Cerber Ransomware Malware Analysis Report

Cerber ransomware is a Windows-based ransomware family sold on cybercrime underground markets as Ransomware-as-a-Service (RaaS). The family was most active in the 2016–2018 era, but samples still surface every now and then. Cerber typically spreads via email attachments that carry embedded malicious scripts, which drop the Cerber payload onto the system.

This ransomware family encrypts files on a system and appends the .cerber file extension to them.

Aliases: Win32/Filecoder.Cerber.B (ESET-NOD32), Ransom:Win32/Cerber.A (Microsoft), Ransom_CERBER.SMEJ5 (TrendMicro)

Behavioral analysis

The behavioral analysis aspect of this report covers any modified files, modified registry items, injected processes, data exfiltration, etc.

The sample analyzed within this post has SHA256: e87a4702ca5a64b7c10f7ccd6ebc8bc454560e58dcbc78a0e74f15fc9a59cdc5

Initial execution

Upon initial execution, Cerber checks where it is being run from. If it is not being launched from APPDATA, it copies itself to the victim's Roaming directory and then attempts to clean up after itself so as not to leave any tracks behind.

Hiding its tracks

To make incident response and detection of the malware's execution harder, it uses a few CMD commands to clear up and delete the files associated with its initial execution.

The sample starts CMD with a self-terminating command chain, using taskkill and del to wipe traces of its execution:

  • /d /c taskkill /t /f /im "e87a4702ca5a64b7c10f7ccd6ebc8bc454560e58dcbc78a0e74f15fc9a59cdc5.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\admin\Desktop\e87a4702ca5a64b7c10f7ccd6ebc8bc454560e58dcbc78a0e74f15fc9a59cdc5.exe" > NUL

This is done under the condition that pinging localhost works.

Dropped files

After the initial payload executes and conducts its malicious tasks, it also starts a child process of itself from another directory, executing under the process image name "qappsrv.exe":

  • C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe

This newly dropped file then works with Internet Explorer, first performing a variety of registry key modifications. It attempts to lessen the security of the browser by changing certain registry keys.

Persistence

Cerber modifies various registry keys that allow the malware to relaunch later on. Cerber uses the basic Run and RunOnce keys, both common persistence methods that malware uses.

  • Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Name: qappsrv
    • Value: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe"

(Screenshot: regedit)

  • Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • Name: qappsrv
    • Value: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe"

The Command Processor AutoRun value also gets modified to point at the dropped Cerber sample.

  • Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    • Name: AutoRun
    • Value: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe"

Cerber also modifies a registry value so that the malware launches instead of the screensaver when the system becomes idle.

  • Registry Key: HKEY_CURRENT_USER\Control Panel\Desktop
    • Name: SCRNSAVE.EXE
    • Value: "C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe"

(Screenshot: screensaver registry value)

While the malware modified various registry keys, the value names it uses reflect the malware executable's name. It is interesting to note that every time the malware runs, and every time it makes registry modifications, the names that get used change, which indicates that the malware either has a list of hardcoded executable names to choose from or uses some kind of random selection/generation function.

In addition to these registry methods, it also adds a .lnk file in the \Start Menu\Programs\StartUp folder linking back to the same dropped file seen in the modified registry values. Adding this link to the startup folder further ensures that the malware gets executed after a system reboot.

  • File creation
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qappsrv.lnk
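The persistence locations above (Run/RunOnce, the Command Processor AutoRun hook, the SCRNSAVE.EXE value and the StartUp .lnk) are all cheap to audit from registry and file telemetry. The following is an added example written for this report, not code from the original post or from the Cerber sample: it takes registry-value records in the shape a Sysmon Event ID 13 export might provide (key, value name, data), reproduces the three values observed above alongside constructed benign entries, and flags the traits that made the Cerber entries stand out: an executable under a user-writable profile directory, a GUID-named folder, a cmd.exe AutoRun hook, and a screensaver value that points at a non-.scr file. The record layout, the benign entries and the function names are assumptions for the example.

```python
import re

# Registry-value records (key, value name, data) in the shape a Sysmon Event ID 13
# export might give. The first three reproduce the values observed in this report;
# the rest are constructed benign entries for contrast.
OBSERVED_IMAGE = r'"C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\qappsrv.exe"'
RECORDS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "qappsrv", OBSERVED_IMAGE),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor", "AutoRun", OBSERVED_IMAGE),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "SCRNSAVE.EXE", OBSERVED_IMAGE),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
     r'"C:\Program Files\Example\updater.exe" /background'),            # constructed, benign
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "SCRNSAVE.EXE", r"C:\Windows\System32\Bubbles.scr"),
    (r"HKEY_CURRENT_USER\Software\Example\Settings", "Theme", "dark"),  # not an autostart location
]

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
CMD_AUTORUN_KEY = r"hkey_current_user\software\microsoft\command processor"
DESKTOP_KEY = r"hkey_current_user\control panel\desktop"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# A GUID used as a directory name, as in the dropped qappsrv.exe path.
GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\|\\Users\\Public\\", re.I)


def image_path(data):
    """Extract the executable path from a registry value: quoted path, or first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def audit_record(key, name, data):
    """Return the reasons an autostart record looks suspicious (empty list if none)."""
    key_l, name_l = key.lower(), name.lower()
    path = image_path(data)
    reasons = []
    if key_l == CMD_AUTORUN_KEY and name_l == "autorun":
        reasons.append("cmd.exe AutoRun hook set; rarely used by legitimate software")
    elif key_l == DESKTOP_KEY and name_l == "scrnsave.exe":
        if not path.lower().endswith(".scr"):
            reasons.append("screensaver value points at a non-.scr executable")
    elif key_l not in RUN_KEYS:
        return []  # not an autostart location this audit covers
    if USER_WRITABLE.search(path):
        reasons.append("image lives in a user-writable profile directory")
    if GUID_DIR.search(path):
        reasons.append("image lives in a GUID-named directory")
    return reasons


def is_startup_lnk(path):
    """True for a shortcut created in the per-user Start Menu StartUp folder."""
    p = path.lower()
    return STARTUP_DIR in p and p.endswith(".lnk")


def audit(records):
    """Return (record, reasons) for every record that has at least one reason."""
    return [(r, audit_record(*r)) for r in records if audit_record(*r)]


if __name__ == "__main__":
    for (key, name, _), reasons in audit(RECORDS):
        print(f"{key}\\{name}: " + "; ".join(reasons))
    print(is_startup_lnk(r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\qappsrv.lnk"))
```

The legitimate screensaver and the Program Files updater come back clean, while all three Cerber values are flagged for at least two reasons each; the Command Processor and SCRNSAVE.EXE entries get an extra reason because those locations are rarely touched by legitimate installers.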

Disabling system recovery

Malware, and ransomware especially, likes to remove the ability to recover the system from backups or to boot into a recovery mode that could repair the system after infection. Ransomware commonly removes shadow copies (volume snapshots). This Cerber sample was observed running four different commands that use various techniques to make system recovery more difficult.

  • "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    • This sample was detected using the wmic.exe application to delete shadow copies from the system
  • "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    • This sample was detected using the vssadmin.exe application to delete all the shadow copies from the system in a quiet manner
  • "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    • This sample was detected using the bcdedit.exe application to set the recoveryenabled option to no
  • "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    • This sample was detected using the bcdedit.exe application to set the bootstatuspolicy to ignore any failures that may occur

Combining these four commands is nothing new in the ransomware world; they are very commonly run, and seeing these commands execute across your systems, or spotting them in log files, can be a significant indicator of a possible malware/ransomware infection.
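Both the self-deletion chain from the "Hiding its tracks" section and the four recovery-tampering commands above are process-creation events, so one command-line scanner covers both. The following is an added example for this report, not code from the original post or from the sample: it runs a small rule set over constructed Sysmon-style command lines (the sample lines mirror the commands quoted above, with a placeholder image name in place of the hash-named executable) and matches only the destructive forms, so read-only uses of vssadmin and bcdedit do not fire. The self-deletion check goes one step further than a keyword match: it splits the chain on `&` and confirms that the process killed with `taskkill /im` is the same file removed with `del`. The event format and the rule names are assumptions for the example.

```python
import ntpath
import re

# Constructed process-creation command lines (Sysmon Event ID 1 style). These are
# synthetic samples written for this example, not telemetry from the report; the
# recovery-tampering lines mirror the four commands described above.
SAMPLE_EVENTS = [
    r'cmd.exe /d /c taskkill /t /f /im "payload.exe" > NUL & ping -n 1 127.0.0.1 > NUL '
    r'& del "C:\Users\admin\Desktop\payload.exe" > NUL',
    r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
    r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet',
    r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no',
    r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures',
    r'"C:\Windows\System32\bcdedit.exe" /enum',            # benign: read-only query
    r'"C:\Windows\system32\vssadmin.exe" list shadows',     # benign: read-only query
    r'cmd.exe /c ping -n 1 127.0.0.1 > NUL',                # benign: no kill/delete chain
]

# Each rule names the technique and matches only the destructive form of the
# command, so read-only uses of the same tools do not fire.
RECOVERY_RULES = [
    ("recovery.wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery.vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery.bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery.bcdedit_ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def self_delete_target(cmdline):
    """Return the image name when a cmd chain kills a process and deletes the same file.

    The chain is split on '&'; the taskkill segment yields the /im target and the del
    segment yields the deleted path. A match on the basename is the tell-tale pattern.
    """
    killed = deleted = None
    for segment in cmdline.split("&"):
        m = re.search(r'\btaskkill\b.*?/im\s+"?([^"\s]+)"?', segment, re.I)
        if m:
            killed = m.group(1).lower()
        m = re.search(r'\bdel\s+"?([^">]+?)"?\s*(?:>.*)?$', segment.strip(), re.I)
        if m:
            deleted = m.group(1).strip()
    if killed and deleted and ntpath.basename(deleted).lower() == killed:
        return killed
    return None


def classify(cmdline):
    """Return the list of detection names that fire on one command line."""
    hits = [name for name, rx in RECOVERY_RULES if rx.search(cmdline)]
    target = self_delete_target(cmdline)
    if target:
        hits.append("defense_evasion.self_delete:" + target)
    return hits


def scan(events):
    """Return (command line, hits) for every event that triggered at least one rule."""
    flagged = []
    for line in events:
        hits = classify(line)
        if hits:
            flagged.append((line, hits))
    return flagged


def recovery_tamper_count(events):
    """Count distinct recovery-tampering techniques seen; several in one session is the
    pattern described in this report."""
    seen = set()
    for _, hits in scan(events):
        seen.update(h for h in hits if h.startswith("recovery."))
    return len(seen)


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", line)
    print("distinct recovery-tampering techniques:", recovery_tamper_count(SAMPLE_EVENTS))
```

In practice the count from `recovery_tamper_count` is the useful alerting signal: a single `vssadmin delete shadows` might be an administrator reclaiming disk space, but all four techniques from one host within a short window is the pattern the report describes.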

Ransom note

The infection ends with the deployment of the ransom note, instructing the user on what has happened and how to make a payment. qappsrv.exe creates ransom notes throughout the system. You can spot a common ransom note by its name; in this case, C:\Users\admin\Desktop\# DECRYPT MY FILES #.html is the newly created ransom note, titled "DECRYPT MY FILES", an .html file that gets opened in the default browser. It also drops a .url and a .txt version of the note.

The .url file gives a link to the attacker’s .onion site to make a payment.

[InternetShortcut]
URL=http://cerberhhyed5frqa.xmfir0.win/9798-EF99-80A7-0072-7710

In this case, it created 48 copies of the ransom note to ensure that the victim will eventually read it. The note gives the victim instructions on how to make payments and other information about the malware they have been infected with.

A few other methods for communicating with the victim take place. A VBS script gets dropped to disk which uses the Speak method of the SAPI.SpVoice object to communicate via text-to-speech. This is a fairly unique method for this malware family to use.

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs
' Dropped VBScript as observed. The message strings are split with "+", presumably so
' that a simple string signature for "Attention!" or "encrypted" does not match the file.
Set SAPI = CreateObject("SAPI.SpVoice")
SAPI.Speak "Att"+"ention! A"+"ttention! Attention!"
' The warning is spoken ten times.
For i = 1 to 10
SAPI.Speak "Your docum"+"ents, photos, databas"+"es and other im"+"portant files have been encrypted!"
Next

Taking a look back at the registry modifications, you can see where the background image comes from; in this case, it is just a BMP file located in a temp directory.

(Screenshot: wallpaper registry value)

After this gets modified, aside from the various ransom notes that appear across the system, the desktop background also gets changed to a ransomware-tailored image, giving the victim information about the malware and anything else they may need.

(Screenshot: wallpaper added)

In the above image you can observe the wallpaper updated to reflect information about Cerber. You can also observe newly encrypted files, which have been given the .cerber file extension.

Network analysis

We can observe the malware's network traffic in Wireshark from the PCAP of the detonation session. Cerber communications tend to travel over UDP port 6892, and we can filter the traffic on that port in Wireshark. These are assumed to be C2 check-ins, where the malware reaches out to a C2 server to let the threat actor know that this IP/system has been infected.

(Screenshot: C2 communications)

IOCs

.onion sites

  • hxxp://cerberhhyed5frqa.onion
  • hxxp://cerberhhyed5frqa.xmfir0.win
  • hxxp://cerberhhyed5frqa.gkfit9.win
  • hxxp://cerberhhyed5frqa.305iot.win
  • hxxp://cerberhhyed5frqa.cneo59.win

IPs

  • 85.93.0.2:6892
  • 85.93.0.0:6892
  • 85.93.0.65:6892
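The UDP/6892 beaconing from the network analysis and the three peer IPs listed above combine into a simple flow hunt. The following is an added example for this report, not code from the original post or from any capture it describes: it takes constructed flow records in the shape of a Zeek conn log or a Wireshark conversations export, grades each UDP/6892 flow as an exact IOC hit, a hit on the same /24 as the listed peers (all three fall in 85.93.0.0/24), or a port-only match, and reports which internal hosts beaconed to a listed peer. The flow records, the internal addresses and the verdict names are constructed for the example; only the port and the three peer IPs come from the report.

```python
import ipaddress
from collections import Counter

# Network IOCs taken from the report: the UDP port Cerber beacons over and the peers seen.
CERBER_UDP_PORT = 6892
OBSERVED_PEERS = ["85.93.0.2", "85.93.0.0", "85.93.0.65"]

# Constructed flow records (src, dst, proto, dst port) standing in for a Zeek conn log or
# a Wireshark "Conversations" export. Synthetic data for this example, not capture data.
FLOWS = [
    ("192.168.1.20", "85.93.0.2", "udp", 6892),
    ("192.168.1.20", "85.93.0.0", "udp", 6892),
    ("192.168.1.20", "85.93.0.65", "udp", 6892),
    ("192.168.1.20", "85.93.0.130", "udp", 6892),   # same /24 as the IOCs, not listed
    ("192.168.1.21", "8.8.8.8", "udp", 53),          # benign DNS
    ("192.168.1.21", "93.184.216.34", "tcp", 443),   # benign HTTPS
    ("192.168.1.22", "10.0.0.5", "udp", 6892),       # port match only
]


def peer_networks(peers, prefix=24):
    """Collapse the observed peer addresses into the /prefix networks they belong to."""
    return sorted({ipaddress.ip_network(f"{p}/{prefix}", strict=False) for p in peers}, key=str)


def classify_flow(flow, nets):
    """Grade one flow: exact IOC hit, same network as the IOCs, port-only match, or None."""
    src, dst, proto, dport = flow
    if proto != "udp" or dport != CERBER_UDP_PORT:
        return None
    dst_ip = ipaddress.ip_address(dst)
    if dst in OBSERVED_PEERS:
        return "ioc_match"
    if any(dst_ip in net for net in nets):
        return "ioc_adjacent"
    return "port_only"


def hunt(flows):
    """Return (flow, verdict) for every flow worth an analyst's attention."""
    nets = peer_networks(OBSERVED_PEERS)
    results = []
    for flow in flows:
        verdict = classify_flow(flow, nets)
        if verdict:
            results.append((flow, verdict))
    return results


def infected_hosts(flows):
    """Internal hosts that beaconed to a listed peer, i.e. likely infected."""
    return sorted({flow[0] for flow, verdict in hunt(flows) if verdict == "ioc_match"})


def verdict_counts(flows):
    """How many flows landed in each verdict bucket."""
    return Counter(verdict for _, verdict in hunt(flows))


if __name__ == "__main__":
    for flow, verdict in hunt(FLOWS):
        print(f"{verdict:13} {flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}")
    print("likely infected:", infected_hosts(FLOWS))
```

Grading the same-/24 case separately matters because the three listed peers are consecutive addresses in one block; a beacon to an unlisted neighbour in that block is still worth a look, whereas a port-only match on UDP/6892 is weak on its own.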

File hashes

Using our custom hash harvesting tool we can obtain the various hashes for this malware sample:

getHashes.py - a tool to gather PE related hashes, for malware analysis
Usage: getHashes.py <file>

Filename: e87a4702ca5a64b7c10f7ccd6ebc8bc454560e58dcbc78a0e74f15fc9a59cdc5.bin
Compile timestamp: 2016-06-21 23:51:28

File hashes:
        IMPHASH 726E9762C7FE116389AD1E6D6DE4C6C4
        MD5     2540ECBE4BAB0D57A645E2E0AF550B97
        SHA1    23F8215CAFA58793970281D5474D990C945E5F13
        SHA256  E87A4702CA5A64B7C10F7CCD6EBC8BC454560E58DCBC78A0E74F15FC9A59CDC5

PE Sections (MD5):
        .text   13AF30569BB49CD9A033C7BD2B728CEE
        .rdata  42276E02C02E56F8B3696B973F9260F9
        .data   352CFA0CABF6BD6606563EE6352B60D7
        .rsrc   A120EAE5D1416F17BA3087F1BB55F8AD

Conclusion and mitigation

Cerber was a popular ransomware family around 2017. It was sold on underground Russian forums as RaaS: affiliates could purchase Cerber and receive part of the profits after a victim infection, without needing to develop or maintain any C2 infrastructure.

Various versions of Cerber have decryption tools freely available online. If you or your organization gets infected with Cerber, do not pay the ransom; instead, decrypt your files with one of the freely available tools.

To mitigate a Cerber infection, use anti-virus and train your users not to open email attachments without a second thought.