Let’s Learn: How to Obtain Cerber (CRBR) Ransomware Configuration

Goal: Learn to obtain the configuration of Cerber ransomware (the "CRBR Encryptor" variant) by breaking on its calls to the string-compare function StrCmpNIA exported by SHLWAPI.dll.
Source: Malwarebytes

SHA-1: 4BDD366D8EE35503CF062AE22ABE5A4A2D8D8907
Tools: OllyDbg, CFF Explorer

Background:
This reversing technique rests on a source-code-level understanding of how Cerber parses its configuration: the decrypted JSON config is walked with string functions from the SHLWAPI library, so a breakpoint on StrCmpNIA fires with a pointer to the plaintext configuration sitting on the stack. The only complication is that SHLWAPI is not in the import table, so the breakpoint can only be set after the malware loads the library itself.
Steps:
  • Open the sample in CFF Explorer and inspect its import directory / import address table (IAT). SHLWAPI.dll is not among the imported modules, so the malware resolves it at runtime; we therefore have to wait until the library is loaded dynamically before we can break on any of its exports.
  • In OllyDbg, go to "Options" -> "Events" and tick "Break on new module (DLL)".
  • Run (F9) until the debugger stops on a newly loaded module and SHLWAPI.dll appears in the list of loaded modules (the DLL section).
  • Press Ctrl+G ("Enter expression to follow"), enter "StrCmpNIA", set a breakpoint (F2) on the first instruction of the function, and untick "Break on new module (DLL)" so the debugger no longer stops on every subsequent DLL load.
  • Run until the breakpoint hits with the following call on the stack (the prototype is StrCmpNIA(psz1, psz2, nChar): a case-insensitive compare of the first nChar characters):
0012FB84   00403DBA  /CALL to StrCmpNIA
0012FB88   0129DCD0  |S1 = "{"blacklist":...}"
0012FB8C   01299548  |S2 = "NULL"
0012FB90   00000004  \N = 4
    S1 is the decrypted configuration in the malware's memory (note the JSON opening); the 4-character compare against "NULL" is consistent with the parser testing each JSON value for the null literal, which is why this call fires as soon as the config is parsed.
  • Follow S1 in the dump (right-click the argument -> "Follow in Dump"), then right-click the dump -> Backup -> "Save data to file" to write the whole configuration out. Enjoy!
Here is the full extracted Cerber config (the global RSA public key and the ransom-note body are redacted in this copy):

{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],"folders":[":\\$getcurrent\\",":\\$recycle.bin\\",":\\$windows.~bt\\",":\\$windows.~ws\\",":\\boot\\",":\\documents and settings\\all users\\",":\\documents and settings\\default user\\",":\\documents and settings\\localservice\\",":\\documents and settings\\networkservice\\",":\\intel\\",":\\logs\\",":\\msocache\\",":\\perflogs\\",":\\program files (x86)\\",":\\program files\\",":\\programdata\\",":\\recovery\\",":\\recycled\\",":\\recycler\\",":\\system volume information\\",":\\system.sav\\",":\\temp\\",":\\windows.old\\",":\\windows10upgrade\\",":\\windows\\",":\\winnt\\","\\appdata\\local\\","\\appdata\\locallow\\","\\appdata\\roaming\\","\\local settings\\","\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\","\\public\\videos\\sample videos\\","\\tor browser\\"],"languages":[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},"check":{"language":1},"debug":0,"default":{"bchn":"1GcnsLs7C31uuroNmUHwwbB5xQeNvm63Ee","site_1":"tor2web-.org","site_2":"onion.link","site_3":"onion.nu","site_4":"onion.cab","site_5":"onion.to","tor":"oqwygprskqv65j72"},"encrypt":{"bytes_skip":2048,"divider":327680,"encrypt":1,"files":[[".doc",".docx",".xls",".xlsx",".jpg",".jpeg",".pdf",".rar",".zip",".ppt",".pptx",".avi",".mpg",".mpeg",".wmv"]],"max_block_size":16,"min_file_size":3072,"multithread":1,"network":1,"rsa_key_size":880,"threads_per_core":1},"global_public_key":"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","help_files":{"files":[{"file_body":"REDACTED","file_extension":".txt"}],"files_name":"_HOW_TO_DECRYPT_MY_FILES_{RAND}_","run_by_the_end":1},"self_deleting":1,"servers":{"statistics":{"data_finish":"e01ENV9LRVl9","data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=","ip":["15.42.13[.0/27","44.66.140[.0/27","87.98.176[.0/22"],"port":6893,"send_stat":1,"timeout":255}},"wallpaper":{"change_wallpaper":1,"background":139,"color":16777215,"size":13,"text":"                     \n   CRBR ENCRYPT0R    \n                     \n\n  Y0UR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES  \n  HAVE BEEN ENCRYPTED!  \n\n  The only way to decrypt your files is to receive  \n  the private key and decryption program.  \n\n  To receive the private key and decryption program  \n  go to any decrypted folder – inside there is the special file (*_R_E_A_D___T_H_I_S_*)  \n  with complete instructions how to decrypt your files.  \n\n  If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC,  \n  follow the instructions below:  \n\n  1. Download \"Tor Browser\" from https://www.torproject.org/ and install it.  \n  2. In the \"Tor Browser\" open your personal page here:  \n\n  http://{TOR}.onion/{PC_ID}  \n\n  Note! This page is available via \"Tor Browser\" only.  \n\n\n"},"whitelist":{"folders":["\\bitcoin\\","\\excel\\","\\microsoft sql server\\","\\microsoft\\excel\\","\\microsoft\\microsoft sql server\\","\\microsoft\\office\\","\\microsoft\\onenote\\","\\microsoft\\outlook\\","\\microsoft\\powerpoint\\","\\microsoft\\word\\","\\office\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\","\\word\\"]}}
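Once the config is on disk, the next step is to make it answer questions. The script below is an added example written for this page, not code from the original post or from the malware's author. It embeds a trimmed, constructed copy of the config above (the RSA public key, the ransom-note body and most of the long lists are left out; the remaining values are verbatim), decodes the base64 statistics-beacon templates, refangs the statistics server ranges, and checks whether a given file would be encrypted under this config. The folder-matching semantics it assumes (case-insensitive path-fragment match, with a whitelist fragment overriding a blacklist one, e.g. \bitcoin\ under \appdata\roaming\) are inferred from the list contents and are not stated on the page.

```python
import base64
import json

# Trimmed copy of the configuration dumped on this page, embedded as constructed
# sample input: the RSA public key and ransom-note body are omitted and the long
# lists are shortened; every remaining value is verbatim from the dump.
CERBER_CONFIG_JSON = r'''
{"blacklist":{"files":["bootsect.bak","iconcache.db","ntuser.dat","thumbs.db"],
  "folders":[":\\$recycle.bin\\",":\\program files\\",":\\windows\\",
             "\\appdata\\local\\","\\appdata\\roaming\\","\\tor browser\\"],
  "languages":[1049,1058,1059,1087]},
 "check":{"language":1},
 "default":{"bchn":"1GcnsLs7C31uuroNmUHwwbB5xQeNvm63Ee","tor":"oqwygprskqv65j72"},
 "encrypt":{"bytes_skip":2048,"encrypt":1,
  "files":[[".doc",".docx",".xls",".xlsx",".jpg",".pdf",".zip"]],
  "min_file_size":3072,"network":1,"rsa_key_size":880},
 "servers":{"statistics":{"data_finish":"e01ENV9LRVl9",
  "data_start":"e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=",
  "ip":["15.42.13[.0/27","44.66.140[.0/27","87.98.176[.0/22"],"port":6893,"send_stat":1}},
 "whitelist":{"folders":["\\bitcoin\\","\\microsoft sql server\\","\\thunderbird\\"]}}
'''


def load_config(text=CERBER_CONFIG_JSON):
    """Parse the dumped JSON (an OllyDbg 'Save data to file' dump is plain ASCII)."""
    return json.loads(text)


def decode_stat_templates(cfg):
    """The statistics beacon templates are stored base64-encoded; decoding them
    shows which fields the sample reports to its statistics servers."""
    stats = cfg["servers"]["statistics"]
    return {k: base64.b64decode(stats[k]).decode("ascii")
            for k in ("data_start", "data_finish")}


def refang(addr):
    """Undo the '[.' defanging used in the dump so ranges can go into a blocklist."""
    return addr.replace("[.]", ".").replace("[.", ".")


def stat_servers(cfg):
    s = cfg["servers"]["statistics"]
    return [(refang(ip), s["port"]) for ip in s["ip"]]


def _norm(path):
    return path.replace("/", "\\").lower()


def folder_is_skipped(cfg, path):
    """ASSUMED semantics (not stated on the page): entries are case-insensitive
    path fragments; a blacklisted fragment skips the path unless a whitelist
    fragment also matches (e.g. \\bitcoin\\ inside \\appdata\\roaming\\)."""
    p = _norm(path)
    if any(w in p for w in cfg["whitelist"]["folders"]):
        return False
    return any(b in p for b in cfg["blacklist"]["folders"])


def target_extensions(cfg):
    # encrypt.files is a list of lists in the dump; flatten it.
    return {e.lower() for group in cfg["encrypt"]["files"] for e in group}


def file_is_target(cfg, path, size):
    """Would a file at this path and size be encrypted under this config?"""
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    if name in cfg["blacklist"]["files"]:
        return False
    if folder_is_skipped(cfg, p):
        return False
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in target_extensions(cfg):
        return False
    return size >= cfg["encrypt"]["min_file_size"]


def language_blocked(cfg, lcid):
    """check.language=1: the sample bails out on a blacklisted Windows LCID."""
    return bool(cfg["check"]["language"]) and lcid in cfg["blacklist"]["languages"]


if __name__ == "__main__":
    cfg = load_config()
    print(decode_stat_templates(cfg))
    print(stat_servers(cfg))
    for p, sz in [(r"C:\Users\bob\Documents\report.docx", 10000),
                  (r"C:\Windows\Temp\report.docx", 10000),
                  (r"C:\Users\bob\AppData\Roaming\Thunderbird\Profiles\mail.zip", 10000)]:
        print(p, file_is_target(cfg, p, sz))
```

The decoded data_start template lists the beacon fields in order ({MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}{STATUS}), which is the useful detection artefact here: the beacon is a fixed-order concatenation sent to the listed /27 and /22 ranges on port 6893, so those ranges plus the port are what goes into the network blocklist. Point load_config at the real dump file to run the same checks against the full configuration.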
