Cerber Ransomware Analysis

Source: Internet
Author: User

Cerber is a single executable, and its post-infection behaviour is not hidden as carefully as CryptXXX's, so analysing its behaviour is not difficult. It does, however, protect its internal data better than CryptXXX does. For example, for CryptXXX I could write a simple inverse algorithm and extract all of its encrypted internal data; Cerber's protection clearly works well enough that this is not as easy, although it still did not stop me from extracting all of its internal data. Below is a detailed analysis of the logic it uses to protect that data.

It also needs to be understood that Cerber is written in C and does not use the Microsoft runtime; in other words, it was not built with Microsoft's compiler. It was most likely built with the Intel compiler or a gcc cross-compiler, but I am not certain. Two points are certain: it was not built with the Microsoft compiler, and it does not use the C++ standard library.

2016-7-8

Update: when I originally analysed CryptXXX, I felt that its logic was designed very ingeniously, with its infection routine dispersed across many exported functions. Now, through the latest analysis of Cerber, I have found that Cerber is also designed very cleverly: to perform certain specific operations it invokes other command-line processes in order to hide itself. You can see how deeply the author understands the Windows system; this must be an advanced player.

CryptXXX has a variety of well-designed ransom notes (HTML, BMP and TXT), has two web server nodes, interacts with the web very frequently, and the two nodes back each other up. Maintaining all of this takes a lot of people and energy, so it looks like the work of a team.

Cerber looks more like the work of one person: its ransom page is very simple and not pretty, and it has no interaction with the web at all, either because there is no capacity to maintain a website or in order to hide itself better. But the author must be a senior Windows player.

Why? Because I found that Cerber checks the current UAC state and makes heavy use of Windows built-in environment variables in the %xxxx% form; I get the feeling that the author used to be a virus writer.

Global Data Structure

Name                    Image offset   Size    Description
G_lpmodulefullpath      0x41b760       4       Cerber's current directory including the file name (full path)
G_lpmodulepath          0x41b440       4       The directory where Cerber is located
G_paddrcontainmeta      0x41b43c       0x124   A data structure containing meta information
G_hevent                0x41b438       4       Global event, manual-reset, initially non-signalled
G_szcercoprotmutex      0x41b648       4       Name of the global mutex
G_hheap                 0x419a50       4       Global object: private heap handle
G_dwcurrentpid          0x419a54       4       Current process ID
G_dwimmmap              0x419a3c       0x10    A set of constants used to compute strings
G_bencryptdone          0x41bf61       4       Flag: whether encryption has completed
G_hcryptprov            0x41a168       4       Cryptographic service provider (handle)
G_szmodulefilename      0x41b970       4       File name of the current process
G_tedglobalmeta         0x41a0f8               Global meta data structure
G_bmultithread          0x41a12c       4       Global flag: whether encryption is multithreaded
G_dwmaxblocksize        0x41a14c       4       The size of the largest chunk
G_dwmaxblocks           0x41a12d       4       Maximum number of blocks
G_dqminfilesize         0x41a138       8       Minimum file size
G_dwrsakeysize          0x41a154       4       The size of the RSA key
G_cerber_key_place      0x41beb8       4
G_pjsonobject           0x41a134
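The table above identifies each global by its image address. To inspect those globals in the file on disk, an analyst has to map the address through the PE section table to a raw file offset, and has to notice when an address falls in the uninitialised tail of a section (present in memory, absent from the file). The following script is an added example, not code from the original post or from the Cerber sample: it parses a 32-bit PE section table, resolves the table's addresses to file offsets, and reads the DWORD stored there. It assumes an image base of 0x400000 (the usual base for a 32-bit EXE, consistent with the 0x41xxxx addresses listed), and it runs on a constructed minimal PE layout built in memory rather than on the real sample.

```python
"""Resolve image addresses from the Cerber global-data table to raw file offsets.

Added example (not the original post's code). The section layout, the planted
values and the image base are constructed assumptions for demonstration.
"""
import struct

IMAGE_BASE = 0x400000  # assumption: default 32-bit EXE base; the 0x41xxxx table addresses fit it

# Subset of the globals listed in the table above: name -> (image address, size in bytes)
CERBER_GLOBALS = {
    "G_lpmodulefullpath": (0x41b760, 4),
    "G_paddrcontainmeta": (0x41b43c, 0x124),
    "G_hheap":            (0x419a50, 4),
    "G_dwcurrentpid":     (0x419a54, 4),
    "G_cerber_key_place": (0x41beb8, 4),
}


def parse_sections(pe: bytes):
    """Return [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)]
    from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = sect_off + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, rptr, rsize))
    return sections


def va_to_file_offset(sections, va, image_base=IMAGE_BASE):
    """Map a virtual address to (section name, file offset).
    The offset is None when the address lies in the section's uninitialised
    tail, i.e. the bytes exist only once the image is loaded."""
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:
                return name, None
            return name, rptr + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def read_dword(pe, sections, va):
    """Read the 32-bit little-endian value stored at a virtual address, or None
    if the address is not backed by file data."""
    _, off = va_to_file_offset(sections, va)
    if off is None:
        return None
    return struct.unpack_from("<I", pe, off)[0]


def resolve_table(pe):
    """Resolve every entry of CERBER_GLOBALS to (section, file offset)."""
    sections = parse_sections(pe)
    return {name: va_to_file_offset(sections, va) for name, (va, _) in CERBER_GLOBALS.items()}


def build_demo_image() -> bytes:
    """Constructed minimal 32-bit PE layout (NOT the Cerber sample): a .text section
    and a .data section whose VirtualSize exceeds its SizeOfRawData."""
    e_lfanew = 0x80
    buf = bytearray(0x3000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0 (PE32), Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    sect_off = e_lfanew + 24 + 0xE0

    def section(i, name, vsize, va, rsize, rptr):
        off = sect_off + i * 40
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, vsize, va, rsize, rptr)

    section(0, b".text", 0x18000, 0x1000, 0x200, 0x400)   # raw 0x400..0x600
    section(1, b".data", 0x3000, 0x19000, 0x2000, 0x600)  # raw 0x600..0x2600, memory to 0x1c000
    # Constructed values planted at the file offsets of G_hheap and G_dwcurrentpid
    struct.pack_into("<I", buf, 0x600 + 0xA50, 0x00A10000)
    struct.pack_into("<I", buf, 0x600 + 0xA54, 1234)
    return bytes(buf)


if __name__ == "__main__":
    image = build_demo_image()
    secs = parse_sections(image)
    for name, (sec, off) in resolve_table(image).items():
        where = f"file offset {off:#x}" if off is not None else "uninitialised data (not in file)"
        print(f"{name:20} {CERBER_GLOBALS[name][0]:#x} -> {sec} {where}")
```

In the constructed layout, G_cerber_key_place (0x41beb8) lands beyond the .data section's raw size, so the script reports it as not present in the file; on a real sample this is exactly the case where a static dump shows nothing and the value must be read from a memory image instead.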
