05-22-2017 Reversing: Cerber Ransomware Configuration

Type: Ransomware
Variant: Cerber
Malware Source (SHA-256): 521089667da9de525381eb23c780ad8b3d6e64d9c95a71f10d8f6d4f2af1f561
Config Source: GitHub


Cerber Configuration:

Notes for reading the two blocks below (indicators are bracket-defanged as published; `onion.nu` and `onion.to` in block II were left undefanged by the original post):

- Block I is the short `[crbr]…[crbr]` stub. Its `b` value is the same string as `default.bchn` in block II and its `o` value is the same as `default.tor`, so block I is a subset of the full config: `b` appears to be the Bitcoin payment address and `o` the Tor hidden-service hostname that the wallpaper text references as `http://{TOR}.onion/{PC_ID}`. The five `.top` domains in `p` do not appear anywhere in block II.
- Block II, `servers.statistics`: `data_start` is base64 and decodes to `{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}`; `data_finish` decodes to `{MD5_KEY}`. With `send_stat` set to 1, this build is configured to report to the three ranges in `ip` (178[.]33[.]158[.]0/27, 178[.]33[.]159[.]0/27, 178[.]33[.]160[.]0/22) on port 6893. The transport protocol is not stated in the config, so confirm it against the sample before writing a network detection.
- `blacklist.languages` is a list of Windows LCIDs (1049 is Russian, 1058 Ukrainian; the rest are other CIS locales) and `check.language` is 1, so the locale check appears to be enabled; the config alone does not show what the sample does on a match.
- `encrypt`: `min_file_size` is 2048, and `bytes_skip`/`divider`/`max_block_size` presumably bound how much of each file is touched — confirm against the binary. The ransom note name is `_R_E_A_D___T_H_I_S___{RAND}_`, matching the `*_READ_THIS_FILE_*` wording on the wallpaper. `.bat`, `.cmd` and `.pif` appear in both `blacklist.extensions` and `encrypt.files`, and `"7zip"` lacks a leading dot, so treat the extension list as copied verbatim from the sample rather than normalised.
- Block II is rendered with typographic quotes and is cut off after the `wallpaper` object (the trailing `,"`), so it will not parse as-is; re-quote it before loading it as JSON.

I. [crbr]{"b":"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt","i":"17513","o":"p27dokhpz2n7nvgr","p":["129p1t[.]top","1apgrn[.]top","1p5fwl[.]top","1cknbd[.]top","1fu8p3[.]top"]}[crbr]

