cerber

General

Target

8c0b9adbb8e6e1a8a8553ca165b72ef4d865800fe2bb4fb753ab9985716f7795
Size

180KB
Sample

240922-kg2m8a1anf
MD5

f5dcfa1ec4cc53f95c126f8566e54622
SHA1

a5e52ff18da61f945f1eaafe63157b065eab9d92
SHA256

8c0b9adbb8e6e1a8a8553ca165b72ef4d865800fe2bb4fb753ab9985716f7795
SHA512

3f284bb1cbcf3f29dc1b0b5c538c2c50d39c436ba0493ff934f03b5c2b75b624dc9ce0e6dcdb324c3053fab65f6f48cb4b9ef5b262c6170fe71043c8fd1e1f70
SSDEEP

3072:MDeXgSFG0x6VRF9Yz9bNAt9erLehvgKf8Szc8Z6ynO+c3zoKy7CNwa:MewIG0AHHg9JA7gyhBRc8Z6QO+OzoKyO

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___BE31_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0TOS, DATABASES AND 0THER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://qfjhpgbefuhenjp7.onion/E782-2084-9C71-009E-DCFC Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://qfjhpgbefuhenjp7.13iuvw.top/E782-2084-9C71-009E-DCFC 2. http://qfjhpgbefuhenjp7.158ugp.top/E782-2084-9C71-009E-DCFC 3. http://qfjhpgbefuhenjp7.1fcfjn.top/E782-2084-9C71-009E-DCFC 4. http://qfjhpgbefuhenjp7.1225wj.top/E782-2084-9C71-009E-DCFC 5. http://qfjhpgbefuhenjp7.1a2jzy.top/E782-2084-9C71-009E-DCFC ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://qfjhpgbefuhenjp7.onion/E782-2084-9C71-009E-DCFC

http://qfjhpgbefuhenjp7.13iuvw.top/E782-2084-9C71-009E-DCFC

http://qfjhpgbefuhenjp7.158ugp.top/E782-2084-9C71-009E-DCFC

http://qfjhpgbefuhenjp7.1fcfjn.top/E782-2084-9C71-009E-DCFC

http://qfjhpgbefuhenjp7.1225wj.top/E782-2084-9C71-009E-DCFC

http://qfjhpgbefuhenjp7.1a2jzy.top/E782-2084-9C71-009E-DCFC

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___84VGF_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0TOS, DATABASES AND 0THER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://qfjhpgbefuhenjp7.onion/0AD0-8B07-B19D-009E-D3AC Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://qfjhpgbefuhenjp7.13iuvw.top/0AD0-8B07-B19D-009E-D3AC 2. http://qfjhpgbefuhenjp7.158ugp.top/0AD0-8B07-B19D-009E-D3AC 3. http://qfjhpgbefuhenjp7.1fcfjn.top/0AD0-8B07-B19D-009E-D3AC 4. http://qfjhpgbefuhenjp7.1225wj.top/0AD0-8B07-B19D-009E-D3AC 5. http://qfjhpgbefuhenjp7.1a2jzy.top/0AD0-8B07-B19D-009E-D3AC ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://qfjhpgbefuhenjp7.onion/0AD0-8B07-B19D-009E-D3AC

http://qfjhpgbefuhenjp7.13iuvw.top/0AD0-8B07-B19D-009E-D3AC

http://qfjhpgbefuhenjp7.158ugp.top/0AD0-8B07-B19D-009E-D3AC

http://qfjhpgbefuhenjp7.1fcfjn.top/0AD0-8B07-B19D-009E-D3AC

http://qfjhpgbefuhenjp7.1225wj.top/0AD0-8B07-B19D-009E-D3AC

http://qfjhpgbefuhenjp7.1a2jzy.top/0AD0-8B07-B19D-009E-D3AC

Targets

- Target
  
  42
- Size
  
  285KB
- MD5
  
  20af51324fe5cadbeaedf2945ead21e8
- SHA1
  
  3e24cc45468317f97e5491bfe89463c7933c1481
- SHA256
  
  08136ea4cfafdb12d88a0a0dcb1dd05769dc329e6db100aac6c5502f16337925
- SHA512
  
  cb1ece3e3c0d6cc1d6136ac1e783d851f1c34dbc7e5d752552ffa7b1a0d97056ca2de15ec7a4fce29ce67edcf7f8ddd6139fd43f15f93b14587768bc91bc2dbf
- SSDEEP
  
  6144:nhj3y9UAgG0AmETEVJAHgStBRceZ6QO+YzoKZ:nLAgQsVJ0BRceZLO+YE
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1090) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2