Type: Ransomware
Variant: Cerber
Malware Source (sample SHA-256): 521089667da9de525381eb23c780ad8b3d6e64d9c95a71f10d8f6d4f2af1f561
Config Source: GitHub
Cerber Configuration:
I. [crbr]{"b":"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt","i":"17513","o":"p27dokhpz2n7nvgr","p":["129p1t[.]top","1apgrn[.]top","1p5fwl[.]top","1cknbd[.]top","1fu8p3[.]top"]}[crbr]
II. {"blacklist":{"extensions":[".bat",".cmd",".com",".cpl",".dll",".exe",".hta",".msc",".msi",".msp",".pif",".scf",".scr",".sys"],"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$getcurrent\\",":\\$recycle.bin\\",":\\$windows.~bt\\",":\\$windows.~ws\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\defaultuser\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\intel\\",":\\msocache\\",":\\perflogs\\",":\\program files (x86)\\",":\\program files\\",":\\programdata\\",":\\recovery\\",":\\recycled\\",":\\recycler\\",":\\system volume information\\",":\\temp\\",":\\windows.old\\",":\\windows10upgrade\\",":\\windows\\",":\\winnt\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},"check":{"language":1},"debug":0,"default":{"bchn":"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt","site_1":"tor2web[.]org","site_2":"onion[.]link","site_3":"onion.nu","site_4":"onion[.]cab","site_5":"onion.to","tor":"p27dokhpz2n7nvgr"},"encrypt":{"bytes_skip":1792,"divider":262144,"encrypt":1,"files":[[".123",".1cd",".3dm",".3ds",".3fr",".3g2",".3gp",".3pr",".602",".7z","7zip",".aac",".ab4",".abd",".acc",".accdb",".accde",".accdr",".accdt",".ach",".acr",".act",".adb",".adp",".ads",".aes",".agdl",".ai",".aiff",".ait",".al",".aoi",".apj",".apk",".arc",".arw",".ascx",".asf",".asm",".asp",".aspx",".asset",".asx",".atb",".avi",".awg",".back",".backup",".backupdb",".bak",".bank",".bat",".bay",".bdb",".bgt",".bik",".bin",".bkp",".blend",".bmp",".bpw",".brd",".bsa",".bz2",".c",".cash",".cdb",".cdf",".cdr",".cdr3",".cdr4",".cdr5",".cdr6",".cdrw",".cdx",".ce1",".ce2",".cer",".cfg",".cfn",".cgm",".cib",".class",".cls",".cmd",".cmt",".config",".contact",".cpi",".cpp",".cr2",".craw",".crt",".crw",".cry",".cs",".csh",".csl",".csr",".css",".csv",".d3dbsp",".dac",".das",".dat",".db",".db3",".db_journal",".dbf",".dbx",".dc2",".dch",".dcr",".dcs",".ddd",".ddoc",".ddrw",".dds",".def",".der",".des",".design",".dc",".dgn",".dif",".dip",".dit",".djv",".djvu",".dng",".doc",".docb",".docm",".docx",".dot",".dotm",".dotx",".drf",".drw",".dtd",".dwg",".dxb",".dxf",".dxg",".edb",".eml",".eps",".erbsql",".erf",".exf",".fdb",".ffd",".fff",".fh",".fhd",".fla",".flac",".flb",".flf",".flv",".forge",".fpx",".frm",".fxg",".gbr",".gho",".gif",".gpg",".gray",".grey",".groups",".gry",".gz",".h",".hbk",".hdd",".hpp",".html",".hwp",".ibank",".ibd",".ibz",".idx",".iif",".iiq",".incps",".indd",".info",".info_",".iwi",".jar",".java",".jnt",".jpe",".jpeg",".jpg",".js",".json",".k2p",".kc2",".kdbx",".kdc",".key",".kpdx",".km",".laccdb",".lay",".lay6",".lbf",".lck",".ldf",".lit",".litemod",".litesql",".lock",".ltx",".lua",".m",".m2ts",".m3u",".m4a",".m4p",".m4u",".m4v",".ma",".mab",".mapimail",".max",".mbx",".md",".mdb",".mdc",".mdf",".mef",".mfw",".mid",".mkv",".mlb",".mml