{"id":52010,"date":"2016-08-15T17:47:32","date_gmt":"2016-08-16T00:47:32","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=52010"},"modified":"2025-05-28T23:10:39","modified_gmt":"2025-05-29T06:10:39","slug":"cerber-ransomware-updates-configuration-file","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/cerber-ransomware-updates-configuration-file\/","title":{"rendered":"Cerber Ransomware Updates Configuration File"},"content":{"rendered":"

This blog post was written by Sudhanshu Dubey.<\/em><\/p>\n

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and also takes advantages of exploit kits like Angler, Nuclear, and others.<\/p>\n

During our analysis of the new version, we found some new fields in the configuration file. In this post, we highlight the changes in the configuration files of Cerber Versions 1 and 2.
\nThis snapshot shows a machine infected with Cerber 2.<\/p>\n

\"20160815<\/a><\/p>\n

Machine infected with Cerber Version 2.<\/em><\/p>\n

The extensions of encrypted files has changed from .cerber to .cerber2.<\/p>\n

\"20160815<\/a>\"20160815<\/a><\/p>\n

Partial lists of files infected with Cerber 1 and 2.<\/em><\/p>\n

Why an update?<\/strong><\/h2>\n

The ransomware author may have upgraded the malware because of the release of a decryption tool. The ransomware\u2019s detection rate may have also increased; this version has a new packer (wrapper) to make it harder for security products and analysts to find and examine the malware.<\/p>\n

Our analysis did not find many significant changes. This version likes to keep its component files (containing the public key and other data) on disk after the encryption process, whereas the previous version kept the component files only in the registry entries. Files and registry entries have the same content.<\/p>\n

\"20160815<\/a><\/p>\n

Version 2\u2019s component files in %appdata% and registry entries.<\/em><\/p>\n

The location of the encrypted configuration file is updated from the resource section to the last section. We will discuss this further in a future post.<\/p>\n

The configuration file<\/strong><\/h2>\n

We observed some changes in the configuration files of the two versions. Most are related to encryption tags and antimalware products.<\/p>\n

The first change that caught our eye is the addition of rc4_key_size in the encrypt tag. This value was previously calculated at runtime but now is included in the file. The author also updated the infected-files extension to .cerber2 and also modified the value of the rsa_key_size field. The following snippets show some of the changes.<\/p>\n

\"20160815<\/a>\"20160815<\/a><\/p>\n

Version 1 (left) and Version 2 encryption tags.<\/em><\/p>\n

Version 2 includes a blacklist to fight against the security products. The av_blacklist tag in the configuration file contains a list of several vendors\u2019 names.<\/p>\n

\"20160815<\/a><\/p>\n

Version 2\u2019s av_blacklist tag.<\/em><\/p>\n

The new av_blacklist tag is reflected in the check tag as a flag in the configuration file.<\/p>\n

\"20160815<\/a><\/p>\n

Check tag in Version 1.<\/em><\/p>\n

\"20160815<\/a><\/p>\n

Check tag in Version 2.<\/em><\/p>\n

Close_process list enhancements<\/strong><\/p>\n

Some applications use a locking mechanism to prevent other application from accessing or making changes in the files they access to maintain data integrity. Word for Windows does this, for example. To stop a locking mechanism from preventing the encryption of files, Cerber terminates such processes. The list of these processes is kept under the close_process list tag. In this version, Cerber enhances this list significantly, as shown below:<\/p>\n

\"20160815<\/a><\/p>\n

The close_process tag in Version 1.<\/em><\/p>\n

\"20160815<\/a><\/p>\n

The close_process tag in Version 2.<\/em><\/p>\n

Wallpaper template<\/strong>
\nVersion 2 adds a wallpaper tag, which is a template to create the desktop background on the victim\u2019s machine. The variable fields\u2014including TOR, SITE_N, and PC_ID\u2014is updated at runtime.<\/p>\n

\"20160815<\/a><\/p>\n

The wallpaper tag in Version 2.<\/em><\/p>\n

Anti-VM techniques<\/strong>
\nCerber is one of the most comprehensive malware in fighting virtual machines. Cerber detects popular VMs such as Parallel, QEMU, VMware, and VBox. One of the most interesting techniques (in both versions) is Cerber\u2019s enumeration of the registry key \u201cHKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Enum\\\\PCI\u201d:<\/p>\n

\"20160815<\/a>
\nAccessing the registry: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Enum\\\\PCI.<\/em><\/p>\n

Each subkey of HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Enum\\\\PCI represents a PCI-bus connected device with the following format:<\/p>\n