{
	"id": "2f5a39e1-ab82-4dc2-9669-3403aad1f324",
	"created_at": "2026-04-06T00:09:34.887048Z",
	"updated_at": "2026-04-10T03:20:39.920751Z",
	"deleted_at": null,
	"sha1_hash": "4b8e7c5175746ee9c5266d3b4861cbc5d76f0de7",
	"title": "Cerber Starts Evading Machine Learning",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68650,
	"plain_text": "Cerber Starts Evading Machine Learning\r\nBy By: Trend Micro Mar 28, 2017 Read time: 3 min (906 words)\r\nPublished: 2017-03-28 · Archived: 2026-04-05 19:56:39 UTC\r\nThe CERBER family of ransomware has been found to have adopted a new technique to make itself harder to\r\ndetect: it is now using a new loader that appears to be designed to evade detection by machine learning solutions.\r\nThis loader is designed to hollow out a normal process where the code of CERBER is instead run.\r\nBehavior and Analysis\r\nRansomware typically arrives via email, and these new CERBER variants are no exception. Emails that claim to\r\nbe from various utilities may have been used. The emails contain a link to a self-extracting archive, which has\r\nbeen uploaded to a Dropbox account controlled by the attackers. The target then downloads and opens it to infect\r\na system. The following flow chart shows what happens next.\r\nintel\r\nFigure 1. Cerber behavior flowchart\r\nThe downloaded file is a self-extracting archive that contains three files: a Visual Basic script, a DLL file, and a\r\nbinary file that looks like a configuration file. In one sample we saw, these files are named 38oDr5.vbs, 8ivq.dll,\r\nand x, respectively. Other cases with the same behavior may have different file names, however.\r\nintel\r\nFigure 2. Contents of self-extracting archive\r\nFirst, the script is run using the Windows Script Host. The script, in turn, loads the DLL file using\r\nrundll32.exe with the DLL's filename and exports as the arguments.\r\nThe DLL file itself is simple and straightforward. All it does is read the configuration file (file x), decrypts part of\r\nit, and execute whatever it decrypts. The DLL file is not packed or encrypted; however, the code that it decrypted\r\nfrom file x is definitely malicious.\r\nintel\r\nFigure 3. Start of binary file in X\r\nX contains the loader, as well as various configuration settings. The loader has features that check if it is running\r\nin a virtual machine (VM), if it is running in a sandbox, if certain analysis tools are running on the machine, or if\r\ncertain AV products are present. If any of these checks fail, the malware stops running. The lists below highlight\r\nthe specific tools and products this software checks for:\r\nAnalysis Tools\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/\r\nPage 1 of 3\n\nMsconfig\r\nSandboxes\r\nRegedit\r\nTask Manager\r\nVirtual Machines\r\nWireshark\r\nSecurity vendors\r\n360\r\nAVG\r\nBitdefender\r\nDr. Web\r\nKaspersky\r\nNorton\r\nTrend Micro\r\nThe main payload of the loader is the injection of code in another process. In this case, the injected code is the\r\nwhole Cerber binary, and it can be injected into any of the following processes:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\r\nC:\\Windows\\SysWow64\\WerFault.exe\r\nC:\\Windows\\System32\\WerFault.exe\r\nPlease note that we have provided a list of the Dropbox URLs to their security team. The URLs in question are no\r\nlonger functional, and the accounts involved have been banned from the service.\r\nMachine Learning and Evasion\r\nAs a threat, Cerber has already been blocked by earlier advances in security solutions. Running Cerber in a normal\r\nprocess (as done by the loader) can help evade behavioral monitoring, but why go to the trouble of repackaging\r\nCerber and using a separate loader? Earlier versions of Cerber already had a code injection routine which could\r\nmimic that particular behavior, so why was the separate loader necessary?\r\nThe answer lies in the adoption of the security industry of machine learning solutions. The industry has created\r\nfeatures to proactively detect malicious files based on features instead of signatures. The new packaging and\r\nloading mechanism employed by Cerber can cause problems for static machine learning approaches–i.e, methods\r\nthat analyze a file without any execution or emulation.\r\nSelf-extracting files and simple, straightforward files could pose a problem for static machine learning file\r\ndetection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with\r\nlimited features may not look malicious either. In other words, the way Cerber is packaged could be said to be\r\ndesigned to evade machine learning file detection. For every new malware detection technique, an equivalent\r\nevasion technique is created out of necessity.\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/\r\nPage 2 of 3\n\nThis new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection.\r\nCerber has its weaknesses against other techniques. For instance, having an unpacked .DLL file will make it easy\r\nto create a one-to-many pattern; alternately having a set structure within an archive will make it easier to identify\r\nif a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine\r\nlearning, can still protect customers against these threats.\r\nTrend Micro Solutions\r\nThreats will always try to get around the latest solutions, and users should avoid relying on any single approach to\r\nsecurity. A proactive, multilayered approach to security is more effective— from the gatewayproducts,\r\nendpointsproducts, networksproducts, and serversproducts..\r\nEndpoint solutions such as Trend Micro™ Smart Protection Suitesproducts, and Worry-Free™ Business\r\nSecurityworry free services suites can protect users and businesses from these threats by detecting malicious files,\r\nand spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™products\r\nhas an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.\r\nTrend Micro OfficeScan™products with XGen™ endpoint security infuses high-fidelity machine learning with\r\nother detection technologies and global threat intelligence for comprehensive protection against ransomware and\r\nadvanced malware. Our machine learning capabilities have been tuned to account for attacks using these types of\r\nevasion techniques.\r\nIndicators of Compromise\r\nFiles with the following SHA256 hashes are associated with this threat:\r\n09ef4c6b8a297bf4cf161d4c12260ca58cc7b05eb4de6e728d55a4acd94606d4 (Detected\r\nas VBS_CERBER.DLCYG)\r\na61eb7c8d7a6bc9e3eb2b42e7038a0850c56e68f3fec0378b2738fe3632a7e4c (Detected\r\nas Ransom_CERBER.ENC)\r\ne3e5d9f1bacc4f43af3fab28a905fa4559f98e4dadede376e199360d14b39153 (Detected\r\nas Ransom_CERBER.VSAGD)\r\nf4dbbb2c4d83c2bbdf4faa4cf6b78780b01c2a2c59bc399e5b746567ce6367dd (Detected\r\nas TROJ_CERBER.AL)\r\nAdditional Analysis By Brian Cayanan and Jon Oliver.\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/\r\nhttp://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/"
	],
	"report_names": [
		"cerber-starts-evading-machine-learning"
	],
	"threat_actors": [],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b8e7c5175746ee9c5266d3b4861cbc5d76f0de7.pdf",
		"text": "https://archive.orkl.eu/4b8e7c5175746ee9c5266d3b4861cbc5d76f0de7.txt",
		"img": "https://archive.orkl.eu/4b8e7c5175746ee9c5266d3b4861cbc5d76f0de7.jpg"
	}
}