II. {“blacklist“:{“extensions“:[“.bat”,”.cmd”,”.com”,”.cpl”,”.dll”,”.exe”,”.hta”,”.msc”,”.msi”,”.msp”,”.pif”,”.scf”,”.scr”,”.sys”],”files“:[“bootsect.bak”,”iconcache.db”,”ntuser.dat”,”thumbs.db”],”folders”:[“:\\$getcurrent\\”,”:\\$recycle.bin\\”,”:\\$windows.~bt\\”,”:\\$windows.~ws\\”,”:\\boot\\”,”:\\documents and settings\\all users\\”,”:\\documents and settings\\defaultuser\\”,”:\\documents and settings\\localservice\\”,”:\\documents and settings\\networkservice\\”,”:\\intel\\”,”:\\msocache\\”,”:\\perflogs\\”,”:\\program files (x86)\\”,”:\\program files\\”,”:\\programdata\\”,”:\\recovery\\”,”:\\recycled\\”,”:\\recycler\\”,”:\\system volume information\\”,”:\\temp\\”,”:\\windows.old\\”,”:\\windows10upgrade\\”,”:\\windows\\”,”:\\winnt\\”,”\\appdata\\local\\”,”\\appdata\\locallow\\”,”\\appdata\\roaming\\”,”\\local settings\\”,”\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”,”\\public\\videos\\sample videos\\”,”\\tor browser\\”],”languages“:[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},”check“:{“language“:1},”debug”:0,”default”:{“bchn“:”17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt”,”site_1“:”tor2web[.]org”,”site_2“:”onion[.]link”,”site_3“:”onion.nu”,”site_4“:”onion[.]cab”,”site_5“:”onion.to”,”tor“:”p27dokhpz2n7nvgr”},”encrypt“:{“bytes_skip“:1792,”divider“:262144,”encrypt“:1,”files”:[[“.123″,”.1cd”,”.3dm”,”.3ds”,”.3fr”,”.3g2″,”.3gp”,”.3pr”,”.602″,”.7z”,”7zip”,”.aac”,”.ab4″,”.abd”,”.acc”,”.accdb”,”.accde”,”.accdr”,”.accdt”,”.ach”,”.acr”,”.act”,”.adb”,”.adp”,”.ads”,”.aes”,”.agdl”,”.ai”,”.aiff”,”.ait”,”.al”,”.aoi”,”.apj”,”.apk”,”.arc”,”.arw”,”.ascx”,”.asf”,”.asm”,”.asp”,”.aspx”,”.asset”,”.asx”,”.atb”,”.avi”,”.awg”,”.back”,”.backup”,”.backupdb”,”.bak”,”.bank”,”.bat”,”.bay”,”.bdb”,”.bgt”,”.bik”,”.bin”,”.bkp”,”.blend”,”.bmp”,”.bpw”,”.brd”,”.bsa”,”.bz2″,”.c”,”.cash”,”.cdb”,”.cdf”,”.cdr”,”.cdr3″,”.cdr4″,”.cdr5″,”.cdr6″,”.cdrw”,”.cdx”,”.ce1″,”.ce2″,”.cer”,”.cfg”,”.cfn”,”.cgm”,”.cib”,”.class”,”.cls”,”.cmd”,”.cmt”,”.config”,”.co
ntact”,”.cpi”,”.cpp”,”.cr2″,”.craw”,”.crt”,”.crw”,”.cry”,”.cs”,”.csh”,”.csl”,”.csr”,”.css”,”.csv”,”.d3dbsp”,”.dac”,”.das”,”.dat”,”.db”,”.db3″,”.db_journal”,”.dbf”,”.dbx”,”.dc2″,”.dch”,”.dcr”,”.dcs”,”.ddd”,”.ddoc”,”.ddrw”,”.dds”,”.def”,”.der”,”.des”,”.design”,”.dc”,”.dgn”,”.dif”,”.dip”,”.dit”,”.djv”,”.djvu”,”.dng”,”.doc”,”.docb”,”.docm”,”.docx”,”.dot”,”.dotm”,”.dotx”,”.drf”,”.drw”,”.dtd”,”.dwg”,”.dxb”,”.dxf”,”.dxg”,”.edb”,”.eml”,”.eps”,”.erbsql”,”.erf”,”.exf”,”.fdb”,”.ffd”,”.fff”,”.fh”,”.fhd”,”.fla”,”.flac”,”.flb”,”.flf”,”.flv”,”.forge”,”.fpx”,”.frm”,”.fxg”,”.gbr”,”.gho”,”.gif”,”.gpg”,”.gray”,”.grey”,”.groups”,”.gry”,”.gz”,”.h”,”.hbk”,”.hdd”,”.hpp”,”.html”,”.hwp”,”.ibank”,”.ibd”,”.ibz”,”.idx”,”.iif”,”.iiq”,”.incps”,”.indd”,”.info”,”.info_”,”.iwi”,”.jar”,”.java”,”.jnt”,”.jpe”,”.jpeg”,”.jpg”,”.js”,”.json”,”.k2p”,”.kc2″,”.kdbx”,”.kdc”,”.key”,”.kpdx”,”.km”,”.laccdb”,”.lay”,”.lay6″,”.lbf”,”.lck”,”.ldf”,”.lit”,”.litemod”,”.litesql”,”.lock”,”.ltx”,”.lua”,”.m”,”.m2ts”,”.m3u”,”.m4a”,”.m4p”,”.m4u”,”.m4v”,”.ma”,”.mab”,”.mapimail”,”.max”,”.mbx”,”.md”,”.mdb”,”.mdc”,”.mdf”,”.mef”,”.mfw”,”.mid”,”.mkv”,”.mlb”,”.mml”,”.mmw”,”.mny”,”.money”,”.moneywell”,”.mos”,”.mov”,”.mp3″,”.mp4″,”