Deep Analysis - Cerber Ransomware | Threat: CRITICAL

File Identity

SHA256   4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f
Size     1,978,368 bytes, PE32 x86, entropy 2.69 (low for a ~2 MB PE: consistent with an unpacked or padded binary rather than a packed or encrypted payload)
Family   Cerber Ransomware (RaaS - 2016-2017)

Cerber Ransomware Identification

CERBER: one of the largest RaaS (Ransomware-as-a-Service) operations of 2016-2017.

cerber -> .cerber extension (extension appended to encrypted files)
kf6XBQ_-cB.cerber        <- example of an encrypted file
xdf7G7iMQy.cerber        <- encrypted file with a randomly generated name
# DECRYPT MY FILES #.vbs  <- VBScript ransom note
# DECRYPT MY FILES #.html <- HTML ransom note

Victim ID: 45ED-FB92-752D-26DA-53C8
GUID: 1A8308C7-90D1-4200-B16E-646F163A08E8

C2 Payment Page (Tor2Web Proxies)

C2: the Cerber payment panel, reached through 4 different Tor2Web proxies.

http://cerberhhyed5frqa.onion.to/45ED-FB92-752D-26DA-53C8
http://cerberhhyed5frqa.onion.cab/45ED-FB92-752D-26DA-53C8
http://cerberhhyed5frqa.onion.nu/45ED-FB92-752D-26DA-53C8
http://cerberhhyed5frqa.onion.link/45ED-FB92-752D-26DA-53C8
http://cerberhhyed5frqa.onion/45ED-FB92-752D-26DA-53C8 <- direct Tor

cevacont1234@gmail.com  <- contact email from the ransom note

Only the Tor2Web forms resolve in clearnet DNS; the direct .onion address is reachable only over Tor. On a host without a Tor client, lookups of the proxy domains (*.onion.to, *.onion.cab, *.onion.nu, *.onion.link) are therefore the observable network indicator.
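Added example, not code from this page or from KEYDAL: a small Python triage helper that folds the five payment URLs above to a single onion service and victim ID regardless of which Tor2Web proxy was used, and classifies file names against the .cerber naming and ransom-note patterns from the identification section. Two generalisations are assumptions: the 10-character URL-safe file-name rule is inferred from the two sample names listed above, and any "<service>.onion.<suffix>" host is treated as a Tor2Web proxy rather than only the four suffixes seen here.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the page or from KEYDAL.
# ASSUMPTIONS: the 10-character URL-safe base64 file-name rule is generalised
# from the two samples on the page; any "<service>.onion.<suffix>" host is
# treated as a Tor2Web proxy, not only the four suffixes listed above.

VICTIM_ID_RE = re.compile(r"^[0-9A-F]{4}(?:-[0-9A-F]{4}){4}$")     # 45ED-FB92-752D-26DA-53C8
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{10}\.cerber$")     # kf6XBQ_-cB.cerber
RANSOM_NOTE_RE = re.compile(r"^# DECRYPT MY FILES #\.(?:vbs|html)$", re.I)
ONION_HOST_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.([a-z]+))?$")


def normalize_payment_url(url):
    """Return (onion_host, victim_id, proxy_suffix) for a Cerber payment URL.

    Tor2Web proxies expose <service>.onion.<suffix>; direct Tor access uses
    <service>.onion.  Both are folded to the bare .onion host so URLs seen via
    different proxies compare equal.  proxy_suffix is None for direct Tor.
    Returns None when the host is not an onion service or the path is not a
    victim ID in the page's five-group hex format.
    """
    parts = urlsplit(url.strip())
    m = ONION_HOST_RE.match((parts.hostname or "").lower())
    if not m:
        return None
    victim_id = parts.path.strip("/").upper()
    if not VICTIM_ID_RE.match(victim_id):
        return None
    return m.group(1) + ".onion", victim_id, m.group(2)


def classify_artifact(path):
    """'encrypted-file', 'ransom-note' or None for a file name or full path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if ENCRYPTED_NAME_RE.match(name):
        return "encrypted-file"
    if RANSOM_NOTE_RE.match(name):
        return "ransom-note"
    return None


def triage(urls, filenames):
    """Fold URLs to {(onion, victim_id): {proxies}} and count file artifacts."""
    services = {}
    for url in urls:
        hit = normalize_payment_url(url)
        if hit:
            onion, victim_id, proxy = hit
            services.setdefault((onion, victim_id), set()).add(proxy or "direct")
    counts = {"encrypted-file": 0, "ransom-note": 0}
    for f in filenames:
        kind = classify_artifact(f)
        if kind:
            counts[kind] += 1
    return services, counts


# Constructed inputs: the URLs and names from this page plus benign noise.
SAMPLE_URLS = [
    "http://cerberhhyed5frqa.onion.to/45ED-FB92-752D-26DA-53C8",
    "http://cerberhhyed5frqa.onion.cab/45ED-FB92-752D-26DA-53C8",
    "http://cerberhhyed5frqa.onion.nu/45ED-FB92-752D-26DA-53C8",
    "http://cerberhhyed5frqa.onion.link/45ED-FB92-752D-26DA-53C8",
    "http://cerberhhyed5frqa.onion/45ED-FB92-752D-26DA-53C8",
    "https://www.example.com/45ED-FB92-752D-26DA-53C8",   # not an onion service
]
SAMPLE_FILES = [
    r"C:\Users\victim\Documents\kf6XBQ_-cB.cerber",
    r"C:\Users\victim\Documents\xdf7G7iMQy.cerber",
    r"C:\Users\victim\Documents\# DECRYPT MY FILES #.vbs",
    r"C:\Users\victim\Documents\# DECRYPT MY FILES #.html",
    r"C:\Users\victim\Documents\report.docx",
]

if __name__ == "__main__":
    services, counts = triage(SAMPLE_URLS, SAMPLE_FILES)
    for (onion, victim_id), proxies in services.items():
        print(onion, victim_id, sorted(proxies))
    print(counts)
```

Feeding proxy or DNS logs through normalize_payment_url groups every sighting of the same victim ID under one onion service, which is what you want when the same infected host retries the panel through several Tor2Web front ends.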

Advanced Capabilities

AUDIT LOG DISABLED:
  auditpol.exe /set /... <- the Windows audit policy is switched off
  AppData\Roaming\{GUID}\auditpol.exe (copy kept for persistent access)

PROCESS INJECTION:
  VirtualAllocEx / WriteProcessMemory

CRYPTO WALLET TARGETING:
  wallet.dat / Cookies

EXTERNAL IP DISCOVERY:
  ipinfo.io <- victim IP and geolocation lookup

PRIVILEGE ESCALATION:
  AdjustTokenPrivileges <- NT Authority/NetworkService
  (caveat: AdjustTokenPrivileges only enables privileges the token already holds, such as SeDebugPrivilege; it cannot add new ones, so on its own this is privilege enabling rather than escalation)
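Added example for the telemetry side of the behaviours above; it is not code from this page or from KEYDAL. It runs three process-creation rules and one DNS rule over constructed Sysmon-style events (Event ID 1 process creation, Event ID 22 DNS query) and combines them into a verdict. The auditpol command-line arguments, the dropper file name sample.exe and the benign events are assumptions: the page records only "auditpol.exe /set /...", the AppData\Roaming\{GUID}\auditpol.exe drop path and the ipinfo.io lookup.

```python
import re

# Added example, not code from the page or from KEYDAL.
# ASSUMPTIONS: the auditpol arguments, the dropper name "sample.exe" and the
# benign events are invented for the demonstration; the page gives only
# "auditpol.exe /set /...", the AppData\Roaming\{GUID}\auditpol.exe drop path
# and the ipinfo.io lookup.

GUID_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\\", re.I)
AUDITPOL_SET_RE = re.compile(r"\bauditpol(?:\.exe)?\b.*?\s/set\b", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Drop directory from the page: AppData\Roaming\{GUID}\ with the listed GUID
DROP_DIR = r"C:\Users\victim\AppData\Roaming\{1A8308C7-90D1-4200-B16E-646F163A08E8}"

# Constructed Sysmon-style events (EventID 1 = process create, 22 = DNS query)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe",       # admin reads policy: benign
     "CommandLine": "auditpol.exe /get /category:*"},
    {"EventID": 1, "Image": DROP_DIR + r"\auditpol.exe",               # copied auditpol disables auditing
     "CommandLine": "auditpol.exe /set /category:* /success:disable /failure:disable"},
    {"EventID": 22, "Image": DROP_DIR + r"\sample.exe",                # dropper geolocates the victim
     "QueryName": "ipinfo.io"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # user browses ipinfo.io
     "QueryName": "ipinfo.io"},
    {"EventID": 1, "Image": r"C:\Windows\System32\auditpol.exe",       # admin changes policy: medium
     "CommandLine": 'auditpol /set /subcategory:"Logon" /success:enable'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def evaluate(events):
    """Return (event_index, rule_name) for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        if GUID_DIR_RE.search(image):
            # Anything executing from AppData\Roaming\{GUID}\ matches the drop path
            hits.append((i, "exec_from_roaming_guid_dir"))
        if ev["EventID"] == 1:
            if _basename(image) == "auditpol.exe" and not _in_system_dir(image):
                # auditpol.exe should only ever run from System32/SysWOW64
                hits.append((i, "auditpol_outside_system32"))
            if AUDITPOL_SET_RE.search(ev.get("CommandLine", "")):
                # Audit policy modified; legitimate for admins, so medium on its own
                hits.append((i, "auditpol_set"))
        elif ev["EventID"] == 22:
            qname = ev.get("QueryName", "").lower()
            if (qname == "ipinfo.io" or qname.endswith(".ipinfo.io")) \
                    and _basename(image) not in BROWSERS:
                # External-IP lookup issued by a non-browser process
                hits.append((i, "ipinfo_lookup_nonbrowser"))
    return hits


def verdict(events):
    """'high' when rules chain on one event as the page describes (relocated
    auditpol changing policy, or a {GUID}-dir binary doing the IP lookup),
    'medium' for any lone hit, otherwise 'none'."""
    per_event = {}
    for i, rule in evaluate(events):
        per_event.setdefault(i, set()).add(rule)
    for rules in per_event.values():
        if {"auditpol_outside_system32", "auditpol_set"} <= rules \
                or {"exec_from_roaming_guid_dir", "ipinfo_lookup_nonbrowser"} <= rules:
            return "high"
    return "medium" if per_event else "none"


if __name__ == "__main__":
    for i, rule in evaluate(SAMPLE_EVENTS):
        print(i, rule)
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The point of scoring per event rather than over the whole set is that "auditpol /set" alone fires on routine administration; it is the relocated binary issuing it, or the {GUID} directory doing the geolocation lookup, that matches this sample.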

IOC

SHA256      4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f
Family      Cerber Ransomware (RaaS 2016-2017)
Extension   .cerber
C2 (Tor)    cerberhhyed5frqa.onion (4 Tor2Web proxies)
Email       cevacont1234@gmail.com
Victim ID   45ED-FB92-752D-26DA-53C8

CerberRansomware — Malware Profile

Cerber Ransomware - one of the largest RaaS (Ransomware-as-a-Service) platforms of 2016-2017. File encryption with the .cerber extension, a payment panel reached through 4 Tor2Web proxies, Windows audit logging disabled via auditpol.exe, VBScript and HTML ransom notes. RSA+RC4 encryption.

Malware Type: Ransomware
Programming Language: C
C2 Protocol: HTTP/Tor
Target Systems: Global

Capabilities & Behavior

File Encryption (AES/RSA; the sample analysis above records RSA+RC4, so treat the cipher named here as a family-level entry)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak; not evidenced by the sample analysis above, family-template entry)

IOC List (6 indicators)

IOC — CerberRansomware

Type     Value                                                               Note
sha256   4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f
email    cevacont1234@gmail.com                                              ransom-note contact
url      http://cerberhhyed5frqa.onion.to/45ED-FB92-752D-26DA-53C8           Tor2Web proxy
url      http://cerberhhyed5frqa.onion.cab/45ED-FB92-752D-26DA-53C8          Tor2Web proxy
url      http://cerberhhyed5frqa.onion.nu/45ED-FB92-752D-26DA-53C8           Tor2Web proxy
url      http://cerberhhyed5frqa.onion.link/45ED-FB92-752D-26DA-53C8         Tor2Web proxy

C2 Servers (1 recorded server for this family)

Address                  Type    Port  Protocol  Status    Country
cerberhhyed5frqa.onion   domain  80    HTTP      inactive  n/a

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
cerber-ransomware-raas-2016-2017, cerberhhyed5frqa-onion-tor2web-c2, dot-cerber-encrypted-extension, auditpol-exe-audit-log-disable, virtualalloc-writeprocess-injection, wallet-dat-crypto-targeting, ipinfo-io-geolocation-victim, cevacont1234-gmail-ransom-email, adjusttokenprivileges-nt-authority, decrypt-my-files-vbs-html-ransom-note, guid-1a8308c7-persistence, rsa-key-size-cryptacquirecontext