Cerber Ransomware Sample

Cerber Ransomware

Being interested in malware analysis, I set myself the challenge of reversing a malware sample a week and posting about it on my blog. Being a perfectionist, it’s a bit difficult to post these struggles because I want it to come out like the malware reports posted by Kaspersky Labs. However, I should be very realistic here and take it step by step. Luckily there are a lot of online resources which help one battle the learning curve. There is also a vivid community out there that is always willing to help. Hasherezade is a perfect example of this. She is always willing to help. For this Cerber sample I reached out to her, which resulted in a video about unpacking this Cerber variant.

The first lesson (previous post) learned is to have a working sample. Just run it on a machine and see if it behaves as expected. The TorrentLocker sample in the previous post worked on malwr.com but not on my Windows 10 or Windows 7 machine. I couldn’t get it to work. Hence I started to work on another sample, namely this Cerber variant.

As far as I know there is no decryption possible of files encrypted by this Cerber Ransomware sample.

This Cerber ransomware sample has the following hash (packed):

831d40ec8b632c8cf4250695b7cf745bd573c86d7fdee5f0b02ea39d4f6bc20

AegisLab = Troj.W32.Generic!c
AhnLab-V3 = Win-Trojan/Cerber.Gen
AVware = Trojan.Win32.Generic.pak!cobra
Baidu = Win32.Trojan.Kryptik.anp
CrowdStrike = malicious_confidence_100% (W)
Endgame = malicious (moderate confidence)
Fortinet = W32/Kryptik.FPZX!tr
Invincea = virus.win32.ramnit.j
Kaspersky = HEUR:Trojan.Win32.Generic
McAfee-GW-Edition = BehavesLike.Win32.Ransomware.fh
McAfee = Artemis!410F7621BD5B
Rising = Trojan.Kryptik!8.8 (cloud:EDndvVDzOVF) 
SentinelOne = static engine - malicious
Sophos = Mal/Cerber-B
Symantec = Trojan.Gen.8!cloud
TrendMicro-HouseCall = Ransom_CERBER.SMEJ5
VIPRE = Trojan.Win32.Generic.pak!cobra
Webroot = W32.Trojan.Gen
ZoneAlarm = HEUR:Trojan.Win32.Generic
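To make sense of a vendor label list like the one above, here is an added Python triage helper (not from the post or its author) that parses the "Vendor = Label" lines, separates family-specific names from generic or heuristic verdicts, and counts the consensus. The family list and the generic-marker regex are assumptions, chosen to cover the labels on this page.

```python
import re
from collections import Counter

# Vendor labels as listed in the post, one "Vendor = Label" per line (constructed input).
DETECTIONS = """\
AegisLab = Troj.W32.Generic!c
AhnLab-V3 = Win-Trojan/Cerber.Gen
AVware = Trojan.Win32.Generic.pak!cobra
Baidu = Win32.Trojan.Kryptik.anp
CrowdStrike = malicious_confidence_100% (W)
Endgame = malicious (moderate confidence)
Fortinet = W32/Kryptik.FPZX!tr
Invincea = virus.win32.ramnit.j
Kaspersky = HEUR:Trojan.Win32.Generic
McAfee-GW-Edition = BehavesLike.Win32.Ransomware.fh
McAfee = Artemis!410F7621BD5B
Rising = Trojan.Kryptik!8.8 (cloud:EDndvVDzOVF)
SentinelOne = static engine - malicious
Sophos = Mal/Cerber-B
Symantec = Trojan.Gen.8!cloud
TrendMicro-HouseCall = Ransom_CERBER.SMEJ5
VIPRE = Trojan.Win32.Generic.pak!cobra
Webroot = W32.Trojan.Gen
ZoneAlarm = HEUR:Trojan.Win32.Generic
"""

FAMILIES = ("cerber", "kryptik", "ramnit")  # assumption: short list of families seen here
GENERIC = re.compile(r"\b(generic|gen|heur|artemis|malicious|behaveslike)\b")  # assumption

def parse_detections(text):
    """Return {vendor: label}; lines without '=' are skipped."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {v.strip(): l.strip() for v, l in pairs}

def classify(label):
    """Family name if the label carries one, else 'generic' for heuristic/ML verdicts, else 'unknown'."""
    low = re.sub(r"[^a-z0-9]+", " ", label.lower())  # normalise separators so \b works
    for fam in FAMILIES:
        if fam in low:
            return fam
    return "generic" if GENERIC.search(low) else "unknown"

def family_consensus(text):
    """Count how many vendors land on each family versus a generic verdict."""
    return Counter(classify(lbl) for lbl in parse_detections(text).values())
```

On this list only 3 of 19 vendors name Cerber and 3 more report Kryptik, a label commonly applied to packed or obfuscated executables, which fits the post's note that the sample is packed.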

This time I have checked that it’s working 🙂

Cerber

Update on this Cerber sample:

I asked hasherezade for help after playing around for a few days trying to dump a valid executable from the process. I dumped some executables, but probably too early in the process, or the wrong ones. I think most of my wasted time comes from setting breakpoints in the wrong locations, which leads to stepping through code endlessly.

Now that I have an unpacked sample, I will glance at how the file encryption is done by this sample. Next is to get another sample and set myself the task again of dumping a valid unpacked/unencrypted binary.

Below is the video made by hasherezade. She makes this look really easy.

Unpacking Cerber Ransomware
