In this video walkthrough, we covered how to investigate the Cerber Ransomware and find its related artifacts in Windows machines.

Challenge Description

Part of the Blue Primer series, learn how to use Splunk to search through massive amounts of information.

One of your users at Wayne Enterprises has managed to get their machine infected, work your way through this second scenario to discover how it happened!┬áDon’t hesitate to use the material provided to give you a nudge!

Task Questions

What was the most likely IP address of we8105desk on 24AUG2016?

What is the name of the USB key inserted by Bob Smith?

After the USB insertion, a file execution occurs that is the initial Cerber infection. This file execution creates two additional processes. What is the name of the file?

During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of this field?

Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

What was the first suspicious domain visited by we8105desk on 24AUG2016?

The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

What is the parent process ID of 121214.tmp?

Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?

The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

How many distinct PDFs did the ransomware encrypt on the remote file server?

What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Video Walkthrough


About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles