Cerber is an executable program. Its post-infection behaviour is not as hidden as CryptXXX's, so analysing its behaviour can be said to be easy, but it protects its internal data better than CryptXXX does. For example, I could write a simple inverse algorithm to extract all of the encrypted data from CryptXXX; Cerber's protection of its internal data clearly works well enough, but it still did not stop me from extracting all of that data. What follows is a detailed analysis of the logic it uses to protect its internal data.
It also needs to be understood that Cerber is implemented in C and does not use Microsoft's runtime; in other words, it was not built with Microsoft's compiler, most likely an Intel compiler or a gcc cross-compiler, I am not sure which. Two points are certain: it was not built with the Microsoft compiler, and it does not use the C++ standard library.
2016-7-8
Update: when I originally analysed CryptXXX, I felt its logic was designed very ingeniously, with the infection routine dispersed across many exported functions. Now, through the latest analysis of Cerber, I find that Cerber is also designed very cleverly: to carry out certain specific operations it invokes other command-line processes to hide itself. You can see how deeply the author understands the Windows system; this should be an advanced player.
CryptXXX has a variety of beautifully designed ransom notes, in HTML, BMP and TXT; it has two web server nodes, interacts very frequently with the web, and the nodes back each other up. Maintaining all of this takes a lot of people and energy, so it looks like a team doing it.
Cerber looks more like the work of one person: its ransom page is very simple and not pretty, and it has no interaction with the web, either because there is no energy to maintain a website or in order to hide itself better. But the author should be a senior Windows player.
Why? Because I found that Cerber elevates its privileges and checks the current UAC state, and uses many Windows built-in variables in the %xxxx% form; I get the feeling the author used to write viruses.
Global Data Structure
| Name | Image offset | Size | Description |
|---|---|---|---|
| G_lpmodulefullpath | 0x41b760 | 4 | Full path of the Cerber executable (directory plus file name) |
| G_lpmodulepath | 0x41b440 | 4 | Directory where Cerber is located |
| G_paddrcontainmeta | 0x41b43c | 0x124 | A data structure containing meta information |
| G_hevent | 0x41b438 | 4 | Global event, manual-reset, initially non-signaled |
| G_szcercoprotmutex | 0x41b648 | 4 | Name of the global mutex |
| G_hheap | 0x419a50 | 4 | Global object: handle of the private heap |
| G_dwcurrentpid | 0x419a54 | 4 | Current process ID |
| G_dwimmmap | 0x419a3c | 0x10 | A set of constants used to compute strings |
| G_bencryptdone | 0x41bf61 | 4 | Flag: whether encryption has completed |
| G_hcryptprov | 0x41a168 | 4 | Cryptographic service provider handle |
| G_szmodulefilename | 0x41b970 | 4 | File name of the current process |
| G_tedglobalmeta | 0x41a0f8 | | Global meta data structure |
| G_bmultithread | 0x41a12c | 4 | Global flag: whether encryption is multithreaded |
| G_dwmaxblocksize | 0x41a14c | 4 | Maximum block size |
| G_dwmaxblocks | 0x41a12d | 4 | Maximum number of blocks |
| G_dqminfilesize | 0x41a138 | 8 | Minimum file size |
| G_dwrsakeysize | 0x41a154 | 4 | Size of the RSA key |
| G_cerber_key_place | 0x41beb8 | 4 | |
| G_pjsonobject | 0x41a134 | | |
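As an added example (not code from the original post), a small Python check over the table above: it flags entries whose byte ranges overlap and DWORD/QWORD entries whose address is not naturally aligned, either of which suggests the size column describes something other than that global's own storage. It assumes the offsets are virtual addresses of an image mapped at the default 0x400000 base; that base and the reading of the findings are my assumptions, not the author's.

```python
from itertools import combinations
from typing import List, Optional, Tuple

# Assumption: "Image offset" values are VAs of an image mapped at the
# default Win32 base, so RVA = VA - 0x400000.
ASSUMED_IMAGE_BASE = 0x400000

# (name, address, size) as listed on this page; None = size not given.
GLOBALS: List[Tuple[str, int, Optional[int]]] = [
    ("G_lpmodulefullpath", 0x41b760, 4), ("G_lpmodulepath", 0x41b440, 4),
    ("G_paddrcontainmeta", 0x41b43c, 0x124), ("G_hevent", 0x41b438, 4),
    ("G_szcercoprotmutex", 0x41b648, 4), ("G_hheap", 0x419a50, 4),
    ("G_dwcurrentpid", 0x419a54, 4), ("G_dwimmmap", 0x419a3c, 0x10),
    ("G_bencryptdone", 0x41bf61, 4), ("G_hcryptprov", 0x41a168, 4),
    ("G_szmodulefilename", 0x41b970, 4), ("G_tedglobalmeta", 0x41a0f8, None),
    ("G_bmultithread", 0x41a12c, 4), ("G_dwmaxblocksize", 0x41a14c, 4),
    ("G_dwmaxblocks", 0x41a12d, 4), ("G_dqminfilesize", 0x41a138, 8),
    ("G_dwrsakeysize", 0x41a154, 4), ("G_cerber_key_place", 0x41beb8, 4),
    ("G_pjsonobject", 0x41a134, None),
]

def to_rva(va: int, base: int = ASSUMED_IMAGE_BASE) -> int:
    """Image-relative offset of a VA, for use with static tooling."""
    return va - base

def find_overlaps(table=GLOBALS) -> List[Tuple[str, str]]:
    """Pairs of sized entries whose [addr, addr+size) ranges intersect;
    an overlap means a listed size is not that global's own storage."""
    sized = [e for e in table if e[2] is not None]
    hits = []
    for (n1, a1, s1), (n2, a2, s2) in combinations(sized, 2):
        if a1 < a2 + s2 and a2 < a1 + s1:
            hits.append(tuple(sorted((n1, n2))))
    return sorted(hits)

def find_misaligned(table=GLOBALS) -> List[str]:
    """DWORD/QWORD entries whose address is not a multiple of their size;
    a compiler would not place a real DWORD there, so the size is suspect."""
    return sorted(n for n, a, s in table if s in (4, 8) and a % s != 0)

def layout(table=GLOBALS) -> List[str]:
    """Address-sorted map with RVA and end address (? if size unknown)."""
    return [f"{a:#x} (rva {to_rva(a):#x})..{a + s:#x}  {n}" if s is not None
            else f"{a:#x} (rva {to_rva(a):#x})..?  {n}"
            for n, a, s in sorted(table, key=lambda e: e[1])]

if __name__ == "__main__":
    print("\n".join(layout()))
    print("overlaps:", find_overlaps())
    print("misaligned:", find_misaligned())
```

On this table the checks single out the two b-prefixed flags and the pointer-to-meta entry, which is consistent with the flags being one byte each and the 0x124 being the pointee's size rather than the pointer's.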