
Win32/Cerber


First posted on 10 March 2016.
Source: Microsoft

Aliases:

There are no other names known for Win32/Cerber.

Explanation:

Installation

We have seen this ransomware use the following names for its executable and shortcut files:

  • cerber
  • encrypted
  • vssadmin


It drops a copy of its executable file into a randomly named folder in %APPDATA%\Roaming, for example:
  • %APPDATA%\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe


The threat creates a shortcut link (.lnk) to the malware executable so it runs each time you start your PC.

It uses the same name as the executable's name, for example:
  • \cerber.lnk


It also modifies the following registry keys so the ransomware runs whenever you start or restart your PC:
  • In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<executable name>", for example "cerber"
    With data: "<path to the dropped executable>", for example "%APPDATA%\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe"
  • In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "Run"
    With data: ""
  • In subkey: HKU\Administrator\Software\Microsoft\Command Processor
    Sets value: "AutoRun"
    With data: ""


The malware can also inject its code into clean processes and it might stop or close antimalware software.
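The three autostart locations above can be checked from a registry export without touching a live machine. The following is an added example (not part of the Microsoft write-up) that flags entries matching the pattern described: a value under one of those three keys that points at an .exe in a GUID-named folder under AppData\Roaming, or that carries one of the names seen with this family. It assumes the export is available as (subkey, value name, data) triples and that the user hive appears as HKU\<SID> rather than HKU\Administrator; the sample export is constructed.

```python
import re

# Persistence locations named in the write-up. The page shows them under
# HKU\Administrator; on a real system the user hive is HKU\<SID>, so only the
# part from "Software\" onward is compared.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\command processor",  # value name "AutoRun"
)
# Drop location: a GUID-named folder directly under the roaming AppData folder,
# written either with %APPDATA% (as on the page) or as an expanded path.
DROP_PATH = re.compile(
    r"(?:%appdata%|\\appdata)\\roaming\\\{[0-9a-f-]{36}\}\\[^\\]+\.exe",
    re.IGNORECASE)
KNOWN_NAMES = {"cerber", "encrypted", "vssadmin"}  # names seen on the page

def flag_persistence(entries):
    """entries: iterable of (subkey, value_name, data) from a registry export.
    Returns (reason, subkey, value_name, data) for entries matching Cerber."""
    hits = []
    for subkey, value_name, data in entries:
        low = subkey.lower()
        i = low.find("\\software\\")
        tail = low[i + 1:] if i >= 0 else low
        if tail not in RUN_KEYS:
            continue
        is_autorun = tail.endswith("command processor")
        if is_autorun and value_name.lower() != "autorun":
            continue
        if DROP_PATH.search(data):
            hits.append(("executable in GUID folder under AppData\\Roaming",
                         subkey, value_name, data))
        elif value_name.lower() in KNOWN_NAMES:
            hits.append(("value name seen with Cerber", subkey, value_name, data))
        elif is_autorun and data.strip():
            hits.append(("cmd.exe AutoRun is set", subkey, value_name, data))
    return hits

# Constructed sample export: one benign Run entry plus the three Cerber keys.
SID = r"HKU\S-1-5-21-1-2-3-1001"
DROP = r"%APPDATA%\Roaming\{b9624424-31e6-a7fd-21e6-3698086a28f5}\cerber.exe"
SAMPLE = [
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "cerber", DROP),
    (SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Run", DROP),
    (SID + r"\Software\Microsoft\Command Processor", "AutoRun", DROP),
]

if __name__ == "__main__":
    for reason, subkey, name, data in flag_persistence(SAMPLE):
        print(f"{reason}: {subkey} [{name}] = {data}")
```

A non-empty Command Processor AutoRun value is reported even without the GUID path, because that value is rarely set legitimately and is worth a manual look.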

Payload

Encrypts your files

This ransomware encrypts files with specific extensions (listed below). It doesn't encrypt files in the following folders on any drive:
  • :\$windows.~bt
  • :\boot
  • :\drivers
  • $recycle.bin
  • %APPDATA%
  • %HOMEPATH%\appdata\locallow
  • %LOCALAPPDATA%
  • %ProgramFiles%
  • %ProgramData%
  • %PUBLIC%\music\sample music
  • %PUBLIC%\pictures\sample pictures
  • %PUBLIC%\videos\sample videos
  • %SystemRoot%
  • tor browser (wherever you chose to install the Tor browser)


Files in all other folders, however, will be encrypted if they have the following extensions:
  • .1cd
  • .3dm
  • .3ds
  • .3fr
  • .3g2
  • .3gp
  • .3pr
  • .7z
  • .7zip
  • .aac
  • .ab4
  • .accdb
  • .accde
  • .accdr
  • .accdt
  • .ach
  • .acr
  • .act
  • .adb
  • .adp
  • .ads
  • .agdl
  • .ai
  • .aiff
  • .ait
  • .al
  • .aoi
  • .apj
  • .arw
  • .asf
  • .asm
  • .asp
  • .aspx
  • .asx
  • .avi
  • .awg
  • .back
  • .backup
  • .backupdb
  • .bak
  • .bank
  • .bay
  • .bdb
  • .bgt
  • .bik
  • .bin
  • .bkp
  • .blend
  • .bmp
  • .bpw
  • .c
  • .cdf
  • .cdr
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .cdx
  • .ce1
  • .ce2
  • .cer
  • .cfg
  • .cgm
  • .cib
  • .class
  • .cls
  • .cmt
  • .config
  • .contact
  • .cpi
  • .cpp
  • .cr2
  • .craw
  • .crt
  • .crw
  • .cs
  • .csh
  • .csl
  • .css
  • .csv
  • .dac
  • .dat
  • .db
  • .db_journal
  • .db3
  • .dbf
  • .dbx
  • .dc2
  • .dcr
  • .dcs
  • .ddd
  • .ddoc
  • .ddrw
  • .dds
  • .der
  • .des
  • .design
  • .dgc
  • .dit
  • .djvu
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .drf
  • .drw
  • .dtd
  • .dwg
  • .dxb
  • .dxf
  • .dxg
  • .edb
  • .eml
  • .eps
  • .erbsql
  • .erf
  • .exf
  • .fdb
  • .ffd
  • .fff
  • .fh
  • .fhd
  • .fla
  • .flac
  • .flf
  • .flv
  • .flvv
  • .fpx
  • .fxg
  • .gif
  • .gray
  • .grey
  • .groups
  • .gry
  • .h
  • .hbk
  • .hdd
  • .hpp
  • .html
  • .ibank
  • .ibd
  • .ibz
  • .idx
  • .iif
  • .iiq
  • .incpas
  • .indd
  • .java
  • .jnt
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kc2
  • .kdbx
  • .kdc
  • .key
  • .kpdx
  • .kwm
  • .laccdb
  • .ldf
  • .lit
  • .log
  • .lua
  • .m
  • .m2ts
  • .m3u
  • .m4p
  • .m4v
  • .mapimail
  • .max
  • .mbx
  • .md
  • .mdb
  • .mdc
  • .mdf
  • .mef
  • .mfw
  • .mid
  • .mkv
  • .mlb
  • .mmw
  • .mny
  • .moneywell
  • .mos
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .mrw
  • .msg
  • .myd
  • .nd
  • .ndd
  • .ndf
  • .nef
  • .nk2
  • .nop
  • .nrw
  • .ns2
  • .ns3
  • .ns4
  • .nsd
  • .nsf
  • .nsg
  • .nsh
  • .nvram
  • .nwb
  • .nx2
  • .nxl
  • .nyf
  • .oab
  • .obj
  • .odb
  • .odc
  • .odf
  • .odg
  • .odm
  • .odp
  • .ods
  • .odt
  • .ogg
  • .oil
  • .orf
  • .ost
  • .otg
  • .oth
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7c
  • .pab
  • .pages
  • .pas
  • .pat
  • .pcd
  • .pct
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pif
  • .pl
  • .plc
  • .plus_muhd
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .prf
  • .ps
  • .psafe3
  • .psd
  • .pspimage
  • .pst
  • .ptx
  • .pwm
  • .py
  • .qba
  • .qbb
  • .qbm
  • .qbr
  • .qbw
  • .qbx
  • .qby
  • .qcow
  • .qcow2
  • .qed
  • .r3d
  • .raf
  • .rar
  • .rat
  • .raw
  • .rdb
  • .rm
  • .rtf
  • .rvt
  • .rw2
  • .rwl
  • .rwz
  • .s3db
  • .safe
  • .sas7bdat
  • .sav
  • .save
  • .say
  • .sd0
  • .sda
  • .sdf
  • .sldm
  • .sldx
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .sr2
  • .srf
  • .srt
  • .srw
  • .st4
  • .st5
  • .st6
  • .st7
  • .st8
  • .stc
  • .std
  • .sti
  • .stm
  • .stw
  • .stx
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxg
  • .sxi
  • .sxm
  • .sxw
  • .tex
  • .tga
  • .thm
  • .tlg
  • .txt
  • .vbox
  • .vdi
  • .vhd
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmx
  • .vmxf
  • .vob
  • .wab
  • .wad
  • .wallet
  • .wav
  • .wb2
  • .wma
  • .wmv
  • .wpd
  • .wps
  • .x11
  • .x3f
  • .xis
  • .xla
  • .xlam
  • .xlk
  • .xlm
  • .xlr
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .ycbcra
  • .yuv
  • .zip


After encrypting a file, the ransomware renames it to 10 random characters and replaces the file extension with .cerber, for example:
  • file.png is renamed to [5kdAaBbL3d].cerber


It creates the following files in the user's Desktop folder (%HOMEPATH%\Desktop):
  • # DECRYPT MY FILES #.HTML
  • # DECRYPT MY FILES #.VBS
  • # DECRYPT MY FILES #.TXT
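The folder exclusions, the extension list, the renaming scheme and the note file names above together let a responder sort a file listing into what has already been encrypted, what was left alone, and what was at risk. The following is an added example (not part of the Microsoft write-up) that does that classification; it assumes a user named "u" so the environment variables expand to their Windows defaults, uses a constructed subset of the extension list, treats the 10 random characters as alphanumeric as in the page's example, and runs on a constructed listing.

```python
import ntpath
import re

# Folders the write-up says are skipped, as drive-less prefixes (the page lists
# them for "any drive"). Environment variables are expanded here by assumption to
# their Windows defaults for a user named "u".
SKIPPED = [
    r"\$windows.~bt", r"\boot", r"\drivers", r"\$recycle.bin",
    r"\users\u\appdata\roaming", r"\users\u\appdata\locallow",
    r"\users\u\appdata\local", r"\program files", r"\programdata",
    r"\users\public\music\sample music", r"\users\public\pictures\sample pictures",
    r"\users\public\videos\sample videos", r"\windows",
]
# Constructed subset of the extension list above; extend it with the full list.
TARGETED = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".kdbx", ".pem",
            ".sql", ".db", ".vmdk", ".bak"}
# Renamed files: 10 characters plus .cerber (assumed alphanumeric, as in the example).
ENCRYPTED = re.compile(r"^[A-Za-z0-9]{10}\.cerber$")
NOTES = {"# decrypt my files #.html", "# decrypt my files #.vbs",
         "# decrypt my files #.txt"}

def _in_skipped_folder(low):
    if "\\tor browser\\" in low:          # wherever the Tor Browser was installed
        return True
    m = re.match(r"^[a-z]:", low)
    rel = low[m.end():] if m else low
    return any(rel == s or rel.startswith(s + "\\") for s in SKIPPED)

def classify(path):
    """Return 'ransom_note', 'encrypted', 'skipped', 'targeted' or 'ignored'."""
    name = ntpath.basename(path)
    if name.lower() in NOTES:
        return "ransom_note"
    if ENCRYPTED.match(name):
        return "encrypted"
    if _in_skipped_folder(path.lower()):
        return "skipped"
    return "targeted" if ntpath.splitext(name.lower())[1] in TARGETED else "ignored"

# Constructed listing for a demonstration run.
SAMPLE = [
    r"C:\Users\u\Documents\budget.xlsx",
    r"D:\Photos\5kdAaBbL3d.cerber",
    r"C:\Users\u\Desktop\# DECRYPT MY FILES #.TXT",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\u\AppData\Roaming\app\settings.db",
    r"C:\Users\u\Desktop\Tor Browser\Browser\profile\key4.db",
    r"E:\backup\image.iso",
]
```

Running classify over a full listing (for example `collections.Counter(map(classify, paths))`) gives the count of files that were exposed, which is the figure a recovery plan needs; note that the key4.db example is spared only because it sits under a Tor Browser folder.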


The threat runs the VBS file, which is a VB script that calls the Windows text-to-speech API (SpVoice) to read the following text aloud:
  • Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!


The script contains the following code:

If the API cannot reach the text-to-speech software, you might see the following pop-up with error code 0x8004503A.

The ransomware shows a ransom note as an HTML page (# DECRYPT MY FILES #.HTML) in your web browser similar to the following:

The threat can also open the plain text file (# DECRYPT MY FILES #.TXT) with the same information, as follows:

Both notes explain that your documents, photos, and other files have been encrypted.

The plain text file and HTML page instruct you to download the Tor browser and give you a link you must open in the Tor browser.

The site you are directed to asks you to choose your language and provides a list of images of flags and languages to choose from.



You will also be asked to enter a CAPTCHA verification code to proceed on the website:



The site then shows a page that explains how to recover your files. You are told you must pay a ransom in Bitcoins to a specified Bitcoin address. The page includes instructions on how to buy Bitcoins and how to transfer them to the address.

Connects to a remote host

We have seen this malware connect to a remote host through Tor.



Analysis by Carmen Liang

Some information was gathered from analysis of file SHA1 193f407a2f0c7e1eaa65c54cd9115c418881de42

Last update 10 March 2016
