Let’s Code: Cerber Extension Finder in FASM

Inspiration: https://twitter.com/VK_Intel/status/875247835880534017

Goal: Identify Cerber ransomware extension on any machine based on MachineGuid’s value.

Here is the ASM code in FASM:
format pe gui 4.0
include ‘win32ax.inc’
entry cerber_ext
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; CERBER Extension Finder ;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; by @VK_Intel ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
section ‘.text’ code readable executable
   invoke RegOpenKeyExA, HKEY_LOCAL_MACHINE,CryptoReg,NULL,KEY_READ,ckey
   invoke VirtualAlloc, NULL, 24, MEM_COMMIT, PAGE_READWRITE
   mov [RegBuffer], eax
   invoke RegQueryValueExA, [ckey], MachineGuid, NULL,dword_type,[RegBuffer],RegSize
   invoke lstrlen, [RegBuffer]
   mov ebx, [RegBuffer]
   add ebx, eax
   dec ebx
   mov edx, [ebx]
   cmp dl, 2dh ; “-” in hex
   je one_more
   jmp start_find
   dec ebx
   mov edx, [ebx]
   cmp dl, 2dh ; “-” in hex
   je final
   jmp one_more
   inc ebx
   invoke VirtualAlloc, NULL, 4, MEM_COMMIT, PAGE_READWRITE
   mov [fourthGuid], eax
   invoke lstrcpyn,[fourthGuid],ebx,5
   invoke MessageBox, 0, [fourthGuid], Cerber_Ext, MB_OK
   invoke ExitProcess, 0
section ‘.data’ data readable writable
CryptoReg           db ‘SOFTWARE\Microsoft\Cryptography’,0
MachineGuid      db ‘MachineGuid’,0
ckey                    dd ?
dword_type        dd REG_DWORD
RegBuffer          dd ?
RegSize              dd 256
fourthGuid         dd ?
Cerber_Ext        db ‘==> Your Cerber Extension <==', 0
section ‘.itable’ import data readable
        library  kernel32,’kernel32.dll’,\
                     user32, ‘user32.dll’
        import user32,\
         import  kernel32,\
                 lstrlen, ‘lstrlenA’,\
                 lstrcpyn, ‘lstrcpynA’,\
                 VirtualAlloc, ‘VirtualAlloc’
         import  advapi32,\
                 RegOpenKeyExA, ‘RegOpenKeyExA’,\
                 RegQueryValueExA, ‘RegQueryValueExA’

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: