Showing posts tagged #ransomware

Return Home

Cerber is a popular ransomware that it's still active. In this blogpost, we will analyze and dump Cerber's config using the Cuckoo Sandbox for it.

Prior analysis of Cerber already exist (like this one by Hasherezade).
As state by Hasherezade, Cerber stores it's configuration in an RCDATA resource bundled in the PE header. This RCDATA resource is encrypted and cerber uses a dedicated function to decrypt it.

We will begin analyzing said binary.

CRC32: EF4C42F6
MD5: 9A7F87C91BF7E602055A5503E80E2313
SHA-1: 193F407A2F0C7E1EAA65C54CD9115C418881DE42

If we analyze the function after which call a clear-text configuration is loaded in memory we can see it is using

Read More