Summary (Cerber ransomware timeline)
Cerber.exe - Process Create (3892)
[+] Registry => HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
[+] Registry => HKLM\System\CurrentControlSet\Control\ComputerName
[+] File Drop (new file, not a copy): C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe => C:\Users\kimhy\AppData\Roaming\CondSlate.dizL
[+] File Drop (new file, not a copy): C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe => C:\Users\kimhy\AppData\Roaming\intoxicant.dll
+ Cerber.exe - Child Process Create (1664)
[+] Network Connection => 91.119.56.0 ~ 91.119.58.255:6892 (Wireshark dissects the traffic as BitTorrent)
[+] Encrypts files
[+] File Create => _HELP_HELP_HELP_GFN6S1US_.hta, .png (ransom note)
+ mshta.exe - Child Process Create (8700)
-> C:\Windows\System32\mshta.exe "C:\Users\kimhy\Desktop\_HELP_HELP_HELP_C32RV_.hta"
+ cmd.exe - Child Process Create (5772)
+ taskkill.exe - Child Process Create (4812)
-> taskkill /f /im "Cerber.exe"
+ PING.exe - Child Process Create (8448)
-> ping -n 1 127.0.0.1
Symptoms of infection
# Desktop background is changed
# Encrypted files appear on the Desktop together with a _HELP_HELP_HELP note file
# Instructions ==> demand money (ransom)
Analysis tools
1. sysmon
2. regshot, Autoruns
3. wireshark
4. procmon
1. sysmon
1). Process Create
Cerber.exe (SHA1=2F9B021F59B23B45813FBF5FB39AC44A639AB04F) UtcTime: 2018-02-20 06:45:32.603 ProcessId: 3892 ParentProcessId: 1968 |
Cerber.exe (child) UtcTime: 2018-02-20 06:45:37.751 ProcessId: 1664 |
mshta.exe UtcTime: 2018-02-20 06:45:52.306 ProcessId: 8700 ParentProcessId: 1664 |
cmd.exe UtcTime: 2018-02-20 06:46:43.074 ProcessId: 5772 |
taskkill.exe UtcTime: 2018-02-20 06:46:43.292 ProcessId: 4812 |
▶ taskkill /f /im "Cerber.exe"
PING.EXE UtcTime: 2018-02-20 06:46:43.464 ProcessId: 8448 Image: C:\Windows\System32\PING.EXE CommandLine: ping -n 1 127.0.0.1 ParentProcessId: 5772 ParentImage: C:\Windows\System32\cmd.exe |
2). Network Connection
UtcTime: 2018-02-10 06:03:01.295 ProcessId: 1664 Image: C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe DestinationIp: 91.119.56.0 DestinationPort: 6892 |
▶ Network Connection DestinationIp ranges observed: 91.119.56.0~31, 91.120.56.0~255, 91.121.56.255, 91.121.57.0~255, 91.121.58.0~255, 91.121.59.0~254
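The Sysmon records above already contain everything needed to detect this chain without a signature for the binary: a ransom note rendered by mshta.exe, a taskkill.exe whose /im target is the image of one of its own ancestors, a cmd.exe-spawned ping to 127.0.0.1 as a sleep, and the UDP beacon to 91.119.56.0:6892. The script below is an added example, not part of the original post, that parses Sysmon-style "Key: value ... |" lines and flags those four behaviours. The PIDs, image paths, command lines and the destination IP are taken from the post; the EventType field, the explorer.exe parent of PID 3892, the Protocol/TargetFilename values, the 91.119.56.0/22 beacon range and the timestamps on the constructed NetworkConnect/FileCreate records are assumptions added so the sample lines parse as complete records.

```python
"""Flag the Cerber execution chain in Sysmon-style log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input modelled on the Sysmon lines quoted in the analysis.
CERBER = r"C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe"
SAMPLE_LINES = [
    r"UtcTime: 2018-02-20 06:45:32.603 EventType: ProcessCreate ProcessId: 3892 Image: " + CERBER
    + r" CommandLine: Cerber.exe ParentProcessId: 1968 ParentImage: C:\Windows\explorer.exe |",
    r"UtcTime: 2018-02-20 06:45:37.751 EventType: ProcessCreate ProcessId: 1664 Image: " + CERBER
    + r" CommandLine: Cerber.exe ParentProcessId: 3892 ParentImage: " + CERBER + " |",
    r"UtcTime: 2018-02-10 06:03:01.295 EventType: NetworkConnect ProcessId: 1664 Image: " + CERBER
    + r" Protocol: udp DestinationIp: 91.119.56.0 DestinationPort: 6892 |",
    r"UtcTime: 2018-02-20 06:45:50.000 EventType: FileCreate ProcessId: 1664 Image: " + CERBER
    + r" TargetFilename: C:\Users\kimhy\Desktop\_HELP_HELP_HELP_C32RV_.hta |",
    r"UtcTime: 2018-02-20 06:45:52.306 EventType: ProcessCreate ProcessId: 8700 Image: C:\Windows\System32\mshta.exe"
    r' CommandLine: C:\Windows\System32\mshta.exe "C:\Users\kimhy\Desktop\_HELP_HELP_HELP_C32RV_.hta"'
    r" ParentProcessId: 1664 ParentImage: " + CERBER + " |",
    r"UtcTime: 2018-02-20 06:46:43.074 EventType: ProcessCreate ProcessId: 5772 Image: C:\Windows\System32\cmd.exe"
    r" CommandLine: cmd.exe ParentProcessId: 1664 ParentImage: " + CERBER + " |",
    r"UtcTime: 2018-02-20 06:46:43.292 EventType: ProcessCreate ProcessId: 4812 Image: C:\Windows\System32\taskkill.exe"
    r' CommandLine: taskkill /f /im "Cerber.exe" ParentProcessId: 5772 ParentImage: C:\Windows\System32\cmd.exe |',
    r"UtcTime: 2018-02-20 06:46:43.464 EventType: ProcessCreate ProcessId: 8448 Image: C:\Windows\System32\PING.EXE"
    r" CommandLine: ping -n 1 127.0.0.1 ParentProcessId: 5772 ParentImage: C:\Windows\System32\cmd.exe |",
]
# Constructed benign control: an admin killing notepad from an explorer-spawned cmd.
BENIGN_LINES = [
    r"UtcTime: 2018-02-20 07:00:00.000 EventType: ProcessCreate ProcessId: 100 Image: C:\Windows\System32\cmd.exe"
    r" CommandLine: cmd.exe ParentProcessId: 1968 ParentImage: C:\Windows\explorer.exe |",
    r"UtcTime: 2018-02-20 07:00:01.000 EventType: ProcessCreate ProcessId: 101 Image: C:\Windows\System32\taskkill.exe"
    r' CommandLine: taskkill /f /im "notepad.exe" ParentProcessId: 100 ParentImage: C:\Windows\System32\cmd.exe |',
]

# "Key: value" pairs; a value runs until the next " Key: " or the trailing " |".
KV = re.compile(r"(\w+): (.*?)(?= \w+: |\s*\|?$)")
RANSOM_NOTE = re.compile(r"_HELP_HELP_HELP_[A-Z0-9]+_\.(?:hta|png)", re.I)
TASKKILL_IM = re.compile(r'taskkill\s+/f\s+/im\s+"?([^"\s]+)"?', re.I)
PING_SLEEP = re.compile(r"-n\s+\d+\s+127\.0\.0\.1")
BEACON_NET = ipaddress.ip_network("91.119.56.0/22")  # assumed: covers 91.119.56.0-59.255
BEACON_PORT = "6892"


def parse_line(line):
    return {k: v.strip() for k, v in KV.findall(line)}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid):
    """Walk ProcessCreate records upward via ParentProcessId (cycle-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = int(procs[pid].get("ParentProcessId", -1))


def find_indicators(lines):
    events = [parse_line(l) for l in lines]
    procs = {int(e["ProcessId"]): e for e in events if e.get("EventType") == "ProcessCreate"}
    hits = defaultdict(list)
    for e in events:
        et, pid = e.get("EventType"), int(e.get("ProcessId", 0))
        if et == "ProcessCreate":
            img, cmd = image_name(e["Image"]), e.get("CommandLine", "")
            if img == "mshta.exe" and RANSOM_NOTE.search(cmd):       # note rendered via mshta
                hits["ransom_note_hta"].append(pid)
            m = TASKKILL_IM.search(cmd)
            if img == "taskkill.exe" and m:                          # kills its own ancestor
                for anc in ancestors(procs, int(e["ParentProcessId"])):
                    if image_name(anc["Image"]) == m.group(1).lower():
                        hits["self_kill"].append((pid, int(anc["ProcessId"])))
                        break
            if img == "ping.exe" and PING_SLEEP.search(cmd):         # ping-as-sleep under cmd
                parent = procs.get(int(e["ParentProcessId"]))
                if parent and image_name(parent["Image"]) == "cmd.exe":
                    hits["ping_delay"].append(pid)
        elif et == "NetworkConnect":
            ip = ipaddress.ip_address(e["DestinationIp"])
            if ip in BEACON_NET and e.get("DestinationPort") == BEACON_PORT:
                hits["udp_beacon"].append((pid, str(ip)))
        elif et == "FileCreate" and RANSOM_NOTE.search(e.get("TargetFilename", "")):
            hits["ransom_note_file"].append((pid, e["TargetFilename"]))
    return dict(hits)


def is_ransomware_chain(hits):
    """Require note + self-kill plus the beacon or the ping delay to keep noise down."""
    return bool(hits.get("ransom_note_hta") and hits.get("self_kill")
                and (hits.get("udp_beacon") or hits.get("ping_delay")))


if __name__ == "__main__":
    for name, lines in (("cerber", SAMPLE_LINES), ("benign", BENIGN_LINES)):
        found = find_indicators(lines)
        print(name, is_ransomware_chain(found), found)
```

The self-kill check is the part worth keeping in a real rule: a taskkill /f /im is common in admin scripts, but one whose target name matches the image of a process in its own parent chain is the clean-up pattern the post captures at 06:46:43, and tying it to the ancestry removes most false positives.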
2. Procmon
File Drop (new file, not a copy): C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe => C:\Users\kimhy\AppData\Roaming\CondSlate.dizL
File Drop (new file, not a copy): C:\Users\kimhy\Desktop\malware\Ransomware.Cerber\Cerber.exe => C:\Users\kimhy\AppData\Roaming\intoxicant.dll
Copies itself
Encrypts files => renames them and creates _HELP_HELP_HELP .hta and .png notes in every folder containing encrypted files
Reads MachineGuid (machine identifier) and ComputerName from the registry