{
	"id": "debadea6-2116-4f37-a097-e0195320dca6",
	"created_at": "2026-04-06T00:08:24.046088Z",
	"updated_at": "2026-04-10T03:21:55.457323Z",
	"deleted_at": null,
	"sha1_hash": "151b786b5e67ea5008ab88aa22ad92e9f675f3ab",
	"title": "Reversing Cerber - RaaS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14367775,
	"plain_text": "Reversing Cerber - RaaS\r\nBy James Haughom\r\nPublished: 2018-08-07 · Archived: 2026-04-05 15:55:49 UTC\r\nCerber has established itself as one of the most successful ransomware families to date. Distributed as RaaS (Ransomware as a Service), the malware has retained popularity with over 6 known variants.\r\nThe malware is packed with Nullsoft PiMP (plugin Mini Packager), which hides much of the malware's true functionality.\r\nAs a whole, the malware's entropy is quite high (6.1), indicating packed code.\r\nhttps://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html\r\nPage 1 of 16\r\nThe malware contains an anomalous PE section \".ndata\" which has a virtual size much higher than its physical/raw size. This indicates that there is a good chunk of code that won't present itself until runtime, once the malware is loaded in memory.\r\npestudio marks the .text/.code section as highly entropic (6.4); this is where the actual code/instructions are stored in a PE.\r\nI conducted this analysis in a host-only virtual network with a Windows 10 VM routing its network traffic to a REMnux VM running fakedns, iNetSim, and Wireshark. The malware happily runs in the VM with security tools running, dropping several files to disk. The number of bytes written to the file 'collages.dll' is the same as the virtual size of the '.ndata' section.\r\nThe malware then makes a few modifications to the registry. A couple of these modifications have to do with what the user is presented with (Wallpaper); the rest have to do with network activity. This malware (interestingly enough) does not establish persistence; it just encrypts and exits.\r\nThe malware spawns an instance of itself, which then opens the ransom note '_HELP_DECRYPT_N0BR8ST0_.hta'. The filename for this ransom note appears to be unique to the system; the format is '_HELP_DECRYPT_[A-Z0-9]{8}_.hta' \u003c- simple regex for the 8-character alphanumeric string.\r\nLike most ransomware, a ransom note is dropped to the desktop, the Wallpaper is changed, and encrypted files are tagged with a weird file extension '.94d4'. Another file extension found during analysis was '.bde6' - this value appears to be randomly generated.\r\nThe malware contacts hundreds of hosts over port 6892.\r\nThe same UDP packet is sent over and over.\r\nThe first half of the string is the same as the unique string at the end of the provided URL in the ransom note.\r\nLET THE REVERSING COMMENCE!!!\r\nThe process tree from behavioral analysis showed the original instance of cerber launching a new cerber; this turned out to be pretty interesting. Notice the sixth value pushed onto the stack for the CreateProcess API call: the value 4 is passed for the dwCreationFlags argument. The 4 indicates that this process is created in a suspended state. Do I sense code injection?\r\nThe malware then takes a fairly common path for the injection. It reads the memory of the newly spawned cerber.exe; the parameter '2F4' is a handle to said cerber.\r\nThe malware then hollows out the suspended process through the WinAPI call 'UnMapViewOfSection'. The parameter '400000' is passed as the base address at which to begin hollowing/unmapping, which is the very beginning/start of the PE.\r\nA buffer is then filled via 'RtlDecompressBuffer', which stores the contents that will be injected into the suspended process. Notice the 'MZ' header: this is an executable that will be injected into the target process.\r\nThe buffer is then written to the target process via 'WriteProcessMemory'. A pointer to the executable seen in the dump window is passed as the data to be written. The base address '400000', which was the start address of the hollowing, is now passed as the base address at which this executable will be written in the hollowed-out process.\r\nTo intercept this executable, I followed the base address in the memory map and then dumped it. When attempting to load it into IDA, it is not recognized as a valid PE. Looking at the file in HxD, there are around 32 bytes of noise before the magic bytes of the executable.\r\nDeleting up until the 'MZ'/'4D5A' fixes the problem. This looks to be where the true payload/ransomware code lies; this is the first time we have seen crypt-related APIs. So essentially, the malware uses code injection as a way to unpack itself.\r\nNow that the code has been injected/written, the malware must start a thread of execution to invoke the code. The context of the thread is set via 'SetThreadContext'.\r\nAnd finally, the thread is resumed and the code begins executing in the target process.\r\nJust before taking the instruction to allow 'ResumeThread' to execute, I spawned a new instance of x64dbg and attached to the still-suspended cerber.exe. I then set breakpoints on thread entry and thread start to halt execution once 'ResumeThread' is called. Next, I set breakpoints on all crypt-related APIs, as well as GetProcAddress, so that I can identify any additional code that may be dynamically loaded. The first function to be dynamically resolved via 'GetProcAddress' is 'CryptEncrypt'.\r\nThe next interesting code block was the usage of the API 'CryptStringToBinary'. This API converts a string to an array of bytes. The data to be converted is a very long base64 string.\r\nDecoded, the string looks to be a hard-coded Public Key.\r\nThe Public Key Info suggests that this is 'RSA 1.2.840.113549.1.1 - PKCS-1' encryption.\r\nNext, the malware creates a directory in the AppData folder where it stores some housekeeping data.\r\nThen a mutex is created. The name of the mutex is resolved dynamically - 'shell.{FB79CB8E-F0B4-4B09-A183-601B6025EC35}' - and it is created just before network activity occurs ('WSAStartup').\r\nA UDP socket is created and will be used to blast that single string to hundreds of IPs.\r\nThe 'sendto' function is called in a loop to contact the external hosts.\r\nNext, the encryption commences. Directories are traversed via 'FindFirstFile' and 'FindNextFile'. The malware also looks for network resources to encrypt via 'WNetOpenEnum'.\r\nOnce encryption completes, the ransom note is opened via 'ShellExecute' with parameters 'Open' and '_HELP_DECRYPT_N0BR8ST0_.hta'. This ransom note is far more robust than most. Most ransom notes are a simple text file; this is an .hta that has several functions, and is apparently quite universally accommodating. The ransom note even has a button to change the language.\r\nAnother interesting code segment is that the .hta file checks the victim's MAC address against a few MAC addresses associated with VMware and some popular network technology companies. If there is a match, the URL in the ransom note is updated to English. Interesting!\r\nThe most interesting part of this malware to me was how it unpacked itself through code injection and process hollowing. This malware just performs the encryption and then exits, no persistence! Most filenames are randomized to evade signature-based detection, so regex will be our friend when sweeping for/detecting these artifacts. A Snort rule may be plausible due to the port (6892), but UDP can be noisy. The rule would use PCRE to match the unique long string passed over 6892.\r\nKey Takeaways:\r\n- Encrypts files on disk and in network shares\r\n- Modifies registry\r\n- Drops files on disk\r\n- Performs code injection\r\n- Contacts external hosts\r\nHost-based IOCs:\r\ncerber.exe\r\n2d6ace7910f84eb775272a6590453a0e - md5\r\n\\AppData\\Local\\Temp\\collages.dll\r\n2A4BF3D01B6C84A2130C110D02C772AC - md5\r\n\\AppData\\Local\\Temp\\floppy_disk.png\r\n\\AppData\\Local\\Temp\\floppy_disk_disabled.png\r\n\\AppData\\Local\\Temp\\flat.xsl\r\n\\AppData\\Local\\Temp\\tmpCBD8.bmp\r\n\\AppData\\Local\\Temp\\0ad3e319\\4f11.tmp\r\n\\AppData\\Local\\Temp\\0ad3e319\\280c.tmp\r\n\\AppData\\Local\\Temp\\nshBD76.tmp\\System.dll\r\n3E6BF00B3AC976122F982AE2AADB1C51 - md5\r\n\\Desktop\\_HELP_DECRYPT_N0BR8ST0_.hta - Ransom note\r\n\\Desktop\\_HELP_DECRYPT_N0BR8ST0_.jpg - Wallpaper\r\n*.94d4 - file extension tagged onto encrypted files (randomly generated)\r\n*.bde6 - file extension tagged onto encrypted files (randomly generated)\r\n*.[a-z0-9]{4} - regex for file extension\r\nshell.{FB79CB8E-F0B4-4B09-A183-601B6025EC35} - Mutex\r\n\\Sessions\\1\\BaseNamedObjects\\SM0:6064:168:WilStaging_02 - Base named object\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop\\WallPaper - REG_SZ - C:\\Users\\REM\\AppData\\Local\\Temp\\tmpCBD8.bmp\r\nHard-coded Public Key:\r\n-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp\r\n0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/\r\nOJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8\r\nJQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p\r\n4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSn\r\nqryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0H\r\nnQIDAQAB\r\n-----END PUBLIC KEY-----\r\nNetwork-based IOCs:\r\n91.239.24.xxx: 6892 - UDP\r\nxxx.12.15.97: 6892 - UDP\r\nxxx.24.239.91: 6892 - UDP\r\nSource: https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html"
	],
	"report_names": [
		"reversing-cerber-raas.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/151b786b5e67ea5008ab88aa22ad92e9f675f3ab.pdf",
		"text": "https://archive.orkl.eu/151b786b5e67ea5008ab88aa22ad92e9f675f3ab.txt",
		"img": "https://archive.orkl.eu/151b786b5e67ea5008ab88aa22ad92e9f675f3ab.jpg"
	}
}