win.cerber

Cerber


A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. It has undergone multiple iterations in which the extension has changed. It uses a very readily identifiable set of UDP activity to check in and report infections, and primarily uses Tor for payment information.

References
2020-07-29, ESET Research, welivesecurity: "THREAT REPORT Q2 2020". https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf (retrieved 2020-07-30)
  Families: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos Ransomware, PlugX, Pony, REvil, Socelars, STOP Ransomware, Tinba, TrickBot, WannaCryptor
2020-02-25, RSA Conference, Joel DeCapua: "Feds Fighting Ransomware: How the FBI Investigates and How You Can Help". https://www.youtube.com/watch?v=LUxOcpIRxmg (retrieved 2020-03-04)
  Families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos Ransomware, Rapid Ransom, REvil, Ryuk, SamSam, Zeus
2018-08-06, rinse and REpeat analysis, James Haughom: "Reversing Cerber - RaaS". https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html (retrieved 2020-01-08)
  Families: Cerber
2017-12, Check Point, Stanislav Skuratovich and Neomi Rona: "Nine circles of Cerber". https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/ (retrieved 2019-11-26)
  Families: Cerber
2017-03-28, Trend Micro, Gilbert Sison: "Cerber Starts Evading Machine Learning". http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/ (retrieved 2019-12-19)
  Families: Cerber
2016-03-11, Malwarebytes, hasherezade: "Cerber ransomware: new, but mature". https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ (retrieved 2019-12-20)
  Families: Cerber
Yara Rules
[TLP:WHITE] win_cerber_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cerber_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03c8 3bcf 7ccd 5f 5b c9 }
            // n = 6, score = 1200
            //   03c8                 | add                 ecx, eax
            //   3bcf                 | cmp                 ecx, edi
            //   7ccd                 | jl                  0xffffffcf
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_1 = { 8d4f04 894df0 e8???????? 8975f4 }
            // n = 4, score = 1200
            //   8d4f04               | lea                 ecx, [edi + 4]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   e8????????           |                     
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi

        $sequence_2 = { 837d1420 7d14 8b4d14 83451408 8bd8 d3eb }
            // n = 6, score = 1200
            //   837d1420             | cmp                 dword ptr [ebp + 0x14], 0x20
            //   7d14                 | jge                 0x16
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   83451408             | add                 dword ptr [ebp + 0x14], 8
            //   8bd8                 | mov                 ebx, eax
            //   d3eb                 | shr                 ebx, cl

        $sequence_3 = { 8b4d10 881c0a 4a 79e6 47 3b7d0c }
            // n = 6, score = 1200
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   881c0a               | mov                 byte ptr [edx + ecx], bl
            //   4a                   | dec                 edx
            //   79e6                 | jns                 0xffffffe8
            //   47                   | inc                 edi
            //   3b7d0c               | cmp                 edi, dword ptr [ebp + 0xc]

        $sequence_4 = { 6633ce 0fb7f1 83c208 eb30 8b4d10 }
            // n = 5, score = 1200
            //   6633ce               | xor                 cx, si
            //   0fb7f1               | movzx               esi, cx
            //   83c208               | add                 edx, 8
            //   eb30                 | jmp                 0x32
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_5 = { ff7508 8b7510 e8???????? 59 59 8bf8 8bc7 }
            // n = 7, score = 1200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8bf8                 | mov                 edi, eax
            //   8bc7                 | mov                 eax, edi

        $sequence_6 = { e8???????? 8945f0 8bc3 e8???????? 8b5510 8945fc }
            // n = 6, score = 1200
            //   e8????????           |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_7 = { 7838 8b4508 8b04b8 83651400 }
            // n = 4, score = 1200
            //   7838                 | js                  0x3a
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b04b8               | mov                 eax, dword ptr [eax + edi*4]
            //   83651400             | and                 dword ptr [ebp + 0x14], 0

    condition:
        7 of them and filesize < 573440
}