cerber

Resubmissions

27-04-2024 00:38

240427-ay3xhafc53 10

20-04-2024 05:28

240420-f6ht7aad5w 10

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware-Samples-main.zip
Size

15.1MB
Sample

240427-ay3xhafc53
MD5

e88a0140466c45348c7b482bb3e103df
SHA1

c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256

bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA512

2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
SSDEEP

393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___0PY8D75J_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/BE36-5997-BCED-0446-967C Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/BE36-5997-BCED-0446-967C 2. http://p27dokhpz2n7nvgr.14ewqv.top/BE36-5997-BCED-0446-967C 3. http://p27dokhpz2n7nvgr.14vvrc.top/BE36-5997-BCED-0446-967C 4. http://p27dokhpz2n7nvgr.129p1t.top/BE36-5997-BCED-0446-967C 5. http://p27dokhpz2n7nvgr.1apgrn.top/BE36-5997-BCED-0446-967C ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.12hygy.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.14ewqv.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.14vvrc.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.129p1t.top/BE36-5997-BCED-0446-967C

http://p27dokhpz2n7nvgr.1apgrn.top/BE36-5997-BCED-0446-967C

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Targets

- Target
  
  cerber.exe
- Size
  
  604KB
- MD5
  
  8b6bc16fd137c09a08b02bbe1bb7d670
- SHA1
  
  c69a0f6c6f809c01db92ca658fcf1b643391a2b7
- SHA256
  
  e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
- SHA512
  
  b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
- SSDEEP
  
  6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1106) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  cryptowall.bin
- Size
  
  240KB
- MD5
  
  47363b94cee907e2b8926c1be61150c7
- SHA1
  
  ca963033b9a285b8cd0044df38146a932c838071
- SHA256
  
  45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512
  
  93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP
  
  3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Score

9^/10

persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  jigsaw
- Size
  
  283KB
- MD5
  
  2773e3dc59472296cb0024ba7715a64e
- SHA1
  
  27d99fbca067f478bb91cdbcb92f13a828b00859
- SHA256
  
  3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
- SHA512
  
  6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
- SSDEEP
  
  6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (2017) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral3
- Target
  
  Locky
- Size
  
  180KB
- MD5
  
  b06d9dd17c69ed2ae75d9e40b2631b42
- SHA1
  
  b606aaa402bfe4a15ef80165e964d384f25564e4
- SHA256
  
  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
- SHA512
  
  8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
- SSDEEP
  
  3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score

10^/10

locky ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
behavioral4
- Target
  
  131.exe
- Size
  
  2.3MB
- MD5
  
  409d80bb94645fbc4a1fa61c07806883
- SHA1
  
  4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
- SHA256
  
  2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
- SHA512
  
  a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
- SSDEEP
  
  49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score

1^/10
behavioral5
- Target
  
  Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
- Size
  
  102KB
- MD5
  
  1b2d2a4b97c7c2727d571bbf9376f54f
- SHA1
  
  1fc29938ec5c209ba900247d2919069b320d33b0
- SHA256
  
  7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
- SHA512
  
  506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
- SSDEEP
  
  1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score

7^/10

persistence upx
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  027cc450ef5f8c5f653329641ec1fed9.exe
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral7
- Target
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.bin
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral8
- Target
  
  myguy.hta
- Size
  
  13KB
- MD5
  
  0487382a4daf8eb9660f1c67e30f8b25
- SHA1
  
  736752744122a0b5ee4b95ddad634dd225dc0f73
- SHA256
  
  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
- SHA512
  
  e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
- SSDEEP
  
  192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score

10^/10
- Blocklisted process makes network request
behavioral9
- Target
  
  svchost.exe
- Size
  
  704KB
- MD5
  
  d2ec63b63e88ece47fbaab1ca22da1ef
- SHA1
  
  dd52fcc042a44a2af9e43c15a8e520b54128cdc8
- SHA256
  
  e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5
- SHA512
  
  89d9e63d5f3b34be3d25317933031815a42c039fbee30ce8c86f8b1b7c6ca9ccfc8731da99b9246381a2c05a95ada423f4944ff72111eb0451a44e9dcb3e053e
- SSDEEP
  
  12288:rue4X2Uz0DsetgxLdsCHvX8XYJWs6XS1bFLDw1P86jZpMV7uikFg:v+2UzSgxLdsCHmQb6XSbFLDs06jZulus
Score

7^/10
- Drops startup file
behavioral10