.mpeg”,”.mpg”,”.mrw”,”.ms11″,”.msf”,”.msg”,”.mts”,”.myd”,”.myi”,”.nd”,”.ndd”,”.ndf”,”.nef”,”.nk2″,”.nop”,”.nrw”,”.ns2″,”.ns3″,”.ns4″,”.nsd”,”.nsf”,”.nsg”,”.nsh”,”.nvram”,”.nwb”,”.nx2″,”.nxl”,”.nyf”,”.oab”,”.obj”,”.odb”,”.odc”,”.odf”,”.odg”,”.odm”,”.odp”,”.ods”,”.odt”,”.ogg”,”.oil”,”.omg”,”.one”,”.onenotec2″,”.orf”,”.ost”,”.otg”,”.oth”,”.otp”,”.ots”,”.ott”,”.p12″,”.p7b”,”.p7c”,”.pab”,”.pages”,”.paq”,”.pas”,”.pat”,”.pbf”,”.pcd”,”.pct”,”.pdb”,”.pdd”,”.pdf”,”.pef”,”.pem”,”.pfx”,”.php”,”.pif”,”.pl”,”.plc”,”.plus_muhd”,”.pm”,”.pm!”,”.pmi”,”.pmj”,”.pml”,”.pmm”,”.pmo”,”.pmr”,”.pnc”,”.pnd”,”.png”,”.pnx”,”.pot”,”.potm”,”.potx”,”.ppam”,”.pps”,”.ppsm”,”.ppsx”,”.ppt”,”.pptm”,”.pptx”,”.prf”,”.private”,”.ps”,”.psafe3″,”.psd”,”.pspimage”,”.pst”,”.ptx”,”.pub”,”.pwm”,”.py”,”.qba”,”.qbb”,”.qbm”,”.qbr”,”.qbw”,”.qbx”,”.qby”,”.q
cow”,”.qcow2″,”.qed”,”.qtb”,”.r3d”,”.raf”,”.rar”,”.rat”,”.raw”,”.rb”,”.rdb”,”.re4″,”.rm”,”.rtf”,”.rvt”,”.rw2″,”.rwl”,”.rwz”,”.s3db”,”.safe”,”.sas7bdat”,”.sav”,”.save”,”.say”,”.sch”,”.sd0″,”.sda”,”.sdb”,”.sdf”,”.secret”,”.sh”,”.sldm”,”.sldx”,”.slk”,”.slm”,”.sql”,”.sqlite”,”.sqlite-shm”,”.sqlite-wal”,”.sqlite3″,”.sqlitedb”,”.sr2″,”.srb”,”.srf”,”.srs”,”.srt”,”.srw”,”.st4″,”.st5″,”.st6″,”.st7″,”.st8″,”.stc”,”.std”,”.sti”,”.stl”,”.stm”,”.stw”,”.stx”,”.svg”,”.swf”,”.sxc”,”.sxd”,”.sxg”,”.sxi”,”.sxm”,”.sxw”,”.tar”,”.tax”,”.tbb”,”.tbk”,”.tbn”,”.tex”,”.tga”,”.tgz”,”.thm”,”.tif”,”.tiff”,”.tlg”,”.tlx”,”.txt”,”.uop”,”.uot”,”.upk”,”.usr”,”.vb”,”.vbox”,”.vbs”,”.vdi”,”.vhd”,”.vhdx”,”.vmdk”,”.vmsd”,”.vmx”,”.vmxf”,”.vob”,”.vpd”,”.vsd”,”.wab”,”.wad”,”.wallet”,”.war”,”.wav”,”.wb2″,”.wk1″,”.wks”,”.wma”,”.wmf”,”.wmv”,”.wpd”,”.wps”,”.x11″,”.x3f”,”.xis”,”.xla”,”.xlam”,”.xlc”,”.xlk”,”.xlm”,”.xlr”,”.xls”,”.xlsb”,”.xlsm”,”.xlsx”,”.xlt”,”.xltm”,”.xltx”,”.xlw”,”.xml”,”.xps”,”.xxx”,”.ycbcra”,”.yuv”,”.zip”]],”max_block_size“:128,”min_file_size“:2048,”multithread“:1,”network“:1,”rsa_key_size“:880,”threads_per_core“:1},”files_name“:”_R_E_A_D___T_H_I_S___{RAND}_”,”run_by_the_end”:1},”self_deleting“:1,”servers“:{“statistics”:{“data_finish“:”e01ENV9LRVl9″,”data_start“:”e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=”,”ip“:[“178[.]33[.]158[.]0/27″,”178[.]33[.]159[.]0/27″,”178[.]33[.]160[.]0/22″],”port“:6893,”send_stat“:1,”timeout“:255}},”wallpaper“:{“change_wallpaper”:1,”background“:139,”color“:16777215,”size“:13,”text“:”                     \n  CERBER RANSOMWARE  \n                     \n\n  YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES  \n  HAVE BEEN ENCRYPTED!  \n\n  The only way to decrypt your files is to receive  \n  the private key and decryption program.  
\n\n  To receive the private key and decryption program  \n  go to any decrypted folder – inside there is the special file (*_READ_THIS_FILE_*)  \n  with complete instructions how to decrypt your files.  \n\n  If you cannot find any (*_READ_THIS_FILE_*) file at your PC,  \n  follow theinstructions below:  \n\n  1. Download \”Tor Browser\” from https://www.torproject%5B.%5Dorg/ and install it.  \n  2. In the \”Tor Browser\” open your personal page here:  \n\n  http://{TOR}.onion/{PC_ID}  \n\n  Note! This page is available via \”Tor Browser\”only.  \n\n\n”},”