",".mmw",".mny",".money",".moneywell",".mos",".mov",".mp3",".mp4",".mpeg",".mpg",".mrw",".ms11",".msf",".msg",".mts",".myd",".myi",".nd",".ndd",".ndf",".nef",".nk2",".nop",".nrw",".ns2",".ns3",".ns4",".nsd",".nsf",".nsg",".nsh",".nvram",".nwb",".nx2",".nxl",".nyf",".oab",".obj",".odb",".odc",".odf",".odg",".odm",".odp",".ods",".odt",".ogg",".oil",".omg",".one",".onenotec2",".orf",".ost",".otg",".oth",".otp",".ots",".ott",".p12",".p7b",".p7c",".pab",".pages",".paq",".pas",".pat",".pbf",".pcd",".pct",".pdb",".pdd",".pdf",".pef",".pem",".pfx",".php",".pif",".pl",".plc",".plus_muhd",".pm",".pm!",".pmi",".pmj",".pml",".pmm",".pmo",".pmr",".pnc",".pnd",".png",".pnx",".pot",".potm",".potx",".ppam",".pps",".ppsm",".ppsx",".ppt",".pptm",".pptx",".prf",".private",".ps",".psafe3",".psd",".pspimage",".pst",".ptx",".pub",".pwm",".py",".qba",".qbb",".qbm",".qbr",".qbw",".qbx",".qby",".qcow",".qcow2",".qed",".qtb",".r3d",".raf",".rar",".rat",".raw",".rb",".rdb",".re4",".rm",".rtf",".rvt",".rw2",".rwl",".rwz",".s3db",".safe",".sas7bdat",".sav",".save",".say",".sch",".sd0",".sda",".sdb",".sdf",".secret",".sh",".sldm",".sldx",".slk",".slm",".sql",".sqlite",".sqlite-shm",".sqlite-wal",".sqlite3",".sqlitedb",".sr2",".srb",".srf",".srs",".srt",".srw",".st4",".st5",".st6",".st7",".st8",".stc",".std",".sti",".stl",".stm",".stw",".stx",".svg",".swf",".sxc",".sxd",".sxg",".sxi",".sxm",".sxw",".tar",".tax",".tbb",".tbk",".tbn",".tex",".tga",".tgz",".thm",".tif",".tiff",".tlg",".tlx",".txt",".uop",".uot",".upk",".usr",".vb",".vbox",".vbs",".vdi",".vhd",".vhdx",".vmdk",".vmsd",".vmx",".vmxf",".vob",".vpd",".vsd",".wab",".wad",".wallet",".war",".wav",".wb2",".wk1",".wks",".wma",".wmf",".wmv",".wpd",".wps",".x11",".x3f",".xis",".xla",".xlam",".xlc",".xlk",".xlm",".xlr",".xls",".xlsb",".xlsm",".xlsx",".xlt",".xltm",".xltx",".xlw",".xml",".xps",".xxx",".ycbcra",".yuv",".zip"]],"max_block_size":128,"min_file_size":2048,"multithread":1,"network":1,"rsa_key_size":880,"threads_per_core":1},"files_name":"_R_E_A_D___T_H_I_S___{RAND}_","run_by_the_end":1},"self_deleting":1,"servers":{"statistics":{"data_finish":"e01ENV9LRVl9","data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=","ip":["178[.]33[.]158[.]0/27","178[.]33[.]159[.]0/27","178[.]33[.]160[.]0/22"],"port":6893,"send_stat":1,"timeout":255}},"wallpaper":{"change_wallpaper":1,"background":139,"color":16777215,"size":13,"text":" \n CERBER RANSOMWARE \n \n\n YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES \n HAVE BEEN ENCRYPTED! \n\n The only way to decrypt your files is to receive \n the private key and decryption program. \n\n To receive the private key and decryption program \n go to any decrypted folder – inside there is the special file (*_READ_THIS_FILE_*) \n with complete instructions how to decrypt your files. \n\n If you cannot find any (*_READ_THIS_FILE_*) file at your PC, \n follow theinstructions below: \n\n 1. Download \"Tor Browser\" from https://www.torproject[.]org/ and install it. \n 2. In the \"Tor Browser\" open your personal page here: \n\n http://{TOR}.onion/{PC_ID} \n\n Note! This page is available via \"Tor Browser\"only. \n\n\n"},"