Win32/Filecoder.Cerber [Threat Name]

Win32/Filecoder.Cerber.A [Threat Variant Name]

Category trojan
Size 114688 B
Detection created Mar 03, 2016
Detection database version 13124
Aliases Trojan.Win32.SelfDel.buhy (Kaspersky)
  Ransom:Win32/Cerber.A (Microsoft)
  Trojan.Cryptolocker.AH (Symantec)
  Trojan.Encoder.4171 (Dr.Web)
Short description

Win32/Filecoder.Cerber.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%guid%\%pickedfilenamefromsystem32folder%

The filename of the copy is borrowed from an existing file in the System32 folder, so the copy looks like a legitimate Windows binary sitting in a GUID-named directory.

The trojan creates the following files:

  • %startup%\%pickedfilenamefromsystem32folder%.lnk

This .lnk file is a shortcut to the malicious copy above.


After the installation is complete, the trojan deletes the original executable file.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%pickedfilenamefromsystem32folder%" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "%pickedfilenamefromsystem32folder%" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "Run" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
    • "AutoRun" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "SCRNSAVE.EXE" = "%appdata%\%guid%\%pickedfilenamefromsystem32folder%"

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\%guid%\%pickedfilenamefromsystem32folder%

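The persistence entries listed above share one tell: every value points into a GUID-named directory under %appdata%, at an executable whose name was copied from System32. The following script is an added triage example (not part of this entry and not ESET's code) that parses a `.reg` export of the HKCU hive and flags autorun values matching that pattern. It assumes the %guid% directory is written in the usual {8-4-4-4-12} form (with or without braces) and that %appdata% appears either literally or expanded to ...\AppData\Roaming; the sample export and the hypothetical user name are constructed for the example.

```python
import re

# The HKCU autorun locations listed in this entry, lowercased for comparison.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer",
    r"hkey_current_user\software\microsoft\command processor",
    r"hkey_current_user\control panel\desktop",
}

# Assumption (the entry does not give the format): %guid% is {8-4-4-4-12} hex,
# braces optional, and %appdata% is either literal or expanded to ...\AppData\Roaming.
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
CERBER_PATH = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\" + GUID + r"\\[^\\\"]+\.exe",
    re.IGNORECASE,
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg exports escape backslashes and double quotes inside string data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export
    (already decoded to str; real exports are UTF-16LE)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key and m.group(2).startswith('"') and m.group(2).endswith('"'):
            yield key, _unescape(m.group(1)), _unescape(m.group(2)[1:-1])


def find_cerber_autoruns(text: str):
    """Return [(key, value_name, data)] for autorun values whose data points
    into a GUID-named %appdata% directory, the way this trojan installs itself."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() in AUTORUN_KEYS and CERBER_PATH.search(data):
            hits.append((key, name, data))
    return hits


# Constructed sample export (not a real system). "wscript.exe" stands in for the
# System32 filename the trojan picks; the Contoso key shows that a GUID path under
# a non-autorun key is ignored, and OneDrive shows a legitimate AppData entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"wscript"="C:\\Users\\alice\\AppData\\Roaming\\{8F2C1A6E-3B4D-4C5E-9F70-1A2B3C4D5E6F}\\wscript.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\Users\\alice\\AppData\\Roaming\\{8F2C1A6E-3B4D-4C5E-9F70-1A2B3C4D5E6F}\\wscript.exe"
"ScreenSaveActive"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="C:\\Users\\alice\\AppData\\Roaming\\{8F2C1A6E-3B4D-4C5E-9F70-1A2B3C4D5E6F}\\wscript.exe"

[HKEY_CURRENT_USER\Software\Contoso\Tool]
"Path"="C:\\Users\\alice\\AppData\\Roaming\\{8F2C1A6E-3B4D-4C5E-9F70-1A2B3C4D5E6F}\\tool.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_cerber_autoruns(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
```

To run it against a live host, export the hive with `reg export HKCU hkcu.reg` and open the file with `encoding="utf-16"` before passing the text in. The export does not contain the Startup-folder .lnk or the scheduled task that the entry also describes; check those separately (the Startup folder listing and `schtasks /query /fo LIST /v`).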
Payload information

Win32/Filecoder.Cerber.A is a trojan that encrypts files on fixed, removable and network drives.


To decrypt the files, the user is asked to comply with the attacker's conditions in exchange for a password/instructions.


The trojan searches for files with the following file extensions:

  • .1cd
  • .3dm
  • .3ds
  • .3fr
  • .3g2
  • .3gp
  • .3pr
  • .7z
  • .7zip
  • .aac
  • .ab4
  • .accdb
  • .accde
  • .accdr
  • .accdt
  • .ach
  • .acr
  • .act
  • .adb
  • .adp
  • .ads
  • .agdl
  • .ai
  • .aiff
  • .ait
  • .al
  • .aoi
  • .apj
  • .arw
  • .asf
  • .asm
  • .asp
  • .aspx
  • .asx
  • .avi
  • .awg
  • .back
  • .backup
  • .backupdb
  • .bak
  • .bank
  • .bay
  • .bdb
  • .bgt
  • .bik
  • .bin
  • .bkp
  • .blend
  • .bmp
  • .bpw
  • .c
  • .cdf
  • .cdr
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .cdx
  • .ce1
  • .ce2
  • .cer
  • .cfg
  • .cgm
  • .cib
  • .class
  • .cls
  • .cmt
  • .config
  • .contact
  • .cpi
  • .cpp
  • .cr2
  • .craw
  • .crt
  • .crw
  • .cs
  • .csh
  • .csl
  • .css
  • .csv
  • .dac
  • .dat
  • .db
  • .db_journal
  • .db3
  • .dbf
  • .dbx
  • .dc2
  • .dcr
  • .dcs
  • .ddd
  • .ddoc
  • .ddrw
  • .dds
  • .der
  • .des
  • .design
  • .dgc
  • .dit
  • .djvu
  • .dng
  • .doc
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .drf
  • .drw
  • .dtd
  • .dwg
  • .dxb
  • .dxf
  • .dxg
  • .edb
  • .eml
  • .eps
  • .erbsql
  • .erf
  • .exf
  • .fdb
  • .ffd
  • .fff
  • .fh
  • .fhd
  • .fla
  • .flac
  • .flf
  • .flv
  • .flvv
  • .fpx
  • .fxg
  • .gif
  • .gray
  • .grey
  • .groups
  • .gry
  • .h
  • .hbk
  • .hdd
  • .hpp
  • .html
  • .ibank
  • .ibd
  • .ibz
  • .idx
  • .iif
  • .iiq
  • .incpas
  • .indd
  • .java
  • .jnt
  • .jpe
  • .jpeg
  • .jpg
  • .js
  • .kc2
  • .kdbx
  • .kdc
  • .key
  • .kpdx
  • .kwm
  • .laccdb
  • .ldf
  • .lit
  • .log
  • .lua
  • .m
  • .m2ts
  • .m3u
  • .m4p
  • .m4v
  • .mapimail
  • .max
  • .mbx
  • .md
  • .mdb
  • .mdc
  • .mdf
  • .mef
  • .mfw
  • .mid
  • .mkv
  • .mlb
  • .mmw
  • .mny
  • .moneywell
  • .mos
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .mrw
  • .msg
  • .myd
  • .nd
  • .ndd
  • .ndf
  • .nef
  • .nk2
  • .nop
  • .nrw
  • .ns2
  • .ns3
  • .ns4
  • .nsd
  • .nsf
  • .nsg
  • .nsh
  • .nvram
  • .nwb
  • .nx2
  • .nxl
  • .nyf
  • .oab
  • .obj
  • .odb
  • .odc
  • .odf
  • .odg
  • .odm
  • .odp
  • .ods
  • .odt
  • .ogg
  • .oil
  • .orf
  • .ost
  • .otg
  • .oth
  • .otp
  • .ots
  • .ott
  • .p12
  • .p7b
  • .p7c
  • .pab
  • .pages
  • .pas
  • .pat
  • .pcd
  • .pct
  • .pdb
  • .pdd
  • .pdf
  • .pef
  • .pem
  • .pfx
  • .php
  • .pif
  • .pl
  • .plc
  • .plus_muhd
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .prf
  • .ps
  • .psafe3
  • .psd
  • .pspimage
  • .pst
  • .ptx
  • .pwm
  • .py
  • .qba
  • .qbb
  • .qbm
  • .qbr
  • .qbw
  • .qbx
  • .qby
  • .qcow
  • .qcow2
  • .qed
  • .r3d
  • .raf
  • .rar
  • .rat
  • .raw
  • .rdb
  • .rm
  • .rtf
  • .rvt
  • .rw2
  • .rwl
  • .rwz
  • .s3db
  • .safe
  • .sas7bdat
  • .sav
  • .save
  • .say
  • .sd0
  • .sda
  • .sdf
  • .sldm
  • .sldx
  • .sql
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .sr2
  • .srf
  • .srt
  • .srw
  • .st4
  • .st5
  • .st6
  • .st7
  • .st8
  • .stc
  • .std
  • .sti
  • .stm
  • .stw
  • .stx
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxg
  • .sxi
  • .sxm
  • .sxw
  • .tex
  • .tga
  • .thm
  • .tlg
  • .txt
  • .vbox
  • .vdi
  • .vhd
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmx
  • .vmxf
  • .vob
  • .wab
  • .wad
  • .wallet
  • .wav
  • .wb2
  • .wma
  • .wmv
  • .wpd
  • .wps
  • .x11
  • .x3f
  • .xis
  • .xla
  • .xlam
  • .xlk
  • .xlm
  • .xlr
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .ycbcra
  • .yuv
  • .zip

It avoids files with the following filenames:

  • bootsect.bak
  • iconcache.db
  • thumbs.db
  • wallet.dat

It avoids files which contain any of the following strings in their path:

  • :\$recycle.bin\
  • :\$windows.~bt\
  • :\boot\
  • :\drivers\
  • :\program files\
  • :\program files (x86)\
  • :\programdata\
  • :\users\all users\
  • :\windows\
  • \appdata\local\
  • \appdata\locallow\
  • \appdata\roaming\
  • \public\music\sample music\
  • \public\pictures\sample pictures\
  • \public\videos\sample videos\
  • \tor browser\
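The three rules above (extension allowlist, filename denylist, path-substring denylist) together decide which files are encrypted, and the details matter for scoping a restore: the path strings that begin with ":\" only match directly under a drive root, so "D:\archive\windows\" or a UNC share path is not excluded by ":\windows\" or ":\program files\", while "\appdata\roaming\" matches anywhere. The following predicate is an added example (not part of this entry and not ESET's code) that applies the rules to an inventory of paths. It embeds only a representative subset of the extension list; paste the full list in for a real assessment. Case-insensitive matching and the constructed inventory (user name, server name) are assumptions of the example.

```python
import ntpath

# Representative subset of the extension list above (constructed for the example;
# paste the entry's full list here for a real assessment). Compared lowercase.
TARGET_EXTENSIONS = frozenset("""
7z accdb bak c cpp csv db dbf doc docx eml jpg jpeg kdbx key ldf mdb mdf mp4 odt
p12 pdf pem pfx png ppsm pptx pst py qcow2 rar sql sqlite txt vhd vhdx vmdk wallet xls xlsx zip
""".split())

# Exact filenames that are skipped even though their extension is listed.
SKIP_NAMES = frozenset({"bootsect.bak", "iconcache.db", "thumbs.db", "wallet.dat"})

# Path substrings that exclude a file. Entries starting with ":\" only match
# directly under a drive root; the others match anywhere in the path.
SKIP_PATH_PARTS = (
    ":\\$recycle.bin\\", ":\\$windows.~bt\\", ":\\boot\\", ":\\drivers\\",
    ":\\program files\\", ":\\program files (x86)\\", ":\\programdata\\",
    ":\\users\\all users\\", ":\\windows\\",
    "\\appdata\\local\\", "\\appdata\\locallow\\", "\\appdata\\roaming\\",
    "\\public\\music\\sample music\\", "\\public\\pictures\\sample pictures\\",
    "\\public\\videos\\sample videos\\", "\\tor browser\\",
)


def is_target(path: str) -> bool:
    """True if a file at this Windows path matches the selection rules above.
    Matching is case-insensitive (an assumption; the entry lists lowercase)."""
    p = path.lower()
    name = ntpath.basename(p)
    if name in SKIP_NAMES:
        return False
    ext = ntpath.splitext(name)[1].lstrip(".")   # "" for files without one
    if ext not in TARGET_EXTENSIONS:
        return False
    return not any(part in p for part in SKIP_PATH_PARTS)


def select_targets(paths):
    """Filter an inventory of paths (e.g. from a backup catalogue) down to the
    files the trojan would encrypt: the set a restore has to cover."""
    return [p for p in paths if is_target(p)]


# Constructed inventory (not real data); comments give the expected decision.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\Q1 report.docx",                          # encrypted
    r"C:\Users\alice\Pictures\thumbs.db",                                # skipped: filename
    r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default.wallet",   # skipped: \appdata\roaming\
    r"C:\Users\alice\Desktop\wallet.dat",                                # skipped: filename
    r"C:\Windows\Temp\dump.txt",                                         # skipped: :\windows\
    r"D:\archive\windows\notes.txt",                                     # encrypted: not at a drive root
    r"\\fileserver\share\program files\legacy\data.mdb",                 # encrypted: UNC path has no ":\"
    r"C:\Program Files\App\readme.txt",                                  # skipped: :\program files\
    r"C:\Users\alice\Downloads\setup.exe",                               # not a listed extension
]

if __name__ == "__main__":
    for p in select_targets(SAMPLE_INVENTORY):
        print("would encrypt:", p)
```

Note the two asymmetric cases: wallet.dat is protected by name while .wallet files elsewhere are not, and data on network shares is exposed even under directory names that are excluded on local drives.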

The trojan encrypts the file content. RC4 and RSA are used (a hybrid scheme: the symmetric cipher encrypts the file content and RSA protects the key material).


The encrypted file is renamed (the original name and extension are replaced) to:

  • %11randomchars%.cerber

The following files are dropped in the same folder:

  • # DECRYPT MY FILES #.txt
  • # DECRYPT MY FILES #.html
  • # DECRYPT MY FILES #.vbs

The following files are dropped into the %desktop% folder:

  • # DECRYPT MY FILES #.txt
  • # DECRYPT MY FILES #.html
  • # DECRYPT MY FILES #.vbs

The dropped files are then executed.
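Because the encrypted files lose their original names, the two artefacts that remain for scoping an incident are the 11-character .cerber names and the three ransom notes dropped in each affected folder. The following scanner is an added example (not part of this entry and not ESET's code) that walks a tree and counts both, and lists folders that hold encrypted files without a note, which the entry's behaviour says should not normally occur. The entry does not give the alphabet of the random characters, so only the length is checked; the directory layout is constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom notes the trojan drops next to encrypted files and on the desktop.
RANSOM_NOTES = frozenset({
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.vbs",
})

# Encrypted files are renamed to %11randomchars%.cerber. The entry does not
# give the alphabet, so only the length is checked (assumption: no dot in the stem).
ENCRYPTED_NAME = re.compile(r"^[^.]{11}\.cerber$", re.IGNORECASE)


def scan_tree(root):
    """Walk `root` and summarise Cerber artefacts. Directories are reported
    relative to `root`:
      encrypted - total .cerber files matching the naming pattern
      per_dir   - Counter of encrypted files per directory
      note_dirs - directories holding at least one ransom note
      no_note   - directories with encrypted files but no note"""
    per_dir = Counter()
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if ENCRYPTED_NAME.match(name):
                per_dir[rel] += 1
            elif name in RANSOM_NOTES:
                note_dirs.add(rel)
    return {
        "encrypted": sum(per_dir.values()),
        "per_dir": per_dir,
        "note_dirs": sorted(note_dirs),
        "no_note": sorted(set(per_dir) - note_dirs),
    }


def build_sample_tree():
    """Create a constructed directory layout (not real victim data) to scan."""
    root = tempfile.mkdtemp(prefix="cerber_scan_")
    layout = {
        "Documents": ["aB3dE5fG7hJ.cerber", "kL9mN1oP2qR.cerber",
                      "# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.html",
                      "# DECRYPT MY FILES #.vbs"],
        "Pictures": ["holiday.jpg", "sT4uV6wX8yZ.cerber"],
        "Music": ["song.mp3", "notes.cerber"],   # stem is not 11 chars: not counted
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print(f"{summary['encrypted']} encrypted files")
    for d, n in summary["per_dir"].most_common():
        print(f"  {n:4d}  {d}")
    print("notes in:", summary["note_dirs"])
    print("encrypted but no note:", summary["no_note"])
```

Run it against each mapped share and user profile; the per-directory counts show how far the encryption got, and a folder with encrypted files but no note deserves a second look.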


The following text is displayed:

C E R B E R
-----------
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files follow the instructions:
---------------------------------------------------------------------------------------
1. Download and install the "Tor Browser" from https://www.torproject.org/
2. Run it
3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/%removed%
4. Follow the instructions at this website
---------------------------------------------------------------------------------------
«...Quod me non necat me fortiorem facit.» (What does not kill me makes me stronger.)

The trojan uses Microsoft Speech (text-to-speech) technology.


It may play the following text in a spoken voice:

  • Attention! Attention! Attention!
  • Your documents, photos, databases and other important files have been encrypted!

When file encryption is finished, the trojan removes itself from the computer.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send the gathered information to a remote machine over HTTP. The URL is embedded in the trojan.


Other information

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Printers\Defaults\%guid%]
    • "Component_00" = "%data1%"
    • "Component_01" = "%data2%"

The trojan executes the following commands. The first deletes all Volume Shadow Copies (removing local restore points), the second disables the Windows Recovery Environment, and the third suppresses automatic Startup Repair after a failed boot, so that the encrypted files cannot be recovered locally:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit.exe /set {default} recoveryenabled no
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
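These three commands run before or alongside encryption and are a reliable early detection point, since they are rarely issued together by a legitimate administrator. The following is an added detection example (not part of this entry and not ESET's code) that matches the command lines above in process-creation events and escalates a host that hits two or more of the rules within a short window. The JSON-lines event format, its field names, and the sample events (host names, user names, timestamps) are constructed assumptions; map your Sysmon Event ID 1 or Security 4688 export onto them.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines recorded in this entry. bcdedit is matched on any {identifier}
# (the entry shows {default}); vssadmin on "delete shadows" together with /all.
RULES = (
    ("shadow_copies_deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    ("recovery_env_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{\w+\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{\w+\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
)

# Constructed process-creation events (one JSON object per process start); not
# real telemetry. Field names are an assumption of this example.
SAMPLE_EVENTS = r'''
{"ts": "2016-03-03T09:14:02Z", "host": "WS-017", "user": "CORP\\alice", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2016-03-03T09:14:03Z", "host": "WS-017", "user": "CORP\\alice", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"}
{"ts": "2016-03-03T09:14:03Z", "host": "WS-017", "user": "CORP\\alice", "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}
{"ts": "2016-03-03T11:30:00Z", "host": "SRV-BK1", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2016-03-03T12:00:00Z", "host": "SRV-BK1", "user": "CORP\\admin", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"}
'''


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(jsonl_text):
    """Apply RULES to each event; return one alert per (event, rule) match."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, rx in RULES:
            if rx.search(ev.get("cmdline", "")):
                alerts.append({"rule": rule, **ev})
    return alerts


def correlate(alerts, window=timedelta(minutes=5)):
    """Per host, find the largest set of distinct rules hit inside `window`.
    Two or more together is the pattern this entry describes (shadow copies
    removed and recovery disabled); a lone hit may be an administrator."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: _ts(a["ts"]))
        best = set()
        for i, anchor in enumerate(evs):
            t0 = _ts(anchor["ts"])
            hit = {b["rule"] for b in evs[i:] if _ts(b["ts"]) - t0 <= window}
            if len(hit) > len(best):
                best = hit
        findings[host] = {
            "rules": sorted(best),
            "severity": "high" if len(best) >= 2 else "review",
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(detect(SAMPLE_EVENTS)).items():
        print(f"{host}: {f['severity']:6s} {', '.join(f['rules'])}")
```

The sliding window keeps the rule useful on hosts where an administrator legitimately runs one of these commands: a single `bcdedit ... recoveryenabled no` on the backup server is surfaced for review, while the three commands within a second on the workstation are escalated.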

The trojan can detect the presence of virtual environments and sandboxes.
