ransomware Cerber Analysis__ransomware

Cerber is an executable program, its infection after the behavior is not cryptxxx so hidden, it can be said that the analysis of its behavior is not difficult, but it is better to protect the internal data than cryptxxx do. For example, I could write a simple inverse algorithm to extract all the encrypted data from the cryptxxx, but for Cerber it obviously worked well enough to protect the internal data, but it didn't stop me from extracting all of its internal data. The following is a detailed analysis of how it protects the logic of internal data.

It also needs to be understood that Cerber is implemented in C and it does not use Microsoft's runtime, in other words, it does not adopt Microsoft's compiler, most likely an Intel compiler or a cross-compiler gcc, I am not sure. To be sure it is 2 points, did not adopt the Microsoft compiler, did not use the C + + standard library.

2016-7-8

Update, I originally through analysis cryptxxx, feel cryptxxx logic design is very ingenious, its infection way is dispersed to many export functions. Now through the latest analysis of Cerber, found that Cerber is also designed very cleverly, it to do some specific operations will invoke other command-line processes to hide themselves. You can see how deeply the author understands the Windows system and should be an advanced player.

Cryptxxx has a variety of beautifully designed blackmail, which are html,bmp,txt, have 2 Web server nodes, interact very frequently with the web, and do backup to each other. It takes a lot of people and energy to maintain these things, it's like a team doing it.

Cerber is more like a person doing, its blackmail page is very simple and not beautiful, it also has no interaction with the web, should be no energy to maintain the Web site, or better hide themselves. But the author should be a senior Windows player.

Why, because I found out that cerber will give me the right to check the current state of UAC, and use a lot of Windows built-in variables (%xxxx%) In this form, I feel that the author used to be a virus.

Global Data Structure

Named	Imageoffset	Size	Description
G_lpmodulefullpath	0x41b760	4	Cerber current directory with filename
G_lpmodulepath	0x41b440	4	The directory where Cerber is located
G_paddrcontainmeta	0x41b43c	0x124	A data structure contains meta information
G_hevent	0x41b438	4	Global event, Manual set initial no signal
G_szcercoprotmutex	0x41b648	4	Name of global Mutex
G_hheap	0x419a50	4	Global objects, private heap handles
G_dwcurrentpid	0x419a54	4	Current Process ID
G_dwimmmap	0x419a3c	0x10	A set of constants used to compute strings
G_bencryptdone	0x41bf61	4	Whether the encryption completes the flag
G_hcryptprov	0x41a168	4	Cryptographic service Provider
G_szmodulefilename	0x41b970	4	File name of the current process
G_tedglobalmeta	0x41a0f8		Global Meta data structure
G_bmultithread	0x41a12c	4	Global flag, whether multithreading encryption
G_dwmaxblocksize	0x41a14c	4	The size of the biggest chunk
G_dwmaxblocks	0x41a12d	4	Maximum block quantity
G_dqminfilesize	0x41a138	8	Minimum file size
G_dwrsakeysize	0x41a154	4	The size of the Rsakey
G_cerber_key_place	0x41beb8	4
G_pjsonobject	0x41a134