cerber

General

Target

fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
Size

268KB
Sample

240318-q3gg3aah3w
MD5

d3fdd9807a32f5c27c14879336762119
SHA1

73132972d130adb7106e6b9319b21856434eff65
SHA256

fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
SHA512

87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80
SSDEEP

6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___TJWR_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/AC64-E477-2E0B-005C-98F5 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/AC64-E477-2E0B-005C-98F5 2. http://xpcx6erilkjced3j.1e6ly3.top/AC64-E477-2E0B-005C-98F5 3. http://xpcx6erilkjced3j.1ewuh5.top/AC64-E477-2E0B-005C-98F5 4. http://xpcx6erilkjced3j.15ezkm.top/AC64-E477-2E0B-005C-98F5 5. http://xpcx6erilkjced3j.16umxg.top/AC64-E477-2E0B-005C-98F5 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/AC64-E477-2E0B-005C-98F5

http://xpcx6erilkjced3j.1t2jhk.top/AC64-E477-2E0B-005C-98F5

http://xpcx6erilkjced3j.1e6ly3.top/AC64-E477-2E0B-005C-98F5

http://xpcx6erilkjced3j.1ewuh5.top/AC64-E477-2E0B-005C-98F5

http://xpcx6erilkjced3j.15ezkm.top/AC64-E477-2E0B-005C-98F5

http://xpcx6erilkjced3j.16umxg.top/AC64-E477-2E0B-005C-98F5

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\_R_E_A_D___T_H_I_S___8OUE3_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/A11A-8466-1633-005C-9E91 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/A11A-8466-1633-005C-9E91 2. http://xpcx6erilkjced3j.1e6ly3.top/A11A-8466-1633-005C-9E91 3. http://xpcx6erilkjced3j.1ewuh5.top/A11A-8466-1633-005C-9E91 4. http://xpcx6erilkjced3j.15ezkm.top/A11A-8466-1633-005C-9E91 5. http://xpcx6erilkjced3j.16umxg.top/A11A-8466-1633-005C-9E91 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/A11A-8466-1633-005C-9E91

http://xpcx6erilkjced3j.1t2jhk.top/A11A-8466-1633-005C-9E91

http://xpcx6erilkjced3j.1e6ly3.top/A11A-8466-1633-005C-9E91

http://xpcx6erilkjced3j.1ewuh5.top/A11A-8466-1633-005C-9E91

http://xpcx6erilkjced3j.15ezkm.top/A11A-8466-1633-005C-9E91

http://xpcx6erilkjced3j.16umxg.top/A11A-8466-1633-005C-9E91

Targets

- Target
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
- Size
  
  268KB
- MD5
  
  d3fdd9807a32f5c27c14879336762119
- SHA1
  
  73132972d130adb7106e6b9319b21856434eff65
- SHA256
  
  fc184274ad3908021e4c8ef28f35dc77447ed6457375d2a4e7b411955e042527
- SHA512
  
  87468ab4136f449cab6e3689b4460de6dc59421ad20ce8208e251b3e4ef63f4ac281288ec51a35469e2473328de8b45b487cd72f40ba72d304a44b89a99a7a80
- SSDEEP
  
  6144:IXJ6Mv/PMB5lZOx4ccuiA8HYVVo7bBPxwdNaLvo:KJf/kBrZOxfwAsYVVoZZwdNaE
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2