":\\documents and settings\\networkservice\\", ":\\intel\\", ":\\msocache\\", ":\\perflogs\\", ":\\program files (x86)\\", ":\\program files\\", ":\\programdata\\", ":\\recovery\\", ":\\recycled\\", ":\\recycler\\", ":\\system volume information\\", ":\\temp\\", ":\\windows.old\\", ":\\windows10upgrade\\", ":\\windows\\", ":\\winnt\\", "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\", "\\local settings\\", "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\"],
        "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115]
    },
    "check": {
        "language": 1
    },
    "close_process": {
        "close_process": 1,
        "process": ["agntsvc.exeagntsvc.exe", "agntsvc.exeencsvc.exe", "agntsvc.exeisqlplussvc.exe", "dbeng50.exe", "dbsnmp.exe", "fbserver.exe", "firefoxconfig.exe", "msftesql.exe", "mydesktopqos.exe", "mydesktopservice.exe", "mysqld-nt.exe", "mysqld-opt.exe", "mysqld.exe", "ocautoupds.exe", "ocomm.exe", "ocssd.exe", "oracle.exe", "sqbcoreservice.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlservr.exe", "sqlwriter.exe", "synctime.exe", "tbirdconfig.exe", "xfssvccon.exe"]
    },
    "debug": 0,
    "default": {
        "site_1": "onion.to",
        "site_2": "onion.cab",
        "site_3": "onion.nu",
        "site_4": "onion.link",
        "site_5": "tor2web.org",
        "tor": "zutzt67dcxr6mxcn"
    },
    "encrypt": {
        "bytes_skip": 512,
        "divider": 262144,
        "encrypt": 1,
        "files": [".123", ".1cd", ".3dm", ".3ds", ".3fr", ".3g2", ".3gp", ".3pr", ".602", ".7z", ".7zip", ".aac", ".ab4", ".abd", ".acc", ".accdb", ".accde", ".accdr", ".accdt", ".ach", ".acr", ".act", ".adb", ".adp", ".ads", ".aes", ".agdl", ".ai", ".aiff", ".ait", ".al", ".aoi", ".apj", ".apk", ".arc", ".arw", ".ascx", ".asf", ".asm", ".asp", ".aspx", ".asset", ".asx", ".atb", ".avi", ".awg", ".back", ".backup", ".backupdb", ".bak", ".bank", ".bat", ".bay", ".bdb", ".bgt", ".bik", ".bin", ".bkp", ".blend", ".bmp", ".bpw", ".brd", ".bsa", ".bz2", ".c", ".cash", ".cdb", ".cdf", ".cdr", ".cdr3", ".cdr4", ".cdr5", ".cdr6", ".cdrw", ".cdx", ".ce1", ".ce2", ".cer", ".cfg", ".cfn", ".cgm", ".cib", ".class", ".cls", ".cmd", ".cmt", ".config", ".contact", ".cpi", ".cpp", ".cr2", ".craw", ".crt", ".crw", ".cry", ".cs", ".csh", ".csl", ".csr", ".css", ".csv", ".d3dbsp", ".dac", ".das", ".dat", ".db", ".db3", ".db_journal", ".dbf", ".dbx", ".dc2", ".dch", ".dcr", ".dcs", ".ddd", ".ddoc", ".ddrw", ".dds", ".def", ".der", ".des", ".design", ".dgc", ".dgn", ".dif", ".dip", ".dit", ".djv", ".djvu", ".dng", ".doc", ".docb", ".docm", ".docx", ".dot", ".dotm", ".dotx", ".drf", ".drw", ".dtd", ".dwg", ".dxb", ".dxf", ".dxg", ".edb", ".eml", ".eps", ".erbsql", ".erf", ".exf", ".fdb", ".ffd", ".fff", ".fh", ".fhd", ".fla", ".flac", ".flb", ".flf", ".flv", ".forge", ".fpx", ".frm", ".fxg", ".gbr", ".gho", ".gif", ".gpg", ".gray", ".grey", ".groups", ".gry", ".gz", ".h", ".hbk", ".hdd", ".hpp", ".html", ".hwp", ".ibank", ".ibd", ".ibz", ".idx", ".iif", ".iiq", ".incpas", ".indd", ".info", ".info_", ".iwi", ".jar", ".java", ".jnt", ".jpe", ".jpeg", ".jpg", ".js", ".json", ".k2p", ".kc2", ".kdbx", ".kdc", ".key", ".kpdx", ".kwm", ".laccdb", ".lay", ".lay6", ".lbf", ".lck", ".ldf", ".lit", ".litemod", ".litesql", ".lock", ".ltx", ".lua", ".m", ".m2ts", ".m3u", ".m4a", ".m4p", ".m4u", ".m4v", ".ma", ".mab", ".mapimail", ".max", ".mbx", ".md", ".mdb", ".mdc", ".mdf", ".mef", ".mfw", ".mid",
                  ".mkv", ".mlb", ".mml", ".mmw", ".mny", ".money", ".moneywell", ".mos", ".mov", ".mp3", ".mp4", ".mpeg", ".mpg", ".mrw", ".ms11", ".msf", ".msg", ".mts", ".myd", ".myi", ".nd", ".ndd", ".ndf", ".nef", ".nk2", ".nop", ".nrw", ".ns2", ".ns3", ".ns4", ".nsd", ".nsf", ".nsg", ".nsh", ".nvram", ".nwb", ".nx2", ".nxl", ".nyf", ".oab", ".obj", ".odb", ".odc", ".odf", ".odg", ".odm", ".odp", ".ods", ".odt", ".ogg", ".oil", ".omg", ".one", ".onenotec2", ".orf", ".ost", ".otg", ".oth", ".otp", ".ots", ".ott", ".p12", ".p7"]
    }
}

III. C2 Traffic:
  • 1.11.32.9.0-31
  • 55.15.15.0-31
  • 194.165.16.0-254
  • 194.165.17.0-254

IV. Protocol Communication:


  • “{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}”


V. RSA Key

VI. CERBER Debug Strings:

