Goal: Learn how to obtain the configuration of Cerber ransomware (CRBR Encryptor) by leveraging its use of the string-compare function StrCmpNIA from SHLWAPI.dll.
Source: Malwarebytes
SHA-1: 4BDD366D8EE35503CF062AE22ABE5A4A2D8D8907
Tool: OllyDbg, CFF Explorer
Background:
This reversing technique relies on a source-code level understanding of the Cerber string-parsing function, which leverages the "SHLWAPI" library; the initial discovery came from that same source-level analysis of the ransomware.
Steps:
- Open the malware in CFF Explorer and inspect its import address table (IAT). Note that the SHLWAPI library referenced above is not among the imports; therefore, we have to wait until the malware loads this library dynamically at runtime.
- In OllyDbg, go to "Options" -> "Events" and check "Break on new module (DLL)".
- Observe the loaded SHLWAPI library in the DLL section.
- Go to "Expression to follow", enter "StrCmpNIA", and uncheck the earlier "Break on new module (DLL)" option.
- Run until you observe the StrCmpNIA function with the following call:
0012FB84 00403DBA /CALL to StrCmpNIA
0012FB88 0129DCD0 |S1 = "{"blacklist":…}"
0012FB8C 01299548 |S2 = "NULL"
0012FB90 00000004 \N = 4
- Back up the S1 buffer and save the data to a file. Enjoy!
Here is the full extracted Cerber config:
{
  "blacklist": {
    "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
    "folders": [
      ":\\$getcurrent\\", ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\$windows.~ws\\", ":\\boot\\",
      ":\\documents and settings\\all users\\", ":\\documents and settings\\default user\\",
      ":\\documents and settings\\localservice\\", ":\\documents and settings\\networkservice\\",
      ":\\intel\\", ":\\logs\\", ":\\msocache\\", ":\\perflogs\\", ":\\program files (x86)\\",
      ":\\program files\\", ":\\programdata\\", ":\\recovery\\", ":\\recycled\\", ":\\recycler\\",
      ":\\system volume information\\", ":\\system.sav\\", ":\\temp\\", ":\\windows.old\\",
      ":\\windows10upgrade\\", ":\\windows\\", ":\\winnt\\", "\\appdata\\local\\", "\\appdata\\locallow\\",
      "\\appdata\\roaming\\", "\\local settings\\", "\\public\\music\\sample music\\",
      "\\public\\pictures\\sample pictures\\", "\\public\\videos\\sample videos\\", "\\tor browser\\"
    ],
    "languages": [1049, 1058, 1059, 1064, 1067, 1068, 1079, 1087, 1088, 1090, 1091, 1092, 2072, 2073, 2092, 2115]
  },
  "check": {"language": 1},
  "debug": 0,
  "default": {
    "bchn": "1GcnsLs7C31uuroNmUHwwbB5xQeNvm63Ee",
    "site_1": "tor2web-.org",
    "site_2": "onion.link",
    "site_3": "onion.nu",
    "site_4": "onion.cab",
    "site_5": "onion.to",
    "tor": "oqwygprskqv65j72"
  },
  "encrypt": {
    "bytes_skip": 2048,
    "divider": 327680,
    "encrypt": 1,
    "files": [[".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".pdf", ".rar", ".zip", ".ppt", ".pptx", ".avi", ".mpg", ".mpeg", ".wmv"]],
    "max_block_size": 16,
    "min_file_size": 3072,
    "multithread": 1,
    "network": 1,
    "rsa_key_size": 880,
    "threads_per_core": 1
  },
  "global_public_key": "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",
  "help_files": {
    "files": [{"file_body": "REDACTED", "file_extension": ".txt"}],
    "files_name": "_HOW_TO_DECRYPT_MY_FILES_{RAND}_",
    "run_by_the_end": 1
  },
  "self_deleting": 1,
  "servers": {
    "statistics": {
      "data_finish": "e01ENV9LRVl9",
      "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=",
      "ip": ["15.42.13[.0/27", "44.66.140[.0/27", "87.98.176[.0/22"],
      "port": 6893,
      "send_stat": 1,
      "timeout": 255
    }
  },
  "wallpaper": {
    "change_wallpaper": 1,
    "background": 139,
    "color": 16777215,
    "size": 13,
    "text": " \n CRBR ENCRYPT0R \n \n\n Y0UR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES \n HAVE BEEN ENCRYPTED! \n\n The only way to decrypt your files is to receive \n the private key and decryption program. \n\n To receive the private key and decryption program \n go to any decrypted folder – inside there is the special file (*_R_E_A_D___T_H_I_S_*) \n with complete instructions how to decrypt your files. \n\n If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, \n follow the instructions below: \n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it. \n 2. In the \"Tor Browser\" open your personal page here: \n\n http://{TOR}.onion/{PC_ID} \n\n Note! This page is available via \"Tor Browser\" only. \n\n\n"
  },
  "whitelist": {
    "folders": [
      "\\bitcoin\\", "\\excel\\", "\\microsoft sql server\\", "\\microsoft\\excel\\",
      "\\microsoft\\microsoft sql server\\", "\\microsoft\\office\\", "\\microsoft\\onenote\\",
      "\\microsoft\\outlook\\", "\\microsoft\\powerpoint\\", "\\microsoft\\word\\", "\\office\\",
      "\\onenote\\", "\\outlook\\", "\\powerpoint\\", "\\steam\\", "\\the bat!\\", "\\thunderbird\\", "\\word\\"
    ]
  }
}
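As an added example (my own code, not part of the original notes or of the Malwarebytes analysis), the Python script below covers the two things an analyst does with the S1 buffer once it has been dumped from the debugger: carve the balanced JSON object out of the surrounding memory (tracking string and escape state so the braces in the wallpaper text do not end the object early) and interpret the result. It decodes the base64 statistics templates and applies a simplified reading of the blacklist/whitelist/extension lists to sample paths. The check ordering and the assumption that a whitelisted folder overrides a blacklisted one are mine and are not documented on the page; the embedded buffer is a constructed subset of the config above, with a few junk bytes around it to stand in for neighbouring memory.

```python
import base64
import json

# Constructed sample of a dumped S1 buffer: a subset of the config values shown
# above, serialised to JSON and wrapped in a few junk bytes. A real dump saved
# from the debugger would contain the full blob and arbitrary surrounding memory.
_SAMPLE_CONFIG = {
    "blacklist": {
        "files": ["bootsect.bak", "iconcache.db", "ntuser.dat", "thumbs.db"],
        "folders": [":\\$recycle.bin\\", ":\\windows\\", "\\appdata\\local\\", "\\tor browser\\"],
        "languages": [1049, 1058, 1059, 1064],
    },
    "check": {"language": 1},
    "encrypt": {"files": [[".doc", ".docx", ".pdf", ".jpg"]], "min_file_size": 3072},
    "servers": {"statistics": {
        "data_start": "e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=",
        "data_finish": "e01ENV9LRVl9",
        "port": 6893,
    }},
    # Braces inside a string value, as in the wallpaper text, must not end the carve early.
    "wallpaper": {"text": "http://{TOR}.onion/{PC_ID}"},
    "whitelist": {"folders": ["\\bitcoin\\", "\\microsoft sql server\\", "\\thunderbird\\"]},
}
DUMPED_BUFFER = b"\x00\x10\x40" + json.dumps(_SAMPLE_CONFIG).encode() + b"\x00\x00\xff"


def carve_json(buf):
    """Return the first balanced JSON object found in buf, parsed into a dict.
    String and escape state are tracked so that '{' or '}' inside a value
    (e.g. the {TOR} and {PC_ID} placeholders) are not counted as structure."""
    start = buf.find(b"{")
    if start < 0:
        raise ValueError("no '{' in buffer")
    depth, in_str, esc = 0, False, False
    for i in range(start, len(buf)):
        c = buf[i]
        if in_str:
            if esc:
                esc = False
            elif c == 0x5C:          # backslash starts an escape sequence
                esc = True
            elif c == 0x22:          # unescaped quote closes the string
                in_str = False
        elif c == 0x22:
            in_str = True
        elif c == 0x7B:              # '{'
            depth += 1
        elif c == 0x7D:              # '}'
            depth -= 1
            if depth == 0:
                return json.loads(buf[start:i + 1].decode("utf-8"))
    raise ValueError("unterminated JSON object")


def decode_stat_template(b64):
    """The servers.statistics templates are plain base64; decoding them shows
    which fields the sample reports to its statistics servers."""
    return base64.b64decode(b64).decode("ascii")


def language_blocks_run(cfg, lcid):
    """Assumed semantics (inferred from the key names, not stated on the page):
    with check.language set, a system locale ID listed in blacklist.languages
    makes the sample stop before encrypting anything."""
    return bool(cfg["check"]["language"]) and lcid in cfg["blacklist"]["languages"]


def classify_path(cfg, path, size):
    """Assumed, simplified file-selection rules implied by the config keys.
    Matching is case-insensitive: every list entry is lowercase, which is why a
    case-insensitive compare such as StrCmpNIA fits this parsing routine."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if size < cfg["encrypt"]["min_file_size"]:
        return "skip: below min_file_size"
    if name in cfg["blacklist"]["files"]:
        return "skip: blacklisted filename"
    if ext not in {e for group in cfg["encrypt"]["files"] for e in group}:
        return "skip: extension not targeted"
    if any(w in p for w in cfg["whitelist"]["folders"]):
        return "encrypt: whitelisted folder"   # assumption: whitelist wins over blacklist
    if any(b in p for b in cfg["blacklist"]["folders"]):
        return "skip: blacklisted folder"
    return "encrypt"


if __name__ == "__main__":
    cfg = carve_json(DUMPED_BUFFER)
    stats = cfg["servers"]["statistics"]
    print("report start :", decode_stat_template(stats["data_start"]))
    print("report finish:", decode_stat_template(stats["data_finish"]))
    print("locale 1049 stops the run:", language_blocks_run(cfg, 1049))
    for path in [r"C:\Users\bob\Documents\report.docx",
                 r"C:\Windows\notes.doc",
                 r"C:\Users\bob\AppData\Local\Microsoft SQL Server\backup.doc",
                 r"C:\Users\bob\thumbs.db"]:
        print(path, "->", classify_path(cfg, path, 10000))
```

Run it directly to see the decoded report templates and a few classified sample paths; carve_json can be pointed at a raw memory dump saved from the debugger instead of DUMPED_BUFFER, since it only needs the bytes.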