From 79804435aa460d13571fa16e260eabbfd36d0142 Mon Sep 17 00:00:00 2001 
From: Sam Sneed <163201376+sam-sneed@users.noreply.github.com> Date: Wed, 24 Jul 2024 17:45:31 -0500 Subject: [PATCH] add yara functionality See LICENSE-YARA-RULES for the license --- main.py | 133 +- .../ByteCode.MSIL.Backdoor.AgentRacoon.yara | 128 + .../ByteCode.MSIL.Backdoor.AsyncRAT.yara | 149 + .../ByteCode.MSIL.Backdoor.LimeRAT.yara | 91 + .../ByteCode.MSIL.Backdoor.Menorah.yara | 169 + yara/backdoor/Linux.Backdoor.Krasue.yara | 127 + yara/backdoor/Linux.Backdoor.Linodas.yara | 216 + yara/backdoor/Win32.Backdoor.Konni.yara | 190 + yara/backdoor/Win64.Backdoor.Konni.yara | 205 + yara/backdoor/Win64.Backdoor.Minodo.yara | 110 + yara/backdoor/Win64.Backdoor.SideTwist.yara | 154 + yara/certificate/blocklist.yara | 17288 ++++++++++++++++ .../Win32.Downloader.dlMarlboro.yara | 79 + yara/exploit/Win32.Exploit.CVE20200601.yara | 253 + .../Win32.Infostealer.LumarStealer.yara | 190 + .../Win32.Infostealer.MultigrainPOS.yara | 88 + .../Win32.Infostealer.ProjectHookPOS.yara | 98 + .../infostealer/Win32.Infostealer.StealC.yara | 57 + yara/pua/Win32.PUA.Domaiq.yara | 169 + .../ByteCode.MSIL.Ransomware.Apis.yara | 75 + .../ByteCode.MSIL.Ransomware.ChupaCabra.yara | 90 + .../ByteCode.MSIL.Ransomware.Cring.yara | 66 + .../ByteCode.MSIL.Ransomware.Dusk.yara | 73 + .../ByteCode.MSIL.Ransomware.EAF.yara | 89 + .../ByteCode.MSIL.Ransomware.Eternity.yara | 74 + .../ByteCode.MSIL.Ransomware.Fantom.yara | 97 + ...teCode.MSIL.Ransomware.GhosTEncryptor.yara | 69 + .../ByteCode.MSIL.Ransomware.Ghostbin.yara | 61 + .../ByteCode.MSIL.Ransomware.GoodWill.yara | 89 + ...yteCode.MSIL.Ransomware.HarpoonLocker.yara | 96 + .../ByteCode.MSIL.Ransomware.Hog.yara | 70 + .../ByteCode.MSIL.Ransomware.Invert.yara | 66 + .../ByteCode.MSIL.Ransomware.Janelle.yara | 96 + .../ByteCode.MSIL.Ransomware.Khonsari.yara | 68 + .../ByteCode.MSIL.Ransomware.McBurglar.yara | 75 + .../ByteCode.MSIL.Ransomware.Moisha.yara | 86 + .../ByteCode.MSIL.Ransomware.Namaste.yara | 81 + 
.../ByteCode.MSIL.Ransomware.Oct.yara | 68 + .../ByteCode.MSIL.Ransomware.Pacman.yara | 68 + ...yteCode.MSIL.Ransomware.PoliceRecords.yara | 79 + .../ByteCode.MSIL.Ransomware.Povlsomware.yara | 64 + .../ByteCode.MSIL.Ransomware.Retis.yara | 74 + .../ByteCode.MSIL.Ransomware.TaRRaK.yara | 96 + .../ByteCode.MSIL.Ransomware.Thanos.yara | 106 + .../ByteCode.MSIL.Ransomware.TimeCrypt.yara | 69 + .../ByteCode.MSIL.Ransomware.TimeTime.yara | 75 + .../ByteCode.MSIL.Ransomware.Venom.yara | 68 + .../ByteCode.MSIL.Ransomware.WildFire.yara | 77 + .../ByteCode.MSIL.Ransomware.WormLocker.yara | 69 + .../ByteCode.MSIL.Ransomware.ZeroLocker.yara | 70 + .../Bytecode.MSIL.Ransomware.CobraLocker.yara | 59 + .../Linux.Ransomware.GwisinLocker.yara | 354 + .../ransomware/Linux.Ransomware.KillDisk.yara | 144 + .../ransomware/Linux.Ransomware.LuckyJoe.yara | 146 + .../ransomware/Linux.Ransomware.RedAlert.yara | 146 + yara/ransomware/Win32.Ransomware.5ss5c.yara | 267 + .../Win32.Ransomware.ASN1Encoder.yara | 136 + yara/ransomware/Win32.Ransomware.Acepy.yara | 69 + .../ransomware/Win32.Ransomware.Afrodita.yara | 119 + yara/ransomware/Win32.Ransomware.Ako.yara | 152 + .../ransomware/Win32.Ransomware.Alcatraz.yara | 91 + .../Win32.Ransomware.AnteFrigus.yara | 210 + .../Win32.Ransomware.Archiveus.yara | 50 + yara/ransomware/Win32.Ransomware.Armage.yara | 128 + yara/ransomware/Win32.Ransomware.Atlas.yara | 99 + yara/ransomware/Win32.Ransomware.Avaddon.yara | 148 + .../Win32.Ransomware.AvosLocker.yara | 108 + .../Win32.Ransomware.BKRansomware.yara | 79 + yara/ransomware/Win32.Ransomware.Babuk.yara | 117 + .../ransomware/Win32.Ransomware.BadBlock.yara | 100 + .../Win32.Ransomware.Badbeeteam.yara | 137 + .../Win32.Ransomware.Balaclava.yara | 113 + yara/ransomware/Win32.Ransomware.Bam2021.yara | 167 + .../Win32.Ransomware.BananaCrypt.yara | 103 + .../Win32.Ransomware.BandarChor.yara | 97 + .../ransomware/Win32.Ransomware.BitCrypt.yara | 112 + .../Win32.Ransomware.BlackBasta.yara | 531 + 
.../ransomware/Win32.Ransomware.BlackCat.yara | 109 + .../Win32.Ransomware.BlackMoon.yara | 70 + .../Win32.Ransomware.Blitzkrieg.yara | 127 + .../Win32.Ransomware.BlueLocker.yara | 130 + .../Win32.Ransomware.BrainCrypt.yara | 121 + yara/ransomware/Win32.Ransomware.Buran.yara | 91 + yara/ransomware/Win32.Ransomware.ChiChi.yara | 66 + yara/ransomware/Win32.Ransomware.Cincoo.yara | 78 + yara/ransomware/Win32.Ransomware.Clop.yara | 109 + yara/ransomware/Win32.Ransomware.Conti.yara | 74 + yara/ransomware/Win32.Ransomware.Cryakl.yara | 64 + yara/ransomware/Win32.Ransomware.Crypmic.yara | 56 + yara/ransomware/Win32.Ransomware.Crypren.yara | 144 + .../Win32.Ransomware.CryptoBit.yara | 113 + .../Win32.Ransomware.CryptoFortress.yara | 162 + .../Win32.Ransomware.CryptoJoker.yara | 140 + .../Win32.Ransomware.CryptoLocker.yara | 154 + .../Win32.Ransomware.CryptoWall.yara | 312 + yara/ransomware/Win32.Ransomware.Crysis.yara | 108 + yara/ransomware/Win32.Ransomware.Cuba.yara | 126 + .../Win32.Ransomware.DMALocker.yara | 149 + yara/ransomware/Win32.Ransomware.DMR.yara | 214 + .../ransomware/Win32.Ransomware.DarkSide.yara | 94 + yara/ransomware/Win32.Ransomware.DearCry.yara | 96 + yara/ransomware/Win32.Ransomware.Defray.yara | 157 + .../Win32.Ransomware.Delphimorix.yara | 67 + .../Win32.Ransomware.DenizKizi.yara | 88 + .../Win32.Ransomware.DesuCrypt.yara | 93 + yara/ransomware/Win32.Ransomware.Dharma.yara | 108 + .../Win32.Ransomware.DirtyDecrypt.yara | 112 + .../ransomware/Win32.Ransomware.District.yara | 194 + .../Win32.Ransomware.DogeCrypt.yara | 114 + yara/ransomware/Win32.Ransomware.Dragon.yara | 149 + .../ransomware/Win32.Ransomware.Dualshot.yara | 112 + .../Win32.Ransomware.Encoded01.yara | 141 + yara/ransomware/Win32.Ransomware.Erica.yara | 76 + yara/ransomware/Win32.Ransomware.FCT.yara | 86 + yara/ransomware/Win32.Ransomware.FLKR.yara | 71 + .../Win32.Ransomware.FarAttack.yara | 93 + .../Win32.Ransomware.FenixLocker.yara | 143 + 
.../ransomware/Win32.Ransomware.Ferrlock.yara | 131 + .../ransomware/Win32.Ransomware.Flamingo.yara | 54 + yara/ransomware/Win32.Ransomware.FuxSocy.yara | 114 + .../Win32.Ransomware.GPGQwerty.yara | 83 + .../ransomware/Win32.Ransomware.GandCrab.yara | 892 + .../Win32.Ransomware.GarrantyDecrypt.yara | 79 + yara/ransomware/Win32.Ransomware.Gibon.yara | 122 + .../Win32.Ransomware.GlobeImposter.yara | 171 + yara/ransomware/Win32.Ransomware.Gomer.yara | 106 + yara/ransomware/Win32.Ransomware.Good.yara | 82 + yara/ransomware/Win32.Ransomware.Gpcode.yara | 67 + .../Win32.Ransomware.GusCrypter.yara | 129 + .../Win32.Ransomware.HDDCryptor.yara | 157 + yara/ransomware/Win32.Ransomware.HDMR.yara | 161 + .../Win32.Ransomware.HakunaMatata.yara | 373 + yara/ransomware/Win32.Ransomware.Henry.yara | 80 + .../Win32.Ransomware.HentaiOniichan.yara | 140 + yara/ransomware/Win32.Ransomware.Hermes.yara | 284 + .../Win32.Ransomware.Horsedeal.yara | 106 + .../Win32.Ransomware.HowAreYou.yara | 205 + .../Win32.Ransomware.HydraCrypt.yara | 174 + yara/ransomware/Win32.Ransomware.IFN643.yara | 90 + yara/ransomware/Win32.Ransomware.InfoDot.yara | 115 + yara/ransomware/Win32.Ransomware.JSWorm.yara | 93 + yara/ransomware/Win32.Ransomware.Jamper.yara | 110 + yara/ransomware/Win32.Ransomware.Jemd.yara | 105 + .../Win32.Ransomware.Jormungand.yara | 135 + .../Win32.Ransomware.JuicyLemon.yara | 116 + .../ransomware/Win32.Ransomware.Kangaroo.yara | 91 + .../Win32.Ransomware.KawaiiLocker.yara | 135 + .../ransomware/Win32.Ransomware.KillDisk.yara | 80 + yara/ransomware/Win32.Ransomware.Knot.yara | 118 + yara/ransomware/Win32.Ransomware.Kovter.yara | 141 + yara/ransomware/Win32.Ransomware.Koxic.yara | 87 + yara/ransomware/Win32.Ransomware.Kraken.yara | 151 + yara/ransomware/Win32.Ransomware.Ladon.yara | 101 + .../Win32.Ransomware.LeChiffre.yara | 123 + yara/ransomware/Win32.Ransomware.LockBit.yara | 282 + yara/ransomware/Win32.Ransomware.Lolkek.yara | 106 + .../Win32.Ransomware.LooCipher.yara | 87 + 
yara/ransomware/Win32.Ransomware.Lorenz.yara | 252 + yara/ransomware/Win32.Ransomware.MRAC.yara | 69 + yara/ransomware/Win32.Ransomware.MZP.yara | 147 + yara/ransomware/Win32.Ransomware.Mafia.yara | 142 + .../ransomware/Win32.Ransomware.Magniber.yara | 114 + yara/ransomware/Win32.Ransomware.Major.yara | 261 + yara/ransomware/Win32.Ransomware.Makop.yara | 99 + yara/ransomware/Win32.Ransomware.Maktub.yara | 116 + .../ransomware/Win32.Ransomware.Marlboro.yara | 117 + .../ransomware/Win32.Ransomware.MarsJoke.yara | 157 + yara/ransomware/Win32.Ransomware.Matsnu.yara | 116 + .../Win32.Ransomware.MedusaLocker.yara | 174 + yara/ransomware/Win32.Ransomware.Meow.yara | 84 + .../ransomware/Win32.Ransomware.Monalisa.yara | 83 + .../Win32.Ransomware.Montserrat.yara | 118 + yara/ransomware/Win32.Ransomware.Motocos.yara | 75 + .../Win32.Ransomware.MountLocker.yara | 86 + yara/ransomware/Win32.Ransomware.NB65.yara | 68 + .../Win32.Ransomware.NanoLocker.yara | 79 + yara/ransomware/Win32.Ransomware.Nefilim.yara | 150 + yara/ransomware/Win32.Ransomware.Nemty.yara | 205 + yara/ransomware/Win32.Ransomware.Networm.yara | 103 + .../ransomware/Win32.Ransomware.NotPetya.yara | 73 + yara/ransomware/Win32.Ransomware.Oni.yara | 82 + .../Win32.Ransomware.OphionLocker.yara | 105 + .../Win32.Ransomware.Ouroboros.yara | 175 + .../ransomware/Win32.Ransomware.Outsider.yara | 88 + yara/ransomware/Win32.Ransomware.PXJ.yara | 158 + .../ransomware/Win32.Ransomware.Paradise.yara | 81 + yara/ransomware/Win32.Ransomware.Pay2Key.yara | 99 + yara/ransomware/Win32.Ransomware.Petya.yara | 58 + .../ransomware/Win32.Ransomware.Plague17.yara | 263 + .../Win32.Ransomware.PrincessLocker.yara | 92 + .../ransomware/Win32.Ransomware.Prometey.yara | 156 + .../Win32.Ransomware.RagnarLocker.yara | 108 + .../ransomware/Win32.Ransomware.Ragnarok.yara | 110 + yara/ransomware/Win32.Ransomware.Ransoc.yara | 114 + .../Win32.Ransomware.RansomPlus.yara | 95 + .../Win32.Ransomware.Ransomexx.yara | 147 + 
.../ransomware/Win32.Ransomware.Redeemer.yara | 105 + .../Win32.Ransomware.RegretLocker.yara | 206 + .../Win32.Ransomware.RetMyData.yara | 79 + yara/ransomware/Win32.Ransomware.Reveton.yara | 118 + yara/ransomware/Win32.Ransomware.Revil.yara | 101 + yara/ransomware/Win32.Ransomware.Rokku.yara | 147 + yara/ransomware/Win32.Ransomware.Ryuk.yara | 199 + yara/ransomware/Win32.Ransomware.Sage.yara | 77 + yara/ransomware/Win32.Ransomware.Sanwai.yara | 71 + yara/ransomware/Win32.Ransomware.Sarbloh.yara | 88 + yara/ransomware/Win32.Ransomware.Satan.yara | 152 + yara/ransomware/Win32.Ransomware.Satana.yara | 123 + yara/ransomware/Win32.Ransomware.Saturn.yara | 105 + yara/ransomware/Win32.Ransomware.Sepsis.yara | 126 + yara/ransomware/Win32.Ransomware.Serpent.yara | 122 + .../Win32.Ransomware.SevenSevenSeven.yara | 148 + .../Win32.Ransomware.ShadowCryptor.yara | 89 + .../Win32.Ransomware.Sherminator.yara | 157 + .../Win32.Ransomware.Sifrelendi.yara | 67 + yara/ransomware/Win32.Ransomware.Sifreli.yara | 119 + yara/ransomware/Win32.Ransomware.Sigrun.yara | 111 + .../ransomware/Win32.Ransomware.Skystars.yara | 97 + yara/ransomware/Win32.Ransomware.Spora.yara | 124 + .../ransomware/Win32.Ransomware.TBLocker.yara | 85 + .../Win32.Ransomware.TargetCompany.yara | 141 + .../Win32.Ransomware.TechandStrat.yara | 106 + .../Win32.Ransomware.TeleCrypt.yara | 109 + yara/ransomware/Win32.Ransomware.Termite.yara | 151 + .../Win32.Ransomware.Teslacrypt.yara | 665 + .../Win32.Ransomware.Teslarvng.yara | 137 + .../ransomware/Win32.Ransomware.Thanatos.yara | 85 + .../Win32.Ransomware.TorrentLocker.yara | 98 + .../Win32.Ransomware.VHDLocker.yara | 152 + .../Win32.Ransomware.VegaLocker.yara | 100 + yara/ransomware/Win32.Ransomware.Velso.yara | 230 + .../ransomware/Win32.Ransomware.WannaCry.yara | 135 + .../Win32.Ransomware.WaspLocker.yara | 76 + .../Win32.Ransomware.Wastedlocker.yara | 86 + .../Win32.Ransomware.WinWord64.yara | 215 + yara/ransomware/Win32.Ransomware.WsIR.yara | 73 + 
yara/ransomware/Win32.Ransomware.Xorist.yara | 150 + .../ransomware/Win32.Ransomware.Zeoticus.yara | 90 + .../ransomware/Win32.Ransomware.Zeppelin.yara | 109 + .../Win32.Ransomware.ZeroCrypt.yara | 94 + yara/ransomware/Win32.Ransomware.Zhen.yara | 176 + yara/ransomware/Win32.Ransomware.Zoldon.yara | 107 + yara/ransomware/Win64.Ransomware.Ako.yara | 173 + yara/ransomware/Win64.Ransomware.Albabat.yara | 139 + yara/ransomware/Win64.Ransomware.AntiWar.yara | 146 + .../Win64.Ransomware.AwesomeScott.yara | 101 + .../Win64.Ransomware.BlackBasta.yara | 293 + yara/ransomware/Win64.Ransomware.Cactus.yara | 190 + yara/ransomware/Win64.Ransomware.Curator.yara | 94 + yara/ransomware/Win64.Ransomware.DST.yara | 170 + .../Win64.Ransomware.HermeticRansom.yara | 105 + .../Win64.Ransomware.HotCoffee.yara | 111 + .../ransomware/Win64.Ransomware.Nokoyawa.yara | 104 + yara/ransomware/Win64.Ransomware.Pandora.yara | 95 + .../ransomware/Win64.Ransomware.RedRoman.yara | 82 + yara/ransomware/Win64.Ransomware.Rook.yara | 122 + .../Win64.Ransomware.SeedLocker.yara | 91 + yara/ransomware/Win64.Ransomware.Seth.yara | 122 + yara/ransomware/Win64.Ransomware.Solaso.yara | 171 + yara/ransomware/Win64.Ransomware.Vovalex.yara | 81 + .../Win64.Ransomware.WhiteBlackCrypt.yara | 91 + .../ransomware/Win64.Ransomware.Wintenzz.yara | 83 + yara/trojan/Linux.Trojan.AcidRain.yara | 67 + yara/trojan/Linux.Trojan.BiBiWiper.yara | 76 + yara/trojan/Win32.Trojan.BiBiWiper.yara | 102 + yara/trojan/Win32.Trojan.CaddyWiper.yara | 95 + yara/trojan/Win32.Trojan.Dridex.yara | 80 + yara/trojan/Win32.Trojan.Emotet.yara | 182 + yara/trojan/Win32.Trojan.HermeticWiper.yara | 50 + yara/trojan/Win32.Trojan.IsaacWiper.yara | 76 + yara/trojan/Win32.Trojan.TrickBot.yara | 46 + yara/virus/Linux.Virus.Vit.yara | 36 + yara/virus/Win32.Virus.Awfull.yara | 33 + yara/virus/Win32.Virus.Cmay.yara | 73 + yara/virus/Win32.Virus.DeadCode.yara | 76 + yara/virus/Win32.Virus.Elerad.yara | 33 + yara/virus/Win32.Virus.Greenp.yara | 46 + 
yara/virus/Win32.Virus.Mocket.yara | 58 + yara/virus/Win32.Virus.Negt.yara | 94 + 279 files changed, 51622 insertions(+), 52 deletions(-) create mode 100644 yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara create mode 100644 yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara create mode 100644 yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara create mode 100644 yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara create mode 100644 yara/backdoor/Linux.Backdoor.Krasue.yara create mode 100644 yara/backdoor/Linux.Backdoor.Linodas.yara create mode 100644 yara/backdoor/Win32.Backdoor.Konni.yara create mode 100644 yara/backdoor/Win64.Backdoor.Konni.yara create mode 100644 yara/backdoor/Win64.Backdoor.Minodo.yara create mode 100644 yara/backdoor/Win64.Backdoor.SideTwist.yara create mode 100644 yara/certificate/blocklist.yara create mode 100644 yara/downloader/Win32.Downloader.dlMarlboro.yara create mode 100644 yara/exploit/Win32.Exploit.CVE20200601.yara create mode 100644 yara/infostealer/Win32.Infostealer.LumarStealer.yara create mode 100644 yara/infostealer/Win32.Infostealer.MultigrainPOS.yara create mode 100644 yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara create mode 100644 yara/infostealer/Win32.Infostealer.StealC.yara create mode 100644 yara/pua/Win32.PUA.Domaiq.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara create mode 100644 
yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara create mode 100644 yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara create mode 100644 yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara create mode 100644 yara/ransomware/Linux.Ransomware.GwisinLocker.yara create mode 100644 yara/ransomware/Linux.Ransomware.KillDisk.yara create mode 100644 yara/ransomware/Linux.Ransomware.LuckyJoe.yara create mode 100644 yara/ransomware/Linux.Ransomware.RedAlert.yara create mode 100644 
yara/ransomware/Win32.Ransomware.5ss5c.yara create mode 100644 yara/ransomware/Win32.Ransomware.ASN1Encoder.yara create mode 100644 yara/ransomware/Win32.Ransomware.Acepy.yara create mode 100644 yara/ransomware/Win32.Ransomware.Afrodita.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ako.yara create mode 100644 yara/ransomware/Win32.Ransomware.Alcatraz.yara create mode 100644 yara/ransomware/Win32.Ransomware.AnteFrigus.yara create mode 100644 yara/ransomware/Win32.Ransomware.Archiveus.yara create mode 100644 yara/ransomware/Win32.Ransomware.Armage.yara create mode 100644 yara/ransomware/Win32.Ransomware.Atlas.yara create mode 100644 yara/ransomware/Win32.Ransomware.Avaddon.yara create mode 100644 yara/ransomware/Win32.Ransomware.AvosLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.BKRansomware.yara create mode 100644 yara/ransomware/Win32.Ransomware.Babuk.yara create mode 100644 yara/ransomware/Win32.Ransomware.BadBlock.yara create mode 100644 yara/ransomware/Win32.Ransomware.Badbeeteam.yara create mode 100644 yara/ransomware/Win32.Ransomware.Balaclava.yara create mode 100644 yara/ransomware/Win32.Ransomware.Bam2021.yara create mode 100644 yara/ransomware/Win32.Ransomware.BananaCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.BandarChor.yara create mode 100644 yara/ransomware/Win32.Ransomware.BitCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.BlackBasta.yara create mode 100644 yara/ransomware/Win32.Ransomware.BlackCat.yara create mode 100644 yara/ransomware/Win32.Ransomware.BlackMoon.yara create mode 100644 yara/ransomware/Win32.Ransomware.Blitzkrieg.yara create mode 100644 yara/ransomware/Win32.Ransomware.BlueLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.BrainCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Buran.yara create mode 100644 yara/ransomware/Win32.Ransomware.ChiChi.yara create mode 100644 yara/ransomware/Win32.Ransomware.Cincoo.yara create mode 100644 
yara/ransomware/Win32.Ransomware.Clop.yara create mode 100644 yara/ransomware/Win32.Ransomware.Conti.yara create mode 100644 yara/ransomware/Win32.Ransomware.Cryakl.yara create mode 100644 yara/ransomware/Win32.Ransomware.Crypmic.yara create mode 100644 yara/ransomware/Win32.Ransomware.Crypren.yara create mode 100644 yara/ransomware/Win32.Ransomware.CryptoBit.yara create mode 100644 yara/ransomware/Win32.Ransomware.CryptoFortress.yara create mode 100644 yara/ransomware/Win32.Ransomware.CryptoJoker.yara create mode 100644 yara/ransomware/Win32.Ransomware.CryptoLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.CryptoWall.yara create mode 100644 yara/ransomware/Win32.Ransomware.Crysis.yara create mode 100644 yara/ransomware/Win32.Ransomware.Cuba.yara create mode 100644 yara/ransomware/Win32.Ransomware.DMALocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.DMR.yara create mode 100644 yara/ransomware/Win32.Ransomware.DarkSide.yara create mode 100644 yara/ransomware/Win32.Ransomware.DearCry.yara create mode 100644 yara/ransomware/Win32.Ransomware.Defray.yara create mode 100644 yara/ransomware/Win32.Ransomware.Delphimorix.yara create mode 100644 yara/ransomware/Win32.Ransomware.DenizKizi.yara create mode 100644 yara/ransomware/Win32.Ransomware.DesuCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Dharma.yara create mode 100644 yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.District.yara create mode 100644 yara/ransomware/Win32.Ransomware.DogeCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Dragon.yara create mode 100644 yara/ransomware/Win32.Ransomware.Dualshot.yara create mode 100644 yara/ransomware/Win32.Ransomware.Encoded01.yara create mode 100644 yara/ransomware/Win32.Ransomware.Erica.yara create mode 100644 yara/ransomware/Win32.Ransomware.FCT.yara create mode 100644 yara/ransomware/Win32.Ransomware.FLKR.yara create mode 100644 
yara/ransomware/Win32.Ransomware.FarAttack.yara create mode 100644 yara/ransomware/Win32.Ransomware.FenixLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ferrlock.yara create mode 100644 yara/ransomware/Win32.Ransomware.Flamingo.yara create mode 100644 yara/ransomware/Win32.Ransomware.FuxSocy.yara create mode 100644 yara/ransomware/Win32.Ransomware.GPGQwerty.yara create mode 100644 yara/ransomware/Win32.Ransomware.GandCrab.yara create mode 100644 yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Gibon.yara create mode 100644 yara/ransomware/Win32.Ransomware.GlobeImposter.yara create mode 100644 yara/ransomware/Win32.Ransomware.Gomer.yara create mode 100644 yara/ransomware/Win32.Ransomware.Good.yara create mode 100644 yara/ransomware/Win32.Ransomware.Gpcode.yara create mode 100644 yara/ransomware/Win32.Ransomware.GusCrypter.yara create mode 100644 yara/ransomware/Win32.Ransomware.HDDCryptor.yara create mode 100644 yara/ransomware/Win32.Ransomware.HDMR.yara create mode 100644 yara/ransomware/Win32.Ransomware.HakunaMatata.yara create mode 100644 yara/ransomware/Win32.Ransomware.Henry.yara create mode 100644 yara/ransomware/Win32.Ransomware.HentaiOniichan.yara create mode 100644 yara/ransomware/Win32.Ransomware.Hermes.yara create mode 100644 yara/ransomware/Win32.Ransomware.Horsedeal.yara create mode 100644 yara/ransomware/Win32.Ransomware.HowAreYou.yara create mode 100644 yara/ransomware/Win32.Ransomware.HydraCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.IFN643.yara create mode 100644 yara/ransomware/Win32.Ransomware.InfoDot.yara create mode 100644 yara/ransomware/Win32.Ransomware.JSWorm.yara create mode 100644 yara/ransomware/Win32.Ransomware.Jamper.yara create mode 100644 yara/ransomware/Win32.Ransomware.Jemd.yara create mode 100644 yara/ransomware/Win32.Ransomware.Jormungand.yara create mode 100644 yara/ransomware/Win32.Ransomware.JuicyLemon.yara create mode 100644 
yara/ransomware/Win32.Ransomware.Kangaroo.yara create mode 100644 yara/ransomware/Win32.Ransomware.KawaiiLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.KillDisk.yara create mode 100644 yara/ransomware/Win32.Ransomware.Knot.yara create mode 100644 yara/ransomware/Win32.Ransomware.Kovter.yara create mode 100644 yara/ransomware/Win32.Ransomware.Koxic.yara create mode 100644 yara/ransomware/Win32.Ransomware.Kraken.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ladon.yara create mode 100644 yara/ransomware/Win32.Ransomware.LeChiffre.yara create mode 100644 yara/ransomware/Win32.Ransomware.LockBit.yara create mode 100644 yara/ransomware/Win32.Ransomware.Lolkek.yara create mode 100644 yara/ransomware/Win32.Ransomware.LooCipher.yara create mode 100644 yara/ransomware/Win32.Ransomware.Lorenz.yara create mode 100644 yara/ransomware/Win32.Ransomware.MRAC.yara create mode 100644 yara/ransomware/Win32.Ransomware.MZP.yara create mode 100644 yara/ransomware/Win32.Ransomware.Mafia.yara create mode 100644 yara/ransomware/Win32.Ransomware.Magniber.yara create mode 100644 yara/ransomware/Win32.Ransomware.Major.yara create mode 100644 yara/ransomware/Win32.Ransomware.Makop.yara create mode 100644 yara/ransomware/Win32.Ransomware.Maktub.yara create mode 100644 yara/ransomware/Win32.Ransomware.Marlboro.yara create mode 100644 yara/ransomware/Win32.Ransomware.MarsJoke.yara create mode 100644 yara/ransomware/Win32.Ransomware.Matsnu.yara create mode 100644 yara/ransomware/Win32.Ransomware.MedusaLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Meow.yara create mode 100644 yara/ransomware/Win32.Ransomware.Monalisa.yara create mode 100644 yara/ransomware/Win32.Ransomware.Montserrat.yara create mode 100644 yara/ransomware/Win32.Ransomware.Motocos.yara create mode 100644 yara/ransomware/Win32.Ransomware.MountLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.NB65.yara create mode 100644 yara/ransomware/Win32.Ransomware.NanoLocker.yara 
create mode 100644 yara/ransomware/Win32.Ransomware.Nefilim.yara create mode 100644 yara/ransomware/Win32.Ransomware.Nemty.yara create mode 100644 yara/ransomware/Win32.Ransomware.Networm.yara create mode 100644 yara/ransomware/Win32.Ransomware.NotPetya.yara create mode 100644 yara/ransomware/Win32.Ransomware.Oni.yara create mode 100644 yara/ransomware/Win32.Ransomware.OphionLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ouroboros.yara create mode 100644 yara/ransomware/Win32.Ransomware.Outsider.yara create mode 100644 yara/ransomware/Win32.Ransomware.PXJ.yara create mode 100644 yara/ransomware/Win32.Ransomware.Paradise.yara create mode 100644 yara/ransomware/Win32.Ransomware.Pay2Key.yara create mode 100644 yara/ransomware/Win32.Ransomware.Petya.yara create mode 100644 yara/ransomware/Win32.Ransomware.Plague17.yara create mode 100644 yara/ransomware/Win32.Ransomware.PrincessLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Prometey.yara create mode 100644 yara/ransomware/Win32.Ransomware.RagnarLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ragnarok.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ransoc.yara create mode 100644 yara/ransomware/Win32.Ransomware.RansomPlus.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ransomexx.yara create mode 100644 yara/ransomware/Win32.Ransomware.Redeemer.yara create mode 100644 yara/ransomware/Win32.Ransomware.RegretLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.RetMyData.yara create mode 100644 yara/ransomware/Win32.Ransomware.Reveton.yara create mode 100644 yara/ransomware/Win32.Ransomware.Revil.yara create mode 100644 yara/ransomware/Win32.Ransomware.Rokku.yara create mode 100644 yara/ransomware/Win32.Ransomware.Ryuk.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sage.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sanwai.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sarbloh.yara create mode 100644 
yara/ransomware/Win32.Ransomware.Satan.yara create mode 100644 yara/ransomware/Win32.Ransomware.Satana.yara create mode 100644 yara/ransomware/Win32.Ransomware.Saturn.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sepsis.yara create mode 100644 yara/ransomware/Win32.Ransomware.Serpent.yara create mode 100644 yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara create mode 100644 yara/ransomware/Win32.Ransomware.ShadowCryptor.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sherminator.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sifrelendi.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sifreli.yara create mode 100644 yara/ransomware/Win32.Ransomware.Sigrun.yara create mode 100644 yara/ransomware/Win32.Ransomware.Skystars.yara create mode 100644 yara/ransomware/Win32.Ransomware.Spora.yara create mode 100644 yara/ransomware/Win32.Ransomware.TBLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.TargetCompany.yara create mode 100644 yara/ransomware/Win32.Ransomware.TechandStrat.yara create mode 100644 yara/ransomware/Win32.Ransomware.TeleCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Termite.yara create mode 100644 yara/ransomware/Win32.Ransomware.Teslacrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Teslarvng.yara create mode 100644 yara/ransomware/Win32.Ransomware.Thanatos.yara create mode 100644 yara/ransomware/Win32.Ransomware.TorrentLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.VHDLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.VegaLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Velso.yara create mode 100644 yara/ransomware/Win32.Ransomware.WannaCry.yara create mode 100644 yara/ransomware/Win32.Ransomware.WaspLocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.Wastedlocker.yara create mode 100644 yara/ransomware/Win32.Ransomware.WinWord64.yara create mode 100644 yara/ransomware/Win32.Ransomware.WsIR.yara create mode 
100644 yara/ransomware/Win32.Ransomware.Xorist.yara create mode 100644 yara/ransomware/Win32.Ransomware.Zeoticus.yara create mode 100644 yara/ransomware/Win32.Ransomware.Zeppelin.yara create mode 100644 yara/ransomware/Win32.Ransomware.ZeroCrypt.yara create mode 100644 yara/ransomware/Win32.Ransomware.Zhen.yara create mode 100644 yara/ransomware/Win32.Ransomware.Zoldon.yara create mode 100644 yara/ransomware/Win64.Ransomware.Ako.yara create mode 100644 yara/ransomware/Win64.Ransomware.Albabat.yara create mode 100644 yara/ransomware/Win64.Ransomware.AntiWar.yara create mode 100644 yara/ransomware/Win64.Ransomware.AwesomeScott.yara create mode 100644 yara/ransomware/Win64.Ransomware.BlackBasta.yara create mode 100644 yara/ransomware/Win64.Ransomware.Cactus.yara create mode 100644 yara/ransomware/Win64.Ransomware.Curator.yara create mode 100644 yara/ransomware/Win64.Ransomware.DST.yara create mode 100644 yara/ransomware/Win64.Ransomware.HermeticRansom.yara create mode 100644 yara/ransomware/Win64.Ransomware.HotCoffee.yara create mode 100644 yara/ransomware/Win64.Ransomware.Nokoyawa.yara create mode 100644 yara/ransomware/Win64.Ransomware.Pandora.yara create mode 100644 yara/ransomware/Win64.Ransomware.RedRoman.yara create mode 100644 yara/ransomware/Win64.Ransomware.Rook.yara create mode 100644 yara/ransomware/Win64.Ransomware.SeedLocker.yara create mode 100644 yara/ransomware/Win64.Ransomware.Seth.yara create mode 100644 yara/ransomware/Win64.Ransomware.Solaso.yara create mode 100644 yara/ransomware/Win64.Ransomware.Vovalex.yara create mode 100644 yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara create mode 100644 yara/ransomware/Win64.Ransomware.Wintenzz.yara create mode 100644 yara/trojan/Linux.Trojan.AcidRain.yara create mode 100644 yara/trojan/Linux.Trojan.BiBiWiper.yara create mode 100644 yara/trojan/Win32.Trojan.BiBiWiper.yara create mode 100644 yara/trojan/Win32.Trojan.CaddyWiper.yara create mode 100644 yara/trojan/Win32.Trojan.Dridex.yara create mode 
100644 yara/trojan/Win32.Trojan.Emotet.yara
 create mode 100644 yara/trojan/Win32.Trojan.HermeticWiper.yara
 create mode 100644 yara/trojan/Win32.Trojan.IsaacWiper.yara
 create mode 100644 yara/trojan/Win32.Trojan.TrickBot.yara
 create mode 100644 yara/virus/Linux.Virus.Vit.yara
 create mode 100644 yara/virus/Win32.Virus.Awfull.yara
 create mode 100644 yara/virus/Win32.Virus.Cmay.yara
 create mode 100644 yara/virus/Win32.Virus.DeadCode.yara
 create mode 100644 yara/virus/Win32.Virus.Elerad.yara
 create mode 100644 yara/virus/Win32.Virus.Greenp.yara
 create mode 100644 yara/virus/Win32.Virus.Mocket.yara
 create mode 100644 yara/virus/Win32.Virus.Negt.yara

diff --git a/main.py b/main.py
index f00f974..b7526e4 100644
--- a/main.py
+++ b/main.py
@@ -9,17 +9,33 @@ from watchdog.observers import Observer from watchdog.events import FileSystemEventHandler from selenium import webdriver from selenium.webdriver.chrome.service import Service as ChromeService -from selenium.webdriver.chrome.options import Options as ChromeOptions from selenium.webdriver.firefox.service import Service as FirefoxService -from selenium.webdriver.firefox.options import Options as FirefoxOptions +from selenium.webdriver.common.desired_capabilities import DesiredCapabilities +from selenium.webdriver.chrome.service import Service as ChromeService from pathlib import Path import requests import certifi import getpass import tensorflow as tf # TensorFlow for GPU monitoring import re # Regular expressions for address detection -from webdriver_manager.chrome import ChromeDriverManager -from webdriver_manager.firefox import GeckoDriverManager +import yara # YARA for malware scanning + +# YARA Rules +def load_yara_rules(): + yara_rules = [] + yara_dir = Path('yara') + if yara_dir.exists() and yara_dir.is_dir(): + for yara_file in yara_dir.rglob('*.yar'): + try: + rule = yara.compile(filepath=str(yara_file)) + yara_rules.append(rule) + except Exception as e: + print(f"Error compiling YARA rule {yara_file}: {e}") + else: + print(f"YARA rules directory not found: {yara_dir}") + return yara_rules + +yara_rules = load_yara_rules() # Regular expressions for detecting crypto addresses bitcoin_regex = re.compile(r'[13][a-km-zA-HJ-NP-Z1-9]{25,34}', re.IGNORECASE) 
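Review bot: `load_yara_rules` globs `yara_dir.rglob('*.yar')`, but every rule file this commit adds ends in `.yara` (see the `+++ b/yara/...yara` headers below), so no rule is ever compiled, `yara_rules` stays empty and every later `scan_for_malware` call returns False without scanning anything. Use `for yara_file in yara_dir.rglob('*.yar*'):`, or compile the whole set in one call with `yara.compile(filepaths={...})` so a single `Rules` object is matched per file. `Path('yara')` is also resolved against the process's working directory rather than the script location; `Path(__file__).resolve().parent / 'yara'` loads the rules regardless of where the monitor is started from, and an empty rule set deserves a louder warning than the directory-missing print. The same hunk imports `ChromeService` twice and adds an unused `DesiredCapabilities` import, and the diffstat shows no requirements change for the new hard `import yara` dependency.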
@@ -63,11 +79,10 @@ def get_folders_to_monitor(): # Common user directories user_dirs = ['Downloads', 'Documents', 'Pictures', 'Videos'] - for d in user_dirs: - user_folder = Path.home() - for folder in user_folder.iterdir(): - if folder.is_dir() and any(d.lower() in folder.name.lower() for d in user_dirs): - folders.append(str(folder)) + user_folder = Path.home() + for folder in user_folder.iterdir(): + if folder.is_dir() and any(d.lower() in folder.name.lower() for d in user_dirs): + folders.append(str(folder)) # System directories if os.name == 'nt': # Windows @@ -98,18 +113,20 @@ class SuspiciousFileHandler(FileSystemEventHandler): def on_any_event(self, event): if event.event_type in ['created', 'modified', 'deleted']: file_owner = get_file_owner(event.src_path) - current_user = getpass.getuser() # Get current user + current_user = get_current_user() if file_owner.lower() not in [current_user.lower(), "trustedinstaller"]: print(f"Suspicious file operation: {event.event_type} {event.src_path} by {file_owner}") def get_file_owner(file_path): try: - if os.name == 'nt': # Windows + # On Windows, use the current user’s name + if os.name == 'nt': sd = win32security.GetFileSecurity(file_path, win32security.OWNER_SECURITY_INFORMATION) owner_sid = sd.GetSecurityDescriptorOwner() owner, _ = win32security.LookupAccountSid(None, owner_sid) return owner - else: # Unix-like systems + else: + # On Unix-like systems, use the owner of the file import pwd file_stat = os.stat(file_path) return pwd.getpwuid(file_stat.st_uid).pw_name @@ -117,6 +134,9 @@ def get_file_owner(file_path): print(f"Error getting file owner: {e}") return "Unknown" +def get_current_user(): + return getpass.getuser() + def start_file_system_monitor(): observer = Observer() event_handler = SuspiciousFileHandler() 
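Review bot: The comment added above the Windows branch of `get_file_owner`, `# On Windows, use the current user's name`, describes the wrong thing: the code under it resolves the file's owner SID via `GetFileSecurity`/`LookupAccountSid`, and the current user is what `get_current_user()` supplies in the caller. Replace it with `# On Windows, resolve the owner from the file's security descriptor`. Note also that for `deleted` events the path no longer exists, so both branches fall into the `except` (shown in the next hunk) and return "Unknown", which `on_any_event` then reports as a suspicious operation; that predates this commit, but the new wrapper is a good moment to skip the owner lookup for deletions. The body of `get_file_owner` continues past this hunk.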
@@ -130,6 +150,15 @@ def start_file_system_monitor(): observer.stop() observer.join() +def scan_for_malware(file_path): + if yara_rules: + for rule in yara_rules: + matches = rule.match(filepath=file_path) + if matches: + print(f"Malware detected in file: {file_path}") + return True + return False + # Detect Excessive CPU Workloads def monitor_cpu_gpu_usage(): while True: @@ -171,12 +200,20 @@ def kill_suspicious_processes(): proc.terminate() proc.wait() + # Check for crypto addresses in command line arguments if (bitcoin_regex.search(cmdline) or ethereum_regex.search(cmdline) or monero_regex.search(cmdline)) and proc_name not in bypassed_processes: print(f"Terminating process with crypto address: {proc.info['name']} (PID: {proc.info['pid']})") proc.terminate() proc.wait() + + # Scan files for malware + for file_path in proc.info.get('cmdline', []): + if os.path.isfile(file_path): + if scan_for_malware(file_path): + proc.terminate() + proc.wait() except (psutil.NoSuchProcess, psutil.AccessDenied) as e: print(f"Error terminating process: {e}") @@ -190,10 +227,11 @@ def monitor_registry_changes(): for i in range(winreg.QueryInfoKey(registry_key)[1]): # Number of subkeys subkey_name = winreg.EnumKey(registry_key, i) print(f"Registry subkey detected: {subkey_name}") - + time.sleep(10) except WindowsError as e: print(f"Registry monitoring error: {e}") + finally: winreg.CloseKey(registry_key) 
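Review bot: `scan_for_malware` calls `rule.match(filepath=file_path)` with no error handling, and `yara.Error` (unreadable file, scan timeout, oversized file) is not a `psutil` exception, so in the caller's `except (psutil.NoSuchProcess, psutil.AccessDenied)` it propagates and ends `kill_suspicious_processes`. Wrap the call: `try: matches = rule.match(filepath=file_path)` / `except yara.Error as e: print(f"YARA scan failed for {file_path}: {e}"); continue`. The detection message should also name what matched, e.g. `print(f"Malware detected in {file_path}: {[m.rule for m in matches]}")`, since that is the only signal an operator gets before the process is killed; passing `timeout=` to `match` would keep a large file from stalling the monitor.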
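Review bot: The new YARA branch in `kill_suspicious_processes` terminates a process without consulting `bypassed_processes`, unlike the two termination branches above it, and prints nothing before doing so, so a whitelisted process that merely has a matching file on its command line (a scanner, an editor, an archiver opened on a sample) is killed silently. `proc.info.get('cmdline', [])` can also yield `None` when psutil could not read the command line, which makes the `for` raise `TypeError`, outside the `psutil` exceptions caught below. If this function runs on a loop like the other monitors, rescanning every file named on every process's command line each pass is a lot of disk I/O; caching results by path and mtime would bound it. The function's start and the `cmdline`/`proc_name` assignments lie outside this hunk; the rewrite below also stops scanning once the process has been terminated.
```python
# … unchanged: CPU and crypto-address checks …
# Scan files named on the command line with the loaded YARA rules
if proc_name not in bypassed_processes:
    for file_path in (proc.info.get('cmdline') or []):
        if os.path.isfile(file_path) and scan_for_malware(file_path):
            print(f"Terminating process with YARA match: {proc.info['name']} (PID: {proc.info['pid']})")
            proc.terminate()
            proc.wait()
            break
```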
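Review bot: The added `finally: winreg.CloseKey(registry_key)` runs even when the exception was raised before `registry_key` was assigned; if `winreg.OpenKey` sits inside the same `try` (its start lies above this hunk), an open failure now becomes an `UnboundLocalError` from the `finally` block instead of the logged `WindowsError`. Open the key before the `try`, or initialise `registry_key = None` and guard the close with `if registry_key is not None:`. The `time.sleep(10)` added after the `print` appears to sit inside the `for` loop (its indentation is not recoverable here); if so, each pass pauses ten seconds per subkey rather than once per listing, and a sleep after the loop is probably what was intended.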
@@ -206,27 +244,12 @@ def verify_tls_cert(url): print(f"TLS certificate error for {url}: {e}") def monitor_tls_certificates(): + urls = monitored_urls while True: - for url in monitored_urls: + for url in urls: verify_tls_cert(url) time.sleep(3600) # Check every hour -# Browser WebDriver Setup Functions -def setup_chrome_driver(): - chrome_options = ChromeOptions() - chrome_options.add_argument('--enable-logging') - chrome_options.add_argument('--v=1') - service = ChromeService(ChromeDriverManager().install()) - driver = webdriver.Chrome(service=service, options=chrome_options) - return driver - -def setup_firefox_driver(): - firefox_options = FirefoxOptions() - firefox_options.log.level = "TRACE" - service = FirefoxService(GeckoDriverManager().install()) - driver = webdriver.Firefox(service=service, options=firefox_options) - return driver - # Detecting Suspicious Browser Activity def monitor_browser(browser='chrome'): if browser == 'chrome': 
@@ -236,29 +259,35 @@ def monitor_browser(browser='chrome'): else: raise ValueError("Unsupported browser!") - try: - while True: - logs = [] - if browser == 'chrome': - logs = driver.get_log('browser') - elif browser == 'firefox': - logs = driver.get_log('browser') + while True: + logs = driver.get_log('performance') + for entry in logs: + for url in monitored_urls: + if url in entry['message']: + print(f'Alert: Potential cookie or token theft attempt detected on {url}!') - for entry in logs: - for url in monitored_urls: - if url in entry['message']: - print(f'Alert: Potential cookie or token theft attempt detected on {url}!') - # Kill process involved in suspicious browser activity - for proc in psutil.process_iter(['pid', 'name', 'connections']): - if any(url in conn.raddr for conn in proc.info['connections']): - if proc.info['name'].lower() not in bypassed_processes: - print(f'Alert: Killing suspicious process {proc.info["name"]} (PID: {proc.info["pid"]})') - proc.terminate() - proc.wait() - except Exception as e: - print(f"Error in browser monitoring: {e}") - finally: - driver.quit() + # Kill process involved in suspicious browser activity + for proc in psutil.process_iter(['pid', 'name', 'connections']): + if any(url in conn.raddr for conn in proc.info['connections']): + if proc.info['name'].lower() not in bypassed_processes: + print(f'Alert: Killing suspicious process {proc.info["name"]} (PID: {proc.info["pid"]})') + proc.terminate() + proc.wait() + time.sleep(1) + driver.quit() + +# Setup Chrome and Firefox Drivers +def setup_chrome_driver(): + options = webdriver.ChromeOptions() + options.add_argument("--headless") # Run in headless mode + service = ChromeService() + return webdriver.Chrome(service=service, options=options) + +def setup_firefox_driver(): + options = webdriver.FirefoxOptions() + options.add_argument("--headless") # Run in headless mode + service = FirefoxService() + return webdriver.Firefox(service=service, options=options) # Start 
Monitoring in Threads threads = [ diff --git a/yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara b/yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara new file mode 100644 index 0000000..bf9d392 --- /dev/null +++ b/yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara 
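Review bot: The rewrite of `monitor_browser` drops the `try`/`finally`, so the `driver.quit()` after `while True:` is unreachable and any exception from `get_log` or `psutil` leaves the browser process running and ends the monitor thread without a log line. Restore the `try`/`except`/`finally` around the loop as sketched below. `driver.get_log('performance')` also requires performance logging to be enabled on the driver (Chrome's `goog:loggingPrefs`), which the new `setup_chrome_driver` does not set, and geckodriver does not implement `get_log`, so the Firefox path will likely raise on its first iteration — worth verifying. `url in conn.raddr` compares a URL string against an `(ip, port)` tuple, so a `https://…` entry never matches and the kill branch cannot fire; resolve the monitored hosts to addresses before comparing, or drop the branch, since killing every process connected to a monitored site is a risky response.
```python
def monitor_browser(browser='chrome'):
    # … unchanged: driver selection …
    try:
        while True:
            # … unchanged: performance-log scan and process kill …
            time.sleep(1)
    except Exception as e:
        print(f"Error in browser monitoring: {e}")
    finally:
        driver.quit()
```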
@@ -0,0 +1,128 @@ +rule ByteCode_MSIL_Backdoor_AgentRacoon: tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AGENTRACOON" + description = "Yara rule that detects AgentRacoon backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "AgentRacoon" + tc_detection_factor = 5 + + strings: + + $unpack_response_p1 = { + 17 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 03 18 91 9C 11 ?? 73 ?? ?? ?? ?? 0A 06 16 6F ?? ?? + ?? ?? 2D ?? 73 ?? ?? ?? ?? 7A 17 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 03 19 91 9C 11 ?? 73 + ?? ?? ?? ?? 0A 06 1A 6F ?? ?? ?? ?? 2C ?? 06 1B 6F ?? ?? ?? ?? 2C ?? 06 1C 6F ?? ?? + ?? ?? 2C ?? 06 1D 6F ?? ?? ?? ?? 2C ?? 73 ?? ?? ?? ?? 7A 1F ?? 0B 2B ?? 07 17 58 0B + 03 07 91 2D ?? 07 17 58 0B 03 8E 69 07 59 0C 08 8D ?? ?? ?? ?? 0D 03 07 09 16 08 28 + ?? ?? ?? ?? 1A 13 ?? 2B ?? 11 ?? 17 58 13 ?? 09 11 ?? 91 2D ?? 11 ?? 17 58 13 ?? 09 + 8E 69 11 ?? 59 0C 08 8D ?? ?? ?? ?? 13 ?? 09 11 ?? 11 ?? 16 08 28 ?? ?? ?? ?? 02 12 + ?? FE 15 ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? + 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? + ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? + ?? 12 ?? 07 1F ?? 59 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? + ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 11 ?? 1A 59 8D ?? ?? ?? ?? 7D ?? + ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? + ?? 12 ?? 1A 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 12 ?? 18 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 11 + ?? 7D ?? ?? ?? ?? 03 16 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 03 18 + } + + $unpack_response_p2 = { + 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 03 1A 02 7C ?? ?? ?? ?? 7B ?? + ?? ?? ?? 16 18 28 ?? ?? ?? ?? 03 1C 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? + ?? ?? 03 1E 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 
16 18 28 ?? ?? ?? ?? 03 1F ?? 02 7C ?? + ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 03 1F ?? 02 7C ?? ?? ?? ?? 7B ?? ?? ?? + ?? 16 07 1F ?? 59 28 ?? ?? ?? ?? 09 16 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? + ?? ?? ?? 09 18 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 09 1A 02 7C ?? + ?? ?? ?? 7B ?? ?? ?? ?? 16 11 ?? 1A 59 28 ?? ?? ?? ?? 11 ?? 16 02 7C ?? ?? ?? ?? 7B + ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 11 ?? 18 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 + ?? ?? ?? ?? 11 ?? 1A 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 1A 28 ?? ?? ?? ?? 11 ?? 1E + 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 18 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 02 7C ?? + ?? ?? ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 1F ?? 91 13 ?? 02 7C ?? ?? ?? ?? 11 ?? + 8D ?? ?? ?? ?? 7D ?? ?? ?? ?? 11 ?? 1F ?? 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 16 11 ?? + 28 ?? ?? ?? ?? 2A + } + + $upload = { + 28 ?? ?? ?? ?? 0A 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 2D ?? DD ?? ?? ?? ?? 16 0B 38 ?? + ?? ?? ?? 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 0C 06 02 7C ?? ?? ?? ?? + 7B ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 28 ?? ?? ?? ?? 02 7C ?? ?? ?? ?? + 7B ?? ?? ?? ?? 1B 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 72 ?? ?? ?? ?? A2 11 ?? 17 02 7C ?? + ?? ?? ?? 7B ?? ?? ?? ?? 07 6F ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? ?? 06 + A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7C ?? ?? ?? ?? + 7B ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 07 + 14 6F ?? ?? ?? ?? 07 17 58 0B 07 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 3F + ?? ?? ?? ?? 02 7C ?? ?? ?? ?? 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7C ?? ?? ?? ?? 73 ?? + ?? ?? ?? 7D ?? ?? ?? ?? DE 23 0D 02 7C ?? ?? ?? ?? 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 09 + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 2A + } + + $perform_request = { + 05 6F ?? ?? ?? ?? 0A 06 04 3D ?? ?? ?? ?? 06 04 19 5B 18 5A 3F ?? ?? ?? ?? 05 16 06 + 19 5B 6F ?? ?? ?? ?? 0B 05 06 19 5B 06 19 5B 6F ?? ?? ?? ?? 0C 05 06 19 5B 18 5A 6F + ?? ?? ?? ?? 0D 02 07 28 ?? 
?? ?? ?? 0B 02 08 28 ?? ?? ?? ?? 0C 02 09 28 ?? ?? ?? ?? + 0D 1F ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 03 A2 11 ?? 17 72 ?? ?? ?? ?? A2 11 ?? 18 07 + A2 11 ?? 19 72 ?? ?? ?? ?? A2 11 ?? 1A 08 A2 11 ?? 1B 72 ?? ?? ?? ?? A2 11 ?? 1C 09 + A2 11 ?? 1D 72 ?? ?? ?? ?? A2 11 ?? 1E 02 28 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? + ?? A2 11 ?? 1F ?? 02 7B ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 10 ?? 38 ?? ?? ?? ?? 06 + 04 19 5B 18 5A 3D ?? ?? ?? ?? 06 04 19 5B 3F ?? ?? ?? ?? 05 16 06 18 5B 6F ?? ?? ?? + ?? 13 ?? 05 06 18 5B 6F ?? ?? ?? ?? 13 ?? 02 11 ?? 28 ?? ?? ?? ?? 13 ?? 02 11 ?? 28 + ?? ?? ?? ?? 13 ?? 1F ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 03 A2 11 ?? 17 72 ?? ?? ?? ?? + A2 11 ?? 18 11 ?? A2 11 ?? 19 72 ?? ?? ?? ?? A2 11 ?? 1A 11 ?? A2 11 ?? 1B 72 ?? ?? + ?? ?? A2 11 ?? 1C 02 28 ?? ?? ?? ?? A2 11 ?? 1D 72 ?? ?? ?? ?? A2 11 ?? 1E 02 7B ?? + ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 10 ?? 2B ?? 02 05 28 ?? ?? ?? ?? 13 ?? 1D 8D ?? ?? + ?? ?? 13 ?? 11 ?? 16 03 A2 11 ?? 17 72 ?? ?? ?? ?? A2 11 ?? 18 11 ?? A2 11 ?? 19 72 + ?? ?? ?? ?? A2 11 ?? 1A 02 28 ?? ?? ?? ?? A2 11 ?? 1B 72 ?? ?? ?? ?? A2 11 ?? 1C 02 + 7B ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 10 ?? 05 2A + } + + $get_txt_record = { + 14 0A 03 73 ?? ?? ?? ?? 0B 07 6F ?? ?? ?? ?? 0C 7E ?? ?? ?? ?? 1F ?? 73 ?? ?? ?? ?? + 0D 09 08 08 8E 69 6F ?? ?? ?? ?? 26 09 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 09 12 ?? 6F ?? ?? ?? ?? 13 ?? 09 6F ?? ?? ?? ?? 07 11 ?? 6F ?? ?? ?? ?? 07 6F ?? ?? + ?? ?? 13 ?? 28 ?? ?? ?? ?? 12 ?? 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? DE ?? 26 72 ?? + ?? ?? ?? 13 ?? DE ?? 11 ?? 2A + } + + $main_loop = { + 73 ?? ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 80 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 18 16 16 6F ?? ?? ?? ?? 0A 06 28 + ?? ?? ?? ?? 2D ?? 2A 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 2A 7E ?? ?? + ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 07 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 12 ?? 7B ?? ?? ?? ?? 0D 12 ?? 
7B + ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 7E ?? ?? ?? ?? 19 11 ?? 11 ?? + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 14 80 ?? ?? ?? ?? 2A 11 ?? 7E ?? ?? ?? ?? 28 ?? + ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? + ?? ?? 11 ?? 17 58 13 ?? 11 ?? 09 32 ?? 7E ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 0B 73 ?? + ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 6F ?? ?? ?? + ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 7E ?? ?? ?? ?? 07 + 17 6F ?? ?? ?? ?? 13 ?? 11 ?? 7E ?? ?? ?? ?? 1A 16 16 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? + 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DD ?? ?? ?? ?? 26 DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($unpack_response_p*) + ) and + ( + $upload + ) and + ( + $perform_request + ) and + ( + $get_txt_record + ) and + ( + $main_loop + ) +} \ No newline at end of file diff --git a/yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara b/yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara new file mode 100644 index 0000000..7d9e195 --- /dev/null +++ b/yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara 
@@ -0,0 +1,149 @@ +rule ByteCode_MSIL_Backdoor_AsyncRAT : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ASYNCRAT" + description = "Yara rule that detects AsyncRAT backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "AsyncRAT" + tc_detection_factor = 5 + + strings: + + $read_server_data_v1 = { + 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 39 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 16 28 ?? + ?? ?? ?? DD ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 0A 06 16 3E ?? ?? ?? ?? 28 + ?? ?? ?? ?? 06 6A 58 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 06 6A 59 28 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 3A ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 6A 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 16 6A 3E ?? ?? ?? ?? 16 6A 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? D4 8D ?? ?? ?? ?? 28 ?? + ?? ?? ?? 38 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 69 28 ?? ?? ?? + ?? 69 6F ?? ?? ?? ?? 0B 07 16 3D ?? ?? ?? ?? 16 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 28 ?? + ?? ?? ?? 07 6A 58 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 07 6A 59 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 16 6A 3C ?? ?? ?? ?? 16 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 6A 30 ?? + 14 (FE | 06) ?? ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 16 6A 28 ?? ?? ?? ?? 1A 6A 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? D4 8D ?? ?? ?? ?? 28 ?? + ?? ?? ?? 38 ?? ?? ?? ?? 1A 6A 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? D4 8D ?? ?? ?? ?? 28 ?? + ?? ?? ?? 16 6A 28 ?? ?? ?? ?? 38 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 6A 3C ?? ?? ?? ?? 16 + 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 69 28 ?? + ?? ?? ?? 69 14 (FE | 06) ?? ?? ?? ?? ?? 73 ?? ?? ?? ?? 14 6F ?? ?? ?? ?? 26 38 ?? ?? + ?? ?? 16 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 26 16 28 ?? ?? ?? ?? DD + } + + $send_v1 = { + 28 ?? ?? ?? ?? 0A 16 0B 06 12 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DD ?? + ?? ?? ?? 02 8E 69 28 ?? ?? ?? ?? 0C 28 ?? ?? ?? ?? 15 17 6F ?? ?? ?? ?? 26 28 ?? ?? + ?? ?? 
08 16 08 8E 69 6F ?? ?? ?? ?? 02 8E 69 20 ?? ?? ?? ?? 3E ?? ?? ?? ?? 02 73 ?? + ?? ?? ?? 0D 16 13 ?? 09 16 6A 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 38 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 15 17 6F ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 11 ?? 16 11 ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 25 + 13 ?? 16 30 ?? DD ?? ?? ?? ?? 09 39 ?? ?? ?? ?? 09 6F ?? ?? ?? ?? DC 28 ?? ?? ?? ?? + 15 17 6F ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? DD ?? ?? ?? ?? 26 16 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 07 39 ?? ?? ?? ?? + 06 28 ?? ?? ?? ?? DC + } + + $read_packet_v1_p1 = { + 73 ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 02 74 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B + 07 28 ?? ?? ?? ?? 0C 08 20 4F 01 89 64 42 ?? ?? ?? ?? 08 20 7A 39 BA 13 42 ?? ?? ?? + ?? 08 20 D4 CA CD 0C 3B ?? ?? ?? ?? 08 20 7A 39 BA 13 3B ?? ?? ?? ?? 38 ?? ?? ?? ?? + 08 20 2B C2 32 1B 3B ?? ?? ?? ?? 08 20 E2 A2 F4 57 3B ?? ?? ?? ?? 08 20 4F 01 89 64 + 3B ?? ?? ?? ?? 38 ?? ?? ?? ?? 08 20 5A 15 79 D9 42 ?? ?? ?? ?? 08 20 B7 16 DB 7A 3B + ?? ?? ?? ?? 08 20 39 20 3F B2 3B ?? ?? ?? ?? 08 20 5A 15 79 D9 3B ?? ?? ?? ?? 38 ?? + ?? ?? ?? 08 20 1E CA D2 DC 3B ?? ?? ?? ?? 08 20 45 FD B6 E0 3B ?? ?? ?? ?? 08 20 D0 + 5E 9B FA 3B ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? + ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? + ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? + ?? 38 ?? ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? 
?? ?? 38 ?? ?? ?? ?? 07 + } + + $read_packet_v1_p2 = { + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 73 ?? + ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6A 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? + 16 28 ?? ?? ?? ?? 38 ?? ?? ?? ?? 00 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 7E ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 6F ?? + ?? ?? ?? 73 ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 38 ?? ?? ?? ?? 06 7B ?? + ?? ?? ?? 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? DD ?? ?? ?? ?? + 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 72 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 7E ?? ?? ?? ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 0D 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 11 ?? + 6F ?? ?? ?? ?? 26 12 ?? 28 ?? ?? ?? ?? 2D ?? DD ?? ?? ?? ?? 12 ?? (FE | 16) ?? ?? ?? + ?? ?? 6F ?? ?? ?? ?? DC 73 ?? ?? ?? ?? 26 06 (FE | 06) ?? ?? ?? ?? ?? 73 ?? ?? ?? ?? + 73 ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 38 ?? ?? ?? ?? + 7E ?? ?? ?? ?? 25 3A ?? ?? ?? ?? 26 7E ?? ?? ?? ?? (FE | 06) ?? ?? ?? ?? ?? 73 + } + + $send_v2 = { + 7E ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 16 13 ?? 11 ?? 12 ?? 28 ?? ?? ?? ?? 7E ?? + ?? ?? ?? 39 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 8E + B7 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 06 08 16 08 8E B7 + 6F ?? ?? ?? ?? 06 07 16 07 8E B7 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 15 17 6F ?? ?? ?? ?? + 26 7E ?? ?? ?? ?? 06 6F ?? ?? ?? 
?? 16 06 6F ?? ?? ?? ?? B7 16 14 (FE | 06) ?? ?? ?? + ?? ?? 73 ?? ?? ?? ?? 14 6F ?? ?? ?? ?? 26 DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC DE ?? + 25 28 ?? ?? ?? ?? 0D 16 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? DE ?? 11 ?? 2C ?? 11 ?? + 28 ?? ?? ?? ?? DC + } + + $open_url_v2 = { + 03 39 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 20 00 0C 00 00 28 ?? ?? ?? ?? 20 0F 27 00 00 28 + ?? ?? ?? ?? DE ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 02 28 ?? ?? ?? ?? 74 ?? ?? ?? + ?? 0A 06 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 7E ?? ?? ?? ?? 8E B7 6F ?? ?? ?? ?? 9A 6F ?? + ?? ?? ?? 06 17 6F ?? ?? ?? ?? 06 20 10 27 00 00 6F ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 0B DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC + 2B ?? 02 28 ?? ?? ?? ?? 26 + } + + $monitoring_v2 = { + 73 ?? ?? ?? ?? 0C 02 72 ?? ?? ?? ?? 15 16 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? + 11 ?? 9A 0B 08 07 14 72 ?? ?? ?? ?? 16 8D ?? ?? ?? ?? 14 14 14 28 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 17 D6 13 ?? 11 ?? 11 ?? 8E B7 32 ?? 1F ?? 0A 38 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 0D 09 6F ?? ?? ?? ?? 28 ?? + ?? ?? ?? 2C ?? 2B ?? 08 09 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 (FE | 07) ?? ?? ?? ?? ?? + 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 06 1F ?? 31 ?? 16 0A 72 ?? ?? ?? ?? 09 6F ?? ?? + ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 17 D6 13 ?? + 11 ?? 11 ?? 8E B7 32 ?? 06 17 D6 0A 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 3A + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + $read_server_data_v1 + ) and + ( + $send_v1 + ) and + ( + all of ($read_packet_v1_p*) + ) + ) or + ( + ( + $send_v2 + ) and + ( + $open_url_v2 + ) and + ( + $monitoring_v2 + ) + ) + ) +} \ No newline at end of file diff --git a/yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara b/yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara new file mode 100644 index 0000000..a0479ca --- /dev/null +++ b/yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara 
@@ -0,0 +1,91 @@ +rule ByteCode_MSIL_Backdoor_LimeRAT : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LIMERAT" + description = "Yara rule that detects LimeRAT backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "LimeRAT" + tc_detection_factor = 5 + + strings: + + $persistence_mechanism = { + 02 2C ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 16 16 15 28 ?? ?? ?? ?? 26 2B ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 28 ?? ?? + ?? ?? 28 ?? ?? ?? ?? DE + } + + $crypto_miner = { + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 8E 69 16 31 ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 0B 07 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 08 6F ?? ?? ?? ?? 0D 2B ?? 09 6F ?? ?? + ?? ?? 74 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 0A DE ?? 09 6F ?? ?? ?? ?? 2D ?? DE ?? 09 2C ?? 09 + 6F ?? ?? ?? ?? DC DE ?? 25 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? DE ?? 28 ?? ?? ?? ?? + 0A DE ?? 25 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? DE ?? 06 + } + + $downloader = { + 73 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 7E + ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 2C ?? 7E ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 2C ?? 06 7E ?? ?? ?? ?? 07 6F ?? + ?? ?? ?? 07 28 ?? ?? ?? ?? 26 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2B ?? + 06 7E ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 26 00 06 6F ?? ?? ?? ?? 14 0A + DE ?? 25 28 ?? ?? ?? ?? 0C 28 ?? ?? ?? ?? DE ?? DE ?? 25 28 ?? ?? ?? ?? 0D 28 ?? ?? + ?? ?? DE + } + + $network_communication_p1 = { + 16 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 0B 28 ?? ?? + ?? ?? DE ?? 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 0C 28 ?? ?? ?? + ?? 
DE ?? 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 0D 28 ?? ?? ?? ?? + DE ?? 00 73 ?? ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 7E ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 15 6F ?? ?? ?? ?? 7E ?? + ?? ?? ?? 15 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 73 ?? + ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 14 72 ?? ?? ?? ?? 17 8D ?? ?? ?? ?? + 25 16 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 14 14 14 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? + ?? ?? ?? 15 16 28 ?? ?? ?? ?? 13 ?? 11 ?? 16 9A 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 26 11 + ?? 73 ?? ?? ?? ?? 17 11 ?? 8E 69 6F ?? ?? ?? ?? 9A 28 ?? ?? ?? ?? 80 ?? ?? ?? ?? 11 + ?? 6F ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? DE ?? DE ?? 11 ?? 2C + ?? 11 ?? 6F ?? ?? ?? ?? DC 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? + ?? 17 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 80 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 16 72 ?? + ?? ?? ?? A2 25 17 7E ?? ?? ?? ?? A2 25 18 28 ?? ?? ?? ?? A2 25 19 7E ?? ?? ?? ?? A2 + } + + $network_communication_p2 = { + 25 1A 28 ?? ?? ?? ?? A2 25 1B 7E ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? A2 25 1D 7E ?? + ?? ?? ?? A2 25 1E 28 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? + ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? + A2 25 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? ?? A2 + 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 + 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? 8C ?? ?? + ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? + ?? A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? + A2 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1F ?? 7E ?? ?? ?? ?? A2 25 1F ?? 7E ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 7E ?? ?? ?? ?? 2C ?? 7E ?? ?? ?? ?? 2B ?? 
7E + } + + condition: + uint16(0) == 0x5A4D and + ( + $persistence_mechanism + ) and + ( + $crypto_miner + ) and + ( + $downloader + ) and + ( + all of ($network_communication_p*) + ) +} \ No newline at end of file diff --git a/yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara b/yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara new file mode 100644 index 0000000..00642b5 --- /dev/null +++ b/yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara 
@@ -0,0 +1,169 @@ +rule ByteCode_MSIL_Backdoor_Menorah : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MENORAH" + description = "Yara rule that detects Menorah backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Menorah" + tc_detection_factor = 5 + + strings: + + $send_fingerprint_to_c2_p1 = { + 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A + 73 ?? ?? ?? ?? 19 1F 0E 6F ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 1F 5B 13 ?? 12 ?? 28 ?? ?? + ?? ?? 1F 40 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F 40 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F 5D 13 ?? + 12 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 1B 8D ?? ?? ?? ?? 25 16 1F 5B 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 17 1F 40 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 06 A2 25 19 1F 40 13 ?? + 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 5D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 0C 72 ?? ?? ?? ?? 0D 1F 3F 13 ?? 12 + ?? 28 ?? ?? ?? ?? 17 16 28 ?? ?? ?? ?? 1F 3D 13 ?? 12 ?? 28 ?? ?? ?? ?? 17 16 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 03 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? + 13 ?? 11 ?? 1F 50 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F 4F 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F 53 + 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F 54 13 ?? 12 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? + ?? ?? 11 ?? 1F 21 8D ?? ?? ?? ?? 25 16 1F 61 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F + 70 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 1F 70 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F + 6C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F + 63 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F 61 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1D 1F + 74 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 09 + } + + $send_fingerprint_to_c2_p2 = { + 1F 6F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0A 1F 6E 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 + 1F 0B 1F 2F 13 ?? 12 ?? 28 ?? ?? ?? ?? 
A2 25 1F 0C 1F 78 13 ?? 12 ?? 28 ?? ?? ?? ?? + A2 25 1F 0D 1F 2D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0E 1F 77 13 ?? 12 ?? 28 ?? ?? + ?? ?? A2 25 1F 0F 1F 77 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 10 1F 77 13 ?? 12 ?? 28 + ?? ?? ?? ?? A2 25 1F 11 1F 2D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 12 1F 66 13 ?? 12 + ?? 28 ?? ?? ?? ?? A2 25 1F 13 1F 6F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 14 1F 72 13 + ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 15 1F 6D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 16 1F + 2D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 17 1F 75 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F + 18 1F 72 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 19 1F 6C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1F 1A 1F 65 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 1B 1F 6E 13 ?? 12 ?? 28 ?? ?? ?? + ?? A2 25 1F 1C 1F 63 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 1D 1F 6F 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 1F 1E 1F 64 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 1F 1F 65 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1F 20 1F 64 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 11 ?? 08 8E 69 6A 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 25 08 16 08 8E 69 6F + ?? ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 + 6F ?? ?? ?? ?? 0D 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 13 ?? DE ?? 26 7E ?? ?? ?? ?? 13 + ?? DE ?? 11 + } + + $get_files_and_directories_p1 = { + 11 ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 8E 69 17 31 ?? + 11 ?? 17 9A 13 ?? 11 ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 1F 0F 8D + ?? ?? ?? ?? 25 16 1F 44 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F 69 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 18 1F 72 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F 65 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 1A 1F 63 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F 74 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 1C 1F 6F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1D 1F 72 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 1E 1F 79 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 09 1F 20 13 ?? 12 ?? 28 + ?? ?? ?? ?? A2 25 1F 0A 1F 6F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0B 1F 66 13 ?? 12 + ?? 
28 ?? ?? ?? ?? A2 25 1F 0C 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0D 11 ?? A2 + 25 1F 0E 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 + ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 73 ?? ?? ?? ?? + 13 ?? 1F 0B 8D ?? ?? ?? ?? 25 16 11 ?? A2 25 17 11 ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 1F + 16 8D ?? ?? ?? ?? 25 16 1F 4D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F 4D 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 18 1F 2F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F 64 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1A 1F 64 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F 2F 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1C 1F 79 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1D 1F 79 13 ?? 12 + } + + $get_files_and_directories_p2 = { + 28 ?? ?? ?? ?? A2 25 1E 1F 79 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F 79 13 ?? 12 + ?? 28 ?? ?? ?? ?? A2 25 1F 0A 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0B 1F 68 13 + ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0C 1F 68 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0D 1F + 3A 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0E 1F 6D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F + 0F 1F 6D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 10 1F 3A 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1F 11 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 12 1F 73 13 ?? 12 ?? 28 ?? ?? ?? + ?? A2 25 1F 13 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 14 1F 74 13 ?? 12 ?? 28 ?? + ?? ?? ?? A2 25 1F 15 1F 74 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 1F 3C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 44 + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F 49 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F 52 + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1D 1F 3E 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 72 ?? + ?? ?? ?? A2 25 1F 09 11 ?? 6F ?? ?? ?? ?? A2 25 1F 0A 72 ?? ?? ?? ?? A2 28 ?? ?? ?? + ?? 13 ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 11 ?? 13 ?? 16 13 ?? 38 + ?? ?? ?? ?? 11 ?? 11 ?? 9A 73 ?? ?? ?? ?? 13 ?? 1F 0C 8D ?? ?? ?? ?? 25 16 11 ?? A2 + 25 17 11 ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 1F 16 8D ?? ?? ?? ?? 
25 16 1F 4D 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 17 1F 4D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 1F 2F 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 19 1F 64 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 64 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1B 1F 2F 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F 79 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1D 1F 79 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 1F 79 13 ?? 12 ?? + 28 ?? ?? ?? ?? A2 25 1F 09 1F 79 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0A 1F 20 13 + } + + $get_files_and_directories_p3 = { + 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0B 1F 68 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0C 1F 68 + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0D 1F 3A 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0E + 1F 6D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0F 1F 6D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 + 1F 10 1F 3A 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 11 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? + A2 25 1F 12 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 13 1F 20 13 ?? 12 ?? 28 ?? ?? + ?? ?? A2 25 1F 14 1F 74 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 15 1F 74 13 ?? 12 ?? 28 + ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 1F 46 + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 49 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F 4C + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F 45 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1D 72 ?? + ?? ?? ?? A2 25 1E 11 ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 09 72 ?? + ?? ?? ?? A2 25 1F 0A 11 ?? 6F ?? ?? ?? ?? A2 25 1F 0B 72 ?? ?? ?? ?? A2 28 ?? ?? ?? + ?? 13 ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 1F 0B 8D ?? ?? ?? ?? 25 + 16 11 ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 11 ?? 8E 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 19 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 44 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1B 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F 72 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1D 1F 28 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1F 09 1F 29 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0A 72 ?? ?? ?? ?? A2 28 ?? ?? ?? + ?? 13 ?? 1F 0B 8D ?? ?? ?? ?? 25 16 11 ?? 
A2 25 17 72 ?? ?? ?? ?? A2 25 18 11 ?? 8E + 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F + } + + $upload_file_to_c2_p1 = { + 11 ?? 28 ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 8E 69 17 3E ?? ?? ?? ?? 11 ?? + 17 9A 17 8D ?? ?? ?? ?? 25 16 1F 22 9D 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 39 + ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 02 28 ?? ?? ?? ?? + 13 ?? 1F 0D 8D ?? ?? ?? ?? 25 16 1F 75 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F 40 13 + ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 11 ?? A2 25 19 1F 40 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 + 25 1A 28 ?? ?? ?? ?? A2 25 1B 1F 7C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 28 ?? ?? ?? + ?? A2 25 1D 1F 40 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 11 ?? A2 25 1F 09 1F 40 13 ?? + 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0A 1F 32 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0B 1F 40 + 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0C 11 ?? 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 13 ?? + 02 02 7B ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 26 1F 1E 8D ?? ?? ?? ?? 25 16 1F 66 13 ?? + 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 1F 6C 13 ?? + 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F 65 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F 5B 13 ?? + 12 ?? 28 ?? ?? ?? ?? A2 25 1B 11 ?? A2 25 1C 1F 5D 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 + 1D 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1E 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 + 1F 09 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0A 1F 20 13 ?? 12 ?? 28 + } + + $upload_file_to_c2_p2 = { + A2 25 1F 0B 1F 75 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0C 1F 70 13 ?? 12 ?? 28 ?? ?? + ?? ?? A2 25 1F 0D 1F 6C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 0E 1F 6F 13 ?? 12 ?? 28 + ?? ?? ?? ?? A2 25 1F 0F 1F 61 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 10 1F 64 13 ?? 12 + ?? 28 ?? ?? ?? ?? A2 25 1F 11 1F 65 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 12 1F 64 13 + ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 13 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 14 1F + 74 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 15 1F 6F 13 ?? 12 ?? 28 ?? ?? ?? ?? 
A2 25 1F
+ 16 1F 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 17 1F 73 13 ?? 12 ?? 28 ?? ?? ?? ?? A2
+ 25 1F 18 1F 65 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 19 1F 72 13 ?? 12 ?? 28 ?? ?? ??
+ ?? A2 25 1F 1A 1F 76 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 1B 1F 65 13 ?? 12 ?? 28 ??
+ ?? ?? ?? A2 25 1F 1C 1F 72 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1F 1D 1F 2E 13 ?? 12 ??
+ 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 1F 0F 8D ?? ?? ?? ?? 25 16 1F
+ 66 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 17 1F 69 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 18 1F
+ 6C 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 1F 65 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1A 1F
+ 20 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1B 1F 6E 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 1C 1F
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($send_fingerprint_to_c2_p*)
+ ) and
+ (
+ all of ($get_files_and_directories_p*)
+ ) and
+ (
+ all of ($upload_file_to_c2_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/backdoor/Linux.Backdoor.Krasue.yara b/yara/backdoor/Linux.Backdoor.Krasue.yara
new file mode 100644
index 0000000..b67d788
--- /dev/null
+++ b/yara/backdoor/Linux.Backdoor.Krasue.yara
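Review bot: The condition at the end of the hunk gates only on `uint16(0) == 0x5A4D` before evaluating three `all of` groups of long, wildcard-heavy hex strings, so every MZ-prefixed file of any size is scanned in full; the usual guard is a size bound, e.g. `uint16(0) == 0x5A4D and filesize < <SIZE_BOUND> and`. The same applies to the Krasue and Linodas rules later in this patch, which gate only on the ELF magic. The meta block records author, source and TLP but no reference sample or date, so there is nothing to regression-test the rule against when a pattern is edited; a `date` entry and a `hash = "<reference-sample-sha256>"` placeholder would document where the byte patterns came from.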
@@ -0,0 +1,127 @@ +rule Linux_Backdoor_Krasue : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KRASUE" + description = "Yara rule that detects Krasue backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Krasue" + tc_detection_factor = 5 + + strings: + + $switch_server = { + 8B 05 ?? ?? ?? ?? FF C0 3B 05 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 7C ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? 48 63 05 ?? ?? ?? ?? 85 C0 75 ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B + 15 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? C6 05 ?? ?? ?? ?? + ?? 89 15 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 66 89 15 ?? ?? 23 00 48 8B 04 C5 ?? ?? ?? ?? + 66 C7 05 ?? ?? 23 00 ?? ?? 8B 10 89 15 ?? ?? ?? ?? 66 8B 40 ?? 66 89 05 ?? ?? 23 00 + C3 + } + + $get_hostname = { + 41 55 41 54 31 F6 55 53 31 C0 BF ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 + C0 0F 88 ?? ?? ?? ?? 48 89 E6 89 C7 89 C3 E8 ?? ?? ?? ?? 48 8B 6C 24 ?? 45 31 C9 31 + FF 41 89 D8 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 41 89 EC 48 63 ED 48 89 EE E8 ?? ?? ?? ?? + BE ?? ?? ?? ?? 48 89 C7 49 89 C5 E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? 48 63 D0 49 8D 74 15 + ?? 8D 50 ?? 48 63 D2 44 39 E2 41 89 D0 7D ?? 48 FF C2 41 80 7C 15 ?? ?? 75 ?? 44 89 + C1 41 FF C8 BA ?? ?? ?? ?? 29 C1 4D 63 C0 48 89 D7 83 E9 ?? 48 63 C9 F3 A4 41 C6 80 + ?? ?? ?? ?? ?? 4C 89 EF 48 89 EE E8 ?? ?? ?? ?? 89 DF E8 ?? ?? ?? ?? 48 81 C4 ?? ?? + ?? ?? 5B 5D 41 5C 41 5D C3 + } + + $start_server_p1 = { + 41 57 41 56 31 D2 41 55 41 54 BE ?? ?? ?? ?? 55 53 89 FB BF ?? ?? ?? ?? 48 81 EC ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 89 05 ?? ?? ?? ?? 79 ?? 83 CF ?? E9 ?? ?? ?? ?? 48 8D + 4C 24 ?? 41 B8 ?? ?? ?? ?? BE ?? ?? ?? ?? BA ?? ?? ?? ?? 89 C7 C7 44 24 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 31 C0 B9 ?? ?? ?? ?? 48 89 D7 F3 AB 31 FF 66 C7 05 + ?? ?? 23 00 ?? ?? E8 ?? ?? ?? ?? 0F B7 FB 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 3D ?? + ?? ?? ?? BA ?? ?? ?? ?? BE ?? 
?? ?? ?? 66 89 05 ?? ?? 23 00 E8 ?? ?? ?? ?? 85 C0 78 + ?? 4C 8D A4 24 ?? ?? ?? ?? 4C 8D AC 24 ?? ?? ?? ?? 4C 8D 74 24 ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 31 C9 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? + ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 48 89 C3 0F 88 ?? ?? ?? ?? 31 C0 B9 ?? ?? ?? + ?? 4C 89 E7 83 FB ?? F3 AB 7E ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? + ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 44 8D 08 31 C9 BA + ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 83 FB ?? 75 ?? BE ?? ?? ?? ?? 4C 89 + E7 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 89 05 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 DA BE ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? 4C 89 E6 89 + C2 8A 06 89 F5 44 29 E5 3C ?? 75 ?? 80 7E ?? ?? 75 ?? 48 83 C6 ?? EB ?? 3C ?? 75 ?? + 80 7E ?? ?? 75 ?? 41 B8 ?? ?? ?? ?? 31 C0 B9 ?? ?? ?? ?? 4C 89 C7 4C 8B 05 ?? ?? ?? + ?? F3 AB 8B 7E ?? 66 8B 4E ?? 4C 89 06 C6 06 ?? 45 31 C0 C6 46 ?? ?? BE + } + + $start_server_p2 = { + 66 C7 05 ?? ?? 23 00 ?? ?? 89 3D ?? ?? ?? ?? 66 89 0D ?? ?? 23 00 89 3D ?? ?? ?? ?? + 66 89 0D ?? ?? 23 00 48 89 F7 B9 ?? ?? ?? ?? 4C 89 E6 F3 AB E9 ?? ?? ?? ?? 85 ED 75 + ?? 48 63 DD BA ?? ?? ?? ?? BE ?? ?? ?? ?? 4C 01 E3 48 89 DF E8 ?? ?? ?? ?? 85 C0 75 + ?? 48 8D 7B ?? E8 ?? ?? ?? ?? 6B C0 ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 4C 89 EF 99 F7 + F9 31 C0 E8 ?? ?? ?? ?? EB ?? 8D 45 ?? 48 8D 54 24 ?? 48 98 85 C0 78 ?? 49 8B 0C 04 + 48 83 C2 ?? 48 83 E8 ?? 48 89 4A ?? C6 42 ?? ?? C6 42 ?? ?? EB ?? BA ?? ?? ?? ?? BE + ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 05 ?? ?? ?? ?? 89 E9 4C 89 F6 + 89 2D ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? B8 ?? ?? ?? ?? + 48 89 C7 F3 A4 BE ?? ?? ?? ?? 4C 89 EF E8 ?? ?? ?? ?? 31 C0 48 83 C9 ?? 4C 89 EF F2 + AE 48 89 C8 48 F7 D0 48 8D 50 ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 + DF E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 44 8B 0D ?? ?? ?? ?? 44 + 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? 
?? 89 4C 24 ?? 44 89 4C 24 ?? E8 ?? ?? ?? ?? 48 83 + EC ?? 41 89 C0 BA ?? ?? ?? ?? 8B 4C 24 ?? 4C 89 EF BE ?? ?? ?? ?? 31 C0 51 8B 0D ?? + ?? ?? ?? 41 57 53 44 8B 4C 24 ?? E8 ?? ?? ?? ?? 31 C0 48 83 C9 ?? 4C 89 EF F2 AE 48 + 83 C4 ?? 48 89 C8 48 F7 D0 48 8D 50 ?? 41 89 E8 4C 89 F1 4C 89 EE 8B 3D ?? ?? ?? ?? + E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 + } + + $start_server_p3 = { + 85 C0 75 ?? 31 FF E8 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? + ?? 85 C0 75 ?? BF ?? ?? ?? ?? EB ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? + ?? ?? 85 C0 75 ?? BF ?? ?? ?? ?? EB ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 89 C7 E8 ?? ?? ?? ?? 45 85 FF 0F + 85 ?? ?? ?? ?? 48 8D 7C 24 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 41 89 C4 75 ?? 8B + 7C 24 ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? BE ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? E8 ?? ?? ?? ?? 48 8D 4B ?? 45 31 C0 BA ?? ?? ?? + ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 7C 24 ?? E8 + ?? ?? ?? ?? 8B 7C 24 ?? 48 8D B4 24 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 89 C3 7E ?? 4C 8D AC 24 ?? ?? ?? ?? 8D 04 2B 3D ?? ?? ?? ?? 7E ?? 8B 3D ?? ?? ?? ?? + BA ?? ?? ?? ?? 48 8D 4C 24 ?? 4C 89 EE 29 EA 41 89 E8 49 81 C5 ?? ?? ?? ?? 81 EB ?? + ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 8B 3D ?? ?? ?? ?? 48 8D 4C 24 ?? 41 89 E8 89 DA 4C 89 + EE E8 ?? ?? ?? ?? EB ?? 31 F6 BA ?? ?? ?? ?? 44 89 E7 E8 ?? ?? ?? ?? 85 C0 0F 85 + } + + $send_encrypt = { + E8 ?? ?? ?? ?? 41 8D 7E ?? 49 89 C5 48 63 FF E8 ?? ?? ?? ?? 48 63 54 24 ?? 48 89 C7 + 4C 89 FE 48 8D 0C 13 C6 04 08 ?? 89 D1 48 01 C2 F3 A4 48 89 D7 48 89 EE 48 89 D9 44 + 89 F2 F3 A4 48 89 C6 EB ?? 8D 7B ?? 48 63 FF E8 ?? ?? ?? ?? 89 DA 49 89 C5 48 89 EE + 4C 89 EF E8 ?? ?? ?? ?? 44 8B 0D ?? ?? ?? ?? 4C 89 EE 44 89 E7 48 63 D0 41 B8 ?? ?? + ?? ?? 31 C9 E8 ?? ?? ?? ?? 48 83 C4 ?? 
5B 5D 41 5C 41 5D 41 5E 41 5F C3
+ }
+
+ $notify_server = {
+ 48 81 EC ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 48 89 E0 85 D2 7E ?? BE ?? ?? ?? ?? 89 D1 48
+ 89 E7 F3 A4 48 63 D2 BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 4C 8D 04 10 41 B9 ?? ?? ?? ?? 48
+ 83 C2 ?? 4C 89 C7 41 B8 ?? ?? ?? ?? F3 A4 8B 3D ?? ?? ?? ?? 48 89 C6 E8 ?? ?? ?? ??
+ 8B 05 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint32(0) == 0x464C457F and
+ (
+ $switch_server
+ ) and
+ (
+ $get_hostname
+ ) and
+ (
+ all of ($start_server_p*)
+ ) and
+ (
+ $send_encrypt
+ ) and
+ (
+ $notify_server
+ )
+}
\ No newline at end of file
diff --git a/yara/backdoor/Linux.Backdoor.Linodas.yara b/yara/backdoor/Linux.Backdoor.Linodas.yara
new file mode 100644
index 0000000..1531e1b
--- /dev/null
+++ b/yara/backdoor/Linux.Backdoor.Linodas.yara
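Review bot: In `$switch_server`, `$start_server_p1` and `$start_server_p2` the sequences `?? ?? 23 00` leave the high two bytes of what look like RIP-relative 32-bit displacements fixed (e.g. `66 89 15 ?? ?? 23 00`, `66 C7 05 ?? ?? 23 00 ?? ??`), which ties the rule to one specific image layout: a relinked build of the same code would be missed while the fixed `23 00` adds little selectivity. Either widen those to `?? ?? ?? ??` or record why the layout is intended, e.g. `// 0x0023xxxx displacements kept on purpose — TODO confirm against all known builds`. The `uint32(0) == 0x464C457F` gate also carries no `filesize` bound, as noted on the Menorah rule above.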
@@ -0,0 +1,216 @@ +rule Linux_Backdoor_Linodas : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LINODAS" + description = "Yara rule that detects Linodas backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Linodas" + tc_detection_factor = 5 + + strings: + + $persistence_mechanism_ubuntu = { + 41 54 BE ?? ?? ?? ?? 55 53 48 81 EC ?? ?? ?? ?? 48 8D 6C 24 ?? 48 8D 54 24 ?? 48 89 + EF E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 5C 24 ?? 48 + 89 EE 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 48 + 81 FB ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8D 6C 24 ?? 48 8D 54 24 ?? BE ?? ?? ?? ?? 48 + 89 EF E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 5C 24 ?? + 48 89 EE 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? + 48 81 FB ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8D 5C 24 ?? 48 89 EE 48 89 DF E8 ?? ?? ?? + ?? 48 89 DF E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 41 BC ?? ?? ?? ?? 48 83 EB ?? 4C 39 E3 0F + 85 ?? ?? ?? ?? 4C 8B 44 24 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 E7 + E8 ?? ?? ?? ?? 48 89 E7 E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 E7 E8 ?? ?? ?? ?? 85 C0 + 74 ?? 48 8B 4C 24 ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 + 8D 5C 24 ?? 4C 8B 44 24 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 + ?? ?? ?? ?? 48 89 DE 48 89 E7 E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 49 39 DC 0F + 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 E7 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? BA + ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 5C 24 ?? 4C 8B 44 24 + ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DE 48 + 89 E7 E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 49 39 DC 0F 85 ?? ?? ?? ?? BE ?? ?? + ?? ?? 48 89 E7 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? BA ?? ?? ?? ?? BE ?? ?? ?? + ?? BF ?? ?? ?? 
?? E8 ?? ?? ?? ?? 48 8B 1C 24 48 83 EB ?? 49 39 DC 0F 85 ?? ?? ?? ?? + 48 8B 5C 24 ?? 48 83 EB ?? 49 39 DC 0F 85 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 49 + 39 DC 0F 85 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5B 5D 41 5C C3 + } + + $network_communication_1 = { + 48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 F3 4C 89 64 24 ?? 4C 89 6C 24 ?? 48 81 EC ?? ?? + ?? ?? 48 8B 06 48 89 FD 89 54 24 ?? 45 89 C4 48 83 78 ?? ?? 0F 84 ?? ?? ?? ?? 4C 8D + 6C 24 ?? 48 8B 33 4C 89 EF E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 83 78 ?? ?? 0F 84 ?? ?? + ?? ?? 45 84 E4 0F 85 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 88 45 + ?? 80 7D ?? ?? 0F 84 ?? ?? ?? ?? C6 45 ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 89 C5 0F 84 ?? ?? ?? ?? 48 8D 4C 24 ?? 41 B8 ?? ?? ?? + ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 89 C7 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? + ?? ?? ?? 48 8D 5C 24 ?? E8 ?? ?? ?? ?? 48 8D 4C 24 ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? + 41 B8 ?? ?? ?? ?? 89 EF 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 8B 7C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 48 C7 44 24 ?? ?? ?? + ?? ?? 66 C1 C8 ?? 66 C7 44 24 ?? ?? ?? 66 89 44 24 ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? + 89 44 24 ?? 48 89 DE 89 EF E8 ?? ?? ?? ?? 83 C0 ?? 0F 84 ?? ?? ?? ?? 0F 1F 44 00 ?? + 48 8B 5C 24 ?? 48 83 EB ?? 48 81 FB ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 89 E8 48 8B 5C 24 + ?? 48 8B 6C 24 ?? 4C 8B 64 24 ?? 4C 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 + } + + $network_communication_2 = { + 48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 FB 4C 89 64 24 ?? BE ?? ?? ?? ?? 48 83 EC ?? BF + ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? + ?? ?? ?? 48 8D 73 ?? 48 8D 53 ?? BF ?? ?? ?? ?? 48 8D 6C 24 ?? 45 31 E4 E8 ?? ?? ?? + ?? 48 89 DF E8 ?? ?? ?? ?? 48 8B 73 ?? 48 89 EF E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 83 + 78 ?? ?? 74 ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? + 4C 8D 64 24 ?? 48 89 EE 4C 89 E7 E8 ?? ?? ?? ?? 4C 89 E6 48 89 DF E8 ?? ?? 
?? ?? 48 + 8B 6C 24 ?? 41 89 C4 48 83 ED ?? 48 81 FD ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 45 84 E4 74 + ?? 80 7B ?? ?? 0F 84 ?? ?? ?? ?? 90 48 89 DF E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 41 0F B6 + EC 48 83 EB ?? 48 81 FB ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 89 E8 48 8B 5C 24 ?? 48 8B 6C + 24 ?? 4C 8B 64 24 ?? 48 83 C4 ?? C3 + } + + $persistence_mechanism_redhat_v11 = { + 41 57 41 56 41 55 41 54 55 53 48 83 EC ?? 48 8D 7C 24 ?? E8 ?? ?? ?? ?? 48 8B 6C 24 + ?? 8B 7D ?? 4C 8D 7D ?? 81 C7 ?? ?? ?? ?? 48 63 FF E8 ?? ?? ?? ?? 48 89 C3 48 8D 7C + 24 ?? 48 89 EE E8 ?? ?? ?? ?? 4C 8B 6C 24 ?? BE ?? ?? ?? ?? 48 89 DF 31 C0 4C 8D 74 + 24 ?? 4C 89 EA E8 ?? ?? ?? ?? 48 98 48 8D 54 24 ?? 48 89 DE C6 04 18 ?? 4C 89 F7 E8 + ?? ?? ?? ?? 48 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 E9 4C 89 EA BE ?? + ?? ?? ?? 48 89 DF 49 89 E9 4D 89 E8 31 C0 E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 41 89 C4 B9 + ?? ?? ?? ?? 89 C2 48 89 DE E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 48 8B 54 24 ?? 48 89 DF BE ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 48 89 + DF E8 ?? ?? ?? ?? 4C 89 EA BE ?? ?? ?? ?? 48 89 DF 31 C0 48 8D 6C 24 ?? E8 ?? ?? ?? + ?? 48 98 48 8D 54 24 ?? 48 89 DE C6 04 18 ?? 48 89 EF E8 ?? ?? ?? ?? 48 89 E7 31 C9 + BA ?? ?? ?? ?? 48 89 EE E8 ?? ?? ?? ?? 48 8B 6C 24 ?? 41 BE ?? ?? ?? ?? 4C 8B 24 24 + 48 83 ED ?? 4C 39 F5 0F 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? 48 85 + C0 0F 84 ?? ?? ?? ?? 48 89 DF 49 8D 5C 24 ?? E8 ?? ?? ?? ?? 49 39 DE 0F 85 ?? ?? ?? + ?? 48 8B 5C 24 ?? 48 83 EB ?? 49 39 DE 0F 85 ?? ?? ?? ?? 49 8D 5D ?? 49 39 DE 0F 85 + ?? ?? ?? ?? 49 81 FF ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 83 C4 ?? 5B 5D 41 5C 41 5D 41 + 5E 41 5F C3 + } + + $change_timestamp_and_read_config_v11 = { + 55 53 48 83 EC ?? 48 8D 5C 24 ?? 48 89 E7 E8 ?? ?? ?? ?? 48 89 E6 48 89 DF E8 ?? ?? + ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 48 81 FB ?? ?? ?? ?? 0F 85 + ?? ?? ?? ?? 48 89 E6 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 1C 24 BE ?? ?? ?? ?? 48 89 + DF E8 ?? ?? ?? ?? 48 85 C0 74 ?? 
48 83 C0 ?? 89 C5 29 DD 8D 7D ?? 48 63 FF E8 ?? ?? + ?? ?? 48 63 D5 48 89 C3 48 89 C7 C6 04 02 ?? 48 8B 34 24 E8 ?? ?? ?? ?? 48 89 DF E8 + ?? ?? ?? ?? 48 89 DE 48 89 C2 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? + BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 1C 24 B8 ?? ?? ?? + ?? 48 83 EB ?? 48 39 D8 75 ?? 48 83 C4 ?? 5B 5D C3 + } + + $generate_machine_id_v11 = { + 41 57 BE ?? ?? ?? ?? 49 89 FF 41 56 41 55 41 54 55 53 48 81 EC ?? ?? ?? ?? 48 8D 9C + 24 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 8D AC 24 ?? ?? ?? + ?? 31 C9 BA ?? ?? ?? ?? 48 89 DE 4C 89 EF E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 41 + BE ?? ?? ?? ?? 48 83 EB ?? 4C 39 F3 0F 85 ?? ?? ?? ?? 4C 8D A4 24 ?? ?? ?? ?? 48 8B + B4 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? 48 8B 84 24 + ?? ?? ?? ?? 48 83 78 ?? ?? 0F 84 ?? ?? ?? ?? 48 8D 9C 24 ?? ?? ?? ?? 48 8D 94 24 ?? + ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 31 C9 BA ?? + ?? ?? ?? 48 89 DE 48 89 EF E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 + DE 0F 85 ?? ?? ?? ?? 48 89 EE 4C 89 E7 E8 ?? ?? ?? ?? 48 8B B4 24 ?? ?? ?? ?? 48 8D + BC 24 ?? ?? ?? ?? 48 8B 56 ?? E8 ?? ?? ?? ?? 31 FF 4C 8B AC 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 C6 48 8D BC 24 ?? ?? ?? + ?? F7 EA 89 F1 89 F5 C1 F9 ?? C1 FA ?? 29 CA 69 D2 ?? ?? ?? ?? 29 D5 E8 ?? ?? ?? ?? + 48 8B 9C 24 ?? ?? ?? ?? 41 89 E8 31 C0 4C 89 E9 BE ?? ?? ?? ?? 48 89 E7 48 89 DA 48 + 83 EB ?? E8 ?? ?? ?? ?? 49 39 DE 89 C5 0F 85 ?? ?? ?? ?? 48 63 C5 48 8D 94 24 ?? ?? + ?? ?? 48 8D BC 24 ?? ?? ?? ?? C6 04 04 ?? 48 89 E6 E8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? + ?? ?? 48 89 E6 4C 89 FF E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 DE + 0F 85 ?? ?? ?? ?? 49 8D 5D ?? 49 39 DE 0F 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 + 83 EB ?? 49 39 DE 0F 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 DE 0F + 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 
49 39 DE 0F 85 ?? ?? ?? ?? 48 81 + C4 ?? ?? ?? ?? 4C 89 F8 5B 5D 41 5C 41 5D 41 5E 41 5F C3 + } + + $persistence_mechanism_redhat_v7 = { + 48 89 6C 24 ?? 4C 89 7C 24 ?? 48 89 5C 24 ?? 4C 89 64 24 ?? 4C 89 6C 24 ?? 4C 89 74 + 24 ?? 48 81 EC ?? ?? ?? ?? 48 8D 7C 24 ?? E8 ?? ?? ?? ?? 48 8B 6C 24 ?? 8B 7D ?? 4C + 8D 7D ?? 81 C7 ?? ?? ?? ?? 48 63 FF E8 ?? ?? ?? ?? 48 89 C3 48 8D 7C 24 ?? 48 89 EE + E8 ?? ?? ?? ?? 4C 8B 64 24 ?? BE ?? ?? ?? ?? 48 89 DF 31 C0 4C 8D 74 24 ?? 4C 89 E2 + E8 ?? ?? ?? ?? 48 98 48 8D 54 24 ?? 48 89 DE C6 04 18 ?? 4C 89 F7 E8 ?? ?? ?? ?? 48 + 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 E1 4C 89 E2 BE ?? ?? ?? ?? 48 89 + DF 49 89 E9 4D 89 E0 31 C0 E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 41 89 C5 B9 ?? ?? ?? ?? 89 + C2 48 89 DE E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 31 F6 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? 48 8B 54 24 ?? 48 89 DF BE ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? + ?? 4C 89 E2 BE ?? ?? ?? ?? 48 89 DF 31 C0 E8 ?? ?? ?? ?? 48 98 48 89 E7 31 C9 C6 04 + 18 ?? BA ?? ?? ?? ?? 48 89 DE E8 ?? ?? ?? ?? 48 8B 2C 24 BE ?? ?? ?? ?? 48 89 EF E8 + ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 DF 48 8D 5D ?? BD ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 39 EB 0F 85 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 48 39 DD 0F 85 ?? ?? ?? + ?? 49 8D 5C 24 ?? 48 39 DD 0F 85 ?? ?? ?? ?? 49 81 FF ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? + 48 8B 5C 24 ?? 48 8B 6C 24 ?? 4C 8B 64 24 ?? 4C 8B AC 24 ?? ?? ?? ?? 4C 8B B4 24 ?? + ?? ?? ?? 4C 8B BC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 + } + + $get_device_name_v7 = { + 48 89 5C 24 ?? 48 89 6C 24 ?? BE ?? ?? ?? ?? 4C 89 64 24 ?? 4C 89 6C 24 ?? B9 ?? ?? + ?? ?? 4C 89 74 24 ?? 48 81 EC ?? ?? ?? ?? 4C 8B 05 ?? ?? ?? ?? 48 8D 5C 24 ?? BA ?? + ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DE BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 5C 24 + ?? 41 BD ?? ?? ?? ?? 48 83 EB ?? 4C 39 EB 0F 85 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 + 83 78 ?? ?? 75 ?? 48 8D 5C 24 ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DE BF ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 
49 39 DD 0F 85 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? + ?? 48 8B 15 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 7C 24 ?? + E8 ?? ?? ?? ?? 4C 8B 64 24 ?? 48 89 E7 E8 ?? ?? ?? ?? 48 8B 2C 24 48 8D 5C 24 ?? 41 + B8 ?? ?? ?? ?? 4C 89 E2 BE ?? ?? ?? ?? 31 C0 48 89 DF 48 89 E9 E8 ?? ?? ?? ?? 48 89 + DE BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 EB ?? 49 39 DD 0F 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 5D ?? 49 39 DD 0F 85 ?? ?? ?? ?? 49 8D 5C 24 ?? 49 39 DD 0F + 85 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 8B 6C 24 ?? 4C 8B 64 24 ?? 4C 8B 6C 24 ?? 4C 8B B4 + 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 + } + + $generate_machine_id_v7 = { + 41 57 31 C9 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 49 89 FF 41 56 41 55 41 54 55 53 48 81 EC + ?? ?? ?? ?? 4C 8D A4 24 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? + 48 8B B4 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 48 8B + 84 24 ?? ?? ?? ?? 48 83 78 ?? ?? 0F 84 ?? ?? ?? ?? 48 8D 9C 24 ?? ?? ?? ?? 31 C9 BA + ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 DE 48 89 EF E8 ?? ?? ?? ?? + 48 8B B4 24 ?? ?? ?? ?? 48 8D BC 24 ?? ?? ?? ?? 48 8B 56 ?? E8 ?? ?? ?? ?? 31 FF 4C + 8B B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C7 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? + ?? 89 C6 48 8D BC 24 ?? ?? ?? ?? F7 EA 89 F1 89 F5 C1 F9 ?? C1 FA ?? 29 CA 69 D2 ?? + ?? ?? ?? 29 D5 E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 41 89 E8 31 C0 4C 89 F1 BE ?? + ?? ?? ?? 48 89 E7 41 BD ?? ?? ?? ?? 48 89 DA 48 83 EB ?? E8 ?? ?? ?? ?? 4C 39 EB 89 + C5 0F 85 ?? ?? ?? ?? 48 63 C5 48 8D 94 24 ?? ?? ?? ?? 48 8D BC 24 ?? ?? ?? ?? C6 04 + 04 ?? 48 89 E6 E8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 89 E6 4C 89 FF E8 ?? ?? ?? + ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 DD 0F 85 ?? ?? ?? ?? 49 8D 5E ?? 49 39 + DD 0F 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 DD 0F 85 ?? ?? ?? ?? + 48 8B 9C 24 ?? ?? ?? ?? 48 83 EB ?? 49 39 DD 0F 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? + ?? 48 83 EB ?? 49 39 DD 0F 85 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 
4C 89 F8 5B 5D 41 5C
+ 41 5D 41 5E 41 5F C3
+ }
+
+ condition:
+ uint32(0) == 0x464C457F and
+ (
+ (
+ $persistence_mechanism_ubuntu
+ ) and
+ (
+ all of ($network_communication_*)
+ ) and
+ (
+ (
+ (
+ $change_timestamp_and_read_config_v11
+ ) and
+ (
+ $persistence_mechanism_redhat_v11
+ ) and
+ (
+ $generate_machine_id_v11
+ )
+ ) or
+ (
+ (
+ $persistence_mechanism_redhat_v7
+ ) and
+ (
+ $get_device_name_v7
+ ) and
+ (
+ $generate_machine_id_v7
+ )
+ )
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/backdoor/Win32.Backdoor.Konni.yara b/yara/backdoor/Win32.Backdoor.Konni.yara
new file mode 100644
index 0000000..05ce1bc
--- /dev/null
+++ b/yara/backdoor/Win32.Backdoor.Konni.yara
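Review bot: The `_v11` and `_v7` suffixes that select the two `or` branches of the condition are explained nowhere in the rule, so a reader cannot tell which sample variants or builds the two string groups correspond to, nor why `$persistence_mechanism_ubuntu` and both `$network_communication_*` strings are required by both branches. Add a meta entry or a comment above `strings:` such as `// _v11 / _v7 string groups match two distinct sample variants — TODO name them`. Stylistically, the condition wraps its whole body in one redundant extra pair of parentheses and every single-string term in its own `( ... )`; `$persistence_mechanism_ubuntu and all of ($network_communication_*) and ( ... or ... )` reads the same with grouping only around the `or`.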
@@ -0,0 +1,190 @@ +rule Win32_Backdoor_Konni : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KONNI" + description = "Yara rule that detects Konni backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Konni" + tc_detection_factor = 5 + + strings: + + $network_communication_p1 = { + 55 8B EC 83 EC ?? 53 56 8B 35 ?? ?? ?? ?? 57 33 FF 68 ?? ?? ?? ?? 8D 9E ?? ?? ?? ?? + 57 53 89 7D ?? 89 7D ?? 89 7D ?? 89 7D ?? 89 7D ?? 89 5D ?? E8 ?? ?? ?? ?? 8B 45 ?? + 50 56 8D 8E ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? + 81 C6 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 57 57 57 6A ?? 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF + 0F 84 ?? ?? ?? ?? 57 57 6A ?? 57 57 6A ?? 56 53 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B F8 89 7D ?? 85 FF 75 ?? 53 FF 15 ?? ?? ?? ?? 8D 47 ?? 5F 5E 5B 8B E5 5D C2 ?? + ?? 8B 55 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 52 68 ?? ?? ?? ?? 57 C7 45 ?? ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 75 ?? 8B 35 ?? ?? ?? ?? 57 FF D6 53 FF D6 5F + 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C2 ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? + 6A ?? 6A ?? 85 C0 74 ?? 8D 45 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 50 6A ?? 56 + FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 57 FF D6 53 FF D6 5F 5E B8 ?? ?? ?? ?? + 5B 8B E5 5D C2 ?? ?? 8B 45 ?? 85 C0 75 ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 56 8B 35 ?? + ?? ?? ?? FF D6 57 FF D6 53 FF D6 5F 5E 83 C8 ?? 5B 8B E5 5D C2 ?? ?? 40 50 6A ?? 89 + } + + $network_communication_p2 = { + 45 ?? FF 15 ?? ?? ?? ?? 8B F8 85 FF 75 ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 56 8B 35 ?? + ?? ?? ?? FF D6 8B 4D ?? 51 FF D6 53 FF D6 5F 5E 83 C8 ?? 5B 8B E5 5D C2 ?? ?? 8B 55 + ?? 52 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 6A ?? 6A ?? 6A ?? + 56 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 8B 45 ?? 
50 FF D6 53 FF D6 5F 5E 83 + C8 ?? 5B 8B E5 5D C2 ?? ?? 8B 55 ?? 8D 4D ?? 51 52 57 56 FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 57 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 B8 ?? ?? ?? ?? 75 ?? 8B 45 ?? 89 45 ?? 83 F8 ?? 74 ?? 8B 4D ?? 8B 55 ?? 6A ?? + 8D 45 ?? 50 51 57 52 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B 45 ?? 01 45 ?? 51 6A ?? 57 E8 ?? + ?? ?? ?? 8B 45 ?? 83 C4 ?? 8D 55 ?? 52 50 57 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4D + ?? 51 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? + 56 8B 35 ?? ?? ?? ?? FF D6 8B 55 ?? 52 FF D6 53 FF D6 83 7D ?? ?? 0F 84 ?? ?? ?? ?? + 8B 45 ?? 5F 5E 5B 8B E5 5D C2 + } + + $handle_c2_commands_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 8D 85 ?? ?? ?? ?? + 50 33 FF 68 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 89 B5 ?? ?? ?? ?? + 3B F7 75 ?? 83 C8 ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 0D ?? ?? + ?? ?? 8B 16 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B + 4E ?? 50 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 56 ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 4E ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B + 5E ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 33 C0 57 51 66 89 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 46 ?? 52 50 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 4E ?? 57 51 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 46 ?? 52 50 E8 ?? ?? ?? + ?? 83 C4 ?? 85 C0 75 ?? 8B 46 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 69 C0 ?? ?? ?? ?? A3 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 56 ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 + } + + $handle_c2_commands_p2 = { + C0 75 ?? 8B 46 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 69 C0 ?? ?? ?? ?? A3 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4C 86 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? BE + ?? ?? ?? ?? 85 C0 75 ?? 8D 78 ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? 
?? E9 ?? ?? ?? ?? 33 + FF E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 06 52 50 E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B + 44 96 ?? 51 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 8D ?? ?? ?? ?? 8B 54 8E ?? 68 + ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 06 8D 50 ?? 8B FF 66 8B 08 83 + C0 ?? 66 3B CF 75 ?? 2B C2 D1 F8 57 8D 3C 45 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB + ?? 8B 06 8D 50 ?? 66 8B 08 83 C0 ?? 66 3B CF 75 ?? 2B C2 D1 F8 6A ?? 8D 3C 45 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? A1 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 54 8E ?? 50 + 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 48 ?? EB ?? 33 C9 E8 ?? ?? ?? ?? 8B F8 56 + FF 15 ?? ?? ?? ?? 8B 4D ?? 8B C7 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $create_cab_file_and_upload_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? A1 ?? ?? ?? ?? 53 56 57 33 + FF 68 ?? ?? ?? ?? 8B F1 8D 95 ?? ?? ?? ?? 33 C9 57 52 89 85 ?? ?? ?? ?? 89 BD ?? ?? + ?? ?? 89 BD ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 33 C0 57 51 66 89 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 33 C0 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 66 89 + 85 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 33 D2 50 66 89 95 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 0F B7 8D ?? ?? ?? ?? 0F B7 95 ?? ?? ?? ?? 0F B7 85 ?? ?? ?? ?? 51 0F B7 8D ?? + ?? ?? ?? 52 0F B7 95 ?? ?? ?? ?? 50 51 52 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 57 + 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 57 68 ?? ?? ?? ?? 8B C8 51 FF 15 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 + FF 15 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B D8 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? + 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 
85 C0 74 ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? + ?? 83 C4 ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 68 ?? + ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B CE 8D BD ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 F8 ?? 75 ?? 83 C8 ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 57 8D + } + + $create_cab_file_and_upload_p2 = { + 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? EB ?? 33 FF 8D 9D ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 3B C7 74 ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? + ?? 8B B5 ?? ?? ?? ?? 83 C6 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 3B C7 74 + ?? 56 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 3B + DF 74 ?? 8D 85 ?? ?? ?? ?? 8D 50 ?? EB ?? 8D 9B ?? ?? ?? ?? 66 8B 08 83 C0 ?? 66 3B + CF 75 ?? 2B C2 8D 93 ?? ?? ?? ?? D1 F8 8D 0C 00 33 C0 89 02 89 42 ?? 89 42 ?? 89 42 + ?? 89 42 ?? 89 42 ?? 89 42 ?? 89 42 ?? 3B CF 74 ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8B CB EB ?? 33 C9 8B 95 ?? ?? ?? ?? 89 8A ?? ?? ?? ?? 3B CF 0F 84 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 8B + BD ?? ?? ?? ?? 8B 87 ?? ?? ?? ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 53 C7 87 ?? + ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 50 ?? 8D 9B ?? ?? ?? ?? + 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 8D 84 46 ?? ?? ?? ?? 50 6A ?? 89 85 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 6A ?? + 53 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 50 + 53 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 56 89 85 ?? ?? ?? ?? 51 03 C3 50 E8 ?? ?? ?? ?? + 8B BD ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 03 FB 83 C4 ?? 03 FE B9 ?? ?? ?? ?? BE ?? ?? ?? + ?? 50 F3 A5 FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? 56 E8 + } + + $create_cab_file_and_upload_p3 = { + 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 85 FF 0F 84 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 57 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? 
?? ?? ?? + 89 85 ?? ?? ?? ?? 85 C0 75 ?? 57 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B 4D ?? + 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? + 6A ?? 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? 50 05 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? 56 68 ?? ?? ?? ?? 51 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B F0 85 F6 75 ?? 8B 95 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 52 FF D6 57 FF D6 B8 ?? ?? + ?? ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 85 ?? ?? ?? ?? 50 53 6A + ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 56 + 8B 35 ?? ?? ?? ?? FF D6 8B 8D ?? ?? ?? ?? 51 FF D6 57 FF D6 B8 ?? ?? ?? ?? 5F 5E 5B + 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 53 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 95 ?? + ?? ?? ?? 52 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 56 8B 35 + ?? ?? ?? ?? FF D6 8B 85 ?? ?? ?? ?? 50 FF D6 57 FF D6 B8 ?? ?? ?? ?? 5F 5E 5B 8B 4D + ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 85 ?? ?? ?? ?? 85 C0 75 ?? 50 50 50 56 FF 15 + ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 8B 8D ?? ?? ?? ?? 51 FF D6 57 FF D6 83 C8 + } + + $create_cab_file_and_upload_p4 = { + 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 40 50 6A ?? 89 85 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 8B D8 85 DB 75 ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? + FF D6 8B 95 ?? ?? ?? ?? 52 FF D6 57 FF D6 83 C8 ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? + ?? ?? 8B E5 5D C3 8B 85 ?? ?? ?? ?? 50 6A ?? 53 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 + C4 ?? 8D 8D ?? ?? ?? ?? 51 52 53 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 53 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 89 85 ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? + ?? FF D6 8B 85 ?? ?? ?? ?? 50 FF D6 57 FF D6 8B 4D ?? 8B 85 ?? ?? ?? ?? 5F 5E 33 CD + 5B E8 ?? ?? ?? ?? 
8B E5 5D C3 + } + + $cmd_expand_payload = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 68 ?? ?? ?? ?? 8B + D9 33 FF 8D 8D ?? ?? ?? ?? 33 C0 57 51 66 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 33 D2 57 50 66 89 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 8D + ?? ?? ?? ?? 57 51 89 BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? 6A ?? + 57 6A ?? 33 C0 68 ?? ?? ?? ?? 53 89 BD ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 ?? 57 57 57 6A ?? 57 56 FF + 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 3B C7 75 ?? 56 FF 15 ?? ?? ?? ?? 83 C8 ?? 5F 5E 5B + 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 57 57 57 6A ?? 50 FF 15 ?? ?? ?? ?? 8B F8 + 85 FF 74 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 6A ?? 8D 47 ?? 50 6A ?? 6A ?? FF 15 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 57 ?? 83 C4 ?? 57 89 95 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 3D ?? ?? ?? ?? 50 FF D7 56 FF D7 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? + 51 E8 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? + ?? 83 C4 ?? 33 C0 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 50 50 68 ?? ?? ?? ?? 50 + 50 50 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D3 6A + ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8B F0 83 FE ?? 75 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 56 FF D7 8B 4D ?? 8B 85 ?? ?? + ?? ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($network_communication_p*) + ) and + ( + all of ($handle_c2_commands_p*) + ) and + ( + all of ($create_cab_file_and_upload_p*) + ) and + ( + $cmd_expand_payload + ) +} \ No newline at end of file 
diff --git a/yara/backdoor/Win64.Backdoor.Konni.yara b/yara/backdoor/Win64.Backdoor.Konni.yara
new file mode 100644
index 0000000..c7990e9
--- /dev/null
+++ b/yara/backdoor/Win64.Backdoor.Konni.yara
@@ -0,0 +1,205 @@ +rule Win64_Backdoor_Konni : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KONNI" + description = "Yara rule that detects Konni backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Konni" + tc_detection_factor = 5 + + strings: + + $network_communication_p1 = { + 48 8B C4 53 55 57 41 54 41 55 41 56 41 57 48 83 EC ?? 48 8B 3D ?? ?? ?? ?? 45 33 FF + 48 8B D9 4C 8D A7 ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? 49 8B CC 44 89 78 ?? 44 89 78 + ?? 45 8B F7 44 89 78 ?? 41 8B EF E8 ?? ?? ?? ?? 4C 8D 8F ?? ?? ?? ?? 4C 8D 05 ?? ?? + ?? ?? BA ?? ?? ?? ?? 49 8B CC 48 89 5C 24 ?? 48 89 7C 24 ?? E8 ?? ?? ?? ?? 48 8D 9F + ?? ?? ?? ?? 48 8B CB E8 ?? ?? ?? ?? 41 BD ?? ?? ?? ?? 45 33 C9 45 33 C0 33 C9 41 8B + D5 44 89 7C 24 ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 89 44 24 ?? 48 85 C0 75 ?? 83 C8 ?? + 48 83 C4 ?? 41 5F 41 5E 41 5D 41 5C 5F 5D 5B C3 4C 89 7C 24 ?? 44 89 7C 24 ?? 41 B8 + ?? ?? ?? ?? 45 33 C9 48 8B D3 48 8B C8 C7 44 24 ?? ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? + ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 4C 89 7C 24 ?? FF 15 ?? ?? ?? ?? 48 8B F0 48 85 + C0 0F 84 ?? ?? ?? ?? 4C 89 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 45 + 33 C9 4D 8B C4 48 8B C8 4C 89 7C 24 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 4C 89 7C 24 + ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? 45 33 C9 45 33 C0 33 D2 48 8B C8 44 89 + 7C 24 ?? FF 15 ?? ?? ?? ?? 45 33 C9 45 33 C0 48 8B CB 85 C0 74 ?? 48 8D 94 24 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 45 33 C9 48 8B CB 45 33 C0 33 D2 FF 15 ?? ?? ?? + ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? + 41 8B C5 E9 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 85 C0 75 ?? 48 8B CB EB ?? FF C0 B9 ?? + ?? ?? ?? 8B D0 89 84 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B E0 48 85 C0 74 ?? 44 8B + } + + $network_communication_p2 = { + 84 24 ?? ?? ?? ?? 33 D2 48 8B C8 E8 ?? ?? ?? ?? 45 33 C9 4C 89 7C 24 ?? 
48 8D 0D ?? + ?? ?? ?? 45 8D 41 ?? BA ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 4C 8B E8 48 8B CB 48 83 F8 ?? 75 ?? 45 33 C9 45 33 C0 33 D2 FF 15 + ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? + ?? ?? ?? 83 C8 ?? E9 ?? ?? ?? ?? 44 8B 84 24 ?? ?? ?? ?? 4C 8D 8C 24 ?? ?? ?? ?? 49 + 8B D4 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 1F 00 44 39 BC 24 + ?? ?? ?? ?? 74 ?? 48 8D 15 ?? ?? ?? ?? 49 8B CC 41 8B EF E8 ?? ?? ?? ?? 48 85 C0 0F + 45 EF 3B EF 74 ?? 44 8B 84 24 ?? ?? ?? ?? 4C 8D 8C 24 ?? ?? ?? ?? 49 8B D4 49 8B CD + 4C 89 7C 24 ?? FF 15 ?? ?? ?? ?? 44 8B 84 24 ?? ?? ?? ?? 44 03 B4 24 ?? ?? ?? ?? 33 + D2 49 8B CC E8 ?? ?? ?? ?? 44 8B 84 24 ?? ?? ?? ?? 4C 8D 8C 24 ?? ?? ?? ?? 49 8B D4 + 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8B 7C 24 ?? 49 8B CD FF 15 ?? + ?? ?? ?? 49 8B CC FF 15 ?? ?? ?? ?? 45 33 C9 45 33 C0 33 D2 48 8B CB FF 15 ?? ?? ?? + ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? + 83 C8 ?? 45 85 F6 0F 44 E8 8B C5 48 8B B4 24 ?? ?? ?? ?? 48 83 C4 ?? 41 5F 41 5E 41 + 5D 41 5C 5F 5D 5B C3 + } + + $handle_c2_commands_p1 = { + 48 89 5C 24 ?? 48 89 74 24 ?? 57 48 81 EC ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 + 48 89 84 24 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? 48 8D 54 24 ?? 33 FF 48 8B CE 89 7C 24 + ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 75 ?? 83 C8 ?? E9 ?? ?? ?? ?? 48 8B 15 ?? ?? + ?? ?? 48 8B 08 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 4B + ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 4B ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 75 ?? 48 8B 4B ?? 8D 50 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 4C 24 ?? 33 D2 41 B8 + ?? ?? ?? ?? 66 89 7C 24 ?? E8 ?? ?? ?? ?? 48 8B 4B ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? + 48 8B 15 ?? ?? ?? ?? 48 8B 4B ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 53 ?? 48 8D 0D ?? + ?? ?? ?? 45 33 C0 FF 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 48 8B 15 ?? ?? ?? ?? 
48 8B 4B ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 4B ?? E8 ?? + ?? ?? ?? 69 C0 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 + 8B 4B ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 4B ?? E8 ?? ?? ?? ?? 69 C0 ?? ?? ?? ?? 89 + } + + $handle_c2_commands_p2 = { + 05 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 63 4C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8B 4C CB ?? E8 + ?? ?? ?? ?? 48 8B CE 85 C0 75 ?? 8D 50 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 D2 E8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 0B E8 ?? ?? ?? ?? 48 63 4C 24 ?? + 48 8B 15 ?? ?? ?? ?? 48 8B 4C CB ?? 85 C0 75 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 63 4C + 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8B 4C CB ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 3B 48 83 + C9 ?? 33 C0 66 F2 AF 33 D2 48 F7 D1 48 8D 0C 4E E8 ?? ?? ?? ?? EB ?? 48 8B 3B 48 83 + C9 ?? 33 C0 66 F2 AF 8D 50 ?? 48 F7 D1 48 8D 0C 4E E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? + ?? 85 C0 75 ?? 8D 48 ?? EB ?? 33 C9 E8 ?? ?? ?? ?? 8B F8 48 8B CB FF 15 ?? ?? ?? ?? + 8B C7 48 8B 8C 24 ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B + 5B ?? 49 8B 73 ?? 49 8B E3 5F C3 + } + + $create_cab_file_and_upload_p1 = { + 48 89 5C 24 ?? 55 56 57 41 54 41 57 48 8D AC 24 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 + 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 85 ?? ?? ?? ?? 4C 8B 3D ?? ?? ?? ?? 33 DB 48 8B F1 + 48 8D 4D ?? 33 D2 41 B8 ?? ?? ?? ?? 44 8B E3 89 5C 24 ?? 89 5C 24 ?? 66 89 5D ?? E8 + ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? 66 89 9D ?? ?? 00 00 E8 ?? + ?? ?? ?? 33 C0 48 8D 4C 24 ?? 66 89 5C 24 ?? 48 89 44 24 ?? 89 44 24 ?? 66 89 44 24 + ?? FF 15 ?? ?? ?? ?? 0F B7 54 24 ?? 0F B7 4C 24 ?? 44 0F B7 44 24 ?? 0F B7 44 24 ?? + 0F B7 7C 24 ?? 89 54 24 ?? 89 44 24 ?? 89 4C 24 ?? 89 7C 24 ?? 44 89 44 24 ?? 4C 8D + 05 ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 8D 4D ?? 33 D2 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 55 ?? B9 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 4C 8D 4D ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4D ?? 45 33 C0 FF 15 ?? ?? ?? + ?? 48 8D 4D ?? 
FF 15 ?? ?? ?? ?? 8D 53 ?? 48 8B CE E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? + ?? 48 8B C8 48 8B F8 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8B CF E8 ?? + ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D + 15 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8B CF E8 + ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 85 C0 74 ?? 48 + } + + $create_cab_file_and_upload_p2 = { + 8D 4D ?? 48 8B D6 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 0B C0 E9 ?? ?? ?? ?? 48 8D 55 ?? 45 + 33 C0 48 8B CE FF 15 ?? ?? ?? ?? 45 33 C9 48 89 5C 24 ?? 48 8D 4D ?? 45 8D 41 ?? BA + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 4C 89 AC 24 ?? ?? ?? ?? 89 5C 24 ?? C7 44 24 ?? + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 83 F8 ?? 75 ?? 8B C3 EB ?? 33 D2 48 8B C8 + FF 15 ?? ?? ?? ?? 8B F0 85 C0 75 ?? 48 8B CF FF 15 ?? ?? ?? ?? 8B C3 EB ?? FF C6 B9 + ?? ?? ?? ?? 8B D6 44 8B EE FF 15 ?? ?? ?? ?? 4C 8B E0 48 85 C0 75 ?? 48 8B CF FF 15 + ?? ?? ?? ?? 8B C3 EB ?? 4D 8B C5 33 D2 48 8B C8 E8 ?? ?? ?? ?? 4C 8D 4C 24 ?? 44 8B + C6 49 8B D4 48 8B CF 48 89 5C 24 ?? FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 8B + 44 24 ?? 89 44 24 ?? 85 C0 75 ?? 83 C8 ?? E9 ?? ?? ?? ?? 48 8D 4D ?? 4C 89 B4 24 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 44 8B 6C 24 ?? B9 ?? ?? ?? ?? 41 83 C5 ?? 41 8B FD 41 8B + D5 48 89 7C 24 ?? FF 15 ?? ?? ?? ?? 4C 8B F0 48 85 C0 0F 84 ?? ?? ?? ?? 44 8B C7 33 + D2 48 8B C8 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B F0 48 85 C0 74 ?? 33 + C0 48 83 C9 ?? 4C 8D 86 ?? ?? ?? ?? 48 8D BD ?? ?? ?? ?? 66 F2 AF 49 89 00 49 89 40 + ?? 48 F7 D1 49 89 40 ?? 49 89 40 ?? 48 FF C9 03 C9 74 ?? 8B D1 48 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? EB ?? 48 8B F3 49 89 B7 ?? ?? ?? ?? 48 85 F6 0F 84 ?? ?? ?? ?? 44 8B + } + + $create_cab_file_and_upload_p3 = { + 44 24 ?? 4D 8B CE 49 8B D4 48 8B CE 44 89 6C 24 ?? E8 ?? ?? ?? ?? 49 8B 8F ?? ?? ?? + ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 49 8B CC 49 89 9F ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 + 83 C9 ?? 33 C0 48 8D BD ?? ?? ?? ?? 
66 F2 AF 48 F7 D1 41 8D 84 4D ?? ?? ?? ?? B9 ?? + ?? ?? ?? 8B D0 89 44 24 ?? FF 15 ?? ?? ?? ?? 4C 8B E8 48 85 C0 0F 84 ?? ?? ?? ?? 44 + 8B 44 24 ?? 33 D2 48 8B C8 E8 ?? ?? ?? ?? 8B 54 24 ?? 4C 8D 8D ?? ?? ?? ?? 4C 8D 05 + ?? ?? ?? ?? 49 8B CD E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 49 8B D6 8B C8 4C 8B C7 89 44 24 + ?? 49 03 CD E8 ?? ?? ?? ?? 8B 4C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 03 CF 41 B8 ?? ?? ?? + ?? 49 03 CD E8 ?? ?? ?? ?? 49 8B CE FF 15 ?? ?? ?? ?? 49 8D 8F ?? ?? ?? ?? E8 ?? ?? + ?? ?? 45 33 C9 45 33 C0 41 8D 51 ?? 33 C9 89 5C 24 ?? FF 15 ?? ?? ?? ?? 48 8B F0 48 + 85 C0 0F 84 ?? ?? ?? ?? 48 89 5C 24 ?? 89 5C 24 ?? 49 8D 97 ?? ?? ?? ?? 41 B8 ?? ?? + ?? ?? 45 33 C9 48 8B C8 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 5C 24 + ?? FF 15 ?? ?? ?? ?? 4C 8B E0 48 85 C0 0F 84 ?? ?? ?? ?? 49 8D 8F ?? ?? ?? ?? 33 D2 + 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4D 8D 8F ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 49 8D 8F + ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 7C 24 ?? E8 ?? ?? ?? ?? 48 89 5C 24 ?? C7 44 24 ?? + ?? ?? ?? ?? 4D 8D 87 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 45 33 C9 49 8B CC 48 89 5C 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 5C 24 ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 + } + + $create_cab_file_and_upload_p4 = { + 8B 44 24 ?? 48 8D 15 ?? ?? ?? ?? 4D 8B CD 41 B8 ?? ?? ?? ?? 48 8B CF 89 44 24 ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 49 8B CD FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 45 33 C9 45 33 + C0 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 75 ?? 45 33 C9 45 33 C0 33 D2 48 8B CF FF 15 ?? + ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 49 8B CC FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 74 ?? FF C0 B9 ?? ?? ?? ?? 8B + D0 89 44 24 ?? FF 15 ?? ?? ?? ?? 4C 8B E8 48 85 C0 75 ?? 45 33 C9 45 33 C0 33 D2 48 + 8B CF FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 49 8B CC FF 15 ?? ?? ?? ?? 48 8B + CE FF 15 ?? ?? ?? ?? 83 C8 ?? EB ?? 44 8B 44 24 ?? 33 D2 48 8B C8 E8 ?? ?? ?? ?? 44 + 8B 44 24 ?? 4C 8D 4C 24 ?? 49 8B D5 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 + ?? ?? ?? ?? 
49 8B CD E8 ?? ?? ?? ?? EB ?? BB ?? ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? + 45 33 C9 45 33 C0 33 D2 48 8B CF FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 49 8B + CC FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 8B C3 4C 8B B4 24 ?? ?? ?? ?? 4C 8B + AC 24 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? + ?? 48 81 C4 ?? ?? ?? ?? 41 5F 41 5C 5F 5E 5D C3 + } + + $cmd_expand_payload_p1 = { + 40 53 55 41 55 48 81 EC ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 84 24 ?? ?? + ?? ?? 48 8B E9 48 8D 8C 24 ?? ?? ?? ?? 45 33 ED 33 D2 41 B8 ?? ?? ?? ?? 66 44 89 AC + 24 ?? ?? 00 00 E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? 66 44 + 89 AC 24 ?? ?? 00 00 E8 ?? ?? ?? ?? 45 8D 45 ?? 48 8D 4C 24 ?? 33 D2 44 89 6C 24 ?? + E8 ?? ?? ?? ?? 33 C0 4C 89 6C 24 ?? 45 8D 45 ?? 45 33 C9 BA ?? ?? ?? ?? 48 8B CD C7 + 44 24 ?? ?? ?? ?? ?? 4C 89 6C 24 ?? 48 89 44 24 ?? 48 89 44 24 ?? C7 44 24 ?? ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 75 ?? 0B C0 E9 ?? ?? ?? ?? 45 33 C9 33 + D2 48 8B C8 45 8D 41 ?? 4C 89 6C 24 ?? 48 89 BC 24 ?? ?? ?? ?? 44 89 6C 24 ?? FF 15 + ?? ?? ?? ?? 48 8B F8 48 85 C0 75 ?? 48 8B CB FF 15 ?? ?? ?? ?? 83 C8 ?? E9 ?? ?? ?? + ?? 45 33 C9 45 33 C0 48 8B C8 41 8D 51 ?? 48 89 B4 24 ?? ?? ?? ?? 4C 89 6C 24 ?? FF + 15 ?? ?? ?? ?? 48 8B F0 48 85 C0 75 ?? 48 8B CB FF 15 ?? ?? ?? ?? 83 C8 ?? E9 ?? ?? + ?? ?? 4C 8D 40 ?? 48 8D 84 24 ?? ?? ?? ?? 41 83 C9 ?? 33 D2 33 C9 C7 44 24 ?? ?? ?? + ?? ?? 48 89 44 24 ?? 4C 89 A4 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? + 33 D2 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 4C 8D 84 24 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + } + + $cmd_expand_payload_p2 = { + 44 8B 66 ?? 48 8B CE FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? + ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 05 ?? + ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 4C 8B CD BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 44 24 + ?? 
48 8D 94 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 44 24 ?? 45 33 C9 48 89 44 24 ?? 4C
+ 89 6C 24 ?? 4C 89 6C 24 ?? 45 33 C0 33 C9 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ??
+ ?? ?? 66 44 89 AC 24 ?? ?? 00 00 44 89 6C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 83 C8
+ ?? EB ?? 90 B9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C9 4C 89 6C 24 ?? 48 8D 0D ?? ??
+ ?? ?? 45 8D 41 ?? BA ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF
+ 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 75 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 48 8B CB
+ FF 15 ?? ?? ?? ?? 41 8B C4 4C 8B A4 24 ?? ?? ?? ?? 48 8B B4 24 ?? ?? ?? ?? 48 8B BC
+ 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ??
+ 41 5D 5D 5B C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($network_communication_p*)
+ ) and
+ (
+ all of ($handle_c2_commands_p*)
+ ) and
+ (
+ all of ($create_cab_file_and_upload_p*)
+ ) and
+ (
+ all of ($cmd_expand_payload_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/backdoor/Win64.Backdoor.Minodo.yara b/yara/backdoor/Win64.Backdoor.Minodo.yara
new file mode 100644
index 0000000..e11fd88
--- /dev/null
+++ b/yara/backdoor/Win64.Backdoor.Minodo.yara
@@ -0,0 +1,110 @@ +rule Win32_Backdoor_Minodo : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MINODO" + description = "Yara rule that detects Minodo backdoor." + + tc_detection_type = "Backdoor" + tc_detection_name = "Minodo" + tc_detection_factor = 5 + + strings: + + $generate_system_id = { + 40 55 53 56 57 41 56 48 8D 6C 24 ?? 48 81 EC ?? ?? ?? ?? 4C 8B F1 48 8D 55 ?? 48 8D + 4D ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 DB 85 C0 75 ?? 66 C7 45 ?? ?? ?? 4C + 8D 45 ?? 48 8D 55 ?? B9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 + ?? 66 C7 45 ?? ?? ?? 48 83 4D ?? ?? 4C 8D 4D ?? 4C 8D 45 ?? 8B CB 48 8B D3 BE ?? ?? + ?? ?? 48 85 D2 7E ?? 44 8A 54 15 ?? EB ?? 44 8A 95 ?? ?? ?? ?? 41 8A 01 49 FF C1 48 + FF C2 32 44 15 ?? 41 32 C2 41 32 00 49 FF C0 88 44 15 ?? 41 38 19 75 ?? 83 C9 ?? 4C + 8D 4D ?? 41 38 18 75 ?? 83 C9 ?? 4C 8D 45 ?? 48 3B D6 75 ?? 83 C9 ?? 48 8B D3 83 F9 + ?? 75 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4D ?? FF 15 ?? ?? ?? ?? 48 8D 5D ?? 49 8B FE 44 + 0F B6 03 48 8D 55 ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 83 C7 ?? 48 FF C3 48 FF CE 75 ?? + FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4D ?? 8B D8 FF 15 ?? ?? ?? ?? 48 8D 55 + ?? 44 8B CB 4D 8B C6 49 8B CE FF 15 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 41 5E 5F 5E 5B + 5D C3 + } + + $generate_encrypt_and_send_key = { + 48 8B C4 48 89 58 ?? 48 89 68 ?? 48 89 70 ?? 48 89 78 ?? 41 56 48 81 EC ?? ?? ?? ?? + 8B F2 E8 ?? ?? ?? ?? 48 85 C0 75 ?? 33 C0 E9 ?? ?? ?? ?? 48 8B 40 ?? 48 8B 08 8B 09 + E8 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 ?? 45 33 C0 45 8D 70 ?? 41 8D 50 ?? 41 8B CE E8 + ?? ?? ?? ?? 48 8B D8 83 F8 ?? 74 ?? 41 8D 6E ?? 48 8D 44 24 ?? 8B CD C6 00 ?? 48 FF + C0 48 FF C9 75 ?? 0F B7 CE 66 44 89 74 24 ?? E8 ?? ?? ?? ?? 48 8B CF 66 89 44 24 ?? + E8 ?? ?? ?? ?? 48 63 FB 48 8D 54 24 ?? 48 8B CF 44 8B C5 89 44 24 ?? E8 ?? ?? ?? ?? + 85 C0 74 ?? 48 8B CF E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 2D ?? 
?? ?? ?? BE ?? ?? ?? + ?? 48 8B CD 8B D6 E8 ?? ?? ?? ?? 66 C7 44 24 ?? ?? ?? 33 C9 8A 44 29 ?? 48 FF C9 88 + 44 0C ?? 48 FF CE 75 ?? 8D 56 ?? 44 8D 46 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8B CF + 8B F0 85 C0 74 ?? 48 8D 54 24 ?? 45 33 C9 44 8B C0 E8 ?? ?? ?? ?? 3B C6 74 ?? 48 8B + CF E8 ?? ?? ?? ?? 33 DB 8B C3 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B 6B ?? 49 8B + 73 ?? 49 8B 7B ?? 49 8B E3 41 5E C3 + } + + $get_encrypt_and_send_system_info = { + 48 89 5C 24 ?? 48 89 74 24 ?? 48 89 7C 24 ?? 55 48 8D 6C 24 ?? 48 81 EC ?? ?? ?? ?? + 8B F1 48 8B CA 48 8B DA FF 15 ?? ?? ?? ?? C6 44 24 ?? ?? 48 63 F8 40 88 7C 24 ?? 4C + 8B C7 85 C0 74 ?? 48 8D 44 24 ?? 48 2B D8 48 8D 4C 24 ?? 49 FF C8 4A 8D 0C 01 8A 04 + 0B 88 01 75 ?? 83 C7 ?? 48 63 DF E8 ?? ?? ?? ?? BA ?? ?? ?? ?? F6 D8 48 8D 45 ?? 1A + C9 80 E1 ?? 80 C9 ?? FF C7 88 4C 1C ?? 8B CA C6 00 ?? 48 FF C0 48 FF C9 75 ?? 48 8D + 4D ?? 89 55 ?? FF 15 ?? ?? ?? ?? 8A 45 ?? 48 63 CF 88 44 0C ?? 8A 45 ?? FF C7 48 63 + CF FF C7 BB ?? ?? ?? ?? 88 44 0C ?? 8A 45 ?? 48 63 CF 88 44 0C ?? 8A 45 ?? FF C7 48 + 63 CF FF C7 4C 8D 85 ?? ?? ?? ?? 88 44 0C ?? 8A 45 ?? 48 63 D7 88 44 14 ?? 8B 45 ?? + FF C7 48 63 D7 8D 4B ?? C6 44 24 ?? ?? 89 44 14 ?? 48 8D 54 24 ?? 83 C7 ?? 89 9D ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 44 8B C0 8D 48 ?? 03 CF + 48 63 D1 48 83 FA ?? 76 ?? 44 8D 43 ?? 44 2B C7 48 63 C7 FF C7 4C 8D 54 24 ?? 44 88 + 44 04 ?? 48 63 C7 49 63 D0 4C 03 D0 45 85 C0 74 ?? 4C 8D 4C 24 ?? 4A 8D 0C 12 4D 2B + CA 48 FF C9 41 8A 04 09 88 01 48 FF CA 75 ?? 48 8D 95 ?? ?? ?? ?? 48 8D 4C 24 ?? 41 + 03 F8 C6 44 24 ?? ?? 89 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? + ?? ?? 44 8B C0 8D 48 ?? 03 CF 48 63 D1 48 83 FA ?? 76 ?? 41 B8 ?? ?? ?? ?? 44 2B C7 + 48 63 C7 FF C7 4C 8D 54 24 ?? 44 88 44 04 ?? 48 63 C7 49 63 D0 4C 03 D0 45 85 C0 74 + ?? 4C 8D 4C 24 ?? 4A 8D 0C 12 4D 2B CA 48 FF C9 42 8A 04 09 88 01 48 FF CA 75 ?? 4C + 8D 4C 24 ?? 48 8D 54 24 ?? 44 03 C7 8B CE E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 
49 + 8B 5B ?? 49 8B 73 ?? 49 8B 7B ?? 49 8B E3 5D C3 + } + + $copy_payload_into_allocated_memory = { + 48 89 5C 24 ?? 48 89 6C 24 ?? 56 57 41 56 48 83 EC ?? 49 8B D8 48 63 F2 48 8B F9 41 + C6 00 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 66 C7 03 ?? ?? B8 ?? ?? + ?? ?? E9 ?? ?? ?? ?? 4C 8D 4C 24 ?? 4C 8D 44 24 ?? 48 8B D3 48 8B CF E8 ?? ?? ?? ?? + 8B E8 85 C0 74 ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8B D6 33 C9 4C 8B F6 FF 15 + ?? ?? ?? ?? 48 8B F0 48 85 C0 75 ?? 66 C7 03 ?? ?? FF 15 ?? ?? ?? ?? 89 43 ?? 8D 46 + ?? EB ?? 4D 8B C6 48 8B D7 48 8B C8 E8 ?? ?? ?? ?? 48 83 64 24 ?? ?? 83 64 24 ?? ?? + 4C 8D 04 2E 45 33 C9 33 D2 33 C9 FF 15 ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 8B 44 + 24 ?? 48 8B 5C 24 ?? 48 8B 6C 24 ?? 48 83 C4 ?? 41 5E 5F 5E C3 + } + + $execute_payload_from_temp = { + 40 53 48 81 EC ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 4C 8B D1 48 8D 44 24 ?? 41 8B D0 33 DB + 88 18 48 FF C0 48 FF CA 75 ?? 48 8D 44 24 ?? 8D 4A ?? 88 18 48 FF C0 48 FF C9 75 ?? + 48 8D 44 24 ?? 44 89 44 24 ?? 45 33 C9 48 89 44 24 ?? 48 8D 44 24 ?? 45 33 C0 48 89 + 44 24 ?? 48 89 5C 24 ?? 48 89 5C 24 ?? 49 8B D2 89 5C 24 ?? C7 84 24 ?? ?? ?? ?? ?? + ?? ?? ?? 89 5C 24 ?? 66 89 9C 24 ?? ?? 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C + 24 ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? B0 ?? EB ?? 32 C0 48 81 C4 + ?? ?? ?? ?? 5B C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $generate_system_id + ) and + ( + $generate_encrypt_and_send_key + ) and + ( + $get_encrypt_and_send_system_info + ) and + ( + $copy_payload_into_allocated_memory + ) and + ( + $execute_payload_from_temp + ) +} \ No newline at end of file diff --git a/yara/backdoor/Win64.Backdoor.SideTwist.yara b/yara/backdoor/Win64.Backdoor.SideTwist.yara new file mode 100644 index 0000000..1f0278b --- /dev/null +++ b/yara/backdoor/Win64.Backdoor.SideTwist.yara 
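Review bot: The rule in this new file is declared `rule Win32_Backdoor_Minodo : tc_detection malicious` while the file is `yara/backdoor/Win64.Backdoor.Minodo.yara`, and its byte patterns open with REX prefixes (`40 55 53 56 57 41 56 48 8D 6C 24`), which suggests an x64 build; the two Konni files in this same patch keep the rule name aligned with the file name (`Win32_Backdoor_Konni`, `Win64_Backdoor_Konni`). If the naming scheme is meant to be consistent, the one-line fix is `rule Win64_Backdoor_Minodo : tc_detection malicious`, which also avoids a future rule-name collision should a genuine Win32 Minodo rule be added to the same namespace. If the rules are intended to stay byte-identical to the upstream source named in the meta block, a short comment at the top of the file noting the discrepancy (and that the condition only checks `uint16(0) == 0x5A4D`, so no architecture is enforced) would stop readers from reading the name as a 32-bit-only signature.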
@@ -0,0 +1,154 @@
+rule Win64_Backdoor_SideTwist : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "SIDETWIST"
+ description = "Yara rule that detects SideTwist backdoor."
+
+ tc_detection_type = "Backdoor"
+ tc_detection_name = "SideTwist"
+ tc_detection_factor = 5
+
+ strings:
+
+ $anti_sandbox_detect_environment = {
+ 55 57 56 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 89 4D ?? 48 89 55 ?? E8 ??
+ ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48 8D 55 ?? 48 8D 45 ?? 4C
+ 8D 05 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 85 C0 75 ?? 48 8B 45 ?? 48 85
+ C0 74 ?? B8 ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 48 8D 45 ?? 48
+ 89 C1 E8 ?? ?? ?? ?? 48 8B 55 ?? 48 8D 4D ?? 48 8D 45 ?? 49 89 C8 48 89 C1 E8 ?? ??
+ ?? ?? 48 8D 45 ?? 48 8D 55 ?? 4C 8D 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C1
+ E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF
+ D0 85 C0 0F 94 C0 84 C0 74 ?? 48 8D 05 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF
+ D0 BB ?? ?? ?? ?? BE ?? ?? ?? ?? EB
+ }
+
+ $collect_host_information = {
+ 55 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 4D ?? 48 89 55 ?? C7 45 ??
+ ?? ?? ?? ?? 8B 45 ?? 89 C0 48 BA ?? ?? ?? ?? ?? ?? ?? ?? 48 39 C2 72 ?? 48 01 C0 48
+ 89 C1 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48
+ 8B 45 ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ??
+ 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48 8B 45 ?? 49 89 D0 48 89 C2 B9 ??
+ ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 85 C0 0F 95 C0 84 C0 0F 84 ?? ?? ?? ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 4D ?? 48 8B 55 ?? 48 8D 45 ?? 49 89 C8 48 89 C1 E8
+ ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ 48 8D 45 ??
48 89 C1 E8 ?? ?? ?? ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48
+ 89 C2 48 8D 4D ?? 48 8D 45 ?? 49 89 C9 49 89 D8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ??
+ 48 8D 55 ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ??
+ 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ??
+ 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8
+ ?? ?? ?? ?? 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 45 ?? 48 8D 15 ??
+ ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 48 8B 45 ?? 48 89
+ C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89
+ C1 E8 ?? ?? ?? ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D
+ 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48
+ 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 90 48 8B 45 ?? 48 81 C4 ?? ?? ?? ?? 5B 5D C3
+ }
+
+ $contact_c2_server = {
+ 55 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 4D ?? 48 89 55 ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48 8D 85 ?? ?? ?? ?? 49 89 D0 48 8D 15 ?? ??
+ ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 8D 50 ?? 48 8D 45 ?? 48 89 C1 E8 ?? ??
+ ?? ?? 48 8B 55 ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 4C 8D 45
+ ?? 48 8B 55 ?? 48 8D 8D ?? ?? ?? ?? 48 89 4C 24 ?? 48 8D 4D ?? 48 89 4C 24 ?? 4D 89
+ C1 4C 8D 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48
+ 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 C1
+ E8 ?? ?? ?? ?? 85 C0 0F 95 C0 84 C0 74 ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ??
+ ?? 48 8D 95 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 55 ??
+ 48 8B 45 ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? BB
+ ?? ?? ??
?? EB ?? BB ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 89 D8
+ EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89
+ C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ??
+ 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 48 89
+ C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1
+ E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5B 5D C3
+ }
+
+ $parse_c2_response = {
+ 55 53 48 83 EC ?? 48 8D 6C 24 ?? 48 89 4D ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48
+ 8D 55 ?? 48 8D 45 ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48 8B 45 ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ??
+ ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 41 B8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8
+ ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 C1 48 8B 55 ?? 48
+ 8B 45 ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B
+ 55 ?? 48 01 C2 48 8B 45 ?? 49 89 D0 BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89
+ D8 48 89 C1 E8 ?? ?? ?? ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48
+ 89 C1 E8 ?? ?? ?? ?? 90 48 83 C4 ?? 5B 5D C3
+ }
+
+ $download_file_from_c2_p1 = {
+ 55 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 4D ?? 48 89 55 ?? 4C 89 45
+ ?? 4C 89 4D ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 5D ?? 48 8B 55 ??
+ 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ??
+ ?? 49 89 D0 48 89 C2 48 89 D9 E8 ?? ?? ?? ?? 85 C0 0F 95 C0 88 45 ?? 48 8D 85 ?? ??
+ ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 0F B6 45 ?? 83 F0 ?? 84 C0 0F 84 ?? ?? ?? ?? 48 8D 85
+ ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ 48 89 C2 48 8D 85 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ??
FF
+ D0 89 45 ?? 83 7D ?? ?? 0F 95 C0 84 C0 74 ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48
+ 8D 55 ?? 48 8B 45 ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45
+ ?? 48 89 C1 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 9D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ??
+ 48 89 C1 E8 ?? ?? ?? ?? 48 89 C2 48 8B 45 ?? 49 89 D9 49 89 D0 BA ?? ?? ?? ?? 48 89
+ C1 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 8D 45 ?? 48
+ }
+
+ $download_file_from_c2_p2 = {
+ 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48 8B 45 ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1
+ E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 8D 45 ?? 48 8B 55 ?? 49
+ 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 55 ?? 4C 8D 05
+ ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 8B 4D ?? 48 8D 55 ?? 49 89 C8 48
+ 89 C1 E8 ?? ?? ?? ?? 90 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8
+ ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ??
+ ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89
+ C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3
+ 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 48 8B
+ 45 ?? 48 81 C4 ?? ?? ?? ?? 5B 5D C3
+ }
+
+ $reply_to_c2_server = {
+ 55 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 4D ?? 48 89 55 ?? 4C 89 45
+ ?? 4C 89 4D ?? 48 8B 55 ?? 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ??
+ 48 8B 55 ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8B 55 ?? 49 89
+ D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 55 ?? 4C 8D 05 ??
+ ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 8D ?? ?? ?? ?? 48 8D 55 ?? 49 89
+ C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 8D 55 ?? 4C 8D 05 ?? ?? ?? ?? 48 89 C1 E8
+ ?? ?? ?? ?? 48 8D 55 ?? 48 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ??
48 89 C1 E8
+ ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ??
+ 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB
+ ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1
+ E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48
+ 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 90 48 81
+ C4 ?? ?? ?? ?? 5B 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $anti_sandbox_detect_environment
+ ) and
+ (
+ $collect_host_information
+ ) and
+ (
+ $contact_c2_server
+ ) and
+ (
+ $parse_c2_response
+ ) and
+ (
+ all of ($download_file_from_c2_p*)
+ ) and
+ (
+ $reply_to_c2_server
+ )
+}
\ No newline at end of file
diff --git a/yara/certificate/blocklist.yara b/yara/certificate/blocklist.yara
new file mode 100644
index 0000000..18a48f2
--- /dev/null
+++ b/yara/certificate/blocklist.yara
@@ -0,0 +1,17288 @@
+/*
+
+ YARA doesn't perform complete digital certificate chain validation.
+
+ This can cause unwanted matches for:
+ a) Files that are signed with non-verified, self-issued, certificates
+ b) Files that fail integrity validation due to checksum mismatch
+ c) Files that have extra data appended after the certificate
+
+ It's also worth mentioning that the timestamp value in the condition is only
+ informative, since YARA doesn't extract timestamping certificate information.
+ This information could be used in combination with other tools to reduce
+ potential false positives.
+
+ ReversingLabs recommends using Titanium platform for best results with certificate-based classifications.
+
+ References on importance of certificate verification:
+ https://blog.reversinglabs.com/blog/tampering-with-signed-objects-without-breaking-the-integrity-seal
+ https://blog.reversinglabs.com/blog/breaking-the-windows-authenticode-security-model
+ https://blog.reversinglabs.com/blog/breaking-uefi-firmware-authenticode-security-model
+ https://blog.reversinglabs.com/blog/breaking-the-linux-authenticode-security-model
+
+*/
+
+import "pe"
+
+rule cert_blocklist_05e2e6a4cd09ea54d665b075fe22A256 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "*.google.com" and
+ pe.signatures[i].serial == "05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56" and
+ 1308182400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_77019a082385e4b73f569569c9f87bb8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AND LLC" and + pe.signatures[i].serial == "77:01:9a:08:23:85:e4:b7:3f:56:95:69:c9:f8:7b:b8" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4f2ef29ca5f96e5777b82c62f34fd3a6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Bit9, Inc" and + pe.signatures[i].serial == "4f:2e:f2:9c:a5:f9:6e:57:77:b8:2c:62:f3:4f:d3:a6" and + 1342051200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7cc1db2ad0a290a4bfe7a5f336d6800c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Bit9, Inc" and + pe.signatures[i].serial == "7c:c1:db:2a:d0:a2:90:a4:bf:e7:a5:f3:36:d6:80:0c" and + 1342051200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_13c8351aece71c731158980f575f4133 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Opera Software ASA" and + pe.signatures[i].serial == "13:c8:35:1a:ec:e7:1c:73:11:58:98:0f:57:5f:41:33" and + 1371513600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4531954f6265304055f66ce4f624f95b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IDAutomation.com" and + pe.signatures[i].serial == "45:31:95:4f:62:65:30:40:55:f6:6c:e4:f6:24:f9:5b" and + 1384819199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0e808f231515bc519eea1a73cdf3266f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Careto malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TecSystem Ltd." and + pe.signatures[i].serial == "0e:80:8f:23:15:15:bc:51:9e:ea:1a:73:cd:f3:26:6f" and + 1468799999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_36be4ad457f062fa77d87595b8ccc8cf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Careto malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TecSystem Ltd." 
and + pe.signatures[i].serial == "36:be:4a:d4:57:f0:62:fa:77:d8:75:95:b8:cc:c8:cf" and + 1372377599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_75a38507bf403b152125b8f5ce1b97ad { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing Zeus malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "isonet ag" and + pe.signatures[i].serial == "75:a3:85:07:bf:40:3b:15:21:25:b8:f5:ce:1b:97:ad" and + 1395359999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4effa8b216e24b16202940c1bc2fa8a5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Henan Maijiamai Technology Co., Ltd." and + pe.signatures[i].serial == "4e:ff:a8:b2:16:e2:4b:16:20:29:40:c1:bc:2f:a8:a5" and + 1404691199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_57d7153a89bbf4729be87f3c927043aa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, zhenganjun" and + pe.signatures[i].serial == "57:d7:15:3a:89:bb:f4:72:9b:e8:7f:3c:92:70:43:aa" and + 1469059200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_028e1deccf93d38ecf396118dfe908b4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Fortuna Games Co., Ltd." and + pe.signatures[i].serial == "02:8e:1d:ec:cf:93:d3:8e:cf:39:61:18:df:e9:08:b4" and + 1392163199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_40575df73eaa1b6140c7ef62c08bf216 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dali Feifang Tech Co.,LTD." and + pe.signatures[i].serial == "40:57:5d:f7:3e:aa:1b:61:40:c7:ef:62:c0:8b:f2:16" and + 1394063999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_049ce8c47f1f0e650cb086f0cfa7ca53 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Select'Assistance Pro" and + pe.signatures[i].serial == "04:9c:e8:c4:7f:1f:0e:65:0c:b0:86:f0:cf:a7:ca:53" and + 1393804799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_29f42680e653cf8fafd0e935553f7e86 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and + pe.signatures[i].serial == "29:f4:26:80:e6:53:cf:8f:af:d0:e9:35:55:3f:7e:86" and + 1390175999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c15 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "William Richard John" and + pe.signatures[i].serial == "0c:15" and + 1387324799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c0f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dmitry Vasilev" and + pe.signatures[i].serial == "0c:0f" and + 1386719999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_06a164ec5978497741ee6cec9966871b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JOHN WILLIAM RICHARD" and + pe.signatures[i].serial == "06:a1:64:ec:59:78:49:77:41:ee:6c:ec:99:66:87:1b" and + 1385596799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1121ed568764e75be35574448feadefcd3bc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FRINORTE COMERCIO DE PECAS E SERVICOS LTDA - ME" and + pe.signatures[i].serial == "11:21:ed:56:87:64:e7:5b:e3:55:74:44:8f:ea:de:fc:d3:bc" and + 1385337599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6ed2450ceac0f72e73fda1727e66e654 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Hohhot Handing Trade and Business Co., Ltd." 
and + pe.signatures[i].serial == "6e:d2:45:0c:ea:c0:f7:2e:73:fd:a1:72:7e:66:e6:54" and + 1376092799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_32665079c5a5854a6833623ca77ff5ac { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ohanae" and + pe.signatures[i].serial == "32:66:50:79:c5:a5:85:4a:68:33:62:3c:a7:7f:f5:ac" and + 1381967999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_01a90094c83412c00cf98dd2eb0d7042 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FreeVox SA" and + pe.signatures[i].serial == "01:a9:00:94:c8:34:12:c0:0c:f9:8d:d2:eb:0d:70:42" and + 1376956799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_55efe24b9674855baf16e67716479c71 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "S2BVISIO BELGIQUE SA" and + pe.signatures[i].serial == "55:ef:e2:4b:96:74:85:5b:af:16:e6:77:16:47:9c:71" and + 1374451199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_094bf19d509d3074913995160b195b6c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Porral Twinware S.L.L." and + pe.signatures[i].serial == "09:4b:f1:9d:50:9d:30:74:91:39:95:16:0b:19:5b:6c" and + 1373241599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a77cf3ba49b64e6cbe5fb4a6a6aacc6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "I.ST.SAN. Srl" and + pe.signatures[i].serial == "0a:77:cf:3b:a4:9b:64:e6:cb:e5:fb:4a:6a:6a:ac:c6" and + 1371081599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1f4c22da1107d20c1eda04569d58e573 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PlanView, Inc." and + pe.signatures[i].serial == "1f:4c:22:da:11:07:d2:0c:1e:da:04:56:9d:58:e5:73" and + 1366156799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4fe68d48634893d18de040d8f1c289d2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xinghua Yile Network Tech Co.,Ltd." 
and + pe.signatures[i].serial == "4f:e6:8d:48:63:48:93:d1:8d:e0:40:d8:f1:c2:89:d2" and + 1371081600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6767def972d6ea702d8c8a53af1832d3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Guangzhou typical corner Network Technology Co., Ltd." and + pe.signatures[i].serial == "67:67:de:f9:72:d6:ea:70:2d:8c:8a:53:af:18:32:d3" and + 1361750400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_06477e3425f1448995ced539789e6842 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Karim Lammali" and + pe.signatures[i].serial == "06:47:7e:34:25:f1:44:89:95:ce:d5:39:78:9e:68:42" and + 1334275199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0450a7c1c36951da09c8ad0e7f716ff2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PS Partnership" and + pe.signatures[i].serial == "04:50:a7:c1:c3:69:51:da:09:c8:ad:0e:7f:71:6f:f2" and + 1362182399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f9fbdab9b39645cf3211f87abb5ddb7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "The Motivo Group, Inc." and + pe.signatures[i].serial == "0f:9f:bd:ab:9b:39:64:5c:f3:21:1f:87:ab:b5:dd:b7" and + 1361318399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4211d2e4f0e87127319302c55b85bcf2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "yinsheng xie" and + pe.signatures[i].serial == "42:11:d2:e4:f0:e8:71:27:31:93:02:c5:5b:85:bc:f2" and + 1360713599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_07b44cdbfffb78de05f4261672a67312 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Buster Paper Comercial Ltda" and + pe.signatures[i].serial == "07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12" and + 1359503999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4f8b9a1ba5e60c754dbb40ddee7905e2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NOX Entertainment Co., Ltd" and + pe.signatures[i].serial == "4f:8b:9a:1b:a5:e6:0c:75:4d:bb:40:dd:ee:79:05:e2" and + 1348617599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a389b95ee736dd13bc0ed743fd74d2f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME" and + pe.signatures[i].serial == "0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f" and + 1351814399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1a3faaeb3a8b93b2394fec36345996e6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "salvatore macchiarella" and + pe.signatures[i].serial == "1a:3f:aa:eb:3a:8b:93:b2:39:4f:ec:36:34:59:96:e6" and + 1468454400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1a35acce5b0c77206b1c3dc2a6a2417c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "cd ingegneri associati srl" and + pe.signatures[i].serial == "1a:35:ac:ce:5b:0c:77:20:6b:1c:3d:c2:a6:a2:41:7c" and + 1166054399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6eb40ea11eaac847b050de9b59e25bdc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "My Free Internet Update" and + pe.signatures[i].serial == "6e:b4:0e:a1:1e:aa:c8:47:b0:50:de:9b:59:e2:5b:dc" and + 1062201599 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6724340ddbc7252f7fb714b812a5c04d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "YNK JAPAN Inc" and + pe.signatures[i].serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d" and + 1306195199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0813ee9b7b9d7c46001d6bc8784df1dd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Les Garcons s'habillent" and + pe.signatures[i].serial == "08:13:ee:9b:7b:9d:7c:46:00:1d:6b:c8:78:4d:f1:dd" and + 1334707199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_530591c61b5e1212f659138b7cea0a97 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE6\\x97\\xA5\\xE7\\x85\\xA7\\xE5\\xB3\\xB0\\xE5\\xB7\\x9D\\xE5\\x9B\\xBD\\xE9\\x99\\x85\\xE7\\x9F\\xBF\\xE4\\xB8\\x9A\\xE8\\xB4\\xB8\\xE6\\x98\\x93\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "53:05:91:c6:1b:5e:12:12:f6:59:13:8b:7c:ea:0a:97" and + 1403654399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_07270ff9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Cyber CA" and + pe.signatures[i].serial == "07:27:0f:f9" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0727100d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Cyber CA" and + pe.signatures[i].serial == "07:27:10:0d" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_07271003 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Cyber CA" and + pe.signatures[i].serial == "07:27:10:03" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_013134bf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Organisatie - G2" and + pe.signatures[i].serial == "01:31:34:bf" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_01314476 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid" and + pe.signatures[i].serial == "01:31:44:76" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_013169b0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar PKIoverheid CA Overheid en Bedrijven" and + pe.signatures[i].serial == "01:31:69:b0" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c76da9c910c4e2c9efe15d058933c4c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Root CA" and + pe.signatures[i].serial == "0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_469c2caf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Root CA" and + pe.signatures[i].serial == "46:9c:2c:af" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_469c3cc9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Root CA" and + pe.signatures[i].serial == "46:9c:3c:c9" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a82bd1e144e8814d75b1a5527bebf3e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Root CA G2" and + pe.signatures[i].serial == "0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3e" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_469c2cb0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DigiNotar Services 1024 CA" and + pe.signatures[i].serial == "46:9c:2c:b0" and + 1308182400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4c0e636a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Digisign Server ID - (Enrich)" and + pe.signatures[i].serial == "4c:0e:63:6a" and + 1320191999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_072714a9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Digisign Server ID (Enrich)" and + pe.signatures[i].serial == "07:27:14:a9" and + 1320191999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_00d8f35f4eb7872b2dab0692e315382fb0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "global trustee" and ( + pe.signatures[i].serial == "00:d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" or + pe.signatures[i].serial == "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0" + ) and + 1300060800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_750e40ff97f047edf556c7084eb1abfd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Microsoft Corporation" and + pe.signatures[i].serial == "75:0e:40:ff:97:f0:47:ed:f5:56:c7:08:4e:b1:ab:fd" and + 980899199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1b5190f73724399c9254cd424637996a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Microsoft Corporation" and + pe.signatures[i].serial == "1b:51:90:f7:37:24:39:9c:92:54:cd:42:46:37:99:6a" and + 980812799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_00ebaa11d62e2481081820 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and ( + pe.signatures[i].serial == "00:eb:aa:11:d6:2e:24:81:08:18:20" or + pe.signatures[i].serial == "eb:aa:11:d6:2e:24:81:08:18:20" + ) + ) +} + +rule cert_blocklist_3aab11dee52f1b19d056 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Microsoft Enforced Licensing Intermediate PCA" and + pe.signatures[i].serial == "3a:ab:11:de:e5:2f:1b:19:d0:56" + ) +} + +rule cert_blocklist_6102b01900000000002f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Microsoft Enforced Licensing Registration Authority CA (SHA1)" and + pe.signatures[i].serial == "61:02:b0:19:00:00:00:00:00:2f" + ) +} + +rule cert_blocklist_01e2b4f759811c64379fca0be76d2dce { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sony Pictures Entertainment Inc." and + pe.signatures[i].serial == "01:e2:b4:f7:59:81:1c:64:37:9f:ca:0b:e7:6d:2d:ce" and + 1417651200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_03e5a010b05c9287f823c2585f547b80 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MOCOMSYS INC" and + pe.signatures[i].serial == "03:e5:a0:10:b0:5c:92:87:f8:23:c2:58:5f:54:7b:80" and + 1385423999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0fe7df6c4b9a33b83d04e23e98a77cce { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PIXELPLUS CO., LTD." 
and + pe.signatures[i].serial == "0f:e7:df:6c:4b:9a:33:b8:3d:04:e2:3e:98:a7:7c:ce" and + 1396310399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_065569a3e261409128a40affa90d6d10 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Police Mutual Aid Association" and + pe.signatures[i].serial == "06:55:69:a3:e2:61:40:91:28:a4:0a:ff:a9:0d:6d:10" and + 1381795199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0979616733e062c544df0abd315e3b92 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Jessica Karam" and + pe.signatures[i].serial == "09:79:61:67:33:e0:62:c5:44:df:0a:bd:31:5e:3b:92" and + 1408319999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7d3250b27e0547c77307030491b42802 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Banco do Brasil S.A." and + pe.signatures[i].serial == "7d:32:50:b2:7e:05:47:c7:73:07:03:04:91:b4:28:02" and + 1412207999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_00d1836bd37c331a67 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MINDSTORM LLC" and ( + pe.signatures[i].serial == "00:d1:83:6b:d3:7c:33:1a:67" or + pe.signatures[i].serial == "d1:83:6b:d3:7c:33:1a:67" + ) and + 1422835199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2ca028d1a4de0eb743135edecf74d7af { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "2c:a0:28:d1:a4:de:0e:b7:43:13:5e:de:cf:74:d7:af" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_dbb14dcf973eada14ece7ea79c895c11 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "db:b1:4d:cf:97:3e:ad:a1:4e:ce:7e:a7:9c:89:5c:11" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f8c2239de3977b8d4a3dcbedc9031a51 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "f8:c2:23:9d:e3:97:7b:8d:4a:3d:cb:ed:c9:03:1a:51" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_caad8222705d3fb3430e114a31c8c6a4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "ca:ad:82:22:70:5d:3f:b3:43:0e:11:4a:31:c8:c6:a4" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b191812516e6618d49e6ccf5e63dc343 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "b1:91:81:25:16:e6:61:8d:49:e6:cc:f5:e6:3d:c3:43" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4ba7fb8ee1deff8f4a1525e1e0580057 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "4b:a7:fb:8e:e1:de:ff:8f:4a:15:25:e1:e0:58:00:57" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2df9f7eb6cdc5ca243b33122e3941e25 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "2d:f9:f7:eb:6c:dc:5c:a2:43:b3:31:22:e3:94:1e:25" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_58a541d50f9e2fab4380c6a2ed433b82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "58:a5:41:d5:0f:9e:2f:ab:43:80:c6:a2:ed:43:3b:82" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5f273626859ae4bc4becbbeb71e2ab2d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "5f:27:36:26:85:9a:e4:bc:4b:ec:bb:eb:71:e2:ab:2d" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b1ad46ce4db160b348c24f66c9663178 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Adobe Systems" and + pe.signatures[i].serial == "b1:ad:46:ce:4d:b1:60:b3:48:c2:4f:66:c9:66:31:78" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_256541e204619033f8b09f9eb7c88ef8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HON HAI PRECISION INDUSTRY CO. LTD." and + pe.signatures[i].serial == "25:65:41:e2:04:61:90:33:f8:b0:9f:9e:b7:c8:8e:f8" and + 1424303999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_00e8cc18cf100b6b27443ef26319398734 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Syngenta" and ( + pe.signatures[i].serial == "00:e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" or + pe.signatures[i].serial == "e8:cc:18:cf:10:0b:6b:27:44:3e:f2:63:19:39:87:34" + ) and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_62af28a7657ba8ab10fa8e2d47250c69 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AFINA Fintek" and + pe.signatures[i].serial == "62:af:28:a7:65:7b:a8:ab:10:fa:8e:2d:47:25:0c:69" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_04c8eca7243208a110dea926c7ad89ce { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, SINGH ADITYA" and + pe.signatures[i].serial == "04:c8:ec:a7:24:32:08:a1:10:de:a9:26:c7:ad:89:ce" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_157c3a4a6bcf35cf8453e6b6c0072e1d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Favorite-III" and + pe.signatures[i].serial == "15:7c:3a:4a:6b:cf:35:cf:84:53:e6:b6:c0:07:2e:1d" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_04422f12037bc2032521dbb6ae02ea0e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, Muhammad Lee" and + pe.signatures[i].serial == "04:42:2f:12:03:7b:c2:03:25:21:db:b6:ae:02:ea:0e" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_65eae6c98111dc40bf4f962bf27227f2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, BHARATH KUCHANGI" and + pe.signatures[i].serial == "65:ea:e6:c9:81:11:dc:40:bf:4f:96:2b:f2:72:27:f2" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_12d5a4b29fe6156d4195fba55ae0d9a9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, Marc Chapon" and + pe.signatures[i].serial == "12:d5:a4:b2:9f:e6:15:6d:41:95:fb:a5:5a:e0:d9:a9" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0087d60d1e2b9374eb7a735dce4bbdae56 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing GovRAT malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMO-K Limited Liability Company" and ( + pe.signatures[i].serial == "00:87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" or + pe.signatures[i].serial == "87:d6:0d:1e:2b:93:74:eb:7a:73:5d:ce:4b:bd:ae:56" + ) and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0860c8a7ed18c3f030a32722fd2b220c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, Tony Yeh" and + pe.signatures[i].serial == "08:60:c8:a7:ed:18:c3:f0:30:a3:27:22:fd:2b:22:0c" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2fdadd0740572270203f8138692c4a83 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, William Zoltan" and + pe.signatures[i].serial == "2f:da:dd:07:40:57:22:70:20:3f:81:38:69:2c:4a:83" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4fc13d6220c629043a26f81b1cad72d8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, meicun ge" and + pe.signatures[i].serial == "4f:c1:3d:62:20:c6:29:04:3a:26:f8:1b:1c:ad:72:d8" and + 1404172799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3457a918c6d3701b2eaca6a92474a7cc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KONSALTING PLUS OOO" and + pe.signatures[i].serial == "34:57:a9:18:c6:d3:70:1b:2e:ac:a6:a9:24:74:a7:cc" and + 1432252799 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_621ed8265b0ad872d9f4b4ed6d560513 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Fan Li" and + pe.signatures[i].serial == "62:1e:d8:26:5b:0a:d8:72:d9:f4:b4:ed:6d:56:05:13" and + 1413183357 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_56e22b992b4c7f1afeac1d63b492bf54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, Hetem Ramadani" and + pe.signatures[i].serial == "56:e2:2b:99:2b:4c:7f:1a:fe:ac:1d:63:b4:92:bf:54" and + 1435622399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3bc3bae4118d46f3fdd9beeeab749fee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE6\\x9D\\x8E\\xE9\\x9B\\xAA\\xE6\\xA2\\x85" and + pe.signatures[i].serial == "3b:c3:ba:e4:11:8d:46:f3:fd:d9:be:ee:ab:74:9f:ee" and + 1442275199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f0449f7691e5b4c8e74e71cae822179 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SBO INVEST" and + pe.signatures[i].serial == "0f:04:49:f7:69:1e:5b:4c:8e:74:e7:1c:ae:82:21:79" and + 1432079999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_43db4448d870d7bdc275f36a01fba36f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "3-T TOV" and + pe.signatures[i].serial == "43:db:44:48:d8:70:d7:bd:c2:75:f3:6a:01:fb:a3:6f" and + 1436227199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2880a7f7ff2d334aa08744a8754fab2c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Garena Online Pte Ltd" and + pe.signatures[i].serial == "28:80:a7:f7:ff:2d:33:4a:a0:87:44:a8:75:4f:ab:2c" and + 1393891199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0492f5c18e26fa0cd7e15067674aff1c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ghada Saffarini" and + pe.signatures[i].serial == "04:92:f5:c1:8e:26:fa:0c:d7:e1:50:67:67:4a:ff:1c" and + 1445990399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6aa668cd6a9de1fdd476ea8225326937 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BSCP LIMITED" and + pe.signatures[i].serial == "6a:a6:68:cd:6a:9d:e1:fd:d4:76:ea:82:25:32:69:37" and + 1441583999 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1cb06dccb482255728671ea12ac41620 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Fangzhen Li" and + pe.signatures[i].serial == "1c:b0:6d:cc:b4:82:25:57:28:67:1e:a1:2a:c4:16:20" and + 1445126399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_370c2467c41d6019bbecd72e00c5d73d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "UNINFO SISTEMAS LTDA ME" and + pe.signatures[i].serial == "37:0c:24:67:c4:1d:60:19:bb:ec:d7:2e:00:c5:d7:3d" and + 1445299199 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5067339614c5cc219c489d40420f3bf9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "The digital certificate has leaked." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "D-LINK CORPORATION" and + pe.signatures[i].serial == "50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9" and + 1441238400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e32531ae83992f0573120a5e78de271 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "3 AM CHP" and + pe.signatures[i].serial == "6e:32:53:1a:e8:39:92:f0:57:31:20:a5:e7:8d:e2:71" and + 1451606399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6967a89bcf6efef160aaeebbff376c0a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Chang Yucheng" and
+ pe.signatures[i].serial == "69:67:a8:9b:cf:6e:fe:f1:60:aa:ee:bb:ff:37:6c:0a" and
+ 1451174399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7473d95405d2b0b3a8f28785ce6e74ca {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Dmitrij Emelyanov" and
+ pe.signatures[i].serial == "74:73:d9:54:05:d2:b0:b3:a8:f2:87:85:ce:6e:74:ca" and
+ 1453939199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_04f380f97579f1702a85e0169bbdfd78 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "GRANIFLOR" and
+ pe.signatures[i].serial == "04:f3:80:f9:75:79:f1:70:2a:85:e0:16:9b:bd:fd:78" and
+ 1454889599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_04d6b8cc6dce353fcf3ae8a532be7255 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MADERA" and
+ pe.signatures[i].serial == "04:d6:b8:cc:6d:ce:35:3f:cf:3a:e8:a5:32:be:72:55" and
+ 1451692799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_191322a00200f793 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PRABHAKAR NARAYAN" and
+ pe.signatures[i].serial == "19:13:22:a0:02:00:f7:93" and
+ 1442966399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_451c9d0b413e6e8df175 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PRASAD UPENDRA" and
+ pe.signatures[i].serial == "45:1c:9d:0b:41:3e:6e:8d:f1:75" and
+ 1442275199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_03943858218f35adb7073a6027555621 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "RuN APps FOrEver lld" and
+ pe.signatures[i].serial == "03:94:38:58:21:8f:35:ad:b7:07:3a:60:27:55:56:21" and
+ 1480550399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_09813ee7318452c28a1f6426d1cee12d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Saly Younes" and
+ pe.signatures[i].serial == "09:81:3e:e7:31:84:52:c2:8a:1f:64:26:d1:ce:e1:2d" and
+ 1455667199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_476bf24a4b1e9f4bc2a61b152115e1fe {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Derusbi malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Wemade Entertainment co.,Ltd" and
+ pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" and
+ 1414454399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7bd55818c5971b63dc45cf57cbeb950b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Derusbi malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "XL Games Co.,Ltd." and
+ pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" and
+ 1371513599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4c0b2e9d2ef909d15270d4dd7fa5a4a5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Derusbi malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Fuqing Dawu Technology Co.,Ltd." and
+ pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" and
+ 1372118399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5e3d76dc7e273e2f313fc0775847a2a2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Sakula and Derusbi malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "NexG" and
+ pe.signatures[i].serial == "5e:3d:76:dc:7e:27:3e:2f:31:3f:c0:77:58:47:a2:a2" and
+ 1372723199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_47d5d5372bcb1562b4c9f4c2bdf13587 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Sakula malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DTOPTOOLZ Co.,Ltd." and
+ pe.signatures[i].serial == "47:d5:d5:37:2b:cb:15:62:b4:c9:f4:c2:bd:f1:35:87" and
+ 1400803199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3ac10e68f1ce519e84ddcd28b11fa542 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Sakula malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "U-Tech IT service" and
+ pe.signatures[i].serial == "3a:c1:0e:68:f1:ce:51:9e:84:dd:cd:28:b1:1f:a5:42" and
+ 1420156799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_31062e483e0106b18c982f0053185c36 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Sakula malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MICRO DIGITAL INC." and
+ pe.signatures[i].serial == "31:06:2e:48:3e:01:06:b1:8c:98:2f:00:53:18:5c:36" and
+ 1332287999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_20d0ee42fc901e6b3a8fefe8c1e6087a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing Sakula malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SJ SYSTEM" and
+ pe.signatures[i].serial == "20:d0:ee:42:fc:90:1e:6b:3a:8f:ef:e8:c1:e6:08:7a" and
+ 1391299199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_127251b32b9a50bd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing OSX DokSpy backdoor."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Developer ID Application: Edouard Roulet (W7J9LRHXTG)" and
+ pe.signatures[i].serial == "12:72:51:b3:2b:9a:50:bd" and
+ 1493769599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_48cad4e6966e22d6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing OSX DokSpy backdoor."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Developer ID Application: Seven Muller (FUP9692NN6)" and
+ pe.signatures[i].serial == "48:ca:d4:e6:96:6e:22:d6" and
+ 1492732799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5e15205f180442cc6c3c0f03e1a33d9f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ziber Ltd" and
+ pe.signatures[i].serial == "5e:15:20:5f:18:04:42:cc:6c:3c:0f:03:e1:a3:3d:9f" and
+ 1498607999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4c8e3b1613f73542f7106f272094eb23 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ADD Audit" and
+ pe.signatures[i].serial == "4c:8e:3b:16:13:f7:35:42:f7:10:6f:27:20:94:eb:23" and
+ 1472687999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2ce2bd0ad3cfde9ea73eec7ca30400da {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Media Lid" and
+ pe.signatures[i].serial == "2c:e2:bd:0a:d3:cf:de:9e:a7:3e:ec:7c:a3:04:00:da" and
+ 1493337599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0fbc30db127a536c34d7a0fa81b48193 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Megabit, OOO" and
+ pe.signatures[i].serial == "0f:bc:30:db:12:7a:53:6c:34:d7:a0:fa:81:b4:81:93" and
+ 1466121599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_08448bd6ee9105ae31228ea5fe496f63 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Raffaele Carnacina" and
+ pe.signatures[i].serial == "08:44:8b:d6:ee:91:05:ae:31:22:8e:a5:fe:49:6f:63" and
+ 1445212799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_02f17566ef568dc06c9a379ea2f4faea {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "The digital certificate has leaked."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VALERIANO BEDESCHI" and
+ pe.signatures[i].serial == "02:f1:75:66:ef:56:8d:c0:6c:9a:37:9e:a2:f4:fa:ea" and
+ 1441324799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7d824ba1f7f730319c50d64c9a7ed507 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "joaweb" and
+ pe.signatures[i].serial == "7d:82:4b:a1:f7:f7:30:31:9c:50:d6:4c:9a:7e:d5:07" and
+ 1238025599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_77a64759f12766e363d779998c71bdc9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Beijing Gigabit Times Technology Co., Ltd" and
+ pe.signatures[i].serial == "77:a6:47:59:f1:27:66:e3:63:d7:79:99:8c:71:bd:c9" and
+ 1301011199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b0d17ec1449b4b2d38fcb0f20fbcd3a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "WEBPIC DESENVOLVIMENTO DE SOFTWARE LTDA" and
+ pe.signatures[i].serial == "0b:0d:17:ec:14:49:b4:b2:d3:8f:cb:0f:20:fb:cd:3a" and
+ 1394150399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fe9404dc73cf1c2ba1450b8398305557 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\x8E\\xA6\\xE9\\x97\\xA8\\xE7\\xBF\\x94\\xE9\\x80\\x9A\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE5\\x88\\x86\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (
+ pe.signatures[i].serial == "00:fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57" or
+ pe.signatures[i].serial == "fe:94:04:dc:73:cf:1c:2b:a1:45:0b:83:98:30:55:57"
+ ) and
+ 1287360000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1cb2d523a6bf7a066642c578de1c9be4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Shenzhen Hua\\xE2\\x80\\x99nan Xingfa Electronic Equipment Firm" and
+ pe.signatures[i].serial == "1c:b2:d5:23:a6:bf:7a:06:66:42:c5:78:de:1c:9b:e4" and
+ 1400889599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3a6ccabb1c62f3be3eb03869fa43dc4a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\xB8\\xB8\\xE5\\xB7\\x9E\\xE9\\xAA\\x8F\\xE6\\x99\\xAF\\xE9\\x80\\x9A\\xE8\\x81\\x94\\xE6\\x95\\xB0\\xE5\\xAD\\x97\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "3a:6c:ca:bb:1c:62:f3:be:3e:b0:38:69:fa:43:dc:4a" and
+ 1259798399 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_864196f01971dbec7002b48642a7013a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "WLE DESENVOLVIMENTO DE SOFTWARE E ASSESSORIA LTDA EPP" and (
+ pe.signatures[i].serial == "00:86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a" or
+ pe.signatures[i].serial == "86:41:96:f0:19:71:db:ec:70:02:b4:86:42:a7:01:3a"
+ ) and
+ 1384300799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4fda1e121b61adeca936a6aebe079303 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Laizhou wanlei stone Co., LTD" and
+ pe.signatures[i].serial == "4f:da:1e:12:1b:61:ad:ec:a9:36:a6:ae:be:07:93:03" and
+ 1310687999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_03866deb183abfbf4ff458d4de7bd73a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE8\\xAF\\x9D\\xE8\\xAF\\xAD\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "03:86:6d:eb:18:3a:bf:bf:4f:f4:58:d4:de:7b:d7:3a" and
+ 1371772799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1be41b34127ca9e6270830d2070db426 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE8\\x80\\x98\\xE5\\x8D\\x87\\xE5\\xA4\\xA9\\xE4\\xB8\\x8B\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "1b:e4:1b:34:12:7c:a9:e6:27:08:30:d2:07:0d:b4:26" and
+ 1352764799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9b108b8a1daa0d5581f59fcee0447901 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CharacTell Ltd" and (
+ pe.signatures[i].serial == "00:9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01" or
+ pe.signatures[i].serial == "9b:10:8b:8a:1d:aa:0d:55:81:f5:9f:ce:e0:44:79:01"
+ ) and
+ 1380671999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5f8203c430fc7db4e61f6684f6829ffc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Haivision Network Video" and
+ pe.signatures[i].serial == "5f:82:03:c4:30:fc:7d:b4:e6:1f:66:84:f6:82:9f:fc" and
+ 1382572799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6b6daef5be29f20ddce4b0f5e9fa6ea5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Calibration Consultants" and
+ pe.signatures[i].serial == "6b:6d:ae:f5:be:29:f2:0d:dc:e4:b0:f5:e9:fa:6e:a5" and
+ 1280447999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_57d6dff1ef96f01b9430666b2733cc87 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Smart Plugin Ltda" and
+ pe.signatures[i].serial == "57:d6:df:f1:ef:96:f0:1b:94:30:66:6b:27:33:cc:87" and
+ 1314575999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0166b65038d61e5435b48204cae4795a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TOLGA KAPLAN" and
+ pe.signatures[i].serial == "01:66:b6:50:38:d6:1e:54:35:b4:82:04:ca:e4:79:5a" and
+ 1403999999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_784f226b45c3bd8e4089243d747d1f59 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FSPro Labs" and
+ pe.signatures[i].serial == "78:4f:22:6b:45:c3:bd:8e:40:89:24:3d:74:7d:1f:59" and
+ 1242777599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_11690f05604445fae0de539eeeeec584 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Tera information Technology co.Ltd" and
+ pe.signatures[i].serial == "11:69:0f:05:60:44:45:fa:e0:de:53:9e:ee:ee:c5:84" and
+ 1294703999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_aa146bff4b832bdbfe30b84580356763 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yancheng Peoples Information Technology Service Co., Ltd" and (
+ pe.signatures[i].serial == "00:aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63" or
+ pe.signatures[i].serial == "aa:14:6b:ff:4b:83:2b:db:fe:30:b8:45:80:35:67:63"
+ ) and
+ 1295481599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e86f46b60142092aae81b8f6fa3d9c7c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Syncode Sistemas e Tecnologia Ltda" and (
+ pe.signatures[i].serial == "00:e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c" or
+ pe.signatures[i].serial == "e8:6f:46:b6:01:42:09:2a:ae:81:b8:f6:fa:3d:9c:7c"
+ ) and
+ 1373932799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1a0fd2a4ef4c2a36ab9c5e8f792a35e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\x8C\\x97\\xE4\\xBA\\xAC\\xE9\\x87\\x91\\xE5\\x88\\xA9\\xE5\\xAE\\x8F\\xE6\\x98\\x8C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "1a:0f:d2:a4:ef:4c:2a:36:ab:9c:5e:8f:79:2a:35:e2" and
+ 1389311999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_53bb753b79a99e61a6e822ac52460c70 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xEB\\x8D\\xB0\\xEC\\x8A\\xA4\\xED\\x81\\xAC\\xED\\x83\\x91\\xEC\\x95\\x84\\xEC\\x9D\\xB4\\xEC\\xBD\\x98" and
+ pe.signatures[i].serial == "53:bb:75:3b:79:a9:9e:61:a6:e8:22:ac:52:46:0c:70" and
+ 1400543999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_83f68fc6834bf8bd2c801a2d1f1acc76 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Helpful Technologies, Inc" and (
+ pe.signatures[i].serial == "00:83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76" or
+ pe.signatures[i].serial == "83:f6:8f:c6:83:4b:f8:bd:2c:80:1a:2d:1f:1a:cc:76"
+ ) and
+ 1407715199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_f385e765acfb95605c9b35ca4c32f80e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CWI SOFTWARE LTDA" and (
+ pe.signatures[i].serial == "00:f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e" or
+ pe.signatures[i].serial == "f3:85:e7:65:ac:fb:95:60:5c:9b:35:ca:4c:32:f8:0e"
+ ) and
+ 1382313599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_f62c9c4efc81caf0d5a2608009d48018 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE5\\x94\\x90\\xE5\\xB1\\xB1\\xE4\\xB8\\x87\\xE4\\xB8\\x9C\\xE6\\xB6\\xA6\\xE6\\x92\\xAD\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (
+ pe.signatures[i].serial == "00:f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18" or
+ pe.signatures[i].serial == "f6:2c:9c:4e:fc:81:ca:f0:d5:a2:60:80:09:d4:80:18"
+ ) and
+ 1292889599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cc8d902da36587c9b2113cd76c3c3f8d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE9\\x87\\x91\\xE4\\xBF\\x8A\\xE5\\x9D\\xA4\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x8D\\xE5\\x8A\\xA1\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (
+ pe.signatures[i].serial == "00:cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d" or
+ pe.signatures[i].serial == "cc:8d:90:2d:a3:65:87:c9:b2:11:3c:d7:6c:3c:3f:8d"
+ ) and
+ 1292544000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_328bdcc0f679c4649147fbb3eb0e9bc6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Nooly Systems LTD" and
+ pe.signatures[i].serial == "32:8b:dc:c0:f6:79:c4:64:91:47:fb:b3:eb:0e:9b:c6" and
+ 1204847999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\x9F\\x9F\\xE8\\x81\\x94\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "5f:78:14:9e:b4:f7:5e:b1:74:04:a8:14:3a:ae:ae:d7" and
+ 1303116124 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_629d120dd84f9c1688d4da40366fab7a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Delta Controls" and
+ pe.signatures[i].serial == "62:9d:12:0d:d8:4f:9c:16:88:d4:da:40:36:6f:ab:7a" and
+ 1306799999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_039e5d0e3297f574db99e1d9503853d9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Cigam Software Corporativo LTDA" and
+ pe.signatures[i].serial == "03:9e:5d:0e:32:97:f5:74:db:99:e1:d9:50:38:53:d9" and
+ 1378079999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_bc32bbe5bbb4f06f490c50651cd5da50 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Remedica Medical Education and Publishing Ltd" and (
+ pe.signatures[i].serial == "00:bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50" or
+ pe.signatures[i].serial == "bc:32:bb:e5:bb:b4:f0:6f:49:0c:50:65:1c:d5:da:50"
+ ) and
+ 1387151999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3e1656dfcaacfed7c2d2564355698aa3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "John W.Richard" and
+ pe.signatures[i].serial == "3e:16:56:df:ca:ac:fe:d7:c2:d2:56:43:55:69:8a:a3" and
+ 1385251199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4bf1d68e926e2dd8966008c44f95ea1c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Technical and Commercial Consulting Pvt. Ltd." and
+ pe.signatures[i].serial == "4b:f1:d6:8e:92:6e:2d:d8:96:60:08:c4:4f:95:ea:1c" and
+ 1322092799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_149c12083c145e28155510cfc19db0fe {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "3rd Eye Solutions Ltd" and
+ pe.signatures[i].serial == "14:9c:12:08:3c:14:5e:28:15:55:10:cf:c1:9d:b0:fe" and
+ 1209340799 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_77e0117e8b2b8faa84bed961019d5ef8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Reiner Wodey Informationssysteme" and
+ pe.signatures[i].serial == "77:e0:11:7e:8b:2b:8f:aa:84:be:d9:61:01:9d:5e:f8" and
+ 1383695999 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4f3feb4baf377aea90a463c5dee63884 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "F3D LIMITED" and
+ pe.signatures[i].serial == "4f:3f:eb:4b:af:37:7a:ea:90:a4:63:c5:de:e6:38:84" and
+ 1526601599 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3d2580e89526f7852b570654efd9a8bf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing LockerGoga ransomware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MIKL LIMITED" and
+ pe.signatures[i].serial == "3d:25:80:e8:95:26:f7:85:2b:57:06:54:ef:d9:a8:bf" and
+ 1529888400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0fffe432a53ff03b9223f88be1b83d9d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing BabyShark malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EGIS Co., Ltd." and
+ pe.signatures[i].serial == "0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d" and
+ 1498524050 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_832e161aea5206d815f973e5a1feb3e7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing SeedLocker ransomware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Project NSRM Ltd" and (
+ pe.signatures[i].serial == "00:83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7" or
+ pe.signatures[i].serial == "83:2e:16:1a:ea:52:06:d8:15:f9:73:e5:a1:fe:b3:e7"
+ ) and
+ 1549830060 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_09aecea45bfd40ce7d62d7d711916d7d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ALINA LTD" and
+ pe.signatures[i].serial == "09:ae:ce:a4:5b:fd:40:ce:7d:62:d7:d7:11:91:6d:7d" and
+ 1551052800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4ff4eda5fa641e70162713426401f438 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DUHANEY LIMITED" and
+ pe.signatures[i].serial == "4f:f4:ed:a5:fa:64:1e:70:16:27:13:42:64:01:f4:38" and
+ 1555349604 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_067dffc5e3026eb4c62971c98ac8a900 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DVERI FADO, TOV" and
+ pe.signatures[i].serial == "06:7d:ff:c5:e3:02:6e:b4:c6:29:71:c9:8a:c8:a9:00" and
+ 1552176000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b1da219688e51fd0bfac2c891d56cbb8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FIRNEEZ EUROPE LIMITED" and (
+ pe.signatures[i].serial == "00:b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8" or
+ pe.signatures[i].serial == "b1:da:21:96:88:e5:1f:d0:bf:ac:2c:89:1d:56:cb:b8"
+ ) and
+ 1542931200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7289b0f9bd641e3e352dc3183f8de6be {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ICE ACTIVATION LIMITED" and
+ pe.signatures[i].serial == "72:89:b0:f9:bd:64:1e:3e:35:2d:c3:18:3f:8d:e6:be" and
+ 1557933274 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fd7b7a8678a67181a54bc7499eba44da {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "IMRAN IT SERVICES LTD" and (
+ pe.signatures[i].serial == "00:fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da" or
+ pe.signatures[i].serial == "fd:7b:7a:86:78:a6:71:81:a5:4b:c7:49:9e:ba:44:da"
+ ) and
+ 1548028800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ebbdd6cdeda40ca64513280ecd625c54 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "IT PUT LIMITED" and (
+ pe.signatures[i].serial == "00:eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54" or
+ pe.signatures[i].serial == "eb:bd:d6:cd:ed:a4:0c:a6:45:13:28:0e:cd:62:5c:54"
+ ) and
+ 1549238400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_61da676c1dcfcf188276e2c70d68082e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "P2N ONLINE LTD" and
+ pe.signatures[i].serial == "61:da:67:6c:1d:cf:cf:18:82:76:e2:c7:0d:68:08:2e" and
+ 1552723954 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_767436921b2698bd18400a24b01341b6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "REBROSE LEISURE LIMITED" and
+ pe.signatures[i].serial == "76:74:36:92:1b:26:98:bd:18:40:0a:24:b0:13:41:b6" and
+ 1556284480 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3e795531b3265510f935187eca59920a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "sasha catering ltd" and
+ pe.signatures[i].serial == "3e:79:55:31:b3:26:55:10:f9:35:18:7e:ca:59:92:0a" and
+ 1557243644 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_8f40b1485309a064a28b96bfa3f55f36 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Singh Agile Content Design Limited" and (
+ pe.signatures[i].serial == "00:8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36" or
+ pe.signatures[i].serial == "8f:40:b1:48:53:09:a0:64:a2:8b:96:bf:a3:f5:5f:36"
+ ) and
+ 1542585600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b2120facadbb92cc0a176759604c6a0f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SLON LTD" and (
+ pe.signatures[i].serial == "00:b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f" or
+ pe.signatures[i].serial == "b2:12:0f:ac:ad:bb:92:cc:0a:17:67:59:60:4c:6a:0f"
+ ) and
+ 1554249600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4f407eb50803845cc43937823e1344c0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SLOW COOKED VENTURES LTD" and
+ pe.signatures[i].serial == "4f:40:7e:b5:08:03:84:5c:c4:39:37:82:3e:13:44:c0" and
+ 1556555362 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6922bb5de88e4127e1ac6969e6a199f5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SMACHNA PLITKA, TOV" and
+ pe.signatures[i].serial == "69:22:bb:5d:e8:8e:41:27:e1:ac:69:69:e6:a1:99:f5" and
+ 1552692162 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_73065efa163b7901fa1ccb0a54e80540 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SOVA CONSULTANCY LTD" and
+ pe.signatures[i].serial == "73:06:5e:fa:16:3b:79:01:fa:1c:cb:0a:54:e8:05:40" and
+ 1548115200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4842afad00904ed8c98811e652ccb3b7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\"VERY EXCLUSIVE LTD\"" and
+ pe.signatures[i].serial == "48:42:af:ad:00:90:4e:d8:c9:88:11:e6:52:cc:b3:b7" and
+ 1545177600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5a59a686b4a904d0fca07153ea6db6cc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ABADAN PIZZA LTD" and
+ pe.signatures[i].serial == "5a:59:a6:86:b4:a9:04:d0:fc:a0:71:53:ea:6d:b6:cc" and
+ 1563403380 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b6d8152f4a06ba781c6677eea5ab74b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "GLARYSOFT LTD" and
+ pe.signatures[i].serial == "0b:6d:81:52:f4:a0:6b:a7:81:c6:67:7e:ea:5a:b7:4b" and
+ 1568246400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3ad60cea73e1dd1a3e6c02d9b339c380 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CUS Software GmbH" and
+ pe.signatures[i].serial == "3a:d6:0c:ea:73:e1:dd:1a:3e:6c:02:d9:b3:39:c3:80" and
+ 1567036800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7df2dfed47c6fd6542131847cffbc102 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AFVIMPEX SRL" and
+ pe.signatures[i].serial == "7d:f2:df:ed:47:c6:fd:65:42:13:18:47:cf:fb:c1:02" and
+ 1567036800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_74fedf0f8398060fa8378c6d174465c8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DOCS PTY LTD" and
+ pe.signatures[i].serial == "74:fe:df:0f:83:98:06:0f:a8:37:8c:6d:17:44:65:c8" and
+ 1566172800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3bd6a5bba28e7c1ca44880159dace237 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TECHNO BEAVERS LIMITED" and
+ pe.signatures[i].serial == "3b:d6:a5:bb:a2:8e:7c:1c:a4:48:80:15:9d:ac:e2:37" and
+ 1563408000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c04f8f1e00c69e96a51bf14aab1c6ae0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CHAIKA, TOV" and (
+ pe.signatures[i].serial == "00:c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0" or
+ pe.signatures[i].serial == "c0:4f:8f:1e:00:c6:9e:96:a5:1b:f1:4a:ab:1c:6a:e0"
+ ) and
+ 1551398400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_23f537ce13c6cccdfd3f8ce81fb981cb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ISECURE GROUP PTY LTD" and
+ pe.signatures[i].serial == "23:f5:37:ce:13:c6:cc:cd:fd:3f:8c:e8:1f:b9:81:cb" and
+ 1566086400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_73ecfdbb99aec176ddfcf7958d120e1a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MHOW PTY LTD" and
+ pe.signatures[i].serial == "73:ec:fd:bb:99:ae:c1:76:dd:fc:f7:95:8d:12:0e:1a" and
+ 1566864000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_675129bb174a5b05e330cc09f8bbd70a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ALEX & CO PTY LIMITED" and
+ pe.signatures[i].serial == "67:51:29:bb:17:4a:5b:05:e3:30:cc:09:f8:bb:d7:0a" and
+ 1565568000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_de13fe2dbb8f890287e1780aff6ffd22 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LAST TIME PTY LTD" and
+ pe.signatures[i].serial == "de:13:fe:2d:bb:8f:89:02:87:e1:78:0a:ff:6f:fd:22" and
+ 1566259200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_da000d18949c247d4ddfc2585cc8bd0f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PORT-SERVIS LTD" and (
+ pe.signatures[i].serial == "00:da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f" or
+ pe.signatures[i].serial == "da:00:0d:18:94:9c:24:7d:4d:df:c2:58:5c:c8:bd:0f"
+ ) and
+ 1564444800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06e842d3ea6249d783d6b55e29c060c7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PORT-SERVIS LTD, TOV" and
+ pe.signatures[i].serial == "06:e8:42:d3:ea:62:49:d7:83:d6:b5:5e:29:c0:60:c7" and
+ 1565568000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06473c3c19d9e1a9429b58b6faec2967 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Digital Leadership Solutions Limited" and
+ pe.signatures[i].serial == "06:47:3c:3c:19:d9:e1:a9:42:9b:58:b6:fa:ec:29:67" and
+ 1581984001 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_39f56251df2088223cc03494084e6081 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Inter Med Pty. Ltd." and
+ pe.signatures[i].serial == "39:f5:62:51:df:20:88:22:3c:c0:34:94:08:4e:60:81" and
+ 1583539200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1362e56d34dc7b501e17fa1ac3c3e3d9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO \"Amaranth\"" and
+ pe.signatures[i].serial == "13:62:e5:6d:34:dc:7b:50:1e:17:fa:1a:c3:c3:e3:d9" and
+ 1575936000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4b83593fc78d92cfaa9bdf3f97383964 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Kometa" and
+ pe.signatures[i].serial == "4b:83:59:3f:c7:8d:92:cf:aa:9b:df:3f:97:38:39:64" and
+ 1579996800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c7505e7464e00ec1dccd8d1b466d15ff {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ltd. \"Eve Beauty\"" and (
+ pe.signatures[i].serial == "00:c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff" or
+ pe.signatures[i].serial == "c7:50:5e:74:64:e0:0e:c1:dc:cd:8d:1b:46:6d:15:ff"
+ ) and
+ 1583824676 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cbf91988fb83511de1b3a7a520712e9c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ltd. \"Eve Beauty\"" and (
+ pe.signatures[i].serial == "00:cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c" or
+ pe.signatures[i].serial == "cb:f9:19:88:fb:83:51:1d:e1:b3:a7:a5:20:71:2e:9c"
+ ) and
+ 1578786662 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ce3675ae4abfe688870bcacb63060f4f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO \"MPS\"" and (
+ pe.signatures[i].serial == "00:ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f" or
+ pe.signatures[i].serial == "ce:36:75:ae:4a:bf:e6:88:87:0b:ca:cb:63:06:0f:4f"
+ ) and
+ 1582675200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9813229efe0046d23542cc7569d5a403 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO \"MPS\"" and (
+ pe.signatures[i].serial == "00:98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03" or
+ pe.signatures[i].serial == "98:13:22:9e:fe:00:46:d2:35:42:cc:75:69:d5:a4:03"
+ ) and
+ 1575849600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_86e5a9b9e89e5075c475006d0ca03832 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BlueMarble GmbH" and (
+ pe.signatures[i].serial == "00:86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32" or
+ pe.signatures[i].serial == "86:e5:a9:b9:e8:9e:50:75:c4:75:00:6d:0c:a0:38:32"
+ ) and
+ 1574791194 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_075dca9ca84b93e8a89b775128f90302 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "UAB GT-servis" and
+ pe.signatures[i].serial == "07:5d:ca:9c:a8:4b:93:e8:a8:9b:77:51:28:f9:03:02" and
+ 1579305601 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0ddce8cdc91b5b649bb4b45ffbba6c6c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SLIM DOG GROUP SP Z O O" and
+ pe.signatures[i].serial == "0d:dc:e8:cd:c9:1b:5b:64:9b:b4:b4:5f:fb:ba:6c:6c" and
+ 1580722435 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9bd614d5869bb66c96b67e154d517384 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\"CENTR MBP\"" and (
+ pe.signatures[i].serial == "00:9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84" or
+ pe.signatures[i].serial == "9b:d6:14:d5:86:9b:b6:6c:96:b6:7e:15:4d:51:73:84"
+ ) and
+ 1581618180 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_540cea639d5d48669b7f2f64 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CENTR MBP LLC" and
+ pe.signatures[i].serial == "54:0c:ea:63:9d:5d:48:66:9b:7f:2f:64" and
+ 1570871755 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_03a7748a4355020a652466b5e02e07de {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Teleneras MB" and
+ pe.signatures[i].serial == "03:a7:74:8a:43:55:02:0a:65:24:66:b5:e0:2e:07:de" and
+ 1575244801 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b881a72d4117bbc38b81d3c65c792c1a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Red GmbH" and (
+ pe.signatures[i].serial == "00:b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a" or
+ pe.signatures[i].serial == "b8:81:a7:2d:41:17:bb:c3:8b:81:d3:c6:5c:79:2c:1a"
+ ) and
+ 1581936420 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_08653ef2ed9e6ebb56ffa7e93f963235 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Haw Farm LIMITED" and
+ pe.signatures[i].serial == "08:65:3e:f2:ed:9e:6e:bb:56:ff:a7:e9:3f:96:32:35" and
+ 1581465601 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9c4816d900a6ecdbe54adf72b19ebcf5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Datamingo Limited" and (
+ pe.signatures[i].serial == "00:9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5" or
+ pe.signatures[i].serial == "9c:48:16:d9:00:a6:ec:db:e5:4a:df:72:b1:9e:bc:f5"
+ ) and
+ 1557187200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_269174f9fe7c6ed4e1d19b26c3f5b35f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "GO ONLINE d.o.o." and
+ pe.signatures[i].serial == "26:91:74:f9:fe:7c:6e:d4:e1:d1:9b:26:c3:f5:b3:5f" and
+ 1586386919 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_523fb4036368dc26192d68827f2d889b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO MEDUZA SERVICE GROUP" and
+ pe.signatures[i].serial == "52:3f:b4:03:63:68:dc:26:19:2d:68:82:7f:2d:88:9b" and
+ 1586847880 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_84f842f6d33cd2f25b88dd1710e21137 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DataNext s.r.o." and (
+ pe.signatures[i].serial == "00:84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37" or
+ pe.signatures[i].serial == "84:f8:42:f6:d3:3c:d2:f2:5b:88:dd:17:10:e2:11:37"
+ ) and
+ 1586775720 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4fbcaa289ba925b4e247809b6b028202 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Kimjac ApS" and
+ pe.signatures[i].serial == "4f:bc:aa:28:9b:a9:25:b4:e2:47:80:9b:6b:02:82:02" and
+ 1588227220 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1f2e8effbb08c7dbcc7a7f2d835457b5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "RTI, OOO" and
+ pe.signatures[i].serial == "1f:2e:8e:ff:bb:08:c7:db:cc:7a:7f:2d:83:54:57:b5" and
+ 1581382360 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_aeba4c39306fdd022849867801645814 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SK AI MAS GmbH" and (
+ pe.signatures[i].serial == "00:ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14" or
+ pe.signatures[i].serial == "ae:ba:4c:39:30:6f:dd:02:28:49:86:78:01:64:58:14"
+ ) and
+ 1579478400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_028d50ae0c554b49148e82db5b1c2699 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VAS CO PTY LTD" and
+ pe.signatures[i].serial == "02:8d:50:ae:0c:55:4b:49:14:8e:82:db:5b:1c:26:99" and
+ 1579478400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_684f478c7259dde0cfe2260112ca9846 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LLC \"IP EM\"" and
+ pe.signatures[i].serial == "68:4f:47:8c:72:59:dd:e0:cf:e2:26:01:12:ca:98:46" and
+ 1584981648 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b7c32208a954a483dd102e1be094867 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Win Sp Z O O" and + pe.signatures[i].serial == "0b:7c:32:20:8a:95:4a:48:3d:d1:02:e1:be:09:48:67" and + 1583884800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3e72daf2b9a4449e946009e5084a8e76 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Infoteh63" and + pe.signatures[i].serial == "3e:72:da:f2:b9:a4:44:9e:94:60:09:e5:08:4a:8e:76" and + 1591787570 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_11edd343e21c36ac985555d85c16135f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Pribyl Handels GmbH" and + pe.signatures[i].serial == "11:ed:d3:43:e2:1c:36:ac:98:55:55:d8:5c:16:13:5f" and + 1589925600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_093fe63d1a5f68f14ecaac871a03f7a3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SPECTACLE IMAGE LTD" and + pe.signatures[i].serial == "09:3f:e6:3d:1a:5f:68:f1:4e:ca:ac:87:1a:03:f7:a3" and + 1562716800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bb26b7b6634d5db548c437b5085b01c1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO \"IT Mott\"" and ( + pe.signatures[i].serial == "00:bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" or + pe.signatures[i].serial == "bb:26:b7:b6:63:4d:5d:b5:48:c4:37:b5:08:5b:01:c1" + ) and + 1591919307 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_29128a56e7b3bfb230742591ac8b4718 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Programavimo paslaugos, MB" and + pe.signatures[i].serial == "29:12:8a:56:e7:b3:bf:b2:30:74:25:91:ac:8b:47:18" and + 1590900909 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7bfbfdfef43608730ee14779ee3ee2cb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CSTech Software Inc." 
and + pe.signatures[i].serial == "7b:fb:fd:fe:f4:36:08:73:0e:e1:47:79:ee:3e:e2:cb" and + 1590537600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_62205361a758b00572d417cba014f007 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "UNITEKH-S, OOO" and + pe.signatures[i].serial == "62:20:53:61:a7:58:b0:05:72:d4:17:cb:a0:14:f0:07" and + 1590470683 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4b47d18dbea57abd1563ddf89f87a6c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KBK, OOO" and + pe.signatures[i].serial == "4b:47:d1:8d:be:a5:7a:bd:15:63:dd:f8:9f:87:a6:c2" and + 1590485607 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_be41e2c7bb2493044b9241abb732599d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Company Babylon" and ( + pe.signatures[i].serial == "00:be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" or + pe.signatures[i].serial == "be:41:e2:c7:bb:24:93:04:4b:92:41:ab:b7:32:59:9d" + ) and + 1589146251 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_15c5af15afecf1c900cbab0ca9165629 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kompaniya Auttek" and + pe.signatures[i].serial == "15:c5:af:15:af:ec:f1:c9:00:cb:ab:0c:a9:16:56:29" and + 1586091840 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_476de2f108d20b43ba3bae6f331af8f1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Digiwill Limited" and + pe.signatures[i].serial == "47:6d:e2:f1:08:d2:0b:43:ba:3b:ae:6f:33:1a:f8:f1" and + 1588135722 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08ddcc67f8cad6929607e4cda29b3503 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FAN-CHAI, TOV" and + pe.signatures[i].serial == "08:dd:cc:67:f8:ca:d6:92:96:07:e4:cd:a2:9b:35:03" and + 1564310268 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_052242ace583adf2a3b96adcb04d0812 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FAN-CHAI, TOV" and + pe.signatures[i].serial == "05:22:42:ac:e5:83:ad:f2:a3:b9:6a:dc:b0:4d:08:12" and + 1573603200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bebef5c533ce92efc402fab8605c43ec { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO VEKTOR" and ( + pe.signatures[i].serial == "00:be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" or + pe.signatures[i].serial == "be:be:f5:c5:33:ce:92:ef:c4:02:fa:b8:60:5c:43:ec" + ) and + 1587513600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1d3f39f481fe067f8a9289bb49e05a04 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LOGIKA, OOO" and + pe.signatures[i].serial == "1d:3f:39:f4:81:fe:06:7f:8a:92:89:bb:49:e0:5a:04" and + 1592553220 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7be35d025e65cc7a4ee01f72 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Logika OOO" and + pe.signatures[i].serial == "7b:e3:5d:02:5e:65:cc:7a:4e:e0:1f:72" and + 1594976445 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_351fe2efdc0ac56a0c822cf8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Logika OOO" and + pe.signatures[i].serial == "35:1f:e2:ef:dc:0a:c5:6a:0c:82:2c:f8" and + 1594976475 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9cfbb4c69008821aaacecde97ee149ab { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kivaliz Prest s.r.l." 
and ( + pe.signatures[i].serial == "00:9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" or + pe.signatures[i].serial == "9c:fb:b4:c6:90:08:82:1a:aa:ce:cd:e9:7e:e1:49:ab" + ) and + 1592363914 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c04f5d17af872cb2c37e3367fe761d0d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DES SP Z O O" and ( + pe.signatures[i].serial == "00:c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" or + pe.signatures[i].serial == "c0:4f:5d:17:af:87:2c:b2:c3:7e:33:67:fe:76:1d:0d" + ) and + 1594590024 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_02c5351936abe405ac760228a40387e8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RESURS-RM OOO" and + pe.signatures[i].serial == "02:c5:35:19:36:ab:e4:05:ac:76:02:28:a4:03:87:e8" and + 1589932801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1ecd829adcc55d9d6afe30dc371ebda6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Komp.IT" and ( + pe.signatures[i].serial == "00:1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" or + pe.signatures[i].serial == "1e:cd:82:9a:dc:c5:5d:9d:6a:fe:30:dc:37:1e:bd:a6" + ) and + 1588723200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b0167124ca59149e64d292eb4b142014 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Euro May SP Z O O" and ( + pe.signatures[i].serial == "00:b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" or + pe.signatures[i].serial == "b0:16:71:24:ca:59:14:9e:64:d2:92:eb:4b:14:20:14" + ) and + 1585267200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_112613b7b5f696cf377680f6463fcc8c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Infoware Cloud Limited" and + pe.signatures[i].serial == "11:26:13:b7:b5:f6:96:cf:37:76:80:f6:46:3f:cc:8c" and + 1566518400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b3f906e5e6b2cf61c5e51be79b4e8777 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Accelerate Technologies Ltd" and ( + pe.signatures[i].serial == "00:b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" or + pe.signatures[i].serial == "b3:f9:06:e5:e6:b2:cf:61:c5:e5:1b:e7:9b:4e:87:77" + ) and + 1594900020 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_566ac16a57b132d3f64dced14de790ee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Unirad LLC" and + pe.signatures[i].serial == "56:6a:c1:6a:57:b1:32:d3:f6:4d:ce:d1:4d:e7:90:ee" and + 1562889600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d2caf7908aaebfa1a8f3e2136fece024 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FANATOR, OOO" and ( + pe.signatures[i].serial == "00:d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" or + pe.signatures[i].serial == "d2:ca:f7:90:8a:ae:bf:a1:a8:f3:e2:13:6f:ec:e0:24" + ) and + 1599041760 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e04a344b397f752a45b128a594a3d6b5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Highweb Ireland Operations Limited" and ( + pe.signatures[i].serial == "00:e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" or + pe.signatures[i].serial == "e0:4a:34:4b:39:7f:75:2a:45:b1:28:a5:94:a3:d6:b5" + ) and + 1597708800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3bcaed3ef678f2f9bf38d09e149b8d70 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "StarY Media Inc." and + pe.signatures[i].serial == "3b:ca:ed:3e:f6:78:f2:f9:bf:38:d0:9e:14:9b:8d:70" and + 1599091200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_56d576a062491ea0a5877ced418203a1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Silvo LLC" and + pe.signatures[i].serial == "56:d5:76:a0:62:49:1e:a0:a5:87:7c:ed:41:82:03:a1" and + 1596249885 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0fcba260df7da602ecf4d4d6fc89d5dd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Gold Stroy SP Z O O" and + pe.signatures[i].serial == "0f:cb:a2:60:df:7d:a6:02:ec:f4:d4:d6:fc:89:d5:dd" and + 1593388801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4152169f22454ed604d03555b7afb175 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SMACKTECH SOFTWARE LIMITED" and + pe.signatures[i].serial == "41:52:16:9f:22:45:4e:d6:04:d0:35:55:b7:af:b1:75" and + 1595808000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_01c88ccbd219500139d1af138a9e898e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Raymond Yanagita" and + pe.signatures[i].serial == "01:c8:8c:cb:d2:19:50:01:39:d1:af:13:8a:9e:89:8e" and + 1593041280 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_41d05676e0d31908be4dead3486aeae3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Rov SP Z O O" and + pe.signatures[i].serial == "41:d0:56:76:e0:d3:19:08:be:4d:ea:d3:48:6a:ea:e3" and + 1594857600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8cff807edaf368a60e4106906d8df319 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KRAFT BOKS OOO" and ( + pe.signatures[i].serial == "00:8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" or + pe.signatures[i].serial == "8c:ff:80:7e:da:f3:68:a6:0e:41:06:90:6d:8d:f3:19" + ) and + 1598334455 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a3e62be1572293ad618f58a8aa32857f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ISIDA, TOV" and ( + pe.signatures[i].serial == "00:a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" or + pe.signatures[i].serial == "a3:e6:2b:e1:57:22:93:ad:61:8f:58:a8:aa:32:85:7f" + ) and + 1596585600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_672d4428450afcc24fc60969a5063a3e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MEP, OOO" and + pe.signatures[i].serial == "67:2d:44:28:45:0a:fc:c2:4f:c6:09:69:a5:06:3a:3e" and + 1597381260 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_df479e14a70c7970a4de3dd3e4bb0318 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SOFTWARE HUB IT LTD" and ( + pe.signatures[i].serial == "00:df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" or + pe.signatures[i].serial == "df:47:9e:14:a7:0c:79:70:a4:de:3d:d3:e4:bb:03:18" + ) and + 1591660800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2924785fd7990b2d510675176dae2bed { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Neoopt LLC" and + pe.signatures[i].serial == "29:24:78:5f:d7:99:0b:2d:51:06:75:17:6d:ae:2b:ed" and + 1595000258 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f4d2def53bccb0dd2b7d54e4853a2fc5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PETROYL GROUP, TOV" and ( + pe.signatures[i].serial == "00:f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" or + pe.signatures[i].serial == "f4:d2:de:f5:3b:cc:b0:dd:2b:7d:54:e4:85:3a:2f:c5" + ) and + 1598347687 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_03bf9ef4cf037a2385649026c3da9d3e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "COLLECTIVE SOFTWARE INC." and + pe.signatures[i].serial == "03:bf:9e:f4:cf:03:7a:23:85:64:90:26:c3:da:9d:3e" and + 1595371955 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_790177a54209d55560a55db97c5900d6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MAK GmbH" and + pe.signatures[i].serial == "79:01:77:a5:42:09:d5:55:60:a5:5d:b9:7c:59:00:d6" and + 1594080000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_048f7b5f67d8e2b3030f75eb7be2713d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RITEIL SERVIS, OOO" and + pe.signatures[i].serial == "04:8f:7b:5f:67:d8:e2:b3:03:0f:75:eb:7b:e2:71:3d" and + 1591142400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_082023879112289bf351d297cc8efcfc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STA-R TOV" and + pe.signatures[i].serial == "08:20:23:87:91:12:28:9b:f3:51:d2:97:cc:8e:fc:fc" and + 1573430400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0d53690631dd186c56be9026eb931ae2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STA-R TOV" and + pe.signatures[i].serial == "0d:53:69:06:31:dd:18:6c:56:be:90:26:eb:93:1a:e2" and + 1592190240 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_32119925a6ce4710aecc4006c28e749f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Maxiol" and + pe.signatures[i].serial == "32:11:99:25:a6:ce:47:10:ae:cc:40:06:c2:8e:74:9f" and + 1592438400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2c90eaf4de3afc03ba924c719435c2a3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AntiFIX s.r.o." and ( + pe.signatures[i].serial == "00:2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" or + pe.signatures[i].serial == "2c:90:ea:f4:de:3a:fc:03:ba:92:4c:71:94:35:c2:a3" + ) and + 1586293430 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aff762e907f0644e76ed8a7485fb12a1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Lets Start SP Z O O" and ( + pe.signatures[i].serial == "00:af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" or + pe.signatures[i].serial == "af:f7:62:e9:07:f0:64:4e:76:ed:8a:74:85:fb:12:a1" + ) and + 1594882330 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d8530214ca0f512946496b5164c61201 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DJ ONLINE MARKETING LIMITED" and ( + pe.signatures[i].serial == "00:d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" or + pe.signatures[i].serial == "d8:53:02:14:ca:0f:51:29:46:49:6b:51:64:c6:12:01" + ) and + 1595485920 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_661ba8f3c9d1b348413484e9a49502f7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Unique Digital Services Ltd." and ( + pe.signatures[i].serial == "00:66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" or + pe.signatures[i].serial == "66:1b:a8:f3:c9:d1:b3:48:41:34:84:e9:a4:95:02:f7" + ) and + 1594942800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_51aead5a9ab2d841b449fa82de3a8a00 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Corsair Software Solution Inc." and + pe.signatures[i].serial == "51:ae:ad:5a:9a:b2:d8:41:b4:49:fa:82:de:3a:8a:00" and + 1501577475 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_03b630f9645531f8868dae8ac0f8cfe6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Geksan LLC" and + pe.signatures[i].serial == "03:b6:30:f9:64:55:31:f8:86:8d:ae:8a:c0:f8:cf:e6" and + 1594252801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6f8373cf89f1b49138f4328118487f9e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "30 PTY LTD" and + pe.signatures[i].serial == "6f:83:73:cf:89:f1:b4:91:38:f4:32:81:18:48:7f:9e" and + 1572566400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e38259cf24cc702ce441b683ad578911 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Akhirah Technologies Inc." and ( + pe.signatures[i].serial == "00:e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" or + pe.signatures[i].serial == "e3:82:59:cf:24:cc:70:2c:e4:41:b6:83:ad:57:89:11" + ) and + 1597276800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bdc81bc76090dae0eee2e1eb744a4f9a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ALM4U GmbH" and ( + pe.signatures[i].serial == "00:bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" or + pe.signatures[i].serial == "bd:c8:1b:c7:60:90:da:e0:ee:e2:e1:eb:74:4a:4f:9a" + ) and + 1579824000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b2e730b0526f36faf7d093d48d6d9997 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Bamboo Connect s.r.o." and ( + pe.signatures[i].serial == "00:b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" or + pe.signatures[i].serial == "b2:e7:30:b0:52:6f:36:fa:f7:d0:93:d4:8d:6d:99:97" + ) and + 1597276800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7156ec47ef01ab8359ef4304e5af1a05 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BOREC, OOO" and + pe.signatures[i].serial == "71:56:ec:47:ef:01:ab:83:59:ef:43:04:e5:af:1a:05" and + 1597363200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_13794371c052ec0559e9b492abb25c26 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Carmel group LLC" and + pe.signatures[i].serial == "13:79:43:71:c0:52:ec:05:59:e9:b4:92:ab:b2:5c:26" and + 1599177600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5c7e78f53c31d6aa5b45de14b47eb5c4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Cubic Information Systems, UAB" and + pe.signatures[i].serial == "5c:7e:78:f5:3c:31:d6:aa:5b:45:de:14:b4:7e:b5:c4" and + 1579824000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_dadf44e4046372313ee97b8e394c4079 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Digital Capital Management Ireland Limited" and ( + pe.signatures[i].serial == "00:da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" or + pe.signatures[i].serial == "da:df:44:e4:04:63:72:31:3e:e9:7b:8e:39:4c:40:79" + ) and + 1600244736 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f8c2e08438bb0e9adc955e4b493e5821 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DocsGen Software Solutions Inc." 
and ( + pe.signatures[i].serial == "00:f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" or + pe.signatures[i].serial == "f8:c2:e0:84:38:bb:0e:9a:dc:95:5e:4b:49:3e:58:21" + ) and + 1599523200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_70e1ebd170db8102d8c28e58392e5632 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Equal Cash Technologies Limited" and + pe.signatures[i].serial == "70:e1:eb:d1:70:db:81:02:d8:c2:8e:58:39:2e:56:32" and + 1599264000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_09c89de6f64a7fdf657e69353c5fdd44 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "EXON RENTAL SP Z O O" and + pe.signatures[i].serial == "09:c8:9d:e6:f6:4a:7f:df:65:7e:69:35:3c:5f:dd:44" and + 1601337601 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ffff2ce862378b26440df49ca9175b70 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "F & A.TIM d.o.o." 
and ( + pe.signatures[i].serial == "00:ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" or + pe.signatures[i].serial == "ff:ff:2c:e8:62:37:8b:26:44:0d:f4:9c:a9:17:5b:70" + ) and + 1576195200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3223b4616c2687c04865bee8321726a8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and + pe.signatures[i].serial == "32:23:b4:61:6c:26:87:c0:48:65:be:e8:32:17:26:a8" and + 1601337600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7709d2df39e9a4f7db2f3cbc29b49743 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Grina LLC" and + pe.signatures[i].serial == "77:09:d2:df:39:e9:a4:f7:db:2f:3c:bc:29:b4:97:43" and + 1556353331 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e29690e14518874d2dcf00234ae94f1f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GRIND & TAMP ENTERPRISES PTY LTD" and ( + pe.signatures[i].serial == "00:e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" or + pe.signatures[i].serial == "e2:96:90:e1:45:18:87:4d:2d:cf:00:23:4a:e9:4f:1f" + ) and + 1570838400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_cfac705c7e6845904f99995324f7562c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HMWOCFPSDLAFMFZIVD" and ( + pe.signatures[i].serial == "cf:ac:70:5c:7e:68:45:90:4f:99:99:53:24:f7:56:2c" or + pe.signatures[i].serial == "30:53:8f:a3:81:97:ba:6f:b0:66:66:ac:db:08:a9:d4" + ) and + 1601918720 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a7989f8be0c82d35a19e7b3dd4be30e5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Instamix Limited" and ( + pe.signatures[i].serial == "00:a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" or + pe.signatures[i].serial == "a7:98:9f:8b:e0:c8:2d:35:a1:9e:7b:3d:d4:be:30:e5" + ) and + 1598054400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0fa13ae98e17ae23fcfe7ae873d0c120 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KLAKSON, LLC" and + pe.signatures[i].serial == "0f:a1:3a:e9:8e:17:ae:23:fc:fe:7a:e8:73:d0:c1:20" and + 1597276801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3696883055975d571199c6b5d48f3cd5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Korist Networks Incorporated" and + pe.signatures[i].serial == "36:96:88:30:55:97:5d:57:11:99:c6:b5:d4:8f:3c:d5" and + 1600069289 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ee678930d5bdfaa2ab0172fa4c10ae07 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LEX CORPORATION PTY LTD" and ( + pe.signatures[i].serial == "00:ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" or + pe.signatures[i].serial == "ee:67:89:30:d5:bd:fa:a2:ab:01:72:fa:4c:10:ae:07" + ) and + 1571011200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d7c432e8d4edef515bfb9d1c214ff0f5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LLC \"MILKY PUT\"" and ( + pe.signatures[i].serial == "00:d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" or + pe.signatures[i].serial == "d7:c4:32:e8:d4:ed:ef:51:5b:fb:9d:1c:21:4f:f0:f5" + ) and + 1601596800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b440a47e8ce3dd202271e5c7a666c78 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Master Networking s.r.o." and + pe.signatures[i].serial == "5b:44:0a:47:e8:ce:3d:d2:02:27:1e:5c:7a:66:6c:78" and + 1601895571 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b82c6553b2186c219797621aaa233edb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MC Commerce SP Z o o" and ( + pe.signatures[i].serial == "00:b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" or + pe.signatures[i].serial == "b8:2c:65:53:b2:18:6c:21:97:97:62:1a:aa:23:3e:db" + ) and + 1585785600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f360f7ad0ed065fec0b44f98e04481a0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MEHANIKUM OOO" and ( + pe.signatures[i].serial == "00:f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" or + pe.signatures[i].serial == "f3:60:f7:ad:0e:d0:65:fe:c0:b4:4f:98:e0:44:81:a0" + ) and + 1599031121 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fe41941464b9992a69b7317418ae8eb7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Milsean Software Limited" and ( + pe.signatures[i].serial == "00:fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" or + pe.signatures[i].serial == "fe:41:94:14:64:b9:99:2a:69:b7:31:74:18:ae:8e:b7" + ) and + 1599523200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c14b611a44a1bae0e8c7581651845b6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NEEDCODE SP Z O O" and + pe.signatures[i].serial == "0c:14:b6:11:a4:4a:1b:ae:0e:8c:75:81:65:18:45:b6" and + 1600300801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_690910dc89d7857c3500fb74bed2b08d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OLIMP STROI, OOO" and + pe.signatures[i].serial == "69:09:10:dc:89:d7:85:7c:35:00:fb:74:be:d2:b0:8d" and + 1597276800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fd41e6bd7428d3008c8a05f68c9ac6f2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OM-FAS d.o.o." and ( + pe.signatures[i].serial == "00:fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" or + pe.signatures[i].serial == "fd:41:e6:bd:74:28:d3:00:8c:8a:05:f6:8c:9a:c6:f2" + ) and + 1575590400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c7079866c0e48b01246ba0c148e70d4d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO GARANT" and ( + pe.signatures[i].serial == "00:c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" or + pe.signatures[i].serial == "c7:07:98:66:c0:e4:8b:01:24:6b:a0:c1:48:e7:0d:4d" + ) and + 1588679105 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d591da22f33c800a7024aecff2cd6c6d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO T2 Soft" and ( + pe.signatures[i].serial == "00:d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" or + pe.signatures[i].serial == "d5:91:da:22:f3:3c:80:0a:70:24:ae:cf:f2:cd:6c:6d" + ) and + 1588679107 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b36e0f2053caee9c3b966f7be0b40fc3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PARTS-JEST d.o.o." and ( + pe.signatures[i].serial == "00:b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" or + pe.signatures[i].serial == "b3:6e:0f:20:53:ca:ee:9c:3b:96:6f:7b:e0:b4:0f:c3" + ) and + 1600172855 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b320a2f46c99c1ba1357bee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REGION TOURISM LLC" and + pe.signatures[i].serial == "5b:32:0a:2f:46:c9:9c:1b:a1:35:7b:ee" and + 1602513116 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08d4352185317271c1cec9d05c279af7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Retalit LLC" and + pe.signatures[i].serial == "08:d4:35:21:85:31:72:71:c1:ce:c9:d0:5c:27:9a:f7" and + 1596585601 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b514e4c5309ef9f27add05bedd4339a0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SCABONE PTY LTD" and ( + pe.signatures[i].serial == "00:b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" or + pe.signatures[i].serial == "b5:14:e4:c5:30:9e:f9:f2:7a:dd:05:be:dd:43:39:a0" + ) and + 1572566400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_13c7b92282aae782bfb00baf879935f4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and + pe.signatures[i].serial == "13:c7:b9:22:82:aa:e7:82:bf:b0:0b:af:87:99:35:f4" and + 1603130510 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d627f1000d12485995514bfbdefc55d9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THREE D CORPORATION PTY LTD" and ( + pe.signatures[i].serial == "00:d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" or + pe.signatures[i].serial == "d6:27:f1:00:0d:12:48:59:95:51:4b:fb:de:fc:55:d9" + ) and + 1597622400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5fb6bae8834edd8d3d58818edc86d7d7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Tramplink LLC" and + pe.signatures[i].serial == "5f:b6:ba:e8:83:4e:dd:8d:3d:58:81:8e:dc:86:d7:d7" and + 1600781989 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e5ad42c509a7c24605530d35832c091e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VESNA, OOO" and ( + pe.signatures[i].serial == "00:e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" or + pe.signatures[i].serial == "e5:ad:42:c5:09:a7:c2:46:05:53:0d:35:83:2c:09:1e" + ) and + 1600786458 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8e3d89c682f7c0dad70110cb7b7c8263 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "WORK PLACEMENTS INTERNATIONAL LIMITED" and ( + pe.signatures[i].serial == "00:8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" or + pe.signatures[i].serial == "8e:3d:89:c6:82:f7:c0:da:d7:01:10:cb:7b:7c:82:63" + ) and + 1570626662 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ef2d35f2ae82a767a16be582ab0d1ba0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Workstage Limited" and ( + pe.signatures[i].serial == "00:ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" or + pe.signatures[i].serial == "ef:2d:35:f2:ae:82:a7:67:a1:6b:e5:82:ab:0d:1b:a0" + ) and + 1567123200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_039668034826df47e6207ec9daed57c3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CHOO FSP, LLC" and + pe.signatures[i].serial == "03:96:68:03:48:26:df:47:e6:20:7e:c9:da:ed:57:c3" and + 1601424001 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_07bb6a9d1c642c5973c16d5353b17ca4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MADAS d.o.o." 
and + pe.signatures[i].serial == "07:bb:6a:9d:1c:64:2c:59:73:c1:6d:53:53:b1:7c:a4" and + 1601856001 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a1dc99e4d5264c45a5090f93242a30a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "K & D KOMPANI d.o.o." and + pe.signatures[i].serial == "0a:1d:c9:9e:4d:52:64:c4:5a:50:90:f9:32:42:a3:0a" and + 1600905601 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_018093cfad72cdf402eecbe18b33ec71 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FAT11 d.o.o." and + pe.signatures[i].serial == "01:80:93:cf:ad:72:cd:f4:02:ee:cb:e1:8b:33:ec:71" and + 1602000390 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_569e03988af60d80ce60728940850d9b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OORT inc." 
and ( + pe.signatures[i].serial == "00:56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" or + pe.signatures[i].serial == "56:9e:03:98:8a:f6:0d:80:ce:60:72:89:40:85:0d:9b" + ) and + 1601006510 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_418f6d959a8a0f82bef07ceba3603e52 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OORT inc." and ( + pe.signatures[i].serial == "00:41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" or + pe.signatures[i].serial == "41:8f:6d:95:9a:8a:0f:82:be:f0:7c:eb:a3:60:3e:52" + ) and + 1601928240 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5378c5bbeba0d3309a35bb47f63037f7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OORT inc." and ( + pe.signatures[i].serial == "00:53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" or + pe.signatures[i].serial == "53:78:c5:bb:eb:a0:d3:30:9a:35:bb:47:f6:30:37:f7" + ) and + 1601427420 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0bab6a2aa84b495d9e554a4c42c0126d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NOSOV SP Z O O" and + pe.signatures[i].serial == "0b:ab:6a:2a:a8:4b:49:5d:9e:55:4a:4c:42:c0:12:6d" and + 1597971600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6314001c3235cd59bcc3f5278c518804 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GIE-MUTUALISTE" and + pe.signatures[i].serial == "63:14:00:1c:32:35:cd:59:bc:c3:f5:27:8c:51:88:04" and + 1600304400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0ed8ade5d73b73dade6943d557ff87e5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Rumikon LLC" and + pe.signatures[i].serial == "0e:d8:ad:e5:d7:3b:73:da:de:69:43:d5:57:ff:87:e5" and + 1597885200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0292c7d574132ba5c0441d1c7ffcb805 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TES LOGISTIKA d.o.o." 
and + pe.signatures[i].serial == "02:92:c7:d5:74:13:2b:a5:c0:44:1d:1c:7f:fc:b8:05" and + 1602183720 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1f23f001458716d435cca1a55d660ec5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Ringen" and + pe.signatures[i].serial == "1f:23:f0:01:45:87:16:d4:35:cc:a1:a5:5d:66:0e:c5" and + 1603176940 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e0ccbdfb4777e10ea6221b90dc350c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TRAUMALAB INTERNATIONAL APS" and + pe.signatures[i].serial == "6e:0c:cb:df:b4:77:7e:10:ea:62:21:b9:0d:c3:50:c2" and + 1603046620 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0ed1847a2ae5d71def1e833fddd33d38 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SNAB-RESURS, OOO" and + pe.signatures[i].serial == "0e:d1:84:7a:2a:e5:d7:1d:ef:1e:83:3f:dd:d3:3d:38" and + 1598662800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_97df46acb26b7c81a13cc467b47688c8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Information Civilized System Oy" and ( + pe.signatures[i].serial == "00:97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" or + pe.signatures[i].serial == "97:df:46:ac:b2:6b:7c:81:a1:3c:c4:67:b4:76:88:c8" + ) and + 1602636910 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_186d49fac34ce99775b8e7ffbf50679d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Hairis LLC" and + pe.signatures[i].serial == "18:6d:49:fa:c3:4c:e9:97:75:b8:e7:ff:bf:50:67:9d" and + 1602234590 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b1aea98bf0ce789b6c952310f14edde0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Absolut LLC" and ( + pe.signatures[i].serial == "00:b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" or + pe.signatures[i].serial == "b1:ae:a9:8b:f0:ce:78:9b:6c:95:23:10:f1:4e:dd:e0" + ) and + 1602612570 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2dcd0699da08915dde6d044cb474157c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VENTE DE TOUT" and + pe.signatures[i].serial == "2d:cd:06:99:da:08:91:5d:de:6d:04:4c:b4:74:15:7c" and + 1601830010 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4b03cabe6a0481f17a2dbeb9aefad425 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RASSVET, OOO" and + pe.signatures[i].serial == "4b:03:ca:be:6a:04:81:f1:7a:2d:be:b9:ae:fa:d4:25" and + 1603230930 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_64cd303fa289790afa03c403e9240002 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MAITLAND TRIFECTA, INC." and + pe.signatures[i].serial == "64:cd:30:3f:a2:89:79:0a:fa:03:c4:03:e9:24:00:02" and + 1602723600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_07cef66a71c35bc3aed6d100c6493863 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Fubon Technologies Ltd" and + pe.signatures[i].serial == "07:ce:f6:6a:71:c3:5b:c3:ae:d6:d1:00:c6:49:38:63" and + 1602740890 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_be77fe5c58b7a360add6a3fced4e8334 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Incar LLC" and ( + pe.signatures[i].serial == "00:be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" or + pe.signatures[i].serial == "be:77:fe:5c:58:b7:a3:60:ad:d6:a3:fc:ed:4e:83:34" + ) and + 1602530730 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f097e59809ae2e771b7b9ae5fc3408d7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ABEL RENOVATIONS, INC." and ( + pe.signatures[i].serial == "00:f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" or + pe.signatures[i].serial == "f0:97:e5:98:09:ae:2e:77:1b:7b:9a:e5:fc:34:08:d7" + ) and + 1602542033 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0cf1ed2a6ff4bee621efdf725ea174b7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LEVEL LIST SP Z O O" and
+ pe.signatures[i].serial == "0c:f1:ed:2a:6f:f4:be:e6:21:ef:df:72:5e:a1:74:b7" and
+ 1603036100 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1249aa2ada4967969b71ce63bf187c38 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Umbrella LLC" and
+ pe.signatures[i].serial == "12:49:aa:2a:da:49:67:96:9b:71:ce:63:bf:18:7c:38" and
+ 1599181200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d59a05955a4a421500f9561ce983aac4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Olymp LLC" and (
+ pe.signatures[i].serial == "00:d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4" or
+ pe.signatures[i].serial == "d5:9a:05:95:5a:4a:42:15:00:f9:56:1c:e9:83:aa:c4"
+ ) and
+ 1601895290 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_539015999e304a5952985a994f9c3a53 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Service lab LLC" and
+ pe.signatures[i].serial == "53:90:15:99:9e:30:4a:59:52:98:5a:99:4f:9c:3a:53" and
+ 1599181200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b1926a5e8ae50a0efa504f005f93869 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Nordkod LLC" and
+ pe.signatures[i].serial == "0b:19:26:a5:e8:ae:50:a0:ef:a5:04:f0:05:f9:38:69" and
+ 1600650000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a23b660e7322e54d7bd0e5acc890966 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ARTBUD RADOM SP Z O O" and
+ pe.signatures[i].serial == "0a:23:b6:60:e7:32:2e:54:d7:bd:0e:5a:cc:89:09:66" and
+ 1601254800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6cfa5050c819c4acbb8fa75979688dff {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Elite Web Development Ltd." and (
+ pe.signatures[i].serial == "00:6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff" or
+ pe.signatures[i].serial == "6c:fa:50:50:c8:19:c4:ac:bb:8f:a7:59:79:68:8d:ff"
+ ) and
+ 1600176940 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_044e05bb1a01a1cbb50cfb6cd24e5d6b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MUSTER PLUS SP Z O O" and
+ pe.signatures[i].serial == "04:4e:05:bb:1a:01:a1:cb:b5:0c:fb:6c:d2:4e:5d:6b" and
+ 1601427600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b7f19b13de9bee8a52ff365ced6f67fa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ALEXIS SECURITY GROUP, LLC" and (
+ pe.signatures[i].serial == "00:b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa" or
+ pe.signatures[i].serial == "b7:f1:9b:13:de:9b:ee:8a:52:ff:36:5c:ed:6f:67:fa"
+ ) and
+ 1574914319 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b61b8e71514059adc604da05c283e514 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "APP DIVISION ApS" and (
+ pe.signatures[i].serial == "00:b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14" or
+ pe.signatures[i].serial == "b6:1b:8e:71:51:40:59:ad:c6:04:da:05:c2:83:e5:14"
+ ) and
+ 1603328400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ece6cbf67dc41635a5e5d075f286af23 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "THRANE AGENTUR ApS" and (
+ pe.signatures[i].serial == "00:ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23" or
+ pe.signatures[i].serial == "ec:e6:cb:f6:7d:c4:16:35:a5:e5:d0:75:f2:86:af:23"
+ ) and
+ 1603369254 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_014a98d697b44f43ded21f18eb6ad0ba {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Hillcoe Software Inc." and
+ pe.signatures[i].serial == "01:4a:98:d6:97:b4:4f:43:de:d2:1f:18:eb:6a:d0:ba" and
+ 1605364760 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_063a7d09107eddd8aa1f733634c6591b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Smart Line Logistics" and
+ pe.signatures[i].serial == "06:3a:7d:09:10:7e:dd:d8:aa:1f:73:36:34:c6:59:1b" and
+ 1605712706 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1e74cfe7de8c5f57840a61034414ca9f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Insta Software Solution Inc." and (
+ pe.signatures[i].serial == "00:1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f" or
+ pe.signatures[i].serial == "1e:74:cf:e7:de:8c:5f:57:84:0a:61:03:44:14:ca:9f"
+ ) and
+ 1601733106 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_75cf729f8a740bbdef183a1c4d86a02f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Umbor LLC" and
+ pe.signatures[i].serial == "75:cf:72:9f:8a:74:0b:bd:ef:18:3a:1c:4d:86:a0:2f" and
+ 1604223894 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2f64677254d3844efdac2922123d05d1 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ORGANICUP ApS" and
+ pe.signatures[i].serial == "2f:64:67:72:54:d3:84:4e:fd:ac:29:22:12:3d:05:d1" and
+ 1605640092 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_32fbf8cfa43dca3f85efabe96dfefa49 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Foxstyle LLC" and
+ pe.signatures[i].serial == "32:fb:f8:cf:a4:3d:ca:3f:85:ef:ab:e9:6d:fe:fa:49" and
+ 1598255906 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ef9d0cf071d463cd63d13083046a7b8d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rubin LLC" and (
+ pe.signatures[i].serial == "00:ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d" or
+ pe.signatures[i].serial == "ef:9d:0c:f0:71:d4:63:cd:63:d1:30:83:04:6a:7b:8d"
+ ) and
+ 1605358307 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_115cf1353a0e33e19099a4867a4c750a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "212 NY Gifts, Inc." and (
+ pe.signatures[i].serial == "00:11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a" or
+ pe.signatures[i].serial == "11:5c:f1:35:3a:0e:33:e1:90:99:a4:86:7a:4c:75:0a"
+ ) and
+ 1605515909 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5cf3778bb11115a884e192a7cb807599 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SLOMATIC d.o.o." and (
+ pe.signatures[i].serial == "00:5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99" or
+ pe.signatures[i].serial == "5c:f3:77:8b:b1:11:15:a8:84:e1:92:a7:cb:80:75:99"
+ ) and
+ 1605006199 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_82cb93593b658100cdd7a00c874287f2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Sportsonline24 B.V." and (
+ pe.signatures[i].serial == "00:82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2" or
+ pe.signatures[i].serial == "82:cb:93:59:3b:65:81:00:cd:d7:a0:0c:87:42:87:f2"
+ ) and
+ 1605117874 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9a8bcfd05f86b15d0c99f50cf414bd00 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AI Software a.s." and (
+ pe.signatures[i].serial == "00:9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00" or
+ pe.signatures[i].serial == "9a:8b:cf:d0:5f:86:b1:5d:0c:99:f5:0c:f4:14:bd:00"
+ ) and
+ 1592442000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_95e5793f2abe0b4ec9be54fd24f76ae5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Kommservice LLC" and (
+ pe.signatures[i].serial == "00:95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5" or
+ pe.signatures[i].serial == "95:e5:79:3f:2a:be:0b:4e:c9:be:54:fd:24:f7:6a:e5"
+ ) and
+ 1604933746 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_133565779808c3b79d8e3f70a9c3ffac {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Istok" and
+ pe.signatures[i].serial == "13:35:65:77:98:08:c3:b7:9d:8e:3f:70:a9:c3:ff:ac" and
+ 1605019819 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7e0ccda0ef37acef6c2ebe4538627e5c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Orangetree B.V." and (
+ pe.signatures[i].serial == "00:7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c" or
+ pe.signatures[i].serial == "7e:0c:cd:a0:ef:37:ac:ef:6c:2e:be:45:38:62:7e:5c"
+ ) and
+ 1606159604 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_bad35fd70025d46c56b89e32b1a3954c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Fort LLC" and (
+ pe.signatures[i].serial == "00:ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c" or
+ pe.signatures[i].serial == "ba:d3:5f:d7:00:25:d4:6c:56:b8:9e:32:b1:a3:95:4c"
+ ) and
+ 1604937337 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7b91468122273aa32b7cfc80c331ea13 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO KBI" and
+ pe.signatures[i].serial == "7b:91:46:81:22:27:3a:a3:2b:7c:fc:80:c3:31:ea:13" and
+ 1586942863 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3e267b5d14cdf1f645c1ec545cec3aee {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO KBI" and
+ pe.signatures[i].serial == "3e:26:7b:5d:14:cd:f1:f6:45:c1:ec:54:5c:ec:3a:ee" and
+ 1579825892 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ae6d3c0269ef6497e14379c51a8507ba {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VELES PROPERTIES LIMITED" and (
+ pe.signatures[i].serial == "00:ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba" or
+ pe.signatures[i].serial == "ae:6d:3c:02:69:ef:64:97:e1:43:79:c5:1a:85:07:ba"
+ ) and
+ 1578566034 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fd8c468cc1b45c9cfb41cbd8c835cc9e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Pivo ZLoun s.r.o." and (
+ pe.signatures[i].serial == "00:fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e" or
+ pe.signatures[i].serial == "fd:8c:46:8c:c1:b4:5c:9c:fb:41:cb:d8:c8:35:cc:9e"
+ ) and
+ 1604019600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7c061baa3118327255161f6a7fa4e21d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "YUTAKS, OOO" and (
+ pe.signatures[i].serial == "00:7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d" or
+ pe.signatures[i].serial == "7c:06:1b:aa:31:18:32:72:55:16:1f:6a:7f:a4:e2:1d"
+ ) and
+ 1599611338 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_04332c16724ffeda5868d22af56aea43 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Bespoke Software Solutions Limited" and
+ pe.signatures[i].serial == "04:33:2c:16:72:4f:fe:da:58:68:d2:2a:f5:6a:ea:43" and
+ 1597971601 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_030012f134e64347669f3256c7d050c5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Futumarket LLC" and
+ pe.signatures[i].serial == "03:00:12:f1:34:e6:43:47:66:9f:32:56:c7:d0:50:c5" and
+ 1604036657 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fa3dcac19b884b44ef4f81541184d6b0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Unicom Ltd" and (
+ pe.signatures[i].serial == "00:fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0" or
+ pe.signatures[i].serial == "fa:3d:ca:c1:9b:88:4b:44:ef:4f:81:54:11:84:d6:b0"
+ ) and
+ 1603958571 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0e6f4cb8b06e01c3bd296ace3a95f814 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EVATON, s.r.o." and
+ pe.signatures[i].serial == "0e:6f:4c:b8:b0:6e:01:c3:bd:29:6a:ce:3a:95:f8:14" and
+ 1603957781 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_085b70224253486624fc36fa658a1e32 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Best Fud, OOO" and
+ pe.signatures[i].serial == "08:5b:70:22:42:53:48:66:24:fc:36:fa:65:8a:1e:32" and
+ 1597971601 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_51cd5393514f7ace2b407c3dbfb09d8d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "APPI CZ a.s" and
+ pe.signatures[i].serial == "51:cd:53:93:51:4f:7a:ce:2b:40:7c:3d:bf:b0:9d:8d" and
+ 1605299467 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b72179c027b9037ee220e81ab18fe56d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Planeta, TOV" and (
+ pe.signatures[i].serial == "00:b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d" or
+ pe.signatures[i].serial == "b7:21:79:c0:27:b9:03:7e:e2:20:e8:1a:b1:8f:e5:6d"
+ ) and
+ 1603381300 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_07b74c70c4aa092648b7f0d1a8a3a28f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rad-Grad D.O.O." and
+ pe.signatures[i].serial == "07:b7:4c:70:c4:aa:09:26:48:b7:f0:d1:a8:a3:a2:8f" and
+ 1603240965 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4c8def294478b7d59ee95c61fae3d965 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DREAM SECURITY USA INC" and
+ pe.signatures[i].serial == "4c:8d:ef:29:44:78:b7:d5:9e:e9:5c:61:fa:e3:d9:65" and
+ 1592961292 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7d36cbb64bc9add17ba71737d3ecceca {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LTD SERVICES LIMITED" and
+ pe.signatures[i].serial == "7d:36:cb:b6:4b:c9:ad:d1:7b:a7:17:37:d3:ec:ce:ca" and
+ 1616025600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ad255d4ebefa751f3782587396c08629 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Ornitek" and (
+ pe.signatures[i].serial == "00:ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29" or
+ pe.signatures[i].serial == "ad:25:5d:4e:be:fa:75:1f:37:82:58:73:96:c0:86:29"
+ ) and
+ 1614643200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_262ca7ae19d688138e75932832b18f9d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Bisoyetutu Ltd Ltd" and
+ pe.signatures[i].serial == "26:2c:a7:ae:19:d6:88:13:8e:75:93:28:32:b1:8f:9d" and
+ 1616025600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_59a57e8ba3dcf2b6f59981fda14b03 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Medium LLC" and
+ pe.signatures[i].serial == "59:a5:7e:8b:a3:dc:f2:b6:f5:99:81:fd:a1:4b:03" and
+ 1609113600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_aebe117a13b8bca21685df48c74f584d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "NANAX d.o.o." and (
+ pe.signatures[i].serial == "00:ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d" or
+ pe.signatures[i].serial == "ae:be:11:7a:13:b8:bc:a2:16:85:df:48:c7:4f:58:4d"
+ ) and
+ 1613520000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7dcd19a94535f034ee36af4676740633 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Toko Saya ApS" and
+ pe.signatures[i].serial == "7d:cd:19:a9:45:35:f0:34:ee:36:af:46:76:74:06:33" and
+ 1609200000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ca4822e6905aa4fca9e28523f04f14a3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ELISTREID, OOO" and (
+ pe.signatures[i].serial == "00:ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3" or
+ pe.signatures[i].serial == "ca:48:22:e6:90:5a:a4:fc:a9:e2:85:23:f0:4f:14:a3"
+ ) and
+ 1614643200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_24c1ef800f275ab2780280c595de3464 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HOLGAN LIMITED" and
+ pe.signatures[i].serial == "24:c1:ef:80:0f:27:5a:b2:78:02:80:c5:95:de:34:64" and
+ 1614729600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6401831b46588b9d872b02076c3a7b00 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ACTIV GROUP ApS" and
+ pe.signatures[i].serial == "64:01:83:1b:46:58:8b:9d:87:2b:02:07:6c:3a:7b:00" and
+ 1615507200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a01a91cce63ede5eaa3dac4883aea05 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Seacloud Technologies Pte. Ltd." and
+ pe.signatures[i].serial == "0a:01:a9:1c:ce:63:ed:e5:ea:a3:da:c4:88:3a:ea:05" and
+ 1618876800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_54cd7ae1c27f1421136ed25088f4979a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ABBYMAJUTA LTD LIMITED" and
+ pe.signatures[i].serial == "54:cd:7a:e1:c2:7f:14:21:13:6e:d2:50:88:f4:97:9a" and
+ 1616371200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_f2d693aad63e6920782a0027dfc97d91 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EKO-KHIM TOV" and (
+ pe.signatures[i].serial == "00:f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91" or
+ pe.signatures[i].serial == "f2:d6:93:aa:d6:3e:69:20:78:2a:00:27:df:c9:7d:91"
+ ) and
+ 1598989763 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_f8e8f6c92ba666b0688a8cacce9acccf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "5 th Dimension LTD Oy" and (
+ pe.signatures[i].serial == "00:f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf" or
+ pe.signatures[i].serial == "f8:e8:f6:c9:2b:a6:66:b0:68:8a:8c:ac:ce:9a:cc:cf"
+ ) and
+ 1618531200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e3d5089d4b8f01aadce2731062fb0cce {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DEVELOP - Residence s. r. o." and (
+ pe.signatures[i].serial == "00:e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce" or
+ pe.signatures[i].serial == "e3:d5:08:9d:4b:8f:01:aa:dc:e2:73:10:62:fb:0c:ce"
+ ) and
+ 1618358400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7ed801843fa001b8add52d3a97b25931 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AM El-Teknik ApS" and
+ pe.signatures[i].serial == "7e:d8:01:84:3f:a0:01:b8:ad:d5:2d:3a:97:b2:59:31" and
+ 1614297600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d9e834182dec62c654e775e809ac1d1b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FoodLehto Oy" and (
+ pe.signatures[i].serial == "00:d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b" or
+ pe.signatures[i].serial == "d9:e8:34:18:2d:ec:62:c6:54:e7:75:e8:09:ac:1d:1b"
+ ) and
+ 1614297600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_801689896ed339237464a41a2900a969 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "GLG Rental ApS" and (
+ pe.signatures[i].serial == "00:80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69" or
+ pe.signatures[i].serial == "80:16:89:89:6e:d3:39:23:74:64:a4:1a:29:00:a9:69"
+ ) and
+ 1615507200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3fd3661533eef209153c9afec3ba4d8a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SFB Regnskabsservice ApS" and
+ pe.signatures[i].serial == "3f:d3:66:15:33:ee:f2:09:15:3c:9a:fe:c3:ba:4d:8a" and
+ 1614816000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0ced87bd70b092cb93b182fac32655f6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Creator Soft Limited" and
+ pe.signatures[i].serial == "0c:ed:87:bd:70:b0:92:cb:93:b1:82:fa:c3:26:55:f6" and
+ 1614816000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_047801d5b55c800b48411fd8c320ca5b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LICHFIELD STUDIO GLASS LIMITED" and
+ pe.signatures[i].serial == "04:78:01:d5:b5:5c:80:0b:48:41:1f:d8:c3:20:ca:5b" and
+ 1614297600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f0ed5318848703405d40f7c62d0f39a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SIES UPRAVLENIE PROTSESSAMI, OOO" and
+ pe.signatures[i].serial == "0f:0e:d5:31:88:48:70:34:05:d4:0f:7c:62:d0:f3:9a" and
+ 1614729600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4e7545c9fc5938f5198ab9f1749ca31c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "For M d.o.o." and
+ pe.signatures[i].serial == "4e:75:45:c9:fc:59:38:f5:19:8a:b9:f1:74:9c:a3:1c" and
+ 1614297600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7ddd3796a427b42f2e52d7c7af0ca54f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Fobos" and
+ pe.signatures[i].serial == "7d:dd:37:96:a4:27:b4:2f:2e:52:d7:c7:af:0c:a5:4f" and
+ 1612915200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_03b27d7f4ee21a462a064a17eef70d6c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CCL TRADING LIMITED" and
+ pe.signatures[i].serial == "03:b2:7d:7f:4e:e2:1a:46:2a:06:4a:17:ee:f7:0d:6c" and
+ 1613952000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b0a308fc2e71ac4ac40677b9c27ccbad {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Volpayk LLC" and (
+ pe.signatures[i].serial == "00:b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad" or
+ pe.signatures[i].serial == "b0:a3:08:fc:2e:71:ac:4a:c4:06:77:b9:c2:7c:cb:ad"
+ ) and
+ 1611705600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_61b11ef9726ab2e78132e01bd791b336 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Skalari" and
+ pe.signatures[i].serial == "61:b1:1e:f9:72:6a:b2:e7:81:32:e0:1b:d7:91:b3:36" and
+ 1609372800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_8fe807310d98357a59382090634b93f0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MAVE MEDIA" and (
+ pe.signatures[i].serial == "00:8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0" or
+ pe.signatures[i].serial == "8f:e8:07:31:0d:98:35:7a:59:38:20:90:63:4b:93:f0"
+ ) and
+ 1613433600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_b97f66bb221772dc07ef1d4bed8f6085 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "S-PRO d.o.o." and (
+ pe.signatures[i].serial == "00:b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85" or
+ pe.signatures[i].serial == "b9:7f:66:bb:22:17:72:dc:07:ef:1d:4b:ed:8f:60:85"
+ ) and
+ 1614556800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fed006fbf85cd1c6ba6b4345b198e1e6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LoL d.o.o." and (
+ pe.signatures[i].serial == "00:fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6" or
+ pe.signatures[i].serial == "fe:d0:06:fb:f8:5c:d1:c6:ba:6b:43:45:b1:98:e1:e6"
+ ) and
+ 1614297600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_aa28c9bd16d9d304f18af223b27bfa1e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Tecno trade d.o.o."
and (
+ pe.signatures[i].serial == "00:aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e" or
+ pe.signatures[i].serial == "aa:28:c9:bd:16:d9:d3:04:f1:8a:f2:23:b2:7b:fa:1e"
+ ) and
+ 1611705600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_19beff8a6c129663e5e8c18953dc1f67 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CULNADY LTD LTD" and
+ pe.signatures[i].serial == "19:be:ff:8a:6c:12:96:63:e5:e8:c1:89:53:dc:1f:67" and
+ 1608163200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_029685cda1c8233d2409a31206f78f9f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "KOTO TRADE, dru\\xC5\\xBEba za posredovanje, d.o.o." and
+ pe.signatures[i].serial == "02:96:85:cd:a1:c8:23:3d:24:09:a3:12:06:f7:8f:9f" and
+ 1612396800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d609b6c95428954a999a8a99d4f198af {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Fudl" and (
+ pe.signatures[i].serial == "00:d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af" or
+ pe.signatures[i].serial == "d6:09:b6:c9:54:28:95:4a:99:9a:8a:99:d4:f1:98:af"
+ ) and
+ 1612828800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d3356318924c8c42959bf1d1574e6482 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ADV TOURS d.o.o." and (
+ pe.signatures[i].serial == "00:d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82" or
+ pe.signatures[i].serial == "d3:35:63:18:92:4c:8c:42:95:9b:f1:d1:57:4e:64:82"
+ ) and
+ 1613001600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_31d852f5fca1a5966b5ed08a14825c54 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BBT KLA d.o.o." and
+ pe.signatures[i].serial == "31:d8:52:f5:fc:a1:a5:96:6b:5e:d0:8a:14:82:5c:54" and
+ 1612396800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_17d99cc2f5b29522d422332e681f3e18 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PKV Trading ApS" and
+ pe.signatures[i].serial == "17:d9:9c:c2:f5:b2:95:22:d4:22:33:2e:68:1f:3e:18" and
+ 1613088000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6a568f85de2061f67ded98707d4988df {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Apladis" and
+ pe.signatures[i].serial == "6a:56:8f:85:de:20:61:f6:7d:ed:98:70:7d:49:88:df" and
+ 1613001600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_038fc745523b41b40d653b83aa381b80 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Optima" and
+ pe.signatures[i].serial == "03:8f:c7:45:52:3b:41:b4:0d:65:3b:83:aa:38:1b:80" and
+ 1606143708 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_30af0d0e6d8201a5369664c5ebbb010f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "3N-\\xC5\\xA0PORT podjetje za in\\xC5\\xBEeniring, storitve in trgovino d.o.o."
and
+ pe.signatures[i].serial == "30:af:0d:0e:6d:82:01:a5:36:96:64:c5:eb:bb:01:0f" and
+ 1613433600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ac0a7b9420b369af3ddb748385b981 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Tochka" and (
+ pe.signatures[i].serial == "00:ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81" or
+ pe.signatures[i].serial == "ac:0a:7b:94:20:b3:69:af:3d:db:74:83:85:b9:81"
+ ) and
+ 1604620800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c167f04b338b1e8747b92c2197403c43 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FORTUNE STAR TRADING, INC." and (
+ pe.signatures[i].serial == "00:c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43" or
+ pe.signatures[i].serial == "c1:67:f0:4b:33:8b:1e:87:47:b9:2c:21:97:40:3c:43"
+ ) and
+ 1604361600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9272607cfc982b782a5d36c4b78f5e7b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rada SP Z o o" and (
+ pe.signatures[i].serial == "00:92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b" or
+ pe.signatures[i].serial == "92:72:60:7c:fc:98:2b:78:2a:5d:36:c4:b7:8f:5e:7b"
+ ) and
+ 1605139200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_45eb9187a2505d8e6c842e6d366ad0c8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BAKERA s.r.o." and
+ pe.signatures[i].serial == "45:eb:91:87:a2:50:5d:8e:6c:84:2e:6d:36:6a:d0:c8" and
+ 1607040000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_56fff139df5ae7e788e5d72196dd563a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Cifromatika LLC" and
+ pe.signatures[i].serial == "56:ff:f1:39:df:5a:e7:e7:88:e5:d7:21:96:dd:56:3a" and
+ 1606435200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e161f76da3b5e4623892c8e6fda1ea3d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TGN Nedelica d.o.o."
and (
+ pe.signatures[i].serial == "00:e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d" or
+ pe.signatures[i].serial == "e1:61:f7:6d:a3:b5:e4:62:38:92:c8:e6:fd:a1:ea:3d"
+ ) and
+ 1604966400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9ae5b177ac3a7ce2aadf1c891b574924 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Kolorit" and (
+ pe.signatures[i].serial == "00:9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24" or
+ pe.signatures[i].serial == "9a:e5:b1:77:ac:3a:7c:e2:aa:df:1c:89:1b:57:49:24"
+ ) and
+ 1608076800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a03ea3a4fa772b17037a0b80f1f968aa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DREVOKAPITAL, s.r.o." and (
+ pe.signatures[i].serial == "00:a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa" or
+ pe.signatures[i].serial == "a0:3e:a3:a4:fa:77:2b:17:03:7a:0b:80:f1:f9:68:aa"
+ ) and
+ 1608076800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_333ca7d100b139b0d9c1a97cb458e226 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "FSE, d.o.o."
and
+ pe.signatures[i].serial == "33:3c:a7:d1:00:b1:39:b0:d9:c1:a9:7c:b4:58:e2:26" and
+ 1608076800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9245d1511923f541844faa3c6bfebcbe {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "LEHTEH d.o.o., Ljubljana" and (
+ pe.signatures[i].serial == "00:92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be" or
+ pe.signatures[i].serial == "92:45:d1:51:19:23:f5:41:84:4f:aa:3c:6b:fe:bc:be"
+ ) and
+ 1607040000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2888cf0f953a4a3640ee4cfc6304d9d4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Lotte Schmidt" and
+ pe.signatures[i].serial == "28:88:cf:0f:95:3a:4a:36:40:ee:4c:fc:63:04:d9:d4" and
+ 1608024974 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c8edcfe8be174c2f204d858c5b91dea5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Paarcopy Oy" and (
+ pe.signatures[i].serial == "00:c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5" or
+ pe.signatures[i].serial == "c8:ed:cf:e8:be:17:4c:2f:20:4d:85:8c:5b:91:de:a5"
+ ) and
+ 1608076800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9faf8705a3eaef9340800cc4fd38597c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Tekhnokod LLC" and (
+ pe.signatures[i].serial == "00:9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c" or
+ pe.signatures[i].serial == "9f:af:87:05:a3:ea:ef:93:40:80:0c:c4:fd:38:59:7c"
+ ) and
+ 1605744000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0940fa9a4080f35052b2077333769c2f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PROFF LAIN, OOO" and
+ pe.signatures[i].serial == "09:40:fa:9a:40:80:f3:50:52:b2:07:73:33:76:9c:2f" and
+ 1603497600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ea720222d92dc8d48e3b3c3b0fc360a6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CAVANAGH NETS LIMITED" and (
+ pe.signatures[i].serial == "00:ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6" or
+ pe.signatures[i].serial == "ea:72:02:22:d9:2d:c8:d4:8e:3b:3c:3b:0f:c3:60:a6"
+ ) and
+ 1608640280 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4743e140c05b33f0449023946bd05acb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "STROI RENOV SARL" and
+ pe.signatures[i].serial == "47:43:e1:40:c0:5b:33:f0:44:90:23:94:6b:d0:5a:cb" and
+ 1607644800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a496bc774575c31abec861b68c36dcb6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ORGLE DVORSAK, d.o.o" and (
+ pe.signatures[i].serial == "00:a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6" or
+ pe.signatures[i].serial == "a4:96:bc:77:45:75:c3:1a:be:c8:61:b6:8c:36:dc:b6"
+ ) and
+ 1606867200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a55c15f733bf1633e9ffae8a6e3b37d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Osnova OOO" and
+ pe.signatures[i].serial == "0a:55:c1:5f:73:3b:f1:63:3e:9f:fa:e8:a6:e3:b3:7d" and
+ 1604016000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c650ae531100a91389a7f030228b3095 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "POKEROWA STRUNA SP Z O O" and (
+ pe.signatures[i].serial == "00:c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95" or
+ pe.signatures[i].serial == "c6:50:ae:53:11:00:a9:13:89:a7:f0:30:22:8b:30:95"
+ ) and
+ 1606089600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3990362c34015ce4c23ecc3377fd3c06 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "RZOH ApS" and
+ pe.signatures[i].serial == "39:90:36:2c:34:01:5c:e4:c2:3e:cc:33:77:fd:3c:06" and
+ 1606780800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_121fca3cfa4bd011669f5cc4e053aa3f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Kymijoen Projektipalvelut Oy" and
+ pe.signatures[i].serial == "12:1f:ca:3c:fa:4b:d0:11:66:9f:5c:c4:e0:53:aa:3f" and
+ 1606953600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d338f8a490e37e6c2be80a0e349929fa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAGUARO ApS" and (
+ pe.signatures[i].serial == "00:d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa" or
+ pe.signatures[i].serial == "d3:38:f8:a4:90:e3:7e:6c:2b:e8:0a:0e:34:99:29:fa"
+ ) and
+ 1607558400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2c1ee9b583310b5e34a1ee6945a34b26 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OOO Artmarket" and
+ pe.signatures[i].serial == "2c:1e:e9:b5:83:31:0b:5e:34:a1:ee:69:45:a3:4b:26" and
+ 1607558400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d875b3e3f2db6c3eb426e24946066111 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Kubit LLC" and (
+ pe.signatures[i].serial == "00:d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11" or
+ pe.signatures[i].serial == "d8:75:b3:e3:f2:db:6c:3e:b4:26:e2:49:46:06:61:11"
+ ) and
+ 1606953600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ad0a958cdf188bed43154a54bf23afba {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "RHM Ltd" and (
+ pe.signatures[i].serial == "00:ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba" or
+ pe.signatures[i].serial == "ad:0a:95:8c:df:18:8b:ed:43:15:4a:54:bf:23:af:ba"
+ ) and
+ 1612915200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3cee26c125b8c188f316c3fa78d9c2f1 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Bitubit LLC" and
+ pe.signatures[i].serial == "3c:ee:26:c1:25:b8:c1:88:f3:16:c3:fa:78:d9:c2:f1" and
+ 1606435200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4c687a0022c36f89e253f91d1f6954e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HETCO ApS" and
+ pe.signatures[i].serial == "4c:68:7a:00:22:c3:6f:89:e2:53:f9:1d:1f:69:54:e2" and
+ 1606780800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ca646b4275406df639cf603756f63d77 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SHOECORP LIMITED" and (
+ pe.signatures[i].serial == "00:ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77" or
+ pe.signatures[i].serial == "ca:64:6b:42:75:40:6d:f6:39:cf:60:37:56:f6:3d:77"
+ ) and
+ 1605830400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_addbec454b5479cabd940a72df4500af {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SHAT LIMITED" and (
+ pe.signatures[i].serial == "00:ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af" or
+ pe.signatures[i].serial == "ad:db:ec:45:4b:54:79:ca:bd:94:0a:72:df:45:00:af"
+ ) and
+ 1612828800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ac307e5257bb814b818d3633b630326f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Aqua Direct s.r.o."
and (
+ pe.signatures[i].serial == "00:ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f" or
+ pe.signatures[i].serial == "ac:30:7e:52:57:bb:81:4b:81:8d:36:33:b6:30:32:6f"
+ ) and
+ 1606089600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0d83e7f47189cdbfc7fa3e5f58882329 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "THE WIZARD GIFT CORPORATION" and
+ pe.signatures[i].serial == "0d:83:e7:f4:71:89:cd:bf:c7:fa:3e:5f:58:88:23:29" and
+ 1605830400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_58aa64564a50e8b2d6e31d5cd6250fde {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Foreground" and
+ pe.signatures[i].serial == "58:aa:64:56:4a:50:e8:b2:d6:e3:1d:5c:d6:25:0f:de" and
+ 1609002028 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2aa0ae245b487c8926c88ee6d736d1ca {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PILOTE SPRL" and
+ pe.signatures[i].serial == "2a:a0:ae:24:5b:48:7c:89:26:c8:8e:e6:d7:36:d1:ca" and
+ 1612262280 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1aec3d3f752a38617c1d7a677d0b5591 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SILVER d.o.o." and
+ pe.signatures[i].serial == "1a:ec:3d:3f:75:2a:38:61:7c:1d:7a:67:7d:0b:55:91" and
+ 1611705600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a7e1dc5352c3852c5523030f57f2425c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Pushka LLC" and (
+ pe.signatures[i].serial == "00:a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c" or
+ pe.signatures[i].serial == "a7:e1:dc:53:52:c3:85:2c:55:23:03:0f:57:f2:42:5c"
+ ) and
+ 1611792000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_bbd4dc3768a51aa2b3059c1bad569276 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JJ ELECTRICAL SERVICES LIMITED" and ( + pe.signatures[i].serial == "00:bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" or + pe.signatures[i].serial == "bb:d4:dc:37:68:a5:1a:a2:b3:05:9c:1b:ad:56:92:76" + ) and + 1607472000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08622b9dd9d78e67678ecc21e026522e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kayak Republic af 2015 APS" and + pe.signatures[i].serial == "08:62:2b:9d:d9:d7:8e:67:67:8e:cc:21:e0:26:52:2e" and + 1611619200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e69a6de0074ece38c2f30f0d4a808456 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Semantic" and ( + pe.signatures[i].serial == "00:e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" or + pe.signatures[i].serial == "e6:9a:6d:e0:07:4e:ce:38:c2:f3:0f:0d:4a:80:84:56" + ) and + 1611532800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8385684419ab26a3f2640b1496e1fe94 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CAUSE FOR CHANGE LTD" and ( + pe.signatures[i].serial == "00:83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" or + pe.signatures[i].serial == "83:85:68:44:19:ab:26:a3:f2:64:0b:14:96:e1:fe:94" + ) and + 1612137600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_21e3cae5b77c41528658ada08509c392 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Network Design International Holdings Limited" and + pe.signatures[i].serial == "21:e3:ca:e5:b7:7c:41:52:86:58:ad:a0:85:09:c3:92" and + 1609233559 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2abd2eef14d480dfea9ca9fdd823cf03 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BE SOL d.o.o." and + pe.signatures[i].serial == "2a:bd:2e:ef:14:d4:80:df:ea:9c:a9:fd:d8:23:cf:03" and + 1611100800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_86909b91f07f9316984d888d1e28ab76 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dantherm Intelligent Monitoring A/S" and ( + pe.signatures[i].serial == "00:86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" or + pe.signatures[i].serial == "86:90:9b:91:f0:7f:93:16:98:4d:88:8d:1e:28:ab:76" + ) and + 1611273600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d1b8f1fe56381befdb2e73ffef2a4b28 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sein\\xC3\\xA4joen Squash ja Bowling Oy" and ( + pe.signatures[i].serial == "00:d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" or + pe.signatures[i].serial == "d1:b8:f1:fe:56:38:1b:ef:db:2e:73:ff:ef:2a:4b:28" + ) and + 1617667200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d4ef1ab6ab5d3cb35e4efb7984def7a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REIGN BROS ApS" and ( + pe.signatures[i].serial == "00:d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" or + pe.signatures[i].serial == "d4:ef:1a:b6:ab:5d:3c:b3:5e:4e:fb:79:84:de:f7:a2" + ) and + 1611187200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_066276af2f2c7e246d3b1cab1b4aa42e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IQ Trade ApS" and + pe.signatures[i].serial == "06:62:76:af:2f:2c:7e:24:6d:3b:1c:ab:1b:4a:a4:2e" and + 1616630400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_65cd323c2483668b90a44a711d2a6b98 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Giperion" and + pe.signatures[i].serial == "65:cd:32:3c:24:83:66:8b:90:a4:4a:71:1d:2a:6b:98" and + 1602547200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5a17d5de74fd8f09df596df3123139bb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ACTA FIS d.o.o." and + pe.signatures[i].serial == "5a:17:d5:de:74:fd:8f:09:df:59:6d:f3:12:31:39:bb" and + 1611273600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_15da61d7e1a631803431561674fb9b90 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JAY DANCE STUDIO d.o.o." 
and + pe.signatures[i].serial == "15:da:61:d7:e1:a6:31:80:34:31:56:16:74:fb:9b:90" and + 1610668800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7ab21306b11ff280a93fc445876988ab { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ABC BIOS d.o.o." and + pe.signatures[i].serial == "7a:b2:13:06:b1:1f:f2:80:a9:3f:c4:45:87:69:88:ab" and + 1611014400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_634e16e38f12e9a71aca08e4c6b2dbb9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AUTO RESPONSE LTD CYF" and + pe.signatures[i].serial == "63:4e:16:e3:8f:12:e9:a7:1a:ca:08:e4:c6:b2:db:b9" and + 1616112000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_289051a83f350a2c600187c99b6c0a73 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HALL HAULAGE LTD LTD" and + pe.signatures[i].serial == "28:90:51:a8:3f:35:0a:2c:60:01:87:c9:9b:6c:0a:73" and + 1616716800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_818631110b5d14331dac7e6ad998b902 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "2 TOY GUYS LLC" and ( + pe.signatures[i].serial == "00:81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" or + pe.signatures[i].serial == "81:86:31:11:0b:5d:14:33:1d:ac:7e:6a:d9:98:b9:02" + ) and + 1571616000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_277cd16de5d61b9398b645afe41c09c7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THE SIGN COMPANY LIMITED" and + pe.signatures[i].serial == "27:7c:d1:6d:e5:d6:1b:93:98:b6:45:af:e4:1c:09:c7" and + 1619049600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d0eda76c13d30c97015708790bb94214 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LAEN ApS" and ( + pe.signatures[i].serial == "00:d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" or + pe.signatures[i].serial == "d0:ed:a7:6c:13:d3:0c:97:01:57:08:79:0b:b9:42:14" + ) and + 1619136000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6333ed618f88a05b4d82ad7bf66cb0fa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RHM LIMITED" and + pe.signatures[i].serial == "63:33:ed:61:8f:88:a0:5b:4d:82:ad:7b:f6:6c:b0:fa" and + 1616457600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3b777165b125bccc181d0bac3f5b55b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STAND ALONE MUSIC LTD" and + pe.signatures[i].serial == "3b:77:71:65:b1:25:bc:cc:18:1d:0b:ac:3f:5b:55:b3" and + 1607299200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b37ac3479283b6f9d75ddf0f8742d06 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ART BOOK PHOTO s.r.o." and + pe.signatures[i].serial == "5b:37:ac:34:79:28:3b:6f:9d:75:dd:f0:f8:74:2d:06" and + 1619740800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3112c69d460c781fd649c71e61bfec82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KREATURHANDLER BJARNE ANDERSEN ApS" and + pe.signatures[i].serial == "31:12:c6:9d:46:0c:78:1f:d6:49:c7:1e:61:bf:ec:82" and + 1614902400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a5b4f67ad8b22afc2debe6ce5f8f679 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Farad LLC" and + pe.signatures[i].serial == "0a:5b:4f:67:ad:8b:22:af:c2:de:be:6c:e5:f8:f6:79" and + 1607472000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_df45b36c9d0bd248c3f9494e7ca822 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MPO STORITVE d.o.o." and ( + pe.signatures[i].serial == "00:df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" or + pe.signatures[i].serial == "df:45:b3:6c:9d:0b:d2:48:c3:f9:49:4e:7c:a8:22" + ) and + 1619740800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1ae3c4eccecda2127d43be390a850dda { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PARTYNET LIMITED" and + pe.signatures[i].serial == "1a:e3:c4:ec:ce:cd:a2:12:7d:43:be:39:0a:85:0d:da" and + 1614902400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2e36360538624c9b1afd78a2fb756028 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ts Trade ApS" and + pe.signatures[i].serial == "2e:36:36:05:38:62:4c:9b:1a:fd:78:a2:fb:75:60:28" and + 1615766400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_addb899f8229fd53e6435e08bbd3a733 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "U.K. STEEL EXPORTS LIMITED" and ( + pe.signatures[i].serial == "00:ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" or + pe.signatures[i].serial == "ad:db:89:9f:82:29:fd:53:e6:43:5e:08:bb:d3:a7:33" + ) and + 1616630400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c1a1db95d7bf80290aa6e82d8f8f996a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Software Two Pty Ltd" and ( + pe.signatures[i].serial == "00:c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" or + pe.signatures[i].serial == "c1:a1:db:95:d7:bf:80:29:0a:a6:e8:2d:8f:8f:99:6a" + ) and + 1615334400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c667ffe3a5b0a5ae7cf3a9e41682e91b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and ( + pe.signatures[i].serial == "00:c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" or + pe.signatures[i].serial == "c6:67:ff:e3:a5:b0:a5:ae:7c:f3:a9:e4:16:82:e9:1b" + ) and + 1616976000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e0a83917660d05cf476374659d3c7b85 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PIK MOTEL S.R.L." and ( + pe.signatures[i].serial == "00:e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" or + pe.signatures[i].serial == "e0:a8:39:17:66:0d:05:cf:47:63:74:65:9d:3c:7b:85" + ) and + 1621468800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_afc5522898143aafaab7fd52304cf00c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "YAN CHING LIMITED" and ( + pe.signatures[i].serial == "00:af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" or + pe.signatures[i].serial == "af:c5:52:28:98:14:3a:af:aa:b7:fd:52:30:4c:f0:0c" + ) and + 1622419200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8b3333d32b2c2a1d33b41ba5db9d4d2d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BOOK CAF\\xC3\\x89, s.r.o." and ( + pe.signatures[i].serial == "00:8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" or + pe.signatures[i].serial == "8b:33:33:d3:2b:2c:2a:1d:33:b4:1b:a5:db:9d:4d:2d" + ) and + 1620000000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fbb1198bd8bddb0d693eb72a8613fe3f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Trade Hunters, s. r. o." and ( + pe.signatures[i].serial == "00:fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" or + pe.signatures[i].serial == "fb:b1:19:8b:d8:bd:db:0d:69:3e:b7:2a:86:13:fe:3f" + ) and + 1620000000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_846f77d9919fc4405aefe1701309bd67 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IPM Skupina d.o.o." and ( + pe.signatures[i].serial == "00:84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" or + pe.signatures[i].serial == "84:6f:77:d9:91:9f:c4:40:5a:ef:e1:70:13:09:bd:67" + ) and + 1621382400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0939c2bad859c0432e8e98a6c0162c02 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Activ Expeditions ApS" and + pe.signatures[i].serial == "09:39:c2:ba:d8:59:c0:43:2e:8e:98:a6:c0:16:2c:02" and + 1615939200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7fba0e19919ac50d700ba60250d02c8b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Diamartis" and + pe.signatures[i].serial == "7f:ba:0e:19:91:9a:c5:0d:70:0b:a6:02:50:d0:2c:8b" and + 1623196800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a758504e7971869d0aec2775fffa03d5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Amcert LLC" and ( + pe.signatures[i].serial == "00:a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" or + pe.signatures[i].serial == "a7:58:50:4e:79:71:86:9d:0a:ec:27:75:ff:fa:03:d5" + ) and + 1623628800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_37a67cf754ee5ae284b4cf8b9d651604 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTH PROPERTY LTD" and + pe.signatures[i].serial == "37:a6:7c:f7:54:ee:5a:e2:84:b4:cf:8b:9d:65:16:04" and + 1617321600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_119acead668bad57a48b4f42f294f8f0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PB03 TRANSPORT LTD." and + pe.signatures[i].serial == "11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0" and + 1619654400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7a6d30a6eb2fa0c3369283725704ac4c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Trade By International ApS" and + pe.signatures[i].serial == "7a:6d:30:a6:eb:2f:a0:c3:36:92:83:72:57:04:ac:4c" and + 1619568000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_670c3494206b9f0c18714fdcffaaa42f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ADRIATIK PORT SERVIS, d.o.o." and + pe.signatures[i].serial == "67:0c:34:94:20:6b:9f:0c:18:71:4f:dc:ff:aa:a4:2f" and + 1622160000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0e8aa328af207ce8bcae1dc15c626188 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PRO SAT SRL" and + pe.signatures[i].serial == "0e:8a:a3:28:af:20:7c:e8:bc:ae:1d:c1:5c:62:61:88" and + 1627344000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_cfad6be1d823b4eacb803b720f525a7d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sistema LLC" and ( + pe.signatures[i].serial == "00:cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" or + pe.signatures[i].serial == "cf:ad:6b:e1:d8:23:b4:ea:cb:80:3b:72:0f:52:5a:7d" + ) and + 1627430400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7ebcb54b7e0e6410b28610de0743d4dd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SIA \"MWorx\"" and + pe.signatures[i].serial == "7e:bc:b5:4b:7e:0e:64:10:b2:86:10:de:07:43:d4:dd" and + 1625616000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_01106cc293772ca905a2b6eff02bf0f5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DMR Consulting Ltd." and + pe.signatures[i].serial == "01:10:6c:c2:93:77:2c:a9:05:a2:b6:ef:f0:2b:f0:f5" and + 1627084800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_05bb162f6efe852b7bd4712fd737a61e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Wellpro Impact Solutions Oy" and + pe.signatures[i].serial == "05:bb:16:2f:6e:fe:85:2b:7b:d4:71:2f:d7:37:a6:1e" and + 1628726400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6171990ba1c8e71049ebb296a35bd160 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OWLNET LIMITED" and + pe.signatures[i].serial == "61:71:99:0b:a1:c8:e7:10:49:eb:b2:96:a3:5b:d1:60" and + 1620000000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2114ca3bd2afd63d7fa29d744992b043 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MATCH CONSULTANTS LTD" and + pe.signatures[i].serial == "21:14:ca:3b:d2:af:d6:3d:7f:a2:9d:74:49:92:b0:43" and + 1625097600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6aaa62208a3a78bfac1443007d031e61 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Solar LLC" and + pe.signatures[i].serial == "6a:aa:62:20:8a:3a:78:bf:ac:14:43:00:7d:03:1e:61" and + 1608163200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_09450b8f73ea43e39d2cdd56049dbe40 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE4\\xB9\\x9D\\xE6\\xB1\\x9F\\xE5\\xAE\\x8F\\xE5\\x9B\\xBE\\xE6\\x97\\xA0\\xE5\\xBF\\xA7\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "09:45:0b:8f:73:ea:43:e3:9d:2c:dd:56:04:9d:be:40" and + 1561602110 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0efd9bd4b4281c6522d96011df46c9c4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "0e:fd:9b:d4:b4:28:1c:65:22:d9:60:11:df:46:c9:c4" and + 1586249095 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0dd7d4a785990584d8c0837659173272 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE9\\x9B\\xB7\\xE7\\xA5\\x9E\\xEF\\xBC\\x88\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xEF\\xBC\\x89\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "0d:d7:d4:a7:85:99:05:84:d8:c0:83:76:59:17:32:72" and + 1586249095 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c59d46580f039af2c4ab6ba0ffed197 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "0c:59:d4:65:80:f0:39:af:2c:4a:b6:ba:0f:fe:d1:97" and + 1585108595 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0448ec8d26597f99912138500cc41c1b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE5\\xA4\\xA7\\xE8\\xBF\\x9E\\xE7\\xBA\\xB5\\xE6\\xA2\\xA6\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "04:48:ec:8d:26:59:7f:99:91:21:38:50:0c:c4:1c:1b" and + 1585108595 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0108cbaee60728f5bf06e45a56d6f170 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE4\\xB8\\x9C\\xE6\\xB9\\x96\\xE6\\x96\\xB0\\xE6\\x8A\\x80\\xE6\\x9C\\xAF\\xE5\\xBC\\x80\\xE5\\x8F\\x91\\xE5\\x8C\\xBA" and + pe.signatures[i].serial == "01:08:cb:ae:e6:07:28:f5:bf:06:e4:5a:56:d6:f1:70" and + 1605680260 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_038d56a12153e8b5c74c69bff65cbe3f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE6\\xAD\\xA6\\xE6\\xB1\\x89\\xE5\\x86\\x85\\xE7\\x91\\x9F\\xE6\\x96\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "03:8d:56:a1:21:53:e8:b5:c7:4c:69:bf:f6:5c:be:3f" and
+ 1605680260 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_060d94e2ccae84536654d9daf39fef1e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HasCred ApS" and
+ pe.signatures[i].serial == "06:0d:94:e2:cc:ae:84:53:66:54:d9:da:f3:9f:ef:1e" and
+ 1627948800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0bc9b800f480691bd6b60963466b0c75 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HasCred ApS" and
+ pe.signatures[i].serial == "0b:c9:b8:00:f4:80:69:1b:d6:b6:09:63:46:6b:0c:75" and
+ 1629158400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0c4324ff41f0a7b16ffcc93dffa8fa99 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE7\\xA6\\x8F\\xE5\\xBB\\xBA\\xE7\\x9C\\x81\\xE4\\xBA\\x94\\xE6\\x98\\x9F\\xE4\\xBF\\xA1\\xE6\\x81\\xAF\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "0c:43:24:ff:41:f0:a7:b1:6f:fc:c9:3d:ff:a8:fa:99" and
+ 1600300800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0b980fc8783e4f158e41829ab21bab81 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Idris Kanchwala Holding Corp." and
+ pe.signatures[i].serial == "0b:98:0f:c8:78:3e:4f:15:8e:41:82:9a:b2:1b:ab:81" and
+ 1631750400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d8f515715aeffef0a0e4e37f16c254fa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HOLDING LA LTD" and (
+ pe.signatures[i].serial == "00:d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa" or
+ pe.signatures[i].serial == "d8:f5:15:71:5a:ef:fe:f0:a0:e4:e3:7f:16:c2:54:fa"
+ ) and
+ 1619136000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d79739187c585e453c00afc11d77b523 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAN MARINO INVESTMENTS PTY LTD" and (
+ pe.signatures[i].serial == "00:d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23" or
+ pe.signatures[i].serial == "d7:97:39:18:7c:58:5e:45:3c:00:af:c1:1d:77:b5:23"
+ ) and
+ 1631059200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_961cecb0227845317549e9343a980e91 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AmiraCo Oy" and (
+ pe.signatures[i].serial == "00:96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91" or
+ pe.signatures[i].serial == "96:1c:ec:b0:22:78:45:31:75:49:e9:34:3a:98:0e:91"
+ ) and
+ 1615248000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1ef6392b2993a6f67578299659467ea8 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ALUSEN d. o. o." and
+ pe.signatures[i].serial == "1e:f6:39:2b:29:93:a6:f6:75:78:29:96:59:46:7e:a8" and
+ 1618531200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a918455c0d4da7ca474f41f11a7cf38c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MIDDRA INTERNATIONAL CORP." and (
+ pe.signatures[i].serial == "00:a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c" or
+ pe.signatures[i].serial == "a9:18:45:5c:0d:4d:a7:ca:47:4f:41:f1:1a:7c:f3:8c"
+ ) and
+ 1618963200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_936bc256d2057ca9b9ec3034c3ed0ee6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SALES & MAINTENANCE LIMITED" and (
+ pe.signatures[i].serial == "00:93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6" or
+ pe.signatures[i].serial == "93:6b:c2:56:d2:05:7c:a9:b9:ec:30:34:c3:ed:0e:e6"
+ ) and
+ 1616889600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_afe8fee94b41422e01e4897bcd52d0a4 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TLGM ApS" and (
+ pe.signatures[i].serial == "00:af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4" or
+ pe.signatures[i].serial == "af:e8:fe:e9:4b:41:42:2e:01:e4:89:7b:cd:52:d0:a4"
+ ) and
+ 1617062400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_718e89ddb33257ea77ba74be7f2baf1d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Trap Capital ApS" and
+ pe.signatures[i].serial == "71:8e:89:dd:b3:32:57:ea:77:ba:74:be:7f:2b:af:1d" and
+ 1635462927 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4d3e38f4aebbc32257450726b29be117 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "POLE & AERIAL FITNESS LIMITED" and
+ pe.signatures[i].serial == "4d:3e:38:f4:ae:bb:c3:22:57:45:07:26:b2:9b:e1:17" and
+ 1636123882 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_8f4c49dae1f1ff0ebe9104c6f73242bd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Contact Merger Holding ApS" and (
+ pe.signatures[i].serial == "00:8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd" or
+ pe.signatures[i].serial == "8f:4c:49:da:e1:f1:ff:0e:be:91:04:c6:f7:32:42:bd"
+ ) and
+ 1636039748 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ac3c05f1cb9453de8e7110f589fb32c0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRAIN BUILDING TEAM s.r.o." and (
+ pe.signatures[i].serial == "00:ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0" or
+ pe.signatures[i].serial == "ac:3c:05:f1:cb:94:53:de:8e:71:10:f5:89:fb:32:c0"
+ ) and
+ 1635854205 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_fbb96a90b6718810311767ca25ab1e48 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rakurs LLC" and (
+ pe.signatures[i].serial == "00:fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48" or
+ pe.signatures[i].serial == "fb:b9:6a:90:b6:71:88:10:31:17:67:ca:25:ab:1e:48"
+ ) and
+ 1636046757 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cfd38423aef875a10b16644d058297e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRUST DANMARK ApS" and (
+ pe.signatures[i].serial == "00:cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2" or
+ pe.signatures[i].serial == "cf:d3:84:23:ae:f8:75:a1:0b:16:64:4d:05:82:97:e2"
+ ) and
+ 1632884040 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e6c05c5a2222bf92818324a3a7374ad3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ANAQA EVENTS LTD" and (
+ pe.signatures[i].serial == "00:e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3" or
+ pe.signatures[i].serial == "e6:c0:5c:5a:22:22:bf:92:81:83:24:a3:a7:37:4a:d3"
+ ) and
+ 1634720407 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_75ce08bdbad44123299dbe9d7c1d20de {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Rose Holm International ApS" and
+ pe.signatures[i].serial == "75:ce:08:bd:ba:d4:41:23:29:9d:be:9d:7c:1d:20:de" and
+ 1631007095 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_333705c20b56e57f60b5eb191eef0d90 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TASK Holding ApS" and
+ pe.signatures[i].serial == "33:37:05:c2:0b:56:e5:7f:60:b5:eb:19:1e:ef:0d:90" and
+ 1634233052 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a2a0ba281262acce7a00119e25564386 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Sopiteks LLC" and (
+ pe.signatures[i].serial == "00:a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86" or
+ pe.signatures[i].serial == "a2:a0:ba:28:12:62:ac:ce:7a:00:11:9e:25:56:43:86"
+ ) and
+ 1631908320 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_338483cc174c16ebc454a3803ffd4217 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Lpr:n Laatu-Ravintolat Oy" and
+ pe.signatures[i].serial == "33:84:83:cc:17:4c:16:eb:c4:54:a3:80:3f:fd:42:17" and
+ 1635208206 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_be89936c26cd0d845074f6b7b47f480c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Argus Security Maintenance Systems Inc." and (
+ pe.signatures[i].serial == "00:be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c" or
+ pe.signatures[i].serial == "be:89:93:6c:26:cd:0d:84:50:74:f6:b7:b4:7f:48:0c"
+ ) and
+ 1634235015 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f20a5155e53ce20bb644f646ed6a2fd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CB CAM SP Z O O" and
+ pe.signatures[i].serial == "0f:20:a5:15:5e:53:ce:20:bb:64:4f:64:6e:d6:a2:fd" and
+ 1635196200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ea734e1dfb6e69ed2bc55e513bf95b5e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Postmarket LLC" and (
+ pe.signatures[i].serial == "00:ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e" or
+ pe.signatures[i].serial == "ea:73:4e:1d:fb:6e:69:ed:2b:c5:5e:51:3b:f9:5b:5e"
+ ) and
+ 1635153791 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ba67b0de51ebb9b1179804e75357ab26 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Fjordland Bike Wear ApS" and (
+ pe.signatures[i].serial == "00:ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26" or
+ pe.signatures[i].serial == "ba:67:b0:de:51:eb:b9:b1:17:98:04:e7:53:57:ab:26"
+ ) and
+ 1636145940 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cff2b275ba8a1dde83ac7ff858399a62 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "XL-FORCE ApS" and (
+ pe.signatures[i].serial == "00:cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62" or
+ pe.signatures[i].serial == "cf:f2:b2:75:ba:8a:1d:de:83:ac:7f:f8:58:39:9a:62"
+ ) and
+ 1636111842 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d22e026c5b5966f1cf6ef00a7c06682e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "AMCERT, LLC" and (
+ pe.signatures[i].serial == "00:d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e" or
+ pe.signatures[i].serial == "d2:2e:02:6c:5b:59:66:f1:cf:6e:f0:0a:7c:06:68:2e"
+ ) and
+ 1636456620 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3054f940c931bad7b238a24376c6a5cc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "POLE CLEAN LTD" and
+ pe.signatures[i].serial == "30:54:f9:40:c9:31:ba:d7:b2:38:a2:43:76:c6:a5:cc" and
+ 1637030220 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a617e23d6ca8f34e2f7413cd299fc72b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EXPRESS BOOKS LTD" and (
+ pe.signatures[i].serial == "00:a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b" or
+ pe.signatures[i].serial == "a6:17:e2:3d:6c:a8:f3:4e:2f:74:13:cd:29:9f:c7:2b"
+ ) and
+ 1636971821 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_387eeb89b8bf626bbf4c7c9f5b998b40 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ULTRA ACADEMY LTD" and
+ pe.signatures[i].serial == "38:7e:eb:89:b8:bf:62:6b:bf:4c:7c:9f:5b:99:8b:40" and
+ 1637141034 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_292eb1133507f42e6f36c5549c189d5e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Affairs-case s.r.o." and
+ pe.signatures[i].serial == "29:2e:b1:13:35:07:f4:2e:6f:36:c5:54:9c:18:9d:5e" and
+ 1638832273 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5fbf16a33d26390a15f046c310030cf0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "MACHINES SATU MARE SRL" and
+ pe.signatures[i].serial == "5f:bf:16:a3:3d:26:39:0a:15:f0:46:c3:10:03:0c:f0" and
+ 1638390070 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0f007898afcba5f8af8ae65d01803617 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TechnoElek s.r.o." and
+ pe.signatures[i].serial == "0f:00:78:98:af:cb:a5:f8:af:8a:e6:5d:01:80:36:17" and
+ 1638372946 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e55be88ddbd93c423220468d430905dd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VALVE ACTUATION LTD" and (
+ pe.signatures[i].serial == "00:e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd" or
+ pe.signatures[i].serial == "e5:5b:e8:8d:db:d9:3c:42:32:20:46:8d:43:09:05:dd"
+ ) and
+ 1637712000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06bcb74291d96096577bdb1e165dce85 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Revo Security SRL" and
+ pe.signatures[i].serial == "06:bc:b7:42:91:d9:60:96:57:7b:db:1e:16:5d:ce:85" and
+ 1637971201 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c8442a8185082ef1ed7dc3fff2176aa7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ambidekstr LLC" and (
+ pe.signatures[i].serial == "00:c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7" or
+ pe.signatures[i].serial == "c8:44:2a:81:85:08:2e:f1:ed:7d:c3:ff:f2:17:6a:a7"
+ ) and
+ 1616976000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0406c4a1521a38c8d0c4aa214388e4dc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Venezia Design SRL" and
+ pe.signatures[i].serial == "04:06:c4:a1:52:1a:38:c8:d0:c4:aa:21:43:88:e4:dc" and
+ 1641859201 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_12705fb66bc22c68372a1c4e5fa662e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "APRIL BROTHERS LTD" and
+ pe.signatures[i].serial == "12:70:5f:b6:6b:c2:2c:68:37:2a:1c:4e:5f:a6:62:e2" and
+ 1642464000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3b0914e2982be8980aa23f49848555e5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Office Rat s.r.o." and
+ pe.signatures[i].serial == "3b:09:14:e2:98:2b:e8:98:0a:a2:3f:49:84:85:55:e5" and
+ 1643155200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_029bf7e1cb09fe277564bd27c267de5a {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SAMOYAJ LIMITED" and
+ pe.signatures[i].serial == "02:9b:f7:e1:cb:09:fe:27:75:64:bd:27:c2:67:de:5a" and
+ 1637712001 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_d3aee8abb9948844a3ac1c04cc7e6bdf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "HOUSE 9A s.r.o" and (
+ pe.signatures[i].serial == "00:d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df" or
+ pe.signatures[i].serial == "d3:ae:e8:ab:b9:94:88:44:a3:ac:1c:04:cc:7e:6b:df"
+ ) and
+ 1640822400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_734819463c1195bd6e135ce4d5bf49bc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "videoalarm s. r. o." and
+ pe.signatures[i].serial == "73:48:19:46:3c:11:95:bd:6e:13:5c:e4:d5:bf:49:bc" and
+ 1637884800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_db95b22362d46a73c39e0ac924883c5b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SPSLTD PLYMOUTH LTD" and (
+ pe.signatures[i].serial == "00:db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b" or
+ pe.signatures[i].serial == "db:95:b2:23:62:d4:6a:73:c3:9e:0a:c9:24:88:3c:5b"
+ ) and
+ 1621296000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0c48732873ac8ccebaf8f0e1e8329cec {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Hermetica Digital Ltd" and
+ pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec" and
+ 1618272000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c51f4cf4d82bc920421e1ad93e39d490 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "CUT AHEAD LTD" and (
+ pe.signatures[i].serial == "00:c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90" or
+ pe.signatures[i].serial == "c5:1f:4c:f4:d8:2b:c9:20:42:1e:1a:d9:3e:39:d4:90"
+ ) and
+ 1644624000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_c96086f1894e6420d2b4bdeea834c4d7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "THE FAITH SP Z O O" and (
+ pe.signatures[i].serial == "00:c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7" or
+ pe.signatures[i].serial == "c9:60:86:f1:89:4e:64:20:d2:b4:bd:ee:a8:34:c4:d7"
+ ) and
+ 1644969600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_06fa27a121cc82230c3013ee634b6c62 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Zimmi Consulting Inc" and
+ pe.signatures[i].serial == "06:fa:27:a1:21:cc:82:23:0c:30:13:ee:63:4b:6c:62" and
+ 1645142401 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_9dd3b2f7957ba99f4b04fcdbe03b7aac {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DOD MEDIA LIMITED" and (
+ pe.signatures[i].serial == "00:9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac" or
+ pe.signatures[i].serial == "9d:d3:b2:f7:95:7b:a9:9f:4b:04:fc:db:e0:3b:7a:ac"
+ ) and
+ 1646438400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_061051ff2a8afab10347a6f1ff08ecb6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TACHOPARTS SP Z O O" and
+ pe.signatures[i].serial == "06:10:51:ff:2a:8a:fa:b1:03:47:a6:f1:ff:08:ec:b6" and
+ 1606435200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_eda2429083bfafb04e6e7bdda1b08834 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "OWLNET LIMITED" and (
+ pe.signatures[i].serial == "00:ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34" or
+ pe.signatures[i].serial == "ed:a2:42:90:83:bf:af:b0:4e:6e:7b:dd:a1:b0:88:34"
+ ) and
+ 1625011200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0a590154b5980e566314122987dea548 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Maya logistika d.o.o." and
+ pe.signatures[i].serial == "0a:59:01:54:b5:98:0e:56:63:14:12:29:87:de:a5:48" and
+ 1636416000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_69a72f5591ad78a0825fbb9402ab9543 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PUSH BANK LIMITED" and
+ pe.signatures[i].serial == "69:a7:2f:55:91:ad:78:a0:82:5f:bb:94:02:ab:95:43" and
+ 1581811200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0883db137021b51f3a2a08a76a4bc066 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Divertida Creative Limited" and
+ pe.signatures[i].serial == "08:83:db:13:70:21:b5:1f:3a:2a:08:a7:6a:4b:c0:66" and
+ 1627430400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2b921aaaba777b5a99507196c6f1c46c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Python Software Foundation" and
+ pe.signatures[i].serial == "2b:92:1a:aa:ba:77:7b:5a:99:50:71:96:c6:f1:c4:6c" and
+ 1648425600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0332d5c942869bdcabf5a8266197cd14 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "JAWRO SP Z O O" and
+ pe.signatures[i].serial == "03:32:d5:c9:42:86:9b:dc:ab:f5:a8:26:61:97:cd:14" and
+ 1622160000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4679c5398a279318365fd77a84445699 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HURT GROUP HOLDINGS LIMITED" and + pe.signatures[i].serial == "46:79:c5:39:8a:27:93:18:36:5f:d7:7a:84:44:56:99" and + 1643846400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_101d6a5a29d9a77807553ceac669d853 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIC GROUP LIMITED" and + pe.signatures[i].serial == "10:1d:6a:5a:29:d9:a7:78:07:55:3c:ea:c6:69:d8:53" and + 1646352000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6000f8c02b0a15b1e53b8399845faddf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SAY LIMITED" and + pe.signatures[i].serial == "60:00:f8:c0:2b:0a:15:b1:e5:3b:83:99:84:5f:ad:df" and + 1644278400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_121070be1e782f206985543bc7bc58b6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Prod Can Holdings Inc." 
and + pe.signatures[i].serial == "12:10:70:be:1e:78:2f:20:69:85:54:3b:c7:bc:58:b6" and + 1647820800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5226a724cfa0b4bc0164ecda3f02a3dc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VALENTE SP Z O O" and + pe.signatures[i].serial == "52:26:a7:24:cf:a0:b4:bc:01:64:ec:da:3f:02:a3:dc" and + 1647302400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a7be7722b65a866ebcd3bd7f8f10825 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Rebound Infotech Limited" and + pe.signatures[i].serial == "0a:7b:e7:72:2b:65:a8:66:eb:cd:3b:d7:f8:f1:08:25" and + 1637971200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_05634456dbedb3556ca8415e64815c5d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Walden Intertech Inc." and + pe.signatures[i].serial == "05:63:44:56:db:ed:b3:55:6c:a8:41:5e:64:81:5c:5d" and + 1648425600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2e07a8d6e3b25ae010c8ed2c4ab0fb37 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Emurasoft, Inc." and + pe.signatures[i].serial == "2e:07:a8:d6:e3:b2:5a:e0:10:c8:ed:2c:4a:b0:fb:37" and + 1650499200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_30b4eeebd88fd205acc8577bbaed8655 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Enforcer Srl" and + pe.signatures[i].serial == "30:b4:ee:eb:d8:8f:d2:05:ac:c8:57:7b:ba:ed:86:55" and + 1646179200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b3391a6c1b3c6836533959e2384ab4ca { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VERIFIED SOFTWARE LLC" and ( + pe.signatures[i].serial == "00:b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" or + pe.signatures[i].serial == "b3:39:1a:6c:1b:3c:68:36:53:39:59:e2:38:4a:b4:ca" + ) and + 1595462400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_05d50a0e09bb9a836ffb90a3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Toliz Info Tech Solutions INC." 
and + pe.signatures[i].serial == "05:d5:0a:0e:09:bb:9a:83:6f:fb:90:a3" and + 1643892810 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a2787fbb4627c91611573e323584113 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "exxon.com" and + pe.signatures[i].serial == "0a:27:87:fb:b4:62:7c:91:61:15:73:e3:23:58:41:13" and + 1640822400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1d36c4f439d651503589318f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REDWOOD MARKETING SOLUTIONS INC." and + pe.signatures[i].serial == "1d:36:c4:f4:39:d6:51:50:35:89:31:8f" and + 1651518469 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_26f855a25890b749578f13e4b9459768 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Boo\\xE2\\x80\\x99s Q & Sweets Corporation" and + pe.signatures[i].serial == "26:f8:55:a2:58:90:b7:49:57:8f:13:e4:b9:45:97:68" and + 1645401600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f1ae2239bb96c5aef49d0ae50266912 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Aarav Consulting Inc." and + pe.signatures[i].serial == "0f:1a:e2:23:9b:b9:6c:5a:ef:49:d0:ae:50:26:69:12" and + 1653004800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1deea179f5757fe529043577762419df { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SPIRIT CONSULTING s. r. o." and + pe.signatures[i].serial == "1d:ee:a1:79:f5:75:7f:e5:29:04:35:77:76:24:19:df" and + 1645401600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b1f9ec88d185631ab032dbfd5166c0d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TOPFLIGHT GROUP LIMITED" and + pe.signatures[i].serial == "5b:1f:9e:c8:8d:18:56:31:ab:03:2d:bf:d5:16:6c:0d" and + 1656028800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_58af00ce542760fc116b41fa92e18589 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DICKIE MUSDALE WINDFARM LIMITED" and + pe.signatures[i].serial == "58:af:00:ce:54:27:60:fc:11:6b:41:fa:92:e1:85:89" and + 1654819200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_25ba18a267d6d8e08ebc6e2457d58d1e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "5Y TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "25:ba:18:a2:67:d6:d8:e0:8e:bc:6e:24:57:d5:8d:1e" and + 1648684800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_12df5ff3460979cec1288d874a9fbf83 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and + pe.signatures[i].serial == "12:df:5f:f3:46:09:79:ce:c1:28:8d:87:4a:9f:bf:83" and + 1599091200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_df2547b2cab5689a81d61de80eaaa3a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORWARD MUSIC AGENCY SRL" and ( + pe.signatures[i].serial == "00:df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" or + pe.signatures[i].serial == "df:25:47:b2:ca:b5:68:9a:81:d6:1d:e8:0e:aa:a3:a2" + ) and + 1657756800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_28b691272719b1ee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "2021945 Ontario Inc." and + pe.signatures[i].serial == "28:b6:91:27:27:19:b1:ee" and + 1616410532 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1c897216e58e83cbe74ad03284e1fb82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "M-Trans Maciej Caban" and + pe.signatures[i].serial == "1c:89:72:16:e5:8e:83:cb:e7:4a:d0:32:84:e1:fb:82" and + 1639119705 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5a364c4957d93406f76321c2316f42f0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Board Game Bucket Ltd" and + pe.signatures[i].serial == "5a:36:4c:49:57:d9:34:06:f7:63:21:c2:31:6f:42:f0" and + 1661337307 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e7e7f7180666546ce7a8da32119f5ce1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "C\\xC3\\x94NG TY TNHH PDF SOFTWARE" and ( + pe.signatures[i].serial == "00:e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" or + pe.signatures[i].serial == "e7:e7:f7:18:06:66:54:6c:e7:a8:da:32:11:9f:5c:e1" + ) and + 1661558399 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_062b2827500c5df35a83f661b3af5dd3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "*.eos.com" and + pe.signatures[i].serial == "06:2b:28:27:50:0c:5d:f3:5a:83:f6:61:b3:af:5d:d3" and + 1651449600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7bf27695fd20b588f2b2f173b6caf2ba { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Game Warriors Limited" and + pe.signatures[i].serial == "7b:f2:76:95:fd:20:b5:88:f2:b2:f1:73:b6:ca:f2:ba" and + 1662112800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1b248c8508042d36bbd5d92d189c61d8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Digital Robin Limited" and + pe.signatures[i].serial == "1b:24:8c:85:08:04:2d:36:bb:d5:d9:2d:18:9c:61:d8" and + 1663171218 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_032660ee1d49ad35086027473e2614e5e724 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "sunshine.com" and + pe.signatures[i].serial == "03:26:60:ee:1d:49:ad:35:08:60:27:47:3e:26:14:e5:e7:24" and + 1660238245 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_043052956e1e6dbd5f6ae3d8b82cad2a2ed8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ok.com" and + pe.signatures[i].serial == "04:30:52:95:6e:1e:6d:bd:5f:6a:e3:d8:b8:2c:ad:2a:2e:d8" and + 1662149613 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_dbc03ca7e6ae6db6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SPIDER DEVELOPMENTS PTY LTD" and ( + pe.signatures[i].serial == "00:db:c0:3c:a7:e6:ae:6d:b6" or + pe.signatures[i].serial == "db:c0:3c:a7:e6:ae:6d:b6" + ) and + 1600826873 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7d27332c3cb3a382a4fd232c5c66a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MALVINA RECRUITMENT LIMITED" and + pe.signatures[i].serial == "7d:27:33:2c:3c:b3:a3:82:a4:fd:23:2c:5c:66:a2" and + 1655424000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_82d224323efa65060b641f51fadfef02 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SAVAS INVESTMENTS PTY LTD" and ( + pe.signatures[i].serial == "00:82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" or + pe.signatures[i].serial == "82:d2:24:32:3e:fa:65:06:0b:64:1f:51:fa:df:ef:02" + ) and + 1665100800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_890570b6b0e2868a53be3f8f904a88ee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "JESEN LESS d.o.o." and ( + pe.signatures[i].serial == "00:89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" or + pe.signatures[i].serial == "89:05:70:b6:b0:e2:86:8a:53:be:3f:8f:90:4a:88:ee" + ) and + 1636588800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2642fe865f7566ce3123a5142c207094 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "C.W.D. INSTAL LTD" and + pe.signatures[i].serial == "26:42:fe:86:5f:75:66:ce:31:23:a5:14:2c:20:70:94" and + 1666310400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4a2e337fff23e5b2a1321ffde56d1759 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Karolina Klimowska" and + pe.signatures[i].serial == "4a:2e:33:7f:ff:23:e5:b2:a1:32:1f:fd:e5:6d:17:59" and + 1660314070 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_92d9b92f8cf7a1ba8b2c025be730c300 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "UPLagga Systems s.r.o." and ( + pe.signatures[i].serial == "00:92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" or + pe.signatures[i].serial == "92:d9:b9:2f:8c:f7:a1:ba:8b:2c:02:5b:e7:30:c3:00" + ) and + 1598054400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b8164f7143e1a313003ab0c834562f1f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ekitai Data Inc." and ( + pe.signatures[i].serial == "00:b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" or + pe.signatures[i].serial == "b8:16:4f:71:43:e1:a3:13:00:3a:b0:c8:34:56:2f:1f" + ) and + 1598313600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_24e4a2b3db6be1007b9ddc91995bc0c8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FLY BETTER s.r.o." 
and + pe.signatures[i].serial == "24:e4:a2:b3:db:6b:e1:00:7b:9d:dc:91:99:5b:c0:c8" and + 1645142400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_881573fc67ff7395dde5bccfbce5b088 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Trade in Brasil s.r.o." and ( + pe.signatures[i].serial == "00:88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" or + pe.signatures[i].serial == "88:15:73:fc:67:ff:73:95:dd:e5:bc:cf:bc:e5:b0:88" + ) and + 1620000000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_53e1f226cb77574f8fbeb5682da091bb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OdyLab Inc" and + pe.signatures[i].serial == "53:e1:f2:26:cb:77:57:4f:8f:be:b5:68:2d:a0:91:bb" and + 1654020559 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0772b4d1d63233d2b8771997bc8da5c4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Maya logistika d.o.o." 
and + pe.signatures[i].serial == "07:72:b4:d1:d6:32:33:d2:b8:77:19:97:bc:8d:a5:c4" and + 1637971201 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_02b6656292310b84022db5541bc48faf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DILA d.o.o." and + pe.signatures[i].serial == "02:b6:65:62:92:31:0b:84:02:2d:b5:54:1b:c4:8f:af" and + 1613865600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_64c2505c7306639fc8eae544b0305338 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MANILA Solution as" and + pe.signatures[i].serial == "64:c2:50:5c:73:06:63:9f:c8:ea:e5:44:b0:30:53:38" and + 1609418043 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2f96a89bfec6e44dd224e8fd7e72d9bb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NAILS UNLIMITED LIMITED" and + pe.signatures[i].serial == "2f:96:a8:9b:fe:c6:e4:4d:d2:24:e8:fd:7e:72:d9:bb" and + 1625529600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b649a966410f62999c939384af553919 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "F.A.T. SARL" and ( + pe.signatures[i].serial == "00:b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" or + pe.signatures[i].serial == "b6:49:a9:66:41:0f:62:99:9c:93:93:84:af:55:39:19" + ) and + 1590537600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_45245eef53fcf38169c715cf68f44452 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PAPER AND CORE SUPPLIES LTD" and + pe.signatures[i].serial == "45:24:5e:ef:53:fc:f3:81:69:c7:15:cf:68:f4:44:52" and + 1639958400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1895433ee9e2bd48619d75132262616f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Evetrans Ltd" and + pe.signatures[i].serial == "18:95:43:3e:e9:e2:bd:48:61:9d:75:13:22:62:61:6f" and + 1619789516 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1ffc9825644caf5b1f521780c5c7f42c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ACTIVUS LIMITED" and + pe.signatures[i].serial == "1f:fc:98:25:64:4c:af:5b:1f:52:17:80:c5:c7:f4:2c" and + 1615507200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8d52fb12a2511e86bbb0ba75c517eab0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VThink Software Consulting Inc." and ( + pe.signatures[i].serial == "00:8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" or + pe.signatures[i].serial == "8d:52:fb:12:a2:51:1e:86:bb:b0:ba:75:c5:17:ea:b0" + ) and + 1599177600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_332bd5801e8415585e72c87e0e2ec71d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Elite Marketing Strategies, Inc." and + pe.signatures[i].serial == "33:2b:d5:80:1e:84:15:58:5e:72:c8:7e:0e:2e:c7:1d" and + 1662616824 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e3b80c0932b52a708477939b0d32186f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BISOYETUTU LTD LIMITED" and ( + pe.signatures[i].serial == "00:e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" or + pe.signatures[i].serial == "e3:b8:0c:09:32:b5:2a:70:84:77:93:9b:0d:32:18:6f" + ) and + 1617062400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c79f817f082986bef3209f6723c8da97 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Al-Faris group d.o.o." and ( + pe.signatures[i].serial == "00:c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" or + pe.signatures[i].serial == "c7:9f:81:7f:08:29:86:be:f3:20:9f:67:23:c8:da:97" + ) and + 1616371200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1e5efa53a14599cc82f56f0790e20b17 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Storeks LLC" and + pe.signatures[i].serial == "1e:5e:fa:53:a1:45:99:cc:82:f5:6f:07:90:e2:0b:17" and + 1623196800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0cf2d0b5bfdd68cf777a0c12f806a569 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PROTIP d.o.o. 
- v ste\\xC4\\x8Daju" and + pe.signatures[i].serial == "0c:f2:d0:b5:bf:dd:68:cf:77:7a:0c:12:f8:06:a5:69" and + 1611705600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f675139ea68b897a865a98f8e4611f00 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BS TEHNIK d.o.o." and ( + pe.signatures[i].serial == "00:f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" or + pe.signatures[i].serial == "f6:75:13:9e:a6:8b:89:7a:86:5a:98:f8:e4:61:1f:00" + ) and + 1606953600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4728189fa0f57793484cdf764f5e283d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Power Save Systems s.r.o." and + pe.signatures[i].serial == "47:28:18:9f:a0:f5:77:93:48:4c:df:76:4f:5e:28:3d" and + 1647302400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9bd81a9adaf71f1ff081c1f4a05d7fd7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SMART TOYS AND GAMES, INC" and ( + pe.signatures[i].serial == "00:9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" or + pe.signatures[i].serial == "9b:d8:1a:9a:da:f7:1f:1f:f0:81:c1:f4:a0:5d:7f:d7" + ) and + 1601683200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c81319d20c6f1f1aec3398522189d90c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and ( + pe.signatures[i].serial == "00:c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" or + pe.signatures[i].serial == "c8:13:19:d2:0c:6f:1f:1a:ec:33:98:52:21:89:d9:0c" + ) and + 1643500800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c318d876768258a696ab9dd825e27acd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Genezis" and ( + pe.signatures[i].serial == "00:c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" or + pe.signatures[i].serial == "c3:18:d8:76:76:82:58:a6:96:ab:9d:d8:25:e2:7a:cd" + ) and + 1615161600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_06df5c318759d6ea9d090bfb2faf1d94 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SpiffyTech Inc." and + pe.signatures[i].serial == "06:df:5c:31:87:59:d6:ea:9d:09:0b:fb:2f:af:1d:94" and + 1634515201 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_02de1cc6c487954592f1bf574ca2b000 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Orca System" and + pe.signatures[i].serial == "02:de:1c:c6:c4:87:95:45:92:f1:bf:57:4c:a2:b0:00" and + 1613735394 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a32b8b4f1be43c23eb2848ab4ef06bb2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Pak El AB" and ( + pe.signatures[i].serial == "00:a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" or + pe.signatures[i].serial == "a3:2b:8b:4f:1b:e4:3c:23:eb:28:48:ab:4e:f0:6b:b2" + ) and + 1673395200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_626735ed30e50e3e0553986d806bfc54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FISH ACCOUNTING & TRANSLATING LIMITED" and + pe.signatures[i].serial == "62:67:35:ed:30:e5:0e:3e:05:53:98:6d:80:6b:fc:54" and + 1666742400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_34d42e871ddb1c92fa20b55b384e1259 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VENS CORP" and + pe.signatures[i].serial == "34:d4:2e:87:1d:db:1c:92:fa:20:b5:5b:38:4e:12:59" and + 1630368000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_08d4dc90047b8470ccaf3924dfbd8b5f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Dibies" and + pe.signatures[i].serial == "08:d4:dc:90:04:7b:84:70:cc:af:39:24:df:bd:8b:5f" and + 1619136000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c2fc83d458e653837fcfc132c9b03062 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Vertical" and ( + pe.signatures[i].serial == "00:c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" or + pe.signatures[i].serial == "c2:fc:83:d4:58:e6:53:83:7f:cf:c1:32:c9:b0:30:62" + ) and + 1602201600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54c793d2224bdd6ca527bb2b7b9dfe9d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CODE - HANDLE, s. r. o." and + pe.signatures[i].serial == "54:c7:93:d2:22:4b:dd:6c:a5:27:bb:2b:7b:9d:fe:9d" and + 1629676800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8cece6df54cf6ad63596546d77ba3581 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Mikael LLC" and ( + pe.signatures[i].serial == "00:8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" or + pe.signatures[i].serial == "8c:ec:e6:df:54:cf:6a:d6:35:96:54:6d:77:ba:35:81" + ) and + 1613088000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_984e84cfe362e278f558e2c70aaafac2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Arctic Nights \\xC3\\x84k\\xC3\\xA4slompolo Oy" and ( + pe.signatures[i].serial == "00:98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" or + pe.signatures[i].serial == "98:4e:84:cf:e3:62:e2:78:f5:58:e2:c7:0a:aa:fa:c2" + ) and + 1640304000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ff52eb011bb748fee75153cbe1e50dd6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TASK ANNA LIMITED" and ( + pe.signatures[i].serial == "00:ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" or + pe.signatures[i].serial == "ff:52:eb:01:1b:b7:48:fe:e7:51:53:cb:e1:e5:0d:d6" + ) and + 1647388800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_84a4a0d0657e217b176b455e2465aee0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AATB ApS" and ( + pe.signatures[i].serial == "00:84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" or + pe.signatures[i].serial == "84:a4:a0:d0:65:7e:21:7b:17:6b:45:5e:24:65:ae:e0" + ) and + 1616457600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b8f726508cf1d7b7913bf4bbd1e5c19c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Merkuri LLC" and ( + pe.signatures[i].serial == "00:b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" or + pe.signatures[i].serial == "b8:f7:26:50:8c:f1:d7:b7:91:3b:f4:bb:d1:e5:c1:9c" + ) and + 1619568000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6a241ffe96a6349df608d22c02942268 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HELP, d.o.o." and + pe.signatures[i].serial == "6a:24:1f:fe:96:a6:34:9d:f6:08:d2:2c:02:94:22:68" and + 1605052800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aa1d84779792b57f91fe7a4bde041942 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AXIUM NORTHWESTERN HYDRO INC." and ( + pe.signatures[i].serial == "00:aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" or + pe.signatures[i].serial == "aa:1d:84:77:97:92:b5:7f:91:fe:7a:4b:de:04:19:42" + ) and + 1639872000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3c98b6872fbb1f4ae37a4caa749d24c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO SMART" and + pe.signatures[i].serial == "3c:98:b6:87:2f:bb:1f:4a:e3:7a:4c:aa:74:9d:24:c2" and + 1613370100 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e4e795fd1fd25595b869ce22aa7dc49f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OASIS COURT LIMITED" and ( + pe.signatures[i].serial == "00:e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" or + pe.signatures[i].serial == "e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f" + ) and + 1608508800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e953ada7e8f1438e5f7680ff599ae43e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KULBYT LLC" and ( + pe.signatures[i].serial == "00:e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" or + pe.signatures[i].serial == "e9:53:ad:a7:e8:f1:43:8e:5f:76:80:ff:59:9a:e4:3e" + ) and + 1614729600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_28c57df09ce7cc3fde2243beb4d00101 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "WATER, s.r.o." 
and + pe.signatures[i].serial == "28:c5:7d:f0:9c:e7:cc:3f:de:22:43:be:b4:d0:01:01" and + 1622678400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2d8cfcf04209dc7f771d8d18e462c35a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AA PLUS INVEST d.o.o." and + pe.signatures[i].serial == "2d:8c:fc:f0:42:09:dc:7f:77:1d:8d:18:e4:62:c3:5a" and + 1631491200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_016836311fc39fbb8e6f308bb03cc2b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SERVICE STREAM LIMITED" and + pe.signatures[i].serial == "01:68:36:31:1f:c3:9f:bb:8e:6f:30:8b:b0:3c:c2:b3" and + 1602547200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_435abf46053a0a445c54217a8c233a7f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Kodemika" and + pe.signatures[i].serial == "43:5a:bf:46:05:3a:0a:44:5c:54:21:7a:8c:23:3a:7f" and + 1616976000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b2f9c693a2e6634565f63c79b01dd8f8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PHL E STATE ApS" and ( + pe.signatures[i].serial == "00:b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" or + pe.signatures[i].serial == "b2:f9:c6:93:a2:e6:63:45:65:f6:3c:79:b0:1d:d8:f8" + ) and + 1620000000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54a6d33f73129e0ef059ccf51be0c35e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "STAFFORD MEAT COMPANY, INC." and + pe.signatures[i].serial == "54:a6:d3:3f:73:12:9e:0e:f0:59:cc:f5:1b:e0:c3:5e" and + 1607100127 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_142aac4217e22b525c8587589773ba9b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "A.B. gostinstvo trgovina posredni\\xC5\\xA1tvo in druge storitve, d.o.o." and + pe.signatures[i].serial == "14:2a:ac:42:17:e2:2b:52:5c:85:87:58:97:73:ba:9b" and + 1614124800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_239664c12baeb5a6d787912888051392 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "FORTH PROPERTY LTD" and + pe.signatures[i].serial == "23:96:64:c1:2b:ae:b5:a6:d7:87:91:28:88:05:13:92" and + 1618272000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0218ebfd5a9bfd55d2f661f0d18d1d71 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "REI LUX UK LIMITED" and + pe.signatures[i].serial == "02:18:eb:fd:5a:9b:fd:55:d2:f6:61:f0:d1:8d:1d:71" and + 1608508800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_35590ebe4a02dc23317d8ce47a947a9b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OOO Largos" and + pe.signatures[i].serial == "35:59:0e:be:4a:02:dc:23:31:7d:8c:e4:7a:94:7a:9b" and + 1602201600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aa07d4f2857119cee514a0bd412f8201 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HANGA GIP d.o.o." 
and ( + pe.signatures[i].serial == "00:aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" or + pe.signatures[i].serial == "aa:07:d4:f2:85:71:19:ce:e5:14:a0:bd:41:2f:82:01" + ) and + 1615766400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_40f5660a90301e7a8a8c3b42 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Booz Allen Hamilton Inc." and + pe.signatures[i].serial == "40:f5:66:0a:90:30:1e:7a:8a:8c:3b:42" and + 1641833688 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0400c7614f86d75fe4ee3f6192b6feda { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "StackUp ApS" and + pe.signatures[i].serial == "04:00:c7:61:4f:86:d7:5f:e4:ee:3f:61:92:b6:fe:da" and + 1626393601 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e573d9c8b403c41bd59ffa0a8efd4168 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\"VERONIKA 2\" OOO" and ( + pe.signatures[i].serial == "00:e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" or + pe.signatures[i].serial == "e5:73:d9:c8:b4:03:c4:1b:d5:9f:fa:0a:8e:fd:41:68" + ) and + 1563148800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b06bc166fc765dacd2f7448c8cdd9205 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GAS Avto, d.o.o." and ( + pe.signatures[i].serial == "00:b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" or + pe.signatures[i].serial == "b0:6b:c1:66:fc:76:5d:ac:d2:f7:44:8c:8c:dd:92:05" + ) and + 1615507200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e9268ed63a7d7e9dfd40a664ddfbaf18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Casta, s.r.o." and ( + pe.signatures[i].serial == "00:e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" or + pe.signatures[i].serial == "e9:26:8e:d6:3a:7d:7e:9d:fd:40:a6:64:dd:fb:af:18" + ) and + 1647302400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_425dc3e0ca8bcdce19d00d87e3f0ba28 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Protover LLC" and + pe.signatures[i].serial == "42:5d:c3:e0:ca:8b:cd:ce:19:d0:0d:87:e3:f0:ba:28" and + 1621900800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_afc0ddb7bdc8207e8c3b7204018eecd3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE9\\x83\\xB4\\xE5\\xB7\\x9E\\xE8\\x9C\\x97\\xE7\\x89\\x9B\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and ( + pe.signatures[i].serial == "00:af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" or + pe.signatures[i].serial == "af:c0:dd:b7:bd:c8:20:7e:8c:3b:72:04:01:8e:ec:d3" + ) and + 1629676800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_38989ec61ecdb7391ff5647f7d58ad18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RotA Games ApS" and + pe.signatures[i].serial == "38:98:9e:c6:1e:cd:b7:39:1f:f5:64:7f:7d:58:ad:18" and + 1613088000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bc6c43d206a360f2d6b58537c456b709 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ANKADA GROUP, d.o.o." 
and ( + pe.signatures[i].serial == "00:bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" or + pe.signatures[i].serial == "bc:6c:43:d2:06:a3:60:f2:d6:b5:85:37:c4:56:b7:09" + ) and + 1616630400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4929ab561c812af93ddb9758b545f546 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Everything Wow s.r.o." and + pe.signatures[i].serial == "49:29:ab:56:1c:81:2a:f9:3d:db:97:58:b5:45:f5:46" and + 1594252800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_25c6dbce3d5499f65d9df16e9007465d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and + pe.signatures[i].serial == "25:c6:db:ce:3d:54:99:f6:5d:9d:f1:6e:90:07:46:5d" and + 1626566400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bc6a1812e001362469541108973bbd52 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and ( + pe.signatures[i].serial == "00:bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" or + pe.signatures[i].serial == "bc:6a:18:12:e0:01:36:24:69:54:11:08:97:3b:bd:52" + ) and + 1623801600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_bde1d6dc3622724f427a39e6a34f5124 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and ( + pe.signatures[i].serial == "00:bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" or + pe.signatures[i].serial == "bd:e1:d6:dc:36:22:72:4f:42:7a:39:e6:a3:4f:51:24" + ) and + 1628553600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5c9f5f96726a6e6fc3b8bb153ac82af2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "1105 SOFTWARE LLC" and + pe.signatures[i].serial == "5c:9f:5f:96:72:6a:6e:6f:c3:b8:bb:15:3a:c8:2a:f2" and + 1679061408 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e889bb3b7f7194b674c6a0335a608e0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CLEVERCONTROL LLC" and + pe.signatures[i].serial == "6e:88:9b:b3:b7:f7:19:4b:67:4c:6a:03:35:a6:08:e0" and + 1646956800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f62f760704bdf8dc30c7baa7376f484 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Shanghai XuSong investment partnership Enterprise(Limited)" and + pe.signatures[i].serial == "0f:62:f7:60:70:4b:df:8d:c3:0c:7b:aa:73:76:f4:84" and + 1659398400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_071202dbfda40b629c5e7acac947c2d3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Crossfire Industries, LLC" and + pe.signatures[i].serial == "07:12:02:db:fd:a4:0b:62:9c:5e:7a:ca:c9:47:c2:d3" and + 1658620801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_98ab9585c04d7f0e4cf4de98c14b684d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMCERT,LLC" and ( + pe.signatures[i].serial == "00:98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" or + pe.signatures[i].serial == "98:ab:95:85:c0:4d:7f:0e:4c:f4:de:98:c1:4b:68:4d" + ) and + 1656547200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4631713e66e91347f0388b98cf747794 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE5\\xB9\\xBF\\xE5\\xB7\\x9E\\xE6\\x98\\x8A\\xE5\\x8A\\xA8\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "46:31:71:3e:66:e9:13:47:f0:38:8b:98:cf:74:77:94" and + 1488240000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e963f8983d21b4c1a69c66a9d37498e5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Max Steinhard" and ( + pe.signatures[i].serial == "00:e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" or + pe.signatures[i].serial == "e9:63:f8:98:3d:21:b4:c1:a6:9c:66:a9:d3:74:98:e5" + ) and + 1656288000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e44fcedd49f22f7a28cecc99104f61a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "M-Trans Maciej Caban" and + pe.signatures[i].serial == "6e:44:fc:ed:d4:9f:22:f7:a2:8c:ec:c9:91:04:f6:1a" and + 1672923378 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_35b49ee870aea532e6ef0a4987105c8f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Kancelaria Adwokacka Adwokat Aleksandra Krzemi\\xC5\\x84ska" and + pe.signatures[i].serial == "35:b4:9e:e8:70:ae:a5:32:e6:ef:0a:49:87:10:5c:8f" and + 1663151018 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_063dcd7d7b0bc77cac844c7213be3989 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "HANNAH SISK LIMITED" and + pe.signatures[i].serial == "06:3d:cd:7d:7b:0b:c7:7c:ac:84:4c:72:13:be:39:89" and + 1656892801 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6f8777aa866142ad7120e5e1c9321e37 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CLOUD SOFTWARE LINE CO., LTD." 
and + pe.signatures[i].serial == "6f:87:77:aa:86:61:42:ad:71:20:e5:e1:c9:32:1e:37" and + 1629676800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4a7f07c5d4ad2e23f9e8e03f0e229dd4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Danalis LLC" and + pe.signatures[i].serial == "4a:7f:07:c5:d4:ad:2e:23:f9:e8:e0:3f:0e:22:9d:d4" and + 1608681600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_f5f9c8f8c33e4ce84dd48fcb03ccb075 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Abdulkadir \\xC5\\x9Eahin" and ( + pe.signatures[i].serial == "00:f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" or + pe.signatures[i].serial == "f5:f9:c8:f8:c3:3e:4c:e8:4d:d4:8f:cb:03:cc:b0:75" + ) and + 1545004800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_57fc55239f21f139978609e323097132 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Aidem Media Limited" and + pe.signatures[i].serial == "57:fc:55:23:9f:21:f1:39:97:86:09:e3:23:09:71:32" and + 1501632000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_eeefec4308abe63323600e1608f5e6f2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "YUPITER-STROI, OOO" and ( + pe.signatures[i].serial == "00:ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" or + pe.signatures[i].serial == "ee:ef:ec:43:08:ab:e6:33:23:60:0e:16:08:f5:e6:f2" + ) and + 1491177600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0ecd460ce14bd8ef2926da2cd9a44176 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Rabah Azrarak" and + pe.signatures[i].serial == "0e:cd:46:0c:e1:4b:d8:ef:29:26:da:2c:d9:a4:41:76" and + 1463035153 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5e75e997f3d70bb8c182d56b25b7d836 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Primetech Ltd." 
and + pe.signatures[i].serial == "5e:75:e9:97:f3:d7:0b:b8:c1:82:d5:6b:25:b7:d8:36" and + 1324252800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d5690d94f15315e143db10af35497dc5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PET SERVICES d.o.o." and ( + pe.signatures[i].serial == "00:d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" or + pe.signatures[i].serial == "d5:69:0d:94:f1:53:15:e1:43:db:10:af:35:49:7d:c5" + ) and + 1576195200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_8223c74185add0927246f5e33ebac467 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TOV Virikton" and ( + pe.signatures[i].serial == "00:82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" or + pe.signatures[i].serial == "82:23:c7:41:85:ad:d0:92:72:46:f5:e3:3e:ba:c4:67" + ) and + 1463616000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_dd9e9e1d7c573714e3f567c5380ae6d0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CREA&COM d.o.o." 
and ( + pe.signatures[i].serial == "00:dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" or + pe.signatures[i].serial == "dd:9e:9e:1d:7c:57:37:14:e3:f5:67:c5:38:0a:e6:d0" + ) and + 1575849600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3d5e71 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "OF.PL sp. z o.o." and + pe.signatures[i].serial == "3d:5e:71" and + 1066997730 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c33187fe848a65e8484ea492cb2cbb18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SELCUK GUNDOGDU" and ( + pe.signatures[i].serial == "00:c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" or + pe.signatures[i].serial == "c3:31:87:fe:84:8a:65:e8:48:4e:a4:92:cb:2c:bb:18" + ) and + 1426204800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6fc143ba34cabf1de7a4c7f8f4cdad6d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "World Telecom International Inc." 
and + pe.signatures[i].serial == "6f:c1:43:ba:34:ca:bf:1d:e7:a4:c7:f8:f4:cd:ad:6d" and + 1147046400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6ac6268b2e431a2c1369346d175d0e30 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Install Sync" and + pe.signatures[i].serial == "6a:c6:26:8b:2e:43:1a:2c:13:69:34:6d:17:5d:0e:30" and + 1436140800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0fc4d9178b8df2c19e269ac6f43dd708 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PK Partnership, OOO" and + pe.signatures[i].serial == "0f:c4:d9:17:8b:8d:f2:c1:9e:26:9a:c6:f4:3d:d7:08" and + 1466553600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e01407871e2146c9baab1ae7ab8ab172 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TOV Intalev Ukraina" and ( + pe.signatures[i].serial == "00:e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" or + pe.signatures[i].serial == "e0:14:07:87:1e:21:46:c9:ba:ab:1a:e7:ab:8a:b1:72" + ) and + 1464220800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_effc6d19d6fc85872e4e5b3ccee6d301 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "C\\xC3\\x93IR IP LIMITED" and ( + pe.signatures[i].serial == "00:ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" or + pe.signatures[i].serial == "ef:fc:6d:19:d6:fc:85:87:2e:4e:5b:3c:ce:e6:d3:01" + ) and + 1572307200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2f4a25d52b16eb4c9dfe71ebbd8121bb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Blist LLC" and + pe.signatures[i].serial == "2f:4a:25:d5:2b:16:eb:4c:9d:fe:71:eb:bd:81:21:bb" and + 1629763200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6889aab6202bcc5f11caedf4d04f435b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "C4DL Media" and + pe.signatures[i].serial == "68:89:aa:b6:20:2b:cc:5f:11:ca:ed:f4:d0:4f:43:5b" and + 1231891200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3be63083fbb1787b445da97583721419 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\"SMART GREY\" LLC" and + pe.signatures[i].serial == "3b:e6:30:83:fb:b1:78:7b:44:5d:a9:75:83:72:14:19" and + 1493942400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e2d3449272b6b96b8b9f728e87580d5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RADIANT, OOO" and + pe.signatures[i].serial == "6e:2d:34:49:27:2b:6b:96:b8:b9:f7:28:e8:75:80:d5" and + 1421107200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_268c0d7028a154ac3b6349c5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "26:8c:0d:70:28:a1:54:ac:3b:63:49:c5" and + 1474266712 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2daa8d629cc0410a9482e62a0f8bf8fc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DON'T MISS A WORD LIMITED" and + pe.signatures[i].serial == "2d:aa:8d:62:9c:c0:41:0a:94:82:e6:2a:0f:8b:f8:fc" and + 1543449600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_9a727e200ea76570 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Alexsandro Da Rosa - ME" and ( + pe.signatures[i].serial == "00:9a:72:7e:20:0e:a7:65:70" or + pe.signatures[i].serial == "9a:72:7e:20:0e:a7:65:70" + ) and + 1539056530 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0954a3c876df9262cde5817f9870f0c6 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dialer Access" and + pe.signatures[i].serial == "09:54:a3:c8:76:df:92:62:cd:e5:81:7f:98:70:f0:c6" and + 1160438400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3c30930e53bb026f9a5d7440155f7118 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CPM Media, Ltd." and + pe.signatures[i].serial == "3c:30:93:0e:53:bb:02:6f:9a:5d:74:40:15:5f:71:18" and + 1064534400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_432eefc0d4dc0326eb277a518cc4310a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "43:2e:ef:c0:d4:dc:03:26:eb:27:7a:51:8c:c4:31:0a" and + 1466121600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_470d6ce21a6940320261f09e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "47:0d:6c:e2:1a:69:40:32:02:61:f0:9e" and + 1474523038 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7e6bc7e5a49e2c28e6f5d042 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Shang Hai Jian Ji Wang Luo Ke Ji You Xian Gong Si" and + pe.signatures[i].serial == "7e:6b:c7:e5:a4:9e:2c:28:e6:f5:d0:42" and + 1560995284 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4c5020899147c850196c4ebf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "4c:50:20:89:91:47:c8:50:19:6c:4e:bf" and + 1476693792 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4efcf7adc21f070e590d49ddb8081397 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ding Ruan" and + pe.signatures[i].serial == "4e:fc:f7:ad:c2:1f:07:0e:59:0d:49:dd:b8:08:13:97" and + 1476921600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_cbd37c0a651913ee25a6860d7d5ccdf2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Amma" and ( + pe.signatures[i].serial == "00:cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" or + pe.signatures[i].serial == "cb:d3:7c:0a:65:19:13:ee:25:a6:86:0d:7d:5c:cd:f2" + ) and + 1431734400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5fe0ad6b03c57ab67a352159004ca3db { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "SpectorSoft Corp." and + pe.signatures[i].serial == "5f:e0:ad:6b:03:c5:7a:b6:7a:35:21:59:00:4c:a3:db" and + 1402272000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_642ad8e5ef8b3ac767f0d5c1a999bdaa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Itgms Ltd" and + pe.signatures[i].serial == "64:2a:d8:e5:ef:8b:3a:c7:67:f0:d5:c1:a9:99:bd:aa" and + 1447804800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5333d3079d8afda715703775e1389991 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Trambambon LLC" and + pe.signatures[i].serial == "53:33:d3:07:9d:8a:fd:a7:15:70:37:75:e1:38:99:91" and + 1239148800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_139a7ee1f1a7735c151089755df5d373 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yongli Li" and + pe.signatures[i].serial == "13:9a:7e:e1:f1:a7:73:5c:15:10:89:75:5d:f5:d3:73" and + 1476057600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_74dbe83082e1b3dfa29f9c24 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and + pe.signatures[i].serial == "74:db:e8:30:82:e1:b3:df:a2:9f:9c:24" and + 1468817578 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a466553a6391aafd181b400266c7b18 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "PhaseQ Limited" and + pe.signatures[i].serial == "0a:46:65:53:a6:39:1a:af:d1:81:b4:00:26:6c:7b:18" and + 1555545600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0d3dec8794fa7228d1ee40eeb8187149 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Financial Security Institute, Inc." and + pe.signatures[i].serial == "0d:3d:ec:87:94:fa:72:28:d1:ee:40:ee:b8:18:71:49" and + 1582675200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_24af70b5d17a63ad053e5821 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "24:af:70:b5:d1:7a:63:ad:05:3e:58:21" and + 1474179615 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_402e9fcba61e5eaf9c0c7b3bfd6259d9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yongli Li" and + pe.signatures[i].serial == "40:2e:9f:cb:a6:1e:5e:af:9c:0c:7b:3b:fd:62:59:d9" and + 1477440000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2c84f9136059e96134f8766670eacd52 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, DIEGO MANUEL RODRIGUEZ" and + pe.signatures[i].serial == "2c:84:f9:13:60:59:e9:61:34:f8:76:66:70:ea:cd:52" and + 1442215311 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6716a9c195987d5cfe53a094779461e7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Inter Technologies Ltd." 
and + pe.signatures[i].serial == "67:16:a9:c1:95:98:7d:5c:fe:53:a0:94:77:94:61:e7" and + 1169424000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_876c00bd665df98b35554f67a5c1c32a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Lossera-M, OOO" and ( + pe.signatures[i].serial == "00:87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" or + pe.signatures[i].serial == "87:6c:00:bd:66:5d:f9:8b:35:55:4f:67:a5:c1:c3:2a" + ) and + 1493078400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4b093cb60d4b992266f550934a4ac7d0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LCB SISTEMAS LTDA ME" and + pe.signatures[i].serial == "4b:09:3c:b6:0d:4b:99:22:66:f5:50:93:4a:4a:c7:d0" and + 1478649600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2050b54146b011ed30f60f61 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "20:50:b5:41:46:b0:11:ed:30:f6:0f:61" and + 1476773926 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_73e2f34c9c2435f29bbe0a3c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "73:e2:f3:4c:9c:24:35:f2:9b:be:0a:3c" and + 1480312984 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_68c457d7495d2a8d0d7b9042836135c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "68:c4:57:d7:49:5d:2a:8d:0d:7b:90:42:83:61:35:c2" and + 1476921600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6b72ca367d40fbef16e73e6eba6a9a59 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "6b:72:ca:36:7d:40:fb:ef:16:e7:3e:6e:ba:6a:9a:59" and + 1476748800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_736b7663d322533413f36e3e7e55f920 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Net Technology" and + pe.signatures[i].serial == "73:6b:76:63:d3:22:53:34:13:f3:6e:3e:7e:55:f9:20" and + 1159488000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_54a170102461fdc967acfafe4bbbc7f0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "54:a1:70:10:24:61:fd:c9:67:ac:fa:fe:4b:bb:c7:f0" and + 1476748800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0c501b8b113209c96c8119cf7a6b8b79 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "0c:50:1b:8b:11:32:09:c9:6c:81:19:cf:7a:6b:8b:79" and + 1474329600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0300ee4a4c52443147821a8186d04309 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and + pe.signatures[i].serial == "03:00:ee:4a:4c:52:44:31:47:82:1a:81:86:d0:43:09" and + 1494892800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_202cf8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DATALINE LTD." and + pe.signatures[i].serial == "20:2c:f8" and + 1087841761 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6651cc8b4850d4dec61961503ea7956b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "NUSAAPPINSTALL(APPS INSTALLER S.L.)" and + pe.signatures[i].serial == "66:51:cc:8b:48:50:d4:de:c6:19:61:50:3e:a7:95:6b" and + 1436175828 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_25bef28467e4750331d2f403458113b8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "25:be:f2:84:67:e4:75:03:31:d2:f4:03:45:81:13:b8" and + 1474156800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0296cf3314f434c5b74d0c3e36616dd1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "02:96:cf:33:14:f4:34:c5:b7:4d:0c:3e:36:61:6d:d1" and + 1474934400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_045d57d63e13775c8f812e1864797f5a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Mei" and + pe.signatures[i].serial == "04:5d:57:d6:3e:13:77:5c:8f:81:2e:18:64:79:7f:5a" and + 1485043200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6d633df9bb6015fc3ecea99dff309ee7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "6d:63:3d:f9:bb:60:15:fc:3e:ce:a9:9d:ff:30:9e:e7" and + 1474156800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_22e2a66e63b8cb4ec6989bf7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sivi Technology Limited" and + pe.signatures[i].serial == "22:e2:a6:6e:63:b8:cb:4e:c6:98:9b:f7" and + 1466995365 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_654b406de388ec2aec253ff2ba4c4bbd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yijiajian (Amoy) Jiankan Tech Co.,LTD." 
and + pe.signatures[i].serial == "65:4b:40:6d:e3:88:ec:2a:ec:25:3f:f2:ba:4c:4b:bd" and + 1398902400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_78d1817ebcf338b4e9c810f9740a726b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CONSTRUTORA NOVO PARQUE LTDA - ME" and + pe.signatures[i].serial == "78:d1:81:7e:bc:f3:38:b4:e9:c8:10:f9:74:0a:72:6b" and + 1431734400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_45fbcdb1fbd3d702fb77257b45d8c58e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Ding Ruan" and + pe.signatures[i].serial == "45:fb:cd:b1:fb:d3:d7:02:fb:77:25:7b:45:d8:c5:8e" and + 1476662400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4b5d8ed5ca011679f141f124 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "4b:5d:8e:d5:ca:01:16:79:f1:41:f1:24" and + 1480644725 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_33671f1bcbd0f5e231fc386f4895000e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ALAIS, OOO" and + pe.signatures[i].serial == "33:67:1f:1b:cb:d0:f5:e2:31:fc:38:6f:48:95:00:0e" and + 1491868800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_32bc299f0694c19ec21e71265b1d7e17 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "32:bc:29:9f:06:94:c1:9e:c2:1e:71:26:5b:1d:7e:17" and + 1474416000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7b75c6b0a09afdb9787f6dff75ae7844 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "7b:75:c6:b0:a0:9a:fd:b9:78:7f:6d:ff:75:ae:78:44" and + 1476662400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_167fd1295b3bb102dbb37292c838e7cd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "16:7f:d1:29:5b:3b:b1:02:db:b3:72:92:c8:38:e7:cd" and
+ 1476921600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_253ad25e39abe8f8fda9fcf6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DVERI FADO, TOV" and
+ pe.signatures[i].serial == "25:3a:d2:5e:39:ab:e8:f8:fd:a9:fc:f6" and
+ 1538662130 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_a9c1523cb2c73a82771d318124963e87 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ULTERA" and (
+ pe.signatures[i].serial == "00:a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87" or
+ pe.signatures[i].serial == "a9:c1:52:3c:b2:c7:3a:82:77:1d:31:81:24:96:3e:87"
+ ) and
+ 1499731200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_68e1b2c210b19bb1f2a24176709b165b {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Xin Zhou" and
+ pe.signatures[i].serial == "68:e1:b2:c2:10:b1:9b:b1:f2:a2:41:76:70:9b:16:5b" and
+ 1474502400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5c88313bd98bde99c9b9ac1408a63249 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "5c:88:31:3b:d9:8b:de:99:c9:b9:ac:14:08:a6:32:49" and
+ 1474243200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7a632a6ecfc6c49ec1f42f76 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "7a:63:2a:6e:cf:c6:c4:9e:c1:f4:2f:76" and
+ 1474959780 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_f57df6a6eee3854d513d0ba8585049b7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "smnetworks" and (
+ pe.signatures[i].serial == "00:f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7" or
+ pe.signatures[i].serial == "f5:7d:f6:a6:ee:e3:85:4d:51:3d:0b:a8:58:50:49:b7"
+ ) and
+ 1277769600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0ac5ac5d323122e6d8e92d6e191b1432 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Certified Software" and
+ pe.signatures[i].serial == "0a:c5:ac:5d:32:31:22:e6:d8:e9:2d:6e:19:1b:14:32" and
+ 1140134400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2433d9df7efbccb870ee5904d62a0101 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Conpavi AG" and
+ pe.signatures[i].serial == "24:33:d9:df:7e:fb:cc:b8:70:ee:59:04:d6:2a:01:01" and
+ 1322438400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_462baada57570f70df76d10b9e7bf2b7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "DVERI FADO, TOV" and
+ pe.signatures[i].serial == "46:2b:aa:da:57:57:0f:70:df:76:d1:0b:9e:7b:f2:b7" and
+ 1551744000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_83320d93dd8cf16d11f99b1078b0a7cb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRANS LTD" and (
+ pe.signatures[i].serial == "00:83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb" or
+ pe.signatures[i].serial == "83:32:0d:93:dd:8c:f1:6d:11:f9:9b:10:78:b0:a7:cb"
+ ) and
+ 1524614400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_10bae1d20cb4cc36a0ffac86 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "10:ba:e1:d2:0c:b4:cc:36:a0:ff:ac:86" and
+ 1476773830 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_230716bfe915dd6203b2e2a35674c2ee {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Jiang Liu" and
+ pe.signatures[i].serial == "23:07:16:bf:e9:15:dd:62:03:b2:e2:a3:56:74:c2:ee" and
+ 1472169600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_36a77d37e68e02fd3d043c7197e044ca {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Direct Systems Ltd" and
+ pe.signatures[i].serial == "36:a7:7d:37:e6:8e:02:fd:3d:04:3c:71:97:e0:44:ca" and
+ 1515542400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_73bff2fb714f986c1707165f0b0f2e0e {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Tecnopolis Consulting Ltd" and
+ pe.signatures[i].serial == "73:bf:f2:fb:71:4f:98:6c:17:07:16:5f:0b:0f:2e:0e" and
+ 1090886400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_33b24170694ca0cf4d2bdf4aadf475a3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "33:b2:41:70:69:4c:a0:cf:4d:2b:df:4a:ad:f4:75:a3" and
+ 1474934400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3a9bdec10e00e780316baaebfe7a772c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "PLAN ALPHA LIMITED" and
+ pe.signatures[i].serial == "3a:9b:de:c1:0e:00:e7:80:31:6b:aa:eb:fe:7a:77:2c" and
+ 1556582400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7cad9c37f7affa8f4d8229f97607e265 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Funbit" and
+ pe.signatures[i].serial == "7c:ad:9c:37:f7:af:fa:8f:4d:82:29:f9:76:07:e2:65" and
+ 1122508800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_098a57 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ELECTRONIC GROUP" and
+ pe.signatures[i].serial == "09:8a:57" and
+ 1032855179 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5389cc6286da3bfa1dc4df498bf68361 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Joerm.com" and
+ pe.signatures[i].serial == "53:89:cc:62:86:da:3b:fa:1d:c4:df:49:8b:f6:83:61" and
+ 1495497600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_ed9caeb7911b31bd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE4\\xB8\\x8A\\xE6\\xB5\\xB7\\xE5\\xA4\\xA9\\xE6\\xB8\\xB8\\xE8\\xBD\\xAF\\xE4\\xBB\\xB6\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and (
+ pe.signatures[i].serial == "00:ed:9c:ae:b7:91:1b:31:bd" or
+ pe.signatures[i].serial == "ed:9c:ae:b7:91:1b:31:bd"
+ ) and
+ 1506001740 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0fd2b19a941b7009cc728a37cb1b10b9 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BEAR AND CILLA LTD" and
+ pe.signatures[i].serial == "0f:d2:b1:9a:94:1b:70:09:cc:72:8a:37:cb:1b:10:b9" and
+ 1560470400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2d88c0af1fe2609961c171213c03bd23 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Zhuzhou Lizhong Precision Manufacturing Technology Co., Ltd." and
+ pe.signatures[i].serial == "2d:88:c0:af:1f:e2:60:99:61:c1:71:21:3c:03:bd:23" and
+ 1683676800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6e7cc176062d91225cfdcbdf5b5f0ea5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SG Internet" and
+ pe.signatures[i].serial == "6e:7c:c1:76:06:2d:91:22:5c:fd:cb:df:5b:5f:0e:a5" and
+ 1317945600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_cecedd2efc985c2dbf0019669d270079 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRANS LTD" and (
+ pe.signatures[i].serial == "00:ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79" or
+ pe.signatures[i].serial == "ce:ce:dd:2e:fc:98:5c:2d:bf:00:19:66:9d:27:00:79"
+ ) and
+ 1527811200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_61fe6f00bd79684210534050ff46bc92 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and
+ pe.signatures[i].serial == "61:fe:6f:00:bd:79:68:42:10:53:40:50:ff:46:bc:92" and
+ 1512000000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0323cc4e38735b0e6efba76ea25c73b7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Xingning Dexin Network Technology Co., Ltd." and
+ pe.signatures[i].serial == "03:23:cc:4e:38:73:5b:0e:6e:fb:a7:6e:a2:5c:73:b7" and
+ 1512000000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1f9aca069ac1b6bfb0e14861ec857bf6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yuanyuan Zhang" and
+ pe.signatures[i].serial == "1f:9a:ca:06:9a:c1:b6:bf:b0:e1:48:61:ec:85:7b:f6" and
+ 1477440000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3e9d26dcf703ca3b140d7e7ad48312e2 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Dong Qian" and
+ pe.signatures[i].serial == "3e:9d:26:dc:f7:03:ca:3b:14:0d:7e:7a:d4:83:12:e2" and
+ 1440580240 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4e2523e76ea455941e75fb8240474a75 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "4e:25:23:e7:6e:a4:55:94:1e:75:fb:82:40:47:4a:75" and
+ 1476403200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6102468293ba7308d17efb43ad6bfb58 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd."
and
+ pe.signatures[i].serial == "61:02:46:82:93:ba:73:08:d1:7e:fb:43:ad:6b:fb:58" and
+ 1470960000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6ded1a7ff6da152a98a57a2f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "6d:ed:1a:7f:f6:da:15:2a:98:a5:7a:2f" and
+ 1479094343 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_3ce65ea057b975d2c17eaf2c2297b1eb {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "TRANS LTD" and
+ pe.signatures[i].serial == "3c:e6:5e:a0:57:b9:75:d2:c1:7e:af:2c:22:97:b1:eb" and
+ 1528243200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5d085a9a288549d09edc4941 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "5d:08:5a:9a:28:85:49:d0:9e:dc:49:41" and
+ 1478757821 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7d20dec3797a1ac30649ebb184265b79 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Jiang Liu" and
+ pe.signatures[i].serial == "7d:20:de:c3:79:7a:1a:c3:06:49:eb:b1:84:26:5b:79" and
+ 1474156800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_187d92861076e469b5b7a19e2a9fd4ba {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Xin Zhou" and
+ pe.signatures[i].serial == "18:7d:92:86:10:76:e4:69:b5:b7:a1:9e:2a:9f:d4:ba" and
+ 1476748800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_199a9476feca3c004ff889d34545de07 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Funcall" and
+ pe.signatures[i].serial == "19:9a:94:76:fe:ca:3c:00:4f:f8:89:d3:45:45:de:07" and
+ 1138060800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1efe65 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Software Plugin Ltd."
and
+ pe.signatures[i].serial == "1e:fe:65" and
+ 1063224491 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0af7e2b6a3deb99291dcaf66 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "0a:f7:e2:b6:a3:de:b9:92:91:dc:af:66" and
+ 1474523112 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_45e27c4dfa5e6175566a13b1b6ddf3f5 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Selig Michael Irfan" and
+ pe.signatures[i].serial == "45:e2:7c:4d:fa:5e:61:75:56:6a:13:b1:b6:dd:f3:f5" and
+ 1465474542 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_37d36a4e61c0ac68ceb8bfcef2dbf283 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "ANAVERIS LIMITED" and
+ pe.signatures[i].serial == "37:d3:6a:4e:61:c0:ac:68:ce:b8:bf:ce:f2:db:f2:83" and
+ 1532476800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4321de10738278b93683ca542407f103 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "We Build Toolbars LLC" and
+ pe.signatures[i].serial == "43:21:de:10:73:82:78:b9:36:83:ca:54:24:07:f1:03" and
+ 1367884800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2a6b2df210be14f4e18e10c7 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "2a:6b:2d:f2:10:be:14:f4:e1:8e:10:c7" and
+ 1472095404 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_412ab2a50e8028ddcbc499ddf45f2045 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Ding Ruan" and
+ pe.signatures[i].serial == "41:2a:b2:a5:0e:80:28:dd:cb:c4:99:dd:f4:5f:20:45" and
+ 1479340800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_0747f6a8c3542f954b113fd98c7607cf {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Xin Zhou" and
+ pe.signatures[i].serial == "07:47:f6:a8:c3:54:2f:95:4b:11:3f:d9:8c:76:07:cf" and
+ 1474329600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_2572b484fa0a61be7288d785d7bda7d3 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "SILVA, OOO" and
+ pe.signatures[i].serial == "25:72:b4:84:fa:0a:61:be:72:88:d7:85:d7:bd:a7:d3" and
+ 1495152000 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_6726bd04204746c46857887f {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "67:26:bd:04:20:47:46:c4:68:57:88:7f" and
+ 1474352405 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4463d8b31e0f87c14233d4d0d2c487a0 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "44:63:d8:b3:1e:0f:87:c1:42:33:d4:d0:d2:c4:87:a0" and
+ 1477612800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_387982605e542d6d52f231ca6f5657cc {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Jiang Liu" and
+ pe.signatures[i].serial == "38:79:82:60:5e:54:2d:6d:52:f2:31:ca:6f:56:57:cc" and
+ 1475884800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e0134c41e7eda6863c4eee5b003976dd {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "5000 LIMITED" and (
+ pe.signatures[i].serial == "00:e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd" or
+ pe.signatures[i].serial == "e0:13:4c:41:e7:ed:a6:86:3c:4e:ee:5b:00:39:76:dd"
+ ) and
+ 1528070400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_5b47a4739dd8ffe81d9b5307 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "5b:47:a4:73:9d:d8:ff:e8:1d:9b:53:07" and
+ 1476953007 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_4f5a9bf75da76b949645475473793a7d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "EXEC CONTROL LIMITED" and
+ pe.signatures[i].serial == "4f:5a:9b:f7:5d:a7:6b:94:96:45:47:54:73:79:3a:7d" and
+ 1553817600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_081df56c9a48d02571f08907 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "08:1d:f5:6c:9a:48:d0:25:71:f0:89:07" and
+ 1474870728 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_77d5c1a3e623575999c74409dc19753c {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Yu Bao" and
+ pe.signatures[i].serial == "77:d5:c1:a3:e6:23:57:59:99:c7:44:09:dc:19:75:3c" and
+ 1475884800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_e9756b3f38b1172ea89fdbdfdba5f979 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Kreamer Ltd" and (
+ pe.signatures[i].serial == "00:e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79" or
+ pe.signatures[i].serial == "e9:75:6b:3f:38:b1:17:2e:a8:9f:db:df:db:a5:f9:79"
+ ) and
+ 1492732800 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_09fb28 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "New Dial spa" and
+ pe.signatures[i].serial == "09:fb:28" and
+ 1046968418 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_197dc32d915458953562d2fe78bf2468 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Y.L. Knafo, Ltd."
and
+ pe.signatures[i].serial == "19:7d:c3:2d:91:54:58:95:35:62:d2:fe:78:bf:24:68" and
+ 1575331200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_7c0be3d14787351e3156f5f37f2b3663 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "Apex Tech, SIA" and
+ pe.signatures[i].serial == "7c:0b:e3:d1:47:87:35:1e:31:56:f5:f3:7f:2b:36:63" and
+ 1523318400 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_05054fdea356f3dd7db479fa {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and
+ pe.signatures[i].serial == "05:05:4f:de:a3:56:f3:dd:7d:b4:79:fa" and
+ 1474436511 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_08aaa069e92517f21ce67ca713f6ea63 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "pioneersoft" and
+ pe.signatures[i].serial == "08:aa:a0:69:e9:25:17:f2:1c:e6:7c:a7:13:f6:ea:63" and
+ 1368403200 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_1b7b54e0dd4d7e45a0b46834de52658d {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "1b:7b:54:e0:dd:4d:7e:45:a0:b4:68:34:de:52:65:8d" and + 1476662400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b63e4299d0b0e2dcdaeb976167a23235 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Baltservis LLC" and ( + pe.signatures[i].serial == "00:b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" or + pe.signatures[i].serial == "b6:3e:42:99:d0:b0:e2:dc:da:eb:97:61:67:a2:32:35" + ) and + 1604102400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1dabae616705f5a51152eac48423f354 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "1d:ab:ae:61:67:05:f5:a5:11:52:ea:c4:84:23:f3:54" and + 1470960000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_50d08f3c9bf86fba52cf592b4fe6eacf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CLEVERCYBER LTD" and + pe.signatures[i].serial == "50:d0:8f:3c:9b:f8:6f:ba:52:cf:59:2b:4f:e6:ea:cf" and + 1518134400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7c7fc3616f3157a28f702cc1df275dcd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CFES Projects Ltd" and + pe.signatures[i].serial == "7c:7f:c3:61:6f:31:57:a2:8f:70:2c:c1:df:27:5d:cd" and + 1522972800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_73ed1b2f4bf8dd37a8ad9bb775774592 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "5000 LIMITED" and + pe.signatures[i].serial == "73:ed:1b:2f:4b:f8:dd:37:a8:ad:9b:b7:75:77:45:92" and + 1528243200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_211b5dfe65bc6f34bc9d3a54 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RAFO TECHNOLOGY INC" and + pe.signatures[i].serial == "21:1b:5d:fe:65:bc:6f:34:bc:9d:3a:54" and + 1526717931 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5400d1c1406528b1ef625976 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "54:00:d1:c1:40:65:28:b1:ef:62:59:76" and + 1474266628 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_013472d7d665557bfa0dc21b350a361b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yongli Zhang" and + pe.signatures[i].serial == "01:34:72:d7:d6:65:55:7b:fa:0d:c2:1b:35:0a:36:1b" and + 1470960000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_66c758a22bfbbce327616815616ddd07 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TIM Konstrakshn, TOV" and + pe.signatures[i].serial == "66:c7:58:a2:2b:fb:bc:e3:27:61:68:15:61:6d:dd:07" and + 1469404800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_e61b0366d940896430bcfe3e93baac5b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TRANS LTD" and ( + pe.signatures[i].serial == "00:e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" or + pe.signatures[i].serial == "e6:1b:03:66:d9:40:89:64:30:bc:fe:3e:93:ba:ac:5b" + ) and + 1528156800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6294b8acc35dea7d32a95ac5d4536f8f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE9\\x87\\x8D\\xE5\\xBA\\x86\\xE6\\x8E\\xA2\\xE9\\x95\\xBF\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "62:94:b8:ac:c3:5d:ea:7d:32:a9:5a:c5:d4:53:6f:8f" and + 1517443200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_485e4626c32493c16283cfd9e30d17ad { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "48:5e:46:26:c3:24:93:c1:62:83:cf:d9:e3:0d:17:ad" and + 1473292800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d0312f9177cd46b943df3ef22db4608b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "United Systems Technology, Inc." and ( + pe.signatures[i].serial == "00:d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" or + pe.signatures[i].serial == "d0:31:2f:91:77:cd:46:b9:43:df:3e:f2:2d:b4:60:8b" + ) and + 1341273600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_202702 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RDCTO Ltd" and + pe.signatures[i].serial == "20:27:02" and + 1087391361 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_369a02e5d90b2649040e7f87 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "36:9a:02:e5:d9:0b:26:49:04:0e:7f:87" and + 1479094204 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_60497070ff4a83bc87bdea24da5b431d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "60:49:70:70:ff:4a:83:bc:87:bd:ea:24:da:5b:43:1d" and + 1477008000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a333e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Coulomb Limited" and + pe.signatures[i].serial == "0a:33:3e" and + 1052750648 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1cb6519b2528d006d1da987153dad2b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "D and D Internet Services" and + pe.signatures[i].serial == "1c:b6:51:9b:25:28:d0:06:d1:da:98:71:53:da:d2:b3" and + 1012780800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_621e696c3a6371e77a678cbf0ee34ab2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "62:1e:69:6c:3a:63:71:e7:7a:67:8c:bf:0e:e3:4a:b2" and + 1467072000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_21b991 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Web Nexus d.o.o." and + pe.signatures[i].serial == "21:b9:91" and + 1125477041 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1cc37de5dbed097f98f56dbc { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "1c:c3:7d:e5:db:ed:09:7f:98:f5:6d:bc" and + 1476693977 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_50f66ab0d7ed19b69d48f635e69572fa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Wei Liu" and + pe.signatures[i].serial == "50:f6:6a:b0:d7:ed:19:b6:9d:48:f6:35:e6:95:72:fa" and + 1467158400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_11212f502836a784752160351defb136cf09 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "EVANGEL TECHNOLOGY(HK) LIMITED" and + pe.signatures[i].serial == "11:21:2f:50:28:36:a7:84:75:21:60:35:1d:ef:b1:36:cf:09" and + 1463726573 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2c16be9a7ce2a23ab7a4b4eb7da3400c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Prince city music bar" and + pe.signatures[i].serial == "2c:16:be:9a:7c:e2:a2:3a:b7:a4:b4:eb:7d:a3:40:0c" and + 1371081600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_22accad235fb1ac7422ebe5ea7ac9bc5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IMS INTERACTIVE MEDIA SOLUTIONS" and + pe.signatures[i].serial == "22:ac:ca:d2:35:fb:1a:c7:42:2e:be:5e:a7:ac:9b:c5" and + 1019001600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4d29757c4fbfc32b97091d96e3723002 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "4d:29:75:7c:4f:bf:c3:2b:97:09:1d:96:e3:72:30:02" and + 1474848000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3a949ef03d9dd2d150b24b274ff6d7b4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "3a:94:9e:f0:3d:9d:d2:d1:50:b2:4b:27:4f:f6:d7:b4" and + 1474156800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_954d0577d5ce8999e0387a5364829f66 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Soblosol Limited" and ( + pe.signatures[i].serial == "00:95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" or + pe.signatures[i].serial == "95:4d:05:77:d5:ce:89:99:e0:38:7a:53:64:82:9f:66" + ) and + 1543968000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_df5121dc99d1ab6b7e5229f6832123ef { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "INC SALYUT" and ( + pe.signatures[i].serial == "00:df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" or + pe.signatures[i].serial == "df:51:21:dc:99:d1:ab:6b:7e:52:29:f6:83:21:23:ef" + ) and + 1613433600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_760cef386b63406751ae83a9eae92342 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Gidrokon LLC" and + pe.signatures[i].serial == "76:0c:ef:38:6b:63:40:67:51:ae:83:a9:ea:e9:23:42" and + 1601942400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5c2625fa836a64f4882c56cc7a45f0ed { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "5c:26:25:fa:83:6a:64:f4:88:2c:56:cc:7a:45:f0:ed" and + 1474416000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7df6fa580f84493c414ee0e431086737 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "7d:f6:fa:58:0f:84:49:3c:41:4e:e0:e4:31:08:67:37" and + 1477440000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_309d2e115f1fe2993ee2e063 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "30:9d:2e:11:5f:1f:e2:99:3e:e2:e0:63" and + 1467102525 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_90e33c1068f54913315b6ce9311141b9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GERMES, OOO" and ( + pe.signatures[i].serial == "00:90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" or + pe.signatures[i].serial == "90:e3:3c:10:68:f5:49:13:31:5b:6c:e9:31:11:41:b9" + ) and + 1487635200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3f15c3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Certified Software" and + pe.signatures[i].serial == "3f:15:c3" and + 1110577130 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_285eccbd1d0000e640b84307ef88cd9f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DRAGON BUSINESS EQUIPMENT LIMITED" and + pe.signatures[i].serial == "28:5e:cc:bd:1d:00:00:e6:40:b8:43:07:ef:88:cd:9f" and + 1611619200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_55ab71a3f9dde3ef20c788dd1d5ff6c3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Zhengzhoushi Tiekelian Information Technology Co.,Ltd" and + pe.signatures[i].serial == "55:ab:71:a3:f9:dd:e3:ef:20:c7:88:dd:1d:5f:f6:c3" and + 1323907200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4beca26210737a5442ff8b47 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "4b:ec:a2:62:10:73:7a:54:42:ff:8b:47" and + 1476437049 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0f203839a9c63b8798a7cb31 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "0f:20:38:39:a9:c6:3b:87:98:a7:cb:31" and + 1480923809 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_dc992ea8e6bb4926931df656d5eef8a0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MEGAPOLISELIT, OOO" and ( + pe.signatures[i].serial == "00:dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" or + pe.signatures[i].serial == "dc:99:2e:a8:e6:bb:49:26:93:1d:f6:56:d5:ee:f8:a0" + ) and + 1497916800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_41bd49bb456644d8183b3dae72ec8f22 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "41:bd:49:bb:45:66:44:d8:18:3b:3d:ae:72:ec:8f:22" and + 1468454400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a8d40da6708679c08aebddea6d3f6b8a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VELES LTD." 
and ( + pe.signatures[i].serial == "00:a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" or + pe.signatures[i].serial == "a8:d4:0d:a6:70:86:79:c0:8a:eb:dd:ea:6d:3f:6b:8a" + ) and + 1547424000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_307642e1f3a92c6cc2e7fb6e18f2ddcb { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "IBM" and + pe.signatures[i].serial == "30:76:42:e1:f3:a9:2c:6c:c2:e7:fb:6e:18:f2:dd:cb" and + 1500422400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_52379131a1c69263c795a7d398db0997 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "52:37:91:31:a1:c6:92:63:c7:95:a7:d3:98:db:09:97" and + 1476748800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_44312cb9a927b4111360762b4d4bdd6d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BEAR ADAMS CONSULTING LIMITED" and + pe.signatures[i].serial == "44:31:2c:b9:a9:27:b4:11:13:60:76:2b:4d:4b:dd:6d" and + 1554768000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_123a5074069162f4ed68fc7d48f464c2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "12:3a:50:74:06:91:62:f4:ed:68:fc:7d:48:f4:64:c2" and + 1472428800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_64eb04b8def382b5efa75f63e0e85ad0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "TOV \"MARIYA\"" and + pe.signatures[i].serial == "64:eb:04:b8:de:f3:82:b5:ef:a7:5f:63:e0:e8:5a:d0" and + 1535587200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_76d8d908eed2f9857dc5676a680ceac9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "76:d8:d9:08:ee:d2:f9:85:7d:c5:67:6a:68:0c:ea:c9" and + 1467158400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_083e3f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Telefonicasa" and + pe.signatures[i].serial == "08:3e:3f" and + 999002664 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_79227311acdd575759198dbd3544cca7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "79:22:73:11:ac:dd:57:57:59:19:8d:bd:35:44:cc:a7" and + 1478131200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_13ae38c9ae21a8576c0d024d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "13:ae:38:c9:ae:21:a8:57:6c:0d:02:4d" and + 1475062802 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_557b0abf44045827f1f36efbc96271ec { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "55:7b:0a:bf:44:04:58:27:f1:f3:6e:fb:c9:62:71:ec" and + 1480291200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7903870184e18a80899740845a15e2b2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Qool Aid, LLC" and + pe.signatures[i].serial == "79:03:87:01:84:e1:8a:80:89:97:40:84:5a:15:e2:b2" and + 1079654400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5fba9b373f812c16aef531d4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "5f:ba:9b:37:3f:81:2c:16:ae:f5:31:d4" and + 1473329076 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_616a5205238590b01d7b761e444e4ad9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Lerges" and + pe.signatures[i].serial == "61:6a:52:05:23:85:90:b0:1d:7b:76:1e:44:4e:4a:d9" and + 1421452800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_29be2278113dd062eadca32de6b242d0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BLADES" and + pe.signatures[i].serial == "29:be:22:78:11:3d:d0:62:ea:dc:a3:2d:e6:b2:42:d0" and + 1536883200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_05f70a557afd4a443f44d0baf0bc8c60 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "05:f7:0a:55:7a:fd:4a:44:3f:44:d0:ba:f0:bc:8c:60" and + 1477440000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4e0665d61997072294a70c662f72eae3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "4e:06:65:d6:19:97:07:22:94:a7:0c:66:2f:72:ea:e3" and + 1474502400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_74702dff5d4056b847d009a2265fb1b3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Shulan Hou" and + pe.signatures[i].serial == "74:70:2d:ff:5d:40:56:b8:47:d0:09:a2:26:5f:b1:b3" and + 1469664000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_353b1cf7866ee0b0acdd532d0bb1a220 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Network Freak Limited" and + pe.signatures[i].serial == "35:3b:1c:f7:86:6e:e0:b0:ac:dd:53:2d:0b:b1:a2:20" and + 1558915200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_093ff2870fa33eaf47259457ee58c2e0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AEEPZ Limited" and + pe.signatures[i].serial == "09:3f:f2:87:0f:a3:3e:af:47:25:94:57:ee:58:c2:e0" and + 1503532800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_719c17a823839dca813ee85888b3b39a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "71:9c:17:a8:23:83:9d:ca:81:3e:e8:58:88:b3:b3:9a" and + 1479686400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6dc86ebf5863568e2237b2d89582d705 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Dening Hu" and + pe.signatures[i].serial == "6d:c8:6e:bf:58:63:56:8e:22:37:b2:d8:95:82:d7:05" and + 1471305600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_214df59fe53874cc011dd45727035f51 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "21:4d:f5:9f:e5:38:74:cc:01:1d:d4:57:27:03:5f:51" and + 1468800000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_37ca4f66fdcc8732992723199859886c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Aleman Ltd" and + pe.signatures[i].serial == "37:ca:4f:66:fd:cc:87:32:99:27:23:19:98:59:88:6c" and + 1505952000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_be2f22c152bb218b898c4029056816a9 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Marts GmbH" and ( + pe.signatures[i].serial == "00:be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" or + pe.signatures[i].serial == "be:2f:22:c1:52:bb:21:8b:89:8c:40:29:05:68:16:a9" + ) and + 1676246400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_fc7065abf8303fb472b8af85918f5c24 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DIG IN VISION SP Z O O" and ( + pe.signatures[i].serial == "00:fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" or + pe.signatures[i].serial == "fc:70:65:ab:f8:30:3f:b4:72:b8:af:85:91:8f:5c:24" + ) and + 1604361600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_698ff388adb50b88afb832e76b0a0ad1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BELLAP LIMITED" and + pe.signatures[i].serial == "69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1" and + 1675070541 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_391ae38670ab188a5de26e07 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "DVERI FADO, TOV" and + pe.signatures[i].serial == "39:1a:e3:86:70:ab:18:8a:5d:e2:6e:07" and + 1540832872 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_d08d83ff118df3777e371c5c482cce7b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "AMO-K Limited Liability Company" and ( + pe.signatures[i].serial == "00:d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" or + pe.signatures[i].serial == "d0:8d:83:ff:11:8d:f3:77:7e:37:1c:5c:48:2c:ce:7b" + ) and + 1444780800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_06ce209477f1ac19a2049bdc5846a831 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Select'Assistance Pro" and + pe.signatures[i].serial == "06:ce:20:94:77:f1:ac:19:a2:04:9b:dc:58:46:a8:31" and + 1426710344 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_447f449121b883211663b7b7e2ead868 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "3 AM CHP" and + pe.signatures[i].serial == "44:7f:44:91:21:b8:83:21:16:63:b7:b7:e2:ea:d8:68" and + 1443052800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6366a9ac97df4de17366943c9b291aaa { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "xlgames" and + pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" and + 1326796477 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_66e3f0b4459f15ac7f2a2b44990dd709 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "KOG Co., Ltd." and + pe.signatures[i].serial == "66:e3:f0:b4:45:9f:15:ac:7f:2a:2b:44:99:0d:d7:09" and + 1320288125 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_610039d6349ee531e4caa3a65d100c7d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Wemade Entertainment" and + pe.signatures[i].serial == "61:00:39:d6:34:9e:e5:31:e4:ca:a3:a6:5d:10:0c:7d" and + 1341792000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1caa0d0dadf32a2404a75195ae47820a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LivePlex Corp" and + pe.signatures[i].serial == "1c:aa:0d:0d:ad:f3:2a:24:04:a7:51:95:ae:47:82:0a" and + 1324425600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_140d2c515e8ee9739bb5f1b2637dc478 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and + pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" and + 1386806400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_58015acd501fc9c344264eace2ce5730 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Nanjing Ranyi Technology Co., Ltd. 
" and + pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" and + 1352246400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0b7279068beb15ffe8060d2c56153c35 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Guangzhou YuanLuo Technology Co.,Ltd" and + pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" and + 1350864000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0bc0f18da36702e302db170d91dc9202 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Foresee Consulting Inc." and + pe.signatures[i].serial == "0b:c0:f1:8d:a3:67:02:e3:02:db:17:0d:91:dc:92:02" and + 1637712000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ca9b6f49b8b41204a174c751c73dc393 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "CodeDance Ltd" and ( + pe.signatures[i].serial == "00:ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" or + pe.signatures[i].serial == "ca:9b:6f:49:b8:b4:12:04:a1:74:c7:51:c7:3d:c3:93" + ) and + 1654646400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_aaf65b8e7a2e68bc8c9e8f27331b795c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ALISA L LIMITED" and ( + pe.signatures[i].serial == "00:aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" or + pe.signatures[i].serial == "aa:f6:5b:8e:7a:2e:68:bc:8c:9e:8f:27:33:1b:79:5c" + ) and + 1549324800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_c6ed0efe2844fa44aae350c6845c3331 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "THE COMPANY OF WORDS LTD" and ( + pe.signatures[i].serial == "00:c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" or + pe.signatures[i].serial == "c6:ed:0e:fe:28:44:fa:44:aa:e3:50:c6:84:5c:33:31" + ) and + 1549324800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_ede6cfbf9fa18337b0fdb49c1f693020 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "START ARCHITECTURE LTD" and ( + pe.signatures[i].serial == "00:ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" or + pe.signatures[i].serial == "ed:e6:cf:bf:9f:a1:83:37:b0:fd:b4:9c:1f:69:30:20" + ) and + 1554940800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_eda0f47b3b38e781cdf6ef6be5d3f6ee { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ADVANCED ACCESS SERVICES LTD" and ( + pe.signatures[i].serial == "00:ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" or + pe.signatures[i].serial == "ed:a0:f4:7b:3b:38:e7:81:cd:f6:ef:6b:e5:d3:f6:ee" + ) and + 1650931200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5da173eb1ac76340ac058e1ff4bf5e1b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ALISA LTD" and + pe.signatures[i].serial == "5d:a1:73:eb:1a:c7:63:40:ac:05:8e:1f:f4:bf:5e:1b" and + 1550793600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1380a7ccf2bf36bc496b00d8 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "13:80:a7:cc:f2:bf:36:bc:49:6b:00:d8" and + 1478069976 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_02eaf27e6f1575e365fc7fe4e0be43f7 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Theravada Solutions Ltd" and + pe.signatures[i].serial == "02:ea:f2:7e:6f:15:75:e3:65:fc:7f:e4:e0:be:43:f7" and + 1562889600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6eb02ac2beb9611ed57eb12e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE5\\x87\\x8C\\xE4\\xBC\\xAF\\xE4\\xB9\\x90\\xE7\\xBD\\x91\\xE7\\xBB\\x9C\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and + pe.signatures[i].serial == "6e:b0:2a:c2:be:b9:61:1e:d5:7e:b1:2e" and + 1585023767 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_010000000001297dba69dd { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ROSSO INDEX K.K." 
and + pe.signatures[i].serial == "01:00:00:00:00:01:29:7d:ba:69:dd" and + 1277713154 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_7def22ef4c645b1decfb36b6d3539dbf { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "7d:ef:22:ef:4c:64:5b:1d:ec:fb:36:b6:d3:53:9d:bf" and + 1474416000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3e39c2ccc494438bb8c2560f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "3e:39:c2:cc:c4:94:43:8b:b8:c2:56:0f" and + 1466142876 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6e3b09f43c3a0fd53b7d600f08fae2b5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Divisible Limited" and + pe.signatures[i].serial == "6e:3b:09:f4:3c:3a:0f:d5:3b:7d:60:0f:08:fa:e2:b5" and + 1507248000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_21220646c639d62c16992f46 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Sivi Technology Limited" and + pe.signatures[i].serial == "21:22:06:46:c6:39:d6:2c:16:99:2f:46" and + 1466130984 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_738663f2c9e4adb3ad5306aa5e7cc548 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "GIN-Konsalt" and + pe.signatures[i].serial == "73:86:63:f2:c9:e4:ad:b3:ad:53:06:aa:5e:7c:c5:48" and + 1498435200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_4280f2c8ce1d98e5f8da7ecb005eeae5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "42:80:f2:c8:ce:1d:98:e5:f8:da:7e:cb:00:5e:ea:e5" and + 1476316800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2946397be9c5ae44e95c99af { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "29:46:39:7b:e9:c5:ae:44:e9:5c:99:af" and + 1476092708 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2df453588177cf1c0c297ff4 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Shenzhen Yunhuitianxia Technology Co.,Ltd." and + pe.signatures[i].serial == "2d:f4:53:58:81:77:cf:1c:0c:29:7f:f4" and + 1479735173 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0619c5e39a4fc60a32f9b07f6a4ca328 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yuanyuan Zhang" and + pe.signatures[i].serial == "06:19:c5:e3:9a:4f:c6:0a:32:f9:b0:7f:6a:4c:a3:28" and + 1475884800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_2bffef48e6a321b418041310fdb9b0d0 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "A&D DOMUS LIMITED" and + pe.signatures[i].serial == "2b:ff:ef:48:e6:a3:21:b4:18:04:13:10:fd:b9:b0:d0" and + 1554681600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_34ec9565805f34204c6966fb81e36ba1 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "34:ec:95:65:80:5f:34:20:4c:69:66:fb:81:e3:6b:a1" and + 1476921600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_b2b934b7f01e0ac1e577814992243709 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "MS CORP SOFTWARE LTD" and ( + pe.signatures[i].serial == "00:b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" or + pe.signatures[i].serial == "b2:b9:34:b7:f0:1e:0a:c1:e5:77:81:49:92:24:37:09" + ) and + 1590710400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3a1b397fd9451e3b5891fc69681ed73d { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yongli Zhang" and + pe.signatures[i].serial == "3a:1b:39:7f:d9:45:1e:3b:58:91:fc:69:68:1e:d7:3d" and + 1470614400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1eb816aa49e4894d9e9f78729e53cd48 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE5\\x96\\x84\\xE5\\x90\\x9B \\xE9\\x9F\\xA6" and + pe.signatures[i].serial == "1e:b8:16:aa:49:e4:89:4d:9e:9f:78:72:9e:53:cd:48" and + 1429056000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_383ca88d6d9379c740609560 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "38:3c:a8:8d:6d:93:79:c7:40:60:95:60" and + 1478250214 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6731cb1430f18b8c0c43ab40e1154169 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "3 AM CHP" and + pe.signatures[i].serial == "67:31:cb:14:30:f1:8b:8c:0c:43:ab:40:e1:15:41:69" and + 1436313600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_159505e6456b9a9352f7c47168d89b96 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Shan Feng" and + pe.signatures[i].serial == "15:95:05:e6:45:6b:9a:93:52:f7:c4:71:68:d8:9b:96" and + 1469404800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_04a0e92b0b9ebbb797df6ef52bd5ad05 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "04:a0:e9:2b:0b:9e:bb:b7:97:df:6e:f5:2b:d5:ad:05" and + 1479081600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_25f222ab2613dc4270b2aabc2519a101 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Aeroscan TOV" and + pe.signatures[i].serial == "25:f2:22:ab:26:13:dc:42:70:b2:aa:bc:25:19:a1:01" and + 1445299200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_212ca239866f88c3d5b000b3004a569c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "XECURE LAB CO., LTD." and + pe.signatures[i].serial == "21:2c:a2:39:86:6f:88:c3:d5:b0:00:b3:00:4a:56:9c" and + 1347840000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_18b700a319aa98ae71b279d4e8030b82 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "18:b7:00:a3:19:aa:98:ae:71:b2:79:d4:e8:03:0b:82" and + 1479686400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_169138a86954be1d9b264f47 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "BIG JOURNEY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "16:91:38:a8:69:54:be:1d:9b:26:4f:47" and + 1477636474 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_33412168eeb3c0e4c7dd0508a9ffecd5 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Beijing Caiyunshidai Technology Co., Ltd." and + pe.signatures[i].serial == "33:41:21:68:ee:b3:c0:e4:c7:dd:05:08:a9:ff:ec:d5" and + 1467590400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_422ab71ac7fb125ad7171b0c99510b0e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "42:2a:b7:1a:c7:fb:12:5a:d7:17:1b:0c:99:51:0b:0e" and + 1475193600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_6f18946e5b773b7e32d9e7b4fb8d434c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VECTOR LLC (VEKTOR, OOO)" and + pe.signatures[i].serial == "6f:18:94:6e:5b:77:3b:7e:32:d9:e7:b4:fb:8d:43:4c" and + 1454716800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3596dfc23b9a42c66700982250da2906 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Open Source Developer, Song WU" and + pe.signatures[i].serial == "35:96:df:c2:3b:9a:42:c6:67:00:98:22:50:da:29:06" and + 1397219344 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_486bbddc8c5ee99f051ecaeb3f99d2a3 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "48:6b:bd:dc:8c:5e:e9:9f:05:1e:ca:eb:3f:99:d2:a3" and + 1473292800 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_11211eea9d0d1d1a325b5eae1b2b1951120f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "LLC HERMES" and + pe.signatures[i].serial == "11:21:1e:ea:9d:0d:1d:1a:32:5b:5e:ae:1b:2b:19:51:12:0f" and + 1460147212 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_172fea8cb06ffced6bfac7f2f6b77754 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Xin Zhou" and + pe.signatures[i].serial == "17:2f:ea:8c:b0:6f:fc:ed:6b:fa:c7:f2:f6:b7:77:54" and + 1467936000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_3ee50bb98fadca2d662a0920e76685a2 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ABDULKADIR SAHIN" and + pe.signatures[i].serial == "3e:e5:0b:b9:8f:ad:ca:2d:66:2a:09:20:e7:66:85:a2" and + 1330041600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_21bfddb6a66435d1adce2ceb23ed7c9a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "\\xE6\\x9D\\xA8\\xE6\\xB7\\x87\\xE6\\x99\\xBA" and + pe.signatures[i].serial == "21:bf:dd:b6:a6:64:35:d1:ad:ce:2c:eb:23:ed:7c:9a" and + 1395297334 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_5b1c3f7bbaa91ca49b06a5c1004ee5be { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Jin Yuguang" and + pe.signatures[i].serial == "5b:1c:3f:7b:ba:a9:1c:a4:9b:06:a5:c1:00:4e:e5:be" and + 1440643213 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0a2089 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "RocketMedia S.r.l." and + pe.signatures[i].serial == "0a:20:89" and + 1050073884 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_1f84e030a0ed10d5ffe2b81b { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "VANKY TECHNOLOGY LIMITED" and + pe.signatures[i].serial == "1f:84:e0:30:a0:ed:10:d5:ff:e2:b8:1b" and + 1476869735 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_88346267057c0a82e2f39851d1b9694c { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Hudson LLC" and ( + pe.signatures[i].serial == "00:88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" or + pe.signatures[i].serial == "88:34:62:67:05:7c:0a:82:e2:f3:98:51:d1:b9:69:4c" + ) and + 1595376000 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_a46f9d8784778baa48167c48bbc56f30 { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Mapping OOO" and ( + pe.signatures[i].serial == "00:a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" or + pe.signatures[i].serial == "a4:6f:9d:87:84:77:8b:aa:48:16:7c:48:bb:c5:6f:30" + ) and + 1618963200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_525b5529db20d17a85be284d6b7952ea { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." 
+ + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Buster Ind Com Imp e Exp de Acessorios P Autos Ltda" and + pe.signatures[i].serial == "52:5b:55:29:db:20:d1:7a:85:be:28:4d:6b:79:52:ea" and + 1508198400 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_70ae0e517d2ef6d5eed06b56730a1a9a { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Yu Bao" and + pe.signatures[i].serial == "70:ae:0e:51:7d:2e:f6:d5:ee:d0:6b:56:73:0a:1a:9a" and + 1475193600 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_57c3717c5e2ce9a2e0cf0340c03f458e { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "Citizen Travel Ltd" and + pe.signatures[i].serial == "57:c3:71:7c:5e:2c:e9:a2:e0:cf:03:40:c0:3f:45:8e" and + 1450915200 <= pe.signatures[i].not_after + ) +} + +rule cert_blocklist_0761110efe0b688c469d687512828c1f { + meta: + author = "ReversingLabs" + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "INFO" + description = "Certificate used for digitally signing malware." + + condition: + uint16(0) == 0x5A4D and + for any i in (0..pe.number_of_signatures): ( + pe.signatures[i].subject contains "ENP Games Co., Ltd." 
and
+ pe.signatures[i].serial == "07:61:11:0e:fe:0b:68:8c:46:9d:68:75:12:82:8c:1f" and
+ 1433721600 <= pe.signatures[i].not_after
+ )
+}
+
+rule cert_blocklist_08aa03f385f870e3a6d243b74b1dadf6 {
+ meta:
+ author = "ReversingLabs"
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "INFO"
+ description = "Certificate used for digitally signing malware."
+
+ condition:
+ uint16(0) == 0x5A4D and
+ for any i in (0..pe.number_of_signatures): (
+ pe.signatures[i].subject contains "\\xE4\\xB8\\x9C\\xE8\\x8E\\x9E\\xE5\\xB8\\x82\\xE8\\x85\\xBE\\xE4\\xBA\\x91\\xE8\\xAE\\xA1\\xE7\\xAE\\x97\\xE6\\x9C\\xBA\\xE7\\xA7\\x91\\xE6\\x8A\\x80\\xE6\\x9C\\x89\\xE9\\x99\\x90\\xE5\\x85\\xAC\\xE5\\x8F\\xB8" and
+ pe.signatures[i].serial == "08:aa:03:f3:85:f8:70:e3:a6:d2:43:b7:4b:1d:ad:f6" and
+ 1352678400 <= pe.signatures[i].not_after
+ )
+}
\ No newline at end of file
diff --git a/yara/downloader/Win32.Downloader.dlMarlboro.yara b/yara/downloader/Win32.Downloader.dlMarlboro.yara
new file mode 100644
index 0000000..20d86dd
--- /dev/null
+++ b/yara/downloader/Win32.Downloader.dlMarlboro.yara
@@ -0,0 +1,79 @@ +rule Win32_Downloader_dlMarlboro : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DLMARLBORO" + description = "Yara rule that detects dlMarlboro downloader." + + tc_detection_type = "Downloader" + tc_detection_name = "dlMarlboro" + tc_detection_factor = 3 + + strings: + + $ping_apnic = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 0F 57 + C0 F3 0F 7F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 8D 85 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $download_bin_1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 65 ?? 8B F2 8B C1 89 85 ?? + ?? ?? ?? 8B 7D ?? 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? + ?? ?? 83 EC ?? 8B CC 6A ?? 6A ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 56 C6 01 + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? F6 84 + 05 ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? FF 50 ?? 8D 4D ?? 51 8B + C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B D7 8B C8 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? BA ?? ?? ?? 
?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D6 8B C8 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 + ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 55 + ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 55 ?? C6 + 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? F6 84 05 ?? ?? + ?? ?? ?? 74 ?? 83 EC ?? 8D 45 ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? BA ?? ?? ?? + ?? 8B C8 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? B3 ?? EB ?? 32 DB + } + + $download_bin_2 = { + C7 45 ?? ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? + ?? ?? 83 C4 ?? 84 DB 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 8D 80 ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 03 + C8 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 + C4 ?? 8B 8D ?? ?? ?? ?? 8B F0 85 C9 74 ?? 8B 01 FF 50 ?? 85 C0 74 ?? 8B 10 8B C8 6A + ?? FF 12 8B 06 8B CE 6A ?? 8B 40 ?? FF D0 50 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 5D ?? 83 C4 ?? 8B 7D ?? 8B 08 8B 49 ?? F6 44 01 ?? ?? 75 ?? 8B 75 ?? 8D 4D ?? + 83 FB ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 0F 43 CF 3B F0 0F 42 C6 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 75 ?? 83 FE ?? 73 ?? 83 C8 ?? EB ?? 33 C0 83 FE ?? 0F 95 C0 85 C0 0F 94 + C0 84 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? + ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 56 E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 
C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 FB ?? 72 ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 EB ?? 8B 8D ?? ?? ?? + ?? 8B 01 FF 50 ?? 8B 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? C3 8B 85 ?? ?? + ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $ping_apnic and $download_bin_1 and $download_bin_2 +} diff --git a/yara/exploit/Win32.Exploit.CVE20200601.yara b/yara/exploit/Win32.Exploit.CVE20200601.yara new file mode 100644 index 0000000..8ecf884 --- /dev/null +++ b/yara/exploit/Win32.Exploit.CVE20200601.yara 
@@ -0,0 +1,253 @@ +import "pe" + +rule Win32_Exploit_CVE20200601 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "EXPLOIT" + exploit = "CVE-2020-0601" + description = "Yara rule that detects CVE-2020-0601 exploit." + + tc_detection_type = "Exploit" + tc_detection_name = "CVE-2020-0601" + tc_detection_factor = 5 + + strings: + + $oid_prime_explicit = { + 06 07 2A 86 48 CE 3D 01 01 + } + + $ecc_public_key_1 = { + 04 47 45 0E 96 FB 7D 5D BF E9 39 D1 21 F8 9F 0B + B6 D5 7B 1E 92 3A 48 59 1C F0 62 31 2D C0 7A 28 + FE 1A A7 5C B3 B6 CC 97 E7 45 D4 58 FA D1 77 6D + 43 A2 C0 87 65 34 0A 1F 7A DD EB 3C 33 A1 C5 9D + 4D A4 6F 41 95 38 7F C9 1E 84 EB D1 9E 49 92 87 + 94 87 0C 3A 85 4A 66 9F 9D 59 93 4D 97 61 06 86 + 4A + } + + $ecc_public_key_2 = { + 04 84 13 C9 D0 BA 6D 41 7B E2 6C D0 EB 55 5F 66 + 02 1A 24 F4 5B 89 69 47 E3 B8 C2 7D F1 F2 02 C5 + 9F A0 F6 5B D5 8B 06 19 86 4F 53 10 6D 07 24 27 + A1 A0 F8 D5 47 19 61 4C 7D CA 93 27 EA 74 0C EF + 6F 96 09 FE 63 EC 70 5D 36 AD 67 77 AE C9 9D 7C + 55 44 3A A2 63 51 1F F5 E3 62 D4 A9 47 07 3E CC + 20 + } + + $ecc_public_key_3 = { + 04 A7 56 7A 7C 52 DA 64 9B 0E 2D 5C D8 5E AC 92 + 3D FE 01 E6 19 4A 3D 14 03 4B FA 60 27 20 D9 83 + 89 69 FA 54 C6 9A 18 5E 55 2A 64 DE 06 F6 8D 4A + 3B AD 10 3C 65 3D 90 88 04 89 E0 30 61 B3 AE 5D + 01 A7 7B DE 7C B2 BE CA 65 61 00 86 AE DA 8F 7B + D0 89 AD 4D 1D 59 9A 41 B1 BC 47 80 DC 9E 62 C3 + F9 + } + + $ecc_public_key_4 = { + 04 CD 0F 5B 56 82 DF F0 45 1A D6 AD F7 79 F0 1D + C9 AC 96 D6 9E 4E 9C 1F B4 42 11 CA 86 BF 6D FB + 85 A3 C5 E5 19 5C D7 EE A6 3F 69 67 D8 78 E2 A6 + C9 C4 DB 2D 79 2E E7 8B 8D 02 6F 31 22 4D 06 E3 + 60 72 45 9D 0E 42 77 9E CE CF E5 7F 85 9B 18 E4 + FC CC 2E 72 D3 16 93 4E CA 99 63 5C A1 05 2A 6C + 06 + } + + $ecc_public_key_5 = { + 04 57 CF EA B3 39 4D 3F A1 21 E0 6E 2F 38 72 C6 + 87 97 F3 85 0B 47 E7 0F 51 C8 D1 F4 99 9B CA 59 + 65 FF 4C F9 EA 0B B7 25 D5 D2 F6 EC 31 
2D 32 62 + 12 D7 76 86 A7 FA 38 C9 65 D4 FE 73 E2 84 39 F8 + 4C 49 62 13 DD BA D5 88 A0 5F 3D C8 4F B0 3F 8F + A1 50 11 E4 93 46 AD C3 5F CB F1 A4 6A 95 56 E8 + C0 + } + + $ecc_public_key_6 = { + 04 D1 D9 4A 8E 4C 0D 84 4A 51 BA 7C EF D3 CC FA + 3A 9A B5 A7 63 13 3D 01 E0 49 3E FA C1 47 C9 92 + B3 3A D7 FE 6F 9C F7 9A 3A 0F F5 0E 0A 0A C3 3F + C8 E7 12 14 8E D5 D5 6D 98 2C B3 71 32 0A EB 2A + BD F6 D7 6A 20 0B 67 45 9C D2 B2 BF 53 22 66 09 + 5D DB 11 F3 F1 05 33 58 A3 E2 B8 CF 7C CD 82 9B + BD + } + + $ecc_public_key_7 = { + 04 4A EE 58 AE 4D CA 66 DE 06 3A A3 11 FC E0 18 + F0 6E 1C BA 2D 30 0C 89 D9 D6 EE 9B 73 83 A9 23 + 15 8C 2F 59 8A 5A DD 14 EA 9D 59 2B 43 B7 06 EC + 32 B6 BA EE 41 B5 AD 5D A1 85 CC EA 1D 14 66 A3 + 67 7E 46 E2 94 F3 E7 B6 56 A1 15 59 A1 4F 37 97 + B9 22 1E BD 11 EB F4 B2 1F 5E C3 14 9A E5 D9 97 + 99 + } + + $ecc_public_key_8 = { + 04 DD A7 D9 BB 8A B8 0B FB 0B 7F 21 D2 F0 BE BE + 73 F3 33 5D 1A BC 34 EA DE C6 9B BC D0 95 F6 F0 + CC D0 0B BA 61 5B 51 46 7E 9E 2D 9F EE 8E 63 0C + 17 EC 07 70 F5 CF 84 2E 40 83 9C E8 3F 41 6D 3B + AD D3 A4 14 59 36 78 9D 03 43 EE 10 13 6C 72 DE + AE 88 A7 A1 6B B5 43 CE 67 DC 23 FF 03 1C A3 E2 + 3E + } + + $ecc_public_key_9 = { + 04 D7 66 B5 1B DB AE B3 60 EE 46 EA 88 63 75 3B + 2A 94 6D F3 5F 12 F6 E3 0F 9E B6 0A 14 53 48 52 + C8 DC 3A B3 CB 48 20 26 12 4E FA 89 84 D4 DF 91 + E4 29 7D 28 01 D9 DB 18 43 69 A1 1F B5 D3 86 16 + DC C7 7F 67 23 DF DF 31 31 83 03 35 70 B1 4B B7 + C8 17 BB 51 CB DC 94 17 DB EA 09 3B 76 12 DE AA + B5 + } + + $ecc_public_key_10 = { + 04 15 B1 E8 FD 03 15 43 E5 AC EB 87 37 11 62 EF + D2 83 36 52 7D 45 57 0B 4A 8D 7B 54 3B 3A 6E 5F + 15 02 C0 50 A6 CF 25 2F 7D CA 48 B8 C7 50 63 1C + 2A 21 08 7C 9A 36 D8 0B FE D1 26 C5 58 31 30 28 + 25 F3 5D 5D A3 B8 B6 A5 B4 92 ED 6C 2C 9F EB DD + 43 89 A2 3C 4B 48 91 1D 50 EC 26 DF D6 60 2E BD + 21 + } + + $ecc_public_key_11 = { + 04 03 47 7B 2F 75 C9 82 15 85 FB 75 E4 91 16 D4 + AB 62 99 F5 3E 52 0B 06 CE 41 00 7F 97 E1 0A 24 + 3C 1D 01 04 EE 3D D2 8D 09 
97 0C E0 75 E4 FA FB + 77 8A 2A F5 03 60 4B 36 8B 16 23 16 AD 09 71 F4 + 4A F4 28 50 B4 FE 88 1C 6E 3F 6C 2F 2F 09 59 5B + A5 5B 0B 33 99 E2 C3 3D 89 F9 6A 2C EF B2 D3 06 + E9 + } + + $ecc_public_key_12 = { + 04 92 A0 41 E8 4B 82 84 5C E2 F8 31 11 99 86 64 + 4E 09 25 2F 9D 41 2F 0A AE 35 4F 74 95 B2 51 64 + 6B 8D 6B E6 3F 70 95 F0 05 44 47 A6 72 38 50 76 + 95 02 5A 8E AE 28 9E F9 2D 4E 99 EF 2C 48 6F 4C + 25 29 E8 D1 71 5B DF 1D C1 75 37 B4 D7 FA 7B 7A + 42 9C 6A 0A 56 5A 7C 69 0B AA 80 09 24 6C 7E C1 + 46 + } + + $ecc_public_key_13 = { + 04 A2 D5 9C 82 7B 95 9D F1 52 78 87 FE 8A 16 BF + 05 E6 DF A3 02 4F 0D 07 C6 00 51 BA 0C 02 52 2D + 22 A4 42 39 C4 FE 8F EA C9 C1 BE D4 4D FF 9F 7A + 9E E2 B1 7C 9A AD A7 86 09 73 87 D1 E7 9A E3 7A + A5 AA 6E FB BA B3 70 C0 67 88 A2 35 D4 A3 9A B1 + FD AD C2 EF 31 FA A8 B9 F3 FB 08 C6 91 D1 FB 29 + 95 + } + + $ecc_public_key_14 = { + 04 98 E9 2F 3D 40 72 A4 ED 93 22 72 81 13 1C DD + 10 95 F1 C5 A3 4E 71 DC 14 16 D9 0E E5 A6 05 2A + 77 64 7B 5F 4E 38 D3 BB 1C 44 B5 7F F5 1F B6 32 + 62 5D C9 E9 84 5B 4F 30 4F 11 5A 00 FD 58 58 0C + A5 F5 0F 2C 4D 07 47 13 75 DA 97 97 97 6F 31 5C + ED 2B 9D 7B 20 3B D8 B9 54 D9 5E 99 A4 3A 51 0A + 31 + } + + $ecc_public_key_15 = { + 04 0D 30 5E 1B 15 9D 03 D0 A1 79 35 B7 3A 3C 92 + 7A CA 15 1C CD 62 F3 9C 26 5C 07 3D E5 54 FA A3 + D6 CC 12 EA F4 14 5F E8 8E 19 AB 2F 2E 48 E6 AC + 18 43 78 AC D0 37 C3 BD B2 CD 2C E6 47 E2 1A E6 + 63 B8 3D 2E 2F 78 C4 4F DB F4 0F A4 68 4C 55 72 + 6B 95 1D 4E 18 42 95 78 CC 37 3C 91 E2 9B 65 2B + 29 + } + + $ecc_public_key_16 = { + 04 1A AC 54 5A A9 F9 68 23 E7 7A D5 24 6F 53 C6 + 5A D8 4B AB C6 D5 B6 D1 E6 73 71 AE DD 9C D6 0C + 61 FD DB A0 89 03 B8 05 14 EC 57 CE EE 5D 3F E2 + 21 B3 CE F7 D4 8A 79 E0 A3 83 7E 2D 97 D0 61 C4 + F1 99 DC 25 91 63 AB 7F 30 A3 B4 70 E2 C7 A1 33 + 9C F3 BF 2E 5C 53 B1 5F B3 7D 32 7F 8A 34 E3 79 + 79 + } + + $ecc_public_key_17 = { + 04 E1 FD 8E B8 43 24 AB 96 7B 85 C2 BA 0B AD 8D + E0 3A E3 24 B9 D2 B1 BE 88 3A CA BF 4A B8 F9 EF + 2C 2F AF 
51 50 3C 47 75 6C F8 94 B7 9B FC 28 1E + C5 54 CC 63 9D 16 4B 53 C1 E7 20 AB CD AC 25 D2 + 7F 8F C2 C1 5A 82 5E 30 8B 7A 54 CE 03 B5 91 7F + AA 94 D0 D1 8A 48 CC 82 05 26 A1 D5 51 12 D6 7B + 36 + } + + $ecc_public_key_18 = { + 04 19 E7 BC AC 44 65 ED CD B8 3F 58 FB 8D B1 57 + A9 44 2D 05 15 F2 EF 0B FF 10 74 9F B5 62 52 5F + 66 7E 1F E5 DC 1B 45 79 0B CC C6 53 0A 9D 8D 5D + 02 D9 A9 59 DE 02 5A F6 95 2A 0E 8D 38 4A 8A 49 + C6 BC C6 03 38 07 5F 55 DA 7E 09 6E E2 7F 5E D0 + 45 20 0F 59 76 10 D6 A0 24 F0 2D DE 36 F2 6C 29 + 39 + } + + $ecc_public_key_19 = { + 04 B8 C6 79 D3 8F 6C 25 0E 9F 2E 39 19 1C 03 A4 + AE 9A E5 39 07 09 16 CA 63 B1 B9 86 F8 8A 57 C1 + 57 CE 42 FA 73 A1 F7 65 42 FF 1E C1 00 B2 6E 73 + 0E FF C7 21 E5 18 A4 AA D9 71 3F A8 D4 B9 CE 8C + 1D + } + + $ecc_public_key_20 = { + 04 C7 11 16 2A 76 1D 56 8E BE B9 62 65 D4 C3 CE + B4 F0 C3 30 EC 8F 6D D7 6E 39 BC C8 49 AB AB B8 + E3 43 78 D5 81 06 5D EF C7 7D 9F CE D6 B3 90 75 + DE 0C B0 90 DE 23 BA C8 D1 3E 67 E0 19 A9 1B 86 + 31 1E 5F 34 2D EE 17 FD 15 FB 7E 27 8A 32 A1 EA + C9 8F C9 7E 18 CB 2F 3B 2C 48 7A 7D A6 F4 01 07 + AC + } + + $ecc_public_key_21 = { + 04 DE CD BB 70 20 F1 25 20 B4 94 E8 D7 B4 3B 0F + 6E 87 DD AB AC CF 4D 40 2F 81 33 6B 59 09 18 D6 + 87 0D 26 23 9C B4 8D 95 9D 76 9F A5 B9 06 42 E6 + AD 36 B2 C4 B3 AE 7A 3C 08 D5 CB 9D 3A 5E 45 21 + 6C 0B E3 20 F5 9B C2 DD 44 33 E3 42 B9 EA F2 28 + 42 92 AA FE 0C 07 CA 8A 13 99 3B 62 00 ED DA F3 + 35 + } + + $ecc_public_key_22 = { + 04 5C D1 EE 57 0D D1 EF 81 7C 26 91 62 C3 6B E7 + FC 73 A9 A0 C3 37 44 DC D6 F8 31 E2 77 93 5F 8F + EB E3 ED 38 73 F5 FC 8B 55 B9 14 A5 8F 2C 44 28 + 19 AF 5D FB DE 09 58 C9 29 B3 A9 99 D3 75 13 3C + A9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $oid_prime_explicit + ) and + ( + any of ($ecc_public_key_*) + ) and + ( + pe.number_of_signatures > 0 + ) +} \ No newline at end of file 
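Review bot: The final clause `pe.number_of_signatures > 0` is only defined when the scanning YARA binary is built with OpenSSL; on a build without it the pe module's signature fields are undefined, the whole condition evaluates false and this rule — like every `cert_blocklist_*` rule in this commit that reads `pe.signatures[i]` — silently never fires, so the integrating scanner should verify signature support at startup or at least document the requirement. I would add above `condition:` the comment `// pe.signatures / pe.number_of_signatures need a YARA build with OpenSSL; without it this rule never matches`. Separately, `$oid_prime_explicit` (1.2.840.10045.1.1, prime-field) captures the explicit-curve-parameter encoding the bug depends on, but `any of ($ecc_public_key_*)` then pins detection to 22 fixed keys — presumably the trusted ECC root keys being spoofed, which the hunk does not state — so a forgery aimed at a root outside that list is missed; a lower-confidence companion rule keyed on the OID plus a signed PE would cover that gap.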
diff --git a/yara/infostealer/Win32.Infostealer.LumarStealer.yara b/yara/infostealer/Win32.Infostealer.LumarStealer.yara
new file mode 100644
index 0000000..050a1d2
--- /dev/null
+++ b/yara/infostealer/Win32.Infostealer.LumarStealer.yara
@@ -0,0 +1,190 @@ +rule Win32_Infostealer_LumarStealer : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LUMARSTEALER" + description = "Yara rule that detects LumarStealer infostealer." + + tc_detection_type = "Infostealer" + tc_detection_name = "LumarStealer" + tc_detection_factor = 5 + + strings: + + $collect_os_information_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 B8 ?? ?? ?? ?? C1 E0 ?? 8B 88 ?? ?? ?? ?? FF D1 66 + A3 ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? + 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 + 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 + 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? C6 45 ?? ?? EB ?? 8A 45 ?? 04 ?? 88 45 ?? 0F B6 4D + ?? 83 F9 ?? 73 ?? 0F B6 55 ?? 0F B7 44 55 ?? 0F B7 0D ?? ?? ?? ?? 3B C1 75 ?? FF 25 + ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 33 D2 89 55 ?? 89 55 ?? 89 55 ?? C7 45 ?? ?? + ?? ?? ?? 8D 75 ?? B8 ?? ?? ?? ?? 33 C9 0F A2 89 06 89 5E ?? 89 4E ?? 89 56 ?? B8 ?? + ?? ?? ?? 6B C8 ?? 8B 54 0D ?? 89 55 ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? + 89 45 ?? 8B 4D ?? 3B 4D ?? 77 ?? 8D 75 ?? 8B 45 ?? 33 C9 0F A2 89 06 89 5E ?? 89 4E + ?? 89 56 ?? 81 7D ?? ?? ?? ?? ?? 75 ?? 6A ?? 8D 55 ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? EB ?? 81 7D ?? ?? ?? ?? ?? 75 ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? EB ?? 81 7D ?? ?? ?? ?? ?? 75 ?? 6A ?? 8D 4D ?? 51 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 80 ?? ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 52 B8 ?? ?? ?? ?? C1 E0 ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 74 + ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? + ?? 50 B9 ?? ?? ?? ?? D1 E1 8B 91 ?? ?? ?? ?? FF D2 8B 45 ?? A3 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 6A ?? 6A ?? BA ?? ?? ?? ?? 
6B C2 + } + + $collect_os_information_p2 = { + 8B 88 ?? ?? ?? ?? FF D1 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 B9 ?? ?? ?? ?? 6B D1 ?? 8B 82 ?? ?? ?? ?? FF + D0 85 C0 74 ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? A3 ?? ?? + ?? ?? 89 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? + FF 15 ?? ?? ?? ?? 89 45 ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 8D 4D ?? 51 + 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? A3 ?? ?? ?? ?? 8B 4D ?? 89 + 0D ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? B9 ?? ?? ?? ?? C1 E1 ?? 8B 91 ?? ?? ?? ?? FF D2 C7 45 ?? ?? ?? ?? + ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 83 7D ?? ?? 73 ?? 8B 4D ?? 83 C1 ?? 89 4D ?? EB + ?? 8B 55 ?? 83 C2 ?? 89 55 ?? 83 7D ?? ?? 73 ?? 8B 45 ?? 0F B7 0C 45 ?? ?? ?? ?? 8B + 55 ?? 0F B7 04 55 ?? ?? ?? ?? 3B C8 75 ?? 33 C9 8B 55 ?? 66 89 0C 55 ?? ?? ?? ?? EB + ?? EB ?? 5E 5B 8B E5 5D C3 + } + + $send_data_to_c2_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B D1 + ?? 8B 82 ?? ?? ?? ?? FF D0 85 C0 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 4D ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 66 89 45 ?? 6A ?? 6A ?? 0F BF 55 ?? 52 B8 ?? ?? ?? + ?? C1 E0 ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A + ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 8D 45 ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? + ?? ?? ?? EB ?? 8B 55 ?? 83 C2 ?? 89 55 ?? 83 7D ?? ?? 7D ?? 8B 45 ?? 0F B7 8C 45 ?? + ?? ?? ?? 83 F9 ?? 75 ?? 8B 55 ?? 0F B7 84 55 ?? ?? ?? ?? 83 F8 ?? 75 ?? EB ?? EB ?? + 8B 4D ?? 0F B7 94 4D ?? ?? ?? ?? 85 D2 74 ?? 8B 45 ?? 8B 4D ?? 8A 94 4D ?? ?? ?? ?? + 88 54 05 ?? 8B 45 ?? 0F BE 4C 05 ?? 83 F9 ?? 75 ?? 8B 55 ?? C6 44 15 ?? ?? EB ?? 
8D + 45 ?? 50 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 0F + B6 15 ?? ?? ?? ?? 83 FA ?? 75 ?? C7 45 ?? ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? B8 + ?? ?? ?? ?? C1 E0 ?? 8A 4D ?? 88 88 ?? ?? ?? ?? 0F B6 15 ?? ?? ?? ?? 83 FA ?? 75 + } + + $send_data_to_c2_p2 = { + C7 45 ?? ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 6B C8 ?? 8A 55 ?? 88 + 91 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 83 F8 ?? 75 ?? C7 45 ?? ?? ?? ?? ?? EB ?? C7 45 + ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B D1 ?? 8A 45 ?? 88 82 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B + D1 ?? C6 82 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 6B C8 ?? 8A 15 ?? ?? ?? ?? 88 91 ?? ?? ?? + ?? B8 ?? ?? ?? ?? 6B C8 ?? C6 81 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 85 D2 74 ?? 6A ?? 8D + 45 ?? 50 8B 4D ?? 51 BA ?? ?? ?? ?? D1 E2 8B 82 ?? ?? ?? ?? FF D0 83 F8 ?? 74 ?? 6A + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 BA ?? ?? ?? ?? 6B C2 ?? 8B 88 ?? ?? ?? + ?? FF D1 83 F8 ?? 74 ?? 6A ?? 8B 55 ?? 83 C2 ?? 52 8B 45 ?? 50 8B 4D ?? 51 BA ?? ?? + ?? ?? 6B C2 ?? 8B 88 ?? ?? ?? ?? FF D1 83 F8 ?? 74 ?? EB ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 8B 55 ?? 52 B8 ?? ?? ?? ?? C1 E0 ?? 8B 88 ?? ?? ?? ?? FF D1 + BA ?? ?? ?? ?? 6B C2 ?? 8B 88 ?? ?? ?? ?? FF D1 B8 ?? ?? ?? ?? EB ?? 33 C0 8B E5 5D + C3 + } + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? + ?? 52 A1 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? 6B D1 ?? 8B 82 ?? ?? ?? ?? FF D0 89 45 ?? 8B + 0D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 D2 8B 0D ?? ?? ?? ?? 66 89 54 41 ?? 83 + 7D ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 15 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 66 89 45 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? 0F B7 4D ?? 8D 54 08 ?? 81 FA ?? ?? ?? ?? 72 ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 8B 0D ?? ?? ?? ?? 51 68 ?? ?? ?? 
?? 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 74 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 74 ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 25 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? B9 + ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? + ?? ?? ?? 66 89 4D ?? 33 D2 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 + } + + $find_files_p2 = { + 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? 33 C9 66 89 4D ?? BA + ?? ?? ?? ?? 66 89 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 + 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? 33 C0 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA + ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? 33 D2 + 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 + 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? 33 C9 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 + ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? 33 C0 + 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 + 89 45 ?? 33 C9 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 + ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? 33 C0 66 89 45 ?? B9 ?? ?? ?? ?? + 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 + 89 4D ?? 33 D2 66 89 55 ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 + } + + $find_files_p3 = { + C0 0F 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? 8D 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D + 4D ?? 
51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 45 ?? 50 8D 8D + ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 55 ?? 52 8D 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 4D ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 74 ?? B8 ?? ?? ?? ?? 66 89 45 ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? + ?? ?? 66 89 55 ?? B8 ?? ?? ?? ?? 66 89 45 ?? 33 C9 66 89 4D ?? 0F B7 15 ?? ?? ?? ?? + A1 ?? ?? ?? ?? 8D 0C 50 51 8D 55 ?? 52 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8B 4D ?? 51 8B 15 ?? ?? ?? ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8A 0D ?? + ?? ?? ?? 80 C1 ?? 88 0D ?? ?? ?? ?? 0F B7 55 ?? 33 C0 8B 0D ?? ?? ?? ?? 66 89 04 51 + 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 B9 ?? ?? ?? ?? C1 E1 ?? 8B 91 ?? ?? ?? ?? FF D2 85 + C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + $find_crypto_wallets_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? + 51 8B 55 ?? 52 B8 ?? ?? ?? ?? 6B C8 ?? 8B 91 ?? ?? ?? ?? FF D2 89 45 ?? 8B 45 ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 33 C9 8B 55 ?? 66 89 4C 42 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 66 89 45 ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 0F B7 55 ?? 8D 44 10 ?? 3D ?? ?? ?? ?? 72 ?? E9 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? 51 8B 55 ?? 52 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? + ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? D1 + E0 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 8D ?? ?? ?? ?? 83 E1 + ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 
85 + C0 0F 84 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 8D + ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? + B9 ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 95 ?? ?? ?? ?? B8 ?? ?? ?? + ?? 66 89 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 4D ?? BA ?? ?? ?? ?? 66 89 55 ?? 33 C0 + 66 89 45 ?? 8D 4D ?? 51 6A ?? 8D 95 ?? ?? ?? ?? 52 0F B7 45 ?? 50 8B 4D ?? 51 8B 55 + ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 0F 86 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 + ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 95 + } + + $find_crypto_wallets_2 = { + 0D ?? ?? ?? ?? 80 C1 ?? 88 0D ?? ?? ?? ?? 83 7D ?? ?? 76 ?? 8A 15 ?? ?? ?? ?? 80 C2 + ?? 88 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? + ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 25 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 3D ?? + ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 51 8B 55 ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 86 ?? ?? ?? ?? + B8 ?? ?? ?? ?? C1 E0 ?? 8B 4D ?? 0F B6 14 01 83 FA ?? 0F 85 ?? ?? ?? ?? B8 ?? ?? ?? + ?? 6B C8 ?? 8B 55 ?? 0F B6 04 0A 83 F8 ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6B D1 ?? + 8B 45 ?? 0F B6 0C 10 83 F9 ?? 0F 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 6B C2 ?? 8B 4D ?? 0F + B6 14 01 83 FA ?? 0F 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? B9 ?? ?? ?? + ?? 66 89 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 + ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 95 ?? ?? ?? ?? + B8 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? BA + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($collect_os_information_p*) + ) and + ( + all of ($send_data_to_c2_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($find_crypto_wallets_*) + ) +} \ No newline at end of file 
diff --git a/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara b/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara
new file mode 100644
index 0000000..ed54817
--- /dev/null
+++ b/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara
@@ -0,0 +1,88 @@ +rule Win32_Infostealer_MultigrainPOS : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MULTIGRAINPOS" + description = "Yara rule that detects MultigrainPOS infostealer." + + tc_detection_type = "Infostealer" + tc_detection_name = "MultigrainPOS" + tc_detection_factor = 5 + + strings: + $data_exfiltration_v10_1 = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8B 1D ?? ?? ?? ?? 56 57 8B 3D ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 6A ?? 8D 4D ?? 51 6A ?? 6A ?? 8D 45 ?? 0F + 43 45 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 85 C0 75 ?? 8B 45 ?? 50 8B 70 ?? FF D7 81 + FE ?? ?? ?? ?? 74 ?? 81 FE ?? ?? ?? ?? 75 ?? 83 7D ?? ?? 5F 5E 5B 72 ?? FF 75 ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 33 CD B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B E5 5D C2 ?? ?? + FF 75 ?? FF D7 68 ?? ?? ?? ?? FF D3 EB + } + + $memory_scraping_v10_1 = { + 6A ?? 56 8B CF E8 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? 56 8B CF E8 ?? ?? ?? ?? 8B 8D ?? ?? + ?? ?? EB ?? 3C ?? 7C ?? 3C ?? 7E ?? 8A 46 ?? 3C ?? 7C ?? 3C ?? 7E ?? 3C ?? 74 + } + + $process_search_v10_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 8B 3D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF D7 85 C0 74 ?? 8B 1D ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 50 FF D3 85 C0 74 ?? 8D + 85 ?? ?? ?? ?? 50 56 FF D7 85 C0 75 + } + + $service_creation_v10_1 = { + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 8D 4C 24 ?? C7 44 24 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 33 C0 5E 8B 4C 24 ?? 33 CC E8 ?? ?? + ?? ?? 8B E5 5D C3 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D6 8D 44 24 ?? 50 C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 
C7 44 24 ?? ?? ?? ?? ?? + FF 15 + } + + + $process_search_v11_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 8B 7D ?? FF 15 ?? + ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? EB ?? 8D 49 ?? 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? + FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? FF D3 EB ?? 8D 8D + ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 50 66 89 + 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C9 EB ?? 8D A4 24 ?? + ?? ?? ?? EB ?? 8D 49 ?? 0F B7 84 0D ?? ?? ?? ?? 66 89 84 0D ?? ?? ?? ?? 8D 49 ?? 66 + 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + } + + $memory_scraping_v11_1 = { + 6A ?? 56 8B CF E8 ?? ?? ?? ?? 6A ?? 56 8B CF E8 ?? ?? ?? ?? EB ?? 3C ?? 75 ?? 6A ?? + 56 8B CF E8 ?? ?? ?? ?? 6A ?? 56 8B CF E8 + } + + $data_exfiltration_v11_1 = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8A 5D ?? 56 57 8B 3D ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 6A ?? 8D 4D ?? 51 6A ?? 6A ?? 8D 45 ?? 0F 43 45 ?? + 6A ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 85 C0 75 ?? 8B 45 ?? 50 8B 70 ?? FF D7 81 FE ?? ?? + ?? ?? 74 ?? 81 FE ?? ?? ?? ?? 74 ?? 84 DB 74 ?? 33 F6 83 7D ?? ?? 72 ?? FF 75 ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 5F 8B C6 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C2 ?? ?? + FF 75 ?? FF D7 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 84 DB 74 ?? EB ?? BE ?? ?? ?? ?? EB + } + + $service_creation_v11_1 = { + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 8D 4C 24 ?? C7 44 24 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 33 C0 8B 4C 24 ?? 33 CC E8 ?? ?? ?? + ?? 8B E5 5D C3 8D 44 24 ?? 50 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 
FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($data_exfiltration_v10_1 and $memory_scraping_v10_1 and $process_search_v10_1 and $service_creation_v10_1) or
+ ($process_search_v11_1 and $memory_scraping_v11_1 and $data_exfiltration_v11_1 and $service_creation_v11_1))
+}
\ No newline at end of file
diff --git a/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara b/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara
new file mode 100644
index 0000000..e256e34
--- /dev/null
+++ b/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara
@@ -0,0 +1,98 @@ +rule Win32_Infostealer_ProjectHookPOS : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PROJECTHOOKPOS" + description = "Yara rule that detects ProjectHookPOS infostealer." + + tc_detection_type = "Infostealer" + tc_detection_name = "ProjectHookPOS" + tc_detection_factor = 5 + + strings: + $calc_luhn = { + 55 8B EC 83 C4 ?? 53 56 57 33 C9 89 4D ?? 89 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 + 68 ?? ?? ?? ?? 64 FF 30 64 89 20 C6 45 ?? ?? 33 C0 89 45 ?? 8B 45 ?? 85 C0 74 ?? 8B + D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 ?? + 8B 00 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 40 85 C0 0F 94 C3 8B 45 ?? 85 C0 74 ?? 8B D0 + 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 ?? 8B + 00 8B F0 85 F6 7E ?? BF ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? 0F B7 54 7A ?? E8 ?? ?? ?? ?? + 8B 45 ?? 83 CA ?? E8 ?? ?? ?? ?? 0F B6 D0 66 83 FA ?? 75 ?? C6 45 ?? ?? EB ?? 84 DB + 74 ?? 0F B6 C0 0F B6 80 ?? ?? ?? ?? 01 45 ?? EB ?? 0F B6 C0 01 45 ?? 80 F3 ?? 47 4E + 75 ?? 8B 45 ?? B9 ?? ?? ?? ?? 99 F7 F9 85 D2 75 ?? 80 7D ?? ?? 74 ?? 33 DB EB ?? B3 + ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? + ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8B C3 5F 5E 5B 8B E5 5D C3 + } + + $track_1_reverse = { + 55 8B EC 83 C4 ?? 53 56 33 DB 89 5D ?? 8B F1 89 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 33 D2 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? + 8B D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 83 E8 + ?? 8B 00 8B D8 83 FB ?? 7C ?? 8D 45 ?? 50 B9 ?? ?? ?? ?? 8B D3 8B 45 ?? E8 ?? ?? ?? + ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? 4B 85 DB 75 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? + ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5E 5B 59 59 5D C3 + } + + $check_validity_1 = { + 8B D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? 
E8 ?? ?? ?? ?? 66 83 38 ?? 75 ?? + 8B 45 ?? 85 C0 74 ?? 8B D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? + ?? 66 83 78 ?? ?? 0F 94 C0 EB ?? 33 C0 84 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? + 8B D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 66 83 78 ?? ?? 0F + 85 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? 8B D0 83 EA ?? 66 83 3A ?? 74 ?? 8D 45 ?? 8B 55 + ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 66 81 78 ?? ?? ?? 73 ?? 0F B6 40 ?? 0F B6 C0 0F A3 + 06 72 ?? 33 C0 EB + } + + $encode_and_send_1 = { + 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B F0 8D 4D ?? 8B 55 ?? 8B C7 E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C3 8B 08 FF 51 ?? 8D 45 ?? 8B 4D ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 55 ?? 8B C3 8B 08 FF 51 ?? 8D 45 ?? 8B 4D ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 55 ?? 8B C3 8B 08 FF 51 ?? 8D 45 ?? 8B 4D ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 55 ?? 8B C3 8B 08 FF 51 ?? 8B C6 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + C6 E8 ?? ?? ?? ?? 05 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 8B CB BA + ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B C6 E8 + } + + $form_create_1 = { + 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 + ?? E8 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 6A ?? 8D 55 + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 + ?? ?? ?? ?? 50 8D 55 ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? + ?? ?? 84 C0 0F 84 + } + + $form_create_2 = { + 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 E8 ?? ?? ?? ?? 05 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8D 55 ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 33 C9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B C3 E8 + } + + $form_create_3 = { + B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 33 C9 + BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? + 8B 4D ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 33 C9 BA ?? ?? ?? + ?? 8B C3 E8 ?? ?? ?? ?? 33 C9 BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? + ?? 8B C3 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 09 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? + A3 ?? ?? ?? ?? BA ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? A1 ?? + ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 84 + C0 74 + } + + condition: + uint16(0) == 0x5A4D and + ($calc_luhn and $track_1_reverse and $check_validity_1 and $encode_and_send_1 and + $form_create_1 and $form_create_2 and $form_create_3) + +} \ No newline at end of file diff --git a/yara/infostealer/Win32.Infostealer.StealC.yara b/yara/infostealer/Win32.Infostealer.StealC.yara new file mode 100644 index 0000000..9e44ea4 --- /dev/null +++ b/yara/infostealer/Win32.Infostealer.StealC.yara 
@@ -0,0 +1,57 @@ +rule Win32_Infostealer_StealC : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "STEALC" + description = "Yara rule that detects StealC infostealer." + + tc_detection_type = "Infostealer" + tc_detection_name = "StealC" + tc_detection_factor = 5 + + strings: + + $resolve_windows_api = { + 55 8B EC 51 83 65 ?? ?? 56 64 A1 ?? ?? ?? ?? 8B 40 ?? 8B 40 ?? 8B 00 8B 00 8B 40 ?? + 89 45 ?? 8B 75 ?? 89 35 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? A3 ?? ?? ?? ?? 56 FF D0 FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 + } + + $load_sqlite3_functions = { + 55 8B EC 83 EC ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 50 89 45 ?? 89 4D ?? 8B 4D ?? 8D + 45 ?? 50 89 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 45 ?? 57 89 45 ?? 8B 7D ?? + B9 ?? ?? ?? ?? 33 C0 F3 AA 5F 33 C0 C9 C3 8B 45 ?? 85 C0 74 ?? 53 8B 58 ?? 56 8B 70 + ?? FF 35 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? + A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? + ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 + } + + $check_license_expiration_date = { + 55 8B EC 83 E4 ?? 83 EC ?? 57 33 C0 66 89 44 24 ?? 83 64 24 ?? ?? 8D 7C 24 ?? AB AB + AB 66 AB 33 C0 66 89 44 24 ?? 8D 7C 24 ?? AB AB AB 66 AB 33 C0 21 44 24 ?? 8D 7C 24 + ?? AB 8D 7C 24 ?? AB 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 7C 24 ?? E8 ?? ?? ?? ?? 8D + 4C 24 ?? 51 8D 4C 24 ?? 51 8D 4C 24 ?? 51 FF 35 ?? ?? ?? ?? FF 30 FF 15 ?? ?? ?? ?? + 8B 44 24 ?? 83 C4 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? + 8D 44 24 ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 3B 44 24 ?? 72 ?? 77 ?? + 8B 44 24 ?? 3B 44 24 ?? 76 ?? 6A ?? FF 15 ?? ?? ?? ?? 
5F 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $resolve_windows_api
+ ) and
+ (
+ $load_sqlite3_functions
+ ) and
+ (
+ $check_license_expiration_date
+ )
+}
\ No newline at end of file
diff --git a/yara/pua/Win32.PUA.Domaiq.yara b/yara/pua/Win32.PUA.Domaiq.yara
new file mode 100644
index 0000000..1fe5cc5
--- /dev/null
+++ b/yara/pua/Win32.PUA.Domaiq.yara
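Review bot: The condition of the StealC rule wraps each of its three strings in a separate parenthesised group joined by `and`, which reads as if more alternatives were planned; since every string is required, `uint16(0) == 0x5A4D and all of them` states the same thing in one line. The Apis rule later in this patch uses the same layout. If these files are mirrored verbatim from an upstream ruleset, as the license reference in the commit message suggests, the better move is to keep them byte-identical and record their provenance in a short README next to the `yara/` tree rather than restyling locally.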
@@ -0,0 +1,169 @@ +rule Win32_PUA_Domaiq : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DOMAIQ" + description = "Yara rule that detects Domaiq potentially unwanted application." + + tc_detection_type = "PUA" + tc_detection_name = "Domaiq" + tc_detection_factor = 1 + + strings: + $payload="PEFxdWlFbXBpZXphRWxQYXlsb2FkPg" + + $NSIS_CheckIntegrity = { + 57 53 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 75 ?? 6A 1C 8D 45 + D8 53 50 E8 ?? ?? ?? ?? 8B 45 D8 A9 F0 FF FF FF 75 ?? 81 7D DC EF BE AD DE 75 ?? 81 + 7D E8 49 6E 73 74 75 ?? 81 7D E4 73 6F 66 74 75 ?? 81 7D E0 4E 75 6C 6C 75 ?? 09 45 + 08 8B 45 08 8B 0D ?? ?? ?? ?? 83 E0 02 09 05 ?? ?? ?? ?? 8B 45 F0 3B C6 89 0D ?? ?? + ?? ?? 0F 8F ?? ?? ?? ?? F6 45 08 08 75 ?? F6 45 08 04 75 + } + + $NSIS_ErrorPart = { + 81 EC ?? ?? ?? ?? 53 55 56 33 DB 57 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 33 F6 C6 44 + 24 ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 6A + ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 53 8D 44 24 ?? 68 ?? ?? ?? ?? 50 53 + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? BF ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 80 3D ?? ?? ?? + ?? ?? A3 ?? ?? ?? ?? 8B C7 75 + } + + $UPX_Decompression = { + 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 72 ?? B8 ?? ?? ?? ?? 01 DB 75 ?? + 8B 1E 83 EE ?? 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE ?? 11 DB 72 ?? 48 01 DB 75 + } + + $UPX_Encrypting = { + 31 C0 8A 07 30 D8 04 ?? 2C ?? 88 07 47 39 CF 75 + } + + $dumping_functionv2014 = { + 55 8B EC 83 EC ?? 56 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 + ?? ?? ?? ?? 56 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 89 45 ?? 85 C0 74 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 8B F0 89 75 ?? 85 F6 74 ?? 8B 45 ?? + 53 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? 
?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? + 56 6A ?? 6A ?? 8B D8 6A ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 57 6A ?? 6A ?? 6A + ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 51 8B F8 52 57 E8 ?? ?? ?? ?? 83 C4 + ?? 57 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 53 FF D6 5F 5B 5E 8B E5 5D C3 + } + + $dumping_functionMidVersion = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 68 ?? ?? ?? ?? 33 + DB BE ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 45 ?? 89 75 ?? 89 5D ?? 88 5D ?? FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 8B CF 8D 41 ?? 8A 11 41 3A + D3 75 ?? 2B C8 51 57 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? + 83 EC ?? 8B CC 89 65 ?? 6A ?? 89 71 ?? 89 59 ?? 68 ?? ?? ?? ?? 88 59 ?? E8 ?? ?? ?? + ?? 83 EC ?? 8B CC 89 65 ?? 6A ?? 53 8D 55 ?? 89 71 ?? 89 59 ?? 52 88 59 ?? E8 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B CC 89 65 ?? 6A ?? 89 71 ?? 89 59 ?? 68 ?? ?? + ?? ?? 88 59 ?? E8 ?? ?? ?? ?? 83 EC ?? 8B CC 89 65 ?? 6A ?? 53 8D 45 ?? 89 71 ?? 89 + 59 ?? 50 88 59 ?? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B CC 89 65 ?? 6A ?? + 89 71 ?? 89 59 ?? 68 ?? ?? ?? ?? 88 59 ?? E8 ?? ?? ?? ?? 83 EC ?? 8B CC 89 65 ?? 6A + ?? 53 8D 55 ?? 89 71 ?? 89 59 ?? 52 88 59 ?? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 + C4 ?? 8B C4 89 65 ?? 68 ?? ?? ?? ?? 8D 4D ?? 51 50 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? + ?? ?? 8B 7D ?? BE ?? ?? ?? ?? 83 C4 ?? 39 75 ?? 73 ?? 8D 7D ?? 68 ?? ?? ?? ?? 8D 55 + ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 39 70 ?? 72 ?? 8B 40 ?? EB ?? 83 C0 ?? 8B + 4D ?? 57 51 50 E8 ?? ?? ?? ?? 83 C4 ?? 39 75 ?? 72 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 39 75 ?? 72 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 5F 5E 33 CD 33 C0 + 5B E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $dumping_functionE = { + 52 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 5? FF 15 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 6A ?? FF 15 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
8D 95 ?? ?? ?? ?? 52 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 77 ?? 83 BD ?? ?? ?? ?? ?? 75 ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 + 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF + 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 51 8B CC 89 A5 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 + } + + $dumping_functionP = { + 50 57 56 FF 15 ?? ?? ?? ?? 8B F8 57 56 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 57 56 + 89 45 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BF + ?? ?? ?? ?? 57 56 68 ?? ?? ?? ?? 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 6A + ?? 56 56 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 56 8B D8 8D 45 ?? 50 FF 75 ?? 89 75 ?? + FF 75 ?? 53 FF 15 ?? ?? ?? ?? 53 FF 15 + } + + $dumping_functionB= { + 52 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D BD ?? + ?? ?? ?? F3 A5 A4 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 A5 A4 + 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 8B 95 + ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 52 FF 15 ?? 
?? ?? ?? 51 8B CC 89 A5 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? E8 + } + + $dumping_function111 = { + 68 ?? ?? ?? ?? 8D 55 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 39 58 ?? 72 ?? 8B 40 ?? EB + ?? 83 C0 ?? 50 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 39 5D ?? 72 ?? 8B 55 ?? 52 E8 ?? ?? ?? + ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 E8 + } + + $dumping_function2 = { + 55 8B EC 51 53 8B 5D ?? 56 68 ?? ?? ?? ?? 8D 45 ?? 53 50 33 F6 E8 ?? ?? ?? ?? 8B 4D + ?? 68 ?? ?? ?? ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 83 F8 ?? 74 ?? 57 8B 7D ?? 0F BE 14 3E 8B 4D ?? 51 33 D0 52 E8 ?? ?? ?? ?? 8B C7 83 + C4 ?? 8D 50 ?? 8D A4 24 ?? ?? ?? ?? 8A 08 40 84 C9 75 ?? 2B C2 8D 4E ?? 8B D1 2B D0 + 8B 45 ?? F7 DA 1B D2 23 D1 50 8B F2 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? 5F 8B 4D + ?? 51 E8 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 5E 5B 8B + E5 5D C2 + } + + $lib_loader = { + 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 A3 ?? ?? + ?? ?? FF D6 33 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 33 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 + } + + $exception1 = { + B8 ?? ?? ?? ?? 50 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 33 C0 89 08 + } + + $exception2 = { + 55 53 51 57 56 52 8D 98 ?? ?? ?? ?? 8B 53 ?? 52 8B E8 6A ?? 68 ?? ?? ?? ?? FF 73 ?? + 6A ?? 8B 4B ?? 03 CA 8B 01 FF D0 + } + + $exceptionallock = { + B8 ?? ?? ?? ?? 8D 88 ?? ?? ?? ?? 89 41 ?? 8B 54 24 ?? 8B 52 ?? C6 02 ?? 83 C2 ?? + 2B CA 89 4A ?? 
33 C0 C3
+ }
+
+ condition:
+
+ uint16(0) == 0x5A4D and
+ $payload and
+ (
+ $NSIS_CheckIntegrity or
+ ($UPX_Decompression and $UPX_Encrypting) or
+ $NSIS_ErrorPart or
+ $dumping_functionv2014 or
+ $dumping_functionMidVersion or
+ ($exception1 and $exception2 and $exceptionallock) or
+ $dumping_functionP or
+ $dumping_functionE or
+ $dumping_functionB or
+ $dumping_function111 or
+ $dumping_function2 or
+ $lib_loader
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara
new file mode 100644
index 0000000..f7038f7
--- /dev/null
+++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara
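Review bot: The Domaiq rule's metadata appears to contradict itself: `category = "MALWARE"` and the `malicious` tag on the rule line sit beside `tc_detection_type = "PUA"`, a description that calls the sample a potentially unwanted application, and `tc_detection_factor = 1`, so any consumer of the scan results that keys on the tag or category will report a PUA hit as malware. Whichever classification is intended, it is worth either aligning the fields or documenting the convention with a meta comment such as `// tags/category follow the upstream taxonomy; tc_detection_type carries the PUA classification` so operators do not misread alerts. If the file is taken verbatim from an upstream ruleset, as the license reference in the commit message suggests, raise the discrepancy there rather than diverging silently. As a smaller point of style, `$dumping_functionB= {` lacks the space before `=` that every other string definition in the rule has.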
@@ -0,0 +1,75 @@ +rule ByteCode_MSIL_Ransomware_Apis : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "APIS" + description = "Yara rule that detects Apis ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Apis" + tc_detection_factor = 5 + + strings: + + $find_files = { + 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 0A 06 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 2C ?? 06 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E + 69 32 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 7E ?? ?? ?? ?? + 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 0D 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 + ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 7E + ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? + 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 13 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 07 28 ?? ?? + ?? ?? 08 28 ?? ?? ?? ?? 09 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 + ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? + 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 2A + } + + $encrypt_files = { + 02 28 ?? ?? ?? ?? 0A 17 0B 16 0C 38 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 06 08 9A 28 + ?? ?? ?? ?? 7D ?? ?? ?? ?? 06 08 9A 28 ?? ?? ?? ?? 0D 7E ?? ?? ?? ?? 11 ?? FE 06 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? 
?? ?? 09 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 + ?? ?? ?? ?? 06 08 9A 73 ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 6F + ?? ?? ?? ?? 20 ?? ?? ?? ?? 6A 2F ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? + 18 5B 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 06 08 9A 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 06 08 9A 06 08 9A 72 ?? ?? ?? ?? 1A 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2B ?? + 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 1A 5B 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 13 ?? 06 08 9A 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 06 08 9A 06 08 9A 72 ?? ?? ?? ?? 1A + 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 07 2C ?? 16 0B 02 72 ?? ?? ?? ?? 7E ?? ?? + ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 08 17 58 0C 08 06 8E + 69 3F ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 28 ?? ?? ?? ?? + 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? DE ?? 26 DE ?? 2A + } + + $setup_env = { + 28 ?? ?? ?? ?? 2C ?? 17 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? + ?? 2C ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? + ?? 2C ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 2B ?? 7E ?? ?? ?? ?? 2C ?? + 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? + 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2D ?? 14 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? + 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 2C ?? 7E ?? + ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $setup_env + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara new file mode 100644 index 0000000..dda2bd4 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara 
@@ -0,0 +1,90 @@ +rule ByteCode_MSIL_Ransomware_ChupaCabra : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CHUPACABRA" + description = "Yara rule that detects ChupaCabra ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ChupaCabra" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 7E ?? ?? ?? ?? 28 + ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 14 0A 14 0B 7E ?? ?? ?? ?? 7E ?? ?? + ?? ?? 73 ?? ?? ?? ?? 0C 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 09 73 ?? ?? ?? ?? 13 ?? 73 ?? + ?? ?? ?? 0A 06 08 06 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 11 ?? 28 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 06 06 6F ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 + ?? 11 ?? 16 73 ?? ?? ?? ?? 13 ?? 11 ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 0B DE + ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? + 11 ?? 6F ?? ?? ?? ?? DC 06 2C ?? 06 6F ?? ?? ?? ?? DC 07 2A + } + + $encrypt_files_p2 = { + 02 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6A 30 ?? 02 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 0A 02 06 28 ?? ?? ?? ?? 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 38 ?? ?? + ?? ?? 02 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6A 30 ?? 20 ?? ?? ?? ?? 8D ?? ?? + ?? ?? 0B 02 19 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 08 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? + ?? ?? ?? 0D 09 07 09 8E 69 28 ?? ?? ?? ?? DE ?? 08 2C ?? 08 6F ?? ?? ?? ?? DC 02 19 28 + ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 07 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? + ?? ?? ?? DC 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? DD ?? ?? ?? ?? 26 02 28 + ?? ?? ?? ?? 13 ?? 11 ?? 17 5F 17 33 ?? 11 ?? 17 28 ?? ?? ?? ?? 13 ?? 02 11 ?? 28 ?? ?? + ?? ?? 02 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6A 30 ?? 02 28 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 13 ?? 02 11 ?? 28 ?? ?? 
?? ?? 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 38 ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6A 30 ?? 20 ?? ?? ?? + ?? 8D ?? ?? ?? ?? 13 ?? 02 19 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 02 19 28 + ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F + ?? ?? ?? ?? DC 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? DE ?? 26 DE ?? + 2A + } + + $find_files_p1 = { + 02 28 ?? ?? ?? ?? 0A 02 28 ?? ?? ?? ?? 0B 16 0C 2B ?? 06 08 9A 28 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 08 9A 28 ?? ?? ?? ?? 08 17 58 0C 08 06 8E 69 32 ?? 16 0D + 2B ?? 07 09 9A 28 ?? ?? ?? ?? 09 17 58 0D 09 07 8E 69 32 ?? DE ?? 26 DE ?? 2A + } + + $find_files_p2 = { + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? + ?? 1F ?? 8D ?? ?? ?? ?? 25 16 1E 28 ?? ?? ?? ?? A2 25 17 1F ?? 28 ?? ?? ?? ?? A2 25 18 + 1F ?? 28 ?? ?? ?? ?? A2 25 19 1F ?? 28 ?? ?? ?? ?? A2 25 1A 1F ?? 28 ?? ?? ?? ?? A2 25 + 1B 1B 28 ?? ?? ?? ?? A2 25 1C 1C 28 ?? ?? ?? ?? A2 25 1D 1F ?? 28 ?? ?? ?? ?? A2 25 1E + 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? + A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1B 28 ?? + ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? + 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? A2 25 1F ?? 1F ?? 28 ?? ?? ?? ?? + A2 0A 16 0B 2B ?? 06 07 9A 28 ?? ?? ?? ?? 07 17 58 0B 07 06 8E 69 32 ?? 2A + } + + $drop_ransom_note = { + 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 39 ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 1B 8D ?? ?? + ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 7E ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 7E + ?? ?? ?? ?? A2 25 1A 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 + ?? ?? 
?? ?? 28 ?? ?? ?? ?? 1B 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 7E ?? ?? ??
+ ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 7E ?? ?? ?? ?? A2 25 1A 72 ?? ?? ?? ?? A2 28 ?? ??
+ ?? ?? 28 ?? ?? ?? ?? 26 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ??
+ ?? 26 73 ?? ?? ?? ?? 0A 7E ?? ?? ?? ?? 0B 06 07 6F ?? ?? ?? ?? 26 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $drop_ransom_note
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara
new file mode 100644
index 0000000..b34d438
--- /dev/null
+++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara
@@ -0,0 +1,66 @@ +rule ByteCode_MSIL_Ransomware_Cring : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRING" + description = "Yara rule that detects Cring ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Cring" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 08 6F ?? ?? ?? ?? 19 2E ?? 08 6F ?? ?? ?? ?? + 18 33 ?? 08 6F ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 02 17 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 0D 2B ?? 09 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 2D ?? DE ?? 09 2C ?? 09 6F + ?? ?? ?? ?? DC 07 17 58 0B 07 06 8E 69 32 ?? 2A + } + + $find_files_p2 = { + 02 7B ?? ?? ?? ?? 0B 07 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 16 0A DD ?? + ?? ?? ?? 02 15 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? + ?? ?? 14 0C 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C DE ?? 26 DE ?? 08 2C + ?? 02 08 7D ?? ?? ?? ?? 02 16 7D ?? ?? ?? ?? 2B ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? + 9A 0D 02 09 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 17 0A DD ?? ?? ?? ?? 02 15 7D ?? ?? ?? + ?? 02 02 7B ?? ?? ?? ?? 17 58 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 8E 69 + 32 ?? 02 14 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 39 ?? ?? ?? ?? 14 0C 02 7B ?? ?? ?? ?? 28 + ?? ?? ?? ?? 0C DE ?? 26 DE ?? 08 39 ?? ?? ?? ?? 02 08 7D ?? ?? ?? ?? 02 16 7D ?? ?? ?? + ?? 38 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 9A 13 ?? 02 11 ?? 02 7B ?? ?? ?? + ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 1F ?? 7D ?? ?? ?? + ?? 2B ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 02 11 ?? 7D ?? ?? ?? ?? 02 18 7D ?? ?? + ?? ?? 17 0A DE ?? 02 1F ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 02 28 + ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 17 58 7D ?? ?? ?? ?? 02 7B ?? ?? + ?? ?? 02 7B ?? ?? ?? ?? 8E 69 3F ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 
16 0A DE ?? 02 28 ?? + ?? ?? ?? DC 06 2A + } + + $encrypt_files = { + 16 0A 73 ?? ?? ?? ?? 0B 07 6F ?? ?? ?? ?? 1E 5B 8D ?? ?? ?? ?? 0C 07 6F ?? ?? ?? ?? 1E + 5B 8D ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 08 6F ?? ?? ?? ?? 11 ?? 09 6F ?? ?? ?? + ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 08 8E 69 09 8E 69 58 8D ?? ?? ?? ?? 13 ?? + 08 11 ?? 08 8E 69 28 ?? ?? ?? ?? 09 16 11 ?? 08 8E 69 09 8E 69 28 ?? ?? ?? ?? 11 ?? 04 + 28 ?? ?? ?? ?? 13 ?? 11 ?? 8E 69 28 ?? ?? ?? ?? 13 ?? 07 08 09 6F ?? ?? ?? ?? 13 ?? 02 + 19 73 ?? ?? ?? ?? 13 ?? 03 18 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 17 73 ?? ?? ?? ?? 13 ?? + 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 + ?? 11 ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? + 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 11 ?? 2C ?? 11 ?? 6F + ?? ?? ?? ?? DC 17 0A DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 06 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara new file mode 100644 index 0000000..a59eece --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara 
@@ -0,0 +1,73 @@ +rule ByteCode_MSIL_Ransomware_Dusk : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DUSK" + description = "Yara rule that detects Dusk ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Dusk" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 03 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 6F ?? ?? ?? ?? + 0A 06 28 ?? ?? ?? ?? 0B 03 07 28 ?? ?? ?? ?? 03 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? + ?? ?? ?? DE ?? 26 DE ?? 2A + } + + $encrypt_files_p2 = { + 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 73 ?? ?? + ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 03 07 20 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 17 6F ?? ?? ?? + ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 11 ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 11 + ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 08 6F ?? ?? ?? ?? 0A DE ?? + 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 2C ?? 08 6F ?? ?? ?? ?? DC 06 2A + } + + $dusk_delete_itself = { + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 1A 8D ?? ?? ?? ?? 25 16 + 72 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? 03 28 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 0B 06 07 28 ?? ?? ?? + ?? 06 06 28 ?? ?? ?? ?? 18 60 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 06 73 ?? ?? + ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 04 28 ?? ?? ?? ?? 28 + ?? ?? ?? ?? DE ?? 26 DE ?? 2A + } + + $find_files = { + 20 ?? ?? ?? ?? 72 ?? ?? ?? ?? A2 25 20 ?? ?? ?? ?? 72 ?? ?? ?? ?? A2 25 20 ?? ?? ?? ?? + 72 ?? ?? ?? ?? A2 0A 1F ?? 8D ?? ?? ?? ?? 25 16 1F ?? 28 ?? ?? ?? ?? A2 25 17 1E 28 ?? + ?? ?? ?? A2 25 18 1F ?? 
28 ?? ?? ?? ?? A2 25 19 1F ?? 28 ?? ?? ?? ?? A2 25 1A 1F ?? 28 + ?? ?? ?? ?? A2 25 1B 1B 28 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? A2 25 1E 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1F ?? 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 0B 16 0C 2B ?? 07 08 9A 0D + 1F ?? 28 ?? ?? ?? ?? 13 ?? 09 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 + ?? 11 ?? 9A 28 ?? ?? ?? ?? 13 ?? 06 11 ?? 28 ?? ?? ?? ?? 2C ?? 02 11 ?? 11 ?? 9A 11 ?? + 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 02 09 28 ?? ?? ?? ?? DE ?? + 26 DE ?? 08 17 58 0C 08 07 8E 69 32 ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 26 DE ?? 26 DE ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 20 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $dusk_delete_itself + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara new file mode 100644 index 0000000..0b31123 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara 
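Review bot: `$encrypt_files_p2` in this hunk is byte-for-byte the same pattern as `$aes_encrypt` in the Eternity rule added later in this commit, and GoodWill's `$aes_encrypt` differs only in its first few bytes, so this string looks like a shared AES helper that unrelated .NET samples carry rather than anything specific to Dusk; on its own it is a family-agnostic indicator. The rule remains sound because the condition also requires `$find_files` and `$dusk_delete_itself`, but a comment above the string such as `// generic AES helper seen in other MSIL families; not a Dusk-specific indicator on its own` would stop a future maintainer from relaxing the condition to `any of` or reusing the string for attribution.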
@@ -0,0 +1,89 @@ +rule ByteCode_MSIL_Ransomware_EAF : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "EAF" + description = "Yara rule that detects EAF ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "EAF" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 00 03 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 39 ?? ?? ?? ?? 00 7E ?? + ?? ?? ?? 0C 03 28 ?? ?? ?? ?? 0D 03 28 ?? ?? ?? ?? 13 ?? 1E 8D ?? ?? ?? ?? 25 16 11 ?? + A2 25 17 72 ?? ?? ?? ?? A2 25 18 7E ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 28 ?? + ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 09 A2 25 1D 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? + 13 ?? 02 03 11 ?? 08 28 ?? ?? ?? ?? 13 ?? 11 ?? 2D ?? 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 2B ?? 16 13 ?? 11 ?? 2C ?? 00 00 03 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 + 00 00 DE ?? 26 00 00 DE ?? 2A + } + + $encrypt_files_p2 = { + 00 03 19 73 ?? ?? ?? ?? 0A 00 04 18 73 ?? ?? ?? ?? 0B 00 06 16 6A 6F ?? ?? ?? ?? 00 28 + ?? ?? ?? ?? 0C 00 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 05 09 73 ?? + ?? ?? ?? 13 ?? 00 08 17 6F ?? ?? ?? ?? 00 08 18 6F ?? ?? ?? ?? 00 08 11 ?? 1F ?? 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 00 08 11 ?? 1F ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 08 6F ?? + ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 00 20 ?? ?? ?? ?? 13 ?? 11 ?? 8D ?? ?? ?? ?? 13 ?? 16 + 13 ?? 00 06 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? FE 02 16 FE 01 13 + ?? 11 ?? 2C ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 00 00 2B ?? 11 ?? 20 ?? ?? ?? ?? + 32 ?? 11 ?? 20 ?? ?? ?? ?? FE 02 16 FE 01 2B ?? 16 13 ?? 11 ?? 2C ?? 00 11 ?? 11 ?? 16 + 11 ?? 6F ?? ?? ?? ?? 00 00 2B ?? 11 ?? 20 ?? ?? ?? ?? 32 ?? 11 ?? 20 ?? ?? ?? ?? FE 02 + 16 FE 01 2B ?? 16 13 ?? 11 ?? 2C ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 00 00 2B ?? + 00 07 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 11 ?? 58 13 ?? 00 11 ?? 16 FE 03 13 ?? 
+ 11 ?? 3A ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? + 00 DC 00 DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 00 DE ?? 08 2C ?? 08 6F ?? ?? ?? + ?? 00 DC 07 6F ?? ?? ?? ?? 00 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 06 6F ?? ?? ?? + ?? 00 00 DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? 00 DC 03 28 ?? ?? ?? ?? 00 17 13 ?? DE ?? 26 + 00 16 13 ?? DE ?? 11 ?? 2A + } + + $find_files_p1 = { + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 16 0C 38 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0D 00 09 06 08 9A + 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 06 08 9A 28 ?? ?? ?? ?? 13 ?? 7E ?? ?? ?? ?? 09 FE 06 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 09 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 2C ?? 11 ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 11 ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? + ?? 2B ?? 16 13 ?? 11 ?? 2C ?? 00 7E ?? ?? ?? ?? 06 08 9A 6F ?? ?? ?? ?? 00 00 00 08 17 + 58 0C 08 06 8E 69 FE 04 13 ?? 11 ?? 3A ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 16 + 13 ?? 2B ?? 00 07 11 ?? 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 07 11 ?? 9A 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 2C ?? 07 11 ?? 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 07 11 ?? 9A 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 2B ?? 16 13 ?? 11 ?? 2C ?? 00 07 11 ?? 9A 28 ?? ?? ?? ?? 00 + 00 00 11 ?? 17 58 13 ?? 11 ?? 07 8E 69 FE 04 13 ?? 11 ?? 2D ?? 00 DE ?? 26 00 00 DE ?? + 2A + } + + $find_files_p2 = { + 00 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 73 ?? ?? ?? ?? 0C 08 06 07 9A 7D ?? ?? ?? ?? 00 08 7B + ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 08 7B ?? ?? ?? ?? 6F ?? + ?? ?? ?? 2B ?? 16 0D 09 2C ?? 00 08 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 00 00 00 07 17 58 0B 07 06 8E 69 32 ?? 00 DE ?? 26 00 00 DE ?? 2A + } + + $destroy_exe_file = { + 00 1F ?? 28 ?? ?? ?? ?? 0A 72 ?? ?? ?? ?? 0B 7E ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 0C 7E ?? + ?? ?? ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 08 72 ?? ?? ?? ?? 1B 8D ?? + ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 06 A2 25 18 72 ?? ?? ?? ?? A2 25 19 28 ?? ?? ?? + ?? A2 25 1A 72 ?? 
?? ?? ?? A2 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 00 + DE ?? 26 00 00 DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $destroy_exe_file + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara new file mode 100644 index 0000000..21668f7 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara 
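Review bot: Every EAF pattern is threaded with `00` bytes (`00 03 28 …`, `00 00 DE ?? 26 00 00 DE ?? 2A`), which is the CIL `nop` that the C# compiler typically emits only in debug builds, so the rule is pinned to a debug-compiled sample and a release build of the same source will most likely not match; Fantom's `$encrypt_files_1`/`$sendkey` and GoodWill's `$remote_connection` begin with the same `00` nop. That is a legitimate choice when the observed samples are debug builds, but it should be stated, e.g. `// patterns include debug-build nops (00); release builds of the same code are unlikely to match` in the strings section, so the coverage gap is known up front rather than discovered during an incident.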
@@ -0,0 +1,74 @@ +rule ByteCode_MSIL_Ransomware_Eternity : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ETERNITY" + description = "Yara rule that detects Eternity ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Eternity" + tc_detection_factor = 5 + + strings: + + $find_files = { + 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? 0C 2B ?? 08 + 6F ?? ?? ?? ?? 0D 09 03 04 28 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 2D ?? DE ?? 08 2C ?? 08 6F + ?? ?? ?? ?? DC 02 28 ?? ?? ?? ?? 0B 07 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 + ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? + 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 + ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 03 04 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 17 58 + 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 2A + } + + $encrypt_files = { + 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 0A 02 + 28 ?? ?? ?? ?? 0B 07 06 28 ?? ?? ?? ?? 0C 02 19 28 ?? ?? ?? ?? 0D 09 16 6A 6F ?? ?? ?? + ?? 09 6F ?? ?? ?? ?? 02 1C 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? + ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? + 08 16 08 8E 69 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 17 58 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 02 6F + ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 2A + } + + $aes_encrypt = { + 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 73 ?? ?? + ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? 
?? 03 07 20 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 17 6F ?? ?? ?? + ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 11 ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 11 + ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 08 6F ?? ?? ?? ?? 0A DE ?? + 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 2C ?? 08 6F ?? ?? ?? ?? DC 06 2A + } + + $encrypt_pass = { + 72 ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 0B D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C + 08 07 6F ?? ?? ?? ?? A5 ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 09 6F ?? ?? ?? ?? 7E + ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? + 16 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $aes_encrypt + ) and + ( + $encrypt_pass + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara new file mode 100644 index 0000000..1d40565 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara 
@@ -0,0 +1,97 @@ +rule ByteCode_MSIL_Ransomware_Fantom : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FANTOM" + description = "Yara rule that detects Fantom ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Fantom" + tc_detection_factor = 5 + + strings: + + $encrypt_files_1 = { + 00 72 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? + 26 DE ?? 26 DE ?? 02 28 ?? ?? ?? ?? 13 ?? 02 28 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 02 28 + ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? [1-2] 02 72 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 [1-2] 20 + ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 6F + ?? ?? ?? ?? 13 ?? 02 11 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 02 7B + ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 8D ?? ?? + ?? ?? 13 ?? 11 ?? 16 + } + + $encrypt_files_2 = { + 72 ?? ?? ?? ?? A2 11 ?? 17 72 ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? + 19 72 ?? ?? ?? ?? A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 1B 72 ?? ?? ?? ?? A2 11 + ?? 1C 72 ?? ?? ?? ?? A2 11 ?? 1D 72 ?? ?? ?? ?? A2 11 ?? 1E 72 ?? ?? ?? ?? A2 + 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? + ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? + 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? + ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? + 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 + 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? + ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? + 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? + ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? + 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? 
?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 + 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? + ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? + 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? + ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? + 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 + 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? + ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? + 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? + ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? + 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 + 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? + ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 ?? 1F ?? 72 ?? ?? ?? ?? A2 11 + } + + $lockfile = { + 02 7B ?? ?? ?? ?? 16 FE ?? 3A ?? ?? ?? ?? 21 EA 17 ?? ?? ?? ?? ?? ?? ?? + 03 73 ?? ?? ?? ?? [2-4] 6F ?? ?? ?? ?? [2-4] 21 00 65 CD 1D + 00 00 00 00 FE ?? 16 FE ?? 2D ?? [2-4] FE ?? 16 FE ?? 2D ?? 03 28 + ?? ?? ?? ?? ?? 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? [1-2] 28 ?? ?? ?? ?? [1-2] + 6F ?? ?? ?? ?? [1-2] 02 ?? [1-2] 28 ?? ?? ?? ?? [1-2] 03 [1-2] 28 ?? ?? + ?? ?? 03 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? [1-2] ?? FE ?? + 16 FE ?? 2D ?? 2B ?? 03 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 2B ?? 03 28 ?? ?? ?? ?? ?? 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? [1-2] 28 ?? + ?? ?? ?? [1-2] 6F ?? ?? ?? ?? [1-2] 02 ?? [1-2] 28 ?? ?? ?? ?? [1-2] 03 + [1-2] 28 ?? ?? ?? ?? 03 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 2A + } + + $lockdir = { + 03 28 ?? ?? ?? ?? 0A 03 28 ?? ?? ?? ?? 0B 16 0C 08 06 8E 69 FE ?? 2C ?? + 00 06 08 9A 28 ?? ?? ?? ?? 0D 05 09 28 ?? ?? ?? ?? 16 FE ?? 2D ?? 02 25 + 7B ?? ?? ?? ?? 17 58 7D ?? ?? ?? ?? 02 06 08 9A 04 28 ?? ?? ?? ?? DE ?? 
+ 26 DE ?? 26 DE ?? 08 17 58 0C 2B ?? 16 0C 08 07 8E 69 FE ?? 2C ?? 00 02 + 07 08 9A 04 05 28 ?? ?? ?? ?? 02 07 08 9A 04 28 ?? ?? ?? ?? DE ?? 26 DE + ?? 26 DE ?? 08 17 58 0C 2B ?? 2A + } + + $sendkey = { + 00 02 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? + 0C 08 72 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 08 72 ?? ?? ?? ?? + 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 08 72 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F + ?? ?? ?? ?? 08 72 ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 07 03 72 ?? ?? ?? ?? 08 + 6F ?? ?? ?? ?? 26 07 6F ?? ?? ?? ?? DE ?? 26 DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + (all of ($encrypt_files_*)) and + $lockfile and + $lockdir and + $sendkey + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara new file mode 100644 index 0000000..f71216b --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara 
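Review bot: `$lockfile` anchors on the literal `21 00 65 CD 1D 00 00 00 00`, an `ldc.i8` of 0x1DCD6500 = 500,000,000, while the neighbouring `21 EA 17 ?? ?? ?? ?? ?? ?? ??` wildcards most of its immediate; the fixed constant is presumably a size threshold and is the one value in this rule a variant is likely to retune, so it deserves a comment, e.g. `// ldc.i8 500000000 (0x1DCD6500): fixed threshold in the lock routine; a variant with a different limit needs this byte run wildcarded`. The condition is also written as `(all of ($encrypt_files_*)) and $lockfile and $lockdir and $sendkey`, whereas every other rule in this commit wraps each term in its own parenthesised block; harmless, but the inconsistent layout stands out when the rules are read side by side.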
@@ -0,0 +1,69 @@ +rule ByteCode_MSIL_Ransomware_GhosTEncryptor : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GHOSTENCRYPTOR" + description = "Yara rule that detects GhosTEncryptor ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GhosTEncryptor" + tc_detection_factor = 5 + + strings: + + $enum_folders = { + 17 8D ?? ?? ?? ?? 0A 06 16 72 ?? ?? ?? ?? A2 03 28 ?? ?? ?? ?? 0B 16 0C 38 ?? ?? ?? ?? + 07 08 9A 0D 02 09 28 ?? ?? ?? ?? 2C ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? + ?? ?? 2D ?? 09 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 02 02 7B ?? ?? ?? ?? 09 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 09 28 ?? ?? ?? ?? 26 08 17 58 0C 08 07 8E 69 3F ?? + ?? ?? ?? 02 7B ?? ?? ?? ?? 06 17 6F ?? ?? ?? ?? 2A + } + + $encrypt_folder_p1 = { + 1F ?? 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? + ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 + ?? ?? ?? ?? A2 25 1D 72 ?? ?? ?? ?? A2 25 1E 72 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? + A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 72 + } + + $encrypt_folder_p2 = { + A2 0A 03 28 ?? ?? ?? ?? 0B 03 28 ?? ?? ?? ?? 0C 16 0D 2B ?? 07 09 9A 28 ?? ?? ?? ?? 13 + ?? 06 11 ?? 28 ?? ?? ?? ?? 2C ?? 02 07 09 9A 04 28 ?? ?? ?? ?? 09 17 58 0D 09 07 8E 69 + 32 ?? 16 13 ?? 2B ?? 02 08 11 ?? 9A 04 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? 08 8E 69 + 32 ?? 2A + } + + $deep_search_p1 = { + 17 8D ?? ?? ?? ?? 0A 06 16 72 ?? ?? ?? ?? A2 7E ?? ?? ?? ?? 0B 02 0C 16 0D 38 ?? ?? ?? + ?? 08 09 9A 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 72 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? + ?? 
?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 11 ?? 72 + } + + $deep_search_p2 = { + 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 07 11 ?? 72 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 0B 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 09 17 58 0D 09 08 8E + 69 3F ?? ?? ?? ?? 07 06 17 6F ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_folders + ) and + ( + all of ($deep_search_p*) + ) and + ( + all of ($encrypt_folder_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara new file mode 100644 index 0000000..9aaf179 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara 
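Review bot: `$deep_search_p1` ends on a bare `72` (`ldstr` with its 4-byte token cut off) and `$deep_search_p2` opens with the `6F` callvirt that follows that token, and `$encrypt_folder_p1`/`_p2` are split the same way at `72` / `A2`, so each pair is two halves of one method — yet `all of ($deep_search_p*)` only requires both halves to exist somewhere in the file, not adjacently. Unless the split works around a pattern-length or wildcard limit, the halves could be joined with a `[4]` jump in place of the token; if the split is intentional, a comment such as `// p1/p2 are consecutive halves of one method, cut at an ldstr token; adjacency is not enforced by the condition` would record that.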
@@ -0,0 +1,61 @@ +rule ByteCode_MSIL_Ransomware_Ghostbin : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GHOSTBIN" + description = "Yara rule that detects Ghostbin ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ghostbin" + tc_detection_factor = 5 + + strings: + + $setup_env = { + 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C + 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 18 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 + 28 ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 19 FE 01 08 6F ?? ?? ?? ?? 18 FE 01 60 2C ?? 08 + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 07 17 D6 0B 07 06 8E 69 32 ?? 00 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 2C ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? DE ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 + ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 1F ?? 16 28 ?? ?? ?? ?? 26 DE ?? 28 ?? ?? ?? ?? 28 ?? ?? + ?? ?? DE ?? 2A + } + + $encrypt_files = { + 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 25 6F ?? ?? ?? ?? 25 06 28 ?? ?? ?? ?? 03 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 0C 6F ?? ?? ?? + ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 0B 07 8E 69 17 59 1F ?? 58 17 58 8D ?? ?? ?? ?? 0D 08 + 09 1F ?? 28 ?? ?? ?? ?? 07 16 09 1F ?? 07 8E 69 28 ?? ?? ?? ?? 09 2A + } + + $find_files = { + 02 17 8D ?? ?? ?? ?? 25 16 1F ?? 9D 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 6F ?? ?? ?? ?? 28 + ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 0A 16 0B + 2B ?? 06 07 9A 0C 7E ?? ?? ?? ?? 08 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 08 28 ?? ?? ?? + ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 08 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 28 ?? + ?? ?? ?? 08 28 ?? ?? ?? ?? DE ?? 25 28 ?? ?? ?? ?? 0D 28 ?? ?? ?? ?? DE ?? 
07 17 D6 0B + 07 06 8E 69 32 ?? 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 28 ?? ?? ?? ?? + 11 ?? 17 D6 13 ?? 11 ?? 11 ?? 8E 69 32 ?? DE ?? 25 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? + DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $setup_env + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara new file mode 100644 index 0000000..3fdc85a --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara 
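Review bot: `$setup_env` and `$find_files` increment loop counters with `17 D6` (`ldc.i4.1`, `add.ovf`) where every other rule in this commit uses `17 58` (`add`); overflow-checked arithmetic is what the VB.NET compiler typically emits by default, so this rule appears tied to a VB-compiled build, and a C# port or a build with overflow checks disabled would not match on these bytes. A one-line comment, e.g. `// loop increments use add.ovf (D6): sample appears to be VB.NET-compiled; C# builds emit add (58)`, keeps that assumption visible to whoever maintains the rule.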
@@ -0,0 +1,89 @@ +rule ByteCode_MSIL_Ransomware_GoodWill : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GOODWILL" + description = "Yara rule that detects GoodWill ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GoodWill" + tc_detection_factor = 5 + + strings: + + $encrypt_file = { + 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 6F + ?? ?? ?? ?? 0A 06 28 ?? ?? ?? ?? 0B 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 02 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 07 28 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? DE ?? 26 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 2A + } + + $aes_encrypt = { + 14 0A 03 0B 73 ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 03 07 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? + ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? + ?? ?? 6F ?? ?? ?? ?? 09 17 6F ?? ?? ?? ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? + 11 ?? 02 16 02 8E 69 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? + ?? ?? ?? DC 08 6F ?? ?? ?? ?? 0A DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 2C ?? 08 6F ?? + ?? ?? ?? DC 06 2A + } + + $find_files_p1 = { + 28 ?? ?? ?? ?? 0A 1F ?? 28 ?? ?? ?? ?? 0B 18 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 + 17 72 ?? ?? ?? ?? A2 0C 06 0D 16 13 ?? 38 ?? ?? ?? ?? 09 11 ?? 9A 13 ?? 11 ?? 6F ?? ?? + ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? DD ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 + ?? 28 ?? ?? ?? ?? 08 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 17 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 7D ?? ?? + ?? ?? 11 ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 19 6F ?? ?? ?? ?? 6F ?? + ?? ?? ?? DE ?? 26 DE ?? 11 ?? 
6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? + ?? DC DE ?? 26 DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? + ?? ?? ?? DC 11 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 73 ?? ?? ?? ?? 13 ?? + 11 ?? 11 ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 11 ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? + ?? ?? ?? 25 19 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? + DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? + 8E 69 3F ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 09 8E 69 3F ?? ?? ?? ?? 08 + } + + $find_files_p2 = { + 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 07 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 + ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 17 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? + 2B ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 11 ?? FE 06 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 19 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? + 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC DE ?? 26 + DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 07 11 ?? 28 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? + 7D ?? ?? ?? ?? 11 ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 19 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F + ?? ?? ?? ?? DC DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 2A + } + + $remote_connection = { + 73 ?? ?? ?? ?? 0A 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 7E ?? ?? ?? ?? 17 28 ?? ?? ?? + ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 1C 6F ?? ?? ?? ?? 2B ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? + 1C 6F ?? ?? ?? ?? 06 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 17 0B DE ?? 26 72 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 
07 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_file + ) and + ( + $aes_encrypt + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara new file mode 100644 index 0000000..96d38e9 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara 
@@ -0,0 +1,96 @@ +rule ByteCode_MSIL_Ransomware_HarpoonLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HARPOONLOCKER" + description = "Yara rule that detects HarpoonLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HarpoonLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 14 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 6F + ?? ?? ?? ?? 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 73 ?? ?? ?? ?? 25 06 07 9A 7D + ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 14 28 ?? ?? ?? ?? 26 07 17 58 0B 07 06 8E + 69 32 ?? 7E ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 2B ?? 73 ?? ?? ?? ?? 0D + 09 12 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 14 28 ?? ?? ?? + ?? 26 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 12 ?? + 12 ?? 28 ?? ?? ?? ?? 12 ?? 12 ?? 28 ?? ?? ?? ?? 11 ?? 11 ?? 59 13 ?? 72 ?? ?? ?? ?? 11 + ?? 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 2C ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 2B ?? 2A + } + + $encrypt_files_p2 = { + 12 ?? FE 15 ?? ?? ?? ?? 12 ?? FE 15 ?? ?? ?? ?? 12 ?? FE 15 ?? ?? ?? ?? 02 16 12 ?? 28 + ?? ?? ?? ?? 26 08 7B ?? ?? ?? ?? 0D 08 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 35 ?? 08 7B ?? ?? + ?? ?? 16 36 ?? DD ?? ?? ?? ?? 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 10 ?? 03 03 6F ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? + 13 ?? 1F ?? 8D ?? ?? ?? ?? 13 ?? 03 6F ?? ?? ?? ?? 16 11 ?? 16 1F ?? 28 ?? ?? ?? ?? 03 + 6F ?? ?? ?? ?? 16 11 ?? 1F ?? 1F ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? 
?? 13 ?? 1F ?? 6A + 13 ?? 17 13 ?? 09 6E 13 ?? 2B ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 59 13 ?? 11 ?? 11 ?? 30 + ?? 02 19 17 7E ?? ?? ?? ?? 19 20 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? + 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? DD ?? ?? ?? ?? 11 ?? 7E ?? ?? ?? ?? 1A 16 09 20 ?? + ?? ?? ?? 58 14 28 ?? ?? ?? ?? 0A 06 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? DD ?? ?? ?? ?? + 06 1F ?? 16 16 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? + DD ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 26 16 13 ?? 16 13 ?? 2B ?? 11 ?? 20 ?? ?? ?? ?? 2F + ?? 09 6E 11 ?? 6A 59 13 ?? 11 ?? D4 8D ?? ?? ?? ?? 13 ?? 11 ?? 17 58 11 ?? 33 ?? 11 ?? + D4 8D ?? ?? ?? ?? 13 ?? 07 11 ?? 28 ?? ?? ?? ?? 11 ?? 16 11 ?? 8E 69 28 ?? ?? ?? ?? 11 + ?? 18 5D 2D ?? 11 ?? 8E 69 1F ?? 33 ?? 11 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 16 07 11 + ?? 28 ?? ?? ?? ?? 11 ?? 8E 69 28 ?? ?? ?? ?? 11 ?? 11 ?? 8E 69 58 13 ?? 11 ?? 17 58 13 + ?? 11 ?? 11 ?? 3F ?? ?? ?? ?? 11 ?? 20 ?? ?? ?? ?? 32 ?? 11 ?? 16 07 09 28 ?? ?? ?? ?? + 11 ?? 8E 69 28 ?? ?? ?? ?? 2B ?? 11 ?? 16 07 11 ?? 28 ?? ?? ?? ?? 11 ?? 8E 69 28 ?? ?? + ?? ?? DE ?? 26 DE ?? 26 DE ?? 00 07 28 ?? ?? ?? ?? 26 DE ?? 26 DE ?? 00 06 28 ?? ?? ?? + ?? 26 DE ?? 26 DE ?? DC 2A + } + + $find_files = { + 73 ?? ?? ?? ?? 0A 06 02 7D ?? ?? ?? ?? 7E ?? ?? ?? ?? 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 2C ?? 2A 00 06 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? + ?? ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 14 0B 06 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B DE ?? 26 + DE ?? 07 2C ?? 07 8E 16 FE 01 2B ?? 17 0C 06 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 16 13 + ?? 2B ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 11 ?? 9A 7D ?? ?? ?? ?? 08 2C ?? 11 ?? 7B ?? + ?? ?? ?? 28 ?? ?? ?? ?? 2B ?? 11 ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 14 28 ?? ?? ?? ?? + 26 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? DE ?? 26 DE ?? 08 2C ?? DD ?? ?? ?? ?? 28 + ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 17 + 6F ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 
07 13 ?? 16 13 ?? 2B ?? 73 ?? ?? ?? + ?? 13 ?? 11 ?? 11 ?? 11 ?? 9A 7D ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? + 7E ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 7E ?? ?? ?? ?? 11 ?? FE 06 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 11 ?? 7B ?? ?? ?? ?? 09 28 ?? ?? ?? ?? DE + ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 09 6F ?? ?? ?? ?? DE ?? 26 DE + ?? DE ?? 26 DE ?? 2A + } + + $change_boot = { + 02 8E 2C ?? 02 16 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 2A 02 16 9A 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2A 02 16 9A 72 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 2C ?? 17 80 ?? ?? ?? ?? 16 80 ?? ?? ?? ?? 02 16 9A 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 2C ?? 17 80 ?? ?? ?? ?? 02 16 9A 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 28 ?? + ?? ?? ?? 2A 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2A 28 ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $change_boot + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara new file mode 100644 index 0000000..bdbbe7e --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara 
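Review bot: `$change_boot` contains no boot-configuration logic identifiable from its bytes: it begins `02 8E 2C ?? 02 16 9A 72 … 28 … 2C ?? 28 … 2A` (`ldarg.0`, `ldlen`, `brfalse`, then element 0 of the argument array compared against string literals with early returns), which reads like a command-line switch dispatcher, and what each branch does is hidden behind wildcarded `28` call tokens. The name therefore encodes an inference the pattern itself cannot support; either rename it to reflect the visible structure or add `// argument dispatcher on the first command-line argument; branch bodies (call tokens) are wildcarded, so the name comes from sample analysis, not from these bytes`.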
@@ -0,0 +1,70 @@ +rule ByteCode_MSIL_Ransomware_Hog : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HOG" + description = "Yara rule that detects Hog ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Hog" + tc_detection_factor = 5 + + strings: + + $generate_key = { + 73 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 1A 8D ?? ?? ?? ?? 0C 2B ?? 07 08 6F ?? ?? ?? ?? 08 + 16 28 ?? ?? ?? ?? 0D 06 72 ?? ?? ?? ?? 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 5E 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 26 02 25 17 59 10 ?? 16 30 ?? 06 6F ?? ?? ?? ?? 13 ?? DE ?? 07 2C ?? + 07 6F ?? ?? ?? ?? DC 11 ?? 2A + } + + $find_files = { + 16 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 16 16 6F ?? ?? ?? ?? 2D ?? DD ?? ?? ?? ?? 00 1F + ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? + ?? ?? 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 7E ?? + ?? ?? ?? 6F ?? ?? ?? ?? 17 31 ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? + ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C + 2B ?? 08 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 2D ?? DE ?? 08 2C ?? 08 6F ?? + ?? ?? ?? DC 28 ?? ?? ?? ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC DE ?? 26 28 ?? ?? ?? ?? + DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 2A + } + + $encrypt_files_p1 = { + 02 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7E ?? + ?? ?? ?? 31 ?? DD ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 06 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 19 + 73 ?? ?? ?? ?? 0B 02 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 08 06 6F ?? ?? ?? + ?? 17 73 ?? ?? ?? ?? 0D 08 06 6F ?? ?? ?? ?? 16 06 6F ?? ?? ?? ?? 8E 69 6F ?? ?? ?? ?? + 07 09 6F ?? ?? ?? ?? DE ?? 
09 2C ?? 09 6F ?? ?? ?? ?? DC DE ?? 08 2C ?? 08 6F ?? ?? ?? + ?? DC DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 02 28 ?? + ?? ?? ?? DE ?? 26 DE ?? 2A + } + + $encrypt_files_p2 = { + 73 ?? ?? ?? ?? 0A 06 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 8D ?? ?? ?? + ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 0B + 73 ?? ?? ?? ?? 0C 08 06 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 0D 09 07 16 07 8E 69 6F ?? ?? + ?? ?? 09 6F ?? ?? ?? ?? DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? DC 08 6F ?? ?? ?? ?? 28 ?? ?? + ?? ?? 10 ?? DE ?? 08 2C ?? 08 6F ?? ?? ?? ?? DC 02 13 ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? + ?? DC 26 DE ?? 02 2A 11 ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $generate_key + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara new file mode 100644 index 0000000..5d521e9 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara 
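Review bot: The `meta` block of `ByteCode_MSIL_Ransomware_Hog` records author, status and sharing but no `date`, `hash` or `reference`, so nothing ties the four bytecode patterns to the sample they were lifted from and there is no way to regression-test the rule when a miss or false positive is reported. Adding `hash = "<sha256 of the reference sample>"` and `date = "YYYY-MM-DD"` (the values are not recoverable from this diff) would make the rule maintainable, and a one-line comment on what `tc_detection_factor = 5` means would help anyone mapping it to a severity downstream. The single-string parentheses in the condition, `( $find_files ) and ( $generate_key )`, are harmless and match the other ReversingLabs rules in this commit, so leave them unless the whole set is normalized.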
@@ -0,0 +1,66 @@ +rule ByteCode_MSIL_Ransomware_Invert : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "INVERT" + description = "Yara rule that detects Invert ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Invert" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 73 ?? ?? ?? ?? 0A 06 04 7D ?? ?? ?? ?? 00 00 02 28 ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 25 2D + ?? 26 06 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 0C 7D ?? ?? ?? ?? 08 7E ?? ?? ?? ?? 25 + 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 + ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? + FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D + ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 2B ?? 07 6F ?? ?? ?? ?? 0D 00 00 09 03 28 ?? ?? + ?? ?? 13 ?? 11 ?? 2C ?? 00 7E ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 26 00 00 DE ?? 26 00 00 DE + ?? 00 07 6F ?? ?? ?? ?? 2D ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 2A + } + + $find_files = { + 00 73 ?? ?? ?? ?? 0A 00 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 25 16 28 ?? ?? ?? ?? A2 25 17 + 72 ?? ?? ?? ?? A2 17 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 2B ?? 12 ?? 28 ?? + ?? ?? ?? 0C 00 06 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE + ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 06 + 0D 2B ?? 09 2A + } + + $get_file_list = { + 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 06 2C + ?? 
00 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 38 ?? ?? + ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B + 00 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 2B ?? 12 ?? 28 ?? ?? ?? ?? 0D 00 07 09 6F ?? ?? + ?? ?? 00 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 + DC 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 18 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 18 28 ?? ?? ?? ?? 00 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F + ?? ?? ?? ?? 00 00 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $get_file_list + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara new file mode 100644 index 0000000..5fe86a5 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara 
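Review bot: Most of `$encrypt_files` in `ByteCode_MSIL_Ransomware_Invert` is seven repetitions of the C# compiler's cached-delegate idiom, `7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ??` (`ldsfld; dup; brtrue.s; pop; ldsfld; ldftn; newobj; dup; stsfld; call`), which is emitted for any static lambda and, with every token wildcarded, carries no family-specific bytes. The family evidence therefore sits in the short prefix and suffix of that string and in `$find_files`/`$get_file_list`; since the condition ANDs all three the rule stays precise, but the exact count of seven lambdas is the kind of detail a small refactor changes, so a miss on a variant would most likely originate here. A comment on the string, e.g. `// seven cached static lambdas — count is build-specific`, would tell the next maintainer where to look first.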
@@ -0,0 +1,96 @@ +rule ByteCode_MSIL_Ransomware_Janelle : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JANELLE" + description = "Yara rule that detects Janelle ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Janelle" + tc_detection_factor = 5 + + strings: + + $setup_env_p1 = { + 00 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 73 ?? ?? ?? ?? 0A 06 02 7D ?? ?? + ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 2B ?? 08 6F + ?? ?? ?? ?? 74 ?? ?? ?? ?? 0D 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 00 08 6F ?? ?? ?? ?? 2D ?? DE ?? 08 75 ?? ?? ?? ?? 13 ?? + 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 02 7B ?? ?? ?? ?? 16 6F ?? ?? ?? ?? 00 16 28 ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 2C ?? 00 16 + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 16 28 ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 02 16 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 16 FE 02 16 FE 01 13 ?? 11 ?? 2C ?? 00 28 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? + 12 ?? 23 ?? ?? ?? ?? ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 00 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 23 ?? ?? ?? ?? ?? ?? ?? ?? 28 ?? ?? ?? + ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 02 + } + + $setup_env_p2 = { + 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 28 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 13 ?? 
11 ?? 2C ?? 00 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 2B ?? 00 16 28 ?? ?? ?? ?? 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 + 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 16 28 + ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 28 ?? ?? ?? ?? 02 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 06 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 16 28 ?? ?? ?? ?? + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 28 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 + ?? 11 ?? 2C ?? 00 02 17 7D ?? ?? ?? ?? 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? + ?? 25 17 6F ?? ?? ?? ?? 00 6F ?? ?? ?? ?? 00 06 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 02 + 7B ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? + ?? ?? 00 00 2A + } + + $find_files = { + 73 ?? ?? ?? ?? 0A 06 02 7D ?? ?? ?? ?? 06 04 7D ?? ?? ?? ?? 06 05 7D ?? ?? ?? ?? 00 00 + 03 28 ?? ?? ?? ?? 0B 00 07 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 02 11 ?? 06 7B ?? ?? ?? ?? + 28 ?? ?? ?? ?? 00 00 09 17 58 0D 09 08 8E 69 32 ?? 06 7B ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? + 00 00 00 03 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 06 7D ?? ?? + ?? ?? 11 ?? 11 ?? 11 ?? 9A 7D ?? ?? ?? ?? 00 11 ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 + ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 00 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? + 8E 69 32 ?? 00 DE ?? 
13 ?? 00 72 ?? ?? ?? ?? 03 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE + ?? 00 00 DE ?? 26 00 72 ?? ?? ?? ?? 03 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? 2A + } + + $encrypt_files = { + 00 28 ?? ?? ?? ?? 0A 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 73 ?? ?? ?? ?? 0B 28 ?? ?? ?? + ?? 04 6F ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 00 09 18 6F ?? ?? ?? ?? 00 08 06 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? + 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F + ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 1A 6F ?? ?? ?? ?? 00 07 06 16 06 + 8E 69 6F ?? ?? ?? ?? 00 07 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 03 19 73 ?? ?? ?? + ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 00 2B ?? 00 28 ?? ?? ?? ?? 00 11 ?? 11 ?? + 16 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 25 13 ?? 16 FE + 02 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 13 ?? 00 72 ?? ?? ?? ?? 11 ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? DE ?? 00 11 ?? 6F ?? ?? ?? ?? 00 + 07 6F ?? ?? ?? ?? 00 00 DC 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($setup_env_p*) + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara new file mode 100644 index 0000000..13cd9b6 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara 
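Review bot: `$encrypt_files` in `ByteCode_MSIL_Ransomware_Janelle` has the same opcode shape as McBurglar's `$encrypt_files_p2`, Namaste's `$encrypt_files_p3` and Oct's `$encrypt_files` in this same commit — two `20 ?? ?? ?? ?? 6F ?? ?? ?? ??` property sets, an `18 6F` mode set, then two `6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ??` sequences (a size divided by 8 fed back into the cipher object) — which looks like the widely copied RijndaelManaged file-encryption helper with KeySize/8 and BlockSize/8 used for key and IV lengths; this is inferred from the opcodes, not confirmed. That string therefore contributes little family-specific evidence, attribution rests on `$setup_env_p*` and `$find_files`, and an analyst should expect several of these rules to fire on one sample without that meaning several families. Recording this in the rule, e.g. `// encryption helper shape shared with the McBurglar/Namaste/Oct rules; family specificity comes from setup_env/find_files`, would prevent co-hits from being misread.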
@@ -0,0 +1,68 @@ +rule ByteCode_MSIL_Ransomware_Khonsari : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KHONSARI" + description = "Yara rule that detects Khonsari ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Khonsari" + tc_detection_factor = 5 + + strings: + + $find_files = { + 73 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? + 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 0B + 16 0C 2B ?? 07 08 9A 0D 09 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? + ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 09 + 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 06 1B 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 06 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 + ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 06 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 2D ?? 00 11 + ?? 7E ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 11 ?? 72 ?? + ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F + ?? ?? ?? ?? DC DE ?? 26 DE ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? + ?? ?? ?? 6F ?? ?? ?? ?? DC 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? + 28 ?? ?? ?? ?? 26 2A + } + + $get_key = { + 73 ?? ?? ?? ?? 0A 06 12 ?? FE 15 ?? ?? ?? ?? 12 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 + ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D + ?? ?? 
?? ?? 12 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 72 ?? + ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 07 6F ?? + ?? ?? ?? 06 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 13 ?? 11 + ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 17 6F ?? + ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 08 2A + } + + $encrypt_files = { + 28 ?? ?? ?? ?? 0A 06 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 61 13 ?? 11 ?? 6F ?? ?? ?? ?? 06 20 + ?? ?? ?? ?? 20 ?? ?? ?? ?? 61 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 13 ?? 11 ?? 6F ?? ?? + ?? ?? 06 19 6F ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 02 7B ?? ?? ?? ?? 6F + ?? ?? ?? ?? 06 06 6F ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 02 03 07 28 ?? ?? + ?? ?? 0C DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 06 2C ?? 06 6F ?? ?? ?? ?? DC 08 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $get_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara new file mode 100644 index 0000000..d4fc8bb --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara 
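Review bot: The strings of `ByteCode_MSIL_Ransomware_Khonsari` are dominated by `72 ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? 11 ??` — every `ldstr` is round-tripped through one or more locals before use — and `$encrypt_files` derives its constants as `20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 61` (two `ldc.i4` then `xor`), which looks like the output of an obfuscation pass that inserts local churn and splits constants (inferred from the opcodes). A build of the same source with that pass disabled or configured differently would not have this shape, so the rule is effectively tied to this obfuscated build; stating that in meta, e.g. `description = "Yara rule that detects Khonsari ransomware (obfuscated build: local-variable churn, xor-split constants)."`, stops a future miss being misdiagnosed as a new family. As with the other rules here, a `hash` of the reference sample in meta would make that build identifiable.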
@@ -0,0 +1,75 @@ +rule ByteCode_MSIL_Ransomware_McBurglar : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MCBURGLAR" + description = "Yara rule that detects McBurglar ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "McBurglar" + tc_detection_factor = 5 + + strings: + + $setup_env = { + 00 7E ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? + ?? 1B 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 00 7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 28 ?? ?? + ?? ?? 00 2A + } + + $encrypt_files_p1 = { + 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? 73 ?? ?? ?? ?? 0B 07 12 ?? 28 ?? ?? ?? ?? + 7D ?? ?? ?? ?? 00 07 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 + 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 2A + } + + $encrypt_files_p2 = { + 00 28 ?? ?? ?? ?? 0A 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 73 ?? ?? ?? ?? 0B 73 ?? ?? ?? + ?? 0C 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 00 11 ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 11 ?? 18 6F ?? ?? ?? ?? 00 09 06 + 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? + ?? 00 11 ?? 1A 6F ?? ?? ?? ?? 00 07 06 16 06 8E 69 6F ?? ?? ?? ?? 00 07 11 ?? 6F ?? ?? + ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? + 13 ?? 00 2B ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 11 ?? 16 11 ?? 8E 69 + 6F ?? ?? ?? ?? 25 13 ?? 16 FE 02 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 13 + ?? 00 72 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? 
?? ?? 00 00 DE ?? DE + ?? 00 11 ?? 6F ?? ?? ?? ?? 00 07 6F ?? ?? ?? ?? 00 00 DC 2A + } + + $find_files = { + 00 00 02 28 ?? ?? ?? ?? 0A 00 06 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 11 ?? 28 ?? ?? ?? ?? + 00 00 09 17 58 0D 09 08 8E 69 32 ?? 02 28 ?? ?? ?? ?? 0B 00 07 13 ?? 16 13 ?? 2B ?? 11 + ?? 11 ?? 9A 13 ?? 00 11 ?? 28 ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 + ?? 00 DE ?? 26 00 00 DE ?? 2A + } + + $generate_salt = { + 00 1F ?? 8D ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 00 16 0C 2B ?? 00 07 06 6F ?? ?? ?? ?? 00 + 00 08 17 58 0C 08 1F ?? FE 04 0D 09 2D ?? 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 06 + 13 ?? 2B ?? 11 ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $setup_env + ) and + ( + $find_files + ) and + ( + $generate_salt + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara new file mode 100644 index 0000000..04eb360 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara 
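Review bot: `$setup_env` in `ByteCode_MSIL_Ransomware_McBurglar` reduces to six repetitions of `7E ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ??` (`ldsfld; ldc.i4.s; call; callvirt`) plus two trailing `call`s; with every token wildcarded the only concrete bytes are opcodes and the small immediates `16`/`1B`, so on its own it matches any method that pushes six enum-valued call results into a static collection. It is ANDed with `$find_files`, `$generate_salt` and both `$encrypt_files_p*` parts, so precision holds, but it is the weakest string and the one most likely to break when a variant adds or drops one entry. Either document why it is required, e.g. `// presumably six SpecialFolder lookups (unverified) — entry count is build-specific`, or relax the condition to `2 of ($setup_env, $find_files, $generate_salt) and all of ($encrypt_files_p*)` so the generic string is supporting rather than mandatory evidence.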
@@ -0,0 +1,86 @@ +rule ByteCode_MSIL_Ransomware_Moisha : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MOISHA" + description = "Yara rule that detects Moisha ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Moisha" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 73 ?? ?? ?? ?? 0A 02 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 2B ?? 07 6F ?? ?? ?? ?? 0C 08 28 + ?? ?? ?? ?? 2D ?? 06 08 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 2D ?? DE ?? 07 2C ?? 07 6F ?? + ?? ?? ?? DC DE ?? 26 DE ?? 06 2A + } + + $find_files_p2 = { + 02 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? + 0B 2B ?? 07 6F ?? ?? ?? ?? 0C 08 6F ?? ?? ?? ?? 0D 03 09 6F ?? ?? ?? ?? 04 2C ?? 04 09 + 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 2D ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 06 6F ?? ?? + ?? ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 03 04 + 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? + ?? ?? ?? DC 02 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 03 11 ?? 6F ?? ?? ?? ?? 04 2C ?? 04 + 11 ?? 6F ?? ?? ?? ?? 2A + } + + $find_files_p3 = { + 73 ?? ?? ?? ?? 0A 06 03 7D ?? ?? ?? ?? 06 04 7D ?? ?? ?? ?? 06 05 7D ?? ?? ?? ?? 02 28 + ?? ?? ?? ?? 39 ?? ?? ?? ?? 06 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 06 7B ?? + ?? ?? ?? 2C ?? 06 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 31 ?? 06 7B ?? ?? ?? ?? 2C ?? 06 FE + 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 07 17 6F ?? ?? ?? ?? 07 17 6F ?? ?? ?? + ?? 7E ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? DE ?? 26 DE ?? 02 28 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 2B ?? 12 ?? 28 ?? ?? ?? ?? 0D 09 6F ?? ?? ?? ?? 06 7B + ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 06 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 12 ?? 28 + ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 2A + } + + $import_priv_key = { + 02 73 ?? ?? ?? ?? 
13 ?? 11 ?? 73 ?? ?? ?? ?? 13 ?? 16 13 ?? 16 13 ?? 16 13 ?? 11 ?? 6F + ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? 33 ?? 11 ?? 6F ?? ?? ?? ?? 26 2B ?? 11 ?? 20 ?? + ?? ?? ?? 33 ?? 11 ?? 6F ?? ?? ?? ?? 26 2B ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 11 ?? 6F + ?? ?? ?? ?? 13 ?? 11 ?? 20 ?? ?? ?? ?? 2E ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 11 ?? 6F + ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 11 ?? 28 ?? ?? ?? ?? 13 + ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 0A 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? + 0B 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 0C 11 ?? 28 ?? ?? ?? ?? 13 ?? + 11 ?? 11 ?? 6F ?? ?? ?? ?? 0D 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 13 + ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 + ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? + ?? 13 ?? 12 ?? FE 15 ?? ?? ?? ?? 12 ?? 06 7D ?? ?? ?? ?? 12 ?? 07 7D ?? ?? ?? ?? 12 ?? + 08 7D ?? ?? ?? ?? 12 ?? 09 7D ?? ?? ?? ?? 12 ?? 11 ?? 7D ?? ?? ?? ?? 12 ?? 11 ?? 7D ?? + ?? ?? ?? 12 ?? 11 ?? 7D ?? ?? ?? ?? 12 ?? 11 ?? 7D ?? ?? ?? ?? 11 ?? 13 ?? DE ?? 11 ?? + 6F ?? ?? ?? ?? DC 11 ?? 2A + } + + $encrypt_files = { + 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 0A 14 0B 14 0C 16 0D 20 ?? ?? ?? ?? 13 ?? 03 19 17 1D 28 + ?? ?? ?? ?? 0B 03 19 18 1D 28 ?? ?? ?? ?? 0C 02 7B ?? ?? ?? ?? 08 17 6F ?? ?? ?? ?? 13 + ?? 07 06 16 06 8E 69 6F ?? ?? ?? ?? 13 ?? 11 ?? 16 31 ?? 11 ?? 06 16 11 ?? 6F ?? ?? ?? + ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 04 11 ?? 6F ?? ?? ?? ?? 04 6F ?? ?? ?? ?? + 13 ?? 11 ?? 8E 69 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 08 08 6F ?? ?? ?? ?? 16 6F ?? ?? ?? + ?? 26 08 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 08 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 08 + 6F ?? ?? ?? ?? 17 0D DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC DE ?? 13 ?? DE ?? 07 2C + ?? 07 6F ?? ?? ?? ?? 08 2C ?? 08 6F ?? ?? ?? ?? 
09 26 DC 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $import_priv_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara new file mode 100644 index 0000000..000eb93 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara 
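Review bot: The name `$import_priv_key` and the shape of that string in `ByteCode_MSIL_Ransomware_Moisha` — `20 ?? ?? ?? ?? 33 ??` comparisons against header bytes, `28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A` (construct and throw on mismatch), eight `28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ??` length-then-read pairs, and a value type filled by eight `7D` field stores — read like a hand-rolled DER/PKCS#1 RSAPrivateKey parser populating an eight-field `RSAParameters` (modulus, exponent, D, P, Q, DP, DQ, InverseQ); this is inferred from opcodes, not confirmed. If that reading is right the sample embeds or receives an RSA private key at runtime, which changes how responders should read it (encryptor vs. decryptor or test build) and belongs in meta, e.g. `description = "Yara rule that detects Moisha ransomware (parses an RSA private key at runtime)."` once verified. If the key blob is constant across samples, its DER prefix would also be a far cheaper and more specific indicator than this ~300-byte wildcarded pattern and worth adding as a separate string.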
@@ -0,0 +1,81 @@ +rule ByteCode_MSIL_Ransomware_Namaste : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NAMASTE" + description = "Yara rule that detects Namaste ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Namaste" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 03 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 02 06 07 9A 28 ?? ?? ?? ?? 07 17 58 0B 07 06 8E 69 32 + ?? DE ?? 26 DE ?? 00 03 28 ?? ?? ?? ?? 0C 16 0D 2B ?? 08 09 9A 13 ?? 02 11 ?? 28 ?? ?? + ?? ?? 17 28 ?? ?? ?? ?? 09 17 58 0D 09 08 8E 69 32 ?? DE ?? 26 DE ?? 2A + } + + $find_files_p2 = { + 02 7B ?? ?? ?? ?? 2D ?? 03 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 17 2A 03 6F ?? ?? ?? ?? + 0A 06 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? + ?? ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 2D ?? 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 16 2A 02 7B ?? ?? ?? ?? 2C ?? 03 72 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 2C ?? 16 2A 02 7B ?? ?? ?? ?? 2D ?? 03 72 ?? ?? ?? ?? 6F ?? ?? + ?? ?? 2D ?? 16 2A 03 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 03 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 20 ?? ?? ?? ?? 6A 31 ?? 16 0C DE ?? DE ?? 26 DE ?? 02 28 ?? ?? ?? ?? 07 28 ?? ?? ?? ?? + 2A 08 2A + } + + $encrypt_files_p1 = { + 02 03 28 ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 2C ?? 02 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 
+ 02 7B ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 02 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2B ?? 02 03 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 02 7B ?? ?? ?? ?? 2C ?? 03 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 2C ?? 02 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2A + } + + $encrypt_files_p2 = { + 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 02 20 ?? ?? ?? + ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? + ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 02 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 1B 28 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 02 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 02 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 1F + ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? 12 ?? 28 ?? ?? ?? ?? 0B 02 07 + 28 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? + DC 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A + } + + $encrypt_files_p3 = { + 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 26 73 ?? ?? ?? ?? 0A 06 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 06 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 18 6F ?? ?? ?? ?? 04 14 73 ?? ?? ?? ?? 0B 06 07 06 + 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 07 06 6F ?? ?? ?? ?? 1E 5B 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 06 1A 6F ?? ?? ?? ?? 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 73 ?? + ?? ?? ?? 0C 08 06 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 0D 03 19 73 ?? ?? ?? ?? 13 ?? 20 ?? + ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 2B ?? 09 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 + ?? 8E 69 6F ?? ?? ?? ?? 25 13 ?? 16 30 ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC 09 + 2C ?? 09 6F ?? ?? ?? ?? DC 08 2C ?? 08 6F ?? ?? ?? ?? DC 03 28 ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
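Review bot: `$find_files_p2` in `ByteCode_MSIL_Ransomware_Namaste` hard-codes the branch encoding of its exclusion list — the first seven `06 72 ?? ?? ?? ?? 6F ?? ?? ?? ??` comparisons are followed by `3A ?? ?? ?? ??` (`brtrue`, 4-byte offset) and the remaining ones by `2D ??` (`brtrue.s`, 1-byte offset). The compiler chooses long or short form purely by branch distance, so a variant that adds or removes a single excluded name flips some of those opcodes and the string stops matching even though the logic is unchanged. Writing each such branch as an alternative, `( 3A ?? ?? ?? ?? | 2D ?? )`, keeps the pattern valid across that kind of rebuild at negligible cost; the same treatment fits the `38 ?? ?? ?? ??` (`br`) at the top of `$find_files_p2`'s tail and the `39 ?? ?? ?? ??` (`brfalse`) forms used elsewhere in this set.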
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara new file mode 100644 index 0000000..fe3a53a --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara 
@@ -0,0 +1,68 @@ +rule ByteCode_MSIL_Ransomware_Oct : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "OCT" + description = "Yara rule that detects Oct ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Oct" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 03 0B 07 18 73 ?? ?? ?? ?? 0C 73 + ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 04 06 + 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 09 19 6F ?? + ?? ?? ?? 09 17 6F ?? ?? ?? ?? 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? + ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? D2 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 25 13 ?? 15 33 + ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 02 28 ?? ?? ?? ?? DE ?? + 13 ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 2A + } + + $find_files = { + 16 0A 38 ?? ?? ?? ?? 16 0B 2B ?? 02 06 9A 28 ?? ?? ?? ?? 2C ?? 02 06 9A 73 ?? ?? ?? ?? + 0C 08 72 ?? ?? ?? ?? 03 07 9A 28 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 0D 09 13 ?? 16 13 ?? 2B + ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 05 28 ?? ?? ?? ?? 1E + 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 17 58 13 ?? 11 ?? + 11 ?? 8E 69 32 ?? 07 17 58 0B 07 03 8E 69 32 ?? 06 17 58 0A 06 02 8E 69 3F ?? ?? ?? ?? + 2A + } + + $collect_env_and_start_enc_proc = { + 19 8D ?? ?? ?? ?? 0B 07 16 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 17 1B + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 18 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? A2 07 1F ?? 8D ?? ?? ?? ?? 0C 08 16 72 ?? ?? ?? ?? A2 08 17 72 ?? ?? + ?? ?? A2 08 18 72 ?? ?? ?? ?? A2 08 19 72 ?? ?? ?? ?? A2 08 1A 72 ?? ?? ?? ?? A2 08 1B + 72 ?? ?? ?? ?? A2 08 1C 72 ?? 
?? ?? ?? A2 08 1D 72 ?? ?? ?? ?? A2 08 1E 72 ?? ?? ?? ?? + A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 + 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? + 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? + ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? + ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 1F ?? 72 ?? ?? ?? ?? A2 08 72 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A + 06 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 72 ?? ?? ?? ?? 16 + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 7E ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $collect_env_and_start_enc_proc + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara new file mode 100644 index 0000000..b707873 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara 
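Review bot: `$encrypt_files` in `ByteCode_MSIL_Ransomware_Oct` opens with `1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A` — `ldc.i4.8; newarr; dup; ldtoken; call` — the shape the C# compiler emits for a constant-initialized 8-byte array via `RuntimeHelpers.InitializeArray`, and since the result is later passed into the key-derivation construction it is presumably a hard-coded salt (inferred; the field token is wildcarded so the value itself is not in the rule). If those 8 bytes are stable across samples they are a cheaper and more specific indicator than the bytecode and worth adding as a second string, e.g. `$salt = { ?? ?? ?? ?? ?? ?? ?? ?? }` filled in from the field RVA data (not the method body), with a comment saying where it was taken from. Separately, `$collect_env_and_start_enc_proc` bakes in the array length (`1F ?? 8D ?? ?? ?? ??` followed by ~26 `A2` stores with `1F ??` indices), so adding one directory name in a variant breaks the match — worth noting in meta.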
@@ -0,0 +1,68 @@ +rule ByteCode_MSIL_Ransomware_Pacman : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PACMAN" + description = "Yara rule that detects Pacman ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Pacman" + tc_detection_factor = 5 + + strings: + $pacman_find_encrypted_1 = { + 28 0A 00 00 06 [0-2] 6F 0D 00 00 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] 28 + 29 02 00 06 1F 1C 28 0E 04 00 06 [0-2] 7E 13 00 00 04 20 0F 03 00 00 28 2F 00 00 06 25 + 26 28 5D 02 00 06 [0-2] 28 6D 01 00 06 [0-2] 0B 07 13 06 16 13 05 2B 31 11 06 11 05 9A + 0C 28 0A 00 00 06 [0-2] 6F 0D 00 00 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] + 08 28 55 02 00 06 [0-2] 26 11 05 17 D6 13 05 11 05 11 06 8E B7 32 C7 1D 45 01 00 00 00 + F6 FF FF FF 17 2D 06 D0 1E 01 00 06 26 16 0A 38 BC 01 00 00 28 0A 00 00 06 [0-2] 6F 0D + 00 00 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] 06 28 AA 04 00 06 [0-2] 14 20 + B0 0F 00 00 28 2F 00 00 06 [0-2] 1F 0A 8D 76 00 00 01 13 07 11 07 16 20 BF 0F 00 00 28 + 2F 00 00 06 [0-2] A2 11 07 17 20 C2 0F 00 00 28 2F 00 00 06 [0-2] A2 11 07 18 20 C5 0F + 00 00 28 2F 00 00 06 [0-2] A2 11 07 19 20 C8 0F 00 00 28 2F 00 00 06 [0-2] A2 11 07 1A + 20 CB 0F 00 00 28 2F 00 00 06 [0-2] A2 11 07 1B 20 CE 0F 00 00 28 2F 00 00 06 [0-2] A2 + } + + $pacman_find_encrypted_2 = { + 11 07 1C 20 D1 0F 00 00 28 2F 00 00 06 [0-2] A2 11 07 1D 20 D4 0F 00 00 28 2F 00 00 06 + [0-2] A2 11 07 1E 20 C2 0F 00 00 28 2F 00 00 06 [0-2] A2 11 07 1F 09 20 D7 0F 00 00 28 + 2F 00 00 06 [0-2] A2 11 07 14 14 14 28 7A 04 00 06 [0-2] 28 E2 05 00 06 [0-2] 0D 28 07 + 00 00 06 28 1A 04 00 06 [0-2] 28 0A 00 00 06 [0-2] 6F 0D 00 00 06 [0-2] 6F 33 00 00 06 + [0-2] 28 FD 01 00 06 [0-2] 06 28 AA 04 00 06 [0-2] 28 E2 05 00 06 [0-2] 28 36 05 00 06 + [0-2] 2C 78 1A 45 01 00 00 00 F6 FF FF FF 7E 16 00 00 04 28 9D 02 00 06 [0-2] 28 0A 00 + 00 06 
[0-2] 6F 0D 00 00 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] 06 28 AA 04 + 00 06 [0-2] 28 E2 05 00 06 [0-2] 09 16 28 23 01 00 06 28 0A 00 00 06 [0-2] 6F 0D 00 00 + 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] 06 28 AA 04 00 06 [0-2] 28 E2 05 00 + 06 [0-2] 28 66 04 00 06 DE 0F 25 28 4E 04 00 06 13 04 28 02 03 00 06 DE 00 06 17 D6 0A + 06 28 0A 00 00 06 [0-2] 6F 0D 00 00 06 [0-2] 6F 33 00 00 06 [0-2] 28 FD 01 00 06 [0-2] + 28 E2 04 00 06 [0-2] 3F 1B FE FF FF 1B 45 01 00 00 00 F6 FF FF FF 28 28 00 00 06 2A + } + + $pacman_encrypt = { + 28 65 02 00 06 [0-2] 0A 16 13 05 20 00 04 00 00 13 07 06 11 07 28 2A 05 00 06 [0-2] 2C + 19 1C 45 01 00 00 00 F6 FF FF FF 17 2D 06 D0 20 01 00 06 26 11 07 13 05 2B 15 11 07 15 + D6 13 07 11 07 17 2F D0 17 45 01 00 00 00 F6 FF FF FF 20 DA 0F 00 00 28 2F 00 00 06 [0-2] + 11 05 28 9D 02 00 06 [0-2] 28 E2 02 00 06 [0-2] 28 6E 03 00 06 06 28 0A 03 00 06 [0-2] + 0B 14 13 04 14 0D 1F 0E 8D 25 00 00 01 13 0B 11 0B 16 ?? 9C 11 0B 17 ?? 9C 11 0B 18 + ?? 9C 11 0B 19 ?? 9C 11 0B 1A ?? 9C 11 0B 1B ?? 9C 11 0B 1C ?? 9C 11 0B 1D ?? 9C 11 0B + 1E 20 ?? ?? ?? ?? 9C 11 0B 1F 09 20 ?? ?? ?? ?? 9C 11 0B 1F 0A 20 ?? ?? ?? ?? 9C 11 0B + 1F 0B 1F ?? 9C 11 0B 1F 0C 1F ?? 9C 11 0B 1F 0D 1F ?? 9C 11 0B 13 06 02 11 06 11 05 07 + 12 04 12 03 28 1F 01 00 06 05 2C 18 18 45 01 00 00 00 F6 FF FF FF 06 11 04 09 28 96 03 + 00 06 [0-2] 0C 2B 0C 06 11 04 09 28 7E 05 00 06 [0-2] 0C 04 08 17 28 45 01 00 06 [0-2] + 13 08 20 01 04 00 00 8D 25 00 00 01 13 09 03 11 09 16 20 00 04 00 00 28 3A 03 00 06 [0-2] + 13 0A 11 0A 16 33 0C 1D 45 01 00 00 00 F6 FF FF FF DE 24 11 08 11 09 16 11 0A 28 F6 04 + 00 06 2B CF 11 08 2C 11 18 45 01 00 00 00 F6 FF FF FF 11 08 28 1E 03 00 06 DC DE 0C 28 + 4E 04 00 06 28 02 03 00 06 DE 00 08 28 1E 03 00 06 2A + } + + condition: + uint16(0) == 0x5A4D and + ($pacman_find_encrypted_1 and $pacman_find_encrypted_2 and $pacman_encrypt) +} \ No newline at end of file 
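Review bot: Unlike every other rule in this commit, `ByteCode_MSIL_Ransomware_Pacman` hard-codes metadata tokens — `28 0A 00 00 06`, `6F 0D 00 00 06`, `6F 33 00 00 06`, `28 FD 01 00 06`, `7E 13 00 00 04`, `8D 76 00 00 01` and the `20 xx 0F 00 00` constants passed to `28 2F 00 00 06` (presumably string-table ids) — so MethodDef, Field and TypeRef row numbers must match exactly, which pins the rule to one compiled build; any recompilation renumbers those tables, and the `[0-2]` jumps only absorb small inserted instructions, not token changes. The fix is mechanical: wildcard the token operands as the neighbouring rules do, e.g. `28 ?? ?? ?? ?? [0-2] 6F ?? ?? ?? ?? [0-2] 6F ?? ?? ?? ??`, optionally keeping the table byte (`28 ?? ?? ?? 06`) to retain some specificity. The `D6`/`B7` overflow-checked arithmetic and the one-entry `45 01 00 00 00 F6 FF FF FF` switch tables look like VB.NET compiler output (inferred), which would be worth stating in `description` since it distinguishes this family from the C#-shaped ones. Style: the rule also omits the blank line after `strings:` and ANDs its strings in one parenthesis rather than the per-string layout used elsewhere — harmless, but inconsistent within the set.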
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara new file mode 100644 index 0000000..fb3fd68 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara 
@@ -0,0 +1,79 @@ +rule ByteCode_MSIL_Ransomware_PoliceRecords : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "POLICERECORDS" + description = "Yara rule that detects PoliceRecords ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "PoliceRecords" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 00 72 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 07 06 6F ?? ?? ?? ?? 0C 04 0D 09 18 73 ?? ?? ?? + ?? 13 ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 08 08 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? + 03 19 73 ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? D2 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? + 25 13 ?? 15 FE 01 16 FE 01 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? + ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 2A + } + + $find_files = { + 11 ?? 11 ?? 9A 13 ?? 00 00 07 11 ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E + 69 32 ?? 00 DE ?? 26 00 00 DE ?? 17 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 0C 16 13 ?? + 2B ?? 00 00 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 08 11 ?? 9A 28 ?? ?? ?? ?? 00 + 72 ?? ?? ?? ?? 08 11 ?? 9A 28 ?? ?? ?? ?? 18 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? + 00 11 ?? 17 58 13 ?? 11 ?? 08 8E 69 FE 04 13 ?? 11 ?? 2D ?? 00 00 72 ?? ?? ?? ?? 1D 28 + ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 1D 28 ?? ?? ?? ?? 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 DE ?? 7E ?? ?? + ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0D 09 72 ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 1A 6F ?? ?? + ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 16 8C + ?? ?? ?? ?? 1A 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 + ?? 72 ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 1A 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? 
?? ?? ?? 17 8C ?? ?? ?? ?? 1A 6F ?? ?? ?? ?? 00 7E ?? + ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 6F + ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? + 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 00 07 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 73 ?? ?? ?? ?? + 13 ?? 11 ?? 6F ?? ?? ?? ?? 00 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 26 2A + } + + $desktop_kill_tick = { + 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 0B 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 08 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 09 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 13 ?? 07 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 07 28 ?? ?? ?? ?? 00 + 00 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 11 ?? 28 ?? ?? ?? ?? 00 00 02 7B ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 2A + } + + $drop_ransom_note = { + 00 16 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 00 07 72 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 DE ?? 07 2C ?? + 07 6F ?? ?? ?? ?? 00 DC 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 26 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $desktop_kill_tick + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara new file mode 100644 index 0000000..f068682 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara 
@@ -0,0 +1,64 @@ +rule ByteCode_MSIL_Ransomware_Povlsomware : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "POVLSOMWARE" + description = "Yara rule that detects Povlsomware ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Povlsomware" + tc_detection_factor = 5 + + strings: + + $setup_attack = { + 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 2C ?? + 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 8E 69 80 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? + 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 7E ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 00 00 09 17 58 0D + 09 08 8E 69 32 ?? 00 38 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 + ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 1A 6F ?? ?? ?? + ?? 00 11 ?? 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? + 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 00 11 ?? 28 ?? ?? ?? ?? 00 00 DE ?? 26 00 00 + DE ?? 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC + 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 2A + } + + $find_files = { + 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 25 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? + ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 00 06 6F ?? ?? ?? ?? 0C 2B ?? + 08 6F ?? ?? ?? ?? 0D 00 7E ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 00 00 08 6F ?? ?? ?? ?? 2D ?? + DE ?? 08 2C ?? 08 6F ?? ?? ?? ?? 00 DC 02 28 ?? ?? ?? ?? 0B 00 07 13 ?? 16 13 ?? 38 ?? + ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 00 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? 
?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 16 FE 01 2B ?? 16 13 ?? 11 ?? 2C ?? 00 11 ?? 03 28 ?? ?? ?? ?? 00 00 00 + DE ?? 26 00 00 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 2A + } + + $encrypt_files = { + 00 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 06 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? 0B 07 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 00 02 02 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 17 58 80 ?? ?? ?? ?? 7E ?? ?? ?? ?? 02 6F ?? ?? ?? + ?? 00 7E ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $setup_attack + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara new file mode 100644 index 0000000..0f6fee9 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara 
@@ -0,0 +1,74 @@ +rule ByteCode_MSIL_Ransomware_Retis : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RETIS" + description = "Yara rule that detects Retis ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Retis" + tc_detection_factor = 5 + + strings: + + $search_files = { + 00 00 04 6F ?? ?? ?? ?? 0B 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 0C 00 08 28 ?? ?? ?? ?? + 0A 72 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 03 6F ?? ?? ?? + ?? 0D 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 00 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 06 72 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? + ?? 17 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? + 12 ?? 28 ?? ?? ?? ?? 13 07 00 11 ?? 73 ?? ?? ?? ?? 13 ?? 02 11 ?? 28 ?? ?? ?? ?? 16 FE + ?? 13 ?? 11 ?? 2C ?? 00 02 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 1F ?? 28 ?? ?? ?? ?? + 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? + ?? 00 00 2B ?? 00 1F ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 28 ?? ?? ?? + ?? 00 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 00 12 ?? + 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 00 DE + ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE ?? ?? ?? ?? ?? + 6F ?? ?? ?? ?? 00 DC 00 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE ?? ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 DC 2A + } + + + $search_drives = { + 00 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 00 06 0C 16 0D 2B ?? 08 09 9A 13 ?? 00 + 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 07 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 00 00 09 17 58 0D 09 08 8E 69 32 ?? 07 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 26 00 07 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? + 13 ?? 00 28 ?? ?? ?? ?? 00 72 ?? ?? ?? 
?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 00 03 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? + 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 00 72 ?? ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 00 11 ?? 72 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? + ?? 17 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 2B ?? + 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 02 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 1F ?? + 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 00 11 ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE ?? + ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 00 DE ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? + ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 00 12 ?? + 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 + DC 2A + } + + $encrypt_files = { + 00 03 19 17 73 ?? ?? ?? ?? 0A 06 6F ?? ?? ?? ?? D4 8D ?? ?? ?? ?? 0B 06 07 + 16 07 8E 69 6F ?? ?? ?? ?? 26 06 6F ?? ?? ?? ?? 00 03 18 18 73 ?? ?? ?? ?? + 0C 73 ?? ?? ?? ?? 0D 09 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 00 09 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 00 09 6F ?? ?? ?? ?? 13 ?? 08 11 ?? 17 73 ?? ?? ?? ?? 13 ?? 11 ?? 07 + 16 07 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 + 03 03 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_files and + $search_drives and + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara new file mode 100644 index 0000000..c260c5f --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara 
@@ -0,0 +1,96 @@ +rule ByteCode_MSIL_Ransomware_TaRRaK : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TARRAK" + description = "Yara rule that detects TaRRaK ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TaRRaK" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 03 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 73 ?? ?? ?? ?? 0D 09 08 28 ?? ?? ?? ?? 7D + ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? + 02 08 28 ?? ?? ?? ?? 07 17 58 0B 07 06 8E 69 32 ?? DE ?? 26 DE ?? 00 03 28 ?? ?? ?? ?? + 0A 16 0B 2B ?? 06 07 9A 13 ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 2D ?? 11 ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 02 11 ?? 28 ?? ?? ?? ?? + 07 17 58 0B 07 06 8E 69 32 ?? DE ?? 26 DE ?? 2A + } + + $encrypt_files_p2 = { + 03 8E 69 17 59 0A 06 17 2F ?? 03 2A 03 06 95 0B 16 0D 1C 1F ?? 06 17 58 5B 58 13 ?? 2B + ?? 09 20 ?? ?? ?? ?? 58 0D 09 18 64 19 5F 13 ?? 16 13 ?? 2B ?? 03 11 ?? 17 58 95 0C 03 + 11 ?? 8F ?? ?? ?? ?? 25 4B 02 09 08 07 11 ?? 11 ?? 04 28 ?? ?? ?? ?? 58 25 13 ?? 54 11 + ?? 0B 11 ?? 17 58 13 ?? 11 ?? 06 32 ?? 03 16 95 0C 03 06 8F ?? ?? ?? ?? 25 4B 02 09 08 + 07 11 ?? 11 ?? 04 28 ?? ?? ?? ?? 58 25 13 ?? 54 11 ?? 0B 16 11 ?? 25 17 59 13 ?? 32 ?? + 03 2A + } + + $encrypt_files_p3 = { + 05 1B 64 04 18 62 61 04 19 64 05 1A 62 61 58 03 04 61 0E ?? 0E ?? 19 5F 6A 0E ?? 6E 61 + D4 95 05 61 58 61 2A + } + + $encrypt_files_p4 = { + 03 8E 2D ?? 03 2A 02 02 02 03 17 28 ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 16 28 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 2A + } + + $find_files_p1 = { + 73 ?? ?? ?? ?? 25 02 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 
25 + 2D ?? 26 7E ?? ?? ?? ?? FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 80 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 2A + } + + $find_files_p2 = { + 73 ?? ?? ?? ?? 25 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 1B 28 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 25 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 1F + ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A + } + + $change_desktop = { + 1F ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 06 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 17 + 8C ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 8C ?? ?? ?? ?? 6F ?? ?? ?? ?? 1F ?? 16 + 06 19 28 ?? ?? ?? ?? 26 DE ?? 26 DE ?? 2A + } + + $drop_ransom_note = { + 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 2A 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 02 7B ?? ?? + ?? ?? 6F ?? ?? ?? ?? 0D 12 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 7E ?? ?? ?? + ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 07 06 6F ?? ?? ?? ?? 26 07 6F ?? + ?? ?? ?? 26 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? + 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 07 11 ?? 6F ?? ?? ?? ?? 26 12 ?? 28 ?? ?? ?? ?? 2D ?? + DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 07 6F ?? ?? ?? ?? 0C 02 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 02 7B ?? ?? ?? ?? 28 ?? ?? + ?? ?? 06 28 ?? ?? ?? ?? 11 ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 28 ?? ?? ?? ?? DE ?? + 26 DE ?? 11 ?? 6F ?? ?? ?? ?? 2D ?? DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? DC DE ?? 26 + DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $change_desktop + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara new file mode 100644 index 0000000..16e8461 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara 
@@ -0,0 +1,106 @@ +rule ByteCode_MSIL_Ransomware_Thanos : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "THANOS" + description = "Yara rule that detects Thanos ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Thanos" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 FE 01 2B ?? 16 00 13 ?? 11 ?? 2D ?? DD + ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 6C 7E ?? ?? ?? ?? + 28 ?? ?? ?? ?? 23 ?? ?? ?? ?? ?? ?? ?? ?? 5A 23 ?? ?? ?? ?? ?? ?? ?? ?? 5A 35 ?? 7E ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 2B ?? 17 00 13 ?? 11 ?? 2D ?? 00 06 08 + 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 2B ?? 08 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 7E ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 2B ?? 17 00 13 ?? 11 ?? 2D ?? 00 06 08 + 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 00 DE ?? 26 00 00 DE ?? 26 00 00 DE ?? 00 00 00 11 + ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 3A ?? ?? ?? ?? DE ?? 11 ?? 14 FE 01 13 ?? 11 ?? 2D ?? 11 + ?? 6F ?? ?? ?? ?? 00 DC 00 00 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 38 + ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 0D 00 07 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 2D ?? 07 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D + ?? 07 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 07 6F ?? ?? ?? + ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 07 6F ?? ?? ?? ?? 6F + } + + $find_files_p2 = { + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 07 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 16 FE 01 2B ?? 16 00 13 ?? 11 ?? 2D ?? 38 ?? ?? ?? ?? 00 00 09 72 ?? ?? ?? + ?? 17 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 0C 00 00 + 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 08 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 
6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 08 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A + } + + $find_files_p3 = { + 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 08 6F ?? ?? + ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 3A ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 00 6F + ?? ?? ?? ?? 2D ?? 08 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 6F ?? ?? ?? + ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 2D ?? 08 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 08 6F ?? ?? ?? ?? 72 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 16 FE 01 2B ?? 16 00 13 ?? 11 ?? 2D ?? DD ?? ?? ?? ?? 08 6F ?? ?? + ?? ?? 28 ?? ?? ?? ?? 2C ?? 08 6F ?? ?? ?? ?? 6C 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 23 ?? ?? + ?? ?? ?? ?? ?? ?? 5A 23 ?? ?? ?? ?? ?? ?? ?? ?? 5A 35 ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 16 FE 01 2B ?? 17 00 13 ?? 11 ?? 2D ?? 00 06 08 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 00 00 2B ?? 08 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 16 FE 01 2B ?? 17 00 13 ?? 11 ?? 2D ?? 00 06 08 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 00 00 00 DE ?? 26 00 00 DE ?? 26 00 00 DE ?? 00 00 00 11 ?? 6F ?? ?? ?? ?? 13 ?? + 11 ?? 3A ?? ?? ?? ?? DE ?? 11 ?? 14 FE 01 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 DC + 00 00 DE ?? 26 00 00 DE ?? 26 00 00 DE ?? 00 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 3A ?? + ?? ?? ?? DE ?? 11 ?? 14 FE 01 13 ?? 11 ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 00 00 DE ?? + 26 00 00 DE ?? 26 00 00 DE ?? 26 00 00 DE ?? 26 00 00 DE ?? 00 06 13 ?? 2B ?? 11 ?? 2A + } + + $encrypt_files = { + 73 ?? ?? ?? ?? 13 ?? 11 ?? 03 7D ?? ?? ?? ?? 11 ?? 04 7D ?? ?? ?? ?? 11 ?? 05 7D ?? ?? + ?? ?? 11 ?? 0E ?? 7D ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? + 80 ?? ?? ?? ?? 02 16 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 
2D ?? 00 28 + ?? ?? ?? ?? 0A 06 8E 69 16 FE 02 16 FE 01 13 ?? 11 ?? 2D ?? 00 16 0B 2B ?? 00 06 07 9A + 6F ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 2D ?? 00 7E ?? ?? ?? ?? 06 07 9A 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 13 ?? 11 ?? 2D ?? 00 7E ?? ?? ?? ?? 06 07 9A 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? + 00 00 00 00 07 17 58 0B 07 06 8E 69 FE 04 13 ?? 11 ?? 2D ?? 00 00 2B ?? 00 16 0B 2B ?? + 00 7E ?? ?? ?? ?? 02 07 9A 6F ?? ?? ?? ?? 13 ?? 11 ?? 2D ?? 00 7E ?? ?? ?? ?? 02 07 9A + 6F ?? ?? ?? ?? 00 00 00 07 17 58 0B 07 02 8E 69 FE 04 13 ?? 11 ?? 2D ?? 00 7E ?? ?? ?? + ?? 72 ?? ?? ?? ?? 00 6F ?? ?? ?? ?? 2C ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 16 FE 01 2B ?? 17 00 13 ?? 11 ?? 2D ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 00 6F ?? ?? ?? + ?? 26 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 14 0D 73 ?? ?? ?? ?? 13 + ?? 11 ?? 11 ?? 7D ?? ?? ?? ?? 11 ?? 12 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 00 7E ?? ?? ?? + ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 2D ?? 00 09 2D ?? 11 ?? FE 06 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 0D 2B ?? 09 73 ?? ?? ?? ?? 0C 08 1A 6F ?? ?? ?? ?? 00 08 16 6F + ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 00 2B ?? 00 11 ?? 7B ?? ?? ?? + ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? + 28 ?? ?? ?? ?? 00 00 00 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE + 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 00 00 2A + } + + $remote_connection = { + 00 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 19 6F ?? ?? ?? ?? + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 07 02 28 ?? ?? ?? ?? 06 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 28 ?? ?? ?? ?? 06 28 ?? ?? ?? ?? 0C DE ?? 26 00 00 DE ?? 00 7E ?? + ?? ?? ?? 0C 2B ?? 00 08 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) and + ( + $remote_connection + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara new file mode 100644 index 0000000..946b60b --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara 
@@ -0,0 +1,69 @@ +rule ByteCode_MSIL_Ransomware_TimeCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TIMECRYPT" + description = "Yara rule that detects TimeCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TimeCrypt" + tc_detection_factor = 5 + + strings: + + $find_files = { + 7E ?? ?? ?? ?? 0A 16 0B 38 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 08 06 07 9A 7D ?? ?? ?? ?? 73 + ?? ?? ?? ?? 0D 09 08 7D ?? ?? ?? ?? 09 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 09 + 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? + ?? ?? ?? 09 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 7B ?? ?? + ?? ?? 72 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 7B ?? ?? ?? ?? 7B ?? ?? ?? ?? + 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 2B ?? 09 7B ?? ?? ?? ?? 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 2C ?? 1B 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 2B ?? 1F ?? 28 ?? ?? ?? ?? 73 + ?? ?? ?? ?? 13 ?? 11 ?? 2D ?? 2A 11 ?? 6F ?? ?? ?? ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 26 11 ?? 6F ?? ?? ?? ?? 09 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 26 07 17 58 0B 07 06 8E 69 3F ?? ?? ?? ?? 2A + } + + $encrypt_files = { + 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2D ?? 73 ?? ?? ?? ?? 0A 06 03 6F ?? ?? ?? ?? 06 02 6F + ?? ?? ?? ?? 26 06 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 06 2C ?? 06 6F + ?? ?? ?? ?? DC 02 17 28 ?? ?? ?? ?? DE ?? 26 DE ?? 2A + } + + $send_http_request = { + 1C 8D ?? ?? ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 02 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 + 03 A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 04 28 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? + ?? 25 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? 
?? ?? ?? 06 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 26 DE ?? 26 DE ?? 2A + } + + $send_dns_request = { + 1C 8D ?? ?? ?? ?? 25 16 04 28 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 03 A2 25 19 + 72 ?? ?? ?? ?? A2 25 1A 02 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? + 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 26 DE ?? 26 DE ?? 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $send_http_request + ) and + ( + $send_dns_request + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara new file mode 100644 index 0000000..a28c626 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara 
@@ -0,0 +1,75 @@ +rule ByteCode_MSIL_Ransomware_TimeTime : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TIMETIME" + description = "Yara rule that detects TimeTime ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TimeTime" + tc_detection_factor = 5 + + strings: + + $rename_files = { + 00 00 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 2B ?? 12 ?? 28 ?? ?? ?? ?? 0B 00 07 28 ?? ?? ?? + ?? 16 FE 01 0C 08 2C ?? 2B ?? 00 00 07 07 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 00 00 DE ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 00 DC 2A + } + + $find_files = { + 00 73 ?? ?? ?? ?? 0A 00 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 07 2C ?? 06 0C DD ?? ?? ?? + ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0D 09 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C + ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? + ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DD ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 06 0C DE ?? 00 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 + ?? 11 ?? 9A 13 ?? 00 06 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 + 32 ?? 00 02 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 00 06 11 ?? 28 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 DE ?? 13 ?? + 00 00 DE ?? 06 0C 2B ?? 08 2A + } + + $encrypt_folder = { + 00 02 28 ?? ?? ?? ?? 0A 00 06 6F ?? ?? ?? ?? 0B 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 0C + 00 00 08 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 FE 01 0D 09 2C ?? 00 16 13 ?? 16 13 ?? 08 73 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 
8C ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 08 19 + 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 00 DE ?? + 11 ?? 2C ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 11 ?? 16 FE 01 11 ?? 5F 11 ?? 5F 13 ?? 11 ?? 2C + ?? 00 08 28 ?? ?? ?? ?? 00 00 00 00 DE ?? 26 00 00 DE ?? 00 12 ?? 28 ?? ?? ?? ?? 3A ?? + ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 2A + } + + $encrypt_files = { + 00 02 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 08 2C ?? 38 ?? ?? ?? ?? 02 7E ?? ?? ?? ?? 6F ?? + ?? ?? ?? 0D 09 2C ?? 2B ?? 02 28 ?? ?? ?? ?? 0A 06 8E 69 8D ?? ?? ?? ?? 0B 16 13 ?? 2B + ?? 00 06 11 ?? 91 13 ?? 11 ?? 17 58 D1 13 ?? 11 ?? D2 13 ?? 07 11 ?? 11 ?? 9C 00 11 ?? + 17 58 13 ?? 11 ?? 07 8E 69 FE 04 13 ?? 11 ?? 2D ?? 02 07 28 ?? ?? ?? ?? 00 02 02 7E ?? + ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 02 28 ?? ?? ?? ?? 00 02 28 ?? ?? ?? ?? 00 7E + ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 00 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $encrypt_folder + ) and + ( + $rename_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara new file mode 100644 index 0000000..cb0ab17 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara 
@@ -0,0 +1,68 @@ +rule ByteCode_MSIL_Ransomware_Venom : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "VENOM" + description = "Yara rule that detects Venom ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Venom" + tc_detection_factor = 5 + + strings: + + $setup_env = { + 00 28 ?? ?? ?? ?? 0A 73 ?? ?? ?? ?? 0B 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1B + 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 07 1F ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 07 6F ?? ?? + ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 00 06 11 ?? 28 ?? ?? ?? ?? 00 00 12 ?? 28 + ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 DC 72 ?? ?? ?? ?? 1F + ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 1F ?? + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 1F ?? 28 ?? ?? ?? ?? 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? + ?? 28 ?? ?? ?? ?? 0C 72 ?? ?? ?? ?? 20 ?? ?? ?? ?? 19 7E ?? ?? ?? ?? 19 16 7E ?? ?? ?? + ?? 28 ?? ?? ?? ?? 0D 09 08 20 ?? ?? ?? ?? 12 ?? 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 17 28 + ?? ?? ?? ?? 00 2A + } + + $find_files = { + 00 00 00 03 28 ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 00 00 08 72 ?? ?? ?? ?? 6F ?? ?? + ?? ?? 16 FE 01 0D 09 2C ?? 00 08 02 28 ?? ?? ?? ?? 00 00 00 DE ?? 26 00 00 DE ?? 00 07 + 17 58 0B 07 06 8E 69 32 ?? 00 03 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 + ?? 00 11 ?? 02 28 ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 00 DE ?? + 26 00 00 DE ?? 2A + } + + $encrypt_files = { + 00 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 0B 02 72 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 18 73 ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 09 20 ?? ?? ?? ?? 
6F ?? ?? ?? ?? 00 09 20 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 00 09 18 6F ?? ?? ?? ?? 00 07 06 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? + 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F + ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 17 6F ?? ?? ?? ?? 00 08 06 16 06 + 8E 69 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 02 19 73 ?? ?? ?? + ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 00 2B ?? 00 11 ?? 11 ?? 16 11 ?? 6F ?? ?? + ?? ?? 00 00 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 25 13 ?? 16 FE 02 13 ?? 11 ?? 2D + ?? 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 + DE ?? DE ?? 00 11 ?? 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ?? 00 00 02 28 ?? ?? ?? ?? 00 00 + DE ?? 26 00 00 DE ?? 00 DC 2A + } + + condition: + uint16(0) == 0x5A4D and + ( + $setup_env + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara new file mode 100644 index 0000000..84f7134 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara 
@@ -0,0 +1,77 @@ +rule ByteCode_MSIL_Ransomware_WildFire : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WILDFIRE" + description = "Yara rule that detects WildFire ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "WildFire" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 00 02 19 17 73 ?? ?? ?? ?? 0A 1B 8D ?? ?? ?? ?? 25 16 02 16 02 [5-10] 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? A2 25 17 [5-10] A2 25 18 7E ?? ?? ?? ?? A2 25 19 [5-10] A2 25 1A 02 02 + [5-10] 6F ?? ?? ?? ?? 17 D6 6F ?? ?? ?? ?? A2 28 ?? ?? ?? ?? 0B 07 [5-10] 28 ?? ?? ?? + ?? 1A 18 73 ?? ?? ?? ?? 0C 08 21 00 00 00 00 00 00 00 00 6F ?? ?? ?? ?? 20 ?? ?? ?? ?? + 8D ?? ?? ?? ?? 0D 21 00 00 00 00 00 00 00 00 13 ?? 06 6F ?? ?? ?? ?? 13 ?? 73 ?? ?? ?? + ?? 13 ?? 08 11 ?? 7E ?? ?? ?? ?? 7E ?? ?? ?? ?? 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? + 2B ?? 06 09 16 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 09 16 11 ?? 6F ?? ?? ?? ?? 11 + ?? 11 ?? 6A D6 13 ?? 11 ?? 11 ?? FE ?? 2D ?? 11 ?? 6F ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 08 + 6F ?? ?? ?? ?? 7E ?? ?? ?? ?? 17 D6 80 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? DE ?? 28 ?? ?? ?? + ?? 28 ?? ?? ?? ?? DE ?? 2A + } + + $enum_drives = { + 00 00 28 ?? ?? ?? ?? 1F ?? 0A 18 0C 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 19 0C 28 ?? ?? ?? ?? 0D 1A + 0C 09 13 ?? 16 13 ?? 11 ?? 11 ?? 8E 69 FE ?? 2C ?? 11 ?? 11 ?? 9A 13 ?? 1B 0C 11 ?? + 6F ?? ?? ?? ?? 2C ?? 1C 0C 11 ?? 6F ?? ?? ?? ?? 19 FE ?? 16 FE ?? 65 18 60 1A 60 11 + ?? 6F ?? ?? ?? ?? 21 ?? ?? ?? ?? ?? ?? ?? ?? FE ?? 16 FE ?? 65 5F 16 FE ?? 2C ?? 1D + 0C 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 1E 0C 11 ?? 6F ?? ?? ?? ?? + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 1F ?? 0C 11 ?? 17 D6 13 ?? 2B + } + + $file_search = { + A2 25 20 ?? ?? ?? ?? [5-10] A2 25 20 ?? ?? ?? ?? [5-10] A2 25 20 ?? ?? ?? ?? [5-10] + A2 25 20 ?? ?? ?? ?? 
[5-10] A2 25 20 ?? ?? ?? ?? [5-10] A2 0D 19 0C 19 8D ?? ?? ?? ?? + 25 16 [5-10] A2 25 17 [5-10] A2 25 18 [5-10] A2 13 04 1A 0C 02 28 ?? ?? ?? ?? 13 ?? 1B + 0C 11 ?? 8E 69 17 DA 13 ?? 16 13 ?? 11 ?? 11 ?? (30 | 3D) [1-4] 1C 0C 11 ?? 11 ?? 9A 28 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 1D 0C 09 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 9A [5-10] 6F + ?? ?? ?? ?? 16 FE ?? 5F 11 ?? 11 ?? 9A 1F ?? 28 ?? ?? ?? ?? [5-10] 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 16 FE ?? 5F 11 ?? [5-10] 16 28 ?? ?? ?? ?? 16 FE ?? 5F 2C ?? 1E 0C 11 ?? 11 ?? + 9A 28 ?? ?? ?? ?? 1F ?? 0C 11 ?? 17 D6 13 ?? (38 | 2B) [1-4] 1F ?? 0C 02 28 ?? ?? ?? ?? + 13 ?? 1F ?? 0C 11 ?? 8E 69 17 DA 13 ?? 16 13 ?? 11 ?? 11 ?? 30 ?? 1F ?? 0C 11 ?? 11 ?? + 11 ?? 9A 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 FE ?? 2C ?? 1F ?? 0C 11 ?? 11 ?? 9A 28 ?? ?? + ?? ?? 1F ?? 0C 11 ?? 17 D6 13 ?? 2B ?? 1F ?? 0C 02 17 8D ?? ?? ?? ?? 25 16 1F ?? 9D 6F + ?? ?? ?? ?? 8E 69 17 DA 18 FE ?? 16 FE ?? 2C ?? 1F ?? 0C 02 16 28 ?? ?? ?? ?? DD ?? ?? + ?? ?? 07 17 58 16 0B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? DE + } + + $remote_server_communication_1 = { + 00 7E ?? ?? ?? ?? 73 ?? ?? ?? ?? 16 7E ?? ?? ?? ?? 8E 69 6F ?? ?? ?? ?? 9A [5-10] 28 ?? + ?? ?? ?? 0B 02 [5-10] 16 28 ?? ?? ?? ?? 16 FE ?? 3A ?? ?? ?? ?? 02 [5-10] 16 28 ?? ?? ?? + ?? 16 FE ?? 39 ?? ?? ?? ?? 1D 8D ?? ?? ?? ?? 25 16 [5-10] A2 25 17 02 A2 25 18 [5-10] A2 + 25 19 7E ?? ?? ?? ?? A2 25 1A [5-10] A2 25 1B 7E ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 25 1C [5-10] + A2 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? + [5-10] 11 ?? 28 ?? ?? ?? ?? 13 ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 07 + 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 13 ?? 11 ?? [5-10] 6F ?? ?? ?? ?? 11 ?? [5-10] 6F ?? ?? ?? ?? + 11 ?? 11 ?? 8E 69 6A 6F ?? ?? ?? ?? 11 ?? 6F ?? 
?? ?? ?? 16 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? + ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? + 74 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 + } + + condition: + uint16(0) == 0x5A4D and $enum_drives and $file_search and $encrypt_files and $remote_server_communication_1 +} \ No newline at end of file diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara new file mode 100644 index 0000000..3e6b037 --- /dev/null +++ b/yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara 
@@ -0,0 +1,69 @@
+rule ByteCode_MSIL_Ransomware_WormLocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "WORMLOCKER"
+ description = "Yara rule that detects WormLocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "WormLocker"
+ tc_detection_factor = 5
+
+ strings:
+
+ $set_environment = {
+ 73 ?? ?? ?? ?? 0A 06 02 7D ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 0B 72 ?? ?? ?? ?? 28 ?? ??
+ ?? ?? 0C 08 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 02 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 73 ?? ??
+ ?? ?? 28 ?? ?? ?? ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 72 ??
+ ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 00 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ??
+ ?? ?? 28 ?? ?? ?? ?? 00 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ??
+ 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ??
+ ?? ?? 6F ?? ?? ?? ?? 00 06 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 20 ?? ?? ??
+ ?? 6F ?? ?? ?? ?? 00 13 ?? 11 ?? 06 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00
+ 11 ?? 17 6F ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 2A
+ }
+
+ $find_files = {
+ 00 28 ?? ?? ?? ?? 00 16 28 ?? ?? ?? ?? 0A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 72 ?? ??
+ ?? ?? 28 ?? ?? ?? ?? 0C 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ??
+ ?? 0D 08 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 73 ?? ??
+ ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 00 11 ?? 09 11 ?? 9A 11 ?? 6F ?? ?? ??
+ ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 09 8E 69 FE 04 13 ?? 11 ?? 2D ?? 16 13 ?? 2B ?? 00 11
+ ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04
+ 13 ?? 11 ?? 2D ?? 2A
+ }
+
+ $encrypt_files_p1 = {
+ 00 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 00 73
+ ?? ?? ?? ?? 0D 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ??
+ 00 03 07 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ??
+ ?? ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ??
+ 00 09 17 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 02 16
+ 02 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 DE ?? 11 ?? 2C ?? 11 ?? 6F ?? ??
+ ?? ?? 00 DC 08 6F ?? ?? ?? ?? 0A 00 DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? 00 DC 00 DE ?? 08
+ 2C ?? 08 6F ?? ?? ?? ?? 00 DC 06 13 ?? 2B ?? 11 ?? 2A
+ }
+
+ $encrypt_files_p2 = {
+ 00 03 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 07 6F ?? ??
+ ?? ?? 0B 06 07 28 ?? ?? ?? ?? 0C 03 0D 09 08 28 ?? ?? ?? ?? 00 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $set_environment
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara b/yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara
new file mode 100644
index 0000000..419b13a
--- /dev/null
+++ b/yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara
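Review bot: `$encrypt_files_p1` is the same method body as `$encrypt_files` in the CobraLocker rule added later in this patch, differing only in branch encoding (short-form `2B`/`2C`/`DE` here against long-form `38`/`39`/`3A`/`DD` there), and `$find_files` follows the same `ldstr` (`72`) / `call` (`28`) pairs and indexed loops; the two rules describe one shared codebase rather than two independent families, and which one fires on a given sample presumably depends on how that sample was compiled. A comment above `strings:` such as `// NOTE: shares its encryption/search method bodies with Bytecode_MSIL_Ransomware_CobraLocker; a hit on only one rule is not family attribution` would keep analysts from over-reading a single match. The file is also committed without a trailing newline, as are the other rule files in this patch.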
@@ -0,0 +1,70 @@
+rule ByteCode_MSIL_Ransomware_ZeroLocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "ZEROLOCKER"
+ description = "Yara rule that detects ZeroLocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "ZeroLocker"
+ tc_detection_factor = 5
+
+ strings:
+ $encrypt_routine_1 = {
+ 00 28 5B 00 00 0A 20 ?? 07 00 00 28 60 00 00 06 13 09 20 ?? 07 00 00 28 60 00 00 06 13
+ 0B 02 03 20 ?? 07 00 00 28 60 00 00 06 20 ?? 07 00 00 28 60 00 00 06 73 ?? 00 00 0A 7D
+ 1B 00 00 04 20 ?? 07 00 00 28 60 00 00 06 13 0B 02 04 20 ?? 07 00 00 28 60 00 00 06 20
+ ?? 07 00 00 28 60 00 00 06 73 ?? 00 00 0A 7D 1C 00 00 04 20 ?? 07 00 00 28 60 00 00 06
+ 13 0B 02 7B 1C 00 00 04 20 ?? 07 00 00 28 60 00 00 06 6A 6F ?? 00 00 0A 00 20 ?? 07 00
+ 00 28 60 00 00 06 13 0B 20 ?? 07 00 00 28 60 00 00 06 8D 1E 00 00 01 0A 20 ?? 07 00 00
+ 28 60 00 00 06 13 0B 20 ?? 07 00 00 28 60 00 00 06 6A 13 04 20 ?? 07 00 00 28 60 00 00
+ 06 13 0B 02 7B 1B 00 00 04 6F ?? 00 00 0A [0-2] 13 05 20 ?? 07 00 00 28 60 00 00 06 13
+ 0B 73 ?? 00 00 0A 0C 20 ?? 07 00 00 28 60 00 00 06 13 0B 00 0E 05 20 ?? 07 00 00 28 60
+ 00 00 06 59 13 0C 11 0C 45 02 00 00 00 02 00 00 00 ?? 00 00 00 2B ?? 00 20 ?? 07 00 00
+ 28 60 00 00 06 13 0B 02 7B 1C 00 00 04 08 05 0E 04 6F ?? 00 00 0A [0-2] 20 ?? 07 00 00
+ 28 60 00 00 06 73 ?? 00 00 0A 0B 2B ?? 00 20 ?? 07 00 00 28 60 00 00 06 13 0B 02 7B 1C
+ 00 00 04 08 05 0E 04 6F ?? 00 00 0A [0-2] 20 ?? 07 00 00 28 60 00 00 06 73 ?? 00 00 0A
+ 0B 00 2B 62 20 ?? 07 00 00 28 60 00 00 06 13 0B 02 7B 1B 00 00 04 06 20 ?? 07 00 00 28
+ 60 00 00 06 20 ?? 07 00 00 28 60 00 00 06 6F ?? 00 00 0A [0-2] 0D 20 ?? 07 00 00 28 60
+ }
+
+ $encrypt_routine_2 = {
+ 00 00 06 13 0B 07 06 20 ?? 07 00 00 28 60 00 00 06 09 6F ?? 00 00 0A 00 20 ?? 07 00 00
+ 28 60 00 00 06 13 0B 11 04 09 6A D6 13 04 00 20 ?? 07 00 00 28 60 00 00 06 13 0B 11 04
+ 11 05 FE 04 13 0D 11 0D 2D 86 ?? 45 01 00 00 00 F6 FF FF FF 17 2D 06 D0 4F 00 00 06 26
+ 20 ?? 07 00 00 28 60 00 00 06 13 0B 07 6F ?? 00 00 0A 00 20 ?? 07 00 00 28 60 00 00 06
+ 13 0B 02 7B 1B 00 00 04 6F ?? 00 00 0A 00 20 ?? 07 00 00 28 60 00 00 06 13 0B 02 7B 1C
+ 00 00 04 6F ?? 00 00 0A 00 20 ?? 07 00 00 28 60 00 00 06 13 0B 0E 05 20 ?? 07 00 00 28
+ 60 00 00 06 FE 01 13 0D 11 0D 2C 32 ?? 45 01 00 00 00 F6 FF FF FF 20 ?? 07 00 00 28 60
+ 00 00 06 13 0B 03 73 ?? 00 00 0A 13 06 20 ?? 07 00 00 28 60 00 00 06 13 0B 11 06 6F ??
+ 00 00 0A 00 00 20 ?? 07 00 00 28 60 00 00 06 13 0B 0E 05 20 ?? 07 00 00 28 60 00 00 06
+ FE 01 13 0D 11 0D 2C ?? [0-20] 20 ?? 07 00 00 28 60 00 00 06 13 0B 03 73 ?? 00 00 0A 13
+ 07 20 ?? 07 00 00 28 60 00 00 06 13 0B 11 07 6F ?? 00 00 0A 00 00 20 ?? ?? 00 00 28 60
+ 00 00 06 13 0B 02 7B 1B 00 00 04 6F ?? 00 00 0A 00 20 ?? ?? 00 00 28 60 00 00 06 13 0B
+ 02 7B 1C 00 00 04 6F ?? 00 00 0A 00 DD 3B 01 00 00 11 0A 2B 0D 11 0A 20 ?? ?? 00 00 28
+ }
+
+ $encrypt_routine_3 = {
+ 60 00 00 06 58 20 ?? 08 00 00 28 60 00 00 06 13 0A 45 26 00 00 00 00 00 00 00 ?? FC FF
+ FF ?? FC FF FF ?? FC FF FF ?? FC FF FF ?? FC FF FF ?? FC FF FF ?? FC FF FF ?? ?? FF FF
+ ?? FD FF FF ?? FD FF FF ?? FD FF FF 00 00 00 00 ?? FD FF FF ?? FD FF FF ?? FD FF FF ??
+ FD FF FF ?? FD FF FF ?? FD FF FF ?? ?? FF FF ?? FD FF FF ?? FD FF FF ?? FD FF FF ?? ??
+ FF FF ?? FE FF FF ?? FE FF FF ?? FE FF FF ?? FE FF FF ?? FE FF FF ?? FE FF FF ?? FE FF
+ FF ?? FE FF FF E8 FE FF FF FC FE FF FF 10 FF FF FF 11 FF FF FF 29 FF FF FF 41 FF FF FF
+ DE 6D 11 0B 13 0A 11 09 20 ?? 08 00 00 28 60 00 00 06 30 16 ?? 45 01 00 00 00 F6 FF FF
+ FF 20 ?? 08 00 00 28 60 00 00 06 2B 02 11 09 45 02 00 00 00 00 00 00 00 11 FF FF FF DE
+ 34 75 4B 00 00 01 14 FE 03 11 09 20 ?? 08 00 00 28 60 00 00 06 FE 03 5F 11 0A 20 ?? 08
+ 00 00 28 60 00 00 06 FE 01 5F FE 11 74 4B 00 00 01 28 57 00 00 0A DE 93 20 ?? 08 00 00
+ 28 60 00 00 06 28 ?? 00 00 0A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ ($encrypt_routine_1 and $encrypt_routine_2 and $encrypt_routine_3)
+}
\ No newline at end of file
diff --git a/yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara b/yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara
new file mode 100644
index 0000000..9824975
--- /dev/null
+++ b/yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara
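Review bot: The three `$encrypt_routine_*` strings hard-code metadata tokens — `28 60 00 00 06` on every call, `7D 1B 00 00 04` / `7D 1C 00 00 04` for the field stores, `8D 1E 00 00 01` and `75 4B 00 00 01` for the type references — where every other MSIL rule in this patch wildcards the four token bytes as `?? ?? ?? ??`. Tokens are assigned per compilation, so this rule is pinned to a single build and a recompiled or re-obfuscated sample with identical logic would not match; wildcarding the token operands while keeping the opcode sequence would make it as build-tolerant as its siblings. If the fixed tokens are deliberate, a comment such as `// tokens left fixed on purpose: matches one known build only` would stop a later maintainer from "correcting" them.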
@@ -0,0 +1,59 @@
+rule Bytecode_MSIL_Ransomware_CobraLocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "COBRALOCKER"
+ description = "Yara rule that detects CobraLocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "CobraLocker"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files = {
+ 14 0A 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 00 73 ??
+ ?? ?? ?? 0D 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 09 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00
+ 03 07 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ??
+ ?? 6F ?? ?? ?? ?? 00 09 11 ?? 09 6F ?? ?? ?? ?? 1E 5B 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00
+ 09 17 6F ?? ?? ?? ?? 00 08 09 6F ?? ?? ?? ?? 17 73 ?? ?? ?? ?? 13 ?? 00 11 ?? 02 16 02
+ 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 00 DD ?? ?? ?? ?? 11 ?? 38 ?? ?? ?? ??
+ 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 00 DC 08 6F ?? ?? ?? ?? 0A 00 DD ??
+ ?? ?? ?? 09 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 09 6F ?? ?? ?? ?? 00 DC 00 DD
+ ?? ?? ?? ?? 08 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 39 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 00 DC 06
+ 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 11 ?? 2A
+ }
+
+ $find_files = {
+ 16 28 ?? ?? ?? ?? 0A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ??
+ 0C 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0D 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 06 72 ??
+ ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 08 72 ?? ?? ?? ?? 28 ??
+ ?? ?? ?? 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 09 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ??
+ ?? ?? ?? 16 28 ?? ?? ?? ?? 13 ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 17
+ 28 ?? ?? ?? ?? 13 ?? 73 ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ??
+ 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69
+ FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ??
+ ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ??
+ ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ?? 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11
+ ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 00 11 ?? 11 ?? 11 ?? 9A 11 ??
+ 6F ?? ?? ?? ?? 00 00 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 FE 04 13 ?? 11 ?? 38 ?? ?? ??
+ ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ?? 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ??
+ 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ?? ?? ?? 3A ?? ?? ?? ?? 16 13 ?? 38 ?? ?? ?? ?? 38 ?? ??
+ ?? ?? 3A ?? ?? ?? ?? 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Linux.Ransomware.GwisinLocker.yara b/yara/ransomware/Linux.Ransomware.GwisinLocker.yara
new file mode 100644
index 0000000..07722c0
--- /dev/null
+++ b/yara/ransomware/Linux.Ransomware.GwisinLocker.yara
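Review bot: The file and rule are named `Bytecode.MSIL.Ransomware.CobraLocker.yara` / `Bytecode_MSIL_Ransomware_CobraLocker`, while every other MSIL rule in this patch spells the prefix `ByteCode`; the odd casing breaks any glob- or prefix-based selection of the MSIL rules and makes this rule's name stand out in match output. Renaming the file to `ByteCode.MSIL.Ransomware.CobraLocker.yara` and the rule to `rule ByteCode_MSIL_Ransomware_CobraLocker : tc_detection malicious` would align it with its siblings. Its `$encrypt_files` body is the long-branch form of the WormLocker rule's `$encrypt_files_p1`; the overlap is noted on that rule.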
@@ -0,0 +1,354 @@ +rule Linux_Ransomware_GwisinLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GWISINLOCKER" + description = "Yara rule that detects GwisinLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GwisinLocker" + tc_detection_factor = 5 + + strings: + + $init_key_v1 = { + 55 57 56 53 E8 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 8D 74 24 ?? 56 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 31 FF 83 EC ?? 56 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 89 + F8 5B 5E 5F 5D C3 66 90 31 D2 31 C0 89 54 04 ?? 83 C0 ?? 83 F8 ?? 72 ?? 83 EC ?? 8D + 83 ?? ?? ?? ?? 50 8D 83 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 C5 8D 7C 24 ?? 85 + C0 74 ?? 50 6A ?? 6A ?? 57 E8 ?? ?? ?? ?? 89 2C 24 E8 ?? ?? ?? ?? 83 C4 ?? 83 EC ?? + 6A ?? 57 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? C7 04 24 ?? ?? ?? ?? 83 EC ?? 8D 44 + 24 ?? 50 FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 6A ?? FF B3 + ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 56 FF B3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 + 0F 94 C0 0F B6 C0 89 C7 E9 + } + + $encrypt_files_v1_p1 = { + 55 B9 ?? ?? ?? ?? 57 56 53 E8 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 8B 84 + 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 8D 44 24 ?? 83 EC ?? 89 44 24 ?? 89 + C7 31 C0 F3 AB C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 6A ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 84 24 ?? ?? ?? ?? 89 44 + 24 ?? 8D 84 24 ?? ?? ?? ?? 89 44 24 ?? 31 FF 83 EC ?? 68 ?? ?? ?? ?? FF 74 24 ?? E8 + ?? ?? ?? ?? 58 5A 6A ?? FF 74 24 ?? E8 ?? ?? ?? ?? 59 5E 6A ?? FF 74 24 ?? E8 ?? ?? + ?? ?? 81 C4 ?? ?? ?? ?? 89 F8 5B 5E 5F 5D C3 8D 74 26 ?? 90 83 EC ?? 6A ?? 8D 84 24 + ?? ?? ?? ?? 89 44 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D B4 24 ?? ?? ?? ?? 89 74 24 ?? + 85 C0 74 ?? 83 EC ?? 6A ?? 
FF 74 24 ?? 56 E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? 59 5E 50 + 89 C5 FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? 89 C6 83 C4 ?? 85 C0 0F 84 ?? + ?? ?? ?? 83 EC ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 89 C7 FF B4 24 ?? + ?? ?? ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 01 FA 89 D0 8B 54 + 24 ?? 89 10 0F B7 54 24 ?? 66 89 50 ?? 0F B6 54 24 ?? 88 50 ?? 8B 94 24 ?? ?? ?? ?? + C6 44 3A ?? ?? BF ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? + ?? ?? ?? B9 ?? ?? ?? ?? 83 C4 ?? 39 C1 B9 ?? ?? ?? ?? 19 D1 7D ?? 83 EC ?? FF B4 24 + ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 83 EC ?? FF 74 + 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D 74 26 ?? 90 83 EC ?? 56 E8 ?? ?? ?? + ?? 58 5A 55 FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? 89 C6 83 C4 ?? 85 C0 0F + } + + $encrypt_files_v1_p2 = { + 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 8B 74 24 + ?? 8B 7C 24 ?? 89 D1 89 74 24 ?? 89 7C 24 ?? 83 C4 ?? 39 F0 19 F9 7D ?? 89 44 24 ?? + 89 54 24 ?? 8B 7C 24 ?? 8B 74 24 ?? 89 F9 89 F5 C1 F9 ?? 89 C8 89 4C 24 ?? 31 CD 8B + 74 24 ?? C1 F8 ?? 89 44 24 ?? 89 E8 29 F0 8B 74 24 ?? 89 C7 83 E7 ?? 31 CF 89 F8 8B + 7C 24 ?? 29 F0 8B 74 24 ?? 89 FA 19 FA 8B 7C 24 ?? 29 C6 89 74 24 ?? 19 D7 83 EC ?? + 89 7C 24 ?? 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? + B9 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 31 C0 F3 AB 89 94 24 ?? ?? ?? ?? 56 6A ?? FF 74 + 24 ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 C7 85 C0 0F 84 ?? ?? ?? ?? 83 + EC ?? FF 74 24 ?? E8 ?? ?? ?? ?? 5F 5D FF B4 24 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 89 C7 85 C0 0F 84 ?? ?? ?? ?? 8B B4 24 ?? ?? ?? ?? 8B 54 24 ?? 31 FF 8B 44 24 ?? + 89 7C 24 ?? 89 74 24 ?? 8D 74 24 ?? 89 D7 89 74 24 ?? 8D B3 ?? ?? ?? ?? 09 C7 89 74 + } + + $encrypt_files_v1_p3 = { + 24 ?? 0F 84 ?? ?? ?? ?? 8B 4C 24 ?? 8B 6C 24 ?? 89 4C 24 ?? EB ?? 66 90 83 EC ?? 31 + ED FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 
FF 74 24 ?? FF 74 + 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 31 D2 6A ?? 8B 84 24 ?? ?? ?? ?? 52 F7 D8 + 50 57 E8 ?? ?? ?? ?? 57 FF B4 24 ?? ?? ?? ?? 6A ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 44 24 ?? 8B BC 24 ?? ?? ?? ?? 8B 54 24 ?? 29 F8 19 EA 89 44 24 ?? 89 D6 89 54 + 24 ?? 83 C4 ?? 09 C6 74 ?? 39 84 24 ?? ?? ?? ?? 89 E9 8B 7C 24 ?? 19 D1 0F 4C 84 24 + ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? + ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 57 + FF B4 24 ?? ?? ?? ?? 6A ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 39 84 24 ?? + ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 EC ?? BF ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 + ?? E9 ?? ?? ?? ?? 83 EC ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? E9 + } + + $find_files_v1_p1 = { + 55 89 C5 57 E8 ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 56 53 81 EC ?? ?? ?? ?? 89 54 24 ?? 8B + B4 24 ?? ?? ?? ?? 89 7C 24 ?? 89 FB 89 4C 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 85 C0 74 ?? 8D 58 ?? 80 7C 05 ?? ?? 0F 45 D8 89 5C 24 ?? + 8B BC 24 ?? ?? ?? ?? 83 E7 ?? 74 ?? 83 EC ?? 8D 44 24 ?? 89 44 24 ?? 50 55 6A ?? 8B + 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 5C 24 ?? E8 ?? ?? ?? ?? 8B 00 83 F8 + ?? 0F 85 ?? ?? ?? ?? BF ?? ?? ?? ?? C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 8D + B4 26 ?? ?? ?? ?? 66 90 83 EC ?? 8D 44 24 ?? 89 44 24 ?? 50 55 6A ?? 8B 5C 24 ?? E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 78 ?? 8B 84 24 ?? ?? ?? ?? 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? C6 44 24 ?? ?? 31 FF C7 44 24 ?? + ?? ?? ?? ?? 8B 54 24 ?? 8B 44 24 ?? F6 84 24 ?? ?? ?? ?? ?? 74 ?? 85 F6 0F 84 ?? ?? + ?? ?? 8B 4E ?? 8B 5E ?? 31 D1 31 C3 09 CB 0F 84 ?? ?? ?? ?? 31 FF 81 C4 ?? ?? ?? ?? + 89 F8 5B 5E 5F 5D C3 8D 74 26 ?? 90 8B 5C 24 ?? E8 ?? ?? ?? ?? 89 C7 8B 00 83 F8 ?? + 0F 85 ?? ?? ?? ?? 83 EC ?? FF 74 24 ?? 55 6A ?? 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 0F 85 ?? ?? ?? ?? BF ?? ?? ?? ?? 
C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8D 74 26 ?? 90 89 54 24 ?? 8B 94 24 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? + ?? ?? 89 74 24 ?? 89 44 24 ?? 89 54 24 ?? 85 F6 0F 84 ?? ?? ?? ?? 8B 46 ?? 8B 4C 24 + ?? 83 C0 ?? 83 C1 ?? 89 44 24 ?? 89 44 24 ?? 8B 46 ?? 89 4C 24 ?? 89 4C 24 ?? 89 44 + } + + $find_files_v1_p2 = { + 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 8B + 84 24 ?? ?? ?? ?? 83 E0 ?? 89 44 24 ?? 75 ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 74 24 ?? + 55 8B 44 24 ?? FF D0 89 C7 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 85 F6 74 ?? 8B 84 24 ?? + ?? ?? ?? 8B 5C 24 ?? 89 6C 24 ?? 8B 4C 24 ?? 8B BC 24 ?? ?? ?? ?? 89 C5 EB ?? 8D B6 + ?? ?? ?? ?? 8B 36 85 F6 74 ?? 8B 46 ?? 8B 56 ?? 31 D8 31 CA 09 C2 75 ?? 8B 46 ?? 8B + 56 ?? 31 E8 31 FA 09 C2 0F 84 ?? ?? ?? ?? 8B 36 85 F6 75 ?? 8B 6C 24 ?? 8B 7C 24 ?? + 85 FF 74 ?? 80 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? 8B 44 24 ?? C6 44 05 ?? ?? 8B 44 24 ?? + 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 74 24 ?? 55 8B 44 24 ?? FF D0 + 83 C4 ?? 89 C7 81 C4 ?? ?? ?? ?? 89 F8 5B 5E 5F 5D C3 66 90 83 EC ?? 6A ?? 55 8B 5C + 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 89 44 24 ?? 89 C7 E8 ?? ?? ?? ?? 8B 00 89 44 24 ?? + 83 C4 ?? 85 FF 79 ?? 83 F8 ?? 0F B6 4C 24 ?? BA ?? ?? ?? ?? 0F 94 C0 84 C0 B8 ?? ?? + ?? ?? 0F 44 44 24 ?? 0F 45 CA 89 44 24 ?? 88 4C 24 ?? 8B 44 24 ?? 85 C0 0F 85 ?? ?? + ?? ?? 83 EC ?? FF 74 24 ?? 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D B4 + 26 ?? ?? ?? ?? 8D 76 ?? 89 54 24 ?? 8B 94 24 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 54 24 ?? 8B 44 24 ?? C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 48 ?? 89 4C 24 ?? 89 4C 24 ?? 85 C0 74 ?? 80 7C 05 + ?? ?? 74 ?? E9 ?? ?? ?? ?? 8D 76 ?? 80 7C 05 ?? ?? 0F 85 ?? ?? ?? ?? 83 E8 ?? 75 ?? + 31 D2 89 54 24 ?? E9 ?? ?? ?? ?? 8D 74 26 ?? 90 89 54 24 ?? 8B 94 24 ?? ?? ?? ?? 89 + } + + $find_files_v1_p3 = { + 44 24 ?? 8B 84 24 ?? ?? ?? ?? 89 74 24 ?? 89 44 24 ?? 89 54 24 ?? E9 ?? ?? ?? ?? 
90 + 8B 84 24 ?? ?? ?? ?? BF ?? ?? ?? ?? C6 44 24 ?? ?? 83 E0 ?? 83 F8 ?? 19 C0 83 E0 ?? + 83 C0 ?? 89 44 24 ?? E9 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 90 8B 74 24 ?? 85 F6 0F 88 + ?? ?? ?? ?? 83 EC ?? FF 74 24 ?? 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 C6 85 C0 0F + 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 44 24 ?? 89 44 24 ?? 8D B4 26 ?? ?? ?? ?? 8D 76 ?? + 83 EC ?? 56 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 80 78 ?? ?? + 0F 84 ?? ?? ?? ?? 83 EC ?? 8D 78 ?? 57 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 3B 44 24 + ?? 0F 83 ?? ?? ?? ?? 8B 44 24 ?? 83 EC ?? C6 44 05 ?? ?? 57 8B 44 24 ?? 01 E8 50 8B + 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 5A 5B 8D 48 ?? 8D 44 24 ?? 50 89 E8 FF B4 24 ?? + ?? ?? ?? 8B 54 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 EC ?? 89 C7 + 56 8B 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 66 90 80 78 ?? ?? 0F 84 ?? ?? + ?? ?? 66 83 78 ?? ?? 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? 80 7C 05 ?? + ?? 8D 48 ?? 89 C2 0F 84 ?? ?? ?? ?? 85 C9 0F 84 ?? ?? ?? ?? 80 7C 05 ?? ?? 8D 50 ?? + 75 ?? E9 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 66 90 89 C2 85 D2 0F 84 ?? ?? ?? ?? 80 7C + 15 ?? ?? 8D 42 ?? 75 ?? E9 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? + 31 FF C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 EC ?? 56 8B 5C 24 ?? + E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 07 E9 ?? ?? ?? ?? 8B 7C 24 ?? 89 FB BF ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C7 00 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? + ?? ?? ?? BF + } + + $kill_processes_v1_p1 = { + 55 BA ?? ?? ?? ?? B8 ?? ?? ?? ?? BD ?? ?? ?? ?? 57 89 E9 56 53 E8 ?? ?? ?? ?? 81 C3 + ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 66 89 54 24 ?? 8D 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C6 44 24 + ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C6 44 24 ?? 
?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 ?? + C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C6 44 24 ?? ?? 8B 83 ?? ?? ?? ?? + 89 44 24 ?? 8B 83 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? F3 A5 8D B4 24 ?? ?? ?? ?? C6 44 + } + + $kill_processes_v1_p2 = { + 24 ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 89 F7 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 CD C7 44 24 ?? ?? ?? + ?? ?? B9 ?? ?? ?? ?? 89 E8 F3 AB FF B4 24 ?? ?? ?? ?? 89 F7 8D 44 24 ?? 50 56 E8 ?? + ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 B9 ?? ?? ?? ?? F3 AB FF B4 24 ?? ?? + ?? ?? 89 F7 8D 44 24 ?? 50 56 E8 ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 + B9 ?? ?? ?? ?? F3 AB FF B4 24 ?? ?? ?? ?? 89 F7 8D 44 24 ?? 50 56 E8 ?? ?? ?? ?? 89 + 34 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 B9 ?? ?? ?? ?? F3 AB FF B4 24 ?? ?? ?? ?? 89 F7 + 8D 44 24 ?? 50 56 E8 ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 B9 ?? ?? ?? + ?? F3 AB FF B4 24 ?? ?? ?? ?? 89 F7 8D 84 24 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 89 34 + 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 B9 ?? ?? ?? ?? F3 AB FF B4 24 ?? ?? ?? ?? 89 F7 8D + 44 24 ?? 50 56 E8 ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 83 C4 ?? 89 E8 B9 ?? ?? ?? ?? + F3 AB FF B4 24 ?? ?? ?? ?? 8D 44 24 ?? 50 56 E8 ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? + 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D C3 + } + + $shut_down_esxi_v1 = { + 55 B8 ?? ?? ?? ?? BD ?? ?? ?? ?? 57 89 C1 56 53 E8 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 81 + EC ?? ?? ?? ?? 8D 7C 24 ?? C7 44 24 ?? 65 73 78 63 C7 44 24 ?? 6C 69 20 76 C7 44 24 + ?? 6D 20 70 72 8D B3 ?? ?? ?? ?? C7 44 24 ?? 6F 63 65 73 F3 A5 8D B4 24 ?? ?? ?? ?? + C7 44 24 ?? 73 20 6B 69 83 EC ?? 89 F7 C7 44 24 ?? 6C 6C 20 2D C7 44 24 ?? 2D 74 79 + 70 C7 44 24 ?? 65 3D 66 6F C7 44 24 ?? 72 63 65 20 C7 44 24 ?? 2D 2D 77 6F 89 C8 B9 + ?? ?? ?? ?? C7 44 24 ?? 72 6C 64 2D C7 44 24 ?? 
69 64 3D 22 C7 84 24 ?? ?? ?? ?? 25 + 73 22 00 C7 44 24 ?? 5B 45 53 58 C7 44 24 ?? 69 5D 20 53 C7 44 24 ?? 68 75 74 74 C7 + 44 24 ?? 69 6E 67 20 C7 44 24 ?? 64 6F 77 6E F3 AB C7 44 24 ?? 20 2D 20 25 8D 83 ?? + ?? ?? ?? 66 89 6C 24 ?? C6 44 24 ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 0F 84 ?? ?? ?? ?? BF ?? ?? ?? ?? 89 C5 8D 44 24 ?? 66 89 7C 24 ?? 31 FF + } + + $kill_processes_v2_p1 = { + 41 54 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 45 31 E4 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 55 48 89 + FD 53 48 81 EC ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 00 00 48 89 84 24 ?? ?? ?? ?? B8 ?? ?? + ?? ?? 48 8D 9C 24 ?? ?? ?? ?? 48 8D B4 24 ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 66 0F + 6F 05 ?? ?? 00 00 48 89 DF 66 89 44 24 ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 0F 29 44 24 + ?? 66 0F 6F 05 ?? ?? 00 00 66 89 54 24 ?? 48 89 EA 0F 29 44 24 ?? 66 0F 6F 05 ?? ?? + 00 00 66 89 8C 24 ?? ?? 00 00 B9 ?? ?? ?? ?? 0F 29 44 24 ?? 66 0F 6F 05 ?? ?? 00 00 + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 00 00 C6 + 84 24 ?? ?? ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 00 00 C7 44 24 ?? ?? + ?? ?? ?? 0F 29 84 24 ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 00 00 C6 44 24 ?? ?? 0F 29 84 24 + ?? ?? ?? ?? C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? C6 44 24 ?? ?? C7 84 24 ?? ?? ?? + ?? ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 48 89 44 24 ?? 48 B8 + } + + $kill_processes_v2_p2 = { + 48 89 44 24 ?? 4C 89 E0 F3 48 AB 48 89 DF C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 E0 48 89 DF B9 ?? + ?? ?? ?? F3 48 AB 48 8D 74 24 ?? 48 89 EA 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? + ?? ?? 4C 89 E0 48 89 DF B9 ?? ?? ?? ?? F3 48 AB 48 8D 74 24 ?? 48 89 EA 48 89 DF E8 + ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 E0 48 89 DF B9 ?? ?? ?? ?? F3 48 AB 48 8D + 74 24 ?? 48 89 EA 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 E0 48 89 DF + B9 ?? ?? ?? ?? F3 48 AB 48 8D B4 24 ?? ?? ?? ?? 48 89 EA 48 89 DF E8 ?? ?? ?? ?? 48 + 89 DF E8 ?? ?? ?? ?? 
4C 89 E0 48 89 DF B9 ?? ?? ?? ?? F3 48 AB 48 8D 74 24 ?? 48 89 + EA 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 89 E0 48 89 DF B9 ?? ?? ?? ?? + F3 48 AB 48 8D 74 24 ?? 48 89 EA 48 89 DF E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 + 81 C4 ?? ?? ?? ?? 5B 5D 41 5C C3 + } + + $encrypt_files_v2_p1 = { + 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 41 57 66 0F EF C0 49 89 FF 41 56 49 89 D6 41 55 49 89 + F5 BE ?? ?? ?? ?? 41 54 55 53 48 81 EC ?? ?? ?? ?? 48 8D 5C 24 ?? 48 89 4C 24 ?? 48 + 8D AC 24 ?? ?? ?? ?? 48 89 DF 4C 89 04 24 0F 29 44 24 ?? 0F 29 44 24 ?? 0F 29 44 24 + ?? 48 C7 44 24 ?? ?? ?? ?? ?? 0F 29 44 24 ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? 85 C0 75 + ?? 45 31 E4 48 89 EF BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 DF BE ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 8D 7B ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 44 89 E0 5B 5D + 41 5C 41 5D 41 5E 41 5F C3 0F 1F 80 ?? ?? ?? ?? 48 8D 7B ?? BE ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 C0 74 ?? BA ?? ?? ?? ?? 48 89 DE 48 89 EF E8 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? + ?? 4C 89 FF E8 ?? ?? ?? ?? 48 89 44 24 ?? 48 85 C0 0F 84 ?? ?? ?? ?? 4C 89 FF E8 ?? + ?? ?? ?? 4C 89 FE 4C 89 EF 48 89 C2 49 89 C4 E8 ?? ?? ?? ?? 8B 54 24 ?? 4B 8D 44 25 + ?? 31 F6 89 10 0F B7 54 24 ?? 66 89 50 ?? 0F B6 54 24 ?? 88 50 ?? BA ?? ?? ?? ?? 43 + C6 44 25 ?? ?? 4C 8B 64 24 ?? 4C 89 E7 E8 ?? ?? ?? ?? 4C 89 E7 4C 89 64 24 ?? 45 31 + E4 E8 ?? ?? ?? ?? 48 83 F8 ?? 7E ?? 4C 89 EE 4C 89 FF E8 ?? ?? ?? ?? 85 C0 74 ?? 48 + 8B 7C 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 66 0F 1F 44 00 ?? 48 8B 7C 24 ?? E8 ?? ?? + ?? ?? 48 8D 35 ?? ?? ?? ?? 4C 89 EF E8 ?? ?? ?? ?? 48 89 44 24 ?? 49 89 C4 48 85 C0 + } + + $encrypt_files_v2_p2 = { + 0F 84 ?? ?? ?? ?? 31 F6 BA ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 4C 89 E7 4C 89 64 24 + ?? E8 ?? ?? ?? ?? 48 39 44 24 ?? 48 0F 4E 44 24 ?? 48 8D 7C 24 ?? 48 89 C1 48 C1 F9 + ?? 48 C1 E9 ?? 48 8D 14 08 83 E2 ?? 48 29 CA 48 29 D0 48 89 44 24 ?? E8 ?? ?? ?? ?? + 48 8D BC 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 DE 48 89 44 24 ?? 31 C0 BA ?? ?? ?? ?? + F3 48 AB 48 8D 84 24 ?? ?? 
?? ?? 48 8B 3C 24 48 89 C1 48 89 44 24 ?? E8 ?? ?? ?? ?? + 41 89 C4 85 C0 0F 84 ?? ?? ?? ?? 48 8B 7C 24 ?? E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 4C 89 + EE E8 ?? ?? ?? ?? 41 89 C4 85 C0 0F 84 ?? ?? ?? ?? 48 8B 44 24 ?? 4C 8D 64 24 ?? 48 + 85 C0 75 ?? E9 ?? ?? ?? ?? 0F 1F 80 ?? ?? ?? ?? 4D 89 F1 4D 89 E8 4C 89 E9 4C 89 E2 + 48 89 EE 48 8D 3D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 F6 BA ?? ?? ?? ?? 4C 89 FF 48 F7 + DE E8 ?? ?? ?? ?? 4C 89 F9 4C 89 F2 BE ?? ?? ?? ?? 4C 89 EF E8 ?? ?? ?? ?? 48 8B 44 + 24 ?? 4C 29 F0 48 89 44 24 ?? 74 ?? 49 39 C6 4C 8B 7C 24 ?? BE ?? ?? ?? ?? 4C 89 EF + 4C 0F 47 F0 66 0F 6F 4C 24 ?? 4C 89 F9 4C 89 F2 0F 29 4C 24 ?? E8 ?? ?? ?? ?? 4C 39 + F0 74 ?? 48 8B 7C 24 ?? 41 BC ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 89 FE 4C + 89 EF E8 ?? ?? ?? ?? E9 + } + + $find_files_v2_p1 = { + 41 57 4D 89 C7 41 56 49 89 FE 41 55 49 89 FD 41 54 55 53 89 CB 48 81 EC ?? ?? ?? ?? + 48 89 34 24 89 54 24 ?? 41 8B 55 ?? 49 83 C5 ?? 8D 82 ?? ?? ?? ?? F7 D2 21 D0 25 ?? + ?? ?? ?? 74 ?? 89 C2 C1 EA ?? A9 ?? ?? ?? ?? 0F 44 C2 49 8D 55 ?? 4C 0F 44 EA 89 C6 + 40 00 C6 49 83 DD ?? 31 ED 4D 29 F5 74 ?? 49 8D 6D ?? 43 80 7C 2E ?? ?? 49 0F 45 ED + 48 8D 44 24 ?? 41 89 DC 4C 89 F6 48 89 44 24 ?? 48 89 C2 BF ?? ?? ?? ?? 41 83 E4 ?? + 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 00 83 F8 + ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 45 31 DB 41 BC ?? ?? ?? ?? 48 8B 44 24 ?? F6 C3 + ?? 0F 85 ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 44 24 ?? 4C 89 7C 24 ?? 48 89 44 24 ?? 4D + 85 FF 0F 84 ?? ?? ?? ?? 41 8B 47 ?? 8D 55 ?? 89 54 24 ?? 83 C0 ?? 89 44 24 ?? 89 44 + 24 ?? 41 8B 47 ?? 89 44 24 ?? 45 31 C0 C7 44 24 ?? ?? ?? ?? ?? 83 F9 ?? 0F 84 ?? ?? + ?? ?? 89 D8 83 E0 ?? 89 44 24 ?? 75 ?? 44 88 5C 24 ?? 44 89 E2 48 8D 4C 24 ?? 4C 89 + F7 48 8B 74 24 ?? 48 8B 04 24 44 89 44 24 ?? FF D0 44 8B 44 24 ?? 44 0F B6 5C 24 ?? + 85 C0 89 C2 75 ?? 4D 85 FF 0F 84 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 54 24 ?? EB ?? 0F + 1F 44 00 ?? 4D 8B 3F 4D 85 FF 0F 84 ?? ?? ?? ?? 49 39 47 ?? 75 ?? 49 39 57 ?? 
75 ?? + 31 D2 48 81 C4 ?? ?? ?? ?? 89 D0 5B 5D 41 5C 41 5D 41 5E 41 5F C3 66 90 E8 ?? ?? ?? + ?? 85 C0 78 ?? 8B 44 24 ?? 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 3D ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 31 C9 45 31 DB 45 31 E4 48 8B 44 24 ?? F6 C3 ?? 0F 84 ?? ?? + ?? ?? 4D 85 FF 0F 84 ?? ?? ?? ?? 49 39 47 ?? 75 ?? 48 89 44 24 ?? 48 8B 44 24 ?? 4C + } + + $find_files_v2_p2 = { + 89 7C 24 ?? 48 89 44 24 ?? E9 ?? ?? ?? ?? 66 2E 0F 1F 84 00 ?? ?? 00 00 E8 ?? ?? ?? + ?? 49 89 C4 8B 00 83 F8 ?? 0F 85 ?? ?? ?? ?? 48 8B 54 24 ?? 4C 89 F6 BF ?? ?? ?? ?? + E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 45 31 DB 41 BC ?? ?? ?? ?? EB + ?? 0F 1F 00 8B 4C 24 ?? 85 C9 74 ?? 45 84 DB 0F 85 ?? ?? ?? ?? 8B 44 24 ?? 43 C6 04 + 2E ?? 85 C0 0F 84 ?? ?? ?? ?? 44 89 E2 48 8D 4C 24 ?? 48 8B 74 24 ?? 4C 89 F7 48 8B + 04 24 FF D0 89 C2 E9 ?? ?? ?? ?? 90 31 F6 4C 89 F7 31 C0 44 88 5C 24 ?? E8 ?? ?? ?? + ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? 44 0F B6 5C 24 ?? 44 8B 00 85 FF 79 ?? 41 + 83 F8 ?? BA ?? ?? ?? ?? 0F 94 C0 84 C0 B8 ?? ?? ?? ?? 44 0F 45 DA 44 0F 45 E0 8B 74 + 24 ?? 85 F6 0F 85 ?? ?? ?? ?? 8B 7C 24 ?? 44 88 5C 24 ?? 44 89 44 24 ?? E8 ?? ?? ?? + ?? 44 0F B6 5C 24 ?? 44 8B 44 24 ?? E9 ?? ?? ?? ?? 0F 1F 00 48 89 44 24 ?? 48 8B 44 + 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 89 44 24 ?? 8D 45 ?? C7 44 24 ?? ?? ?? ?? ?? 89 + 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 85 ED 74 ?? 41 80 3C 2E ?? 48 89 E8 74 ?? E9 ?? + ?? ?? ?? 0F 1F 44 00 ?? 41 80 3C 06 ?? 0F 85 ?? ?? ?? ?? 48 83 E8 ?? 75 ?? 31 D2 89 + } + + $find_files_v2_p3 = { + 54 24 ?? E9 ?? ?? ?? ?? 0F 1F 40 ?? 89 D8 B9 ?? ?? ?? ?? 41 BB ?? ?? ?? ?? 83 E0 ?? + 83 F8 ?? 45 19 E4 41 83 E4 ?? 41 83 C4 ?? E9 ?? ?? ?? ?? 0F 1F 44 00 ?? 8B 54 24 ?? + 85 D2 0F 88 ?? ?? ?? ?? 8B 7C 24 ?? E8 ?? ?? ?? ?? 49 89 C7 48 85 C0 0F 84 ?? ?? ?? + ?? B8 ?? ?? ?? ?? 44 89 64 24 ?? 4C 29 E8 48 89 44 24 ?? 48 8D 44 24 ?? 48 89 44 24 + ?? 8B 44 24 ?? 83 E8 ?? 89 44 24 ?? 4C 89 FF E8 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? + ?? 80 78 ?? ?? 74 ?? 4C 8D 60 ?? 
4C 89 E7 E8 ?? ?? ?? ?? 48 3B 44 24 ?? 0F 83 ?? ?? + ?? ?? 41 C6 04 2E ?? 49 8D 7C 2E ?? 4C 89 E6 E8 ?? ?? ?? ?? 4C 8B 44 24 ?? 8B 54 24 + ?? 89 D9 48 8B 34 24 4C 89 F7 E8 ?? ?? ?? ?? 85 C0 74 ?? 4C 89 FF 89 04 24 E8 ?? ?? + ?? ?? 8B 14 24 E9 ?? ?? ?? ?? 66 90 80 78 ?? ?? 74 ?? 66 83 78 ?? ?? 75 ?? EB ?? 90 + 41 80 7C 06 ?? ?? 48 8D 70 ?? 89 C2 0F 84 ?? ?? ?? ?? 48 85 F6 0F 84 ?? ?? ?? ?? 41 + 80 7C 06 ?? ?? 48 8D 50 ?? 75 ?? E9 ?? ?? ?? ?? 0F 1F 40 ?? 48 89 C2 48 85 D2 0F 84 + ?? ?? ?? ?? 41 80 7C 16 ?? ?? 48 8D 42 ?? 75 ?? E9 ?? ?? ?? ?? 0F 1F 00 45 85 E4 0F + 84 ?? ?? ?? ?? 31 C9 45 31 DB 41 BC ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 89 FF 44 8B 64 24 + ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 41 8B 04 24 E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 FF + C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? E9 ?? + ?? ?? ?? 48 89 F2 E9 ?? ?? ?? ?? 44 89 04 24 E8 ?? ?? ?? ?? 44 8B 04 24 BA ?? ?? ?? + ?? 44 89 00 E9 ?? ?? ?? ?? 8B 7C 24 ?? E8 ?? ?? ?? ?? 83 CA ?? E9 + } + + $init_key_v2 = { + 48 85 FF 0F 84 ?? ?? ?? ?? 48 85 F6 0F 84 ?? ?? ?? ?? 41 56 41 55 41 54 55 48 89 F5 + 53 48 89 FB 48 81 EC ?? ?? ?? ?? 4C 8D 64 24 ?? 4C 89 E7 E8 ?? ?? ?? ?? 85 C0 75 ?? + 66 0F EF C0 48 8D 35 ?? ?? ?? ?? 48 8D 3D ?? ?? ?? ?? 49 89 E6 0F 29 04 24 0F 29 44 + 24 ?? E8 ?? ?? ?? ?? 49 89 C5 48 85 C0 74 ?? 4C 89 F7 48 89 C1 BA ?? ?? ?? ?? BE ?? + ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 EF E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 F6 4C 89 E7 E8 + ?? ?? ?? ?? 85 C0 74 ?? 31 C0 48 81 C4 ?? ?? ?? ?? 5B 5D 41 5C 41 5D 41 5E C3 66 2E + 0F 1F 84 00 ?? ?? 00 00 31 C0 C3 0F 1F 44 00 ?? 48 89 EA 48 89 DE 4C 89 E7 E8 ?? ?? + ?? ?? 85 C0 75 ?? 4C 89 E7 E8 ?? ?? ?? ?? 
89 E8 EB + } + + condition: + uint32(0) == 0x464C457F and + ( + ( + ( + all of ($find_files_v1_p*) + ) and + ( + all of ($kill_processes_v1_p*) + ) and + ( + $init_key_v1 + ) and + ( + all of ($encrypt_files_v1_p*) + ) and + ( + $shut_down_esxi_v1 + ) + ) or + ( + ( + all of ($find_files_v2_p*) + ) and + ( + all of ($kill_processes_v2_p*) + ) and + ( + $init_key_v2 + ) and + ( + all of ($encrypt_files_v2_p*) + ) + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Linux.Ransomware.KillDisk.yara b/yara/ransomware/Linux.Ransomware.KillDisk.yara new file mode 100644 index 0000000..86c07c6 --- /dev/null +++ b/yara/ransomware/Linux.Ransomware.KillDisk.yara 
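Review bot: The condition's two branches are asymmetric: the 32-bit branch requires `$shut_down_esxi_v1`, but the 64-bit branch has no ESXi-related string at all, so either the v2 build lacks that routine (worth a comment saying so) or the rule is weaker for v2 than intended. `$shut_down_esxi_v1` also reaches the command text only through the exact `C7 44 24 ?? <4 literal bytes>` stack-store sequence the 32-bit compiler emitted, so a plain text string (e.g. `$esxcli_kill = "esxcli vm process kill"`) shared by both branches would cover both builds and survive recompilation. Separately, `$kill_processes_v1_p1` and `$kill_processes_v2_p1` consist mostly of repeated `C7 44 24 ?? ?? ?? ?? ??` and `66 0F 6F 05 ?? ?? 00 00` stores with wildcarded payloads, which leaves YARA only short, common atoms to anchor on; if the compiler reports these as slow patterns, trimming them to the distinctive fixed-byte tail would help scan time.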
@@ -0,0 +1,144 @@ +rule Linux_Ransomware_KillDisk : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KILLDISK" + description = "Yara rule that detects KillDisk ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "KillDisk" + tc_detection_factor = 5 + + strings: + + $encrypt_files_1 = { + 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 + 89 45 ?? 31 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 + ?? ?? ?? ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 85 C0 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? + ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? + ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 85 C0 79 ?? 48 8B + 85 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 78 ?? 48 8B 85 ?? ?? ?? ?? BE ?? + ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? + 85 C0 79 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 45 ?? 48 8D 90 ?? ?? ?? ?? 48 85 C0 + 48 0F 48 C2 48 C1 F8 ?? 48 89 85 ?? ?? ?? ?? 48 8B 45 ?? 48 85 C0 7E ?? 48 83 BD ?? + ?? ?? ?? ?? 7F ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? + ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? 48 + 83 BD ?? ?? ?? ?? ?? 7F ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C2 48 C1 + } + + $encrypt_files_2 = { + EA ?? 48 01 D0 48 D1 F8 48 C1 E0 ?? 48 89 C1 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 + CE 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 
83 BD ?? ?? + ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 8E ?? ?? ?? + ?? 48 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 BA ?? + ?? ?? ?? ?? ?? ?? ?? 48 89 C8 48 F7 EA 48 8D 04 0A 48 C1 F8 ?? 48 89 C2 48 89 C8 48 + C1 F8 ?? 48 29 C2 48 89 D0 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B + 85 ?? ?? ?? ?? C1 E0 ?? 48 63 C8 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 CE 89 C7 E8 + ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 + ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 3B 85 ?? ?? ?? ?? 7C ?? 48 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? + 48 8B 8D ?? ?? ?? ?? 48 BA ?? ?? ?? ?? ?? ?? ?? ?? 48 89 C8 48 F7 EA 48 8D 04 0A 48 + C1 F8 ?? 48 89 C2 48 89 C8 48 C1 F8 ?? 48 29 C2 48 89 D0 89 85 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? C1 E0 ?? 48 63 C8 8B 85 ?? ?? ?? ?? BA + ?? ?? ?? ?? 48 89 CE 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 83 85 ?? ?? ?? ?? ?? 83 85 ?? + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 85 ?? ?? ?? ?? 7C ?? 8B 05 ?? ?? ?? ?? 89 C7 E8 ?? + ?? ?? ?? 8B 05 ?? ?? ?? ?? 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 48 8B 75 ?? 64 48 33 + 34 25 ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? C9 C3 + } + + $search_files = { + 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 + 89 45 ?? 31 C0 8B 05 ?? ?? ?? ?? 83 C0 ?? 89 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 83 F8 + ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? + ?? ?? ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 48 8B 85 ?? ?? ?? ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 75 ?? + E9 ?? ?? ?? ?? 
83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 83 C0 + ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 75 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? + ?? 85 C0 74 ?? 48 8B 85 ?? ?? ?? ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? + ?? 85 C0 75 ?? 83 85 ?? ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 + D6 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 C7 C1 ?? ?? ?? ?? 48 89 C2 B8 ?? + ?? ?? ?? 48 89 D7 F2 AE 48 89 C8 48 F7 D0 48 8D 50 ?? 48 8D 85 ?? ?? ?? ?? 48 01 D0 + 66 C7 00 ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8D 50 ?? 48 8D 85 ?? ?? ?? ?? 48 89 D6 48 89 + C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 48 8D + 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 83 E8 ?? 89 05 ?? ?? ?? ?? + 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? + ?? ?? 0F 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? + 48 8B 4D ?? 64 48 33 0C 25 ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? C9 C3 + } + + $subvert_grub_1 = { + 55 48 89 E5 48 81 EC ?? ?? ?? ?? 64 48 8B 04 25 ?? ?? ?? ?? 48 89 45 ?? 31 C0 48 B8 + ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 + ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? + ?? ?? ?? 48 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? + ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 + ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 + ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 66 C7 85 ?? ?? FF FF ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? + ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? 
C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 48 B8 ?? ?? + ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? + ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? + ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 + } + + $subvert_grub_2 = { + 48 89 85 ?? ?? ?? ?? 66 C7 85 ?? ?? FF FF ?? ?? 48 B8 ?? ?? ?? + ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? + ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? + ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 + 8B 85 ?? ?? ?? ?? 48 89 C1 BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? + ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 4C 8D 85 ?? ?? + ?? ?? 48 8D BD ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 8D B5 ?? ?? ?? ?? 56 48 8D B5 ?? ?? ?? ?? 56 4D 89 C1 49 89 F8 BE ?? ?? ?? + ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 + E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? + ?? ?? 0F 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 B9 ?? + ?? ?? ?? ?? ?? ?? ?? 48 89 08 C7 40 ?? ?? ?? ?? ?? C6 40 ?? ?? 48 8B 85 + } + + $subvert_grub_3 = { + 48 8D 50 ?? 48 8D 85 ?? ?? ?? ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? + ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 85 ?? ?? ?? + ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 85 ?? ?? ?? + ?? 48 83 C0 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 75 ?? EB ?? 48 8D 85 ?? + ?? ?? ?? 
48 89 C7 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 + 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? + ?? E9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? + 48 83 BD ?? ?? ?? ?? ?? 74 ?? 4C 8D 85 ?? ?? ?? ?? 48 8D BD ?? ?? ?? ?? 48 8D 8D ?? + ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8D B5 ?? ?? ?? ?? 56 48 8D B5 + ?? ?? ?? ?? 56 4D 89 C1 49 89 F8 BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 83 C4 ?? EB ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? + ?? 48 83 BD ?? ?? ?? ?? ?? 74 ?? 4C 8D 85 ?? ?? ?? ?? 48 8D BD ?? ?? ?? ?? 48 8D 8D + ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8D B5 ?? ?? ?? ?? 56 48 8D + B5 ?? ?? ?? ?? 56 4D 89 C1 49 89 F8 BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 83 C4 ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 48 8B + 55 ?? 64 48 33 14 25 ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? C9 C3 + } + + condition: + uint32(0) == 0x464C457F and + ( + $search_files and + (all of ($encrypt_files_*)) and + (all of ($subvert_grub_*)) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Linux.Ransomware.LuckyJoe.yara b/yara/ransomware/Linux.Ransomware.LuckyJoe.yara new file mode 100644 index 0000000..2635f84 --- /dev/null +++ b/yara/ransomware/Linux.Ransomware.LuckyJoe.yara 
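Review bot: The condition gates on `uint32(0) == 0x464C457F` alone, while every string in the rule is x86-64 machine code (REX-prefixed `48 …` / `41 …` sequences, `rbp`-relative `48 8B 85 ?? ?? ?? ??` loads), so the rule is evaluated against 32-bit and non-x86 ELF files it can never legitimately match. Tightening the header check to `uint32(0) == 0x464C457F and uint16(0x12) == 0x3E` (e_machine == EM_X86_64; x86-64 ELF headers are little-endian, which is what YARA's `uint16` reads) restricts it to the architecture the patterns were lifted from and removes a class of false positives. This is a precision measure, not a speed one: YARA still runs its string scan over the whole file regardless of the condition, so the benefit is in what the rule can be triggered by, not in scan cost. Separately, `sharing = "TLP:WHITE"` is the pre-2022 label; TLP 2.0 renamed it TLP:CLEAR, so a future re-sync from the vendor feed may arrive with the newer value and the metadata consumer in `main.py` should not key on the exact string.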
@@ -0,0 +1,146 @@ +rule Linux_Ransomware_LuckyJoe : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LUCKYJOE" + description = "Yara rule that detects LuckyJoe ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "LuckyJoe" + tc_detection_factor = 5 + + strings: + + $main_call_p1 = { + 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? 48 + C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? + 48 89 45 ?? 48 8B 55 ?? 48 8B 45 ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 8D 75 ?? 48 + 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? BE ?? ?? + ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 C7 E8 + ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? E8 ?? ?? + ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 35 ?? ?? ?? ?? 48 83 EC ?? 48 8B 45 + ?? 6A ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C7 + E8 ?? ?? ?? ?? 48 83 C4 ?? 48 8B 15 ?? ?? ?? ?? 48 8B 45 ?? 48 89 D6 48 89 C7 E8 ?? + ?? ?? ?? 48 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? + ?? ?? 48 98 48 89 45 ?? 48 8B 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 + } + + $main_call_p2 = { + 89 C7 E8 ?? ?? ?? ?? 48 98 48 89 45 ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? + ?? 48 89 45 ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 + ?? 89 C2 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C2 + 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 8B 55 ?? 48 8B 45 ?? 48 + 01 D0 C6 00 ?? 48 8B 55 ?? 48 8B 45 ?? 48 01 D0 C6 00 ?? 48 8B 45 ?? 48 8B 55 ?? 48 + 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 83 7D ?? ?? 75 ?? BF ?? ?? ?? ?? 
E8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? B8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 45 ?? + 48 83 7D ?? ?? 74 ?? 48 8B 55 ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 + } + + $main_call_p3 = { + E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 79 ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? + ?? ?? E9 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C7 E8 ?? ?? + ?? ?? 48 C7 45 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 45 + ?? 48 83 7D ?? ?? 74 ?? EB ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 48 8B 55 ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 89 45 ?? 83 7D ?? ?? 79 ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? EB ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 89 C7 E8 ?? ?? ?? ?? EB ?? BF ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 48 98 48 8B 84 + C5 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 48 98 + 48 8B 84 C5 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 83 45 ?? ?? 83 7D ?? ?? 74 ?? BF ?? + ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 + ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 55 48 89 E5 53 48 81 EC ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? BA ?? + ?? ?? ?? B9 ?? ?? ?? ?? 48 89 C7 48 89 D6 F3 48 A5 48 89 F2 48 89 F8 0F B7 0A 66 89 + 08 48 8D 40 ?? 48 8D 52 ?? 48 C7 45 ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 48 C7 45 ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 D7 + F3 48 AB 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 83 7D ?? ?? 75 + ?? 48 8B 85 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? 
?? ?? ?? E9 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 D6 48 89 C7 + E8 ?? ?? ?? ?? 48 8B 45 ?? 0F B6 40 ?? 3C ?? 0F 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? + 48 89 C7 E8 ?? ?? ?? ?? 48 89 C3 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 + 01 D8 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 85 ?? ?? ?? ?? BE ?? ?? + ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B 95 ?? ?? ?? + ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 48 8B 45 + ?? 48 8D 48 ?? 48 8B 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 4D ?? 48 8D 85 ?? ?? ?? ?? 48 89 CE 48 + 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? EB ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? + ?? 48 89 C2 48 8B 45 ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? 85 C0 75 ?? 48 8B 45 ?? 48 + } + + $encrypt_files_p2 = { + 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? + ?? EB ?? 48 8D 95 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C6 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 + 89 45 ?? 48 83 7D ?? ?? 75 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 + 8B 45 ?? 0F B6 40 ?? 3C ?? 0F 85 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? BE ?? ?? ?? ?? + 48 89 C7 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? BE ?? ?? ?? + ?? 48 89 C7 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C0 ?? 48 89 45 + ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C3 48 8B 45 ?? 48 89 C7 E8 ?? + ?? ?? ?? 48 01 D8 48 83 C0 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 85 ?? ?? ?? + ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B + 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + ?? 48 8B 45 ?? 48 8D 48 ?? 48 8B 95 ?? ?? ?? ?? 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 
48 89 45 ?? 48 83 7D ?? ?? 0F + 85 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5B 5D C3 + } + + $encrypt_internal_message_p1 = { + 55 48 89 E5 53 48 83 EC ?? 48 89 7D ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? BF ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 45 ?? 48 8B + 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 83 C0 ?? 48 98 48 89 C7 E8 ?? ?? ?? + ?? 48 89 45 ?? 8B 45 ?? 83 C0 ?? 48 63 D0 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? + ?? ?? ?? 8B 45 ?? 48 63 D0 48 8B 4D ?? 48 8B 45 ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? + 8B 45 ?? 48 98 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8B 45 ?? 83 E8 ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 66 0F EF C0 F2 0F 2A 45 ?? + 66 0F EF C9 F2 0F 2A 4D ?? F2 0F 5E C1 E8 ?? ?? ?? ?? F2 0F 2C C0 89 45 ?? 8B 45 ?? + 0F AF 45 ?? 48 98 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 8B 45 ?? 0F AF 45 ?? 48 63 D0 + 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 45 ?? 0F AF 45 ?? 89 C3 48 8B + 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C6 8B 45 ?? 89 C1 89 DA BF ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 48 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? E9 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? 3B 45 ?? 7D ?? 8B 45 ?? 2B 45 ?? 89 45 ?? 8B 45 + ?? 48 63 D0 48 8B 45 ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? 89 + } + + $encrypt_internal_message_p2 = { + C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 48 63 D0 48 8B 45 ?? 48 8D + 34 02 48 8B 4D ?? 48 8B 55 ?? 8B 45 ?? 41 B8 ?? ?? ?? ?? 89 C7 E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? E8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C2 48 8B 45 ?? 48 89 C6 48 89 D7 E8 ?? ?? ?? ?? 48 + 8B 05 ?? ?? ?? ?? 48 8B 55 ?? BE ?? ?? ?? ?? 48 89 C7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? + 48 89 C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? 
?? + ?? ?? 8B 45 ?? 48 63 D0 8B 45 ?? 48 63 C8 48 8B 45 ?? 48 01 C1 48 8B 45 ?? 48 89 C6 + 48 89 CF E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 C6 BF ?? ?? ?? ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 01 45 ?? 8B 45 ?? 01 45 ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 83 45 ?? ?? 8B 45 ?? 3B 45 ?? 0F 8E ?? ?? ?? ?? 48 8B 45 ?? 48 89 + C7 E8 ?? ?? ?? ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 8B 4D ?? 48 8B 45 ?? BA ?? ?? + ?? ?? 89 CE 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? + 48 89 C6 BF ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 45 ?? 48 83 C4 ?? 5B 5D + C3 + } + + condition: + uint32(0) == 0x464C457F and + ( + all of ($main_call_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($encrypt_internal_message_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Linux.Ransomware.RedAlert.yara b/yara/ransomware/Linux.Ransomware.RedAlert.yara new file mode 100644 index 0000000..537240a --- /dev/null +++ b/yara/ransomware/Linux.Ransomware.RedAlert.yara 
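Review bot: `all of ($main_call_p*)` — and likewise the `$encrypt_files_p*` and `$encrypt_internal_message_p*` groups — only requires each part to appear somewhere in the file; nothing enforces order or adjacency, even though the parts read as one contiguous function cut at an instruction boundary (`$main_call_p1` ends in `48` and `$main_call_p2` opens with `89 C7 E8`, i.e. a single `mov rdi, rax` straddling the split, and `$encrypt_files_p1` ends mid-`call` with `E8 ??`). If these were split from a single sample purely to keep the hex strings short, pinning them back together with `@main_call_p2 == @main_call_p1 + !main_call_p1` (and the two analogous terms for the other groups; with no jumps in these hex strings `!` is a constant length) costs three condition terms and removes matches where the fragments occur out of order or in unrelated code. If the looser form is deliberate — e.g. to survive reordering by a different compiler — a one-line comment above the condition saying so would stop the next maintainer from tightening it.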
@@ -0,0 +1,146 @@ +rule Linux_Ransomware_RedAlert : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REDALERT" + description = "Yara rule that detects RedAlert ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "RedAlert" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 41 57 41 56 41 55 41 54 55 53 48 81 EC ?? ?? ?? ?? 48 89 74 24 ?? BE ?? ?? ?? ?? 48 + 89 54 24 ?? 48 89 4C 24 ?? 4C 89 44 24 ?? E8 ?? ?? ?? ?? 48 85 C0 48 89 C5 75 ?? BF + ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 48 89 C7 E8 ?? ?? ?? ?? 83 F8 ?? 89 C3 75 ?? BF ?? + ?? ?? ?? E8 ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 31 C0 E9 ?? ?? ?? ?? 48 8D 54 24 ?? + 89 C6 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? FF C0 75 ?? BF ?? ?? ?? ?? EB ?? 4C 8B B4 24 ?? + ?? ?? ?? 4D 85 F6 7F ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 DF E8 ?? ?? ?? ?? EB ?? 49 + 81 FE ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 0F 97 44 24 ?? 49 81 FE ?? ?? ?? ?? 0F 97 + 44 24 ?? 80 7C 24 ?? ?? 74 ?? BA ?? ?? ?? ?? 4C 89 F0 C7 44 24 ?? ?? ?? ?? ?? 48 89 + D3 31 D2 48 F7 F3 48 6B C8 ?? 48 89 4C 24 ?? 49 81 FE ?? ?? ?? ?? 77 ?? 4D 89 F4 41 + BD ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 41 BC ?? ?? ?? ?? 45 31 ED C7 44 24 ?? + ?? ?? ?? ?? 4D 63 FD C7 44 24 ?? ?? ?? ?? ?? 4C 0F AF 7C 24 ?? E9 ?? ?? ?? ?? 80 7C + 24 ?? ?? 74 ?? 45 85 ED 74 ?? 80 7C 24 ?? ?? 74 ?? 41 8D 45 ?? 3B 44 24 ?? 4C 89 FE + 75 ?? 49 8D B6 ?? ?? ?? ?? EB ?? 31 F6 31 D2 48 89 EF E8 ?? ?? ?? ?? 48 63 7C 24 ?? + 48 89 E9 4C 89 E2 48 03 7C 24 ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 39 E0 74 ?? BF ?? + ?? ?? ?? EB ?? 44 01 64 24 ?? 41 FF C5 44 3B 6C 24 ?? 0F 85 ?? ?? ?? ?? 48 8D 9C 24 + ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 84 C0 74 ?? BF ?? + ?? ?? ?? EB ?? 48 8D BC 24 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 DE E8 ?? ?? ?? ?? 85 C0 + 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 63 6C 24 ?? 45 89 E7 44 89 64 24 ?? 4C 0F AF + 6C 24 ?? 
C6 44 24 ?? ?? C7 44 24 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 8B 4C 24 ?? 41 B8 + ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 84 + } + + $encrypt_files_p2 = { + C0 75 ?? 48 8B 54 24 ?? 48 8B 7C 24 ?? 48 89 E9 BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 + 15 ?? ?? ?? ?? 48 39 D0 75 ?? 48 8B 44 24 ?? 48 89 E9 BE ?? ?? ?? ?? 0F B7 50 ?? 48 + 8B 38 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 0F B7 51 ?? 48 39 D0 74 ?? BF ?? ?? ?? ?? E9 ?? + ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 4C 03 7C 24 ?? 44 3B 6C 24 ?? 0F 8C ?? ?? ?? ?? E9 + ?? ?? ?? ?? BF ?? ?? ?? ?? EB ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 80 7C + 24 ?? ?? 74 ?? 83 7C 24 ?? ?? 74 ?? 80 7C 24 ?? ?? 74 ?? 8B 44 24 ?? 4C 89 EE FF C0 + 3B 44 24 ?? 75 ?? 49 8D B6 ?? ?? ?? ?? EB ?? 31 F6 31 D2 48 89 EF E8 ?? ?? ?? ?? 48 + 63 44 24 ?? 48 8B 5C 24 ?? 48 8D B4 24 ?? ?? ?? ?? 48 8D BC 24 ?? ?? ?? ?? 31 C9 31 + D2 45 89 E1 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 01 C3 48 8D 84 24 ?? + ?? ?? ?? 49 89 D8 48 89 1C 24 48 89 44 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 48 89 E9 4C 89 E2 BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 4C 39 E0 0F 85 ?? ?? ?? ?? + FF 44 24 ?? 8B 54 24 ?? 8B 4C 24 ?? 01 54 24 ?? 39 4C 24 ?? 75 ?? 31 F6 BA ?? ?? ?? + ?? 48 89 EF E8 ?? ?? ?? ?? 48 8D BC 24 ?? ?? ?? ?? 48 89 E9 BA ?? ?? ?? ?? BE ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8A 5C 24 ?? 48 83 F8 ?? B0 ?? 0F 44 D8 44 3B 7C 24 ?? 88 5C 24 + ?? 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 44 03 7C 24 ?? 4C 03 6C 24 ?? 8B 44 24 ?? 39 + 44 24 ?? 0F 8C ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 0F B6 44 24 ?? 48 81 C4 ?? ?? ?? + ?? 5B 5D 41 5C 41 5D 41 5E 41 5F C3 + } + + $find_files_p1 = { + 41 57 FC 41 56 41 55 41 54 49 89 FC 55 53 48 83 EC ?? 48 8B 84 24 ?? ?? ?? ?? 48 89 + 4C 24 ?? 48 83 C9 ?? 48 89 74 24 ?? 4C 89 44 24 ?? 4C 89 4C 24 ?? 88 54 24 ?? 48 89 + 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? 44 8A BC 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 84 24 + ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 
31 C0 F2 AE 4C 89 + E7 48 F7 D1 4C 8D 71 ?? E8 ?? ?? ?? ?? 48 85 C0 48 89 44 24 ?? 0F 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 38 E8 ?? ?? ?? ?? 48 83 C4 ?? 4C 89 E6 48 89 C2 5B 5D 41 5C 41 5D 41 + 5E 41 5F BF ?? ?? ?? ?? 31 C0 E9 ?? ?? ?? ?? 45 84 FF 48 8D 6B ?? 74 ?? 0F B6 4B ?? + 48 89 EA 4C 89 E6 BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 80 7B ?? ?? 0F 85 ?? ?? ?? ?? + 80 7C 24 ?? ?? 0F 84 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 85 C0 0F 84 + ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? BE ?? ?? + ?? ?? 48 89 EF E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FC 31 C0 48 83 C9 ?? 48 89 EF + F2 AE 4C 89 F0 48 29 C8 48 3B 44 24 ?? 76 ?? 48 8B 3D ?? ?? ?? ?? 48 89 E9 4C 89 E2 + BE ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4B 8D 1C 34 48 89 EE 48 8D 7B ?? + C6 03 ?? E8 ?? ?? ?? ?? 41 0F B6 C7 4C 8B 4C 24 ?? 4C 8B 44 24 ?? 89 44 24 ?? 48 8B + 44 24 ?? BA ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B 74 24 ?? 4C 89 E7 48 89 44 24 ?? 48 8B + } + + $find_files_p2 = { + 44 24 ?? 48 89 44 24 ?? 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B 44 24 ?? 48 89 04 24 E8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 45 84 FF 0F 85 ?? ?? ?? ?? FC 48 83 C9 ?? 48 89 EF 44 88 + F8 F2 AE 48 8B 54 24 ?? 48 89 EF 48 89 CB 48 8B 4C 24 ?? 48 F7 D3 48 89 DE 4C 8D 6B + ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 48 89 EA 4C 89 E6 BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 4C 89 EA BE ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? 48 89 DE 48 89 EF E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 4B 8D 1C 34 48 89 EA 4C + 89 E6 BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 48 8D 7B ?? 48 89 EE C6 03 ?? E8 ?? ?? ?? + ?? 0F B7 0D ?? ?? ?? ?? 4C 89 E7 4C 8B 44 24 ?? 48 8B 54 24 ?? 48 8B 74 24 ?? FF 15 + ?? ?? ?? ?? 84 C0 BF ?? ?? ?? ?? 74 ?? 48 8B 7C 24 ?? B9 ?? ?? ?? ?? 4C 89 E2 BE ?? + ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 48 8B 74 24 ?? 4C 89 E7 E8 ?? ?? ?? ?? 85 C0 74 ?? BF + ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 41 8D 56 ?? + 4C 89 E6 E8 ?? ?? ?? ?? C6 03 ?? 48 8B 7C 24 ?? E8 ?? ?? ?? 
?? 48 85 C0 48 89 C3 0F + 85 ?? ?? ?? ?? 48 8B 7C 24 ?? 48 83 C4 ?? 5B 5D 41 5C 41 5D 41 5E 41 5F E9 + } + + $setup_environment = { + 55 48 89 E5 41 56 49 89 F6 BE ?? ?? ?? ?? 41 55 41 54 53 48 89 FB 48 83 EC ?? E8 ?? + ?? ?? ?? 48 85 C0 49 89 C4 75 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 7D ?? E8 ?? ?? + ?? ?? 84 C0 BF ?? ?? ?? ?? 74 ?? BE ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 85 C0 49 + 89 C4 74 ?? 0F B7 55 ?? 48 8B 7D ?? 48 89 C1 BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 55 + ?? 48 8B 7D ?? 4C 89 E1 BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B7 55 ?? 31 C9 39 C2 0F 85 + ?? ?? ?? ?? E9 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? BF ?? ?? ?? + ?? 49 89 E5 E8 ?? ?? ?? ?? 66 8B 3D ?? ?? 22 00 66 03 3D ?? ?? 22 00 66 8B 05 ?? ?? + 22 00 66 89 7D ?? 0F B7 FF 66 89 45 ?? E8 ?? ?? ?? ?? 0F B7 7D ?? 48 89 45 ?? E8 ?? + ?? ?? ?? 0F B7 55 ?? 48 8B 7D ?? 4C 89 E1 BE ?? ?? ?? ?? 48 89 45 ?? E8 ?? ?? ?? ?? + 0F B7 55 ?? 48 8B 7D ?? 4C 89 E1 BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 75 ?? BF ?? ?? + ?? ?? 31 C0 E8 ?? ?? ?? ?? 0F B7 45 ?? 0F B7 35 ?? ?? ?? ?? 31 C9 48 8B 7D ?? 48 83 + C0 ?? 25 ?? ?? ?? ?? 48 29 C4 48 8D 5C 24 ?? 48 83 E3 ?? 48 89 DA E8 ?? ?? ?? ?? 48 + 89 DE BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 0F B7 3D ?? ?? ?? ?? BE ?? ?? ?? ?? 48 03 + 7D ?? E8 ?? ?? ?? ?? 66 39 05 ?? ?? 22 00 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 + EC 31 C9 EB ?? 4C 89 E7 E8 ?? ?? ?? ?? 48 8D 75 ?? B9 ?? ?? ?? ?? 4C 89 F7 FC F3 A5 + B1 ?? EB ?? 4C 89 EC EB ?? 48 8D 65 ?? 89 C8 5B 41 5C 41 5D 41 5E C9 C3 + } + + $make_configuration = { + 41 56 BE ?? ?? ?? ?? 49 89 FE BF ?? ?? ?? ?? 41 55 41 54 55 53 48 83 EC ?? E8 ?? ?? + ?? ?? 84 C0 88 C3 74 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 31 FF EB ?? BF ?? ?? ?? ?? E8 + ?? ?? ?? ?? BA ?? ?? ?? ?? 0F B7 F0 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? E8 + ?? ?? ?? ?? B9 ?? ?? ?? ?? 49 89 C4 48 89 C2 BE ?? ?? ?? ?? BF ?? ?? ?? ?? 66 C7 00 + ?? ?? C6 40 ?? ?? E8 ?? ?? ?? ?? 4C 89 E6 BF ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 48 89 + E6 4C 89 E7 E8 ?? ?? ?? ?? 84 C0 75 ?? 
BF ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? + E8 ?? ?? ?? ?? FC 88 D8 BF ?? ?? ?? ?? 48 83 C9 ?? F2 AE 48 F7 D1 48 FF C9 8D 59 ?? + 83 C1 ?? 48 63 F9 E8 ?? ?? ?? ?? 48 85 C0 48 89 C5 0F 84 ?? ?? ?? ?? 48 8D 78 ?? 48 + 63 D3 BE ?? ?? ?? ?? C6 00 ?? E8 ?? ?? ?? ?? 48 89 EF BE ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 85 C0 48 89 C3 BF ?? ?? ?? ?? 74 ?? 0F B7 54 24 ?? 48 8B 7C 24 ?? 48 89 C1 BE ?? + ?? ?? ?? E8 ?? ?? ?? ?? 48 89 DF E8 ?? ?? ?? ?? 48 89 EF E8 ?? ?? ?? ?? BF ?? ?? ?? + ?? E8 ?? ?? ?? ?? 4C 89 E7 E8 ?? ?? ?? ?? 4C 89 F7 48 89 E6 B9 ?? ?? ?? ?? FC F3 A5 + 48 83 C4 ?? 5B 5D 41 5C 41 5D 41 5E C3 BF ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + } + + condition: + uint32(0) == 0x464C457F and + ( + $setup_environment + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $make_configuration + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.5ss5c.yara b/yara/ransomware/Win32.Ransomware.5ss5c.yara new file mode 100644 index 0000000..621b5b7 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.5ss5c.yara 
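Review bot: `$setup_environment` leaves the high two bytes of four RIP-relative displacements fixed — `66 8B 3D ?? ?? 22 00`, `66 03 3D ?? ?? 22 00`, `66 8B 05 ?? ?? 22 00` and later `66 39 05 ?? ?? 22 00` — while every other displacement and immediate in the rule is fully wildcarded, so this one string is tied to a layout in which the referenced data sits roughly 0x22xxxx bytes from the code. A relinked or recompiled build that moves `.data`/`.bss` even slightly breaks it, and because the condition requires `$setup_environment` unconditionally, that single brittle string gates the whole rule. Unless the `22 00` bytes were kept on purpose as a family discriminator, replacing them with `?? ??` (full `?? ?? ?? ??` displacements, matching the rest of the string) keeps the detection stable across rebuilds; the rule's other three strings still carry enough fixed bytes to hold precision. As with the other Linux rules in this commit, adding `uint16(0x12) == 0x3E` to the ELF check would also scope the x86-64-only patterns to x86-64 files.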
@@ -0,0 +1,267 @@ +rule Win32_Ransomware_5ss5c : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "5SS5C" + description = "Yara rule that detects 5ss5c ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "5ss5c" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B FA 89 BD ?? ?? ?? ?? 8B F1 + 8B 5D ?? 33 C0 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 45 ?? 89 45 ?? 6A ?? 89 45 ?? + 89 45 ?? 89 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 4D ?? 83 C4 ?? C7 00 ?? ?? ?? ?? C7 40 + ?? ?? ?? ?? ?? 8B 45 ?? 89 08 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? + 57 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 4D + ?? C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8B 45 ?? 89 08 C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 6A ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 4D ?? C7 00 ?? ?? ?? ?? C7 40 ?? + ?? ?? ?? ?? 8B 45 ?? 89 08 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 + 45 ?? ?? 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 83 C4 ?? C7 + 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 08 C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 0F 57 C0 8B 43 ?? 66 0F D6 + } + + $find_files_p2 = { + 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? C6 45 + ?? ?? 8B 3B 85 FF 74 ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8B 47 ?? 8D 8D ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 89 47 ?? 89 7D ?? E8 ?? ?? ?? ?? 6A + ?? 
68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 3B + C8 74 ?? 83 78 ?? ?? 8D 48 ?? 72 ?? 8B 09 FF 70 ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 51 + 50 FF 15 ?? ?? ?? ?? 8B C8 89 8D ?? ?? ?? ?? 83 F9 ?? 0F 84 ?? ?? ?? ?? 8B D8 66 66 + 0F 1F 84 00 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? + 8B 8D ?? ?? ?? ?? 0F 43 45 ?? C7 45 ?? ?? ?? ?? ?? C6 00 ?? 8D 41 ?? 83 79 ?? ?? 72 + ?? 8B 00 FF 71 ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 8B D0 8D 79 ?? 8A 01 41 84 C0 75 ?? 2B CF 8D 85 ?? ?? ?? ?? 51 + 50 8B CA E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 F6 85 ?? + ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 33 FF FF B7 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 85 ?? ?? ?? ?? 83 C7 ?? 81 FF ?? ?? ?? ?? 72 ?? 68 ?? ?? ?? ?? 50 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? + ?? ?? ?? 8B 9D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 83 CB ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 50 89 9D ?? ?? ?? ?? 89 5D ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 + } + + $find_files_p3 = { + 45 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 6A ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 51 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 85 C0 75 + ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 8B 40 ?? 03 C8 33 C0 39 41 ?? 0F 94 C0 + 8D 04 85 ?? ?? ?? ?? 0B 41 ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 55 ?? 83 7D ?? ?? 8D + 8D ?? ?? ?? ?? FF 75 ?? 0F 43 55 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 8B + 40 ?? 03 C8 33 C0 39 41 ?? 0F 94 C0 8D 04 85 ?? ?? ?? ?? 0B 41 ?? 50 E8 ?? ?? ?? ?? + 8B 5D ?? 8D 55 ?? 53 FF B5 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 8B 85 ?? 
+ ?? ?? ?? 8B 40 ?? 85 FF 0F 85 ?? ?? ?? ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? + 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 51 + ?? 0F 1F 80 ?? ?? ?? ?? 8A 01 41 84 C0 75 ?? 2B CA 8D 85 ?? ?? ?? ?? 51 50 8D 4D + } + + $find_files_p4 = { + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 8D 85 ?? ?? ?? + ?? 51 50 8D 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 83 7D ?? ?? 8B FC 0F 43 45 ?? C7 + 07 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D ?? 85 DB 74 ?? 6A ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? 8D 8D ?? ?? ?? ?? 89 + 47 ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 83 EC ?? 83 7D ?? ?? 8B FC 0F + 43 4D ?? 03 C1 C7 07 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D ?? + 85 DB 74 ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? 8D + 8D ?? ?? ?? ?? 89 47 ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 83 7D ?? ?? + 8B FC 0F 43 45 ?? C7 07 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D + ?? 85 DB 74 ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? + 8D 8D ?? ?? ?? ?? 89 47 ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? BA ?? ?? ?? ?? C6 45 + } + + $find_files_p5 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 55 ?? 83 7D ?? ?? 8B 4D ?? 0F 43 55 ?? C7 45 ?? ?? ?? ?? ?? 89 4D ?? 83 F9 ?? + 72 ?? 49 83 C8 ?? 3B C8 89 4D ?? 0F 42 C1 03 C2 0F 1F 40 ?? 80 38 ?? 75 ?? 0F B6 08 + 80 F9 ?? 75 ?? 33 C9 EB ?? 1B C9 83 C9 ?? 85 C9 74 ?? 3B C2 74 ?? 48 EB ?? 2B C2 EB + ?? 83 C8 ?? 6A ?? 8D 78 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 83 C4 ?? C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 08 C6 45 ?? ?? + 8B 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? 3B C7 0F 82 ?? ?? ?? ?? 2B C7 C7 45 ?? ?? ?? ?? ?? 83 C9 ?? 89 45 ?? 83 F8 ?? + 0F 42 C8 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 51 03 C7 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 8D ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? FF B5 ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + } + + $find_files_p6 = { + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 83 7D ?? ?? 8B FC 0F 43 45 ?? C7 07 + ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D ?? 85 DB 74 ?? 6A ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? 8D 8D ?? ?? ?? ?? 89 47 + ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 83 EC ?? 83 7D ?? ?? 8B FC 0F 43 + 4D ?? 03 C1 C7 07 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D ?? 85 + DB 74 ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? 8D 8D + ?? ?? ?? ?? 89 47 ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 83 7D ?? ?? 8B + FC 0F 43 45 ?? C7 07 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 89 47 ?? C6 45 ?? ?? 8B 5D ?? + 85 DB 74 ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 8B 43 ?? 8D + 8D ?? ?? ?? ?? 89 47 ?? 89 7B ?? 89 1F E8 ?? ?? ?? ?? BA ?? ?? ?? ?? C6 45 ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 33 FF 66 66 0F 1F 84 00 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? FF B7 ?? ?? ?? ?? 0F 43 45 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? + ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 83 C7 ?? 83 FF + ?? 72 ?? 8B 5D ?? 85 DB 0F 85 ?? ?? ?? ?? 8D 85 ?? 
?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 46 ?? 8D 4D ?? 51 39 46 ?? 74 ?? 8B C8 E8 ?? ?? ?? + ?? 8B 7E ?? 8D 8D ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0E 8D 41 ?? F7 D9 1B C9 23 C8 + } + + $find_files_p7 = { + 74 ?? 8B 01 85 C0 74 ?? 39 78 ?? 72 ?? 77 ?? C7 00 ?? ?? ?? ?? 8B 01 8B 40 ?? 89 01 + EB ?? 8D 48 ?? 8B 01 85 C0 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 46 ?? ?? EB ?? + 50 8B CE E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? 8B 46 ?? 8D 4D ?? 51 39 46 ?? 74 ?? 8B C8 E8 ?? ?? ?? ?? 8B 7E ?? 8D 8D + ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0E 8D 41 ?? F7 D9 1B C9 23 C8 74 ?? 8B 01 85 C0 + 74 ?? 66 0F 1F 44 00 ?? 39 78 ?? 72 ?? 77 ?? C7 00 ?? ?? ?? ?? 8B 01 8B 40 ?? 89 01 + EB ?? 8D 48 ?? 8B 01 85 C0 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 46 ?? ?? EB ?? + 50 8B CE E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 8D ?? ?? ?? ?? ?? 8B D8 8B 7D ?? 85 FF 74 ?? 8B 3F 8B CB E8 ?? ?? ?? ?? 3B + } + + $find_files_p8 = { + C7 74 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 + ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? CC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 43 ?? 3B 45 ?? 74 ?? 8D 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B3 ?? EB ?? 32 DB 8B 85 ?? + ?? ?? ?? A8 ?? 74 ?? 83 E0 ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 84 DB 0F + 84 ?? ?? ?? ?? 8B 46 ?? 8D 4D ?? 51 39 46 ?? 0F 84 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? + 8B 7E ?? 8D 8D ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0E 8D 41 ?? F7 D9 1B C9 23 C8 74 + ?? 8B 01 85 C0 74 ?? 90 39 78 ?? 72 ?? 77 ?? C7 00 ?? ?? ?? ?? 8B 01 8B 40 ?? 89 01 + EB ?? 8D 48 ?? 8B 01 85 C0 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 46 ?? ?? E9 ?? + ?? ?? ?? 83 FB ?? 0F 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 
83 8D ?? ?? ?? ?? ?? 8B D8 8B 7D ?? 85 FF 74 ?? 8B 3F 8B CB E8 ?? + ?? ?? ?? 3B C7 74 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? CC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 43 ?? 3B 45 ?? 75 ?? 8D + } + + $find_files_p9 = { + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B3 ?? EB ?? 32 + DB 8B 85 ?? ?? ?? ?? A8 ?? 74 ?? 83 E0 ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? + C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? C6 45 ?? ?? 84 DB 0F 84 ?? ?? ?? ?? 8B 46 ?? 8D 4D ?? 51 39 46 ?? 0F 84 ?? + ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8B 7E ?? 8D 4D ?? 6A ?? E8 ?? ?? ?? ?? 8B 0E 8D 41 ?? + F7 D9 1B C9 23 C8 74 ?? 8B 01 85 C0 74 ?? 39 78 ?? 72 ?? 77 ?? C7 00 ?? ?? ?? ?? 8B + 01 8B 40 ?? 89 01 EB ?? 8D 48 ?? 8B 01 85 C0 75 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 46 ?? + ?? E9 ?? ?? ?? ?? 83 FB ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 46 ?? 8D 4D ?? 51 39 46 ?? 74 ?? 8B C8 E8 ?? ?? + ?? ?? 8B 7E ?? 8D 4D ?? 6A ?? E8 ?? ?? ?? ?? 8B 0E 8D 41 ?? F7 D9 1B C9 23 C8 74 ?? + 8B 01 85 C0 74 ?? 66 0F 1F 44 00 ?? 39 78 ?? 72 ?? 77 ?? C7 00 ?? ?? ?? ?? 8B 01 8B + } + + $find_files_p10 = { + 40 ?? 89 01 EB ?? 8D 48 ?? 8B 01 85 C0 75 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 46 ?? ?? EB + ?? 50 8B CE E8 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? + ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? + 75 ?? 33 FF 6A ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 8B 4D ?? 64 89 0D ?? 
?? ?? ?? 59 5F + 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B + 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? E8 + } + + $encrypt_files_p1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 44 24 ?? 55 8B 6C 24 ?? 56 8B + 74 24 ?? 57 8B 7C 24 ?? 85 F6 0F 8E ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? + 83 C4 ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 57 E8 + ?? ?? ?? ?? 83 C4 ?? 89 44 24 ?? 85 C0 75 ?? A1 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? ?? + ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 83 C8 ?? 5F 5E 5D 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C3 8B 4C 24 ?? 8B C1 + 83 E8 ?? 74 ?? 51 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? + 83 C4 ?? 85 C0 75 ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 + ?? 83 C8 ?? 5F 5E 5D 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C3 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? A1 ?? ?? ?? ?? 85 C0 75 + } + + $encrypt_files_p2 = { + E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 83 C8 ?? 5F 5E 5D 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C3 33 C9 + 85 F6 7E ?? 8D 56 ?? 53 8B 5C 24 ?? 03 D7 66 0F 1F 44 00 ?? 8A 04 19 8D 52 ?? 41 88 + 42 ?? 3B CE 7C ?? 5B 8D 44 24 ?? 89 74 24 ?? 50 8B 44 24 ?? 57 6A ?? 6A ?? 6A ?? FF + 70 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? + ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 
50 E8 ?? ?? ?? ?? 8D 44 + 24 ?? 50 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? FF 74 24 ?? 57 E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 C8 ?? 5F 5E 5D 8B 4C 24 ?? 33 CC + E8 ?? ?? ?? ?? 83 C4 ?? C3 8B 74 24 ?? 56 57 55 E8 ?? ?? ?? ?? 56 57 E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4C 24 ?? 8B C6 5F 5E 5D + 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C3 + } + + $remote_connection_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 6A ?? E8 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? + E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8B D8 FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 83 + C4 ?? 49 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? 83 3D ?? ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 0F 43 15 ?? ?? ?? ?? 89 41 ?? 8B F2 A1 ?? ?? ?? ?? 89 + 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? 8A 02 42 84 C0 75 ?? 8D BD ?? + ?? ?? ?? 2B D6 4F 8A 47 ?? 47 84 C0 75 ?? 8B CA C1 E9 ?? F3 A5 8B CA 83 E1 ?? F3 A4 + 8D 8D ?? ?? ?? ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 8B F2 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? 66 90 8A 02 42 84 + C0 75 ?? 8D BD ?? ?? ?? ?? 2B D6 4F 8A 47 ?? 47 84 C0 75 ?? 8B CA C1 E9 ?? F3 A5 8B + CA 83 E1 ?? F3 A4 8D 8D ?? ?? ?? ?? 49 0F 1F 00 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 8B F3 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? 8A 03 43 + 84 C0 75 ?? 8D BD ?? ?? ?? ?? 2B DE 4F 8A 47 ?? 47 84 C0 75 ?? 8B CB C1 E9 ?? F3 A5 + 8B CB 83 E1 ?? F3 A4 8D 8D ?? ?? ?? ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 8B F2 89 01 A1 ?? ?? ?? ?? 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? 0F + } + + $remote_connection_p2 = { + 1F 44 00 ?? 8A 02 42 84 C0 75 ?? 8D BD ?? ?? ?? ?? 
2B D6 4F 8A 47 ?? 47 84 C0 75 ??
+ 8B CA C1 E9 ?? F3 A5 8B CA 83 E1 ?? F3 A4 8D 8D ?? ?? ?? ?? 49 0F 1F 00 8A 41 ?? 8D
+ 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41
+ ?? A0 ?? ?? ?? ?? 6A ?? 88 41 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ??
+ ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 8D ?? ??
+ ?? ?? 83 C4 ?? C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 08 C7 45
+ ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 51 ?? C7 85 ?? ??
+ ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 0F 1F 00 8A 01 41 84 C0 75 ?? 2B CA 8D 85 ??
+ ?? ?? ?? 51 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ??
+ ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ??
+ 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B D8 85
+ DB 74 ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6
+ 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 56
+ FF 15 ?? ?? ?? ?? 56 FF D7 53 FF D7 FF B5 ?? ?? ?? ?? FF D7 8D 8D ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B
+ 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara b/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara
new file mode 100644
index 0000000..688e5b7
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara
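Review bot: Win32.Ransomware.5ss5c.yara is written without a trailing newline (`\ No newline at end of file` follows the closing `}`), and the same is true of Win32.Ransomware.ASN1Encoder.yara and Win32.Ransomware.Acepy.yara in the next two hunks; ending each rule file with a newline keeps later diffs clean and avoids spurious end-of-file churn. The condition is also worth a second look: `uint16(0) == 0x5A4D` checks only the MZ magic, so any file starting with those two bytes, whatever its size, is scanned in full against fourteen long wildcarded byte patterns. A size bound, e.g. `uint16(0) == 0x5A4D and filesize < 10MB and` (10MB is an illustrative figure; size it to the known samples), is the usual way to cap scan cost, and it applies equally to the other two rules.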
@@ -0,0 +1,136 @@ +rule Win32_Ransomware_ASN1Encoder : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ASN1ENCODER" + description = "Yara rule that detects ASN1Encoder ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ASN1Encoder" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 0F B6 + 84 34 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 2B C6 68 ?? ?? ?? ?? 03 C0 50 53 E8 ?? ?? ?? ?? + 83 C4 ?? 83 C3 ?? 46 83 FE ?? 72 ?? 8B 5C 24 ?? BE ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 50 + 68 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 56 50 + E8 ?? ?? ?? ?? 33 C0 83 C4 ?? 8B F0 85 FF 74 ?? A1 ?? ?? ?? ?? 0F B6 04 06 50 B8 ?? + ?? ?? ?? 2B C6 68 ?? ?? ?? ?? 03 C0 50 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 C3 ?? 46 3B F7 + 72 ?? 8B 5C 24 ?? A1 ?? ?? ?? ?? BE ?? ?? ?? ?? 53 50 68 ?? ?? ?? ?? 56 50 E8 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? C1 E8 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 94 24 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 8B FB 8B F0 0F B6 + 84 34 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 2B C6 68 ?? ?? ?? ?? 03 C0 50 57 E8 ?? ?? ?? ?? + 83 C4 ?? 83 C7 ?? 46 83 FE ?? 72 ?? A1 ?? ?? ?? ?? 53 50 68 ?? ?? ?? ?? BB ?? ?? ?? + ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 50 68 ?? + ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 50 68 + ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 33 F6 8D 51 ?? 66 8B 01 + 83 C1 ?? 66 3B C6 75 ?? 2B CA 8B 15 ?? ?? ?? ?? D1 F9 8D 72 ?? 8A 02 42 84 C0 75 ?? + 8B 3D ?? ?? ?? ?? 2B D6 8D 04 0A 8D 34 45 ?? ?? ?? ?? 56 6A ?? FF D7 50 FF 15 ?? ?? 
+ ?? ?? 8B D8 8D 04 36 50 6A ?? 89 5C 24 ?? FF D7 50 FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? + ?? 8B F8 FF 35 ?? ?? ?? ?? 89 7C 24 ?? 68 ?? ?? ?? ?? 56 53 E8 ?? ?? ?? ?? 33 C9 89 + } + + $remote_connection_p2 = { + 44 24 ?? 83 C4 ?? 89 8C 24 ?? ?? ?? ?? 8B D9 85 C0 7E ?? 8B 44 24 ?? 0F B7 04 58 66 + 89 84 24 ?? ?? ?? ?? 83 F8 ?? 75 ?? 83 EF ?? 66 8B 47 ?? 83 C7 ?? 66 3B C1 75 ?? BE + ?? ?? ?? ?? 83 C3 ?? A5 A5 66 A5 EB ?? 8D 94 24 ?? ?? ?? ?? 8B F2 66 8B 02 83 C2 ?? + 66 3B C1 75 ?? 2B D6 83 EF ?? 66 8B 47 ?? 83 C7 ?? 66 3B C1 75 ?? 8B CA C1 E9 ?? F3 + A5 8B CA 83 E1 ?? F3 A4 33 C9 8B 7C 24 ?? 43 3B 5C 24 ?? 7C ?? FF 74 24 ?? 51 FF 15 + ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 50 FF D6 FF 35 ?? ?? ?? ?? 33 C0 50 FF 15 ?? ?? ?? ?? + 50 FF D6 8B 5C 24 ?? 53 33 DB 53 FF 15 ?? ?? ?? ?? 50 FF D6 FF 74 24 ?? 53 FF 15 ?? + ?? ?? ?? 50 FF D6 FF 74 24 ?? 53 FF 15 ?? ?? ?? ?? 50 FF D6 8B 5C 24 ?? 89 3D ?? ?? + ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 33 FF E9 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 57 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 89 44 24 ?? 85 C0 + 0F 84 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 8B F3 89 5C 24 ?? 8D 4E ?? 8A 06 46 84 + C0 75 ?? 8B 3D ?? ?? ?? ?? 2B F1 68 ?? ?? ?? ?? 6A ?? FF D7 50 FF 15 ?? ?? ?? ?? 89 + 44 24 ?? 85 DB 0F 84 ?? ?? ?? ?? 81 FE ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? FF D7 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 44 24 ?? 8D 84 24 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? + ?? ?? BA ?? ?? ?? ?? C1 E8 ?? 50 E8 ?? ?? ?? ?? 59 8D 94 24 ?? ?? ?? ?? 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 8B C8 8B F8 3B FE 73 ?? 81 F9 ?? ?? ?? ?? 74 ?? FF 74 + 24 ?? 8D 84 24 ?? ?? ?? ?? 50 8D 04 1F 50 E8 + } + + $encrypt_files_p1 = { + 8B CA 8D 84 24 ?? ?? ?? ?? C1 E9 ?? F3 A5 53 68 ?? ?? ?? ?? 6A ?? 53 6A ?? 8B CA 83 + E1 ?? 68 ?? ?? ?? ?? F3 A4 50 FF 15 ?? ?? ?? ?? 8B D8 33 FF 89 5C 24 ?? 89 3D ?? 
?? + ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 83 FB ?? 74 ?? 85 DB 0F 85 ?? ?? ?? ?? 33 + F6 8D 8C 24 ?? ?? ?? ?? 8B DE E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? BE ?? ?? ?? ?? 50 + 8D 44 24 ?? 8B D6 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 8B CE E8 ?? ?? ?? ?? 33 D2 + 8D 88 ?? ?? ?? ?? 8D 81 ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? 8B 44 24 ?? C1 E8 ?? 89 + 44 24 ?? 83 C0 ?? 89 44 24 ?? 8B F0 8B C1 F7 F6 40 0F AF 44 24 ?? 50 6A ?? 89 44 24 + ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? 6A ?? FF 15 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 89 44 24 ?? E8 ?? ?? ?? ?? 8B 54 24 ?? + 8D 44 24 ?? 83 C4 ?? 81 C2 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 39 5C 24 ?? 76 ?? 8B 44 24 ?? 8D + 54 24 ?? 8B 4C 24 ?? 2B C3 3B 44 24 ?? 0F 42 F0 8D 84 24 ?? ?? ?? ?? 50 8B 44 24 ?? + 8D 0C 39 68 ?? ?? ?? ?? 03 C3 56 50 E8 ?? ?? ?? ?? 03 7C 24 ?? 83 C4 ?? 03 DE 3B 7C + 24 ?? 72 ?? 33 FF 8D 84 24 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 57 6A ?? 68 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 5C 24 ?? 83 FB ?? 74 ?? 85 DB 74 ?? 57 8D 44 24 ?? + 89 7C 24 ?? 8B 3D ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF D7 33 F6 8D 44 + } + + $encrypt_files_p2 = { + 24 ?? 56 50 FF 74 24 ?? FF 74 24 ?? 53 FF D7 33 FF 68 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? FF 74 24 ?? 57 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 50 FF D6 + FF 74 24 ?? 57 FF 15 ?? ?? ?? ?? 50 FF D6 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? + ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 6A ?? FF 15 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 F6 56 53 FF 15 ?? ?? ?? ?? 3D ?? + ?? ?? ?? 76 ?? 39 35 ?? ?? ?? ?? 75 ?? 56 53 FF 15 ?? ?? ?? ?? 56 8B F8 B8 ?? ?? ?? + ?? 56 50 53 2B F8 FF 15 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 
50 FF 15 ?? ?? ?? ?? + 56 8D 8C 24 ?? ?? ?? ?? A3 ?? ?? ?? ?? 51 57 50 53 FF 15 ?? ?? ?? ?? 33 C0 50 50 50 + 53 FF 15 ?? ?? ?? ?? 33 F6 8D 84 24 ?? ?? ?? ?? 56 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF + 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D8 6A ?? 89 5C 24 ?? FF 15 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA + ?? ?? ?? ?? C1 E8 ?? 50 E8 ?? ?? ?? ?? 59 8D 94 24 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? + 50 FF 15 + } + + $find_files = { + 53 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 35 ?? ?? ?? ?? FF D6 83 C4 ?? 53 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF D6 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 8B F0 89 75 ?? 83 FE ?? 0F 84 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? + ?? ?? 33 DB B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? + 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 8B C3 EB ?? 1B C0 83 + C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 + ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 8B + C3 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? + F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 59 BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 + A5 6A ?? 59 BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 A5 66 A5 6A ?? 59 BE ?? ?? ?? ?? 8D + BD ?? ?? ?? ?? F3 A5 66 A5 BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? A5 A5 A5 A5 50 E8 ?? ?? + ?? ?? 59 8B F0 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? + ?? ?? 50 56 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? + 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? 
?? ?? ?? 59 59 85 C0 75 ?? FF 75 ??
+ 8B 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B 75 ?? E9 ?? ?? ?? ?? FF 75 ?? E9 ??
+ ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 66 39 1F 0F 84
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Acepy.yara b/yara/ransomware/Win32.Ransomware.Acepy.yara
new file mode 100644
index 0000000..b5d3409
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Acepy.yara
@@ -0,0 +1,69 @@
+rule Win32_Ransomware_Acepy : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "ACEPY"
+ description = "Yara rule that detects Acepy ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Acepy"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ??
+ 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ??
+ 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 45 ?? 8B 08 51 E8 ?? ?? ?? ??
+ 83 C4 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ??
+ E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ??
+ B8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50
+ 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50
+ E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ??
+ ?? ?? B8 ?? ?? ?? ?? C9 C3
+ }
+
+ $encrypt_files = {
+ 55 89 E5 81 EC ?? ?? ?? ?? 90 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ??
+ 89 45 ?? 8B 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ??
+ ?? ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? B8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ??
+ 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 40 50 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ??
+ 89 45 ?? 8B 45 ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4
+ ?? B8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 4D ?? 39 C8 0F 83 ?? ?? ?? ?? E9 ?? ?? ?? ??
+ 8B 45 ?? 89 C1 40 89 45 ?? EB ?? 8B 45 ?? 8B 4D ?? 01 C1 8B 45 ?? 8B 55 ?? 01 C2 8B
+ 45 ?? 50 89 4D ?? 89 55 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 8B 4D ?? 31 D2
+ F7 F1 8B 45 ?? 01 D0 8B 4D ?? 0F BE 09 0F BE 10 31 D1 8B 45 ?? 88 08 EB ?? B8 ?? ??
+ ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 B9 ?? ?? ?? ?? 51 50 E8 ??
+ ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C9 C3
+ }
+
+ $drop_ransom_note = {
+ 55 89 E5 81 EC ?? ?? ?? ?? 90 B8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ??
+ 89 45 ?? 8B 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ??
+ ?? ?? B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 50 B8 ?? ?? ?? ?? 50 B8
+ ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ??
+ ?? ?? C9 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ $drop_ransom_note
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Afrodita.yara b/yara/ransomware/Win32.Ransomware.Afrodita.yara
new file mode 100644
index 0000000..b162a4c
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Afrodita.yara
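Review bot: The condition wraps its three string clauses in an extra level of parentheses, `( $find_files and ( all of ($encrypt_files_p*) ) and ( all of ($remote_connection_p*) ) )`, which adds nothing over the flat layout the sibling rules use; `uint16(0) == 0x5A4D and $find_files and all of ($encrypt_files_p*) and all of ($remote_connection_p*)` is equivalent and easier to diff against them. Separately, `$remote_connection_p1` ends in `33 C9 89` and `$remote_connection_p2` begins `44 24 ??`, so the two parts appear to be consecutive slices of one routine cut mid-instruction (`89 44 24 ??`); since `all of` does not require the parts to be adjacent, a one-line comment above `$remote_connection_p1` recording that they are consecutive slices of the same function, split only for length, would save the next reader from hunting for the join.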
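Review bot: `$encrypt_files` and `$drop_ransom_note` are byte-identical for their first two pattern lines and the start of the third (`55 89 E5 81 EC ?? ?? ?? ?? 90 B8 …` through `?? ?? B8 ?? ?? ?? ?? 50`, roughly the first 50 bytes), which is a generic prologue-plus-calls sequence, so only the tail of `$drop_ransom_note` actually distinguishes it. A comment above it such as `// shares its first ~50 bytes (prologue and first call sequence) with $encrypt_files; the distinguishing bytes start on the third line` would record that the overlap is intended and that the condition relies on all three strings together. The condition `( ( $find_files ) and ( $encrypt_files ) and ( $drop_ransom_note ) )` also wraps each single string in its own parentheses; since these are all of the rule's strings, `uint16(0) == 0x5A4D and all of them` is equivalent and shorter.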
@@ -0,0 +1,119 @@ +rule Win32_Ransomware_Afrodita : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AFRODITA" + description = "Yara rule that detects Afrodita ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Afrodita" + tc_detection_factor = 5 + + strings: + + $exclude_directories_and_drop_ransom_note = { + 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 8D ?? ?? + ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? E9 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 75 ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B + 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? + ?? ?? 89 8D ?? ?? ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8D 4D ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A + ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 
?? 8D + 4D ?? E8 ?? ?? ?? ?? EB ?? B8 + } + + $drop_ransom_note_no_dir_exclusion = { + 8D 95 ?? ?? ?? ?? 52 8B 43 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 + ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 52 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 33 C0 88 85 ?? ?? ?? ?? 33 C9 88 8D ?? ?? + ?? ?? 33 D2 88 95 ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? 50 0F B6 8D ?? ?? ?? ?? 51 0F B6 + 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B C8 E8 ?? ?? ?? ?? + 50 8B 4B ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 6A ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 + ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? EB ?? 8B + 5D ?? B8 ?? ?? ?? ?? C3 C7 45 + } + + $find_files_p1 = { + 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 8B 55 ?? 53 + 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 74 ?? + 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 ?? ?? ?? ?? 8A 01 88 85 ?? ?? ?? + ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? + ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 8A C3 75 ?? B0 ?? 2B + CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D ?? ?? ?? ?? 56 1B C0 89 9D ?? ?? ?? ?? + 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? F7 D8 + } + + $find_files_p2 = { + 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 + ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 48 ?? 
2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 ?? 8A 48 ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? + ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? + ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? + 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 59 8B D8 56 FF 15 ?? ?? ?? + ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B C3 8B 4D ?? + 5F 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files = { + 53 8B DC 83 EC ?? 83 E4 ?? 83 C4 ?? 55 8B 6B ?? 89 6C 24 ?? 8B EC 6A ?? 68 ?? ?? ?? + ?? 64 A1 ?? ?? ?? ?? 50 53 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 50 8D 45 + ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4B ?? 51 + FF 15 ?? ?? ?? ?? 83 E0 ?? 74 ?? 8B 53 ?? 52 FF 15 ?? ?? ?? ?? 83 E0 ?? 50 8B 43 ?? + 50 FF 15 ?? ?? ?? ?? 8B 4B ?? 51 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 53 + ?? 52 8D 45 ?? 50 83 EC ?? 8B CC 89 A5 ?? ?? ?? ?? 51 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 8D 55 ?? 52 8B 43 ?? 50 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 + ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8B 43 ?? 50 8D + 4D ?? 51 83 EC ?? 8B D4 89 A5 ?? ?? ?? ?? 52 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B 43 ?? 50 8B 8D ?? ?? ?? ?? 
51 FF 15 ?? ?? ?? ?? + C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? + 33 CD E8 ?? ?? ?? ?? 8B E5 5D 8B E3 5B C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) and + ( + ( + $exclude_directories_and_drop_ransom_note + ) or + ( + $drop_ransom_note_no_dir_exclusion + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Ako.yara b/yara/ransomware/Win32.Ransomware.Ako.yara new file mode 100644 index 0000000..be0e776 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Ako.yara 
@@ -0,0 +1,152 @@ +rule Win32_Ransomware_Ako : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AKO" + description = "Yara rule that detects Ako ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ako" + tc_detection_factor = 5 + + strings: + + $encrypt_network_shares_win32_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 8B 45 ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? 8B 4D ?? 81 C1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 C8 85 C9 0F 85 ?? ?? ?? ?? 8B + 4D ?? E8 ?? ?? ?? ?? 0F B6 D0 85 D2 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 45 + ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? E8 ?? ?? ?? ?? 0F B6 D0 85 D2 0F + 85 ?? ?? ?? ?? 8D 45 ?? 50 8B 4D ?? 83 C1 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 4D ?? E8 ?? ?? ?? ?? 50 8D 95 + ?? ?? ?? ?? 52 8B 4D ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D ?? E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 52 + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + } + + $encrypt_network_shares_win32_p2 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 50 8D 95 ?? + ?? ?? ?? 52 8B 4D ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 50 8D 95 ?? ?? 
?? ?? 52 + 8B 4D ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? + E8 ?? ?? ?? ?? 0F B6 C8 85 C9 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 55 ?? + 83 C2 ?? 89 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 39 45 ?? 73 ?? 83 7D ?? ?? 76 ?? 8B 45 + } + + $encrypt_network_shares_win32_p3 = { + 33 D2 B9 ?? ?? ?? ?? F7 F1 85 D2 75 ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 8D 4D ?? E8 + ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? 89 45 ?? EB ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? + 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 55 ?? 52 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 8B 4D ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8B 4D ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 50 8D 95 ?? ?? ?? ?? 52 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? 50 8B 4D ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 8D + 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8A 45 ?? EB ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? 32 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D + C2 + } + + $find_files_win32_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 53 57 33 DB 8D 51 ?? 66 8B 01 83 C1 ?? 66 3B C3 75 ?? 8B + 7D ?? 2B CA D1 F9 8B C7 41 F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 56 8D 5F ?? 03 + D9 6A ?? 
53 E8 ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 75 ?? FF 75 ?? 2B DF 8D 04 7E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? 8B 7D ?? 8B CF E8 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 56 E8 ?? ?? ?? ?? 59 EB + ?? 8B 47 ?? 89 30 83 47 ?? ?? 33 DB 6A ?? E8 ?? ?? ?? ?? 59 8B C3 5E 5F 5B 8B E5 5D + C3 33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? + ?? ?? 33 C5 89 45 ?? 8B 55 ?? 8B 4D ?? 53 8B 5D ?? 89 8D ?? ?? ?? ?? 56 57 3B D3 74 + ?? 0F B7 02 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 84 C0 75 ?? 83 EA ?? 3B D3 75 ?? 8B + } + + $find_files_win32_p2 = { + 8D ?? ?? ?? ?? 0F B7 32 83 FE ?? 75 ?? 8D 43 ?? 3B D0 74 ?? 51 33 FF 57 57 53 E8 ?? + ?? ?? ?? 83 C4 ?? EB ?? 56 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 2B D3 0F B6 C0 D1 FA 42 + F7 D8 68 ?? ?? ?? ?? 1B C0 33 FF 23 C2 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B + 85 ?? ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 + ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B + 48 ?? 2B 08 C1 F9 ?? 6A ?? 89 8D ?? ?? ?? ?? 59 66 39 8D ?? ?? ?? ?? 75 ?? 66 39 BD + ?? ?? ?? ?? 74 ?? 66 39 8D ?? ?? ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 50 FF B5 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? + ?? 50 56 FF 15 ?? ?? ?? ?? 6A ?? 85 C0 8B 85 ?? ?? ?? ?? 59 75 ?? 8B 10 8B 40 ?? 8B + 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 + 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $encrypt_files_win32_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 83 7D ?? ?? 74 ?? 83 7D ?? ?? + 75 ?? 32 C0 E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 8B 4D ?? E8 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 73 ?? 32 C0 E9 ?? ?? ?? ?? C7 45 ?? + ?? ?? 
?? ?? 33 C9 89 4D ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 32 + C0 E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8B 8D ?? ?? ?? ?? + 51 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 33 D2 89 55 ?? C7 45 ?? ?? ?? ?? ?? 33 C0 89 45 ?? 0F 57 C0 66 0F 13 85 ?? + ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 81 C1 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 D2 ?? 89 8D + ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 45 ?? 0F 8F ?? ?? ?? ?? 7C ?? 8B + 8D ?? ?? ?? ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? 6A ?? 8D 55 ?? 52 + } + + $encrypt_files_win32_p2 = { + 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? C6 45 ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 + 68 ?? ?? ?? ?? 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 + 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? + ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 + 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 05 ?? ?? ?? ?? 89 45 ?? 8B 4D ?? 3B 4D ?? + 0F 83 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 03 45 ?? 50 6A ?? 8D 4D ?? + E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8D 45 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 6A ?? 8B 4D ?? 51 8B 4D ?? E8 ?? ?? ?? ?? 0F B6 D0 + 85 D2 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 + ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 8D ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 50 8B 55 + ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? EB ?? E9 ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 4D + ?? 8B 95 ?? ?? ?? ?? 89 55 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
33 C0 89 85 + } + + $encrypt_files_win32_p3 = { + 8B 8D ?? ?? ?? ?? 89 4D ?? 8B 95 ?? ?? ?? ?? 89 55 ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 + 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 + 8B 4D ?? 83 C1 ?? E8 ?? ?? ?? ?? 50 8B 4D ?? 83 C1 ?? E8 ?? ?? ?? ?? 50 8B 55 ?? 52 + FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 4D ?? 83 C1 ?? E8 ?? ?? ?? ?? 39 45 ?? 75 ?? 0F 57 + C0 66 0F 13 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 4D + ?? 89 4D ?? 8B 55 ?? 89 55 ?? 6A ?? 8D 45 ?? 50 6A ?? 8D 4D ?? 51 8B 55 ?? 52 FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8A 45 ?? EB ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 8A 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B + E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_win32_p*) + ) and + ( + all of ($encrypt_files_win32_p*) + ) and + ( + all of ($encrypt_network_shares_win32_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Alcatraz.yara b/yara/ransomware/Win32.Ransomware.Alcatraz.yara new file mode 100644 index 0000000..2f64e1b --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Alcatraz.yara 
@@ -0,0 +1,91 @@ +rule Win32_Ransomware_Alcatraz : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ALCATRAZ" + description = "Yara rule that detects Alcatraz ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Alcatraz" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A + ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 83 C8 ?? E9 + ?? ?? ?? ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 75 ?? 83 C8 ?? E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 + BD ?? ?? ?? ?? ?? 75 ?? 83 C8 ?? E9 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? + ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? + ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 + ?? 83 C8 ?? E9 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? + ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 0F B6 D0 85 D2 75 ?? 83 7D ?? ?? 74 ?? 6A + ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 75 ?? 83 C8 ?? EB ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? + ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? + 33 CD E8 ?? ?? ?? ?? 
8B E5 5D C3 + } + + $remote_server = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 6A ?? 6A ?? 68 ?? ?? ?? + ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 6A ?? 6A + ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D + ?? ?? 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 74 ?? 6A ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 + ?? 83 C8 ?? E9 ?? ?? ?? ?? 8B 4D ?? 83 C1 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 + 7D ?? ?? 75 ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 55 ?? 83 C2 ?? 52 6A ?? 8B 45 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 FF 15 + ?? ?? ?? ?? 85 C0 75 ?? 83 C8 ?? E9 ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B + 55 ?? 83 C2 ?? 89 55 ?? 8B 45 ?? 3B 45 ?? 73 ?? 8B 4D ?? 03 4D ?? 0F BE 11 83 FA ?? + 74 ?? 8B 45 ?? 03 45 ?? 0F BE 08 83 F9 ?? 74 ?? 8B 55 ?? 03 55 ?? 8B 45 ?? 03 45 ?? + 8A 08 88 0A EB ?? 8B 55 ?? 03 55 ?? C6 02 ?? EB ?? EB ?? EB ?? 83 7D ?? ?? 0F 87 ?? + ?? ?? ?? 83 7D ?? ?? 75 ?? 83 C8 ?? EB ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 FF 15 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 55 ?? 52 + FF 15 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_server_2 = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 89 45 ?? A1 ?? ?? ?? ?? 50 8B 0D ?? ?? ?? ?? 51 8B 15 ?? ?? ?? ?? 52 + A1 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 8B 0D ?? ?? ?? ?? 51 68 + ?? ?? 
?? ?? 8B 15 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 89 45 ?? 83 7D ?? ?? 74 ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? + ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 68 + ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 6A ?? 8B 55 ?? + 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D + 45 ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 E9 ?? ?? ?? ?? 8B 55 ?? 83 + C2 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 75 ?? C7 45 ?? ?? ?? ?? ?? 33 + C0 E9 ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 50 6A ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 + C0 EB ?? EB ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 8B 4D ?? + 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 74 ?? B8 ?? ?? ?? ?? EB ?? 83 7D ?? ?? 0F 87 ?? + ?? ?? ?? 83 7D ?? ?? 75 ?? 83 C8 ?? EB ?? 83 7D ?? ?? 74 ?? 8B 55 ?? 52 FF 15 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 4D ?? 51 + FF 15 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_files and $remote_server and $remote_server_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.AnteFrigus.yara b/yara/ransomware/Win32.Ransomware.AnteFrigus.yara new file mode 100644 index 0000000..ee6d236 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.AnteFrigus.yara 
@@ -0,0 +1,210 @@ +rule Win32_Ransomware_AnteFrigus : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ANTEFRIGUS" + description = "Yara rule that detects AnteFrigus ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "AnteFrigus" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 68 ?? ?? ?? ?? 8B D0 + 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 83 65 ?? ?? 8D 8D ?? ?? ?? ?? 83 7D ?? ?? 8D 45 + ?? 51 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 33 C0 8D 7D + ?? AB AB AB 33 C0 89 45 ?? 89 45 ?? 89 45 ?? C6 45 ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 68 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 59 8B D0 C6 45 ?? ?? 8B 4A ?? 8B 7A ?? 2B + CF 39 4E ?? 76 ?? 8B 46 ?? 2B 46 ?? 3B C7 72 ?? 83 7A ?? ?? 72 ?? 8B 12 57 52 51 8B + CE E8 ?? ?? ?? ?? EB ?? 56 8B CA E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 85 ?? + ?? ?? ?? ?? 8D 45 ?? FF B5 ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 83 7D ?? ?? 8D 4D ?? 8B 45 ?? 0F 43 4D ?? 8D 04 41 8D 4D ?? 0F 43 4D ?? 51 50 51 8D + 4D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 83 65 ?? ?? 8D 4D ?? 83 65 ?? ?? 50 E8 ?? + ?? ?? ?? C6 45 ?? ?? 8D 75 ?? 83 7D ?? ?? 8B 55 ?? 0F 43 75 ?? 85 D2 74 ?? 83 C9 ?? + 8D 42 ?? 3B C1 0F 42 C8 03 CE EB ?? 3B CE 74 ?? 49 80 39 ?? 75 ?? 2B CE EB ?? 83 C9 + ?? 83 F9 ?? 0F 84 ?? ?? ?? ?? 83 65 ?? ?? 8D 71 ?? C7 45 ?? ?? ?? ?? ?? C6 45 + } + + $find_files_p2 = { + 3B D6 0F 82 ?? ?? ?? ?? 2B D6 8D 45 ?? 83 C9 ?? 83 FA ?? 0F 42 CA 83 7D ?? 
?? 51 0F + 43 45 ?? 8D 4D ?? 03 C6 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 8D 45 ?? 50 83 + 61 ?? ?? 83 61 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 51 51 8D 45 ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 70 ?? 03 30 3B F7 7D ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B F7 7D ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 8B 45 ?? 8D 4D ?? 51 3B 45 ?? 74 ?? 8B C8 E8 ?? ?? + ?? ?? 83 45 ?? ?? EB ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? + C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 75 ?? 6A ?? 5B 3B F7 74 ?? 56 E8 ?? ?? ?? + ?? 03 F3 59 3B F7 75 ?? 8B 7D ?? 8B 75 ?? 85 F6 74 ?? 3B F7 74 ?? 8B CE E8 ?? ?? ?? + ?? 03 F3 3B F7 75 ?? 8B 75 ?? 8B 45 ?? 2B C6 99 F7 FB 6B C0 ?? 50 56 E8 ?? ?? ?? ?? + 59 59 8D 4D ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E8 + } + + $remote_connection_p1 = { + 55 8D AC 24 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 85 ?? ?? ?? ?? 53 56 57 50 8D 45 ?? 64 A3 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 BA ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? + ?? ?? ?? 
C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 0F 43 + 8D ?? ?? ?? ?? 03 F9 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? 0F 43 B5 ?? ?? ?? ?? 33 C0 66 89 85 ?? ?? ?? ?? 33 DB 8B C7 89 9D + } + + $remote_connection_p2 = { + 2B C6 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? C6 45 ?? ?? EB ?? 66 0F BE 06 8D + 8D ?? ?? ?? ?? 0F B7 C0 50 E8 ?? ?? ?? ?? 46 3B F7 75 ?? 53 53 53 53 68 ?? ?? ?? ?? + C6 45 ?? ?? 88 5D ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 6A ?? 33 C0 50 + 6A ?? 50 50 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 89 45 ?? 85 + C0 74 ?? 6A ?? 68 ?? ?? ?? ?? 33 C9 51 51 51 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8B F0 85 F6 74 ?? 33 C0 50 50 50 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 + ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 56 FF D7 FF 75 ?? FF D7 53 FF + D7 80 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 8D ?? ?? ?? ?? 33 CD E8 ?? ?? ?? ?? 81 + C5 ?? ?? ?? ?? C9 C3 8B 85 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 3D ?? ?? ?? ?? 73 ?? + 8D 95 ?? ?? ?? ?? C6 84 05 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? + E9 ?? ?? ?? ?? E8 + } + + $encrypt_files_p1 = { + 66 39 03 0F 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 33 C0 8D 8D ?? + ?? ?? ?? 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 
89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 95 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 0F 43 95 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 5B C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 39 9D ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 8D 04 41 8D 8D ?? ?? ?? ?? 0F 43 8D ?? ?? ?? + ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 BA ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D + } + + $encrypt_files_p2 = { + 8D ?? ?? ?? ?? 83 C4 ?? 3B C8 74 ?? 33 C9 88 4D ?? 8D 8D ?? ?? ?? ?? FF 75 ?? 50 E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 56 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 33 C0 59 89 85 ?? + ?? ?? ?? 89 8D ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 88 + 85 ?? ?? ?? ?? BF ?? ?? ?? ?? C6 45 ?? ?? 57 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 8D 4D + ?? E8 ?? ?? ?? ?? 33 C0 C6 45 ?? ?? 57 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 59 99 F7 F9 8D 4D ?? + 52 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 59 99 F7 F9 8D 8D ?? ?? ?? ?? 52 E8 ?? ?? ?? + ?? 83 EB ?? 75 ?? 8D 95 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 57 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 
51 51 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? + ?? ?? ?? 39 9D ?? ?? ?? ?? 74 ?? 83 BD ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? 0F 43 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 56 8D 4D ?? E8 ?? ?? ?? ?? 59 8D 8D ?? + ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 56 8D 45 ?? + C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 + } + + $encrypt_files_p3 = { + 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 56 8D 45 ?? C6 45 ?? ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? + ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 8B F3 39 B5 ?? ?? ?? ?? 76 ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 8A 04 30 04 ?? 88 45 ?? FF 75 ?? E8 ?? ?? ?? + ?? 46 3B B5 ?? ?? ?? ?? 72 ?? 8B F3 39 B5 ?? ?? ?? ?? 76 ?? 83 BD ?? ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 8A 04 30 2C ?? 88 45 ?? FF 75 + ?? E8 ?? ?? ?? ?? 46 3B B5 ?? ?? ?? ?? 72 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 50 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 57 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 59 59 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 51 0F 43 + } + + $encrypt_files_p4 = { + 85 ?? ?? ?? ?? 51 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? BE ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 56 50 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? + ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? 
?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D + ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? + C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 + ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B D0 C6 45 ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? + 59 59 68 ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8D 8D ?? + ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 51 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8D 8D ?? + ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 8D + } + + $encrypt_files_p5 = { + 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 51 0F 43 85 ?? ?? ?? ?? 51 50 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? + ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 56 50 8D 45 ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? 
?? ?? ?? 50 8D 4D + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D + } + + $encrypt_files_p6 = { + E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 89 65 ?? 50 89 59 ?? 89 59 ?? E8 ?? ?? ?? ?? 83 + EC ?? C6 45 ?? ?? 8B CC 89 65 ?? 8D 85 ?? ?? ?? ?? 50 89 59 ?? 89 59 ?? E8 ?? ?? ?? + ?? 83 EC ?? C6 45 ?? ?? 8B CC 89 65 ?? 8D 85 ?? ?? ?? ?? 50 89 59 ?? 89 59 ?? E8 ?? + ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 8D 85 ?? ?? ?? ?? 50 89 59 ?? 89 59 ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? 83 C4 ?? 8B F0 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 95 ?? + ?? ?? ?? 03 CA 83 BD ?? ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 2B C8 51 50 56 E8 ?? ?? ?? + ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 53 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? + 68 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Archiveus.yara b/yara/ransomware/Win32.Ransomware.Archiveus.yara new file mode 100644 index 0000000..efc17a8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Archiveus.yara 
@@ -0,0 +1,50 @@ +import "pe" + +rule Win32_Ransomware_Archiveus : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ARCHIVEUS" + description = "Yara rule that detects Archiveus ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Archiveus" + tc_detection_factor = 5 + + strings: + + $entry_point = { + 68 ?? ?? 40 00 E8 ?? ?? ?? FF + } + + $dump_instruction = { + 8B 3D ?? ?? ?? ?? 6A ?? FF D7 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 74 ?? 8B 46 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF 15 ?? ?? ?? ?? + 50 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF D7 FF 15 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 8D 4D ?? 51 FF 15 ?? ?? ?? ?? 8D 55 ?? 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 8D 45 ?? 68 ?? ?? ?? ?? 8D 4D ?? 50 51 FF D3 50 8D 55 ?? 8D + 45 ?? 52 50 FF D3 50 FF 15 + } + + $extension_rule = { + 8B 13 6A ?? 68 ?? ?? ?? ?? 52 50 FF 15 ?? ?? ?? ?? D9 85 ?? ?? ?? ?? DB 85 ?? ?? ?? + ?? DD 9D ?? ?? ?? ?? DC 8D ?? ?? ?? ?? DF E0 A8 ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? DC 05 ?? ?? ?? ?? DF E0 A8 ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 4D ?? 89 45 + ?? FF 15 ?? ?? ?? ?? 8B 46 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF + 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 8D 4D ?? FF 15 ?? ?? ?? ?? + 50 6A ?? 6A ?? 6A ?? FF 15 + } + + $instruction_string = "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" wide + + condition: + uint16(0) == 0x5A4D and ($entry_point at pe.entry_point) and $dump_instruction and $extension_rule and $instruction_string + +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Armage.yara b/yara/ransomware/Win32.Ransomware.Armage.yara new file mode 100644 index 0000000..ce5d138 --- /dev/null 
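Review bot: The `$entry_point` pattern `68 ?? ?? 40 00 E8 ?? ?? ?? FF` anchored `at pe.entry_point` is a push-immediate-then-call stub that presumably every executable built with the same runtime shares, so on its own it discriminates little, and it is the only reason the rule needs `import "pe"`; the selectivity comes from `$dump_instruction`, `$extension_rule` and the wide `$instruction_string`. If it is kept as a cheap pre-filter, say so next to it, e.g. `// generic runtime entry stub; only meaningful together with the code patterns below`. The meta block also carries no `hash` or `reference` field, so a hit cannot be validated against a known sample; add the source sample hash(es) from the feed if they are available. `sharing = "TLP:WHITE"` is the pre-TLP-2.0 label (renamed TLP:CLEAR in 2022), which matters only if downstream tooling keys on that string.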
+++ b/yara/ransomware/Win32.Ransomware.Armage.yara 
@@ -0,0 +1,128 @@ +rule Win32_Ransomware_Armage : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ARMAGE" + description = "Yara rule that detects Armage ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Armage" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 89 E5 53 8D 5D ?? 81 EC ?? ?? ?? ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 89 5D ?? 8D 5D + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 65 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 45 + ?? 8D 50 ?? 8D 48 ?? C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C6 40 ?? ?? 89 50 ?? 89 + 95 ?? ?? ?? ?? 8D 50 ?? 89 50 ?? 89 95 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 5D ?? 83 EC ?? 89 5D ?? + 8B 41 ?? 8B 51 ?? 8D 4D ?? 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 45 ?? 8D 5D ?? 83 EC ?? 89 5C 24 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 45 ?? 8D 5D ?? 39 D8 74 ?? 89 04 24 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? 89 42 ?? 8B 55 ?? 89 4C 24 ?? 89 04 24 29 CA 89 54 24 + ?? E8 ?? ?? ?? ?? 8B 55 ?? 89 42 ?? 8B 42 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 55 ?? 89 42 + ?? 89 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 55 ?? + 8B 42 ?? 89 04 24 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 89 4C 24 ?? 89 85 ?? ?? ?? ?? 89 44 24 ?? 8B 55 ?? 8B 42 ?? 89 04 24 E8 ?? + ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 4C 24 ?? 89 8D ?? ?? ?? ?? 89 4C 24 ?? 8B 85 ?? ?? ?? + ?? 89 44 24 ?? 8B 55 ?? 8B 42 ?? 89 04 24 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 44 24 + ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 89 5C 24 ?? 8B 8D ?? + ?? ?? ?? 89 4C 24 ?? 89 85 ?? ?? ?? ?? 89 44 24 ?? 8B 55 ?? 8B 42 ?? 89 04 24 E8 ?? + ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? 8D 45 ?? 
89 04 24 E8 + } + + $encrypt_files_p2 = { + 8B 55 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? 8D 4A ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D + 55 ?? 83 EC ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? + ?? 8B 40 ?? 8B 80 ?? ?? ?? ?? 85 C0 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 80 78 ?? ?? 74 ?? 0F BE 40 ?? 89 04 24 B9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 EC ?? 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + 8B 45 ?? 85 C0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 5D + ?? C9 C3 90 8B 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8B 00 8B 50 ?? B8 ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 74 ?? C7 04 24 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? FF D2 83 EC ?? 0F BE C0 E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C5 ?? 8B 45 ?? 89 + 85 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 83 + E8 ?? 74 ?? 0F 0B 8B 45 ?? 8D 55 ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 + C0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? 3B 85 ?? ?? ?? ?? 74 ?? 89 04 24 + E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? 39 85 ?? ?? ?? ?? 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 39 D0 + 75 ?? EB + } + + $find_files_p1 = { + 55 89 E5 81 EC ?? ?? ?? ?? 8D 55 ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 89 55 ?? 8D 55 ?? 89 65 ?? 89 14 24 E8 ?? ?? ?? ?? 8B 45 ?? + 8B 4D ?? 83 C0 ?? 8B 51 ?? 89 45 ?? 8D 45 ?? 89 45 ?? 8B 45 ?? 89 55 ?? 8B 00 89 C1 + 89 45 ?? 01 D1 74 ?? 85 C0 75 ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 45 ?? 83 F8 ?? 89 45 ?? 0F 87 ?? ?? ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 8B + 45 ?? 8D 55 ?? 0F B6 00 88 45 ?? B8 ?? ?? ?? ?? 89 45 ?? C6 04 02 ?? B8 ?? ?? ?? ?? + 2B 45 ?? 83 F8 ?? 0F 86 ?? ?? ?? ?? 8D 4D ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? 
?? E8 ?? ?? ?? ?? 8B 45 ?? 83 EC ?? 89 44 24 ?? 8B 45 ?? 89 + 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 83 EC ?? 89 81 ?? ?? ?? + ?? 8D 4D ?? 39 CA 74 ?? 89 14 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 80 ?? ?? ?? ?? 83 F8 + } + + $find_files_p2 = { + 8B 45 ?? 0F 95 00 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? C9 C2 ?? ?? 8D 76 ?? 8D 45 ?? 8B + 4D ?? 89 4C 24 ?? 8B 4D ?? 89 04 24 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? E9 + ?? ?? ?? ?? 8D 45 ?? 8D 4D ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 55 ?? 83 EC ?? 89 45 ?? 89 55 ?? EB ?? C7 04 24 ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C5 ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 85 C0 74 ?? 83 E8 + ?? 74 ?? 0F 0B 8B 45 ?? 8D 55 ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 + 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 66 90 55 89 E5 57 56 8D 45 ?? 53 83 EC ?? + 89 45 ?? 8D 45 ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? 89 65 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 5D ?? C6 45 ?? ?? 8B 83 ?? ?? ?? + ?? 83 F8 ?? 74 ?? 8D 53 ?? 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 EC ?? 85 C0 0F 95 45 ?? 0F B6 45 ?? 8B 75 ?? 88 06 8B 45 ?? 89 04 24 E8 ?? ?? ?? + ?? 0F B6 45 ?? 8D 65 ?? 5B 5E 5F 5D C3 + } + + $enum_resources_p1 = { + 55 B8 ?? ?? ?? ?? 89 E5 E8 ?? ?? ?? ?? 29 C4 8D 45 ?? 89 8D ?? ?? ?? ?? 89 A5 ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 44 24 ?? 8B 45 + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C9 C2 ?? ?? + 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 + 24 ?? 8B 85 ?? ?? ?? ?? 
89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 85 C0 75 ?? 8D 85 ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 75 ?? EB + ?? 8D B4 26 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? F6 40 ?? ?? 0F 85 ?? ?? ?? ?? 83 85 ?? ?? + ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 85 ?? ?? ?? ?? 0F 83 + } + + $enum_resources_p2 = { + 8B 85 ?? ?? ?? ?? F6 40 ?? ?? 74 ?? 8B 40 ?? 89 C2 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 85 D2 89 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 74 ?? 89 14 24 E8 ?? ?? ?? ?? 03 85 ?? ?? + ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 8B 48 ?? 3B 48 ?? 0F 84 ?? ?? ?? + ?? 85 C9 74 ?? 8D 41 ?? 8B 95 ?? ?? ?? ?? 89 01 8B 85 ?? ?? ?? ?? 01 C2 89 04 24 89 + 54 24 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 8B + 48 ?? 8B 85 ?? ?? ?? ?? 83 C1 ?? 89 48 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 39 C8 + 0F 84 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? F6 40 ?? ?? 0F 84 ?? ?? + ?? ?? 89 04 24 8B 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC + ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 0C 24 89 44 24 ?? 8B 8D ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? EB + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($enum_resources_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Atlas.yara b/yara/ransomware/Win32.Ransomware.Atlas.yara new file mode 100644 index 0000000..a88dee3 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Atlas.yara 
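Review bot: `$find_files_p2` matches across function boundaries: `C9 C2 ?? ?? 8D 76 ??` is a `leave`/`ret imm16` epilogue followed by what looks like GCC alignment filler, and `E8 ?? ?? ?? ?? 90 66 90 55 89 E5 57 56` runs through NOP padding into the next function's prologue (`$encrypt_files_p2` does the same at `C9 C3 90 8B 8D`). Such a match holds only while the toolchain keeps those functions adjacent with exactly that padding, so a rebuild, a different optimisation level or a repack of the same source would presumably break it even though the malware's logic is unchanged, and because every group is `all of ($…_p*)` one lost chunk defeats the whole detection. The `_p1`/`_p2` split convention already exists, so the cleaner cut is at the padding: end `$find_files_p2` after `C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ??`, drop `90 66 90`, and start a `$find_files_p3` at `55 89 E5 57 56 8D 45 ?? 53 83 EC ??` with a comment such as `// split at linker padding so alignment changes do not break the match`.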
@@ -0,0 +1,99 @@ +rule Win32_Ransomware_Atlas : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ATLAS" + description = "Yara rule that detects Atlas ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Atlas" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 8B 74 24 ?? 8B 3D ?? ?? ?? ?? 8D 4C 24 ?? 6A ?? 51 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 52 56 FF D7 8B 94 24 ?? ?? ?? ?? 8D 44 24 ?? 8D 8C 24 ?? ?? ?? ?? 50 8B 84 24 ?? + ?? ?? ?? 51 52 50 E8 ?? ?? ?? ?? 8B 54 24 ?? 83 C4 ?? 8D 4C 24 ?? 8D 84 24 ?? ?? ?? + ?? 6A ?? 51 8B 4C 24 ?? 52 50 51 FF 15 ?? ?? ?? ?? 8D 54 24 ?? 6A ?? 52 55 53 56 FF + D7 8B 7C 24 ?? 33 C9 3B FD 89 4C 24 ?? 0F 85 ?? ?? ?? ?? EB ?? 8B 4C 24 ?? 33 F6 8A + 84 34 ?? ?? ?? ?? 02 C1 F6 E9 88 44 34 ?? 8A 84 34 ?? ?? ?? ?? 02 C1 F6 E9 88 44 34 + ?? 46 83 FE ?? 7C ?? 8B 74 24 ?? 57 56 8D 44 24 ?? 53 8D 8C 24 ?? ?? ?? ?? 50 51 E8 + ?? ?? ?? ?? 8B 54 24 ?? 8D 84 24 ?? ?? ?? ?? 52 53 56 8D 8C 24 ?? ?? ?? ?? 50 51 E8 + ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 83 C4 ?? 8D 54 24 ?? 6A ?? 52 50 53 51 FF 15 ?? + ?? ?? ?? 8B 44 24 ?? 8D 54 24 ?? 6A ?? 52 55 53 50 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 8B + 7C 24 ?? 41 3B FD 89 4C 24 ?? 0F 84 ?? ?? ?? ?? 8B 74 24 ?? 85 FF 74 ?? 8B 54 24 ?? + 8D 4C 24 ?? 6A ?? 51 57 53 52 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 8B 44 24 + ?? 50 FF D6 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 53 FF D6 8B 4C 24 ?? 68 ?? ?? ?? + ?? 6A ?? 51 FF D6 5F 5E 5D 33 C0 5B 81 C4 ?? ?? ?? ?? C3 + } + + $remote_server_1 = { + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 33 C9 8D 94 24 ?? ?? ?? ?? 8A 0C 2E + 8D 84 24 ?? ?? ?? ?? 51 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 46 81 FE ?? ?? + ?? ?? 7C ?? 8D 8C 24 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 33 F6 33 C0 8D 8C 24 ?? ?? ?? ?? 8A 04 1E 8D 94 24 ?? ?? ?? ?? 50 51 + 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? 
?? 83 C4 ?? 46 81 FE ?? ?? ?? ?? 7C ?? 8D 84 24 ?? ?? + ?? ?? 8D BC 24 ?? ?? ?? ?? 50 83 C9 ?? 33 C0 33 F6 F2 AE F7 D1 49 51 8D 8C 24 ?? ?? + ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 83 FE ?? + 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 46 FF 15 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 83 C9 ?? + 33 C0 8D 94 24 ?? ?? ?? ?? F2 AE F7 D1 49 52 8D 84 24 ?? ?? ?? ?? 51 50 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? BE ?? ?? ?? ?? 8D 84 24 ?? ?? + ?? ?? 8A 10 8A 1E 8A CA 3A D3 75 ?? 84 C9 74 ?? 8A 50 ?? 8A 5E ?? 8A CA 3A D3 75 ?? + 83 C0 ?? 83 C6 ?? 84 C9 75 ?? 33 C0 EB + } + + $remote_server_2 = { + 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? BB ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 51 2B D8 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 52 03 D8 E8 ?? ?? ?? ?? 8B CB 8B F0 8B C1 83 C6 ?? 8D BC 24 ?? ?? ?? ?? 83 C4 + ?? C1 E9 ?? F3 A5 8B C8 68 ?? ?? ?? ?? 83 E1 ?? 68 ?? ?? ?? ?? F3 A4 8D 8C 24 ?? ?? + ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 94 24 ?? ?? ?? ?? BB + ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 2B D8 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? + ?? ?? ?? 03 D8 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B CB 8B F0 8B + D1 BF ?? ?? ?? ?? C1 E9 ?? F3 A5 83 C4 ?? 8B CA 83 E1 ?? 8D 84 24 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? F3 A4 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + BB ?? ?? ?? ?? 2B D8 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 03 D8 E8 ?? + ?? ?? ?? 8B CB 8B F0 8B C1 83 C6 ?? BF ?? ?? ?? ?? 68 ?? ?? ?? ?? C1 E9 ?? F3 A5 8B + C8 68 ?? ?? ?? ?? 83 E1 ?? F3 A4 E8 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 83 C9 ?? 33 C0 + 83 C4 ?? F2 AE F7 D1 49 83 F9 ?? 0F 82 ?? ?? ?? ?? 33 F6 8D BC 24 ?? ?? ?? ?? 8D 8C + 34 ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 
46 83 C7 ?? 81 FE ?? ?? + ?? ?? 72 ?? 8B 3D ?? ?? ?? ?? FF D7 8D 94 24 ?? ?? ?? ?? 56 52 8B E8 E8 ?? ?? ?? ?? + 83 C4 ?? FF D7 8B F0 8D 44 24 ?? 50 2B F5 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 4C 24 ?? 8D 94 24 ?? ?? ?? ?? 51 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? + 8D 84 24 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 50 83 C9 ?? 33 C0 F2 AE F7 D1 49 51 8D 8C + 24 ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + } + + $send_post_packet = { + 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 83 + FE ?? 89 75 ?? 75 ?? 50 E8 ?? ?? ?? ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B + 8B E5 5D C3 6A ?? 66 C7 45 ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 66 89 45 ?? 52 E8 ?? ?? + ?? ?? 89 45 ?? 8D 45 ?? 6A ?? 50 56 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 56 E8 ?? ?? ?? ?? + 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 8D BD ?? ?? ?? ?? 83 C9 ?? + 33 C0 6A ?? F2 AE F7 D1 49 51 8D 8D ?? ?? ?? ?? 51 56 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? + 56 E8 ?? ?? ?? ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $send_get_request = { + 68 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 83 + FB ?? 75 ?? 68 ?? ?? ?? ?? 6A ?? 55 FF 15 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 5F 5E 5D 33 + C0 5B 81 C4 ?? ?? ?? ?? C3 6A ?? 66 C7 44 24 ?? ?? ?? E8 ?? ?? ?? ?? 8D 54 24 ?? 66 + 89 44 24 ?? 52 E8 ?? ?? ?? ?? 89 44 24 ?? 8D 44 24 ?? 6A ?? 50 53 E8 ?? ?? ?? ?? 83 + F8 ?? 75 ?? 68 ?? ?? ?? ?? 6A ?? 55 FF 15 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 5F 5E 5D 33 + C0 5B 81 C4 ?? ?? ?? ?? C3 8B FD 83 C9 ?? 33 C0 6A ?? F2 AE F7 D1 49 51 55 53 E8 ?? + ?? ?? ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? 6A ?? 55 FF 15 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? + 5F 5E 5D 33 C0 5B 81 C4 ?? ?? ?? ?? C3 + } + condition: + uint16(0) == 0x5A4D and $encrypt_files and $remote_server_1 and $remote_server_2 and + $send_post_packet and $send_get_request +} \ No newline at end of file 
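Review bot: The names `$send_post_packet`, `$send_get_request` and `$remote_server_*` assert network behaviour that the bytes cannot show, because every call target in them is a wildcarded `FF 15 ?? ?? ?? ??` or `E8 ?? ?? ?? ??`; when the rule fires, the string name is the only explanation an analyst gets. A one-line comment per string recording its provenance — the sample hash and function offset it was lifted from, and which API the indirect calls were observed to resolve to — would make the hypothesis checkable and let the pattern be regenerated when the family is rebuilt, e.g. `// lifted from <sha256> @ <function offset>: HTTP POST helper (verify API targets)`. Requiring all five patterns is conservative, so a build of the same family that drops the HTTP code would presumably not match; that is a reasonable trade-off, but it belongs in `description` so operators know the rule targets the networked variant.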
diff --git a/yara/ransomware/Win32.Ransomware.Avaddon.yara b/yara/ransomware/Win32.Ransomware.Avaddon.yara new file mode 100644 index 0000000..fee7f01 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Avaddon.yara 
@@ -0,0 +1,148 @@ +rule Win32_Ransomware_Avaddon : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AVADDON" + description = "Yara rule that detects Avaddon ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Avaddon" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8B FF 55 8B EC 51 8B 4D ?? 53 57 33 DB 8D 51 ?? 66 8B 01 83 C1 ?? 66 3B C3 75 ?? 8B + 7D ?? 2B CA D1 F9 8B C7 41 F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 5F 5B C9 C3 56 8D 5F + ?? 03 D9 6A ?? 53 E8 ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 75 ?? FF 75 ?? 2B DF 8D 04 7E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 75 ?? 8B 7D ?? 8B CF E8 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 56 E8 ?? ?? ?? ?? + 59 EB ?? 8B 47 ?? 89 30 83 47 ?? ?? 33 DB 6A ?? E8 ?? ?? ?? ?? 59 8B C3 5E EB ?? 33 + C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 8B 55 ?? 8B 4D ?? 53 8B 5D ?? 89 8D ?? ?? ?? ?? 56 57 3B D3 74 ?? 0F + B7 02 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 84 C0 75 ?? 83 EA ?? 3B D3 75 ?? 8B 8D ?? + ?? ?? ?? 0F B7 32 83 FE ?? 75 ?? 8D 43 ?? 3B D0 74 ?? 51 33 FF 57 57 53 E8 ?? ?? ?? + ?? 83 C4 ?? E9 ?? ?? ?? ?? 56 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 2B D3 0F B6 C0 D1 FA + 42 F7 D8 1B C0 33 FF 57 57 23 C2 57 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 53 FF + 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 + C4 ?? 8B F8 E9 ?? ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 6A ?? 89 8D ?? ?? ?? ?? 59 66 39 + 8D ?? ?? ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 66 39 8D ?? ?? ?? ?? 75 ?? 66 39 BD + ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 6A ?? 85 C0 8B 85 ?? ?? ?? + ?? 59 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ?? + ?? 2B C1 6A ?? 
50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8B F8 56 FF 15 ?? ?? ?? + ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 45 ?? 8B + 7D ?? 85 C0 0F 84 ?? ?? ?? ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 6A ?? 8D 4D ?? C7 45 ?? ?? + ?? ?? ?? 51 6A ?? 6A ?? 6A ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 + } + + $encrypt_files_p2 = { + 6A ?? 8D 45 ?? 0F 57 C0 50 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 57 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 6A ?? 51 8D 45 ?? 0F 43 45 ?? 68 ?? ?? ?? + ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 + ?? 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 33 F6 39 75 ?? 0F 86 ?? ?? ?? ?? 83 + 7D ?? ?? 8D 45 ?? 8D 4D ?? 0F 43 45 ?? 83 7D ?? ?? 68 ?? ?? ?? ?? 0F 43 4D ?? 03 C6 + 50 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 8D 45 ?? 0F + 43 45 ?? 53 51 50 6A ?? 6A ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? 83 7D ?? ?? 8D 4D ?? 6A ?? 51 8D 45 ?? 0F 43 45 ?? 53 50 57 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? 3B 75 ?? 0F 82 ?? ?? ?? ?? 83 7D ?? ?? 74 + } + + $encrypt_files_p3 = { + 8B 45 ?? 89 45 ?? 8B 45 ?? 6A ?? 89 45 ?? 8D 45 ?? 50 51 52 57 89 55 ?? 89 4D ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 9D ?? ?? ?? ?? 83 7B ?? ?? 8D 43 ?? 72 ?? 8B 00 6A ?? + 8D 4D ?? 51 FF 73 ?? 50 57 FF D6 85 C0 74 ?? 8B 4B ?? 39 4D ?? 75 ?? 8B 45 ?? 89 85 + ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 6A ?? 89 45 ?? 8D 45 ?? 50 6A ?? 8D 85 ?? ?? + ?? ?? 89 4D ?? 50 57 C7 45 ?? ?? ?? ?? ?? FF D6 85 C0 74 ?? 83 7D ?? ?? 75 ?? B3 ?? + EB ?? 32 DB 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 + ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 
42 8B C1 + 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? + ?? ?? ?? 83 C4 ?? 8A C3 EB ?? 32 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D + ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $remote_connection_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 45 ?? 33 C9 8B 75 ?? 89 85 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 66 89 8D ?? ?? ?? ?? 89 4D ?? 39 4E ?? 0F 84 ?? ?? ?? ?? 66 39 4E ?? 0F 86 ?? ?? + ?? ?? 39 4E ?? 0F 84 ?? ?? ?? ?? 39 4E ?? 0F 84 ?? ?? ?? ?? 8B 06 8D 8D ?? ?? ?? ?? + 8B 7E ?? BA ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 78 ?? ?? 72 ?? 8B 00 6A + ?? 6A ?? 57 FF B5 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B F8 89 BD ?? + ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? + ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? + ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 + 89 85 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 83 7E ?? ?? 8D 46 ?? 0F B7 4E ?? 72 ?? 8B + } + + $remote_connection_p2 = { + 00 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 51 50 57 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 7E ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B D0 83 7A ?? ?? 72 ?? 8B 12 83 7E ?? ?? 8D 4E ?? 72 ?? 8B 09 83 7E ?? ?? 8D 46 ?? + 72 ?? 8B 00 6A ?? 57 6A ?? 6A ?? 52 51 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? + ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 + ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 46 ?? 85 C0 + 75 ?? 50 50 50 50 57 FF 15 ?? ?? ?? ?? EB ?? 83 C6 ?? 83 7E ?? ?? 72 ?? 
8B 36 50 56 + 6A ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 + } + + $enum_resources_p1 = { + 33 D2 89 7D ?? 89 7D ?? 89 75 ?? 89 45 ?? 89 45 ?? 89 4D ?? 89 55 ?? 89 55 ?? 39 56 + ?? 0F 84 ?? ?? ?? ?? 89 55 ?? 89 55 ?? 89 55 ?? 89 55 ?? 83 7E ?? ?? 8B C6 72 ?? 8B + 06 8D 4D ?? 51 8D 4D ?? 51 8D 4D ?? 51 6A ?? 8D 4D ?? 51 6A ?? 50 FF 15 ?? ?? ?? ?? + 89 45 ?? 85 C0 74 ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8B 45 ?? 89 45 ?? + C7 45 ?? ?? ?? ?? ?? 0F 82 + } + + $enum_resources_p2 = { + 8D 4D ?? D1 F8 50 52 E8 ?? ?? ?? ?? 8B 7D ?? 8D 4D ?? 8B 75 ?? 83 FF ?? 8B 55 ?? 6A + ?? 68 ?? ?? ?? ?? 0F 43 CE 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? + 8B 7D ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 33 C0 8B 75 ?? 66 89 85 ?? ?? ?? ?? 83 CE ?? + 8B 47 ?? 83 C0 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 + 75 ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7F ?? + ?? 8B C7 72 ?? 8B 07 FF 77 ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 + } + + $enum_resources_p3 = { + 53 8B DC 83 EC ?? 83 E4 ?? 83 C4 ?? 55 8B 6B ?? 89 6C 24 ?? 8B EC 6A ?? 68 ?? ?? ?? + ?? 64 A1 ?? ?? ?? ?? 50 53 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 57 50 8D 45 ?? + 64 A3 ?? ?? ?? ?? 8B 43 ?? 8D 4D ?? 89 45 ?? 89 45 ?? 66 8B 43 ?? 6A ?? 68 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? + 8D 4D ?? 8D 45 ?? 0F 43 45 ?? 51 50 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 7D ?? 8D 45 ?? + 8B 75 ?? 8D 4D ?? 8B 55 ?? 83 FF ?? 0F 43 45 ?? 0F 43 CA 8D 04 70 89 45 ?? 8D 45 ?? + 0F 43 45 ?? 8D 04 70 3B C8 74 ?? 66 83 39 ?? 74 ?? 83 C1 ?? 3B C8 75 ?? 3B C8 74 ?? + 8D 51 ?? 
3B D0 74 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($enum_resources_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.AvosLocker.yara b/yara/ransomware/Win32.Ransomware.AvosLocker.yara new file mode 100644 index 0000000..25402d1 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.AvosLocker.yara 
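Review bot: `$find_files` runs through a function boundary at `33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC`: the five-zero-argument call followed by `CC` looks like an MSVC no-return error stub plus `int3` padding, and `8B FF 55 8B EC` is the hotpatchable prologue of the next function, so this part of the match depends on link order and padding rather than on the malware's own logic. `$encrypt_files_p1` and `$remote_connection_p1` also both open with the same SEH frame prologue (`55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC …`) that presumably every SEH-using MSVC function shares, so the discriminating bytes in those two are the tails, not the heads. Splitting `$find_files` at the `CC` into `$find_files_p1`/`$find_files_p2` and changing the condition to `all of ($find_files_p*)` keeps the detection while removing the dependence on padding, with a comment like `// split at int3 padding between two functions`.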
@@ -0,0 +1,108 @@ +rule Win32_Ransomware_AvosLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AVOSLOCKER" + description = "Yara rule that detects AvosLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "AvosLocker" + tc_detection_factor = 5 + + strings: + + $find_files = { + 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF + B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 + 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 ?? 8A 48 ?? 84 C9 74 ?? 80 F9 + ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 + C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ?? + ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? 74 ?? + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 59 8B D8 56 FF 15 + } + + $enum_resources = { + 50 51 6A ?? 6A ?? 6A ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 85 FF 0F 84 ?? ?? ?? ?? FF 75 ?? 6A ?? 57 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 57 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 33 DB 39 5D ?? 76 ?? 8D 77 ?? 83 7E ?? ?? 0F 85 ?? ?? ?? ?? 83 7E + ?? ?? 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? 39 46 ?? B9 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 8B D1 0F 45 56 ?? 
8B C1 83 + 7E ?? ?? 0F 11 85 ?? ?? ?? ?? 0F 45 46 ?? 83 3E ?? 0F 28 05 ?? ?? ?? ?? 89 45 ?? 8B + C1 0F 45 06 83 7E ?? ?? 0F 11 45 ?? 89 45 ?? 8B C1 0F 28 05 ?? ?? ?? ?? 0F 45 46 ?? + 33 C9 0F 11 45 ?? 89 45 ?? 0F 28 05 ?? ?? ?? ?? 0F 11 45 ?? 8A 85 ?? ?? ?? ?? 30 84 + 0D ?? ?? ?? ?? 41 83 F9 ?? 72 ?? 52 FF 75 ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? FF 75 ?? + FF 75 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 3E ?? 0F 84 ?? ?? ?? ?? FF 36 E8 ?? ?? ?? ?? + 59 83 F8 ?? 0F 86 ?? ?? ?? ?? 8B 06 80 78 ?? ?? 75 ?? B1 ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 33 C0 66 C7 45 ?? ?? ?? C6 45 ?? ?? 30 4C 05 ?? 40 83 F8 ?? 73 ?? + 8A 4D ?? EB ?? 8D 45 ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 59 FF 36 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 65 ?? ?? 50 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? + C6 45 ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 83 4D ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? EB ?? B1 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? + C6 45 ?? ?? 30 4C 05 ?? 40 83 F8 ?? 73 ?? 8A 4D ?? EB ?? 8D 45 ?? C6 45 ?? ?? 50 E8 + ?? ?? ?? ?? 59 F7 46 ?? ?? ?? ?? ?? 74 ?? 8D 4E ?? E8 ?? ?? ?? ?? 43 83 C6 ?? 3B 5D + ?? 0F 82 ?? ?? ?? ?? E9 ?? ?? ?? ?? FF 75 ?? FF 15 + } + + $import_key = { + 50 53 53 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? FF D6 50 53 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B1 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B C3 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 30 8C 05 ?? ?? + ?? ?? 40 83 F8 ?? 73 ?? 8A 8D ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 88 9D ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 59 0F 11 85 ?? ?? ?? ?? + 59 0F 28 05 ?? ?? ?? ?? 8B CB 0F 11 85 ?? ?? ?? ?? 66 C7 85 ?? ?? ?? ?? ?? ?? 88 9D + ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 30 84 0D ?? ?? ?? ?? 41 83 F9 ?? 72 ?? 88 9D ?? ?? ?? + ?? FF D6 50 8D 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? FF 36 8D 45 ?? 89 9D ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 
FF 76 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 83 C4 ?? 8B D7 50 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 84 C0 75 ?? 0F 28 05 ?? ?? ?? ?? 8B CB 0F 11 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 11 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 C7 + 85 ?? ?? ?? ?? ?? ?? 88 9D ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 30 84 0D ?? ?? ?? ?? 41 83 + F9 ?? 72 ?? 8D 85 ?? ?? ?? ?? 88 9D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8D 45 ?? 50 E8 + ?? ?? ?? ?? 59 8D 4D ?? 85 C0 74 ?? 88 19 41 83 E8 ?? 75 ?? 39 9D ?? ?? ?? ?? 74 ?? + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 + } + + $encrypt_files = { + 50 51 51 FF B5 ?? ?? ?? ?? 51 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B BD ?? ?? ?? ?? 57 89 BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 59 85 F6 0F 84 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CE 85 C0 74 ?? C6 01 ?? 41 83 E8 ?? 75 ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 59 83 C0 ?? 74 ?? 39 85 ?? ?? ?? ?? 72 ?? 50 8D 85 ?? ?? ?? + ?? 50 56 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? FF B5 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 + C4 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 59 57 40 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 6A ?? FF B5 ?? ?? ?? ?? 6A + ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? D1 EF 6A ?? 5A 74 ?? + 8B 9D ?? ?? ?? ?? 4B 03 DE 8A 03 8A 0C 32 88 04 32 42 88 0B 4B 3B D7 72 ?? 8B 9D ?? + ?? ?? ?? 8B BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 03 C3 56 50 E8 ?? ?? ?? ?? 03 DF 56 + 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? 47 81 C6 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 50 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 + B9 ?? ?? ?? ?? F7 F1 83 C4 ?? 40 3B F8 0F 82 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_resources + ) and + ( + $find_files + ) and + ( + $import_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file 
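Review bot: `$import_key` opens with a six-push indirect call (`50 53 53 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ??`), which would be consistent with the six-argument `CryptImportKey` the name implies, but nothing in the bytes pins the import because the call target is wildcarded; a comment stating which API the call was observed to resolve to, and in which sample, would make the name checkable, e.g. `// six-arg CryptoAPI-style call; observed as CryptImportKey in <sha256> (verify)`. The stack-string decoder loop `30 84 0D ?? ?? ?? ?? 41 83 F9 ?? 72 ??` (and the `30 4C 05 ?? 40 83 F8 ?? 73 ??` variant) appears in both `$enum_resources` and `$import_key` and is presumably the most build-stable part of these patterns, which is worth noting in a comment so a future trim keeps it rather than the surrounding `0F 28 05`/`0F 11 85` SSE moves that depend on compiler codegen.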
diff --git a/yara/ransomware/Win32.Ransomware.BKRansomware.yara b/yara/ransomware/Win32.Ransomware.BKRansomware.yara new file mode 100644 index 0000000..93387c8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BKRansomware.yara 
@@ -0,0 +1,79 @@ +rule Win32_Ransomware_BKRansomware : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BKRANSOMWARE" + description = "Yara rule that detects BKRansomware ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BKRansomware" + tc_detection_factor = 5 + + strings: + + $search_files = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B F9 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? + 57 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? EB ?? 8D A4 24 ?? ?? ?? ?? 90 + 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? + 8B B5 ?? ?? ?? ?? 83 FE ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B + 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 + 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 74 ?? B8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 66 8B 11 66 3B 10 75 ?? 66 85 D2 74 ?? 66 8B 51 ?? 66 3B 50 ?? 75 ?? 83 C1 ?? 83 C0 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 57 8D + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 83 FE ?? 74 ?? + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? + 50 57 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 + FF 15 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 57 6A ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B F9 68 ?? ?? ?? ?? 57 89 BD ?? ?? ?? ?? 
FF 15 ?? ?? + ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 56 6A ?? 53 FF 15 ?? ?? ?? + ?? 8B F0 68 ?? ?? ?? ?? 57 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? + ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? + 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 75 ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 F6 0F 8E ?? ?? ?? ?? 33 + } + + $encrypt_files_p2 = { + FF 8D 49 ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? 33 F6 8D 51 ?? EB ?? 8D 49 ?? 8A 01 41 84 C0 75 ?? 2B CA 74 ?? BB ?? ?? ?? ?? + 8A 84 35 ?? ?? ?? ?? 3C ?? 7C ?? 3C ?? 7F ?? 0F BE C0 83 E8 ?? 99 F7 FB 80 C2 ?? EB + ?? 3C ?? 7C ?? 3C ?? 7F ?? 0F BE C0 83 E8 ?? 99 F7 FB 80 C2 ?? 88 94 35 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 46 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 3B F0 72 ?? 8B 9D ?? ?? ?? + ?? 6A ?? 6A ?? 57 53 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 51 ?? 8D 9B ?? ?? ?? ?? + 8A 01 41 84 C0 75 ?? 6A ?? 8D 85 ?? ?? ?? ?? 2B CA 50 51 8D 85 ?? ?? ?? ?? 50 53 FF + 15 ?? ?? ?? ?? 03 BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 3B BD ?? ?? ?? ?? 0F 8C ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 57 8D 85 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 
50 57 FF 15 ?? ?? ?? ?? + 5E 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Babuk.yara b/yara/ransomware/Win32.Ransomware.Babuk.yara new file mode 100644 index 0000000..1d6b572 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Babuk.yara 
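Review bot: The condition at the end of this hunk gates only on `uint16(0) == 0x5A4D` and sets no `filesize` bound, so each of the long wildcarded hex patterns (`$search_files`, `$encrypt_files_p1`, `$encrypt_files_p2`) is searched across the whole input, which gets slow on large files; the same applies to the Babuk, BadBlock, Badbeeteam and Balaclava hunks below. The `meta` fields (`author`/`source = "ReversingLabs"`, `status = "RELEASED"`) and the commit's reference to LICENSE-YARA-RULES suggest these rules are vendored verbatim, so I would not patch the rule text here. Instead, bound the input size or set a scan timeout where the rules are compiled and matched (main.py, outside this view), and record the upstream revision the rules were copied from so they can be re-synced and diffed later. The missing trailing newline (`\ No newline at end of file`) on every rule file is cosmetic but will make future upstream diffs noisier.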
@@ -0,0 +1,117 @@ +rule Win32_Ransomware_Babuk : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BABUK" + description = "Yara rule that detects Babuk ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Babuk" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 50 8B + 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 95 ?? + ?? ?? ?? 83 C2 ?? 89 95 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 73 ?? 8B 85 ?? ?? ?? ?? 8B + 0C 85 ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? E9 ?? ?? ?? + ?? E9 ?? ?? ?? ?? EB ?? 8B 45 ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? + 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 E2 ?? 74 ?? 83 7D ?? ?? 77 ?? 8B 45 ?? 83 + C0 ?? 50 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 83 E9 ?? 89 8D ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 7C ?? 8B 95 ?? ?? ?? ?? 0F B7 84 55 ?? ?? ?? ?? 83 F8 ?? 75 ?? 68 ?? ?? + ?? ?? 8B 8D ?? ?? ?? ?? 8D 94 4D ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? EB ?? + EB ?? EB ?? EB ?? EB ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? + ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 50 FF 15 + } + + $encrypt_files_p1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 
C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD + ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 8C ?? ?? + ?? ?? 7F ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B + 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 6A ?? 52 50 E8 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 0F 57 C0 66 0F 13 85 ?? ?? ?? ?? EB ?? 8B 8D + ?? ?? ?? ?? 83 C1 ?? 8B 95 ?? ?? ?? ?? 83 D2 ?? 89 8D ?? ?? ?? ?? 89 95 ?? ?? ?? ?? + 83 BD ?? ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 7C ?? 83 BD ?? ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 + } + + $encrypt_files_p2 = { + E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 68 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? + 51 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 52 + FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 8C ?? ?? ?? + ?? 7F ?? 83 BD ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? + ?? ?? 74 ?? 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 68 ?? ?? + ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? + ?? ?? 50 8B 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? 
?? ?? E8 ?? ?? ?? ?? 83 + } + + $encrypt_files_p3 = { + C4 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 45 + ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF + 15 ?? ?? ?? ?? 6A ?? 8B 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? + ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 6A ?? 6A ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 6A ?? 8D 95 ?? ?? ?? + ?? 52 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8D 45 ?? 50 6A + ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? + ?? ?? 52 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 3B 95 ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 69 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 BC 05 ?? ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 69 8D ?? ?? ?? ?? ?? ?? ?? ?? 81 BC 0D ?? ?? ?? ?? ?? ?? ?? + ?? 74 ?? FF 15 ?? ?? ?? ?? 69 95 ?? ?? ?? ?? ?? ?? ?? ?? 3B 84 15 ?? ?? ?? ?? 74 ?? + 69 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 8C 05 ?? ?? ?? ?? 51 6A ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? ?? + ?? 51 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $enum_resources = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8D 45 ?? 50 8B 4D ?? 51 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 
83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D 45 + ?? 50 8B 4D ?? 51 8D 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 75 ?? C7 45 ?? ?? ?? + ?? ?? EB ?? 8B 4D ?? 83 C1 ?? 89 4D ?? 8B 55 ?? 3B 55 ?? 73 ?? 8B 45 ?? C1 E0 ?? 8B + 4D ?? 8B 54 01 ?? 83 E2 ?? 74 ?? 8B 45 ?? C1 E0 ?? 03 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? EB ?? 6A ?? 8B 4D ?? C1 E1 ?? 8B 55 ?? 8B 44 0A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB + ?? EB ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 4D ?? 33 + CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $enum_resources + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BadBlock.yara b/yara/ransomware/Win32.Ransomware.BadBlock.yara new file mode 100644 index 0000000..8e15cfb --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BadBlock.yara 
@@ -0,0 +1,100 @@ +rule Win32_Ransomware_BadBlock : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BADBLOCK" + description = "Yara rule that detects BadBlock ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BadBlock" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 89 5D ?? 89 5D ?? 89 4D ?? 89 55 ?? 8B D8 + 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? 8B 45 ?? + 8B 40 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 55 + ?? 8B 45 ?? 8B 40 ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 + ?? B2 ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D + 45 ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? + ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B D0 8B 45 ?? 85 C0 74 ?? 83 E8 ?? 8B 00 6A ?? 50 52 + 8B 45 ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 8B 45 ?? 50 + E8 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 + 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 10 FF 12 89 45 ?? 89 55 ?? E9 ?? ?? + ?? ?? 83 7D ?? ?? 75 ?? 81 7D ?? ?? ?? ?? ?? 73 ?? EB ?? 7D ?? 8B 45 ?? 89 45 ?? 8B + 45 ?? 89 45 ?? EB ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B D8 8B C3 + E8 ?? ?? ?? ?? 8B F0 8B D6 8B CB 8B 45 ?? 8B 38 FF 57 ?? 89 45 ?? 8B 45 ?? 8B 10 FF + 12 52 50 8B 45 ?? E8 ?? ?? ?? ?? 3B 54 24 ?? 75 ?? 3B 04 24 5A 58 72 ?? EB ?? 5A 58 + 7C ?? 8B 45 ?? 50 8D 45 ?? 50 56 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? EB ?? + 8B 45 ?? 50 8D 45 ?? 50 56 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? E8 + ?? ?? ?? ?? 52 50 8B C3 99 29 04 24 19 54 24 ?? 58 5A 52 50 8B 45 ?? E8 ?? ?? ?? ?? + 8B D6 8B 4D ?? 8B 45 ?? 8B 38 FF 57 ?? 8B C3 99 29 45 ?? 19 55 ?? 8B D3 8B C6 E8 ?? + ?? ?? ?? 83 7D ?? 
?? 75 ?? 83 7D ?? ?? 0F 87 ?? ?? ?? ?? EB ?? 0F 8F ?? ?? ?? ?? A1 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B + 48 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? A1 ?? ?? ?? ?? 8B 00 8B 80 ?? + ?? ?? ?? 8B 80 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 18 FF 53 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 + C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + ?? E8 ?? ?? ?? ?? EB ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? + ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? + EB ?? 5F 5E 5B 8B E5 5D C3 + } + + $search_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D + ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 55 ?? 89 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B + 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 0F 94 C3 E9 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 66 83 38 ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? A1 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 85 C0 75 ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 85 ?? + ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 0D ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 66 + 83 38 ?? 74 ?? B9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 75 ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
85 C0 0F 94 C3 84 DB 0F 85 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C6 8B 10 FF 52 ?? 8B D8 4B 85 DB 7C ?? + 43 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C6 8B 38 FF + 57 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? FF 85 ?? ?? ?? ?? 4B 75 ?? 8B C6 E8 ?? ?? ?? ?? 33 C0 5A 59 59 + 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $remote_connection = { + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? + 8D 4D ?? 8B 45 ?? 8B 90 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8B 08 FF + 51 ?? 8B 45 ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 6A ?? 8D 45 ?? 50 8D 4D ?? 8B 15 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? + 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? + 8B 45 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 74 ?? C7 45 ?? ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 83 EB ?? 8B 1B 68 ?? ?? ?? ?? 8B CB + BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 8B 90 ?? ?? ?? ?? 8D 45 + ?? 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? B2 ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 8B 45 + ?? 8B 90 ?? ?? ?? ?? 8D 45 ?? 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 75 ?? 85 F6 74 ?? 83 EE ?? 8B 36 68 ?? ?? ?? ?? 8B CE BA ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 + 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 
C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_files and + $encrypt_files and + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Badbeeteam.yara b/yara/ransomware/Win32.Ransomware.Badbeeteam.yara new file mode 100644 index 0000000..75a33bc --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Badbeeteam.yara 
@@ -0,0 +1,137 @@ +rule Win32_Ransomware_Badbeeteam : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BADBEETEAM" + description = "Yara rule that detects Badbeeteam ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Badbeeteam" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 5F C9 C3 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? + ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 5D ?? + 8B CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 EB ?? + 8B 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B EB ?? 33 FF 57 57 + 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 + 45 ?? 8B 4D ?? 8B 55 ?? 53 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 ?? ?? + ?? ?? 8A 01 88 85 ?? ?? ?? ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 57 E8 + ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? 74 ?? + 3C ?? 8A C3 75 ?? B0 ?? 2B CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D + } + + $find_files_p2 = { + 56 1B C0 89 9D ?? ?? ?? ?? 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 8D ?? ?? ?? ?? F7 D8 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? + ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B + D8 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D + ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? 
?? + 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? + 75 ?? 8A 48 ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? + ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 + C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 + ?? EB ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 59 8B D8 56 FF 15 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 59 8B C3 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 59 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 F1 83 C4 ?? 84 C0 0F 85 ?? ?? ?? ?? + 51 E8 ?? ?? ?? ?? 59 B9 ?? ?? ?? ?? 89 D6 6A ?? 5A 56 50 E8 ?? ?? ?? ?? 8D 8C 24 ?? + ?? ?? ?? 83 C4 ?? 84 C0 0F 85 ?? ?? ?? ?? FF 04 24 51 57 E8 ?? ?? ?? ?? 58 59 8D 8C + 24 ?? ?? ?? ?? 8D 54 24 ?? 57 E8 ?? ?? ?? ?? 58 83 BC 24 ?? ?? ?? ?? ?? 0F 84 ?? ?? + ?? ?? 8B 84 24 ?? ?? ?? ?? F2 0F 10 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? A1 ?? ?? + ?? ?? F2 0F 11 84 24 ?? ?? ?? ?? 8B 00 83 F8 ?? 72 ?? 8D 84 24 ?? ?? ?? ?? C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? 8D 4C 24 ?? 89 44 24 ?? 31 C0 C7 44 24 ?? ?? ?? ?? ?? 40 89 + 84 24 ?? ?? ?? ?? 83 A4 24 ?? ?? ?? ?? ?? 89 8C 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 57 E8 + ?? ?? ?? ?? 59 89 D6 B9 ?? ?? ?? ?? 6A ?? 5A 56 50 E8 ?? ?? ?? ?? 59 5A 89 F9 89 C3 + E8 ?? ?? ?? ?? 84 DB 0F 85 ?? ?? ?? ?? 6A ?? 59 8D 7C 24 ?? 8D B4 24 ?? ?? ?? ?? F3 + A5 6A ?? 59 8D BC 24 ?? ?? ?? ?? 8D 74 24 ?? 31 C0 F3 A5 E9 ?? ?? ?? ?? 8B 84 24 ?? + ?? ?? ?? 
85 C0 74 ?? 8B 8C 24 ?? ?? ?? ?? 50 FF 11 83 C4 ?? 8B 84 24 ?? ?? ?? ?? 8B + 70 ?? 8B 78 ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 89 C1 89 F2 57 E8 ?? ?? ?? ?? + 58 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 9C 24 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 69 + } + + $encrypt_files_p2 = { + 7B ?? ?? ?? ?? ?? 89 C6 83 C6 ?? 85 FF 74 ?? 83 7E ?? ?? 74 ?? 8D 46 ?? 50 E8 ?? ?? + ?? ?? 58 81 C6 ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? EB ?? 83 7E ?? ?? 74 ?? 83 3E ?? 74 ?? + 8D 4E ?? E8 ?? ?? ?? ?? EB ?? 8D 46 ?? 50 E8 ?? ?? ?? ?? 58 8B 06 F0 FF 08 75 ?? 56 + E8 ?? ?? ?? ?? EB ?? 53 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 58 59 8B 4C 24 ?? 85 C9 74 ?? + 8B 54 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 58 8D 9C 24 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 + 6B 5B ?? ?? 89 C7 89 C6 83 C7 ?? 85 DB 74 ?? 8D 4E ?? E8 ?? ?? ?? ?? 83 7E ?? ?? 74 + ?? 57 E8 ?? ?? ?? ?? 58 83 3F ?? 74 ?? 8D 47 ?? EB ?? 8D 46 ?? 50 E8 ?? ?? ?? ?? 58 + 83 C6 ?? 83 C7 ?? 83 C3 ?? EB ?? 8D 84 24 ?? ?? ?? ?? 50 8D 5C 24 ?? 53 E8 ?? ?? ?? + ?? 58 59 8B 4C 24 ?? 85 C9 74 ?? 8B 54 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 58 8D B4 24 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 6B 7E ?? ?? 89 C1 85 FF 74 ?? 8D 59 ?? 83 C1 ?? E8 + ?? ?? ?? ?? 89 D9 83 C7 ?? 8D 5C 24 ?? EB ?? 56 53 E8 ?? ?? ?? ?? 58 59 8B 4C 24 ?? + 85 C9 74 ?? 8B 54 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 58 A1 ?? ?? ?? ?? 8B 00 83 F8 ?? + 72 ?? 89 E0 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 89 C6 89 D7 68 ?? ?? ?? ?? 8D 44 + 24 ?? 50 E8 ?? ?? ?? ?? 59 59 89 B4 24 ?? ?? ?? ?? 89 BC 24 ?? ?? ?? ?? 89 84 24 ?? + ?? ?? ?? 89 94 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 6A ?? 58 89 44 24 ?? 83 64 24 + ?? ?? 8D 8C 24 ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? 68 ?? ?? ?? ?? 6A ?? 53 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 7D ?? 8B 77 ?? 83 C7 ?? 8D 4E ?? E8 ?? + ?? ?? ?? C7 46 ?? ?? ?? ?? ?? 83 66 ?? ?? 89 F9 E8 ?? ?? ?? ?? 8D 65 ?? 5E 5F 5B 5D + C3 + } + + $drop_hta_file_p1 = { + 6A ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? ?? ?? ?? 59 89 D3 89 F9 89 + C2 53 E8 ?? ?? ?? ?? 58 8D B4 24 ?? ?? ?? ?? 
89 F1 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 58 31 DB 43 53 57 E8 ?? ?? ?? ?? 59 + 5A 53 89 DF 50 E8 ?? ?? ?? ?? 59 5A 8D 5C 24 ?? 89 C2 89 D9 56 E8 ?? ?? ?? ?? 58 39 + 3B 0F 85 ?? ?? ?? ?? F2 0F 10 44 24 ?? A1 ?? ?? ?? ?? 8D 74 24 ?? 8D BC 24 ?? ?? ?? + ?? F2 0F 11 44 24 ?? 8B 00 83 F8 ?? 72 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 59 89 + 84 24 ?? ?? ?? ?? 31 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? 40 89 + 84 24 ?? ?? ?? ?? 83 A4 24 ?? ?? ?? ?? ?? 89 BC 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? ?? ?? + ?? EB ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? + 8D BC 24 ?? ?? ?? ?? 57 8D B4 24 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 89 F1 E8 ?? + ?? ?? ?? 57 E8 ?? ?? ?? ?? 58 6A ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 6A + } + + $drop_hta_file_p2 = { + 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D B4 24 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 58 + 31 DB 43 53 56 E8 ?? ?? ?? ?? 59 5A 53 50 E8 ?? ?? ?? ?? 59 5A 8D 74 24 ?? 89 C2 89 + F1 57 E8 ?? ?? ?? ?? 58 39 1E 0F 85 ?? ?? ?? ?? F2 0F 10 44 24 ?? A1 ?? ?? ?? ?? 8D + 74 24 ?? F2 0F 11 84 24 ?? ?? ?? ?? 8B 00 83 F8 ?? 72 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 89 44 24 ?? 31 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + 89 54 24 ?? 40 89 84 24 ?? ?? ?? ?? 83 A4 24 ?? ?? ?? ?? ?? 89 B4 24 ?? ?? ?? ?? 89 + 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? EB ?? 8B 44 24 ?? 89 44 24 ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D 74 24 ?? 56 8D 9C 24 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? + 83 C4 ?? 89 D9 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 58 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 + 8D BC 24 ?? ?? ?? ?? 89 C3 89 84 24 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 F9 6A ?? E8 ?? ?? + ?? ?? 58 83 64 24 ?? ?? 83 64 24 ?? ?? 57 E8 ?? ?? ?? ?? 59 8D 4C 24 ?? 51 56 6A ?? + 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 
50 53 E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($drop_hta_file_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Balaclava.yara b/yara/ransomware/Win32.Ransomware.Balaclava.yara new file mode 100644 index 0000000..f396f47 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Balaclava.yara 
@@ -0,0 +1,113 @@ +rule Win32_Ransomware_Balaclava : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BALACLAVA" + description = "Yara rule that detects Balaclava ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Balaclava" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 83 EC ?? 53 56 8B 75 ?? 33 D2 57 6A ?? 5B 8B 7E ?? 89 55 ?? 8D 4F ?? 66 8B + 07 03 FB 66 3B C2 75 ?? 2B F9 B9 ?? ?? ?? ?? D1 FF E8 ?? ?? ?? ?? 50 FF 76 ?? 89 45 + ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 50 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B + 45 ?? 83 C0 ?? 89 45 ?? 8B D8 33 D2 8D 4B ?? 66 8B 03 83 C3 ?? 66 3B C2 75 ?? 2B D9 + D1 FB 8D 04 3B 3D ?? ?? ?? ?? 7C ?? 8D 04 45 ?? ?? ?? ?? 50 39 56 ?? 74 ?? FF 76 ?? + 52 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? EB ?? 52 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? + ?? ?? 39 46 ?? 74 ?? 89 46 ?? 8B 46 ?? 33 C9 66 89 0C 78 8B 55 ?? F7 02 ?? ?? ?? ?? + 0F 85 ?? ?? ?? ?? 33 D2 8B C2 6A ?? 89 45 ?? 59 89 4D ?? 3B C1 7F ?? 03 C1 8B 4D ?? + 99 2B C2 D1 F8 89 45 ?? 8B 14 85 ?? ?? ?? ?? 66 8B 01 66 3B 02 75 ?? 66 85 C0 74 ?? + 66 8B 41 ?? 66 3B 42 ?? 75 ?? 83 C1 ?? 83 C2 ?? 66 85 C0 75 ?? 33 D2 8B C2 EB ?? 1B + C0 83 C8 ?? 33 D2 85 C0 0F 84 ?? ?? ?? ?? 79 ?? 8B 4D ?? 8B 45 ?? 49 EB ?? 8B 45 ?? + 8B 4D ?? 40 89 45 ?? EB ?? 8B 45 ?? F6 00 ?? 0F 84 ?? ?? ?? ?? 8D 04 5D ?? ?? ?? ?? + 50 8B 46 ?? FF 75 ?? 8D 04 78 83 C0 ?? 50 E8 ?? ?? ?? ?? 8B 4E ?? 83 C4 ?? 8B 46 ?? + 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7E ?? ?? 74 + ?? 83 7E ?? ?? 7E ?? FF 76 ?? 8B 4E ?? FF 76 ?? E8 ?? ?? ?? ?? 59 59 8B 4E ?? 8D 14 + } + + $find_files_p2 = { + 3B A1 ?? ?? ?? ?? 56 89 44 51 ?? 66 A1 ?? ?? ?? ?? 66 89 44 51 ?? FF 46 ?? E8 ?? ?? + ?? ?? FF 4E ?? E9 ?? ?? ?? ?? 39 56 ?? 0F 85 ?? ?? ?? ?? 8D 04 5D ?? ?? ?? 
?? 50 8B + 46 ?? FF 75 ?? 8D 04 78 83 C0 ?? 50 E8 ?? ?? ?? ?? 8B 5E ?? 83 C4 ?? 8B CB B8 ?? ?? + ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? + 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B CB 8D + 51 ?? 66 8B 01 83 C1 ?? 66 3B 45 ?? 75 ?? 2B CA D1 F9 83 F9 ?? 72 ?? 8B CB 8D 51 ?? + 66 8B 01 83 C1 ?? 66 3B 45 ?? 75 ?? 2B CA D1 F9 83 C1 ?? 68 ?? ?? ?? ?? 8D 04 4B 50 + FF 15 ?? ?? ?? ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 00 A8 ?? 74 ?? 83 E0 ?? + 50 FF 76 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BB ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? EB ?? 85 C0 75 ?? 6A ?? 53 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 0D ?? + ?? ?? ?? 6A ?? 58 3B C8 A1 ?? ?? ?? ?? 74 ?? 83 F8 ?? 74 ?? FF 76 ?? A1 ?? ?? ?? ?? + 33 D2 6A ?? 03 C1 59 F7 F1 FF 34 95 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 05 ?? ?? ?? ?? + FF 05 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 46 ?? 6A + ?? 59 66 89 4C 78 ?? 33 C9 8B 46 ?? 66 89 0C 78 FF 75 ?? 8B 5D ?? 53 FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 8B 45 ?? E9 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 5D ?? 33 FF 39 7E ?? + 75 ?? 89 3E 53 FF 15 ?? ?? ?? ?? 8B DF 8B 4D ?? E8 ?? ?? ?? ?? 5F 5E 8B C3 5B 8B E5 + 5D C2 + } + + $encrypt_files_p1 = { + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 55 ?? 8B C1 89 45 ?? C7 45 ?? ?? ?? + ?? ?? 33 F6 89 75 ?? 83 4D ?? ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 75 + ?? 56 68 ?? ?? ?? ?? 6A ?? 56 56 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? + 83 FB ?? 74 ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 0B 45 ?? 74 ?? + 8B FE EB ?? 33 FF 47 89 7D ?? 85 FF 0F 85 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 + 45 ?? A1 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? FF 75 ?? FF D0 8B C8 A1 ?? ?? ?? ?? EB ?? 8B + CE 85 C9 0F 84 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? FF 75 ?? FF D0 EB ?? 8B C6 85 C0 0F 84 + ?? ?? ?? ?? 56 8D 45 ?? 50 68 ?? ?? ?? ?? 8B 7D ?? 57 53 FF 15 ?? ?? ?? ?? 85 C0 75 + ?? 83 CF ?? 89 7D ?? E9 ?? ?? ?? ?? 8B 45 ?? 3B C6 7C ?? 
8B 4D ?? 7F ?? 81 F9 ?? ?? + ?? ?? 76 ?? 81 E9 ?? ?? ?? ?? 1B C6 50 51 33 D2 8B CB E8 ?? ?? ?? ?? 59 59 23 C2 89 + } + + $encrypt_files_p2 = { + 75 ?? 85 F6 75 ?? 56 8D 45 ?? 50 68 ?? ?? ?? ?? 8B 45 ?? 03 C7 50 53 FF 15 ?? ?? ?? + ?? 8B FE 89 7D ?? EB ?? 56 56 6A ?? 5A 8B CB E8 ?? ?? ?? ?? 59 59 23 C2 8B FE 89 7D + ?? 85 FF 75 ?? 56 8D 45 ?? 50 6A ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B 4D ?? FF 71 ?? FF 71 ?? 8D 41 ?? 50 FF 71 ?? 6A ?? 5A 8B 4D ?? E8 ?? ?? ?? + ?? 83 C4 ?? 0F B6 C0 23 F8 89 7D ?? 0F 85 ?? ?? ?? ?? 56 8D 45 ?? 50 8B 45 ?? FF 70 + ?? FF 70 ?? 53 FF 15 ?? ?? ?? ?? 56 8D 45 ?? 50 8B 45 ?? FF 70 ?? FF 70 ?? 53 FF 15 + ?? ?? ?? ?? 51 8B 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8D 45 ?? 50 8B 55 ?? 52 + 8B 4D ?? 8B 45 ?? 03 C1 50 52 51 51 8B 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 56 8D 45 ?? 50 6A ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 56 56 33 D2 8B CB E8 ?? ?? ?? ?? 59 59 56 8D 45 ?? 50 FF 75 ?? FF 75 ?? 53 FF + 15 ?? ?? ?? ?? 83 7D ?? ?? 76 ?? 8B 45 ?? 2D ?? ?? ?? ?? 8B 4D ?? 1B CE 51 50 33 D2 + 8B CB E8 ?? ?? ?? ?? 59 59 56 8D 45 ?? 50 FF 75 ?? 8B 45 ?? 03 45 ?? 50 53 FF 15 ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 4D ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? C3 + } + + $find_volumes = { + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 33 DB 53 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 56 53 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 83 FF ?? 0F 84 ?? ?? ?? + ?? 89 5D ?? 6A ?? 5B 8D B5 ?? ?? ?? ?? 8D 4E ?? 33 D2 66 8B 06 83 C6 ?? 66 3B C2 75 + ?? 2B F1 D1 FE 66 39 9D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 66 39 9D ?? ?? ?? ?? 75 ?? 66 + 83 BD ?? ?? ?? ?? ?? 75 ?? 66 39 9D ?? ?? ?? ?? 75 ?? 66 39 9C 75 ?? ?? ?? ?? 75 ?? + 33 C0 66 89 84 75 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 66 89 9C 75 ?? ?? ?? ?? 85 C0 74 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 
8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 4D ?? ?? E8 ?? ?? ?? ?? EB ?? 8B 7D ?? 57 FF 15 ?? + ?? ?? ?? 8B 65 ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_volumes + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Bam2021.yara b/yara/ransomware/Win32.Ransomware.Bam2021.yara new file mode 100644 index 0000000..5b83576 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Bam2021.yara 
@@ -0,0 +1,167 @@ +rule Win32_Ransomware_Bam2021 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BAM2021" + description = "Yara rule that detects Bam2021 ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Bam2021" + tc_detection_factor = 5 + + strings: + + $enum_shares = { + 83 EC ?? 53 55 8B 2D ?? ?? ?? ?? 56 57 68 ?? ?? ?? ?? FF D5 8B 74 24 ?? 6A ?? 56 C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4C 24 + ?? 8D 44 24 ?? 50 51 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 89 06 33 C0 5F 5E + 5D 5B 83 C4 ?? C2 ?? ?? 8B 54 24 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 8B F8 89 7C 24 ?? 85 + FF 75 ?? 89 06 8B 44 24 ?? 50 6A ?? 57 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 8D 4C 24 + ?? 51 57 8D 54 24 ?? 52 50 E8 ?? ?? ?? ?? 8B F0 85 F6 0F 85 ?? ?? ?? ?? 33 DB 39 5C + 24 ?? 76 ?? 8D 77 ?? 90 33 C0 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 + 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 8B 06 50 C7 44 24 ?? ?? ?? ?? ?? 89 44 24 + ?? FF D5 6A ?? 6A ?? 6A ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 3E E8 ?? ?? + ?? ?? 8B 7C 24 ?? 8B 54 24 ?? 6A ?? 6A ?? 52 E8 ?? ?? ?? ?? 8B 46 ?? 83 E0 ?? 3C ?? + 75 ?? 8B 4C 24 ?? 8B 44 24 ?? 51 8D 56 ?? 52 50 E8 ?? ?? ?? ?? 43 83 C6 ?? 3B 5C 24 + ?? 0F 82 ?? ?? ?? ?? E9 ?? ?? ?? ?? 81 FE ?? ?? ?? ?? 74 ?? 56 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 89 31 57 FF 15 ?? ?? ?? ?? 8B 54 24 ?? 52 E8 ?? ?? ?? + ?? 8B F0 85 F6 74 ?? 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 89 30 33 + C0 5F 5E 5D 5B 83 C4 ?? C2 + } + + $find_files_p1 = { + 8D 94 24 ?? ?? ?? ?? 52 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 + ?? 0F 84 ?? ?? ?? ?? 8B 7C 24 ?? EB ?? 8D A4 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 84 24 + ?? ?? ?? ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 3B D5 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D5 75 ?? 33 C0 EB ?? 
1B C0 83 D8 ?? 3B C5 0F 84 ?? + ?? ?? ?? B9 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 90 66 8B 10 66 3B 11 75 ?? 66 3B D5 74 + ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D5 75 ?? 33 C0 EB ?? 1B C0 + 83 D8 ?? 3B C5 0F 84 ?? ?? ?? ?? F6 84 24 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 8C 24 + ?? ?? ?? ?? 51 BB ?? ?? ?? ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 9C 24 ?? ?? + ?? ?? 8D 74 24 ?? C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 55 8D 8C 24 + ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? 8B 54 24 ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C6 84 24 ?? ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 6C 24 ?? 66 89 44 24 ?? 72 ?? 8B 4C 24 ?? 51 E8 ?? ?? ?? ?? + 83 C4 ?? 8B 54 24 ?? 8B 44 24 ?? 42 3B C2 77 ?? 8D 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 + ?? 8B 4C 24 ?? 8B 54 24 ?? 8D 34 0A 3B C6 77 ?? 2B F0 8B 44 24 ?? 39 2C B0 75 ?? 6A + ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 89 04 B1 8B 54 24 ?? 8B 0C B2 89 4C 24 ?? 89 + } + + $find_files_p2 = { + 4C 24 ?? C6 84 24 ?? ?? ?? ?? ?? 3B CD 74 ?? 33 C0 C7 41 ?? ?? ?? ?? ?? 89 69 ?? 6A + ?? 66 89 41 ?? 55 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? FF 44 + 24 ?? E9 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 73 ?? 8D 84 24 ?? + ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 50 68 ?? ?? ?? ?? 6A ?? 8D 94 24 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 47 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? + ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? BE ?? ?? ?? ?? 8B 16 52 8D 84 24 ?? + ?? ?? ?? 50 FF D3 85 C0 75 ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 7C ?? E9 ?? ?? ?? ?? 57 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C0 ?? 8D 94 24 ?? ?? ?? ?? 2B D0 0F + B7 08 66 89 0C 02 83 C0 ?? 66 3B CD 75 ?? 33 C0 EB ?? 8D A4 24 ?? ?? ?? ?? 8D 49 ?? + 0F B7 8C 04 ?? ?? ?? ?? 66 89 8C 04 ?? ?? ?? ?? 83 C0 ?? 66 3B CD 75 ?? 33 C0 8D 9B + ?? ?? ?? ?? 0F B7 88 ?? ?? ?? ?? 66 89 8C 04 ?? ?? ?? ?? 83 C0 ?? 66 3B CD 75 ?? 8B + 5C 24 ?? 6A ?? B9 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? 
?? E8 ?? ?? ?? ?? 8B 54 24 ?? 8D 8C + 24 ?? ?? ?? ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? 50 FF 15 + } + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? + ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 57 A1 ?? ?? ?? ?? 33 C4 50 8D 84 24 ?? ?? + ?? ?? 64 A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 DB 3B C3 75 ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 + 83 C4 ?? 3B F3 74 ?? 68 ?? ?? ?? ?? 8D 46 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 + EB ?? 33 C0 A3 ?? ?? ?? ?? 8D 4C 24 ?? 51 8B F8 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 33 D2 53 89 9C 24 ?? ?? ?? ?? 50 66 89 94 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 33 C9 53 52 66 89 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 33 C0 53 51 66 89 84 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 33 D2 53 50 66 89 54 + 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 33 C9 53 52 66 89 + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 47 ?? 83 C4 ?? 50 89 5C 24 ?? 89 44 24 ?? E8 ?? + ?? ?? ?? 53 53 8D 84 24 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 83 EC ?? 8B + } + + $encrypt_files_p2 = { + F4 33 C9 8D 84 24 ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? 89 5E ?? 89 64 24 ?? 66 89 4E ?? + 8D 50 ?? 90 66 8B 08 83 C0 ?? 66 3B CB 75 ?? 2B C2 D1 F8 50 8D 84 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 53 6A ?? 8D 94 24 ?? ?? ?? ?? 52 53 FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 83 EC ?? 8B F4 33 C0 C7 46 ?? ?? ?? ?? ?? 89 5E ?? 66 89 46 ?? 8D 84 24 + ?? ?? ?? ?? 89 64 24 ?? 8D 50 ?? EB ?? 8D 49 ?? 66 8B 08 83 C0 ?? 66 3B CB 75 ?? 2B + C2 D1 F8 50 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 53 6A ?? 8D 8C 24 + ?? ?? ?? ?? 51 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 83 EC ?? 8B F4 33 D2 C7 46 ?? ?? ?? + ?? ?? 89 5E ?? 8D 84 24 ?? ?? ?? ?? 66 89 56 ?? 89 64 24 ?? 8D 50 ?? EB ?? 8D 49 ?? + 66 8B 08 83 C0 ?? 66 3B CB 75 ?? 2B C2 D1 F8 50 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 57 E8 ?? 
?? ?? ?? 53 6A ?? 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? + ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 EC ?? 8B F4 33 D2 C7 46 ?? ?? + ?? ?? ?? 89 5E ?? 8D 44 24 ?? 66 89 56 ?? 89 64 24 ?? 8D 50 ?? 8D A4 24 ?? ?? ?? ?? + 66 8B 08 83 C0 ?? 66 3B CB 75 ?? 2B C2 D1 F8 50 8D 44 24 ?? E8 ?? ?? ?? ?? 57 E8 ?? + ?? ?? ?? 53 6A ?? 8D 84 24 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? + ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 EC ?? 8B F4 33 D2 C7 + } + + $encrypt_files_p3 = { + 46 ?? ?? ?? ?? ?? 89 5E ?? 8D 84 24 ?? ?? ?? ?? 66 89 56 ?? 89 64 24 ?? 8D 50 ?? 90 + 66 8B 08 83 C0 ?? 66 3B CB 75 ?? 2B C2 D1 F8 50 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 57 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 8D 44 24 ?? 50 53 6A ?? 53 53 53 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 89 5C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4C 24 ?? 51 FF 15 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B F8 53 + 57 E8 ?? ?? ?? ?? 8B 74 24 ?? 83 C4 ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8D 54 + 24 ?? 52 57 8B CE E8 ?? ?? ?? ?? 8B 74 24 ?? E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 74 24 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8B 8C 24 ?? ?? ?? ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 8C 24 ?? + ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $generate_key = { + 50 C7 44 24 ?? ?? ?? ?? ?? F3 A5 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5D B8 ?? ?? ?? + ?? 5B 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C2 ?? ?? 8B 44 24 ?? 8D 4C 24 ?? 51 + 6A ?? 6A ?? 6A ?? 8D 54 24 ?? 52 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5D B8 ?? ?? + ?? ?? 5B 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C2 ?? ?? 8B 54 24 ?? 6A ?? 8D 4C + 24 ?? 51 6A ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5D B8 ?? ?? ?? ?? 5B 8B 4C 24 + ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C2 ?? ?? 8B 54 24 ?? 6A ?? 8D 44 24 ?? 50 8D 4C 24 + ?? 51 6A ?? 52 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5D B8 ?? + ?? ?? ?? 
5B 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C2 ?? ?? 8B 44 24 ?? C1 E8 ?? + 89 44 24 ?? 03 C3 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? 5F 5E 5D B8 ?? ?? ?? + ?? 5B 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C2 ?? ?? 53 55 56 E8 ?? ?? ?? ?? 8B + 4C 24 ?? 83 C4 ?? 89 5C 24 ?? 83 C3 ?? 53 8D 44 24 ?? 50 56 6A ?? 6A ?? 6A ?? 51 FF + 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5D B8 ?? ?? ?? ?? 5B 8B 4C 24 ?? 33 CC E8 ?? ?? ?? + ?? 83 C4 ?? C2 ?? ?? 8B 7C 24 ?? 8B 54 24 ?? 57 56 52 E8 ?? ?? ?? ?? 8B 44 24 ?? 56 + 89 38 E8 ?? ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 5F 5E 5D 5B 33 CC 33 C0 E8 ?? ?? ?? ?? 83 + C4 ?? C2 + } + + $remote_connection = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 57 8D 44 24 ?? 50 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 46 ?? 83 + F8 ?? 74 ?? 8B 46 ?? 8D 7E ?? 83 E8 ?? 83 78 ?? ?? 7E ?? 8B 48 ?? 51 8B CF E8 ?? ?? + ?? ?? 8B 3F 57 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 54 24 ?? 52 89 44 24 ?? FF 15 ?? ?? + ?? ?? 85 C0 75 ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 5F 8B 8C 24 + ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 8B 48 ?? 8B 11 8B 02 0F B7 56 + ?? B9 ?? ?? ?? ?? 52 89 44 24 ?? 66 89 4C 24 ?? FF 15 ?? ?? ?? ?? 8B 4E ?? 66 89 44 + 24 ?? 6A ?? 8D 44 24 ?? 50 51 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? FF 15 ?? ?? ?? ?? 8B + 56 ?? 52 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 5F 8B 8C 24 ?? ?? ?? ?? 33 CC E8 + ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 8B 8C 24 ?? ?? ?? ?? 5F 33 CC B8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_shares + ) and + ( + all of ($find_files_p*) + ) and + ( + $generate_key + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BananaCrypt.yara b/yara/ransomware/Win32.Ransomware.BananaCrypt.yara new file mode 100644 index 0000000..e19f0ec --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BananaCrypt.yara 
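Review bot: The meta block of Win32_Ransomware_Bam2021 has no version or date field and no reference to a sample (hash or source URL), so a CI job has nothing to regression-test the rule against when it is edited later; the same gap is present in the BananaCrypt, BandarChor and BitCrypt rules added in this patch. Consider adding entries such as `version = "1.0"` and `hash = "<SAMPLE-SHA256-PLACEHOLDER>"` under the existing `sharing` line, with the real sample identifier filled in by the rule owner. Separately, every condition in these hunks opens with only `uint16(0) == 0x5A4D`; without an upper `filesize` bound these long wildcard byte patterns are evaluated against arbitrarily large MZ-prefixed files, so a `filesize < N` guard is worth considering if scan throughput matters (the right N depends on the samples, which the patch does not give).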
@@ -0,0 +1,103 @@ +rule Win32_Ransomware_BananaCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BANANACRYPT" + description = "Yara rule that detects BananaCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BananaCrypt" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 89 E5 57 56 53 89 C3 81 EC ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 55 ?? 89 8D ?? ?? ?? + ?? 85 D2 74 ?? 8B 45 ?? 85 C0 0F 85 ?? ?? ?? ?? 31 F6 0F B6 13 84 D2 0F 84 ?? ?? ?? + ?? 8D 43 ?? 88 95 ?? ?? ?? ?? 8D 8B ?? ?? ?? ?? 8D BD ?? ?? ?? ?? EB ?? 83 C0 ?? 83 + C7 ?? 88 57 ?? 39 C1 74 ?? 0F B6 10 84 D2 75 ?? 89 BD ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + C6 00 ?? 89 1C 24 E8 ?? ?? ?? ?? 85 C0 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 89 F0 84 + C0 0F 85 ?? ?? ?? ?? 8D 5D ?? 8D 76 ?? 8D BC 27 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 + 24 E8 ?? ?? ?? ?? 85 C0 89 C6 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D BD ?? ?? ?? ?? + 39 F9 89 C8 76 ?? 0F B6 41 ?? 89 CF 3C ?? 0F 95 C1 3C ?? 0F 95 C2 84 D1 0F 84 ?? ?? + ?? ?? 3C ?? 0F 84 ?? ?? ?? ?? 8D 47 ?? C6 07 ?? 8D 7E ?? 39 D8 89 BD ?? ?? ?? ?? 73 + ?? 0F B6 56 ?? 84 D2 74 ?? 89 F9 8B BD ?? ?? ?? ?? EB ?? 90 0F B6 11 84 D2 74 ?? 83 + C0 ?? 83 C1 ?? 88 50 ?? 39 D8 75 ?? 89 BD ?? ?? ?? ?? C6 00 ?? 8D 85 ?? ?? ?? ?? 31 + FF 89 04 24 E8 ?? ?? ?? ?? 85 C0 89 C2 74 ?? 80 38 ?? 74 ?? 8B 85 ?? ?? ?? ?? 66 90 + 83 C7 ?? 80 3C 3A ?? 75 ?? 89 85 ?? ?? ?? ?? 89 54 24 ?? C7 04 24 ?? ?? ?? ?? 89 95 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 46 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 3D ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 74 ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 7C 24 ?? 89 14 24 89 + } + + $encrypt_files_p2 = { + 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C6 8D 85 ?? ?? ?? ?? 89 F1 89 04 24 E8 ?? ?? ?? ?? + 83 EC ?? 89 F1 E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 
89 F1 E8 ?? ?? ?? ?? 89 C7 8D + 40 ?? 83 F8 ?? 76 ?? 89 F1 83 05 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 F1 E8 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 3C 24 89 44 24 ?? E8 ?? ?? ?? ?? 89 F1 E8 ?? + ?? ?? ?? 89 F1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? E8 + ?? ?? ?? ?? 89 F1 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 89 + F1 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B + B5 ?? ?? ?? ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 A6 0F 84 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? BF ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 A6 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 8D ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 8D 74 26 ?? 8B 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 + E8 ?? ?? ?? ?? 8D 65 ?? B8 ?? ?? ?? ?? 5B 5E 5F 5D C3 8B 45 ?? 89 1C 24 89 44 24 ?? + 8B 45 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 89 C6 E9 ?? ?? ?? ?? 8D 65 ?? 31 C0 5B 5E 5F 5D + C3 8D 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E9 + } + + $find_files_p1 = { + 8D 4C 24 ?? 83 E4 ?? FF 71 ?? 55 89 E5 57 56 53 51 81 EC ?? ?? ?? ?? 8B 31 8B 79 ?? + E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 FE ?? 7E ?? 89 74 24 ?? C7 04 + 24 ?? ?? ?? ?? 31 DB E8 ?? ?? ?? ?? 8B 04 9F 89 5C 24 ?? 83 C3 ?? C7 04 24 ?? ?? ?? + ?? 89 44 24 ?? E8 ?? ?? ?? ?? 39 DE 75 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 47 ?? 89 04 24 + E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 89 + 44 24 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D BD ?? + ?? ?? ?? F3 A5 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 04 24 C7 85 + } + + $find_files_p2 = { + 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 C3 E8 ?? ?? ?? ?? + 8D 44 03 ?? 89 04 24 E8 ?? ?? ?? ?? 89 C3 8B 85 ?? ?? ?? ?? 89 1C 24 89 44 24 ?? E8 + ?? ?? ?? ?? 89 DA 8B 0A 83 C2 ?? 8D 81 ?? ?? ?? ?? 
F7 D1 21 C8 25 ?? ?? ?? ?? 74 ?? + A9 ?? ?? ?? ?? 74 ?? 89 C1 00 C1 83 DA ?? C7 02 ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C7 + 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 84 C0 74 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 65 ?? 31 C0 59 5B 5E + 5F 5D 8D 61 ?? C3 C1 E8 ?? 83 C2 ?? EB ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D BD ?? ?? ?? ?? BE ?? ?? ?? ?? 89 04 24 B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 + F9 89 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 29 CE 81 C1 ?? ?? ?? ?? C1 E9 ?? 89 45 ?? F3 + } + + $find_files_p3 = { + A5 89 1C 24 E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 89 C6 74 ?? 89 44 24 ?? C7 44 24 ?? ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 34 24 E8 ?? + ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? E8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 85 C0 89 C6 0F 84 ?? ?? ?? ?? 89 44 24 + ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? + ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BandarChor.yara b/yara/ransomware/Win32.Ransomware.BandarChor.yara new file mode 100644 index 0000000..f464144 --- /dev/null 
+++ b/yara/ransomware/Win32.Ransomware.BandarChor.yara 
@@ -0,0 +1,97 @@ +rule Win32_Ransomware_BandarChor : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BANDARCHOR" + description = "Yara rule that detects BandarChor ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BandarChor" + tc_detection_factor = 5 + + strings: + $file_extensions_1 = { + 55 8B EC B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 F9 51 53 89 55 ?? 8B D8 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 4D ?? 8B 95 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 0F 85 F9 00 00 00 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 55 ?? 8B C3 E8 4F FE FF FF E9 ?? ?? ?? ?? 8D 95 + } + + $file_extensions_2 = { + ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? 
E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 + } + + $file_extensions_3 = { + 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 
8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B + 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + } + + $file_extensions_4 = { + 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D + 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 + ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F + 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 + } + + $file_extensions_5 = { + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? 
?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 + } + + $parse_server_commands = { + 83 F9 ?? 0F 84 E0 00 00 00 50 53 56 57 89 C3 89 D6 89 CF 31 D2 8A 06 8A 56 ?? 3C ?? 74 25 3C ?? 74 3E 3C ?? 74 51 3C ?? + 74 5C 3C ?? 74 76 3C ?? 0F 84 84 00 00 00 3C ?? 0F 84 8B 00 00 00 E9 97 00 00 00 83 F9 ?? 89 D8 7F 0A E8 ?? ?? ?? ?? E9 + 91 00 00 00 89 CA E8 ?? ?? ?? ?? E9 85 00 00 00 83 F9 ?? 89 D8 7F 07 E8 ?? ?? ?? ?? EB 77 89 CA E8 ?? ?? ?? ?? EB 6E 89 + D8 83 C3 ?? E8 ?? ?? ?? ?? 4F 7F F3 EB 5F 55 89 D5 8B 54 2E ?? 89 D8 03 5C 2E ?? 8B 4C 2E ?? 8B 12 E8 62 FF FF FF 4F 7F + E8 5D EB 41 55 89 D5 89 D8 03 5C 2E ?? 89 F2 E8 ?? ?? ?? ?? 4F 7F F0 5D EB 2B 89 D8 83 C3 ?? E8 ?? ?? ?? ?? 4F 7F F3 EB + 1C 89 D8 89 F2 83 C3 ?? E8 ?? ?? ?? ?? 4F 7F F1 EB 0B 5F 5E 5B 58 B0 ?? E9 ?? ?? ?? ?? 5F 5E 5B 58 C3 8B C0 B9 ?? ?? ?? + ?? E9 0A FF FF FF C3 + } + + condition: + uint16(0) == 0x5A4D and + (($file_extensions_1 and $file_extensions_2 and $file_extensions_3 and + $file_extensions_4 and $file_extensions_5) and + $parse_server_commands) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BitCrypt.yara b/yara/ransomware/Win32.Ransomware.BitCrypt.yara new file mode 100644 index 0000000..6679c21 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BitCrypt.yara 
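Review bot: The condition of Win32_Ransomware_BandarChor spells out `$file_extensions_1 and ... $file_extensions_5` by hand, while the sibling rules in this patch (Bam2021, BananaCrypt) use the `all of ($prefix*)` form; `uint16(0) == 0x5A4D and all of ($file_extensions_*) and $parse_server_commands` is equivalent, shorter, and will not silently leave a chunk out of the condition if a `$file_extensions_6` is added later. The patterns `$file_extensions_1` and `$parse_server_commands` also keep several concrete relative displacements (`0F 85 F9 00 00 00`, `E8 4F FE FF FF`, `0F 84 E0 00 00 00`, `E8 62 FF FF FF`) where the rest of the rule wildcards such operands; if these are not intentional anchors they are likely to stop matching on a recompiled variant and could be replaced with `??` bytes like the surrounding call targets, so a comment stating why they are fixed would help either way.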
@@ -0,0 +1,112 @@ +import "pe" + +rule Win32_Ransomware_BitCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BITCRYPT" + description = "Yara rule that detects BitCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BitCrypt" + tc_detection_factor = 5 + + strings: + $bc_bcdedit = { + 55 8B EC 6A ?? 53 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B D8 BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 + E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8D 45 + ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? + ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? C3 + } + + $bc_enum_drives_a_z = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 D2 89 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B F0 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 06 B3 ?? 8D 85 ?? ?? ?? ?? 8B D3 E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? + 8D 45 ?? B1 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B D3 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 E8 ?? 75 1B 8D 85 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? + ?? 8B 06 8B 08 FF 51 ?? 43 80 FB ?? 0F 85 65 FF FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 + } + + $bc_do_extensions_1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 DB 89 9D ?? ?? ?? ?? 
89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D + ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 4D ?? 89 55 ?? 89 45 ?? 8B 7D ?? 8B 5D ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 ?? + ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 85 81 01 00 00 E8 ?? ?? ?? ?? BA ?? + ?? ?? ?? 33 C0 E8 ?? ?? ?? ?? 8B F0 8B C3 8B 14 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 28 A0 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 8B 03 33 C9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B 13 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 85 C0 75 C8 EB 28 A0 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8B 03 33 C9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B + C3 E8 ?? ?? ?? ?? 8B 13 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 C8 FF 75 ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? DB 85 ?? ?? ?? ?? 83 C4 ?? DB 3C + } + + $bc_do_extensions_2 = { + 24 9B 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8B C7 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 13 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 17 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B3 ?? EB 02 33 DB 33 C0 5A 59 59 64 89 10 EB 0C E9 ?? ?? ?? ?? 33 DB E8 ?? ?? + ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB D0 8B C3 5F 5E 5B 8B E5 5D C2 + } + + $bc_do_files_1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? 
?? ?? 89 8D ?? ?? ?? ?? 89 4D ?? 89 55 ?? 8B F0 + 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B3 ?? 8B 06 E8 ?? ?? ?? ?? + 89 45 ?? 8B 16 8D 85 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B F8 85 FF 0F 85 91 00 00 00 F6 85 ?? ?? ?? ?? ?? 75 73 56 8D B5 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 A5 + 5E 8B 85 ?? ?? ?? ?? 89 45 ?? 8B 85 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 33 D2 E8 ?? ?? ?? ?? 83 C4 ?? DD 1C 24 9B 8D 45 ?? E8 + ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 36 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? + ?? ?? 8B 45 ?? 8B 40 ?? 8B 00 8B 08 FF 51 ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 85 FF 0F 84 6F FF FF FF 8D 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 84 DB 0F 84 B7 00 00 00 8B 16 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D + } + + $bc_do_files_2 = { + 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 85 FF 75 7E F6 85 ?? ?? ?? ?? ?? 74 64 8B 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 74 52 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 40 FF 36 FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B + C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 50 8B C6 8B 55 ?? E8 57 FE FF FF 59 84 C0 75 04 33 DB EB 21 8B 55 ?? 42 8B C6 + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 85 FF 74 82 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 + 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $bc_main_1 = { + 55 8B EC B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 F9 53 56 57 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 33 C0 A3 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? + ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 
BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? + ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 8D 45 ?? 8B 0D ?? ?? ?? ?? + 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 75 7A 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B + } + + $bc_main_2 = { + 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8D 45 ?? 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 33 C0 E8 ?? ?? ?? ?? 8B 45 ?? 50 8D 45 ?? 8B 0D ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 58 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 11 BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B D8 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 80 FB ?? 0F 85 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? B2 ?? A1 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 75 ED A1 ?? ?? ?? ?? 8B 10 FF 52 ?? 83 F8 ?? 0F + 8E ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 10 FF 52 ?? 99 F7 3D ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 10 FF 52 ?? 99 F7 3D + ?? ?? ?? ?? 89 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 48 85 C0 7C ?? 40 89 45 ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? + } + + $bc_main2 = { + E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 45 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D + ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 
C3 + } + + condition: + uint16(0) == 0x5A4D and ($bc_main_1 at pe.entry_point) and $bc_main_2 and $bc_main2 and $bc_bcdedit and $bc_enum_drives_a_z and + $bc_do_extensions_1 and $bc_do_extensions_2 and $bc_do_files_1 and $bc_do_files_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BlackBasta.yara b/yara/ransomware/Win32.Ransomware.BlackBasta.yara new file mode 100644 index 0000000..7be9507 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BlackBasta.yara 
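Review bot: The string names in Win32_Ransomware_BitCrypt mix two schemes: `$bc_main_1` and `$bc_main_2` appear to be consecutive chunks of one function (the first ends in `8B 0D ?? ?? ?? ?? 8B` and the second begins with `15 ?? ?? ?? ??`), but `$bc_main2` without the underscore is a separate pattern, and the condition lists all three, so `$bc_main_2 and $bc_main2` reads like a typo. Renaming it to `$bc_main_3` in both its definition and the condition keeps one scheme, or at minimum a comment above it such as `// distinct block, not a continuation of $bc_main_2` should be added. This is also the only rule in the patch that anchors a pattern with `at pe.entry_point`, which is a useful precision guard; a one-line comment next to `$bc_main_1` noting that it must sit at the entry point would make that intent visible to the next editor.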
@@ -0,0 +1,531 @@ +rule Win32_Ransomware_BlackBasta : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BLACKBASTA" + description = "Yara rule that detects BlackBasta ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BlackBasta" + tc_detection_factor = 5 + + strings: + + $find_files = { + 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? + ?? 83 C4 ?? 8B F0 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B C6 + E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 41 ?? 2B 01 C1 F8 ?? 89 85 ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 + 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 + ?? 8A 48 ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? + 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 + } + + $encrypt_files_v1 = { + 6A ?? E8 ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 89 B5 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 57 E8 ?? ?? ?? ?? 6A ?? 57 56 E8 ?? ?? ?? ?? 8D 4F + ?? 6A ?? 51 53 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A + ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 FF B5 ?? ?? ?? ?? 57 53 56 83 EC ?? 8B F4 89 A5 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 6A ?? 56 8D 4D ?? E8 ?? + ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A + ?? FF B5 ?? ?? ?? ?? 57 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? + ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? 
?? + ?? ?? E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 + ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 80 BD ?? ?? ?? ?? ?? + 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + } + + $cmd_prompt = { + 8B FF 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? ?? ?? ?? ?? FC 53 56 8B 75 ?? 8D 45 ?? 33 DB + 68 ?? ?? ?? ?? 53 50 89 5D ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 83 F8 ?? 0F 84 ?? + ?? ?? ?? 85 F6 75 ?? 53 39 5D ?? 75 ?? E8 ?? ?? ?? ?? 59 33 C0 E9 ?? ?? ?? ?? FF 75 + ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 E8 ?? ?? ?? ?? 33 C0 83 C4 ?? 85 F6 0F 94 C0 E9 ?? + ?? ?? ?? 8B 45 ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 89 75 ?? 89 5D ?? 57 85 C0 74 ?? E8 + ?? ?? ?? ?? 8B 38 E8 ?? ?? ?? ?? 53 89 18 8D 45 ?? 50 FF 75 ?? 53 E8 ?? ?? ?? ?? 83 + C4 ?? 8B F0 E8 ?? ?? ?? ?? 83 FE ?? 74 ?? 89 38 EB ?? 83 38 ?? 74 ?? E8 ?? ?? ?? ?? + 83 38 ?? 74 ?? 83 CE ?? FF 75 ?? E8 ?? ?? ?? ?? 59 EB ?? E8 ?? ?? ?? ?? 89 38 53 8D + 45 ?? B9 ?? ?? ?? ?? 50 51 53 89 4D ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 E8 ?? ?? ?? ?? + 83 C4 ?? 8B C6 5F 8B 4D ?? 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3 53 + } + + $ldap_connect = { + C6 45 ?? ?? 8D 45 ?? 83 7D ?? ?? 0F 43 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? + 50 6A ?? 53 8B 35 ?? ?? ?? ?? FF D6 C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 53 FF D6 + 6A ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 83 C4 ?? + 85 C0 74 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 83 C4 ?? + 8B F0 89 75 ?? 8D 45 ?? 50 8D 45 ?? 50 6A ?? 6A ?? 56 53 FF 15 ?? ?? ?? ?? 83 C4 ?? + 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 ?? + ?? ?? ?? FF 75 ?? 
57 53 FF 15 ?? ?? ?? ?? 83 C4 ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 8B + 06 85 C0 0F 84 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? 50 8B 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 36 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 8B C8 89 4D ?? 8B 01 8B 40 ?? C6 45 ?? ?? 8B 44 08 ?? 8B 58 ?? 89 5D + ?? 8B 03 8B CB FF 50 ?? 83 4D ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 10 6A ?? + 8B C8 FF 52 ?? 0F B7 C0 89 45 ?? 83 65 ?? ?? C6 45 ?? ?? 85 DB 74 ?? 8B 03 8B CB FF + 50 ?? 8B C8 85 C9 74 ?? 8B 01 6A ?? FF 10 8B 45 ?? 50 8B 4D ?? E8 ?? ?? ?? ?? 8B 4D + ?? E8 ?? ?? ?? ?? 8B 5D ?? 56 FF 15 + } + + $encrypt_files_v2 = { + 8D 45 ?? 50 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 6A ?? 57 53 FF 75 ?? 83 EC ?? 8B + F4 89 A5 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 6A ?? 56 8D 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8B 45 ?? 89 45 ?? 6A ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 75 + ?? 57 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 E8 + ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + } + + $encrypt_files_v3 = { + 6A ?? E8 ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 89 B5 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 57 E8 ?? ?? ?? ?? 6A ?? 57 56 E8 ?? ?? ?? ?? 8D 4F + ?? 6A ?? 51 53 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A + ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 6A ?? 57 53 56 83 EC ?? 8B F4 89 A5 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 6A ?? 56 8D 4D ?? E8 ?? ?? ?? ?? C6 + 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF B5 ?? + ?? ?? ?? 57 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 
6A ?? 8D 85 ?? ?? ?? ?? 50 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 57 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 53 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? C6 45 ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 + ?? ?? 8D 8D ?? ?? ?? ?? E8 + } + + $encrypt_files_v4 = { + 8D 45 ?? 50 E8 ?? ?? ?? ?? 0F 10 45 ?? 0F 11 45 ?? 0F 10 45 ?? 0F 11 45 ?? 8B 45 ?? + 8B 4D ?? 89 45 ?? 89 4D ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? + 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 56 57 8D 45 ?? 50 8D 45 ?? 50 83 EC ?? 8B + F4 89 A5 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 6A ?? 56 8D 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 6A ?? FF B5 ?? ?? ?? ?? 57 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 + ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? EB ?? 8D 85 + ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C6 45 ?? ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 8B 8D ?? ?? ?? ?? 83 F9 ?? 72 ?? 8D 0C 4D ?? ?? ?? ?? 89 8D ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 8B + 50 ?? 2B C2 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 66 89 85 ?? ?? FF FF C6 + 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 + } + + $drop_ransom_note_v1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? 03 00 00 A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? 
45 FC 00 00 00 00 + 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 + BD ?? ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A + ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 + BD ?? ?? ?? ?? ?? 74 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? + 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + $exclude_from_encryption_v1 = { + 83 FE ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D + ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 FE ?? 0F 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 50 E8 + ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 FE ?? 0F 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B + F0 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 FE ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? + 8D 4D ?? E8 ?? ?? ?? ?? 83 FE ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 83 FE ?? 75 ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D + } + + $exclude_from_encryption_v2_p1 = { + 50 C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 
50 + E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B F0 C6 + 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 FE ?? 74 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + C6 45 ?? ?? 6A ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 FE ?? 74 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E9 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 FE ?? 74 ?? C6 + } + + $exclude_from_encryption_v2_p2 = { + 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B F0 C6 45 ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 FE ?? 74 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 51 8B C8 E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 8D 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? FF B5 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? B9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 84 C0 0F 44 CA 8D 45 ?? 50 E8 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 80 BD ?? ?? ?? + ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C6 45 ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 + } + + $encrypt_files_v5_p1 = { + 50 F2 0F 11 45 ?? FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 ?? 8D 45 ?? 
50 56 FF 15 ?? ?? + ?? ?? 85 C0 75 ?? 56 FF 15 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? + 8B 8D ?? ?? ?? ?? 85 C9 74 ?? 8B 01 6A ?? FF 10 C7 45 ?? ?? ?? ?? ?? 8D 4B ?? E8 ?? + ?? ?? ?? 8B 4D ?? 5F 64 89 0D ?? ?? ?? ?? 5E 8B E5 5D 8B E3 5B C2 ?? ?? 8B 7D ?? 83 + C1 ?? 8B 35 ?? ?? ?? ?? 8B 45 ?? E9 ?? ?? ?? ?? 8B 45 ?? 8D 8D ?? ?? ?? ?? 8B 7D ?? + 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8D 8D ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 89 45 ?? 83 E0 ?? 03 C1 C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 6A ?? + E8 ?? ?? ?? ?? 6A ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 89 45 ?? C6 45 ?? ?? 6A ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 89 45 ?? C6 45 ?? ?? B9 ?? ?? ?? ?? 6A ?? FF 75 ?? E8 ?? ?? ?? ?? 6A ?? + FF 75 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 75 ?? 6A ?? FF 75 ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? 6A ?? FF 75 ?? 83 + } + + $encrypt_files_v5_p2 = { + C0 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 85 C0 0F 8F ?? ?? ?? ?? 7C ?? 81 FF ?? ?? + ?? ?? 0F 83 ?? ?? ?? ?? F2 0F 10 05 ?? ?? ?? ?? F2 0F 11 45 ?? 0F 57 C0 66 0F 13 45 + ?? 8B 4D ?? 8B 55 ?? 89 4D ?? 8B CF 89 55 ?? 2B 4D ?? 6A ?? 6A ?? 1B C2 50 51 E8 ?? + ?? ?? ?? F2 0F 10 45 ?? 8B CA F2 0F 59 05 ?? ?? ?? ?? 
89 4D ?? 8B C8 89 45 ?? F2 0F + 11 45 ?? E8 ?? ?? ?? ?? F2 0F 59 45 ?? E8 ?? ?? ?? ?? 8B C8 0B CA 0F 85 ?? ?? ?? ?? + 39 4D ?? 0F 8C ?? ?? ?? ?? 7F ?? 85 FF 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? + 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 85 + C0 0F 8C ?? ?? ?? ?? 7F ?? 81 FF ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? F2 0F 10 05 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? F2 0F 11 45 ?? 50 + E8 ?? ?? ?? ?? C6 45 ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 56 C6 45 ?? ?? 8B 4D + ?? E8 ?? ?? ?? ?? 8B 45 ?? 33 D2 C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 52 50 FF 75 ?? + FF 75 ?? E8 ?? ?? ?? ?? 8B C8 89 45 ?? 0B CA 89 55 ?? 75 ?? 8D 85 ?? ?? ?? ?? 89 45 + ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 50 FF 75 ?? 57 + 6A ?? 6A ?? 56 C6 45 ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 0F 57 + C0 66 0F 13 45 ?? 0F 8C ?? ?? ?? ?? 7F ?? 83 7D ?? ?? 0F 86 ?? ?? ?? ?? 8B 45 ?? 8B + 7D ?? 89 45 ?? 66 66 0F 1F 84 00 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8D 8D ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 8B CF 0F A4 C8 ?? 6A ?? C1 E1 ?? 03 + 4D ?? 6A ?? 13 45 ?? 50 51 56 C6 45 ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 03 7D ?? 8B 45 ?? + 13 45 ?? 89 45 ?? 3B 45 ?? 0F 8C ?? ?? ?? ?? 7F ?? 3B 7D ?? 0F 82 + } + + $encrypt_files_v6_p1 = { + E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 85 F6 0F 8F ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 6A + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 03 48 ?? 
8B 01 FF 50 ?? 83 7B ?? ?? 8D 43 ?? + F2 0F 10 05 ?? ?? ?? ?? 0F 43 43 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? 50 F2 0F 11 45 ?? FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 74 ?? 8D 45 ?? 50 57 FF 15 + ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 45 ?? ?? 8B 8D ?? ?? ?? ?? 85 C9 74 ?? 8B 01 6A ?? FF 10 C6 45 ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8D 4B ?? E8 ?? ?? ?? ?? 8B 4D ?? 5F 64 89 0D ?? ?? ?? ?? 5E 8B E5 5D 8B E3 5B + C2 ?? ?? 85 F6 0F 84 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 8B CF 76 ?? 8B FE 2B 7D ?? 66 + 8B 04 0F 66 3B 01 75 ?? 83 C1 ?? 83 EA ?? 75 ?? 2B 75 ?? D1 FE E9 ?? ?? ?? ?? 8B 7D + ?? 83 C6 ?? 8B 15 ?? ?? ?? ?? 8B 45 ?? E9 ?? ?? ?? ?? 8B 45 ?? 8D 8D ?? ?? ?? ?? 8B + 75 ?? 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 + } + + $encrypt_files_v6_p2 = { + 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8D 8D + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 89 45 ?? 83 E0 ?? 03 C1 C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? + 6A ?? E8 ?? ?? ?? ?? 6A ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? C6 45 ?? ?? 6A ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 89 45 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? FF 75 ?? E8 ?? ?? ?? + ?? 6A ?? FF 75 ?? 8D 8D ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 6A ?? FF 75 ?? 6A ?? FF 75 ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? 6A ?? + FF 75 ?? 83 C0 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 85 C0 0F 8F ?? ?? ?? ?? 7C + } + + $encrypt_files_v6_p3 = { + 81 FE ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? F2 0F 10 05 ?? ?? ?? ?? F2 0F 11 45 ?? 0F 57 C0 + 66 0F 13 45 ?? 8B 4D ?? 8B 55 ?? 89 4D ?? 8B CE 89 55 ?? 2B 4D ?? 6A ?? 6A ?? 1B C2 + 50 51 E8 ?? ?? ?? ?? F2 0F 10 45 ?? 8B CA F2 0F 59 05 ?? ?? ?? ?? 89 4D ?? 8B C8 89 + 45 ?? F2 0F 11 45 ?? E8 ?? ?? ?? ?? F2 0F 59 45 ?? E8 ?? ?? ?? ?? 8B C8 0B CA 0F 85 + ?? ?? ?? ?? 39 4D ?? 0F 8C ?? ?? ?? ?? 7F ?? 85 F6 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 89 45 ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? E9 ?? + ?? ?? ?? 85 C0 0F 8C ?? ?? ?? ?? 7F ?? 81 FE ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? F2 0F 10 + 05 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? F2 0F + 11 45 ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 57 C6 45 + ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 33 D2 C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 52 + 50 FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B C8 89 45 ?? 0B CA 89 55 ?? 75 ?? 8D 85 ?? ?? + ?? ?? 89 45 ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 50 + FF 75 ?? 56 6A ?? 6A ?? 57 C6 45 ?? ?? 8B 4D + } + + $set_default_icon_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 + 89 45 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? B0 ?? C7 45 ?? ?? ?? ?? ?? 33 C9 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 98 + 66 31 44 4D ?? 41 83 F9 ?? 73 ?? 8A 45 ?? EB ?? 33 C0 56 66 89 45 ?? C6 45 ?? ?? 8D + 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 
8D 4D ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B F0 C7 45 + ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 56 50 C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 33 C0 C7 46 ?? ?? ?? ?? ?? 83 C4 ?? C7 46 ?? ?? ?? ?? ?? 66 89 06 C7 45 ?? + ?? ?? ?? ?? C6 45 ?? ?? 8B 4D ?? 83 F9 ?? 72 ?? 8B 55 ?? 8D 0C 4D ?? ?? ?? ?? 8B C2 + } + + $set_default_icon_p2 = { + 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? + 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 51 8D 4D ?? C7 45 ?? ?? + ?? ?? ?? 51 6A ?? 68 ?? ?? ?? ?? 33 C0 83 7D ?? ?? 6A ?? 66 89 45 ?? 8D 45 ?? 0F 43 + 45 ?? 6A ?? 6A ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 83 7D ?? ?? 8D 4D + ?? 8B 45 ?? 0F 43 4D ?? 03 C0 50 51 6A ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF + 75 ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF D6 6A + ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D6 B8 ?? ?? ?? ?? 89 45 ?? 83 E0 ?? 89 45 + ?? C6 45 ?? ?? 8B 4D ?? 5E 83 F9 ?? 72 ?? 8B 55 ?? 8D 0C 4D ?? ?? ?? ?? 8B C2 81 F9 + ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 77 ?? 51 52 E8 ?? ?? ?? + ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C7 45 ?? ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_system_volumes = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 81 EC ?? ?? + ?? ?? 53 56 57 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 75 ?? C7 06 ?? ?? ?? ?? + C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F8 66 90 + 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? F7 45 ?? ?? ?? ?? ?? 0F 85 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 D2 C7 45 ?? ?? ?? ?? ?? 66 89 55 ?? 
+ 83 C4 ?? 8D 95 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 0C 00 C7 45 ?? ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 03 C1 C7 45 ?? ?? ?? ?? ?? 3B D0 74 ?? D1 F9 8B C2 + 51 50 8D 4D ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 8B 46 ?? 3B 46 ?? 74 ?? + 6A ?? 51 50 C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 83 46 ?? ?? 66 89 45 ?? + EB ?? 51 50 8B CE E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 4D ?? 83 F9 ?? 72 ?? 8B 55 ?? 8D 0C + 4D ?? ?? ?? ?? 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 + ?? 77 ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? 66 89 45 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF D3 85 C0 0F 85 ?? ?? ?? ?? + 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B C6 5F 5E 5B 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 + } + + $drop_ransom_note_v2_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 + 56 57 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 7D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? B9 ?? ?? ?? ?? 8B D8 2B CF 83 C4 ?? 3B CB 0F 82 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? + 8D 0C 3B C7 45 ?? ?? ?? ?? ?? 0F 43 45 ?? BE ?? ?? ?? ?? 89 45 ?? 8D 45 ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 4D ?? 89 45 ?? 3B CE 76 ?? 8B F1 83 CE ?? 81 FE + ?? ?? ?? ?? 76 ?? BE ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? 3B F0 0F 42 F0 8D 46 ?? 50 8D + 4D ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 0C 3B 89 45 ?? 89 75 ?? 8D 34 3F 56 FF 75 ?? 89 4D + ?? 50 E8 ?? ?? ?? ?? 8B 7D ?? 8D 04 1B 50 68 ?? ?? ?? ?? 8D 0C 3E 51 E8 ?? ?? ?? ?? + 8B 45 ?? 33 C9 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 66 89 0C 47 C6 45 ?? ?? B8 ?? ?? ?? ?? + 83 3D ?? ?? ?? ?? ?? 8D 4D ?? FF 35 ?? ?? ?? ?? 0F 43 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8B F0 C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 56 50 C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? 83 C4 ?? 66 + } + + $drop_ransom_note_v2_p2 = { + 89 06 BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? 
?? 89 75 ?? 83 E6 ?? 89 75 ?? C6 45 ?? ?? 8B + 4D ?? 83 F9 ?? 72 ?? 8B 55 ?? 8D 0C 4D ?? ?? ?? ?? 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 8B + 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 6A ?? 66 89 45 + ?? 8D 45 ?? 0F 43 45 ?? 6A ?? 68 ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B F8 83 FF ?? 74 ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? + ?? 57 FF 15 ?? ?? ?? ?? 83 E6 ?? 89 75 ?? C6 45 ?? ?? 8B 4D ?? 5F 5E 5B 83 F9 ?? 72 + ?? 8B 55 ?? 8D 0C 4D ?? ?? ?? ?? 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B + C2 83 C0 ?? 83 F8 ?? 77 ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D + ?? 64 89 0D ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_v5 = { + 50 FF 15 ?? ?? ?? ?? 8B D8 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 C3 ?? 74 + ?? C6 45 ?? ?? 80 7D ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 + ?? ?? 8D 8D ?? ?? ?? ?? 51 8B C8 E8 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 4D ?? E8 ?? ?? ?? + ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D + ?? ?? ?? ?? 51 8B C8 E8 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D + 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B F8 83 FF ?? 75 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8D 0C 41 89 4D ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 89 45 ?? 
89 45 ?? 8D + 04 78 89 45 ?? 51 50 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 45 + } + + $find_system_volumes_v2_p1 = { + C7 45 ?? ?? ?? ?? ?? 89 7D ?? FF 15 ?? ?? ?? ?? 8B D8 8D 45 ?? 50 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A + ?? 6A ?? 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 85 C0 0F 84 ?? ?? ?? ?? F7 45 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 8D 8D ?? ?? ?? ?? 8D 04 41 50 8B C1 8D 4D ?? 50 + E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8B 4D ?? 3B 4D ?? 74 ?? 6A ?? 56 51 C7 01 ?? ?? ?? + ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 46 ?? ?? ?? + ?? ?? C7 46 ?? ?? ?? ?? ?? C6 06 ?? 83 45 ?? ?? EB ?? 56 51 8D 4D ?? E8 ?? ?? ?? ?? + C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 75 ?? 33 C9 89 4D ?? B8 ?? + ?? ?? ?? 8B 4D ?? 2B CE F7 E9 C1 FA ?? 8B C2 C1 E8 ?? 03 C2 0F 84 ?? ?? ?? ?? 33 DB + 8D 4D ?? 8D 04 33 89 4D ?? C6 45 ?? ?? 8D 4D ?? 51 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8D 4D ?? 83 CF ?? 89 7D ?? C7 45 ?? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 83 E7 ?? 89 7D ?? C6 45 ?? ?? 8D 45 ?? 8B 35 ?? ?? ?? ?? 3B 35 ?? ?? ?? ?? 74 ?? + 6A ?? 50 56 89 75 ?? C7 06 ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C6 + } + + $find_system_volumes_v2_p2 = { + 45 ?? ?? 8B 45 ?? 89 46 ?? C6 45 ?? ?? 83 05 ?? ?? ?? ?? ?? EB ?? 50 56 B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 4D ?? 83 F9 ?? 72 ?? 8B 55 ?? 8D 0C 4D ?? ?? ?? ?? + 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? + ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 33 C0 8B 75 ?? 83 C3 ?? FF 45 ?? 2B CE + 66 89 45 ?? B8 ?? ?? ?? ?? F7 E9 C7 45 ?? ?? ?? ?? ?? C1 FA ?? 8B C2 C7 45 ?? ?? ?? 
+ ?? ?? C1 E8 ?? 03 C2 39 45 ?? 0F 82 ?? ?? ?? ?? 83 E7 ?? 89 7D ?? C7 45 ?? ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? 5F 5B EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 68 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 6A ?? C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? F3 + 0F 7E 05 ?? ?? ?? ?? 8B F0 2B 75 ?? 66 0F D6 45 ?? 90 8B 55 ?? 8B 4D ?? E8 ?? ?? ?? + ?? 83 3D ?? ?? ?? ?? ?? F2 0F 10 0D ?? ?? ?? ?? F2 0F 59 C1 F2 0F 59 C1 F2 0F 59 C1 + F2 0F 11 45 ?? 74 ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 3B C8 74 ?? 6A ?? 51 FF 35 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 0F 57 C0 66 0F 13 05 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? F2 0F 10 45 ?? 83 EC ?? F2 0F 11 44 24 ?? 66 0F 6E C6 + F3 0F E6 C0 C1 EE + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + $find_files + ) and + ( + $encrypt_files_v1 + ) and + ( + $cmd_prompt + ) and + ( + $exclude_from_encryption_v1 + ) + ) or + ( + ( + $find_files + ) and + ( + $cmd_prompt + ) and + ( + $ldap_connect + ) and + ( + $encrypt_files_v2 + ) and + ( + $exclude_from_encryption_v1 + ) + ) or + ( + ( + $find_files + ) and + ( + $cmd_prompt + ) and + ( + $ldap_connect + ) and + ( + $encrypt_files_v3 + ) and + ( + $exclude_from_encryption_v1 + ) + ) or + ( + ( + $find_files + ) and + ( + $encrypt_files_v4 + ) and + ( + $drop_ransom_note_v1 + ) and + ( + all of ($exclude_from_encryption_v2_p*) + ) + ) or + ( + ( + $find_files + ) and + ( + $exclude_from_encryption_v1 + ) and + ( + any of ($encrypt_files_v5) + ) and + ( + all of ($find_system_volumes_v2_p*) + ) + ) or + ( + ( + all of ($encrypt_files_v5_p*) + ) and + ( + all of ($set_default_icon_p*) + ) and + ( + $find_system_volumes + ) and + ( + all of ($drop_ransom_note_v2_p*) + ) and + ( + $find_files + ) + ) or + ( + ( + all of ($encrypt_files_v6_p*) + ) and + ( + all of ($set_default_icon_p*) + ) and 
+ (
+ all of ($drop_ransom_note_v2_p*)
+ ) and
+ (
+ $find_files
+ )
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.BlackCat.yara b/yara/ransomware/Win32.Ransomware.BlackCat.yara
new file mode 100644
index 0000000..43677dd
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.BlackCat.yara
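Review bot: `any of ($encrypt_files_v5)` in the fifth alternative of the condition is an explicit one-element set, so it is just `$encrypt_files_v5` spelled the long way, while the separately defined `$encrypt_files_v5_p1`/`_p2` pair is only consumed by the sixth alternative via `all of ($encrypt_files_v5_p*)`; either write the bare `$encrypt_files_v5` or, if the pair was meant here as well, use the wildcard form — which one is intended is not clear from the rule itself. Beyond that, `$find_files` is required by all seven alternatives and every single string is wrapped in its own parenthesised block, so hoisting it to `uint16(0) == 0x5A4D and $find_files and ( … )` and flattening the one-string groups makes the logic much easier to audit without changing which files match. The second and third alternatives differ only in `$encrypt_files_v2` versus `$encrypt_files_v3` and could be merged with an `or` if that is wanted, though the version below keeps them separate.
```yara
    // … unchanged: meta and strings sections …
    condition:
        uint16(0) == 0x5A4D and $find_files and
        (
            ($encrypt_files_v1 and $cmd_prompt and $exclude_from_encryption_v1) or
            ($cmd_prompt and $ldap_connect and $encrypt_files_v2 and $exclude_from_encryption_v1) or
            ($cmd_prompt and $ldap_connect and $encrypt_files_v3 and $exclude_from_encryption_v1) or
            ($encrypt_files_v4 and $drop_ransom_note_v1 and all of ($exclude_from_encryption_v2_p*)) or
            ($exclude_from_encryption_v1 and $encrypt_files_v5 and all of ($find_system_volumes_v2_p*)) or
            (all of ($encrypt_files_v5_p*) and all of ($set_default_icon_p*) and $find_system_volumes and all of ($drop_ransom_note_v2_p*)) or
            (all of ($encrypt_files_v6_p*) and all of ($set_default_icon_p*) and all of ($drop_ransom_note_v2_p*))
        )
```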
@@ -0,0 +1,109 @@ +rule Win32_Ransomware_BlackCat : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BLACKCAT" + description = "Yara rule that detects BlackCat ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BlackCat" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 8B 44 24 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? A1 ?? + ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? + ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 83 F8 ?? A1 ?? ?? ?? ?? 0F 45 C1 8B 0D ?? ?? + ?? ?? 0F 45 CA 8D 54 24 ?? 89 94 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 + 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? + ?? ?? ?? 56 51 FF 50 ?? 83 C4 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 56 68 ?? ?? ?? ?? + FF 74 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? + ?? ?? 6A ?? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 + ?? E8 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 56 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? 85 + } + + $remote_connection_p2 = { + C0 89 44 24 ?? 0F 88 ?? ?? ?? ?? 8B 8B ?? ?? ?? ?? 74 ?? A1 ?? ?? ?? ?? 89 CB 85 C0 + 75 ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 74 24 ?? 6A ?? 50 E8 + ?? ?? ?? ?? 85 C0 89 D9 75 ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B 5C 24 ?? 89 44 24 ?? + 53 51 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 44 24 ?? 89 F1 8D 54 24 ?? 89 44 24 ?? 89 5C 24 + ?? 89 5C 24 ?? C6 44 24 ?? ?? E8 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? 
?? ?? 0F 84 ?? ?? ?? + ?? 8B 84 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? + ?? ?? ?? 3D ?? ?? ?? ?? 0F 43 C1 6A ?? 50 53 FF 74 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 89 + 44 24 ?? 75 ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 74 ?? 53 6A ?? FF 35 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 83 7C 24 ?? ?? 74 ?? FF 74 24 ?? 6A ?? FF 35 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 8B 5C 24 ?? 0F 84 ?? ?? ?? ?? 80 BB ?? ?? ?? ?? + ?? 0F 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB + } + + $enum_procs = { + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 39 F7 74 ?? + 69 C7 ?? ?? ?? ?? 89 4D ?? 01 C8 68 ?? ?? ?? ?? 89 DE 53 50 E8 ?? ?? ?? ?? 83 C4 ?? + 47 8D 85 ?? ?? ?? ?? 89 7D ?? 50 8B 5D ?? 53 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 89 + F3 89 C6 EB ?? 8D 4D ?? 89 F2 E8 ?? ?? ?? ?? 8B 4D ?? 8B 7D ?? EB ?? 31 FF 8B 75 ?? + 85 FF 75 ?? E9 ?? ?? ?? ?? 31 FF 53 E8 ?? ?? ?? ?? 8B 75 ?? 85 FF 0F 84 ?? ?? ?? ?? + 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 69 C7 ?? ?? ?? ?? 8B 4D ?? 8D BD ?? ?? ?? ?? 01 F0 89 + 45 ?? 8B 45 ?? 8D 04 40 8D 04 81 89 45 ?? EB + } + + $find_files = { + 57 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 53 56 E8 ?? ?? ?? + ?? 83 F8 ?? 89 45 ?? 0F 84 ?? ?? ?? ?? 89 75 ?? A1 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 85 C0 0F + 84 ?? ?? ?? ?? 89 C6 8B 45 ?? 8B 4D ?? 89 46 ?? 8B 45 ?? 89 46 ?? 8B 45 ?? 89 46 ?? + 8D 41 ?? C7 06 ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 89 CB 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8B 45 ?? 89 43 ?? 89 73 ?? 8B 75 ?? 31 C0 C7 43 ?? ?? ?? ?? ?? F7 45 + ?? ?? ?? ?? ?? 89 03 75 ?? 83 7D ?? ?? 74 ?? 57 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 7D ?? ?? 75 ?? 83 7D ?? ?? 74 ?? 83 7D ?? ?? 74 ?? FF 75 ?? 6A ?? FF 35 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 5E 5F 5B 5D C3 + } + + $encrypt_files_p1 = { + B8 ?? ?? ?? ?? 8D 4D ?? 
8D 95 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 7D ?? 8B 75 + ?? 8D 4D ?? 89 FA 56 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? 8B 5D ?? 89 + 45 ?? 8B 45 ?? 83 F8 ?? 72 ?? 85 DB 74 ?? 0F B7 0B 81 F9 ?? ?? ?? ?? 75 ?? 8B 4B ?? + 89 C2 29 CA 72 ?? 83 FA ?? 72 ?? 85 DB 74 ?? 81 3C 0B ?? ?? ?? ?? 75 ?? 0F B7 54 0B + ?? 81 FA ?? ?? ?? ?? 75 ?? 0F B7 54 0B ?? 83 EA ?? 89 55 ?? BA ?? ?? ?? ?? 19 D2 89 + 55 ?? 72 ?? 83 F9 ?? 76 + } + + $encrypt_files_p2 = { + 53 E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 5D ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 57 + 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 51 ?? 29 D0 8B 55 ?? 0F 92 + 45 ?? 83 7D ?? ?? 75 ?? 80 7D ?? ?? 75 ?? 39 C2 77 ?? B8 ?? ?? ?? ?? F7 64 0B ?? 8B + 55 ?? 70 ?? 39 C2 72 ?? 8B 44 0B ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 45 ?? 8B 85 ?? + ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? + 89 45 ?? 89 10 89 48 ?? 8B 45 ?? 89 45 ?? 53 E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? + 8B 45 ?? 8B 4D ?? 29 45 ?? 3B 4D ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8B 45 ?? 8B 4D ?? 89 45 ?? 89 4D ?? E9 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B 35 ?? ?? + ?? ?? 8B 45 ?? F2 0F 10 45 ?? 85 F6 89 85 ?? ?? ?? ?? F2 0F 11 85 ?? ?? ?? ?? 0F 84 + ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 C0 74 ?? 8D 0C C0 8D 3C 49 01 C7 01 F7 EB + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_procs + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BlackMoon.yara b/yara/ransomware/Win32.Ransomware.BlackMoon.yara new file mode 100644 index 0000000..d23deb6 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BlackMoon.yara 
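Review bot: `all of ($remote_connection_p*)` and `all of ($encrypt_files_p*)` accept the two halves of each pair anywhere in the file, yet the halves are visibly one contiguous code sequence cut in two: `$remote_connection_p1` ends on `85` and `$remote_connection_p2` opens with `C0 89 44 24`, i.e. `test eax,eax` is split across the boundary. If the split exists only to keep each hex string manageable, anchoring the second half to the first removes a class of accidental matches at no scan cost: `@remote_connection_p2 == @remote_connection_p1 + !remote_connection_p1` (the `encrypt_files` pair looks consecutive as well, but p1 ends on a `76` jump opcode with its displacement apparently dropped, so verify the exact gap against the sample before anchoring that one). Separately, `uint16(0) == 0x5A4D` is the only structural gate, so any file with an `MZ` header is checked against all five wildcard-heavy strings; `uint32(uint32(0x3C)) == 0x00004550` is a cheap extra check consistent with the `Win32_` naming.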
@@ -0,0 +1,70 @@ +rule Win32_Ransomware_BlackMoon : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BLACKMOON" + description = "Yara rule that detects BlackMoon ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BlackMoon" + tc_detection_factor = 5 + + strings: + + $find_files = { + 81 EC ?? ?? ?? ?? 53 8B 9C 24 ?? ?? ?? ?? 55 56 8B 33 57 8B BC 24 ?? ?? ?? ?? 33 ED + 85 FF 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 76 ?? 85 F6 74 ?? 83 FE ?? 74 ?? 56 FF + 15 ?? ?? ?? ?? 8D 44 24 ?? 50 57 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 89 33 74 ?? 8B 84 + 24 ?? ?? ?? ?? 85 C0 74 ?? 8B 4C 24 ?? 83 E1 ?? 80 F9 ?? 74 ?? EB ?? 8B 94 24 ?? ?? + ?? ?? 8B 44 24 ?? 85 C2 74 ?? BD ?? ?? ?? ?? 85 F6 74 ?? 83 FE ?? 74 ?? 85 ED 75 ?? + 8B 84 24 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 85 C0 8D 44 24 ?? 50 56 74 ?? FF D7 85 C0 74 + ?? 8B 4C 24 ?? 83 E1 ?? 80 F9 ?? 75 ?? 8D 54 24 ?? 52 56 FF D7 85 C0 75 ?? 5F 5E 5D + 33 C0 5B 81 C4 ?? ?? ?? ?? C3 FF D7 85 C0 74 ?? 8B 9C 24 ?? ?? ?? ?? 85 5C 24 ?? 75 + ?? 8D 4C 24 ?? 51 56 FF D7 85 C0 75 ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C3 8D 54 24 ?? + 52 E8 ?? ?? ?? ?? 40 50 E8 ?? ?? ?? ?? 8B D0 8D 7C 24 ?? 83 C9 ?? 33 C0 83 C4 ?? F2 + AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 ?? F3 A5 8B C8 8B C2 83 E1 ?? F3 A4 5F 5E 5D + 5B 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 8B 5D ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 5D ?? 8B 03 85 C0 75 ?? + B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? DB + 45 ?? DD 5D ?? DD 45 ?? DB 45 ?? DD 5D ?? DC 65 ?? DD 5D ?? DD 45 ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 50 68 ?? ?? ?? ?? 6A ?? 
8B 5D ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B + 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 5D + ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 + } + + $encrypt_files_p2 = { + 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 + 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 5D ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? + 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? + ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A + ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? + B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 + DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? + 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara b/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara new file mode 100644 index 0000000..0196ff7 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara 
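Review bot: The meta block records `author`, `source`, `status` and a TLP marking but no sample hash, reference or date, so there is nothing to regression-test this rule against and no way to tell which BlackMoon build its three strings were cut from. A `hash = "<sha256 of the reference sample>"` and a `date = "..."` line would make later tuning reviewable; this applies to every rule in the patch, but matters most here because the condition rests on only `$find_files` plus one split pattern. `sharing = "TLP:WHITE"` is the pre-2.0 label (FIRST renamed it `TLP:CLEAR` in TLP 2.0) — harmless if these metas are kept verbatim from upstream, but worth knowing if main.py ever filters on that field. Minor: every new `.yara` file in the patch ends without a trailing newline (`\ No newline at end of file`).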
@@ -0,0 +1,127 @@ +rule Win32_Ransomware_Blitzkrieg : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BLITZKRIEG" + description = "Yara rule that detects Blitzkrieg ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Blitzkrieg" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 D2 89 55 ?? 89 55 ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 8B 45 ?? 8B 40 ?? 8B 10 FF 52 ?? 8B F0 4E 83 FE ?? 0F 8C ?? ?? + ?? ?? 8B 45 ?? 8B 48 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 A0 ?? ?? ?? ?? 88 + 43 ?? C6 43 ?? ?? 8D 4D ?? 8B 45 ?? 8B 40 ?? 8B D6 8B 38 FF 57 ?? 8B 55 ?? 8B C3 E8 + ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? 8B C3 E8 ?? ?? ?? ?? 8B D3 + 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 40 50 8D 45 ?? B9 ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 4B ?? 89 0C + 82 4E 83 FE ?? 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 8B 45 ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 84 C0 74 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $search_files_p1 = { + E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 89 45 ?? B2 ?? A1 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? F6 40 ?? ?? 74 ?? FF 45 ?? 8B 45 ?? F6 40 + ?? ?? 74 ?? 83 45 ?? ?? 8B 45 ?? F6 40 ?? ?? 74 ?? 83 45 ?? ?? 8B 45 ?? F6 40 ?? ?? + 74 ?? 83 45 ?? ?? 8B 45 ?? F6 40 ?? ?? 74 ?? 83 45 ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 10 FF 52 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? + E8 ?? ?? ?? ?? 85 C0 7E ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 8B 52 ?? + 48 85 D2 74 ?? 3B 42 ?? 72 ?? E8 ?? ?? ?? ?? 40 80 7C 02 ?? ?? 74 ?? 8D 85 ?? ?? ?? + ?? 8B 55 ?? 
8B 4D ?? 8B 49 ?? 4A 85 C9 74 ?? 3B 51 ?? 72 ?? E8 ?? ?? ?? ?? 42 8A 54 + 11 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? EB ?? 8B 55 ?? 8B 45 + ?? 8B 08 FF 51 ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 45 ?? FF 4D ?? 75 ?? 8B 45 ?? 8B 10 FF + 52 ?? 48 85 C0 0F 8C ?? ?? ?? ?? 40 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 8B 55 ?? 8B 45 ?? 8B 18 FF 53 ?? 8B 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? 8B 8D ?? ?? ?? ?? 8B 55 + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 85 C0 0F 8F ?? ?? ?? ?? 8B 55 ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 8F ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? + ?? 84 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 8B 55 ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 85 C0 7F ?? 8B 45 ?? 8B 40 ?? 50 8B 4D ?? B2 ?? A1 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B D8 B2 ?? 8B C3 E8 ?? ?? ?? ?? 8B D3 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 + } + + $search_files_p2 = { + E8 ?? ?? ?? ?? 40 50 8D 45 ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 85 D2 74 ?? 3B 42 ?? 72 ?? E8 ?? ?? ?? ?? 8B 4B + ?? 89 0C 82 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 8B + 45 ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 85 C0 79 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 + 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? + EB ?? FF 45 ?? FF 4D ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 80 78 ?? ?? 0F 84 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? 
E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 8D 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 8D 85 ?? ?? ?? ?? + 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? + 8B 48 ?? 8B 45 ?? E8 + } + + $disable_services_p1 = { + E8 ?? ?? ?? ?? 8B F0 BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 
8B C6 8B 08 FF 51 ?? BA + } + + $disable_services_p2 = { + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? + 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 + FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? BA + ?? ?? ?? ?? 8B C6 8B 08 FF 51 ?? 8B 55 ?? 8B C6 8B 08 FF 51 ?? 6A ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 33 C9 33 D2 E8 ?? ?? ?? ?? 33 C0 5A + 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + all of ($disable_services_p*) + ) and + ( + all of ($search_files_p*) + ) and + ( + $encrypt_files + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BlueLocker.yara b/yara/ransomware/Win32.Ransomware.BlueLocker.yara new file mode 100644 index 0000000..bea7dea --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BlueLocker.yara 
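Review bot: `$disable_services_p1` carries no discriminating bytes of its own: it is the 11-byte unit `BA ?? ?? ?? ?? 8B C6 8B 08 FF 51 ??` (load a constant, then what looks like a virtual call through `esi`, a common Delphi shape) repeated several dozen times, and `$disable_services_p2` opens with the same repetition, so its match overlaps p1's region and only its distinct tail (`8B 55 ?? 8B C6 8B 08 FF 51 ?? 6A ?? 8B 45 ?? E8 … 33 C9 33 D2 E8 …`) adds anything. All of the rule's specificity therefore comes from `$search_files_p*` and `$encrypt_files`, which is worth stating so nobody later loosens those two believing `disable_services` pulls its weight, e.g. `// disable_services_p* is a repeated call stub; specificity comes from search_files/encrypt_files`. If the intent is "a long list of constants is fed through the same call", a short unit string with a count (`#disable_services_unit > 40`) plus the p2 tail is clearer and cheaper to maintain than two long patterns — though a count is file-wide rather than contiguous, so confirm against the sample before changing it.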
@@ -0,0 +1,130 @@ +rule Win32_Ransomware_BlueLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BLUELOCKER" + description = "Yara rule that detects BlueLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BlueLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 8B 75 ?? 57 + 8B 7D ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 89 55 ?? 89 75 ?? + 89 45 ?? 89 7D ?? FF 15 ?? ?? ?? ?? 8B D8 C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 53 FF 15 + ?? ?? ?? ?? 8B 55 ?? 33 C9 0B C8 89 55 ?? 89 4D ?? 83 FB ?? 75 ?? 0B C3 5F 5E 5B 8B + 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 6A ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B + F0 FF 15 ?? ?? ?? ?? 33 C9 03 F0 83 C6 ?? 0F 92 C1 F7 D9 0B CE 51 E8 ?? ?? ?? ?? 8B + F0 83 C4 ?? 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 50 FF 75 ?? + 56 E8 ?? ?? ?? ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 85 C9 0F 8C ?? ?? + ?? ?? 8B 45 ?? 0F 8F ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 85 C9 0F 8F ?? ?? + ?? ?? 7C ?? 3D ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 8B 55 ?? 8D + 4D ?? D1 E8 89 45 ?? E8 ?? ?? ?? ?? 0F B6 4F ?? 0F 57 C0 0F B6 47 ?? C1 E1 ?? 0B C8 + } + + $encrypt_files_p2 = { + 66 0F 13 45 ?? 0F B6 47 ?? C1 E1 ?? 0B C8 C7 45 ?? ?? ?? ?? ?? 0F B6 07 C1 E1 ?? 0B + C8 C7 45 ?? ?? ?? ?? ?? 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? + 6A ?? 6A ?? FF 75 ?? C1 E1 ?? FF 75 ?? 0B C8 0F B6 47 ?? 8B 3D ?? ?? ?? ?? C1 E1 ?? + 0B C8 53 89 4D ?? FF D7 33 F6 8D 45 ?? 56 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 1F 40 ?? FF 75 ?? BA ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 33 C0 F7 D9 13 C0 6A ?? 6A ?? 
F7 D8 50 51 53 FF D7 6A + ?? 8D 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8B 45 ?? 03 F0 3B 75 ?? 0F 87 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 6A ?? 8D + 45 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? E9 ?? ?? ?? + ?? 85 C9 7F ?? 7C ?? 3D ?? ?? ?? ?? 73 ?? 8B 75 ?? 8B CB 57 8B D6 E8 ?? ?? ?? ?? 8B + 3D ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 75 ?? 8B CB 57 8B D6 E8 ?? ?? ?? ?? 8B 3D + ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 0F B6 4F ?? 0F + } + + $encrypt_files_p3 = { + 57 C0 0F B6 47 ?? C1 E1 ?? 0B C8 66 0F 13 45 ?? 0F B6 47 ?? C1 E1 ?? 0B C8 C7 45 ?? + ?? ?? ?? ?? 0F B6 07 C1 E1 ?? 0B C8 C7 45 ?? ?? ?? ?? ?? 0F B6 47 ?? 89 4D ?? 0F B6 + 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? 6A ?? 6A ?? FF 75 ?? C1 E1 ?? FF 75 ?? 0B C8 0F B6 + 47 ?? 8B 3D ?? ?? ?? ?? C1 E1 ?? 0B C8 53 89 4D ?? FF D7 8B 35 ?? ?? ?? ?? 8D 45 ?? + 6A ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF D6 85 C0 74 ?? FF 75 ?? BA ?? ?? ?? ?? + 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 33 C0 F7 D9 13 C0 6A ?? 6A ?? F7 D8 50 51 + 53 FF D7 6A ?? 8D 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? + 81 7D ?? ?? ?? ?? ?? 72 ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF D6 + 85 C0 75 ?? 8B 75 ?? 6A ?? 0F 57 C0 6A ?? 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 53 FF D7 + 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 C7 45 ?? ?? ?? ?? ?? 83 C4 ?? 89 55 ?? C7 + 45 ?? ?? ?? ?? ?? 85 D2 74 ?? 8B FA B9 ?? ?? ?? ?? F3 A5 8B 4D ?? 68 ?? ?? ?? ?? 8B + 01 8B 49 ?? 89 82 ?? ?? ?? ?? 8D 45 ?? 50 52 6A ?? 6A ?? 6A ?? FF 75 ?? 89 8A ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 85 C0 74 ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 56 53 FF 15 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 EB ?? 83 CE ?? 85 DB 74 ?? 53 FF 15 ?? + ?? ?? ?? 8B 7D ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? EB ?? 8B 7D ?? 57 E8 ?? ?? ?? ?? 8B + 4D ?? 83 C4 ?? 8B C6 33 CD 5F 5E 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files_p1 = { + FF 74 B4 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? 
?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 46 83 + FE ?? 7C ?? FF 74 24 ?? FF D7 68 ?? ?? ?? ?? 8B F0 FF D7 03 F0 8D 84 24 ?? ?? ?? ?? + 6A ?? 50 FF D7 8D 0C 06 33 C0 83 C1 ?? 0F 92 C0 F7 D8 0B C1 50 E8 ?? ?? ?? ?? 8B F0 + 83 C4 ?? 85 F6 0F 84 ?? ?? ?? ?? FF 74 24 ?? FF D7 48 50 FF 74 24 ?? 56 E8 ?? ?? ?? + ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 56 E8 ?? ?? + ?? ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 8B 7C 24 ?? 83 C4 ?? 83 C7 ?? 57 FF 15 ?? ?? ?? + ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B C8 83 C4 ?? 85 C9 74 ?? 8B 54 24 ?? C7 01 ?? ?? ?? + ?? C7 41 ?? ?? ?? ?? ?? 83 7A ?? ?? 75 ?? 89 4A ?? 89 4A ?? 57 89 31 FF 15 ?? ?? ?? + ?? E9 ?? ?? ?? ?? 8B 42 ?? 89 48 ?? 8B 42 ?? 8B 40 ?? 89 42 ?? 89 30 57 FF 15 ?? ?? + ?? ?? E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 33 F6 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF 74 B4 ?? 8D 84 24 + } + + $find_files_p2 = { + 50 FF D3 85 C0 0F 85 ?? ?? ?? ?? 46 83 FE ?? 7C ?? 6A ?? FF 74 24 ?? FF D7 8B F0 8D + 84 24 ?? ?? ?? ?? 50 FF D7 03 F0 33 C0 83 C6 ?? 0F 92 C0 F7 D8 0B C6 50 E8 ?? ?? ?? + ?? 8B F0 83 C4 ?? 85 F6 0F 84 ?? ?? ?? ?? FF 74 24 ?? FF D7 48 50 FF 74 24 ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 56 + E8 ?? ?? ?? ?? 83 C4 ?? D1 E8 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? 56 E8 ?? ?? ?? ?? EB ?? 6A ?? 6A ?? E8 ?? ?? + ?? ?? 8B D8 83 C4 ?? 85 DB 75 ?? 56 E8 ?? ?? ?? ?? 
83 C4 ?? 57 EB ?? 57 68 ?? ?? ?? + ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 53 6A ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 8B 54 24 ?? 53 57 56 E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? + 57 E8 ?? ?? ?? ?? 83 C4 ?? 53 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 8B 35 ?? ?? + ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 74 24 ?? FF 15 + } + + $create_crypt_context = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? + ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 83 C8 ?? 8B 4D ?? 33 CD E8 ?? ?? ?? + ?? 8B E5 5D C2 ?? ?? 56 8B 35 ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 6A ?? 50 FF D6 85 C0 75 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 8D 45 ?? 50 FF + D6 85 C0 75 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 8D 45 ?? 50 FF D6 85 C0 75 ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 8D 45 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 6A + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? 68 ?? ?? ?? ?? 56 6A ?? + FF 15 ?? ?? ?? ?? 8D 45 ?? 89 35 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D + 04 45 ?? ?? ?? ?? 50 FF 35 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? + ?? ?? ?? 85 C0 75 ?? 50 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8B 45 ?? 5E 85 C0 74 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? + 33 C0 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $create_crypt_context + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.BrainCrypt.yara b/yara/ransomware/Win32.Ransomware.BrainCrypt.yara new file mode 100644 index 0000000..bd9965f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.BrainCrypt.yara 
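Review bot: `$find_files_p1` wildcards the immediates of a run of twenty-two `C7 44 24 ?? ?? ?? ?? ??` stores (`mov dword [esp+disp8], imm32`), which has the shape of a stack-built string or table; if that is what it is, those immediates are the most variant-specific bytes in the function and, unlike addresses, do not move between relinks, so keeping even two or three of them literal would sharpen the string at no cost — worth checking in the sample. As written the run matches any function that initialises 22 consecutive stack dwords, so p1's specificity rests on the surrounding `D1 E8 50 56 E8` / `FF D7` sequences. `$create_crypt_context` likewise drops every argument of its four `… 50 8D 45 ?? 50 FF D6 85 C0 75 ??` attempts, so the bytes do not actually pin which API or provider is being acquired; a short comment on what the four retries correspond to (presumably different provider/flag combinations — I cannot tell from the bytes) would keep the name honest.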
@@ -0,0 +1,121 @@ +rule Win32_Ransomware_BrainCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BRAINCRYPT" + description = "Yara rule that detects BrainCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "BrainCrypt" + tc_detection_factor = 5 + + strings: + + $get_files_for_encryption_32 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? 80 7C 24 + ?? ?? 74 ?? 8B 5C 24 ?? 89 1C 24 8B 5C 24 ?? 89 5C 24 ?? BB ?? ?? ?? ?? 89 5C 24 ?? + E8 ?? ?? ?? ?? 83 C4 ?? C3 83 3D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? + 83 C3 ?? FC 8B 0B 89 0C 24 8B 4B ?? 89 4C 24 ?? 83 3D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? + ?? 8B 1D ?? ?? ?? ?? 83 C3 ?? 8D 7C 24 ?? FC 8B 0B 89 0F 8B 4B ?? 89 4F ?? E8 ?? ?? + ?? ?? 8B 5C 24 ?? 89 1D ?? ?? ?? ?? 8B 5C 24 ?? 80 3D ?? ?? ?? ?? ?? 75 ?? 89 1D ?? + ?? ?? ?? 8B 5C 24 ?? 89 1C 24 8B 5C 24 ?? 89 5C 24 ?? BB ?? ?? ?? ?? 89 5C 24 ?? E8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0C 24 8B 44 24 ?? C7 04 24 ?? ?? ?? ?? 89 4C 24 ?? 89 + 4C 24 ?? 89 44 24 ?? 89 44 24 ?? BB ?? ?? ?? ?? 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 5C 24 ?? FC 8B 0B 89 0C 24 8B 4B ?? 89 4C 24 ?? E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? BD ?? ?? ?? ?? 89 2C 24 89 5C 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 0F 0B E8 ?? ?? ?? ?? 0F 0B E8 ?? ?? ?? ?? E9 + } + + $encrypt_file_32 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? 8B 5C 24 + ?? 89 1C 24 8B 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 54 24 ?? 8B 4C 24 ?? 8B 44 24 + ?? 89 54 24 ?? 89 14 24 89 4C 24 ?? 89 4C 24 ?? 89 44 24 ?? 89 44 24 ?? 8B 5C 24 ?? + 89 5C 24 ?? 8B 5C 24 ?? 89 5C 24 ?? 8B 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 54 24 + ?? 8B 4C 24 ?? 8B 44 24 ?? 8B 5C 24 ?? 89 1C 24 8B 5C 24 ?? 89 5C 24 ?? 89 54 24 ?? + 89 54 24 ?? 89 4C 24 ?? 89 4C 24 ?? 89 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 
+ E8 ?? ?? ?? ?? 83 C4 ?? C3 E8 ?? ?? ?? ?? E9 + } + + $attach_to_server_32 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? 31 DB 89 + 5C 24 ?? 89 5C 24 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 89 CF 83 F9 ?? + 0F 84 ?? ?? ?? ?? 31 C0 E8 ?? ?? ?? ?? 89 4C 24 ?? 89 0C 24 83 3C 24 ?? 0F 84 ?? ?? + ?? ?? 8B 5C 24 ?? 89 5C 24 ?? 8B 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 89 + 1C 24 83 3C 24 ?? 0F 84 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 89 1C 24 83 3C 24 ?? 0F 84 ?? ?? ?? ?? BB ?? ?? ?? ?? + 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 89 1C 24 83 3C 24 ?? + 0F 84 ?? ?? ?? ?? 8B 5C 24 ?? 89 5C 24 ?? 8B 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B + 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 31 DB 89 5C 24 ?? 89 5C 24 ?? 31 ED 39 E8 0F 85 + ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 4C 24 ?? 89 0C 24 89 44 24 ?? 89 44 24 + ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 48 ?? 8B 68 + ?? 89 6C 24 ?? 89 6C 24 ?? 89 4C 24 ?? 83 F9 ?? 0F 84 ?? ?? ?? ?? 8D 59 ?? C7 04 24 + ?? ?? ?? ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? C7 04 24 ?? ?? ?? + ?? 8B 44 24 ?? 83 F8 ?? 74 ?? 83 C0 ?? 8D 7C 24 ?? FC 8B 08 89 0F 8B 48 ?? 89 4F ?? + E8 ?? ?? ?? ?? 8D 5C 24 ?? FC 8B 0B 89 0C 24 8B 4B ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B + 54 24 ?? 8B 4C 24 ?? 8B 44 24 ?? C7 04 24 ?? ?? ?? ?? 89 54 24 ?? 89 54 24 ?? 89 4C + 24 ?? 89 4C 24 ?? 89 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 89 5C 24 ?? 8B + 5C 24 ?? 89 5C 24 ?? 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 + } + + $get_files_for_encryption_64 = { + 65 48 8B 0C 25 ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 48 3B 61 ?? 0F 86 ?? ?? ?? ?? 48 83 + EC ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? 0F B6 44 24 ?? 84 C0 0F 85 ?? ?? ?? ?? 48 8B 05 + ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 83 F9 ?? 0F 86 ?? ?? ?? ?? 48 8B 48 ?? 48 8B 40 + ?? 48 89 0C 24 48 89 44 24 ?? 48 8B 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 83 F9 ?? + 0F 86 ?? ?? ?? ?? 
48 8B 48 ?? 48 8B 40 ?? 48 89 4C 24 ?? 48 89 44 24 ?? E8 ?? ?? ?? + ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 89 0D ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 84 C9 0F 85 + ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 04 24 48 8B 44 24 ?? 48 89 44 + 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 04 24 + 48 8B 4C 24 ?? 48 C7 04 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 4C 24 ?? 48 8D 05 ?? ?? + ?? ?? 48 89 44 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B + 4C 24 ?? 48 89 04 24 48 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 6C 24 ?? 48 83 C4 ?? C3 48 + 8D 0D ?? ?? ?? ?? 48 89 0C 24 48 89 44 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 0F 0B 48 8B 44 24 ?? 48 89 04 24 48 8B 44 24 ?? 48 89 44 24 ?? 48 8D 05 ?? ?? + ?? ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? E9 + } + + $attach_to_server_64 = { + 65 48 8B 0C 25 ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 48 3B 61 ?? 0F 86 ?? ?? ?? ?? 48 83 + EC ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? + ?? ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 48 89 + 7C 24 ?? 84 07 0F 57 C0 48 83 C7 ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? E8 ?? ?? ?? ?? 48 + 8B 6D ?? 48 8B 44 24 ?? 48 89 04 24 48 8B 4C 24 ?? 48 89 4C 24 ?? 48 8B 4C 24 ?? 48 + 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 04 24 48 8D 0D ?? ?? ?? ?? 48 89 4C + 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 04 24 48 8D 0D + ?? ?? ?? ?? 48 89 4C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? + 48 89 04 24 48 8B 4C 24 ?? 48 89 4C 24 ?? 48 8B 4C 24 ?? 48 89 4C 24 ?? E8 ?? ?? ?? + ?? 48 8B 44 24 ?? 48 8B 48 ?? 48 8B 10 48 8B 58 ?? 48 8B 40 ?? 48 39 CB 0F 87 ?? ?? + ?? ?? 48 29 D9 48 29 D8 48 85 C0 0F 84 ?? ?? ?? ?? 48 C7 04 24 ?? ?? ?? ?? 48 01 DA + 48 89 54 24 ?? 48 89 4C 24 ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C + 24 ?? 48 89 0C 24 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B + 48 ?? 48 8B 50 ?? 
84 01 48 89 54 24 ?? C7 04 24 ?? ?? ?? ?? 48 83 C1 ?? 48 89 4C 24 + ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 04 24 48 8B 44 + 24 ?? 48 8B 48 ?? 48 8B 40 ?? 48 89 4C 24 ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 8B 44 + 24 ?? 48 8B 4C 24 ?? 48 89 04 24 48 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B + 4C 24 ?? 48 8B 54 24 ?? 48 C7 04 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 4C 24 ?? 48 89 + 54 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 89 44 24 ?? 48 89 8C 24 ?? + ?? ?? ?? 90 E8 ?? ?? ?? ?? 48 8B 6C 24 ?? 48 83 C4 ?? C3 90 E8 ?? ?? ?? ?? 48 8B 6C + 24 ?? 48 83 C4 ?? C3 31 DB E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 0B E8 ?? ?? ?? ?? E9 + } + + $encrypt_file_64 = { + 65 48 8B 0C 25 ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 48 3B 61 ?? 0F 86 ?? ?? ?? ?? 48 83 + EC ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? 48 8B 44 24 ?? 48 89 04 24 48 8B 44 24 ?? 48 89 + 44 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 89 04 24 48 + 89 4C 24 ?? 48 89 54 24 ?? 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? 48 + 89 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 + 8B 4C 24 ?? 48 8B 54 24 ?? 48 8B 5C 24 ?? 48 89 1C 24 48 8B 5C 24 ?? 48 89 5C 24 ?? + 48 89 44 24 ?? 48 89 4C 24 ?? 48 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8B 6C 24 ?? 48 83 C4 ?? C3 E8 ?? ?? ?? ?? E9 + } + + condition: + uint16(0) == 0x5A4D and (($get_files_for_encryption_32 and $encrypt_file_32 and $attach_to_server_32) or + ($get_files_for_encryption_64 and $encrypt_file_64 and $attach_to_server_64)) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Buran.yara b/yara/ransomware/Win32.Ransomware.Buran.yara new file mode 100644 index 0000000..5a8f636 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Buran.yara 
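Review bot: The condition mixes 32- and 64-bit arms under a single `uint16(0) == 0x5A4D` gate, so the `_32` strings are accepted inside a PE32+ image and vice versa; gating each arm on the COFF machine field — `uint16(uint32(0x3C) + 4) == 0x014C` for the `_32` group and `== 0x8664` for the `_64` group — rules out that cross-match (YARA still scans all six strings either way, so this buys precision, not speed). The rule and file are named `Win32_…` while half the strings are x86-64; either the name should say so or a comment should, e.g. `// _64 strings cover the amd64 build; rule name kept for catalog consistency`. Every string also opens with the same prefix (`64 8B 0D … 3B 61 ?? 0F 86` / `65 48 8B 0C 25 … 48 3B 61 ?? 0F 86`), which looks like a Go stack-growth prologue shared by every function in such a binary, so the discriminating bytes are all in the tails — fine, but worth a comment. Style: this condition is written on two lines while every other rule in the patch wraps each term in its own parenthesised block; pick one convention.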
@@ -0,0 +1,91 @@ +rule Win32_Ransomware_Buran : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BURAN" + description = "Yara rule that detects Buran ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Buran" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D + ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? + 89 5D ?? 89 5D ?? 88 8D ?? ?? ?? ?? 88 95 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF + 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 33 + C0 5A 59 59 64 89 10 E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? + 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 + C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 + 74 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 33 C9 8B 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5A 59 59 + 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 + } + + $encrypt_files = { + 53 56 57 55 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 80 7B ?? ?? 75 ?? 83 3F ?? 74 ?? 8B 07 89 + C6 33 C0 89 07 FF D6 83 3F ?? 75 ?? 83 3D ?? ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 80 7B ?? ?? 75 ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 33 C0 89 + 43 ?? E8 ?? ?? ?? ?? 80 7B ?? 
?? 76 ?? 83 3D ?? ?? ?? ?? ?? 74 ?? 8B 7B ?? 85 FF 74 + ?? 8B C7 E8 ?? ?? ?? ?? 8B 6B ?? 8B 75 ?? 3B 75 ?? 74 ?? 85 F6 74 ?? 56 E8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 80 7B ?? ?? 75 ?? FF 53 ?? 80 7B ?? ?? 74 ?? E8 ?? ?? ?? ?? 83 3B + ?? 75 ?? 83 3D ?? ?? ?? ?? ?? 74 ?? FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8B 03 8B F0 8B FB B9 ?? ?? ?? ?? F3 A5 E9 ?? ?? ?? ?? 5D 5F 5E 5B C3 A3 + } + + $remote_connection_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 50 83 C4 ?? 53 56 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 5D ?? 8B D9 89 55 ?? 89 + 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF + 30 64 89 20 8B C3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 BE ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? + ?? 0F 84 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 6A ?? 56 6A ?? 6A ?? 6A ?? 8B 45 ?? E8 + } + + $remote_connection_p2 = { + 50 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 + ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 95 ?? ?? ?? ?? B8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 8B 45 ?? 8B 70 ?? 85 F6 74 ?? 83 EE ?? 8B 36 68 ?? ?? ?? ?? 56 8B 45 + ?? 
8B 40 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B + 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 EB ?? 83 7D ?? ?? 74 ?? 8D 95 ?? + ?? ?? ?? 8B 4D ?? 8B 45 ?? 8B 30 FF 56 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 75 ?? C6 85 ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? + B9 ?? ?? ?? ?? 8B 45 ?? 8B 30 FF 56 ?? 8B C3 8B 55 ?? 8B 52 ?? E8 ?? ?? ?? ?? 33 C0 + 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? C3 E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.ChiChi.yara b/yara/ransomware/Win32.Ransomware.ChiChi.yara new file mode 100644 index 0000000..42972a0 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.ChiChi.yara 
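Review bot: The condition gates only on `uint16(0) == 0x5A4D` before requiring several long byte patterns, so every MZ file regardless of size is scanned in full; if the sample set supports it, a ceiling such as `uint16(0) == 0x5A4D and filesize < <SIZE_LIMIT>` (limit to be chosen from the samples) is the usual way to bound scan cost for rules of this kind. The same applies to the ChiChi, Cincoo, Clop, Conti, Cryakl and Crypmic rules added later in this patch. The meta carries `author` and `source` but no `license` field, so the redistribution terms are lost as soon as a rule is copied out of this repository; a `license = "<LICENSE_NAME>"` entry next to `source` would keep them attached. `sharing = "TLP:WHITE"` is the TLP 1.0 label, which TLP 2.0 renamed to `TLP:CLEAR`; worth confirming which version the source intends before the value is relied on by downstream tooling. As a point of style, the condition wraps single strings in parentheses (`( $find_files )`) and Cryakl/Crypmic double-wrap `(all of (...))`, where `$find_files and $encrypt_files and all of ($remote_connection_p*)` reads the same.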
@@ -0,0 +1,66 @@ +rule Win32_Ransomware_ChiChi : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CHICHI" + description = "Yara rule that detects ChiChi ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ChiChi" + tc_detection_factor = 5 + + strings: + + $generate_key = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B D9 8B 7D ?? C7 45 ?? ?? ?? ?? ?? 89 7D ?? 85 + FF 75 ?? 33 F6 EB ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 89 75 ?? 6A ?? 8D 4D ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 56 8D + 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? 85 C0 74 + ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 03 8B CB 57 56 FF 50 ?? C7 45 ?? ?? ?? ?? ?? 85 F6 + 74 ?? 83 FF ?? 8D 45 ?? 8D 4D ?? 8B FE 0F 46 C8 32 C0 56 8B 09 F3 AA E8 ?? ?? ?? ?? + 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C2 + } + + $encrypt_files = { + 55 8B EC 51 53 56 57 8B D9 68 ?? ?? ?? ?? 53 89 5D ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? + ?? ?? 53 FF D6 68 ?? ?? ?? ?? 8B F8 FF D6 8B 1D ?? ?? ?? ?? 03 F8 03 FF 83 C7 ?? 57 + 6A ?? FF 35 ?? ?? ?? ?? FF D3 8B F0 85 F6 74 ?? 8B 7D ?? 57 56 FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 5B + 8B E5 5D C3 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? + ?? 56 6A ?? FF 35 ?? ?? ?? ?? 8B F8 FF 15 ?? ?? ?? ?? 83 FF ?? 74 ?? 8B CF E8 ?? ?? + ?? ?? 5F 5E 5B 8B E5 5D C3 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + $find_files = { + 6A ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 56 FF 15 ?? + ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF 74 24 ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF + D7 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 + ?? ?? ?? ?? 8B 3D ?? 
?? ?? ?? 33 F6 FF B6 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 72 ?? FF 74 24 ?? 8B 74 24 ?? + 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 56 FF 15 ?? + ?? ?? ?? F6 44 24 ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 83 E8 ?? 78 ?? 66 83 + 7C 44 ?? ?? 74 ?? 83 E8 ?? 79 ?? EB ?? 8D 74 24 ?? 8D 34 46 68 ?? ?? ?? ?? 56 FF 15 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $generate_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Cincoo.yara b/yara/ransomware/Win32.Ransomware.Cincoo.yara new file mode 100644 index 0000000..94a6267 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Cincoo.yara 
@@ -0,0 +1,78 @@ +rule Win32_Ransomware_Cincoo : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CINCOO" + description = "Yara rule that detects Cincoo ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Cincoo" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 55 ?? 8B D9 83 7B ?? ?? 8B F3 8B 45 ?? 8B 7D + ?? 89 45 ?? 72 ?? 8B 33 8D 4E ?? 66 8B 06 83 C6 ?? 66 85 C0 75 ?? 2B F1 D1 FE 0F 84 + ?? ?? ?? ?? 3B 73 ?? 0F 85 ?? ?? ?? ?? 88 45 ?? 8D 55 ?? FF 75 ?? 8D 4D ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? C7 45 ?? ?? ?? ?? + ?? 50 8B CB E8 ?? ?? ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B + C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? + ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7B ?? ?? 72 ?? 8B 1B 8B 75 ?? 57 56 53 E8 ?? ?? + ?? ?? 85 C0 75 ?? 8B 36 8B CF E8 ?? ?? ?? ?? 84 C0 74 ?? 57 56 E8 ?? ?? ?? ?? 85 C0 + 75 ?? 8B CF E8 ?? ?? ?? ?? 84 C0 75 ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E + 5B 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 83 EC ?? 8B 45 ?? 53 8B D9 89 45 ?? B9 ?? ?? ?? ?? 8B C1 56 8B 53 ?? 2B C2 + 8B 75 ?? 89 55 ?? 57 3B C6 0F 82 ?? ?? ?? ?? 8B 7B ?? 8D 04 32 8B F0 89 45 ?? 83 CE + ?? 89 7D ?? 3B F1 76 ?? 8B F1 EB ?? 8B C7 D1 E8 2B C8 3B F9 76 ?? BE ?? ?? ?? ?? EB + ?? 03 C7 3B F0 0F 42 F0 33 C9 8B C6 83 C0 ?? 0F 92 C1 F7 D9 0B C8 81 F9 ?? ?? ?? ?? + 72 ?? 8D 41 ?? 3B C1 0F 86 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B 55 ?? 8D 78 ?? 83 E7 ?? 89 47 ?? EB ?? 85 C9 74 ?? 51 E8 ?? ?? ?? ?? 8B 55 + ?? 83 C4 ?? 8B F8 EB ?? 33 FF 8B 45 ?? 89 43 ?? 8B 45 ?? 89 73 ?? 8D 34 3A 03 C6 83 + 7D ?? ?? 89 45 ?? 52 72 ?? 8B 33 56 57 E8 ?? ?? ?? ?? FF 75 ?? 8B 45 ?? 
FF 75 ?? 03 + C7 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 4D ?? 41 C6 00 ?? 81 F9 ?? ?? ?? ?? 72 ?? + 8B 56 ?? 83 C1 ?? 2B F2 8D 46 ?? 83 F8 ?? 77 ?? 8B F2 51 56 E8 ?? ?? ?? ?? 83 C4 ?? + 89 3B 8B C3 5F 5E 5B 8B E5 5D C2 ?? ?? 53 57 E8 ?? ?? ?? ?? FF 75 ?? FF 75 ?? 56 E8 + ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? C6 00 ?? 8B C3 89 3B 5F 5E 5B 8B E5 5D C2 ?? ?? E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC CC CC 56 8B F1 FF 76 ?? E8 ?? ?? ?? ?? 8B + 4E ?? 83 F9 ?? 72 ?? 8B 06 8D 0C 4D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 + C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 77 ?? 8B C2 51 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 46 ?? ?? + ?? ?? ?? 33 C0 C7 46 ?? ?? ?? ?? ?? 66 89 06 5E C3 E8 ?? ?? ?? ?? CC CC CC CC CC CC + 8B 09 85 C9 74 ?? 8B 01 6A ?? FF 10 C3 + } + + $drop_ransom_note = { + 52 51 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 74 ?? 8D 4D ?? C6 46 ?? ?? + E8 ?? ?? ?? ?? 8B 45 ?? E9 ?? ?? ?? ?? 8B CE C6 45 ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 8D + 4E ?? 50 E8 ?? ?? ?? ?? 81 CF ?? ?? ?? ?? 89 BD ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? + ?? ?? 8B C2 8B 8D ?? ?? ?? ?? 2B C1 89 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 83 F8 ?? + 72 ?? 83 FA ?? 8D B5 ?? ?? ?? ?? 8D 41 ?? 0F 43 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D + 04 0E 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? C6 44 30 ?? ?? 8D 85 ?? ?? ?? ?? + EB + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Clop.yara b/yara/ransomware/Win32.Ransomware.Clop.yara new file mode 100644 index 0000000..77e4ac4 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Clop.yara 
@@ -0,0 +1,109 @@ +rule Win32_Ransomware_Clop : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CLOP" + description = "Yara rule that detects Clop ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Clop" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 6A ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? + 83 C4 ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 6A ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 8D ?? ?? ?? + ?? 51 FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? + ?? 8B 88 ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 8B 82 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 8B + 91 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 + ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? + ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 83 BD ?? ?? ?? ?? ?? 74 ?? + 68 ?? ?? ?? ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 + ?? 68 ?? ?? ?? ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 74 ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? + ?? ?? 52 FF 15 + } + + $encrypt_files_p2 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 50 8D + 4D ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 52 FF + 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 0D ?? ?? ?? ?? 
51 8D 95 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 + ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 6A ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 33 C0 E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 6A ?? + 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 33 C0 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 E9 ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 6A ?? 8B + 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? BA ?? ?? ?? ?? 85 D2 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D + ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 6A ?? 6A ?? E8 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 6A ?? 6A ?? E8 ?? ?? + ?? ?? 50 8B 15 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B + E5 5D C2 + } + + $encrypt_files_p3 = { + 55 8B EC 83 EC ?? 6A ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B + 4D ?? 51 8D 55 ?? 52 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 + ?? FF 15 ?? ?? ?? ?? 33 C0 EB ?? 8B 4D ?? 51 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 + ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8D 4D ?? + 51 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? + ?? ?? ?? 33 C0 EB ?? 8B 4D ?? 8B 55 ?? 89 11 33 C0 8B E5 5D C3 + } + + $find_files = { + 8D 95 ?? ?? ?? ?? 52 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 + 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? 
?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? + 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD + ?? ?? ?? ?? ?? 75 ?? EB ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 76 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 83 C4 ?? EB ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 6A ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? + 51 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 8B 85 ?? ?? + ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 E8 + } + + $uninstall_eset_av = { + 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 86 ?? ?? ?? ?? 8D 4D ?? 51 68 ?? ?? ?? ?? 8D + 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 68 ?? + ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 8D ?? + ?? ?? ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 7D ?? 68 ?? ?? ?? + ?? 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $uninstall_eset_av + ) +} \ No newline at end of file 
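Review bot: The condition requires `$uninstall_eset_av` in conjunction with `$find_files` and all of the `$encrypt_files_p*` patterns, so a build that omits or rewrites the AV-removal routine fails the rule even when the file-search and encryption code is present. Whether that routine is essential to the family or an artefact of the analysed samples is not visible from the rule itself, so this is a coverage-versus-precision trade-off the author should confirm against the sample set. A short comment above `condition:` stating why the routine is treated as a required family marker (or that it is deliberately strict) would let a maintainer revisit it later without re-deriving the reasoning.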
diff --git a/yara/ransomware/Win32.Ransomware.Conti.yara b/yara/ransomware/Win32.Ransomware.Conti.yara
new file mode 100644
index 0000000..a3432fd
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Conti.yara
@@ -0,0 +1,74 @@ +rule Win32_Ransomware_Conti : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CONTI" + description = "Yara rule that detects Conti ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Conti" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 8B D9 53 FF 15 ?? ?? ?? ?? 89 44 24 ?? + 8D 0C 45 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 89 7C 24 ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 44 + 24 ?? B9 ?? ?? ?? ?? 53 BE ?? ?? ?? ?? 57 66 83 7C 43 ?? ?? 0F 45 F1 FF 15 ?? ?? ?? + ?? 56 57 FF 15 ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8D 44 24 ?? 50 57 FF 15 ?? ?? ?? ?? + 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? F6 44 24 ?? ?? 74 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 54 24 ?? 8B + CB E8 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 8B CE E8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? EB ?? + 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 54 24 ?? 8B CB E8 ?? ?? ?? ?? 8B F0 85 F6 + 74 ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 5A 8B C8 C6 01 ?? 41 + 83 EA ?? 75 ?? 83 48 ?? ?? 50 89 70 ?? A1 ?? ?? ?? ?? 52 6A ?? FF 70 ?? FF 15 ?? ?? + ?? ?? 8D 44 24 ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 4C 24 ?? E8 ?? + ?? ?? ?? 83 FF ?? 74 ?? 57 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 BB ?? ?? ?? ?? 8B F9 53 57 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + A1 ?? ?? ?? ?? 83 F8 ?? 75 ?? 89 75 ?? 33 F6 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 5D ?? FF 74 B5 ?? 57 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 46 83 FE ?? 7C ?? 33 C0 40 EB ?? 85 C0 75 ?? 8B 35 ?? ?? ?? ?? BB ?? + ?? ?? ?? B9 ?? ?? ?? ?? 
8D 85 ?? ?? ?? ?? C6 00 ?? 40 83 E9 ?? 75 ?? 53 56 FF 15 ?? + ?? ?? ?? 85 C0 74 ?? 2B C6 D1 F8 74 ?? 85 C0 78 ?? 40 50 56 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 53 56 FF 15 ?? + ?? ?? ?? 8B F0 85 F6 74 ?? 83 C6 ?? EB ?? 33 C0 5F 5E 5B C9 C3 + } + + $encrypt_files_p2 = { + 55 8B EC 83 EC ?? 53 56 57 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 DB 53 FF 15 ?? ?? + ?? ?? 8B F8 85 FF 75 ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 5E 56 68 ?? ?? ?? + ?? 53 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 53 + 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 53 8D 45 + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 53 8D 45 ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 53 53 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 6A + ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? 50 8B 45 ?? FF 70 ?? FF 15 ?? ?? ?? ?? 85 C0 75 + ?? 6A ?? FF 15 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 4D ?? + 8B D7 FF 75 ?? E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8B 45 ?? FF 70 ?? FF 15 ?? ?? ?? ?? + 8B 45 ?? B9 ?? ?? ?? ?? 83 48 ?? ?? 8B 45 ?? 8B 58 ?? E8 ?? ?? ?? ?? 8B F0 85 F6 74 + ?? 53 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 53 FF 15 ?? ?? ?? + ?? 8B CE E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 8B 49 ?? E8 ?? ?? ?? ?? FF + 75 ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? FF + 75 ?? FF 15 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B C9 C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Cryakl.yara b/yara/ransomware/Win32.Ransomware.Cryakl.yara new file mode 100644 index 0000000..72af456 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Cryakl.yara 
@@ -0,0 +1,64 @@ +rule Win32_Ransomware_Cryakl : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYAKL" + description = "Yara rule that detects Cryakl ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Cryakl" + tc_detection_factor = 5 + + strings: + + $enum_and_encrypt_files_1 = { + 8B 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 5A E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 5A E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 5A E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF + 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 80 7C 02 ?? ?? 74 ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 83 E0 ?? 83 F8 ?? 75 ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B 10 FF 92 ?? ?? ?? ?? + 84 C0 0F 84 ?? ?? ?? ?? FF 75 ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 + } + + $enum_and_encrypt_files_2 = { + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8D 95 ?? + ?? ?? ?? 33 C0 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 0F 84 ?? ?? 
?? ?? + C6 45 ?? ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B 10 FF 52 ?? 8B D8 + 4B 85 DB 0F 8C ?? ?? ?? ?? 43 33 F6 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8D 8D ?? + ?? ?? ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 8B D6 8B 38 FF 57 ?? 8B + 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 75 ?? C6 45 ?? ?? + 46 4B 0F 85 ?? ?? ?? ?? 80 7D ?? ?? 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 A1 ?? ?? ?? + ?? 50 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? + ?? 83 C0 ?? 83 D2 ?? 89 05 ?? ?? ?? ?? 89 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? + ?? ?? 8B 10 FF 92 ?? ?? ?? ?? 84 C0 75 ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? + ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + (all of ($enum_and_encrypt_files_*)) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Crypmic.yara b/yara/ransomware/Win32.Ransomware.Crypmic.yara new file mode 100644 index 0000000..a3ac69f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Crypmic.yara 
@@ -0,0 +1,56 @@ +rule Win32_Ransomware_Crypmic : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYPMIC" + description = "Yara rule that detects Crypmic ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Crypmic" + tc_detection_factor = 5 + + strings: + + $search_and_encrypt_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 B8 ?? ?? ?? ?? 57 8B F9 89 7D ?? C7 45 ?? ?? ?? ?? + ?? 89 45 ?? 8D 50 ?? 68 ?? ?? ?? ?? 6A ?? FF 77 ?? 66 89 85 ?? ?? ?? ?? 8B 47 ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF D0 66 8B 95 ?? ?? ?? ?? 33 F6 33 + C9 89 45 ?? 66 3B F2 74 ?? 0F B7 D2 41 66 89 14 06 8D 34 09 33 DB 0F B7 94 35 ?? ?? + ?? ?? 66 3B DA 75 ?? BA ?? ?? ?? ?? 66 89 14 48 8D 1C 48 8D 8D ?? ?? ?? ?? 51 C7 43 + ?? ?? ?? ?? ?? 50 8B 47 ?? FF D0 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? + ?? 74 ?? 66 8B 8D ?? ?? ?? ?? 66 83 F9 ?? 74 ?? 66 83 BD ?? ?? ?? ?? ?? 74 ?? 33 D2 + 33 C0 66 3B D1 74 ?? 0F B7 C9 8B FF 40 66 89 4C 1A ?? 8D 14 00 C7 45 ?? ?? ?? ?? ?? + 0F B7 8C 15 ?? ?? ?? ?? 66 39 4D ?? 75 ?? 8B 55 ?? 33 C9 66 89 4C 43 ?? 68 ?? ?? ?? + ?? 8B CF E8 ?? ?? ?? ?? 83 C4 ?? 01 45 ?? 8D 85 ?? ?? ?? ?? 50 8B 47 ?? 56 FF D0 85 + C0 75 ?? 8B 47 ?? 56 FF D0 8D 85 ?? ?? ?? ?? 50 FF 75 ?? C7 43 ?? ?? ?? ?? ?? 8B 47 + } + + $search_and_encrypt_2 = { + 33 F6 89 75 ?? FF D0 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? EB ?? 8D 9B ?? ?? ?? ?? + F6 85 ?? ?? ?? ?? ?? 75 ?? 66 8B BD ?? ?? ?? ?? 33 F6 8B 8E ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 83 FF ?? 75 ?? + EB ?? 8D 9B ?? ?? ?? ?? 66 8B 48 ?? 83 C0 ?? 83 C2 ?? 66 3B 0A 74 ?? 66 83 38 ?? 0F + 85 ?? ?? ?? ?? 66 83 3A ?? 0F 85 ?? ?? ?? ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 72 ?? 8B 7D + ?? 8B 75 ?? 8B 45 ?? 8D 8D ?? ?? ?? ?? 51 50 8B 47 ?? FF D0 85 C0 8B 45 ?? 0F 85 ?? + ?? ?? ?? 50 8B 47 ?? FF D0 85 F6 74 ?? 8B 55 ?? 33 C0 8B CF 66 89 43 ?? 
E8 ?? ?? ?? + ?? FF 75 ?? 8B 47 ?? 6A ?? FF 77 ?? FF D0 8B 45 ?? 8B 5D ?? 03 C6 03 D8 8B 45 ?? 40 + 89 5D ?? 89 45 ?? BA ?? ?? ?? ?? 83 F8 ?? 0F 8E ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8B 47 ?? 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B CF E8 + ?? ?? ?? ?? 83 C4 ?? 03 C3 5F 5E 5B 8B E5 5D C3 33 C9 33 C0 66 3B CF 74 ?? 0F B7 CF + 33 D2 8D 9B ?? ?? ?? ?? 40 66 89 4C 1A ?? 8D 14 00 33 F6 0F B7 8C 15 ?? ?? ?? ?? 66 + 3B F1 75 ?? 8B 75 ?? FF 75 ?? 8B 7D ?? 33 C9 46 57 66 89 4C 43 ?? 89 75 ?? E8 ?? ?? + ?? ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + (all of ($search_and_encrypt_*)) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Crypren.yara b/yara/ransomware/Win32.Ransomware.Crypren.yara new file mode 100644 index 0000000..d9db561 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Crypren.yara 
@@ -0,0 +1,144 @@ +rule Win32_Ransomware_Crypren : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYPREN" + description = "Yara rule that detects Crypren ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Crypren" + tc_detection_factor = 5 + + strings: + + $enum_directories_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 + 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 + 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + } + + $enum_directories_p2 = { + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 
8D 8D ?? ?? ?? ?? C6 + 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 85 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 + } + + $enum_directories_p3 = { + 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 + ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D BD ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 90 83 7F ?? ?? 8B 5F ?? 72 ?? 8B 37 EB ?? 8B F7 83 7D ?? ?? 8D + 45 ?? 8B D3 0F 43 45 ?? 3B CB 0F 42 D1 85 D2 74 ?? 83 EA ?? 72 ?? 8D 9B ?? ?? ?? ?? + 8B 08 3B 0E 75 ?? 83 C0 ?? 83 C6 ?? 83 EA ?? 73 ?? 83 FA ?? 74 ?? 8A 08 3A 0E 75 ?? + 83 FA ?? 74 ?? 8A 48 ?? 3A 4E ?? 75 ?? 83 FA ?? 74 ?? 8A 48 ?? 3A 4E ?? 75 ?? 83 FA + ?? 74 ?? 8A 40 ?? 3A 46 ?? 74 ?? 1B C0 83 C8 ?? EB ?? 33 C0 8B 4D ?? 85 C0 75 ?? 3B + CB 73 ?? 83 C8 ?? EB ?? 33 C0 3B CB 0F 95 C0 85 C0 0F 94 C0 84 C0 75 ?? 8B 85 ?? ?? + ?? ?? 83 C7 ?? 40 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 82 ?? ?? ?? ?? B3 ?? EB ?? 32 DB 68 + ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? + 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8A C3 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E + 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? 
?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 33 FF C6 45 ?? ?? 83 7D ?? ?? 8D 45 ?? 6A + ?? 0F 43 45 ?? 8D 8D ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 6A ?? + 0F 43 45 ?? 8D 8D ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8B + 94 0D ?? ?? ?? ?? 85 D2 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? 39 BC 05 ?? ?? + ?? ?? 0F 85 ?? ?? ?? ?? F6 C2 ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 03 C8 8D 45 ?? + 50 E8 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? C6 45 ?? ?? 8B F0 + 85 C9 74 ?? 8B 11 FF 52 ?? 85 C0 74 ?? 8B 10 8B C8 6A ?? FF 12 8B 06 8B CE 6A ?? 8B + 40 ?? FF D0 88 45 ?? 8D 45 ?? FF 75 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 4D ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 F6 39 75 ?? 76 ?? EB ?? 8D A4 24 + ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 8D 4D ?? 0F 43 45 ?? 83 7D ?? ?? 0F 43 4D ?? 33 D2 + } + + $encrypt_files_p2 = { + 0F BE 1C 30 8B C7 F7 75 ?? 8A 0C 0A 0F BE C1 03 C3 3D ?? ?? ?? ?? 7C ?? 25 ?? ?? ?? + ?? 79 ?? 48 0D ?? ?? ?? ?? 40 EB ?? 02 D9 0F B6 C3 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 46 83 C4 ?? 47 3B 75 ?? 72 ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8B 48 ?? F6 84 0D ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? + ?? ?? 83 C4 ?? 83 7D ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 72 + ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
50 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D + ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C6 45 ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D + ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $enum_drives_p1 = { + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 + } + + $enum_drives_p2 = { + E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 + 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 
8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 85
+ ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D
+ 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 68
+ ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ all of ($enum_directories_p*)
+ ) and
+ (
+ all of ($enum_drives_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.CryptoBit.yara b/yara/ransomware/Win32.Ransomware.CryptoBit.yara
new file mode 100644
index 0000000..7f442c1
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.CryptoBit.yara
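Review bot: Almost every fixed byte in `$enum_directories_p1`, `$enum_directories_p2`, `$enum_drives_p1` and `$enum_drives_p2` belongs to the same repeated `6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ... C6 85 ... E8 ?? ?? ?? ??` sequence, so the two groups look nearly interchangeable and it is not clear what `$enum_drives_p*` adds to the condition beyond `$encrypt_files_p*`; a one-line comment above each string naming the routine it was lifted from would let a maintainer judge that. The condition also wraps each `all of` in its own parenthesised block inside a further outer pair; `uint16(0) == 0x5A4D and all of ($enum_directories_p*) and all of ($enum_drives_p*) and all of ($encrypt_files_p*)` reads the same and is easier to scan.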
@@ -0,0 +1,113 @@ +rule Win32_Ransomware_CryptoBit : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYPTOBIT" + description = "Yara rule that detects CryptoBit ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "CryptoBit" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 + 7D ?? ?? 75 ?? FF 75 ?? EB ?? 6A ?? 59 83 C9 ?? 83 F1 ?? 89 4D ?? 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? FF 75 ?? E8 ?? ?? ?? ?? 0B C0 0F 84 ?? ?? ?? ?? 89 45 ?? 60 BE ?? ?? ?? + ?? 56 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 33 D2 + 8B 0D ?? ?? ?? ?? F7 F1 0B C0 74 ?? FF 35 ?? ?? ?? ?? EB ?? 52 8B 0C 24 29 4D ?? 51 + FF 75 ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 0B C0 74 ?? 89 45 ?? 51 FF + 75 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? 83 7D ?? ?? 75 ?? 89 45 ?? 89 4D ?? FF 75 ?? + E8 ?? ?? ?? ?? EB ?? EB ?? 83 7D ?? ?? 75 ?? C7 45 ?? ?? ?? ?? ?? EB ?? A1 ?? ?? ?? + ?? 01 45 ?? EB ?? EB ?? 8B 64 24 ?? 64 8F 05 ?? ?? ?? ?? 83 C4 ?? 61 EB ?? EB ?? 64 + 8F 05 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 8B 4D + ?? EB ?? 8B 45 ?? C9 C2 + } + + $encrypt_files_p2 = { + 55 8B EC 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? + ?? ?? ?? 89 45 ?? 8D 45 ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? + 0B C0 74 ?? E9 ?? ?? ?? ?? 89 45 ?? 8B 15 ?? ?? ?? ?? 8B 4D ?? 0B C9 75 ?? 83 F8 ?? + 73 ?? E9 ?? ?? ?? ?? EB ?? 0B C9 75 ?? 3B C2 73 ?? 50 EB ?? 52 8F 45 ?? 83 7D ?? ?? + 75 ?? A1 ?? ?? ?? ?? 39 45 ?? 72 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? + ?? 89 45 ?? 0B C0 74 ?? 6A ?? 50 51 FF 75 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A + ?? 6A ?? 6A ?? 6A ?? FF 75 ?? E8 ?? ?? ?? 
?? 0B C0 74 ?? 89 45 ?? 60 BE ?? ?? ?? ?? + 56 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? FF 75 ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF + 75 ?? E8 ?? ?? ?? ?? 0B C0 74 ?? 50 8B 4D ?? 8B 04 24 83 C9 ?? 83 F1 ?? 51 50 E8 ?? + ?? ?? ?? 89 45 ?? 0B C0 74 ?? 6A ?? 50 51 FF 75 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + ?? 8B 64 24 ?? 64 8F 05 ?? ?? ?? ?? 83 C4 ?? 61 EB ?? EB ?? 64 8F 05 ?? ?? ?? ?? 83 + C4 ?? 83 7D ?? ?? 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? E8 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 8B 4D ?? EB ?? 33 C0 33 C9 C9 C2 + } + + $find_files_p1 = { + 55 8B EC 83 C4 ?? 57 56 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8B 75 ?? 83 7E ?? ?? 75 ?? E8 ?? ?? ?? ?? 50 8D 46 ?? 50 E8 + ?? ?? ?? ?? 23 C0 0F 84 ?? ?? ?? ?? EB ?? 83 7E ?? ?? 75 ?? FF 35 ?? ?? ?? ?? 8D 46 + ?? 50 E8 ?? ?? ?? ?? 23 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 23 C0 0F + 84 ?? ?? ?? ?? 89 45 ?? B9 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 23 C0 0F 84 ?? + ?? ?? ?? 89 45 ?? 8B 75 ?? 8B 7D ?? 68 ?? ?? ?? ?? 57 56 E8 ?? ?? ?? ?? 8D 57 ?? 8B + 47 ?? D1 E0 C7 04 10 ?? ?? ?? ?? C6 44 10 ?? ?? FF 75 ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 89 45 ?? 8B 55 ?? 8B 75 ?? 8B 7D ?? 8B 02 25 ?? ?? ?? ?? + 0F 85 ?? ?? ?? ?? 8B 02 83 E0 ?? 0F 85 ?? ?? ?? ?? 8B 02 83 E0 ?? F7 02 ?? ?? ?? ?? + 0F 85 ?? ?? ?? ?? 8D 47 ?? 50 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 8D 42 ?? 50 8D 47 + ?? 50 E8 ?? ?? ?? ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 89 47 ?? F7 02 ?? ?? ?? ?? + 74 ?? 68 ?? ?? ?? ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? FF 77 ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? + 83 F8 ?? 74 ?? 83 F8 ?? 75 ?? 48 50 FF 76 ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? 0B C0 75 + } + + $find_files_p2 = { + 0B C9 74 ?? FF 45 ?? E9 ?? ?? ?? ?? 83 7A ?? ?? 0F 84 ?? ?? ?? ?? 81 7A ?? ?? ?? ?? + ?? 0F 84 ?? ?? ?? ?? F7 02 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? F7 02 ?? ?? ?? ?? 0F 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 74 ?? 8B F8 FF 76 ?? 8F 47 ?? FF 76 ?? + 8F 47 ?? FF 36 8F 07 8D 47 ?? 
50 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 8D 42 ?? 50 8D + 47 ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? 8D 47 ?? 50 E8 ?? + ?? ?? ?? 89 47 ?? 83 3F ?? 75 ?? 57 68 ?? ?? ?? ?? FF 76 ?? E8 ?? ?? ?? ?? 0B C0 75 + ?? 57 E8 ?? ?? ?? ?? EB ?? 57 E8 ?? ?? ?? ?? EB ?? E9 ?? ?? ?? ?? FF 75 ?? FF 75 ?? + E8 ?? ?? ?? ?? 0B C0 0F 85 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 8B 75 ?? 83 7D ?? ?? 74 ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B + 14 24 51 50 52 8D 46 ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 D1 E1 8B 5C 24 ?? 51 50 53 8D 46 + ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? E8 ?? + ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? E8 ?? + ?? ?? ?? 8B 45 ?? 5E 5F C9 C2 + } + + $remote_connection = { + 55 8B EC 81 C4 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? E8 ?? ?? ?? ?? 23 C0 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A + ?? 6A ?? 6A ?? FF 75 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 89 85 ?? ?? ?? ?? 0F + 84 ?? ?? ?? ?? 8D 5D ?? C7 03 ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 45 ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? FF B5 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 23 C0 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 23 C0 89 85 ?? ?? ?? ?? 74 ?? + 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? + ?? FF B5 ?? ?? ?? ?? 0B C0 74 ?? 83 BD ?? ?? ?? ?? ?? 74 ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? 
?? E8 ??
+ ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? C9 C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $remote_connection and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.CryptoFortress.yara b/yara/ransomware/Win32.Ransomware.CryptoFortress.yara
new file mode 100644
index 0000000..17b9629
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.CryptoFortress.yara
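Review bot: `$encrypt_files_p1` and `$encrypt_files_p2` each open with a full prologue `55 8B EC 83 C4 ??` and each end in `C9 C2`, so they appear to be two separate routines rather than the two halves of one, unlike `$find_files_p1`/`$find_files_p2`, which split mid-function (`... 0B C0 75` / `0B C9 74 ...`); the `_p` suffix therefore implies a split that is not there, and naming them `$encrypt_files_1`/`$encrypt_files_2`, or a comment saying they are distinct functions, would avoid a reader assuming the second continues the first. `$remote_connection` is the only string required on its own in the condition and carries no note of what it anchors on; a one-line comment above it describing the routine it covers would help future tuning.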
@@ -0,0 +1,162 @@ +rule Win32_Ransomware_CryptoFortress : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYPTOFORTRESS" + description = "Yara rule that detects CryptoFortress ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "CryptoFortress" + tc_detection_factor = 5 + + strings: + + $enum_drives = { + 55 8B EC 83 C4 ?? 56 57 C7 45 ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 8D 7D ?? B2 ?? B9 ?? ?? ?? ?? A9 ?? ?? ?? ?? 74 ?? 88 17 47 D1 E8 FE C2 49 + 75 ?? C6 07 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B F8 8D 75 ?? 8A 16 88 55 ?? 8D 45 ?? 50 + FF 15 ?? ?? ?? ?? 8D 55 ?? C6 42 ?? ?? 83 F8 ?? 75 ?? 60 8D 45 ?? 50 8D 45 ?? 50 6A + ?? 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? + 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 05 ?? ?? ?? ?? 61 46 4F 75 ?? A1 ?? ?? ?? ?? A3 + ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 5F 5E C9 C3 + } + + $enum_shared_resources = { + 55 8B EC 83 C4 ?? 8D 45 ?? 50 FF 75 ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 0B C0 0F + 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 FF 75 ?? 8D 45 ?? 50 FF 75 ?? FF 15 + ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 3D ?? ?? ?? ?? 74 ?? 8B 4D ?? 51 8D 49 ?? 6B C9 ?? 8B + 45 ?? 8D 0C 01 6A ?? 51 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? FF 75 ?? E8 ?? + ?? ?? ?? 83 F8 ?? 76 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 0B C0 74 ?? FF 75 ?? E8 ?? ?? ?? ?? EB ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 49 75 ?? EB + ?? EB ?? E9 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? FF + 15 ?? ?? ?? ?? C9 C2 + } + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? 
?? ?? ?? 89 85 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 40 0F 84 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 83 E0 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? C6 00 ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? C6 00 ?? 2B 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 8D ?? ?? ?? ?? C7 04 08 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 8B 8D ?? ?? ?? ?? C7 44 08 ?? + ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 8B 4D ?? 0B C9 75 ?? 6A ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 45 ?? + 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 49 8B 1D ?? ?? ?? ?? 51 53 + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 59 EB ?? 53 E8 ?? ?? ?? ?? 03 D8 + 83 C3 ?? 59 E2 ?? A1 ?? ?? ?? ?? 85 C0 74 ?? 8B 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 0B + C9 75 ?? 3B D0 72 ?? EB ?? EB ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF B5 + ?? 
?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 33 C0 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 + 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? FF 35 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? FF 75 ?? E8 ?? ?? ?? ?? 33 C0 50 50 6A ?? 50 6A ?? 68 ?? ?? ?? ?? + FF 75 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? E9 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 8D 45 + ?? 50 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? + 83 7D ?? ?? 75 ?? 83 7D ?? ?? 73 ?? E9 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? BB ?? ?? ?? ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? B8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B D2 75 ?? 0B C9 75 ?? B9 ?? ?? ?? ?? 89 4D ?? 89 55 ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 4D ?? 89 55 ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 4D ?? 89 55 ?? 0B DB 75 ?? 0B C0 74 ?? 83 45 ?? ?? 83 55 ?? ?? FF 75 ?? + FF 75 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 81 7D ?? ?? ?? + ?? ?? 76 ?? B8 ?? ?? ?? ?? EB ?? 8B 45 ?? 6B C0 ?? 89 45 ?? 6A ?? 8D 45 ?? 50 FF 75 + ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? 0B C0 74 ?? E9 ?? ?? ?? ?? + 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 FF 75 ?? 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? E8 ?? ?? + ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? 0B C0 74 ?? E9 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF + 75 ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? DF 6D ?? DA 45 + ?? DF 7D ?? C7 45 ?? ?? ?? ?? ?? DF 6D ?? DA 65 ?? DF 7D ?? C7 45 ?? ?? ?? ?? ?? DF + 6D ?? DA 65 ?? DF 7D ?? 83 7D ?? ?? 75 ?? 83 7D ?? ?? 74 ?? E9 ?? ?? ?? ?? 8F 45 ?? + 8F 45 ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? 
E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? E8 ?? ?? + ?? ?? 0B C0 74 ?? EB ?? 6A ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? + ?? 0B C0 75 ?? EB ?? 6A ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? + ?? 0B C0 75 ?? EB ?? EB ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? + ?? ?? FF 75 ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? + 50 FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5B C9 C2 + } + + $read_config_file = { + 55 8B EC 83 C4 ?? [0-20] 6A ?? 68 ?? ?? ?? ?? 6A + ?? (E8 | FF 15) ?? ?? ?? ?? 0B C0 75 ?? 33 C0 C9 + C3 89 45 ?? 50 6A ?? (E8 | FF 15) ?? ?? ?? ?? 0B + C0 75 04 33 C0 C9 C3 89 45 ?? FF 75 ?? 6A ?? + (E8 | FF 15) ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 + 89 45 ?? 50 (E8 | FF 15) ?? ?? ?? ?? 0B C0 75 04 + 33 C0 C9 C3 89 45 ?? FF 75 ?? 6A ?? (E8 | FF 15) + ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 89 45 ?? 8B + D8 FF 75 ?? FF 75 ?? FF 75 ?? (E8 | FF 15) ?? ?? + ?? ?? FF 75 ?? (E8 | FF 15) ?? ?? ?? ?? 8B 5D ?? + 6A ?? 53 68 ?? ?? ?? ?? (E8 | FF 15) ?? ?? ?? ?? + 83 C3 ?? 8B 45 ?? 83 (E8 | FF 15) ?? 50 53 + (E8 | FF 15) ?? ?? ?? ?? 8A 03 A2 ?? ?? ?? ?? 83 + C3 ?? 8A 03 A2 ?? ?? ?? ?? 83 C3 + } + + $file_type_loop = { + 51 53 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 + ?? 75 03 59 EB ?? 53 E8 ?? ?? ?? ?? 03 D8 83 C3 + ?? 59 E2 DC [20-40] FF B5 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 0B C0 75 44 FF B5 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 + } + + $encrypt_routine = { + FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? + [0-10] E9 ?? ?? ?? ?? 6A ?? [1-10] FF 75 ?? + FF (35 | 75) [1-4] FF 75 ?? (E8 | FF 15) + ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? 68 ?? + ?? ?? ?? [1-10] FF (35 | 75) [1-4] 6A ?? + 6A ?? 6A ?? FF 35 ?? ?? 
?? ?? (E8 | FF 15) ??
+ ?? ?? ?? 0B C0 75 ?? (EB | E9) [1-4] 6A ??
+ [2-10] FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8
+ ?? 75 ?? [10-40] FF (35 | 75) [1-4] FF 75 ??
+ (E8 |FF 15)
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ $read_config_file and
+ $file_type_loop and
+ $encrypt_routine
+ ) or
+ (
+ $enum_drives and
+ $enum_shared_resources and
+ $find_files and
+ $encrypt_files
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.CryptoJoker.yara b/yara/ransomware/Win32.Ransomware.CryptoJoker.yara
new file mode 100644
index 0000000..a1c039d
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.CryptoJoker.yara
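Review bot: In `$read_config_file` the fragment `83 C3 ?? 8B 45 ?? 83 (E8 | FF 15) ?? 50 53` applies the call-opcode alternation to a byte that is not a call: `83 E8 ??` is `sub eax, imm8`, while the `83 FF 15` alternative decodes as `cmp edi, 0x15`, which looks like a mechanical `E8` → `(E8 | FF 15)` substitution rather than an observed variant; `83 E8 ?? 50 53` restores the intended pattern, to be confirmed against the disassembly before changing. `$encrypt_routine` is jump-heavy (`[0-10]`, `[1-10]`, `[2-10]`, `[10-40]`) with few fixed bytes between jumps, so it is worth checking the rule with `yara -w` for slow-pattern warnings. The alternation spacing is also inconsistent: `(E8 |FF 15)` at the end of `$encrypt_routine` versus `(E8 | FF 15)` everywhere else.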
@@ -0,0 +1,140 @@ +rule Win32_Ransomware_CryptoJoker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CRYPTOJOKER" + description = "Yara rule that detects CryptoJoker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "CryptoJoker" + tc_detection_factor = 5 + + strings: + + $call_encrypt = { + 2B 02 26 16 FE 09 00 00 FE 09 01 00 FE 09 02 00 6F ?? ?? ?? ?? 2A + } + + $encrypt_files = { + 2B 02 26 16 20 04 ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 26 20 00 04 ?? ?? 73 ?? ?? ?? ?? 0C 20 05 ?? ?? ?? + 16 39 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 0B 38 ?? ?? ?? ?? 20 04 ?? ?? ?? FE ?? ?? ?? FE ?? ?? + ?? 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 ?? ?? ?? ?? 26 + 20 03 ?? ?? ?? 16 39 ?? ?? ?? ?? 26 00 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? + ?? ?? ?? 26 20 00 ?? ?? ?? 38 ?? ?? ?? ?? 00 00 08 06 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? + ?? ?? 26 20 03 ?? ?? ?? 38 ?? ?? ?? ?? 09 28 ?? ?? ?? ?? 13 04 20 04 ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? + 26 00 08 07 17 28 ?? ?? ?? ?? 0D 38 ?? ?? ?? ?? 20 03 ?? ?? ?? FE ?? ?? ?? FE ?? ?? ?? 45 ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 38 ?? ?? ?? ?? 26 20 02 ?? ?? ?? 38 ?? ?? ?? ?? 11 04 + 13 05 DD ?? ?? ?? ?? 00 08 16 28 ?? ?? ?? ?? 00 00 DC 08 14 FE 01 13 06 11 06 3A ?? ?? ?? ?? 08 28 ?? ?? ?? + ?? 00 DC 00 11 05 2A + } + + $start_process = { + 2B ?? 26 16 20 10 ?? ?? ?? 38 ?? ?? ?? ?? 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 20 ?? ?? ?? ?? + 38 ?? ?? ?? ?? 00 11 05 17 28 ?? ?? ?? ?? 20 06 ?? ?? ?? 38 ?? ?? ?? ?? 00 28 ?? ?? ?? ?? + 0A 20 09 ?? ?? ?? 38 ?? ?? ?? ?? 00 11 05 08 28 ?? ?? ?? ?? 20 12 ?? ?? ?? 38 ?? ?? ?? ?? + 11 06 17 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 38 + ?? ?? ?? ?? 11 05 17 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 
38 ?? ?? ?? ?? 11 06 19 20 ?? ?? ?? ?? + 28 ?? ?? ?? ?? A2 20 0F ?? ?? ?? 38 ?? ?? ?? ?? 1A 8D ?? ?? ?? ?? 13 06 20 02 ?? ?? ?? 38 + ?? ?? ?? ?? 00 11 04 28 ?? ?? ?? ?? 26 20 13 ?? ?? ?? 38 ?? ?? ?? ?? 08 09 28 ?? ?? ?? ?? + 20 07 ?? ?? ?? 38 ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 05 38 ?? ?? ?? ?? 26 20 0D ?? ?? ?? 38 ?? + ?? ?? ?? 11 06 0D 38 ?? ?? ?? ?? 20 10 ?? ?? ?? FE ?? ?? ?? FE ?? ?? ?? 45 ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? + ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 20 08 ?? ?? ?? 17 3A ?? ?? ?? ?? + 26 11 06 18 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 20 00 ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? + 26 06 07 28 ?? ?? ?? ?? 0C 20 0B ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 26 11 06 16 20 ?? + ?? ?? ?? 28 ?? ?? ?? ?? A2 17 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? 26 20 03 ?? ?? ?? 16 39 ?? ?? + ?? ?? 26 00 11 04 11 05 28 ?? ?? ?? ?? 20 0A ?? ?? ?? 17 3A ?? ?? ?? ?? 26 00 73 ?? ?? ?? + ?? 13 04 20 04 ?? ?? ?? 38 ?? ?? ?? ?? 2A + } + + $msgbox_timer = { + 00 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 07 28 ?? ?? ?? ?? 0C + 00 02 7B ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 DE 12 08 14 FE 01 + 13 04 11 04 2D ?? 08 6F ?? ?? ?? ?? 00 DC 00 02 7B ?? ?? ?? ?? 16 32 0E 02 7B + ?? ?? ?? ?? 16 FE 04 16 FE 01 2B ?? 16 00 13 04 11 04 2D ?? 00 02 7B ?? ?? ?? + ?? 6F ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 38 ?? ?? ?? ?? 02 7B ?? + ?? ?? ?? 2D ?? 02 7B ?? ?? ?? ?? 2D ?? 02 7B ?? ?? ?? ?? 16 FE 01 16 FE 01 2B + ?? 17 00 13 04 11 04 2D ?? 00 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 73 ?? ?? ?? + ?? 0D 09 17 6F ?? ?? ?? ?? 00 09 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 1F 40 28 ?? + ?? ?? ?? 26 00 38 ?? ?? ?? ?? 00 02 7B ?? ?? ?? ?? 17 FE 04 16 FE 01 13 04 11 + 04 2D ?? 00 02 1F 3B 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 FE 04 16 FE 01 13 04 + 11 04 2D ?? 00 02 1F 3B 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 
16 FE 01 13 04 11 04 + 2D ?? 02 25 7B ?? ?? ?? ?? 17 59 7D ?? ?? ?? ?? 00 2B ?? 02 25 7B ?? ?? ?? ?? + 17 59 7D ?? ?? ?? ?? 00 2B ?? 02 25 7B ?? ?? ?? ?? 17 59 7D ?? ?? ?? ?? 02 7B + ?? ?? ?? ?? 1F 09 FE 02 16 FE 01 13 04 11 04 2D ?? 02 7B ?? ?? ?? ?? 02 7C ?? + ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 2B ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? + ?? 02 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? + ?? ?? ?? 1F 09 FE 02 16 FE 01 13 04 11 04 2D ?? 02 7B ?? ?? ?? ?? 02 7C ?? ?? + ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 2B ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? + 02 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 7B ?? ?? + ?? ?? 1F 09 FE 02 16 FE 01 13 04 11 04 2D ?? 02 7B ?? ?? ?? ?? 02 7C ?? ?? ?? + ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 2B ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 02 + 7C ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 2A + } + + $unzip_packed_file = { + 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 0B 06 07 2E ?? 07 06 28 ?? ?? ?? ?? 2D ?? 14 + 2A 02 73 ?? ?? ?? ?? 0C 16 8D ?? ?? ?? ?? 0D 08 6F ?? ?? ?? ?? 13 04 11 04 20 + ?? ?? ?? ?? 40 ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 68 13 05 08 6F ?? ?? ?? ?? 13 06 + 08 6F ?? ?? ?? ?? 13 07 11 04 20 ?? ?? ?? ?? 33 ?? 11 05 1F 14 33 ?? 11 06 2D + ?? 11 07 1E 2E ?? 72 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 08 6F ?? ?? ?? ?? 26 08 6F + ?? ?? ?? ?? 26 08 6F ?? ?? ?? ?? 26 08 6F ?? ?? ?? ?? 13 08 08 6F ?? ?? ?? ?? + 13 09 08 6F ?? ?? ?? ?? 13 0A 11 09 16 31 ?? 11 09 8D ?? ?? ?? ?? 13 0B 08 11 + 0B 16 11 09 6F ?? ?? ?? ?? 26 11 0A 16 31 ?? 11 0A 8D ?? ?? ?? ?? 13 0C 08 11 + 0C 16 11 0A 6F ?? ?? ?? ?? 26 08 6F ?? ?? ?? ?? 08 6F ?? ?? ?? ?? 59 D4 8D ?? + ?? ?? ?? 13 0D 08 11 0D 16 11 0D 8E 69 6F ?? ?? ?? ?? 26 11 0D 73 ?? ?? ?? ?? + 13 0E 11 08 8D ?? ?? ?? ?? 0D 11 0E 09 16 09 8E 69 6F ?? ?? ?? ?? 26 14 13 0D + 38 ?? ?? ?? ?? 11 04 1F 18 63 13 0F 11 04 11 0F 1F 18 62 59 13 04 11 04 20 ?? + ?? ?? ?? 40 ?? ?? ?? ?? 11 0F 17 33 ?? 08 6F ?? ?? ?? ?? 13 10 11 10 8D ?? ?? + ?? ?? 0D 16 13 11 2B ?? 08 6F ?? 
?? ?? ?? 13 12 08 6F ?? ?? ?? ?? 13 13 11 12 + 8D ?? ?? ?? ?? 13 15 08 11 15 16 11 15 8E 69 6F ?? ?? ?? ?? 26 11 15 73 ?? ?? + ?? ?? 13 14 11 14 09 11 11 11 13 6F ?? ?? ?? ?? 26 11 11 11 13 58 13 11 11 11 + 11 10 32 ?? 11 0F 18 33 ?? 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? + 13 16 1E 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 17 11 16 11 17 17 + 28 ?? ?? ?? ?? 13 18 11 18 02 1A 02 8E 69 1A 59 6F ?? ?? ?? ?? 13 19 11 19 28 + ?? ?? ?? ?? 0D DE ?? 11 18 2C ?? 11 18 6F ?? ?? ?? ?? DC 11 0F 19 33 ?? 1F 10 + 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 1A 1F 10 8D ?? ?? ?? ?? 25 + D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 1B 11 1A 11 1B 17 28 ?? ?? ?? ?? 13 1C 11 1C + 02 1A 02 8E 69 1A 59 6F ?? ?? ?? ?? 13 1D 11 1D 28 ?? ?? ?? ?? 0D DE 17 11 1C + 2C ?? 11 1C 6F ?? ?? ?? ?? DC 72 B5 0E 00 70 73 ?? ?? ?? ?? 7A 08 6F ?? ?? ?? + ?? 14 0C 09 2A + } + + $resolve_assembly = { + 12 00 03 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 12 00 16 28 ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 07 + 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 72 ?? ?? ?? ?? 17 8D ?? ?? ?? ?? 13 13 11 13 16 1F + 2C 9D 11 13 6F ?? ?? ?? ?? 0D 7E ?? ?? ?? ?? 13 04 16 13 05 16 13 06 16 13 07 2B ?? + 09 11 07 9A 08 28 ?? ?? ?? ?? 2C 0A 09 11 07 17 58 9A 13 04 2B ?? 11 07 18 58 13 07 + 11 07 09 8E 69 17 59 32 ?? 11 04 6F ?? ?? ?? ?? 2D ?? 12 00 7B ?? ?? ?? ?? 6F ?? ?? + ?? ?? 2D ?? 28 ?? ?? ?? ?? 12 00 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 16 + 13 08 2B ?? 09 11 08 9A 08 28 ?? ?? ?? ?? 2C ?? 09 11 08 17 58 9A 13 04 2B ?? 11 08 + 18 58 13 08 11 08 09 8E 69 17 59 32 ?? 11 04 6F ?? ?? ?? ?? 16 3E ?? ?? ?? ?? 11 04 + 16 6F ?? ?? ?? ?? 1F 5B 33 ?? 11 04 1F 5D 6F ?? ?? ?? ?? 13 09 11 04 17 11 09 17 59 + 6F ?? ?? ?? ?? 13 0A 11 0A 1F 7A 6F ?? ?? ?? ?? 16 FE 04 16 FE 01 13 05 11 0A 1F 74 + 6F ?? ?? ?? ?? 16 FE 04 16 FE 01 13 06 11 04 11 09 17 58 6F ?? ?? ?? ?? 13 04 7E ?? + ?? ?? ?? 25 13 14 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 11 04 6F ?? ?? ?? ?? 2C ?? 7E ?? ?? + ?? ?? 11 04 6F ?? ?? ?? ?? 13 12 DD ?? ?? ?? ?? 28 ?? ?? ?? ?? 
11 04 6F ?? ?? ?? ??
+ 13 0B 11 0B 39 ?? ?? ?? ?? 11 0B 6F ?? ?? ?? ?? 69 13 0C 11 0C 8D ?? ?? ?? ?? 13 0D
+ 11 0B 11 0D 16 11 0C 6F ?? ?? ?? ?? 26 11 05 2C ?? 11 0D 28 ?? ?? ?? ?? 13 0D 14 13
+ 0E 11 06 2D ?? 11 0D 28 ?? ?? ?? ?? 13 0E DE 0C 26 17 13 06 DE ?? 26 17 13 06 DE ??
+ 11 06 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 04 28 ?? ?? ?? ?? 13 0F 11 0F 28 ?? ??
+ ?? ?? 26 11 0F 12 00 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 10 11 10 28 ??
+ ?? ?? ?? 2D ?? 11 10 28 ?? ?? ?? ?? 13 11 11 11 11 0D 16 11 0D 8E 69 6F ?? ?? ?? ??
+ 11 11 6F ?? ?? ?? ?? 11 10 14 1A 28 ?? ?? ?? ?? 26 11 0F 14 1A 28 ?? ?? ?? ?? 26 11
+ 10 28 ?? ?? ?? ?? 13 0E DE ?? 26 DE ?? 7E ?? ?? ?? ?? 11 04 11 0E 6F ?? ?? ?? ?? 11
+ 0E 13 12 DE ?? DE ?? 11 14 28 ?? ?? ?? ?? DC 14 2A 11 12 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($call_encrypt and $encrypt_files and $start_process) or
+ ($msgbox_timer) or
+ ($unzip_packed_file and $resolve_assembly))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.CryptoLocker.yara b/yara/ransomware/Win32.Ransomware.CryptoLocker.yara
new file mode 100644
index 0000000..fa2ba24
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.CryptoLocker.yara
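Review bot: `$unzip_packed_file` hard-codes one `ldstr` operand, `DC 72 B5 0E 00 70 73 ?? ?? ?? ??`, while every other metadata token in the rule is wildcarded (`72 ?? ?? ?? ??`, `28 ?? ?? ?? ??`, `6F ?? ?? ?? ??`); user-string tokens are assigned per compilation, so this ties the pattern to one build of the sample, and either `72 ?? ?? ?? ?? 73 ?? ?? ?? ??` or a comment explaining why that token is stable would be consistent with the rest of the rule. The middle branch of the condition, `($msgbox_timer) or`, lets a single string trigger the rule; it is long enough that this is probably acceptable, but a comment stating that choice would save the next maintainer from reading it as an oversight.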
@@ -0,0 +1,154 @@
+import "pe"
+
+rule Win32_Ransomware_CryptoLocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "CRYPTOLOCKER"
+ description = "Yara rule that detects CryptoLocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "CryptoLocker"
+ tc_detection_factor = 5
+
+ strings:
+
+ $file_loop_1 = {
+ 55 8B EC 83 EC ?? 53 56 8B D9 57 89 5D ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 32 C9 83 7D ?? ?? 88 4D ?? 0F 86 45 01
+ 00 00 8B 5D ?? 0F 57 C0 66 0F 13 45 ?? 84 C9 74 08 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? FF 75 ?? FF 33 FF 15 ??
+ ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 FF 33 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 75 ??
+ 6A ?? 8B 49 ?? 6A ?? 52 56 8B 01 6A ?? 89 55 ?? 8B 00 FF D0 84 C0 0F 84 E6 00 00 00 FF 15 ?? ?? ?? ?? 8B 7D ?? 33 D2 89
+ 45 ?? 8B D8 85 FF 72 18 77 08 81 FE ?? ?? ?? ?? 76 0E B8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB 05 8B C6 89 7D ?? 3B D0 73
+ 0F 8B 45 ?? 8D 0C 13 8B 40 ?? 88 0C 02 42 EB CC 8B 5D ?? 85 FF 8B FE 75 04 85 F6 74 6B 85 DB 77 0E 72 08 81 FF ?? ?? ??
+ ?? 73 04 8B F7 EB 05 BE ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 45 ?? 56 FF 70 ?? 8B 45 ?? FF 30 FF 15 ?? ?? ?? ?? 85 C0 74 ??
+ 39 75 ?? 75 ?? 8B 45 ?? 2B FE 8B 55 ?? 83 DB ?? 2B D7 8B 48 ?? 8B 45 ?? 1B C3 50 8B 31 52 FF 75 ?? FF 75 ?? 8B 06 6A ??
+ FF D0 84 C0 74 34 85 DB 77 AD 72 04 85 FF 75 95 8B 5D ?? FF 33 FF 15 ?? ?? ?? ?? 8A 4D ?? FE C1 0F B6 C1 88 4D ?? 3B 45
+ ?? 0F 82 C6 FE FF FF B0 ?? 5F 5E 5B 8B E5 5D C2
+ }
+
+ $file_loop_2 = {
+ 55 8B EC 83 EC ?? 53 56 8B D9 57 89 5D ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 32 C9 83 7D ?? ?? 88 4D ?? 0F 86 50 01
+ 00 00 8B 5D ?? 0F 57 C0 66 0F 13 45 ?? 84 C9 74 08 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? FF 75 ?? FF 33 FF 15 ??
+ ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 FF 33 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 49 ??
+ 8B 75 ?? 8B 01 6A ?? 8B 00 6A ?? 52 56 6A ?? 89 55 ?? FF D0 84 C0 0F 84 F1 00 00 00 FF 15 ?? ?? ?? ?? 8B 7D ?? 89 45 ??
+ 33 D2 8B D8 85 FF 72 18 77 08 81 FE ?? ?? ?? ?? 76 0E B8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB 05 8B C6 89 7D ?? 3B D0 73
+ 10 8B 45 ?? 8D 0C 13 8B 40 ?? 42 88 4C 02 ?? EB CB 8B 5D ?? 85 FF 8B FE 75 04 85 F6 74 75 85 DB 77 11 72 08 81 FF ?? ??
+ ?? ?? 73 07 8B F7 89 5D ?? EB 0C BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 45 ?? 56 FF 70 ?? 8B 45 ?? FF
+ 30 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 39 75 ?? 75 ?? 8B 45 ?? 8B 55 ?? 8B 48 ?? 8B 45 ?? 2B FE 8B 31 83 DB ?? 2B D7 1B C3 50
+ 8B 06 52 FF 75 ?? FF 75 ?? 6A ?? FF D0 84 C0 74 34 85 DB 77 A6 72 04 85 FF 75 8B 8B 5D ?? FF 33 FF 15 ?? ?? ?? ?? 8A 4D
+ ?? FE C1 0F B6 C1 88 4D ?? 3B 45 ?? 0F 82 BB FE FF FF B0 ?? 5F 5E 5B 8B E5 5D C2
+ }
+
+ $file_loop_3 = {
+ 55 8B EC 83 EC ?? 53 56 8B C1 57 89 45 ?? E8 ?? ?? ?? ?? 84 C0 0F 84 62 01 00 00 8B 5D ?? 32 C0 0F 57 C0 88 45 ?? 66 0F
+ 13 45 ?? EB 03 8D 49 ?? 84 C0 74 08 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? FF 75 ?? FF 33 FF 15 ?? ?? ?? ?? 85 C0
+ 0F 84 27 01 00 00 8D 45 ?? 50 FF 33 FF 15 ?? ?? ?? ?? 85 C0 0F 84 13 01 00 00 8B 4D ?? 8B 55 ?? 8B 49 ?? 8B 75 ?? 8B 01
+ 6A ?? 8B 00 6A ?? 52 56 6A ?? 89 55 ?? FF D0 84 C0 0F 84 EE 00 00 00 FF 15 ?? ?? ?? ?? 8B 7D ?? 89 45 ?? 33 D2 8B D8 90
+ 85 FF 72 18 77 08 81 FE ?? ?? ?? ?? 76 0E B8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB 05 8B C6 89 7D ?? 3B D0 73 10 8B 45 ??
+ 8D 0C 13 8B 40 ?? 42 88 4C 02 ?? EB CB 8B 5D ?? 85 FF 8B FE 75 04 85 F6 74 75 85 DB 77 11 72 08 81 FF ?? ?? ?? ?? 73 07
+ 8B F7 89 5D ?? EB 0C BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 45 ?? 56 FF 70 ?? 8B 45 ?? FF 30 FF 15 ??
+ ?? ?? ?? 85 C0 74 5E 39 75 ?? 75 59 8B 45 ?? 8B 55 ?? 8B 48 ?? 8B 45 ?? 2B FE 8B 31 83 DB ?? 2B D7 1B C3 50 8B 06 52 FF
+ 75 ?? FF 75 ?? 6A ?? FF D0 84 C0 74 30 85 DB 77 A6 72 04 85 FF 75 8B 8B 5D ?? FF 33 FF 15 ?? ?? ?? ?? 8A 45 ?? FE C0 88
+ 45 ?? 3C ?? 0F 82 BE FE FF FF B0 ??
5F 5E 5B 8B E5 5D C2
+ }
+
+ $encrypt_data_1 = {
+ 55 8B EC 56 8B 75 ?? 57 8B F9 39 75 ?? 73 09 5F 83 C8 ?? 5E 5D C2 ?? ?? 8B 07 53 85 C0 74 58 48 83 F8 ?? 77 48 8B 5D ??
+ 8B 45 ?? 3B D8 74 0B 56 50 53 E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? 8D 45 ?? 89 75 ?? 50 8B 45 ?? 53 6A ?? 0F B6 C0 50 6A ??
+ FF 77 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 CA ?? 85 C0 5B 0F 44 CA 5F 8B C1 5E 5D C2 ?? ?? 5B 5F 83 C8 ?? 5E 5D C2 ?? ?? 8B
+ 47 ?? 33 D2 89 45 ?? 8B 47 ?? 85 F6 74 26 8B 7D ?? 8B DE 8B 4D ?? 8B F0 2B F9 8A 04 0F 8D 49 ?? 32 04 32 88 41 ?? 8D 42
+ ?? 33 D2 F7 75 ?? 4B 75 E9 8B 75 ?? 5B 5F 8B C6 5E 5D C2
+ }
+
+ $encrypt_data_2 = {
+ 55 8B EC 56 8B 75 ?? 57 8B F9 39 75 ?? 73 09 5F 83 C8 ?? 5E 5D C2 ?? ?? 8B 07 53 85 C0 74 56 48 83 F8 ?? 77 46 8B 5D ??
+ 8B 45 ?? 3B D8 74 0B 56 50 53 E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? 8D 45 ?? 50 0F B6 45 ?? 53 6A ?? 50 6A ?? FF 77 ?? 89 75
+ ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 CA ?? 85 C0 5B 0F 44 CA 5F 8B C1 5E 5D C2 ?? ?? 5B 5F 83 C8 ?? 5E 5D C2 ?? ?? 8B 47 ??
+ 33 D2 89 45 ?? 8B 47 ?? 85 F6 74 26 8B 4D ?? 8B 7D ?? 8B DE 2B F9 8B F0 8A 04 0F 32 04 32 8D 49 ?? 88 41 ?? 8D 42 ?? 33
+ D2 F7 75 ?? 4B 75 E9 8B 75 ?? 5B 5F 8B C6 5E 5D C2
+ }
+
+ $encrypt_data_3 = {
+ 55 8B EC 53 56 8B 75 ?? 8B D9 39 75 ?? 72 4C 83 3B ?? 77 47 8B 45 ?? 57 8B 7D ?? 3B F8 74 0B 56 50 57 E8 ?? ?? ?? ?? 83
+ C4 ?? FF 75 ?? 8D 45 ?? 50 0F B6 45 ?? 57 6A ?? 50 6A ?? FF 73 ?? 89 75 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 CA ?? 85 C0 5F
+ 0F 44 CA 5E 8B C1 5B 5D C2 ?? ?? 5E 83 C8 ?? 5B 5D C2
+ }
+
+ $decrypt_data_1 = {
+ 55 8B EC 53 56 57 8B F9 8B 07 85 C0 74 53 48 83 F8 ?? 77 55 8B 75 ?? 39 75 ?? 72 4D 8B 5D ?? 8B 45 ?? 3B D8 74 0B 56 50
+ 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 89 75 ?? 50 8B 45 ?? 53 6A ?? 0F B6 C0 50 6A ?? FF 77 ?? FF 15 ?? ?? ?? ?? 8B 4D ??
+ 83 CA ?? 85 C0 5F 0F 44 CA 5E 8B C1 5B 5D C2 ?? ?? 8B 75 ?? 39 75 ?? 73 0A 5F 5E 83 C8 ?? 5B 5D C2 ?? ?? 8B 47 ?? 33 D2
+ 89 45 ?? 8B 47 ?? 85 F6 74 28 8B 7D ?? 8B DE 8B 4D ?? 8B F0 2B F9 8B FF 8A 04 0F 8D 49 ?? 32 04 32 88 41 ??
8D 42 ?? 33
+ D2 F7 75 ?? 4B 75 E9 8B 75 ?? 5F 8B C6 5E 5B 5D C2
+ }
+
+ $decrypt_data_2 = {
+ 55 8B EC 53 56 57 8B F9 8B 07 85 C0 74 51 48 83 F8 ?? 77 53 8B 75 ?? 39 75 ?? 72 4B 8B 5D ?? 8B 45 ?? 3B D8 74 0B 56 50
+ 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 0F B6 45 ?? 53 6A ?? 50 6A ?? FF 77 ?? 89 75 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 CA
+ ?? 85 C0 5F 0F 44 CA 5E 8B C1 5B 5D C2 ?? ?? 8B 75 ?? 39 75 ?? 73 0A 5F 5E 83 C8 ?? 5B 5D C2 ?? ?? 8B 47 ?? 33 D2 89 45
+ ?? 8B 47 ?? 85 F6 74 2A 8B 4D ?? 8B 7D ?? 8B DE 2B F9 8B F0 8D 64 24 ?? 8A 04 0F 32 04 32 8D 49 ?? 88 41 ?? 8D 42 ?? 33
+ D2 F7 75 ?? 4B 75 E9 8B 75 ?? 5F 8B C6 5E 5B 5D C2
+ }
+
+ $decrypt_data_3 = {
+ 55 8B EC 53 8B D9 83 3B ?? 77 56 56 8B 75 ?? 39 75 ?? 73 09 5E 83 C8 ?? 5B 5D C2 ?? ?? 8B 45 ?? 57 8B 7D ?? 3B F8 74 0B
+ 56 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 0F B6 45 ?? 57 6A ?? 50 6A ?? FF 73 ?? 89 75 ?? FF 15 ?? ?? ?? ?? 8B 4D ??
+ 83 CA ?? 85 C0 5F 0F 44 CA 5E 8B C1 5B 5D C2 ?? ?? 83 C8 ?? 5B 5D C2
+ }
+
+ $decrypt_strings_1 = {
+ 55 8B EC 53 56 8B D9 8B F2 57 33 C9 33 FF 2B DE 8B 45 ?? 8D 14 31 8A 04 07 02 C1 32 04 13 88 02 8D 47 ?? 33 D2 F7 75 ??
+ 8B FA F6 C1 ?? 75 0B 8B C1 D1 E8 66 83 3C 46 ?? 74 03 41 EB D3 D1 E9 5F 5E 5B 8D 41 ?? 5D C3
+ }
+
+ $decrypt_strings_2 = {
+ 55 8B EC 53 56 8B D9 57 8B F2 33 C9 33 FF 2B DE 8B 45 ?? 8D 14 31 8A 04 07 02 C1 32 04 13 88 02 8D 47 ?? 33 D2 F7 75 ??
+ 8B FA F6 C1 ?? 75 0B 8B C1 D1 E8 66 83 3C 46 ?? 74 03 41 EB D3 5F D1 E9 5E 8D 41 ?? 5B 5D C3
+ }
+
+ $decrypt_1 = {
+ A1 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8C B7 00 00 00 33 D2 8B 0C 95 ?? ?? ?? ?? 33 0C 95 ?? ?? ?? ?? 81 E1 ?? ?? ?? ?? 33 0C
+ 95 ?? ?? ?? ?? 8B C1 D1 E9 83 E0 ?? 33 0C 85 ?? ?? ?? ?? 33 0C 95 ?? ?? ?? ?? 89 0C 95 ?? ?? ?? ?? 42 81 FA ?? ?? ?? ??
+ 7C C0 81 FA ?? ?? ?? ?? 7D 39 56 8D 34 95 ?? ?? ?? ?? 8B 0E 33 4E ?? 81 E1 ?? ?? ?? ?? 33 0E 8B C1 D1 E9 83 E0 ?? 8B 04
+ 85 ?? ?? ?? ?? 33 86 ?? ?? ?? ?? 33 C1 89 06 83 C6 ?? 81 FE ?? ?? ?? ?? 7C D0 5E 8B 0D ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 81
+ E1 ?? ?? ??
?? 33 0D ?? ?? ?? ?? 8B C1 D1 E9 83 E0 ?? 33 0C 85 ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 33 C0 89 0D ?? ?? ?? ?? 8B
+ 0C 85 ?? ?? ?? ?? 40 A3 ?? ?? ?? ?? 8B C1 C1 E8 ?? 33 C8 8B C1 25 ?? ?? ?? ?? C1 E0 ?? 33 C8 8B C1 25 ?? ?? ?? ?? C1 E0
+ ?? 33 C8 8B C1 C1 E8 ?? 33 C1 C3
+ }
+
+ $decrypt_2 = {
+ A1 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8C C7 00 00 00 33 D2 EB 0C 8D A4 24 ?? ?? ?? ?? EB 03 8D 49 ?? 8B 0C 95 ?? ?? ?? ?? 33
+ 0C 95 ?? ?? ?? ?? 42 81 E1 ?? ?? ?? ?? 33 0C 95 ?? ?? ?? ?? 8B C1 83 E0 ?? D1 E9 33 0C 85 ?? ?? ?? ?? 33 0C 95 ?? ?? ??
+ ?? 89 0C 95 ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 7C C0 81 FA ?? ?? ?? ?? 7D 3B 56 8D 34 95 ?? ?? ?? ?? 8B 0E 33 4E ?? 83 C6 ??
+ 81 E1 ?? ?? ?? ?? 33 4E ?? 8B C1 83 E0 ?? D1 E9 8B 04 85 ?? ?? ?? ?? 33 86 ?? ?? ?? ?? 33 C1 89 46 ?? 81 FE ?? ?? ?? ??
+ 7C CE 5E 8B 0D ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 81 E1 ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 8B C1 83 E0 ?? D1 E9 33 0C 85 ?? ?? ??
+ ?? 33 0D ?? ?? ?? ?? 33 C0 89 0D ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 40 A3 ?? ?? ?? ?? 8B C1 C1 E8 ?? 33 C8 8B C1 25 ?? ??
+ ?? ?? C1 E0 ?? 33 C8 8B C1 25 ?? ?? ?? ?? C1 E0 ?? 33 C8 8B C1 C1 E8 ?? 33 C1 C3
+ }
+
+ $decrypt_3 = {
+ A1 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8C C7 00 00 00 33 D2 EB 0C 8D A4 24 ?? ?? ?? ?? EB 03 8D 49 ?? 8B 0C 95 ?? ?? ?? ?? 33
+ 0C 95 ?? ?? ?? ?? 42 81 E1 ?? ?? ?? ?? 33 0C 95 ?? ?? ?? ?? 8B C1 83 E0 ?? D1 E9 33 0C 85 ?? ?? ?? ?? 33 0C 95 ?? ?? ??
+ ?? 89 0C 95 ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 7C C0 81 FA ?? ?? ?? ?? 7D 3B 56 8D 34 95 ?? ?? ?? ?? 8B 0E 33 4E ?? 83 C6 ??
+ 81 E1 ?? ?? ?? ?? 33 4E ?? 8B C1 83 E0 ?? D1 E9 8B 04 85 ?? ?? ?? ?? 33 86 ?? ?? ?? ?? 33 C1 89 46 ?? 81 FE ?? ?? ?? ??
+ 7C CE 5E 8B 0D ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 81 E1 ?? ?? ?? ?? 33 0D ?? ?? ?? ?? 8B C1 83 E0 ?? D1 E9 33 0C 85 ?? ?? ??
+ ?? 33 0D ?? ?? ?? ?? 33 C0 89 0D ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 40 A3 ?? ?? ?? ?? 8B C1 C1 E8 ?? 33 C8 8B C1 25 ?? ??
+ ?? ?? C1 E0 ?? 33 C8 8B C1 25 ?? ?? ?? ?? C1 E0 ?? 33 C8 8B C1 C1 E8 ?? 33 C1 C3
+ }
+
+ $entrypoint_all = {
+ 83 EC ?? E8 ?? ?? ?? ??
50 FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and ((($file_loop_1 and $encrypt_data_1 and $decrypt_data_1 and $decrypt_strings_1 and $decrypt_1) or
+ ($file_loop_2 and $encrypt_data_2 and $decrypt_data_2 and $decrypt_strings_2 and $decrypt_2) or
+ ($file_loop_3 and $encrypt_data_3 and $decrypt_data_3 and $decrypt_3)) and
+ ($entrypoint_all at pe.entry_point))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.CryptoWall.yara b/yara/ransomware/Win32.Ransomware.CryptoWall.yara
new file mode 100644
index 0000000..844fa11
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.CryptoWall.yara
@@ -0,0 +1,312 @@
+import "pe"
+
+rule Win32_Ransomware_CryptoWall : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "CRYPTOWALL"
+ description = "Yara rule that detects CryptoWall ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "CryptoWall"
+ tc_detection_factor = 5
+
+ strings:
+ $v30_entrypoint = {
+ 55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 85 C0 0F 84 9A 00 00 00 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 7E C7 45 ?? ?? ?? ?? ??
+ 8D 45 ?? 50 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 65 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2
+ E8 ?? ?? ?? ?? 8B 40 ?? A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0
+ 75 19 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A
+ ?? 6A ?? E8 ?? ?? ?? ?? 8B 50 ?? FF D2 33 C0 8B E5 5D C2
+ }
+
+ $v20_entrypoint = {
+ 55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 85 C0 0F 84 A3 00 00 00 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 85 83 00 00 00 C7 45 ??
+ ?? ?? ?? ?? 8D 45 ?? 50 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 6A 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 90 ?? ??
+ ?? ?? FF D2 E8 ?? ?? ?? ?? 8B 40 ?? A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 83 C4 ?? 85 C0 75 19 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51
+ E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B 50 ?? FF D2 33 C0 8B E5 5D C2
+ }
+
+ $v30_api_load = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 50 01 00 00 8B 45 ?? 50 E8 ?? ??
+ ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 34 01 00 00 B9 ?? ?? ?? ?? 6B D1 ?? 8B 45 ?? 8B 4D ?? 03 4C 10 ?? 89 4D ?? 8B
+ 55 ?? 8B 45 ?? 03 42 ?? 89 45 ?? 8B 4D ?? 8B 55 ?? 03 51 ?? 89 55 ?? 8B 45 ?? 8B 4D ?? 03 48 ?? 89 4D ?? C7 45 ?? ?? ??
+ ??
?? EB 09 8B 55 ?? 83 C2 ?? 89 55 ?? 8B 45 ?? 8B 4D ?? 3B 48 ?? 0F 83 DA 00 00 00 8B 55 ?? 8B 45 ?? 8B 4D ?? 03 0C 90
+ 51 E8 ?? ?? ?? ?? 83 C4 ?? 3B 45 ?? 0F 85 B7 00 00 00 BA ?? ?? ?? ?? 6B C2 ?? 8B 4D ?? 8B 54 01 ?? 8B 44 01 ?? 89 55 ??
+ 89 45 ?? 8B 4D ?? 8B 55 ?? 0F B7 04 4A 8B 4D ?? 8B 14 81 3B 55 ?? 76 71 8B 45 ?? 8B 4D ?? 0F B7 14 41 8B 45 ?? 03 45 ??
+ 8B 4D ?? 39 04 91 73 59 8B 55 ?? 8B 45 ?? 0F B7 0C 50 8B 55 ?? 8B 45 ?? 03 04 8A 89 45 ?? 74 3F 6A ?? 8B 4D ?? 51 E8 ??
+ ?? ?? ?? 83 C4 ?? 8B 55 ?? 8D 44 02 ?? 50 8D 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8D 45 ?? 50 6A ?? 8D 4D ??
+ 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 40 ?? FF D0 EB 16 8B 4D ?? 8B 55 ?? 0F B7 04 4A 8B 4D ?? 8B 55 ?? 03 14 81 89 55 ?? EB
+ 05 E9 0E FF FF FF 8B 45 ?? 8B E5 5D C3
+ }
+
+ $v30_dll_load = {
+ 55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 58 8B 45 ?? 8B 48 ?? 89 4D ?? 8B 55 ?? 83 C2 ?? 89 55 ?? 8B 45
+ ?? 8B 08 89 4D ?? 8B 55 ?? 3B 55 ?? 74 36 8B 45 ?? 89 45 ?? 8B 4D ?? 0F B7 51 ?? D1 EA 52 8B 45 ?? 8B 48 ?? 51 E8 ?? ??
+ ?? ?? 83 C4 ?? 3B 45 ?? 75 08 8B 55 ?? 8B 42 ?? EB 0C 8B 45 ?? 8B 08 89 4D ?? EB C2 33 C0 8B E5 5D C3
+ }
+
+ $v30_calculate_hash = {
+ 55 8B EC 83 EC ?? 56 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 5E 83 7D ?? ?? 74 58 8B 45 ?? 89 45 ?? 8B 4D ?? 89 4D ?? 8B 55
+ ?? 83 EA ?? 89 55 ?? 83 7D ?? ?? 74 3D 8B 45 ?? 66 8B 08 66 89 4D ?? 8B 75 ?? C1 EE ?? 0F B7 55 ?? 52 E8 ?? ?? ?? ?? 83
+ C4 ?? 0F B7 C0 33 45 ?? 25 ?? ?? ?? ?? 33 34 85 ?? ?? ?? ?? 89 75 ?? 8B 4D ?? 83 C1 ?? 89 4D ?? EB AE 8B 45 ?? 83 F0 ??
+ 5E 8B E5 5D C3
+ }
+
+ $v30_1_find_file_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 47 02 00 00 E8 ?? ?? ?? ?? 89 45
+ ?? 83 7D ?? ?? 0F 84 32 02 00 00 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? 8B 4D ?? 0F B7 54 41 ?? 83 FA ?? 74 16 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 68
+ ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ??
8B 80 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ??
+ ?? 0F 84 B2 01 00 00 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 84 01 00
+ 00 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 8B 11 83 E2 ?? 0F 85 A0 00 00 00 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? 85 C0 0F 85 80 00 00 00 8D 4D ?? 51 8B 55 ?? 83 C2 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 69 C7 45 ?? ?? ??
+ ?? ?? 8D 45 ?? 50 8B 4D ?? 83 C1 ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 47 8B 45 ?? 50 8B 4D ?? 8B 11 52 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 75 1C 8B 4D ?? 83 C1 ?? 89 4D ?? 8B 55 ?? 8B 42 ?? 50 8B 4D ?? 51
+ }
+
+ $v30_1_find_file_2 = {
+ E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? EB 67 8B 45 ?? 83 C0 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75
+ 54 C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 51 8B 55 ?? 83 C2 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 32 8B 4D ?? 51 E8
+ ?? ?? ?? ?? 83 C4 ?? 85 C0 75 16 8B 55 ?? 52 8B 45 ?? 50 E8 30 FE FF FF 83 C4 ?? 03 45 ?? 89 45 ?? 8B 4D ?? 51 E8 ?? ??
+ ?? ?? 83 C4 ?? 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 0F 85 CE FE FF FF 8B 55 ?? 52 E8 ??
+ ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 7D ?? ?? 74 2E 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8B 55 ?? 52 E8 ?? ?? ?? ?? 83
+ C4 ?? 3D ?? ?? ?? ?? 74 0E 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 89 4D ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4
+ ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 8B E5 5D C3
+ }
+
+ $v30_2_find_file_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 ( 3B | 3D ) 02 00 00 E8 ?? ?? ??
+ ?? 89 45 ?? 83 7D ?? ?? 0F 84 ( 26 | 28 ) 02 00 00 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 0F B7 54 41 ?? 83 FA ?? 74 16 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ??
+ ?? ?? ?? FF D1 68 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
FF D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ??
+ 89 45 ?? 83 7D ?? ?? 0F 84 ( A6 | A8 ) 01 00 00 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 89 45 ??
+ 83 7D ?? ?? 0F 84 ( 78 | 7A ) 01 00 00 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 8B 11 83 E2 ?? 0F 85 94 00 00 00 C7 45 ?? ?? ?? ??
+ ?? 8B 45 ?? 83 C0 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 78 8B 4D ?? 83 C1 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 65 C7
+ 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 83 C0 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 43 8B 55 ?? 8B 02 50 8B
+ }
+
+ $v30_2_find_file_2 = {
+ 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 75 1C 8B 55 ?? 83 C2 ?? 89 55 ?? 8B 45 ?? 8B 48 ?? 51 8B 55 ?? 52
+ E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB 67 8B 4D ?? 83 C1 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75
+ 54 C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 83 C0 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 32 8B 55 ?? 52 E8
+ ?? ?? ?? ?? 83 C4 ?? 85 C0 75 16 8B 45 ?? 50 8B 4D ?? 51 E8 3C FE FF FF 83 C4 ?? 03 45 ?? 89 45 ?? 8B 55 ?? 52 E8 ?? ??
+ ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 0F 85 DA FE FF FF 8B 45 ?? 50 E8 ??
+ ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 83 7D ?? ?? 74 ( 2E | 30 ) 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 50 8B 45 ?? 50 E8 ?? ??
+ ?? ?? 83 C4 ?? 3D ?? ?? ?? ?? 74 ( 0E | 10 ) 6A ?? [0-2] 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 89 55 ?? 8B 45 ??
+ 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 8B E5 5D C3
+ }
+
+ $v30_3_find_file_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 7C 02 00 00 E8 ?? ?? ?? ?? 89 45
+ ?? 83 7D ?? ?? 0F 84 67 02 00 00 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? 8B 4D ?? 0F B7 54 41 ?? 83 FA ?? 74 16 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 68
+ ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ??
83 C4 ?? 89 45 ?? 83 7D ??
+ ?? 0F 84 E7 01 00 00 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 B9 01 00
+ 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 83 C1 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 91 00 00 00 8D 55
+ ?? 52 8B 45 ?? 83 C0 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 7A 8B 4D ?? 8B 11 83 E2 ?? 75 70 C7 45 ?? ?? ?? ?? ?? 8D 45
+ ?? 50 8B 4D ?? 83 C1 ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 49 8B 45 ?? 8B 48 ?? 51 8B 55 ?? 52 8B 45 ?? 8B
+ }
+
+ $v30_3_find_file_2 = {
+ 08 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 1C 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 8B 51 ?? 52 8B 45 ?? 50 E8 ??
+ ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? E9 88 00 00 00 8B 55 ?? 8B 02 83 E0 ?? 74 7E 8B 4D ?? 83 79 ?? ??
+ 74 75 8B 55 ?? 83 C2 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 62 C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 8B 4D ?? 83 C1 ?? 51 8B
+ 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 40 8B 45 ?? 50 8B 4D ?? 8B 51 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 1D 8B 45
+ ?? 50 8B 4D ?? 51 E8 15 FE FF FF 83 C4 ?? 85 C0 74 09 8B 55 ?? 83 C2 ?? 89 55 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B
+ 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 85 C0 0F 85 AC FE FF FF 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ??
+ ?? ?? ?? FF D2 8B 45 ?? 50 8B 4D ?? 8B 51 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 74 2E 8B 45 ?? 50 E8 ?? ?? ?? ?? 83
+ C4 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 3D ?? ?? ?? ?? 74 0E 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 89
+ 45 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 8B E5 5D C3
+ }
+
+ $v20_1_encrypt_file_1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 56 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 99 05 00 00 8B 45 ??
+ 83 38 ?? 74 1B 8B 4D ?? 83 79 ?? ?? 74 12 8B 55 ?? 83 7A ?? ?? 74 09 8B 45 ?? 83 78 ?? ?? 75 08 8B 45 ?? E9 6E 05 00 00
+ 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 89 45 ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ??
8B 88 ?? ?? ?? ?? FF D1 C7
+ 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ??
+ ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 F4 04 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B
+ 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 74 07 C7 45 ?? ?? ?? ?? ?? 66 0F 57 C0 66 0F 13 45 ?? 8D 45 ?? 50
+ 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 E7 03 00 00 66 0F 57 C0 66 0F 13 85 ?? ?? ?? ?? 6A ?? 6A ??
+ 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 F8 ?? 0F 84 AF 03 00 00
+ 8D 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 97 03 00 00 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 6A 03 00 00 C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52
+ E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 2C 03 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ??
+ ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 D9 02 00 00
+ }
+
+ $v20_1_encrypt_file_2 = {
+ C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 8B 48 ?? 51 8B 55 ??
+ 8B 02 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 81 02 00 00 C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 8B 42 ?? 50 8B
+ 4D ?? 8B 51 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 0F 84 41 02 00 00 8B 55 ?? 8B 45 ?? 3B 42 ??
+ 0F 85 32 02 00 00 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 0F
+ 84 0B 02 00 00 8B 45 ?? 3B 45 ?? 0F 85 FF 01 00 00 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 C7 45 ?? ?? ?? ??
+ ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 CE 01 00 00 66 0F 57 C0 66 0F 13 45 ?? C7 45 ?? ?? ??
+ ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 3B 4D ?? 75 0C 8B 55 ?? 3B 55 ??
0F 84 73 01 00 00 C7 45 ?? ??
+ ?? ?? ?? 8B 45 ?? 33 C9 8B 55 ?? 2B 55 ?? 8B 75 ?? 1B 75 ?? 89 85 ?? ?? ?? ?? 89 4D ?? 89 55 ?? 89 75 ?? 8B 45 ?? 3B 45
+ ?? 77 1A 72 0B 8B 8D ?? ?? ?? ?? 3B 4D ?? 73 0D 8B 55 ?? 33 C0 89 55 ?? 89 45 ?? EB 12 8B 4D ?? 2B 4D ?? 8B 55 ?? 1B 55
+ ?? 89 4D ?? 89 55 ?? 8B 45 ?? 89 45 ?? 8B 4D ?? 33 D2 03 4D ?? 13 55 ?? 89 8D ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ??
+ ?? ?? 3B 45 ?? 75 12 8B 8D ?? ?? ?? ?? 3B 4D ?? 75 07 C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B
+ }
+
+ $v20_1_encrypt_file_3 = {
+ 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 85 C0 0F 84 A2 00 00 00 8B 4D ?? 3B 4D ?? 0F 85 96 00 00 00 C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ??
+ ?? ?? ?? 83 C4 ?? 85 C0 74 60 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF
+ D1 85 C0 74 31 8B 55 ?? 3B 55 ?? 75 29 8B 45 ?? 33 C9 03 45 ?? 13 4D ?? 89 45 ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ??
+ 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 75 02 EB 0D 83 7D ?? ?? 74 02
+ EB 05 E9 79 FE FF FF 83 7D ?? ?? 74 17 8B 55 ?? 3B 55 ?? 75 0F 8B 45 ?? 3B 45 ?? 75 07 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 51
+ E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ??
+ ?? 8B 90 ?? ?? ?? ?? FF D2 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ??
+ ?? ?? ?? FF D0 83 7D ?? ?? 74 0C 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0
+ 83 7D ?? ?? 75 22 6A ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 85 C0 75 07 C7 45 ?? ?? ?? ?? ??
+ 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 74 60 6A ?? 6A ?? 6A ?? 6A ?? 6A ??
+ 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 74 37 8D 95 ??
?? ?? ?? 52 8D 85
+ ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90
+ ?? ?? ?? ?? FF D2 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45 ?? 5E 8B E5 5D C3
+ }
+
+ $v30_1_encrypt_file_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 02 05 00 00 8B 45 ?? 83 38 ?? 74
+ 09 8B 4D ?? 83 79 ?? ?? 75 08 8B 45 ?? E9 E9 04 00 00 C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
+ FF D0 89 45 ?? 6A ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 6F 04 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83
+ C4 ?? 85 C0 0F 85 90 03 00 00 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 83 F8 ?? 0F 84 70 03
+ 00 00 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 50 03 00 00 8D 55 ?? 52 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 38 03 00 00 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ??
+ ?? ?? 8B 90 ?? ?? ?? ?? FF D2 89 45 ?? 83 7D ?? ?? 0F 84 04 03 00 00 6A ?? 6A ?? 8B 45 ?? 8B 48 ?? 51 8B 55 ?? 52 E8 ??
+ ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 F8 ?? 0F 84 CC 02 00 00 8B 4D ?? 3B 4D ?? 73 08 8B 55 ?? 89 55 ?? EB 06 8B 45 ?? 89
+ 45 ?? 8B 4D ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 6A ?? 6A ?? 8B 45 ?? 8B 08 51 E8 ?? ?? ??
+ ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 0F 84 73 01 00 00 8B 45 ?? 8B 48 ?? 83 E9 ?? 89 4D ?? 8B 55 ?? D1 E2 89 55 ?? 8B 45 ??
+ }
+
+ $v30_1_encrypt_file_2 = {
+ 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 35 01 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 2B 4D ?? 39 4D ?? 73 08 8B 55 ?? 89 55 ?? EB 09 8B 45 ??
2B 45 ?? 89 45 ?? 8B 4D
+ ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
+ FF D0 85 C0 0F 84 94 00 00 00 8B 4D ?? 3B 4D ?? 0F 85 88 00 00 00 8B 55 ?? 3B 55 ?? 73 07 C7 45 ?? ?? ?? ?? ?? 83 7D ??
+ ?? 74 73 8B 45 ?? 89 45 ?? 8B 4D ?? 51 8D 55 ?? 52 8B 45 ?? 50 6A ?? 8B 4D ?? 51 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80
+ ?? ?? ?? ?? FF D0 85 C0 74 44 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF
+ D2 85 C0 74 21 8B 45 ?? 3B 45 ?? 75 19 8B 4D ?? 03 4D ?? 89 4D ?? 8B 55 ?? 03 55 ?? 89 55 ?? C7 45 ?? ?? ?? ?? ?? 83 7D
+ ?? ?? 74 06 83 7D ?? ?? 74 02 EB 0C 8B 45 ?? 3B 45 ?? 0F 85 FB FE FF FF 8B 4D ?? 3B 4D ?? 75 07 C7 45 ?? ?? ?? ?? ?? 8B
+ 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 83 7D ?? ?? 0F 85 02 01 00 00 C7 45
+ ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 F8 ?? 0F 84 DB 00 00 00 6A ?? 8D
+ 4D ?? 51 8B 55 ?? 8B 42 ?? 50 8B 4D ?? 8B 51 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 0F 84 AE 00
+ }
+
+ $v30_1_encrypt_file_3 = {
+ 00 00 8B 55 ?? 8B 45 ?? 3B 42 ?? 0F 85 9F 00 00 00 6A ?? 8D 4D ?? 51 6A ?? 8D 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88
+ ?? ?? ?? ?? FF D1 85 C0 74 7E 83 7D ?? ?? 75 78 8B 55 ?? 3B 55 ?? 74 1B 8B 45 ?? 8B 4D ?? 03 48 ?? 89 4D ?? 8B 55 ?? 2B
+ 55 ?? 89 55 ?? 8B 45 ?? 89 45 ?? 6A ?? 8D 4D ?? 51 6A ?? 8D 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1
+ 85 C0 74 34 83 7D ?? ?? 75 2E 6A ?? 8D 55 ?? 52 6A ?? 8D 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85
+ C0 74 0D 83 7D ?? ?? 75 07 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 EB 07 C7 45 ?? ?? ??
+ ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 7D ?? ?? 75 71 83 7D ?? ?? 75 28 83 7D ?? ?? 75 22 68 ?? ??
+ ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 07 C7 45 ?? ?? ?? ?? ?? EB 43 83 7D ?? ??
74 36 83 7D ??
+ ?? 74 30 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0
+ 74 07 C7 45 ?? ?? ?? ?? ?? EB 07 C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83
+ C4 ?? EB 07 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 8B 45 ?? 8B E5 5D C3
+ }
+
+ $v30_2_encrypt_file_1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 56 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 06 83 7D ?? ?? 75 08 8B 45 ?? E9 BF 05 00 00 8B 45 ??
+ 83 38 ?? 74 1B 8B 4D ?? 83 79 ?? ?? 74 12 8B 55 ?? 83 7A ?? ?? 74 09 8B 45 ?? 83 78 ?? ?? 75 08 8B 45 ?? E9 94 05 00 00
+ 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 89 45 ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 C7
+ 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ??
+ ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 1A 05 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B
+ 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 74 07 C7 45 ?? ?? ?? ?? ?? 66 0F 57 C0 66 0F 13 45 ?? 8D 45 ?? 50
+ 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 0D 04 00 00 66 0F 57 C0 66 0F 13 85 ?? ?? ?? ?? 6A ?? 6A ??
+ 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 83 F8 ?? 0F 84 D5 03 00 00
+ 8D 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 BD 03 00 00 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 90 03 00 00 C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52
+ E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 52 03 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ??
+ ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 FF 02 00 00
+ }
+
+ $v30_2_encrypt_file_2 = {
+ C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 8B 55 ??
52 8B 45 ?? 8B 48 ?? 51 8B 55 ??
+ 8B 02 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 A7 02 00 00 C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 8B 42 ?? 50 8B
+ 4D ?? 8B 51 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 0F 84 67 02 00 00 8B 55 ?? 8B 45 ?? 3B 42 ??
+ 0F 85 58 02 00 00 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 0F
+ 84 31 02 00 00 8B 45 ?? 3B 45 ?? 0F 85 25 02 00 00 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 C7 45 ?? ?? ?? ??
+ ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 F4 01 00 00 66 0F 57 C0 66 0F 13 45 ?? C7 45 ?? ?? ??
+ ?? ?? 66 0F 57 C0 66 0F 13 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 3B 4D ?? 75 0C 8B 55 ?? 3B 55 ?? 0F
+ 84 90 01 00 00 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 33 C9 8B 55 ?? 2B 55 ?? 8B 75 ?? 1B 75 ?? 89 85 ?? ?? ?? ?? 89 8D ?? ?? ??
+ ?? 89 95 ?? ?? ?? ?? 89 75 ?? 8B 85 ?? ?? ?? ?? 3B 45 ?? 77 1D 72 0E 8B 8D ?? ?? ?? ?? 3B 8D ?? ?? ?? ?? 73 0D 8B 55 ??
+ 33 C0 89 55 ?? 89 45 ?? EB 12 8B 4D ?? 2B 4D ?? 8B 55 ?? 1B 55 ?? 89 4D ?? 89 55 ?? 8B 45 ?? 89 45 ?? 8B 4D ?? 33 D2 03
+ 4D ?? 13 55 ?? 89 8D ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 45 ?? 75 12 8B 8D ?? ?? ?? ?? 3B 4D ?? 75 07 C7
+ 45 ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 85 C0 0F
+ 84 B3 00 00 00 8B 4D ?? 3B 4D ?? 0F 85 A7 00 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8B
+ }
+
+ $v30_2_encrypt_file_3 = {
+ 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 71 6A ?? 8D 45 ?? 50 8B 4D ??
+ 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 74 42 8B 55 ?? 3B 55 ?? 75 3A 8B 45 ?? 33 C9 03
+ 45 ?? 13 4D ?? 89 45 ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 33 C0 03 55 ?? 13 45 ?? 89 55 ?? 89 45 ?? 8B 4D ?? 51 E8
+ ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ??
75 02 EB 0D 83 7D ?? ?? 74 02 EB 05
+ E9 5C FE FF FF 83 7D ?? ?? 74 17 8B 4D ?? 3B 4D ?? 75 0F 8B 55 ?? 3B 55 ?? 75 07 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 E8 ??
+ ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B
+ 88 ?? ?? ?? ?? FF D1 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ??
+ ?? FF D2 83 7D ?? ?? 74 0C 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 83 7D
+ ?? ?? 75 22 6A ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 75 07 C7 45 ?? ?? ?? ?? ?? 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 74 60 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ??
+ ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 74 37 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ??
+ ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ??
+ ?? ?? FF D1 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 8B 45 ?? 5E 8B E5 5D C3
+ }
+
+ $v30_3_encrypt_file_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 75 08 8B 45 ?? E9 48 04 00 00 83 7D ?? ?? 75 08 8B 45 ?? E9 3A 04 00
+ 00 8B 45 ?? 83 78 ?? ?? 74 11 8B 4D ?? 83 39 ?? 74 09 8B 55 ?? 83 7A ?? ?? 75 08 8B 45 ?? E9 18 04 00 00 C7 45 ?? ?? ??
+ ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 6A ?? 8B 55
+ ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B
+ 90 ?? ?? ?? ?? FF D2 89 45 ?? 83 7D ?? ?? 0F 84 90 03 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84
+ 83 00 00 00 8B 45 ?? 8B 48 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 74 6B 6A ?? 8D 55 ?? 52 8B 45 ?? 8B 48 ??
+ 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 74 39 8B 55 ?? 3B 15 ?? ?? ?? ??
75 2E 8B 45 ??
+ 8B 48 ?? 51 8B 55 ?? 8B 42 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 50 ?? FF D2 85 C0 75 0E C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 0F 84 9A 02 00 00 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 E8 ?? ?? ?? ??
+ 8B 90 ?? ?? ?? ?? FF D2 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 89 45 ?? 83 7D ?? ?? 0F 84 63 02 00 00
+ 8B 55 ?? 3B 55 ?? 0F 87 57 02 00 00 8D 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 3F 02 00 00 6A ?? 6A
+ }
+
+ $v30_3_encrypt_file_2 = {
+ 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 0B 02 00
+ 00 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 81 E1 ?? ?? ?? ?? 74 1C 6A ?? 6A ?? 8B 15 ?? ?? ?? ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B
+ 88 ?? ?? ?? ?? FF D1 C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
+ FF D0 85 C0 0F 84 52 01 00 00 C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 51 6A ?? 6A ?? 8B 55 ?? 8B 02 50 8B 4D ?? 8B 51 ?? 52 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 0F 84 0A 01 00 00 8B 55 ?? 8B 42 ?? 83 E8 ?? 89 45 ?? 8B 4D ?? D1 E1
+ 89 4D ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 CC 00 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ??
+ ?? ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 85 C0 74 76 8B 55 ??
+ 3B 55 ?? 73 07 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 5F 8B 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 6A ?? 8B 45 ?? 50 6A ?? 8B 4D
+ ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 85 C0 74 21 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ??
+ ?? ?? 8B 88 ?? ?? ?? ?? FF D1 EB 15 83 7D ?? ?? 74 0D 83 7D ?? ?? 74 07 C7 45 ?? ?? ?? ?? ?? EB 0E EB 02 EB 0A 83 7D ??
+ ?? 0F 84 54 FF FF FF 83 7D ?? ?? 74 07 C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 ?? ?? ??
+ }
+
+ $v30_3_encrypt_file_3 = {
+ ?? 8B 88 ?? ?? ?? ?? FF D1 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
FF D0 83 7D ?? ?? 75 47 8B 4D ?? 81 E1 ??
+ ?? ?? ?? 74 3C 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0 6A ?? 8D 4D ?? 51 8B 55 ?? 8B 42 ??
+ 50 8B 4D ?? 8B 51 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 88 ?? ?? ?? ?? FF D1 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ??
+ FF D0 EB 07 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 90 ?? ?? ?? ?? FF D2 83 7D ?? ?? 75 20 68 ?? ?? ?? ?? 8B
+ 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 07 C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB 07 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? FF D0
+ 8B 45 ?? 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and ((($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and
+ $v30_1_find_file_1 and $v30_1_find_file_2 and $v30_1_encrypt_file_1 and $v30_1_encrypt_file_2 and $v30_1_encrypt_file_3) or
+ (($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and
+ $v30_2_find_file_1 and $v30_2_find_file_2 and $v30_2_encrypt_file_1 and $v30_2_encrypt_file_2 and $v30_2_encrypt_file_3) or
+ (($v20_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and
+ $v30_2_find_file_1 and $v30_2_find_file_2 and $v20_1_encrypt_file_1 and $v20_1_encrypt_file_2 and $v20_1_encrypt_file_3) or
+ (($v30_entrypoint at pe.entry_point) and $v30_api_load and $v30_calculate_hash and $v30_dll_load and
+ $v30_3_find_file_1 and $v30_3_find_file_2 and $v30_3_encrypt_file_1 and $v30_3_encrypt_file_2 and $v30_3_encrypt_file_3))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Crysis.yara b/yara/ransomware/Win32.Ransomware.Crysis.yara
new file mode 100644
index 0000000..dc816ae
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Crysis.yara
@@ -0,0 +1,108 @@
+rule Win32_Ransomware_Crysis : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "CRYSIS"
+ description = "Yara rule that detects Crysis ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Crysis"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection_1 = {
+ 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 6A ??
+ 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 6A ?? 6A ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B9
+ ?? ?? ?? ?? 66 89 4D ?? 6A ?? FF 15 ?? ?? ?? ?? 66 89 45 ?? 8B 55 ?? 52 FF 15 ?? ??
+ ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 45 ??
+ ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 8B 51 ?? 8B 45 ?? 83 3C 82 ??
+ 74 ?? 8B 4D ?? 0F BF 51 ?? 52 8B 45 ?? 8B 48 ?? 8B 55 ?? 8B 04 91 50 8D 4D ?? 51 E8
+ ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A
+ ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 50 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 6A ??
+ 6A ?? 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? C7 45
+ ?? ?? ?? ?? ?? EB ?? E9 ?? ?? ?? ?? 8B 45 ?? 8B E5 5D C3
+ }
+
+ $enumerate_files = {
+ 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 33 DB 81 7D ?? ?? ?? ?? ?? 56 57 89 5C 24 ??
+ 0F 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 7D ??
+ 57 8B F0 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 6A ??
+ 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 8E ?? ?? ?? ?? 8D 44 24 ?? 50 56
+ FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 5D ?? 8D 4C 24 ?? 51 68
+ ?? ?? ?? ?? 57 6A ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 7E ?? F6 44 24
+ ?? ?? 74 ?? 66 83 7C 24 ?? ?? 74 ?? 53 8D 54 24 ?? 52 8B D6 8B CF FF 55 ?? 85 C0 7E
+ ?? 8B 45 ?? 8B 4D ?? 40 50 53 51 56 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 53 8D 54 24 ??
52
+ 8B D6 8B CF FF 55 ?? 85 C0 7E ?? FF 44 24 ?? 8B 4C 24 ?? 8D 44 24 ?? 50 51 FF 15 ??
+ ?? ?? ?? 85 C0 7F ?? 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8B 5C 24 ?? 56 6A ?? FF 15 ??
+ ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 5F 5E 8B C3 5B 8B E5 5D C3
+ }
+
+ $enumerate_resources = {
+ FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ??
+ 8D 55 ?? 52 8B 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ??
+ ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 3B 4D ?? 0F 83
+ ?? ?? ?? ?? 8B 55 ?? C1 E2 ?? 8B 45 ?? 83 7C 10 ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? ??
+ ?? ?? 8B 55 ?? C1 E2 ?? 8B 4D ?? 8B 75 ?? 8B 54 16 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B
+ 45 ?? 50 8B 4D ?? 51 8B 55 ?? C1 E2 ?? 8B 45 ?? 8B 4C 10 ?? 51 E8 ?? ?? ?? ?? 83 C4
+ ?? 8B 55 ?? C1 E2 ?? 8B 45 ?? 8B 4C 10 ?? 83 E1 ?? 74 ?? 8B 55 ?? 52 8B 45 ?? 50 8B
+ 4D ?? 51 8B 55 ?? C1 E2 ?? 03 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? C7 45
+ ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8D
+ 4D ?? 51 8B 55 ?? 52 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7
+ 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 8B 4D ?? 51 8D 55 ?? 52 8B 45 ??
+ 50 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 4D ?? 83
+ C1 ?? 89 4D ?? 8B 55 ?? 3B 55 ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? C1 E0 ?? 8B 4D ?? 83 7C
+ 01 ?? ?? 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 55 ?? C1 E2 ?? 8B 4D ?? 8B 75 ?? 8B
+ 54 16 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? C1 E2 ?? 8B 45
+ ?? 8B 4C 10 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C1 E2 ?? 8B 45 ?? 8B 4C 10 ?? 83
+ E1 ?? 74 ?? 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? C1 E2 ?? 03 55 ?? 52 E8 ??
+ ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ??
+ ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 5E 8B E5 5D C3
+ }
+
+ $encrypt_files = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 53 8B D8 33 C0 56 89 45 ?? 89 45 ?? 89 45 ?? 89 45 ?? 8B
+ 45 ?? 6A ??
50 8D 4D ?? 51 8D 77 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B
+ D3 83 E2 ?? 2B DA 83 EB ?? 83 C4 ?? 89 5D ?? 8B 1D ?? ?? ?? ?? 50 FF D3 89 45 ?? 83
+ F8 ?? 0F 84 ?? ?? ?? ?? 8B 4D ?? 51 FF D3 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 81 C2
+ ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 8B 45 ?? A8 ?? 74 ?? 83 E0 ?? 50 8B
+ 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 51
+ FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 33 C0
+ 33 C9 51 50 53 89 45 ?? 89 45 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ??
+ ?? 75 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 33 C9 51 8D 55 ?? 52 33 C0 50 51 53 FF 15 ??
+ ?? ?? ?? 8B 45 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ??
+ 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 8B 55 ?? 8B 45 ?? 6A ?? 8D 4D ?? 51 52 57 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ??
+ ?? 8B 4D ?? 85 C9 74 ?? 8B 45 ?? 85 C0 75 ?? 3B 4D ?? 73 ?? 8B D1 83 E2 ?? B8 ?? ??
+ ?? ?? 2B C2 89 45 ?? 57 03 C1 8D 8D ?? ?? ?? ?? 57 51 E8 ?? ?? ?? ?? 8B 4D ?? 03 4D
+ ?? 83 C4 ?? 6A ?? 8D 55 ?? 52 51 57 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B
+ 45 ?? 03 45 ?? 39 45 ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 6A ?? 8D 4D ?? 51 52 57
+ 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? E9 ?? ?? ?? ?? 6A ?? 6A ?? 57 E8 ?? ?? ?? ?? 8B 45
+ ?? 83 C4 ?? C7 47 ?? ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 85 C0 74 ?? 8B 4D ?? 51 50 56
+ C7 47 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 03 F0 01 45 ?? 8B 55 ?? 6A ??
+ 52 56 E8 ?? ?? ?? ?? 8B 45 ?? 6A ?? 50 83 C6 ?? 56 E8 ?? ?? ?? ?? 6A ?? 8D 4D ?? 51
+ 83 C6 ?? 56 E8 ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 83 C6 ?? 56 E8 ?? ?? ?? ?? 8B 45 ?? 68
+ ?? ?? ?? ?? 50 83 C6 ?? 56 E8 ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 83 EE ?? 56 E8 ?? ?? ??
+ ?? 83 C4 ?? 6A ?? 8D 55 ?? 52 83 C6 ?? 2B F7 56 57 53 FF 15 ?? ?? ?? ?? 85 C0 74 ??
+ 39 75 ?? 75 ?? 53 FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 83 7D
+ ?? ?? 7E ?? 8B 75 ??
33 C9 51 8D 55 ?? 52 33 C0 50 51 56 FF 15 ?? ?? ?? ?? 56 FF 15
+ ?? ?? ?? ?? 8B 5D ?? 53 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 7E ?? 8B 45 ?? 8B 4D ?? 50 51
+ FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A
+ ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 5E 5B 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enumerate_resources and
+ $enumerate_files and
+ $encrypt_files and
+ $remote_connection_1
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Cuba.yara b/yara/ransomware/Win32.Ransomware.Cuba.yara
new file mode 100644
index 0000000..12ff6f3
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Cuba.yara
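Review bot: The meta block of Win32_Ransomware_Crysis carries author, status, sharing and description but no date, version or reference to the samples the byte patterns were cut from, so there is nothing to tell a maintainer which build generation these opcode sequences describe or when they should be re-validated; the same gap is in the Cuba and DMALocker rules that follow. Adding a `date = "<release date>"` (and, where the policy allows it, a `reference`/`hash` entry pointing at the originating sample) to each meta block would make the rules auditable. Also, the only string with a numbered suffix is `$remote_connection_1`, which suggests a companion `$remote_connection_2` was dropped or the suffix is vestigial; either drop the suffix or document why it is alone.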
@@ -0,0 +1,126 @@
+rule Win32_Ransomware_Cuba : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "CUBA"
+ description = "Yara rule that detects Cuba ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Cuba"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files_p1 = {
+ 51 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8B D7 8D 4D ?? E8 ??
+ ?? ?? ?? 83 C4 ?? C6 45 ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 4D ?? E8 ??
+ ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 72 ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ??
+ 0F B7 00 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ??
+ 0F B7 40 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45
+ ?? 0F B7 40 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? 83 7D ?? ?? 8D 45 ?? 0F 43
+ 45 ?? 0F B7 40 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? B0 ?? EB ?? 32 C0 84 C0
+ 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D3 C6
+ 45 ?? ?? 8B C8 E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 55 ?? 83 FA ?? 0F 82 ?? ?? ?? ?? 8B 4D
+ ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0
+ ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D 55 ??
+ 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 75 ?? 8B 5D ?? 83 FB ?? 8B 7D ?? 8B 45 ?? 0F
+ 43 F7 83 F8 ?? 75 ?? B9 ?? ?? ?? ?? 8B D0 2B F1 66 8B 04 0E 66 3B 01 75 ?? 83 C1 ??
+ 83 EA ?? 75 ?? E9 ?? ?? ?? ?? 8B 45 ?? 83 FB ?? 8D 75 ?? 0F 43 F7 83 F8 ?? 75 ?? B9
+ ?? ?? ?? ?? 8B D0 2B F1 66 8B 04 0E 66 3B 01 75 ?? 83 C1 ?? 83 EA ?? 75 ?? E9 ?? ??
+ ?? ?? 8B 45 ?? 83 FB ?? 8D 75 ?? 0F 43 F7 83 F8 ?? 75 ?? B9 ?? ?? ?? ?? 8B D0 2B F1
+ }
+
+ $find_files_p2 = {
+ 66 8B 04 0E 66 3B 01 75 ?? 83 C1 ?? 83 EA ?? 75 ?? E9 ?? ?? ?? ?? 8B 45 ?? 83 FB ??
+ 8D 75 ?? 0F 43 F7 83 F8 ?? 75 ?? B9 ?? ?? ?? ?? 8B D0 2B F1 66 8B 04 0E 66 3B 01 75
+ ??
83 C1 ?? 83 EA ?? 75 ?? E9 ?? ?? ?? ?? 8B 45 ?? 83 FB ?? 8D 75 ?? 0F 43 F7 83 F8
+ ?? 75 ?? B9 ?? ?? ?? ?? 8B D0 2B F1 66 8B 04 0E 66 3B 01 75 ?? 83 C1 ?? 83 EA ?? 75
+ ?? EB ?? 83 7D ?? ?? 75 ?? 8B 55 ?? 8D 45 ?? 8B 4D ?? 83 FA ?? 0F 43 C1 66 83 38 ??
+ 75 ?? 83 FA ?? 8D 45 ?? 0F 43 C1 66 83 78 ?? ?? 75 ?? 83 FA ?? 8D 45 ?? 0F 43 C1 66
+ 83 78 ?? ?? 75 ?? 83 FA ?? 8D 45 ?? 0F 43 C1 66 83 78 ?? ?? 74 ?? 8B 8D ?? ?? ?? ??
+ 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D ?? 8B 7D ?? C6 45 ?? ?? 83 FB ?? 72 ?? 8D 0C 5D ??
+ ?? ?? ?? 8B C7 81 F9 ?? ?? ?? ?? 72 ?? 8B 7F ?? 83 C1 ?? 2B C7 83 C0 ?? 83 F8 ?? 0F
+ 87 ?? ?? ?? ?? 51 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B BD ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B
+ 9D ?? ?? ?? ?? C6 45 ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B
+ C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ??
+ ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 88 45 ?? 8B 55 ?? C7 45
+ ?? ?? ?? ?? ?? 66 89 45 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA
+ ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ??
+ ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15
+ }
+
+ $enum_resources = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89
+ 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B DA 89 5D ?? 8D 45 ?? C7 45 ?? ?? ??
+ ?? ?? 50 51 6A ?? 6A ?? 6A ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 32
+ C0 E9 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 89 75 ?? 85 F6 74 ?? 66 90
+ FF 75 ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 56 8D 45 ?? 50 FF 75 ?? FF 15
+ ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 FF 39 7D ?? 76 ?? 83 C6 ?? 83 7E ?? ?? 0F 85
+ ?? ?? ?? ?? 83 3E ?? 0F 85 ?? ?? ?? ?? 8B 56 ?? 33 C0 66 89 45 ?? 8B C2 C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 58 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C3 8D 4D
+ ?? D1 F8 50 52 E8 ?? ?? ?? ?? 8B 5D ?? 8D 45 ?? 50 8B CB C7 45 ?? ?? ?? ?? ?? E8 ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ??
83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ??
+ 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51
+ E8 ?? ?? ?? ?? 83 C4 ?? F7 46 ?? ?? ?? ?? ?? 74 ?? 8D 4E ?? 8B D3 E8 ?? ?? ?? ?? 47
+ 83 C6 ?? 3B 7D ?? 0F 82 ?? ?? ?? ?? 8B 75 ?? E9 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF
+ 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 94 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B
+ 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $encrypt_files_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89
+ 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 8B 7D ?? 0F 57 C0 66 0F 13 45 ??
+ C7 45 ?? ?? ?? ?? ?? 8B C7 83 7F ?? ?? 72 ?? 8B 07 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ??
+ 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? 83 FB ?? 75 ?? FF 15 ?? ??
+ ?? ?? 32 DB E9 ?? ?? ?? ?? 8D 8E ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74
+ ?? 8D 8E ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 8E ?? ?? ?? ?? 6A ?? 8D
+ 41 ?? 50 6A ?? 8D 56 ?? 51 52 89 55 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 53 FF 15
+ ?? ?? ?? ?? 8B 4D ?? 8B 45 ?? 85 C9 7F ?? 7C ?? 3D ?? ?? ?? ?? 77 ?? 8D 45 ?? 8B CE
+ 50 E8 ?? ?? ?? ?? EB ?? 85 C9 7F ?? 7C ?? 3D ?? ?? ?? ?? 77 ?? 6A ?? EB ?? 6A ?? 8D
+ 45 ?? 8B CE 50 E8 ?? ?? ?? ?? 8B 75 ?? 8A D8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 83
+ CE ?? 89 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D7 8D 4D ?? E8 ?? ?? ?? ??
+ 83 C4 ?? 8D 45 ?? 83 7D ?? ?? 0F 43 45 ?? 83 7F ?? ?? 72 ?? 8B 3F 50 57 FF 15 ?? ??
+ ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ??
+ 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ??
+ 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? 83 FE ?? 74 ?? 56 FF 15
+ ?? ?? ?? ?? 8A C3 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ??
+ ?? ?? 8B E5 5D C2 ?? ?? E8 ?? ?? ?? ?? CC CC CC 55 8B EC 83 E4 ?? 81 EC
+ }
+
+ $encrypt_files_p2 = {
+ A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 8B 5D ??
56 57 8B F9 89 5C 24 ?? 6A ??
+ 8D 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 51 8B 17 8B 47 ?? 2B C2 50 52 FF 33 FF 15 ?? ??
+ ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 89 43 ?? 32 C0 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33
+ CC E8 ?? ?? ?? ?? 8B E5 5D C2 ?? ?? 8B 44 24 ?? 8B 57 ?? 8B 0F 89 44 24 ?? 89 54 24
+ ?? 89 4C 24 ?? 85 C0 7E ?? 8B D8 8B 47 ?? 8B F3 2B 47 ?? 3B D8 52 0F 43 F0 8D 47 ??
+ 56 51 50 E8 ?? ?? ?? ?? 56 FF 74 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 2B DE
+ 8B 54 24 ?? 03 CE 83 C4 ?? 89 4C 24 ?? 85 DB 7F ?? 8B 5C 24 ?? 6A ?? 6A ?? 0F 57 C0
+ 66 0F 13 44 24 ?? FF 74 24 ?? FF 74 24 ?? FF 33 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ??
+ 85 C0 75 ?? FF D6 89 43 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? A1 ??
+ ?? ?? ?? 8D 4C 24 ?? 89 44 24 ?? 83 C4 ?? A1 ?? ?? ?? ?? 89 44 24 ?? A1 ?? ?? ?? ??
+ 89 44 24 ?? 8D 87 ?? ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 83 4C 24 ?? ?? 8D 44 24 ?? 6A ?? 50 68 ?? ?? ?? ?? 8D 44 24 ?? C7 44 24
+ ?? ?? ?? ?? ?? 50 FF 33 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF D6 89 43 ?? 6A ?? 8D 44 24
+ ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 74 24 ?? FF 37 FF 33 FF 15 ?? ?? ?? ?? 85 C0 75 ??
+ FF D6 89 43 ?? 32 C0 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C2
+ ?? ?? 8B 8C 24 ?? ?? ?? ?? B0 ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_resources
+ ) and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.DMALocker.yara b/yara/ransomware/Win32.Ransomware.DMALocker.yara
new file mode 100644
index 0000000..99bef3d
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.DMALocker.yara
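Review bot: `$encrypt_files_p1` runs past the function it describes: its tail `8B E5 5D C2 ?? ?? E8 ?? ?? ?? ?? CC CC CC 55 8B EC 83 E4 ?? 81 EC` is the epilogue and `ret imm16`, then what looks like unrelated code, `int3` alignment padding and the prologue of the next function, with `$encrypt_files_p2` picking up at the `A1 ?? ?? ?? ?? 33 C4` cookie load inside that second function. Because the condition demands `all of ($encrypt_files_p*)`, the match now depends on the linker placing these two functions adjacently with exactly three padding bytes, which a rebuild or different link order would break without any change to the encryption code itself. Consider ending `$encrypt_files_p1` at `8B E5 5D C2 ?? ??` and starting `$encrypt_files_p2` at `55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4`, so each pattern is anchored inside one function; a short comment above the pair saying the two halves come from separate routines would also help the next maintainer.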
@@ -0,0 +1,149 @@
+rule Win32_Ransomware_DMALocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "DMALOCKER"
+ description = "Yara rule that detects DMALocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "DMALocker"
+ tc_detection_factor = 5
+
+ strings:
+
+ $dmalock_v1_encrypt_files_1 = {
+ 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ??
+ ?? ?? A3 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83
+ F8 ?? 75 ?? 32 C0 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8A 9D ?? ?? ??
+ ?? 33 C0 84 DB 74 ?? EB ?? 8D [2-5] 8A 90 ?? ?? ?? ?? 84 D2 74 ?? 8A 8C 05
+ ?? ?? ?? ?? 3A CA 74 ?? 80 F1 ?? 3A CA 75 ?? 40 80 BC 05 ?? ?? ?? ?? ?? 75 ?? 8A 8C
+ 05 ?? ?? ?? ?? 3A 88 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 33 C0 84 DB 74 ?? 8A 90 ?? ?? ??
+ ?? 84 D2 74 ?? 8A 8C 05 ?? ?? ?? ?? 3A CA
+ }
+
+ $dmalock_v1_encrypt_files_2 = {
+ EB ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B BD ?? ?? ?? ??
+ 8D 95 ?? ?? ?? ?? 52 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? ?? ??
+ ?? 8B 4D ?? 5F 5E 33 CD B0 ?? 5B E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $dmalock_v1_encrypt_files_3 = {
+ 74 ?? 80 F1 ?? 3A CA 75 ?? 40 80 BC 05 ?? ?? ?? ?? ?? 75 ?? 8A 8C 05 ?? ?? ?? ?? 3A
+ 88 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 56 8D 95 ?? ?? ?? ?? 68 ?? ??
+ ?? ?? 52 E8 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 83 C4 ?? A8 ?? 74 ?? A8 ?? 0F 85 ?? ?? ??
+ ?? 8D 85 ?? ?? ?? ?? 50 56 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 55
+ ?? 8B 85 ?? ?? ?? ?? 52 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4
+ }
+
+ $dmalock_v1_enum_shares_and_discs_type_1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 68 ?? ??
+ ?? ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ??
8B ?? 83 C4 ?? 89 ?? ?? ?? ?? ?? C6 85 ??
+ ?? ?? ?? ?? 85 ?? 0F 84 ?? ?? ?? ?? ?? 32 DB E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? ??
+ 8B F8 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 ?? 6A ?? 89 45 ?? 66 89 45 ?? 88 45 ?? 8D 45 ??
+ 6A ?? 50 88 5D ?? E8 ?? ?? ?? ?? 6A ?? 8D 4D ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83
+ C4 ?? 85 C0 75 ?? B3 ?? 6A ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 DB 74 ?? ?? E8 ?? ??
+ ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 32 C0 5F 5E 5B 8B 4D ?? 33 CD
+ E8 ?? ?? ?? ?? 8B E5 5D C3 8D 95 ?? ?? ?? ?? 52 ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ??
+ ?? ?? ?? 83 C4 ?? 83 BD ?? ?? ?? ?? ?? 77 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 72 ?? C6
+ 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ??
+ 8B 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 51 52 68
+ }
+
+ $dmalock_v1_enum_shares_and_discs_type_2 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 8B 5D ?? 56 57
+ 8D 8D ?? ?? ?? ?? 51 50 6A ?? 6A ?? 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ??
+ ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83
+ C4 ?? 33 C0 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 ?? ?? 8B 95 ?? ?? ??
+ ?? 52 6A ?? FF 15 ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 85 FF 75 ?? 50 68 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 ??
+ ?? 8D A4 24 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 6A ?? 57 E8 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 57 8D 95 ?? ?? ?? ?? 52 50 FF 15 ?? ?? ?? ?? 85 C0
+ 0F 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 39 85 ?? ?? ?? ?? 76 ?? 8D 77 ?? EB ?? 8D A4 24
+ ?? ?? ?? ?? 83 7E ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 51
+ C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0E 8B C1 83 C4 ?? 8D 78 ?? 8B FF 8A 10 40 84
+ D2 75 ?? 2B C7 50 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8B 06 83 C4 ?? 8D 50 ?? 90
+ 8A 08 40 84 C9 75 ?? 2B C2 6A ?? 8D 84 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ??
+ ?? 8B 4D ?? 83 C4 ?? 51 8D 95 ?? ?? ?? ??
53 52 E8 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 83
+ C4 ?? 8B 46 ?? 83 E0 ?? 3C ?? 75 ?? 8B 4D ?? 51 53 8D 56 ?? 52 E8 ?? ?? ?? ?? 85 C0
+ 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 40 83 C6 ?? 89 85 ??
+ ?? ?? ?? 3B 85 ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? E9 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 50
+ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF
+ 15 ?? ?? ?? ?? 8B 4D ?? F7 D8 5F 1B C0 5E 33 CD 40 5B E8 ?? ?? ?? ?? 8B E5 5D C2
+ }
+
+ $dmalock_v1_enum_shares_and_discs_type_3 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 68 ?? ??
+ ?? ?? 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? A3 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ??
+ 8D 8D ?? ?? ?? ?? 6A ?? 51 8B D8 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? A3 ?? ?? ?? ?? BF ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ??
+ ?? ?? ?? F7 C3 ?? ?? ?? ?? 76 ?? 57 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ??
+ ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B F0 56 68
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 FE ?? 74 ?? 83 FE ?? 74 ?? 83 FE ?? 75 ?? 8B
+ 55 ?? 8B 85 ?? ?? ?? ?? 52 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 47 D1 EB
+ FF 8D ?? ?? ?? ?? 75 ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $dmalock_v2_enum_logical_disks = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 33 DB 68 ?? ?? ?? ?? 8D
+ 85 ?? ?? ?? ?? 53 50 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F BE 4D ?? 51 8D 95 ?? ?? ??
+ ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 88 9D ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ??
+ ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ??
+ 85 C0 75 ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ??
+ B0 ?? 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 4D ?? 8A C3 33 CD 5B E8 ?? ??
+ ?? ??
8B E5 5D C3
+ }
+
+ $dmalock_v4_remote_server_communication = {
+ 85 FF 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 FB ?? 0F
+ 87 ?? ?? ?? ?? FF 24 9D ?? ?? ?? ?? 8B 46 ?? 50 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83
+ C4 ?? B0 ?? C3 8B 4E ?? 8B 56 ?? 51 52 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0
+ ?? C3 8B 46 ?? 8B 4E ?? 50 51 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? C3 8B
+ 56 ?? 8B 46 ?? 52 50 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? C3 8B 4E ?? 8B
+ 56 ?? 51 52 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? C3 8B 46 ?? 8B 4E ?? 8B
+ 56 ?? 50 51 52 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? C3 8B 46 ?? 8B 4E ??
+ 50 51 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? C3 32 C0 C3
+ }
+
+ $dmalock_v4_encrypt_file_1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 68 ?? ??
+ ?? ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 0F 84 ?? ?? ?? ?? 56
+ 32 DB E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 56 8B F8 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 56
+ 6A ?? 89 45 ?? 89 45 ?? 66 89 45 ?? 8D 45 ?? 6A ?? 50 88 5D ?? E8 ?? ?? ?? ?? 6A ??
+ 8D 4D ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B3 ?? 6A ?? 57 56 E8
+ ?? ?? ?? ?? 83 C4 ?? 84 DB 74 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5F 5E 5B 8B 4D ??
+ 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $dmalock_v4_encrypt_file_2 = {
+ 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85
+ ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 89 B5 ?? ?? ??
+ ?? 85 F6 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B
+ D8 6A ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ??
+ ?? 0F 85 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 89 B5 ?? ?? ?? ?? 85 F6 74
+ ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 46 ?? 85 C0 74 ?? 8B 75 ?? B9 ?? ?? ??
+ ?? 8B F8 F3 A5 66 A5 8B B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 46
+ ?? EB ?? 33 F6 68 ?? ?? ?? ??
6A ?? 6A ?? 6A ?? 8D 7E ?? 57 89 35 ?? ?? ?? ?? FF 15
+ ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8B C6 E8 ?? ?? ?? ?? 84 C0 74 ?? 8B 4E ?? 8B 17 56 6A
+ ?? 6A ?? 68 ?? ?? ?? ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 74 ?? C6 46 ?? ?? 8B B5 ?? ??
+ ?? ?? 8D 85 ?? ?? ?? ?? 50 53 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 56 6A ?? 6A ?? 68
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 56 52 6A ?? 53 E8 ?? ?? ?? ?? 8B 45 ??
+ 8B 8D ?? ?? ?? ?? 56 50 6A ?? 51 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 5F 5E 33
+ CD B8 ?? ?? ?? ?? 5B E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1) or
+ ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_2) or
+ ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_3) or
+ ($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1 and $dmalock_v2_enum_logical_disks) or
+ ($dmalock_v4_encrypt_file_1 and $dmalock_v4_encrypt_file_2 and $dmalock_v4_remote_server_communication and $dmalock_v2_enum_logical_disks)
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.DMR.yara b/yara/ransomware/Win32.Ransomware.DMR.yara
new file mode 100644
index 0000000..717bded
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.DMR.yara
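Review bot: The MZ check in the Win32_Ransomware_DMALocker condition only guards the first of the five alternatives: `and` binds tighter than `or` in YARA, so `uint16(0) == 0x5A4D and (A) or (B) or (C) or (D) or (E)` parses as `(MZ and A) or B or C or D or E`, and the v1 type_2/type_3, v2 and v4 branches will fire on any file whose bytes happen to contain those sequences, with no PE header requirement. The Crysis and Cuba rules in the preceding hunks already wrap their disjunction in parentheses; do the same here by changing the first condition line to `uint16(0) == 0x5A4D and (($dmalock_v1_encrypt_files_1 and $dmalock_v1_encrypt_files_2 and $dmalock_v1_encrypt_files_3 and $dmalock_v1_enum_shares_and_discs_type_1) or` and closing it on the last line with `... $dmalock_v4_remote_server_communication and $dmalock_v2_enum_logical_disks))`. A one-line comment above the condition noting that the outer parentheses are deliberate would keep the next edit from reintroducing the precedence slip.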
@@ -0,0 +1,214 @@ +rule Win32_Ransomware_DMR : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DMR" + description = "Yara rule that detects DMR ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DMR" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 8B 55 ?? 53 + 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 74 ?? + 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 ?? ?? ?? ?? 8A 01 88 85 ?? ?? ?? + ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? + ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 8A C3 75 ?? B0 ?? 2B + CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D ?? ?? ?? ?? 56 1B C0 89 9D ?? ?? ?? ?? + 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? F7 D8 + 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 + ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 ?? 8A 48 ?? 84 C9 74 + } + + $find_files_p2 = { + 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? + ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? + ?? ?? ?? 
2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? + 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 59 8B D8 56 FF 15 ?? ?? ?? + ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B C3 8B 4D ?? + 5F 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 89 B5 ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 8D 45 ?? 83 7D ?? ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8D 55 ?? FF B5 ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 8B 55 ?? 88 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA + ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 + E8 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 83 C4 ?? 84 C0 0F 84 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? + ?? 8D 55 ?? FF B5 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 45 ?? + 83 7D ?? ?? 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 83 E0 ?? 8D 4D ?? 83 7D ?? ?? 50 0F 43 + } + + $encrypt_files_p2 = { + 4D ?? 51 FF 15 ?? ?? ?? ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 8D 8D + ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? + ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D BE ?? + ?? ?? ?? C6 45 ?? ?? 83 7F ?? ?? 8B C7 89 BD ?? ?? ?? ?? 72 ?? 8B 07 83 7F ?? ?? 75 + ?? 0F B6 00 3C ?? 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 75 ?? C7 86 ?? ?? ?? ?? ?? + ?? ?? ?? B8 ?? ?? ?? ?? EB ?? 8B 86 ?? ?? ?? ?? 6A ?? 50 8D 4D ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 8B 86 ?? ?? + ?? ?? 83 7D ?? ?? 
99 0F 43 4D ?? 52 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 8B 55 ?? 3B CA 77 ?? 83 7D ?? ?? 8D 45 ?? 89 4D ?? 0F 43 45 ?? C6 04 01 ?? + EB ?? 8B 45 ?? 8B F9 2B FA 2B C2 3B F8 77 ?? 83 7D ?? ?? 8D 75 ?? 57 0F 43 75 ?? 03 + } + + $encrypt_files_p3 = { + F2 89 4D ?? 6A ?? 56 E8 ?? ?? ?? ?? C6 04 3E ?? 83 C4 ?? 8B B5 ?? ?? ?? ?? EB ?? 6A + ?? 57 C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B BD ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 6A ?? 8B 40 ?? 03 C8 33 C0 39 41 ?? 0F 94 C0 8D 04 85 ?? ?? ?? ?? 0B 41 ?? 50 E8 + ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? + 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 50 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 8B 01 FF 50 ?? 8D + 85 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? C6 45 ?? ?? 8B 8D ?? ?? ?? ?? 85 C9 74 ?? 8B 01 8B 40 ?? FF D0 85 C0 74 ?? 8B + 08 6A ?? 8B 11 8B C8 FF D2 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 33 D2 8B 40 ?? 03 C8 + B8 ?? ?? ?? ?? 39 51 ?? 0F 45 C2 EB ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? + 03 C8 33 C0 39 41 ?? 0F 94 C0 8D 04 85 ?? ?? ?? ?? 0B 41 ?? 6A ?? 50 E8 ?? ?? ?? ?? + 81 C6 ?? ?? ?? ?? 8D 45 ?? 3B F0 74 ?? 83 7D ?? ?? 8B CE FF 75 ?? 0F 43 45 ?? 50 E8 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 + } + + $encrypt_files_p4 = { + C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 7F ?? ?? 8B 47 ?? 72 ?? 8B 3F 83 F8 ?? 75 + ?? 0F B6 07 3C ?? 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 8B BD ?? ?? ?? ?? 85 C0 75 ?? 8D + 45 ?? 50 83 EC ?? 8D 87 ?? ?? ?? ?? 8B CC 89 A5 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC + ?? C6 45 ?? ?? 8B CC 56 E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? EB ?? 8B BD ?? ?? + ?? ?? 8D 45 ?? 3B F0 74 ?? 83 7D ?? ?? 8B CE FF 75 ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? + 8D 45 ?? 3B C6 74 ?? 83 7E ?? ?? 8B C6 72 ?? 8B 06 FF 76 ?? 8D 4D ?? 50 E8 ?? ?? 
?? + ?? 6A ?? 68 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 7E ?? ?? 8B C6 72 ?? 8B 06 C7 46 ?? + ?? ?? ?? ?? 8D 55 ?? C6 00 ?? 8D 8D ?? ?? ?? ?? 83 7D ?? ?? FF 75 ?? 0F 43 55 ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 6A ?? 8B 40 ?? 03 C8 33 C0 39 41 ?? 0F 94 C0 8D 04 85 ?? ?? ?? ?? + 0B 41 ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 8B F0 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D + 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 8B C8 C6 + 45 ?? ?? 8B 41 ?? 8B 51 ?? 2B C2 83 F8 ?? 72 ?? 83 79 ?? ?? 8D 42 ?? 89 41 ?? 8B C1 + 72 ?? 8B 01 66 C7 04 02 ?? ?? EB ?? 6A ?? 68 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B C8 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 0F 10 01 0F 11 85 ?? ?? ?? ?? F3 0F 7E 41 ?? 66 0F D6 85 ?? ?? ?? ?? + C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C6 01 ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 8B + } + + $encrypt_files_p5 = { + C2 8B 8D ?? ?? ?? ?? 2B C1 83 F8 ?? 72 ?? 8D 41 ?? 83 FA ?? 89 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? C7 04 01 ?? ?? ?? ?? C6 44 01 ?? ?? 8D 85 ?? ?? ?? + ?? EB ?? 6A ?? 68 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? FF B5 ?? ?? ?? + ?? 6A ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 0F 10 00 0F 11 85 ?? ?? ?? ?? F3 0F 7E 40 ?? 66 0F D6 85 ?? ?? ?? ?? C7 40 ?? ?? ?? + ?? ?? C7 40 ?? ?? ?? ?? ?? C6 00 ?? 8D 47 ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 10 00 0F 11 + 85 ?? ?? ?? ?? F3 0F 7E 40 ?? 66 0F D6 85 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? + ?? ?? ?? ?? C6 00 ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 8B C2 8B 8D ?? ?? ?? ?? 2B C1 83 + F8 ?? 72 ?? 8D 41 ?? 83 FA ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? + ?? 66 C7 04 08 ?? ?? 8D 85 ?? ?? ?? ?? EB ?? 6A ?? 68 ?? ?? ?? ?? 
C6 85 ?? ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 10 00 0F 11 85 ?? ?? ?? ?? F3 0F 7E 40 ?? 66 + 0F D6 85 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C6 00 ?? C6 45 + } + + $encrypt_files_p6 = { + 8B BD ?? ?? ?? ?? 8B C7 8B 8D ?? ?? ?? ?? 2B C1 8B 56 ?? 3B D0 76 ?? 8B 46 ?? 2B C2 + 3B C1 72 ?? 83 FF ?? 8D 85 ?? ?? ?? ?? 51 0F 43 85 ?? ?? ?? ?? 8B CE 50 6A ?? E8 ?? + ?? ?? ?? EB ?? 56 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 10 00 0F 11 85 ?? ?? ?? ?? F3 0F 7E 40 ?? 66 0F D6 85 + ?? ?? ?? ?? C6 00 ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? + ?? ?? ?? 8B C2 8B 8D ?? ?? ?? ?? 2B C1 6A ?? 68 ?? ?? ?? ?? 83 F8 ?? 72 ?? 83 FA ?? + 8D B5 ?? ?? ?? ?? 8D 41 ?? 0F 43 B5 ?? ?? ?? ?? 03 F1 89 85 ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 83 C4 ?? C6 46 ?? ?? 8D 85 ?? ?? ?? ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? FF B5 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 0F 10 00 0F 11 45 ?? F3 0F 7E 40 ?? 66 + 0F D6 45 ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C6 00 ?? C6 45 ?? ?? 8B 95 ?? + ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? + 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 + ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? + 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? + ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? + ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 + } + + $encrypt_files_p7 = { + FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 + 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? 
?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? + ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 + ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? + 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? + 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? + 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? + 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B + } + + $encrypt_files_p8 = { + 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? + ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 + ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 66 89 85 ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? + ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 + ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? + 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 + ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 EC ?? 66 89 85 ?? ?? ?? ?? 8D 45 ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 8B CC 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 + C6 45 ?? ?? 83 7E ?? ?? 72 ?? 8B 36 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 72 ?? 8B 00 56 50 E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 
83 C4 ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? + ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? + ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? + ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 + } + + $encrypt_files_p9 = { + 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? + 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 + F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D + ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 + ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 + ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 + ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? + 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? + 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 + ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 + 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? + 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
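Review bot: The `meta:` block at the top of this hunk records author, source, status and the tc_* fields but no sample identifier or date, so after any later edit to the hex strings there is nothing in the file to regression-test the rule against; adding e.g. `hash = "<sample sha256 - placeholder>"` and `date = "<YYYY-MM-DD - placeholder>"` next to `description` would fix that, and the same gap exists in the DarkSide, DearCry, Defray and Delphimorix hunks that follow. The condition here groups each `all of (...)` before combining them with `and`, which is the right shape; by contrast the DMALocker condition in the preceding hunk (whose start is outside this view) chains `uint16(0) == 0x5A4D and (...) or (...) or ...` with no outer group, and because `and` binds tighter than `or` in YARA the MZ check guards only the first alternative, so the other four alternatives can fire on non-PE input — wrapping the five alternatives in one pair of parentheses brings that rule in line with this one. Every file in the series is also added with `\ No newline at end of file`; a newline after the closing `}` is the usual convention for rule files and avoids odd diffs on the next edit.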
diff --git a/yara/ransomware/Win32.Ransomware.DarkSide.yara b/yara/ransomware/Win32.Ransomware.DarkSide.yara
new file mode 100644
index 0000000..a20db11
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.DarkSide.yara
@@ -0,0 +1,94 @@ +rule Win32_Ransomware_DarkSide : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DARKSIDE" + description = "Yara rule that detects DarkSide ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DarkSide" + tc_detection_factor = 5 + + strings: + + $find_files_v1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 83 7D ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 04 45 ?? ?? ?? + ?? 50 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? + ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? + ?? ?? ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8D 9D ?? ?? + ?? ?? 83 3B ?? 74 ?? 81 3B ?? ?? ?? ?? 74 ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8D 85 ?? ?? + ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 7D ?? + ?? 74 ?? FF 75 ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5A 59 5B + 8B E5 5D C2 + } + + $enumerate_drives = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 8B D8 85 DB 74 ?? C1 EB ?? 8D B5 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 F8 + ?? 74 ?? 83 F8 ?? 75 ?? 56 E8 ?? ?? ?? ?? 8D 76 ?? 4B 85 DB 75 ?? 5F 5E 5A 59 5B 8B + E5 5D C3 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? C7 + 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 66 A9 ?? ?? 74 ?? 6A ?? 8D 85 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 
51 8D 40 ?? 50 FF 15 ?? ?? ?? + ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 + ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2 + } + + $escalate_privileges = { + 55 8B EC 83 C4 ?? 53 51 52 56 57 8D 45 ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 + ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 50 + FF 75 ?? FF 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 ?? AD 8B F8 83 + 7E ?? ?? 74 ?? C7 46 ?? ?? ?? ?? ?? 83 C6 ?? 4F 85 FF 75 ?? 6A ?? 6A ?? 6A ?? FF 75 + ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C3 + } + + $enumerate_netshare = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 7D ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? 50 6A ?? + 8D 45 ?? 50 6A ?? 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 ?? 83 7E ?? ?? 75 ?? 68 ?? + ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 C7 03 ?? ?? ?? ?? C7 43 ?? + ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 8D 47 ?? 50 53 FF 15 ?? ?? ?? + ?? 83 C4 ?? 53 FF 15 ?? ?? ?? ?? FF 36 53 FF 15 ?? ?? ?? ?? 83 C4 ?? 53 E8 ?? ?? ?? + ?? 53 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C6 ?? FF 4D ?? 83 7D ?? ?? 75 ?? + FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2 + } + + $find_files_v2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 51 52 56 57 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D BD + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? + 83 C4 ?? 66 83 7C 47 ?? ?? 74 ?? 66 C7 04 47 ?? ?? 83 C7 ?? C7 04 47 ?? ?? ?? ?? C7 + 44 47 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 
8B 85 ?? ?? ?? ?? 66 A9 ?? ?? 74 ?? + 8D 9D ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 83 C0 ?? 53 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 56 + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 5F 5E 5A 59 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + $find_files_v1 and + $enumerate_drives and + $escalate_privileges + ) or + ( + $find_files_v2 and + $enumerate_netshare + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.DearCry.yara b/yara/ransomware/Win32.Ransomware.DearCry.yara new file mode 100644 index 0000000..1853b2f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.DearCry.yara 
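Review bot: `$enumerate_drives` runs through a function epilogue and straight into the next function's prologue (`5F 5E 5A 59 5B 8B E5 5D C3 55 8B EC 81 EC ?? ?? ?? ??` roughly a third of the way into the pattern), so the match depends on those two routines being laid out back to back with no padding; a rebuild that reorders functions or inserts alignment bytes between them would break the string even though both routines are unchanged. Splitting the pattern at that `C3` into two strings, e.g. `$enumerate_drives_p1` / `$enumerate_drives_p2`, and requiring `all of ($enumerate_drives_p*)` in the condition keeps the same coverage without the adjacency assumption. That is the convention the DMR and DearCry rules in the neighbouring hunks already use for their multi-part strings.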
@@ -0,0 +1,96 @@ +rule Win32_Ransomware_DearCry : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DEARCRY" + description = "Yara rule that detects DearCry ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DearCry" + tc_detection_factor = 5 + + strings: + + $drop_ransom_note_p1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 53 56 57 33 DB 68 ?? ?? ?? ?? 50 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 89 1D ?? ?? + ?? ?? 89 1D ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 89 1D ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 89 44 24 ?? E8 + ?? ?? ?? ?? 8B F0 6A ?? 68 ?? ?? ?? ?? 89 74 24 ?? E8 ?? ?? ?? ?? 8B F8 89 7C 24 ?? + E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 3B F3 0F 84 ?? ?? ?? ?? 3B FB 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 5C 24 ?? B8 ?? ?? ?? ?? 33 F6 8B FF + 38 18 74 ?? 50 E8 ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 C4 ?? 8B D7 8A 08 88 0A 40 42 84 + C9 75 ?? 8B C7 33 F6 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 74 ?? 0F BE 14 37 52 E8 ?? + ?? ?? ?? 88 04 37 8B C7 83 C4 ?? 46 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 3B F0 72 ?? + 8B 74 24 ?? 46 89 74 24 ?? 69 F6 ?? ?? ?? ?? 8D 86 ?? ?? ?? ?? 3B C3 75 ?? 6A ?? 68 + } + + $drop_ransom_note_p2 = { + 89 5C 24 ?? E8 ?? ?? ?? ?? 53 8B F0 53 8D 44 24 ?? 50 56 E8 ?? ?? ?? ?? 56 89 44 24 + ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 8B F8 3B C3 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 85 C0 0F 86 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? 53 51 88 5C 24 ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8D 54 24 ?? 52 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8A 44 1C ?? 3C ?? 7C ?? 3C ?? 7E ?? 3C ?? 0F 8C ?? ?? ?? ?? 3C ?? 0F 8F ?? ?? ?? ?? + 0F BE C0 50 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? 
?? 83 C4 ?? + 8D 54 24 ?? 52 FF D6 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 74 ?? 8B + 4C 24 ?? 8B 54 24 ?? 8B 44 24 ?? 51 52 50 6A ?? 8D 4C 24 ?? 51 57 E8 ?? ?? ?? ?? 0F + BE 54 1C ?? 68 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? B8 ?? ?? ?? ?? 8D 50 + ?? 8D 49 ?? 8A 08 40 84 C9 75 ?? 56 2B C2 50 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 + E8 ?? ?? ?? ?? 83 C4 ?? 43 81 FB ?? ?? ?? ?? 0F 8C ?? ?? ?? ?? 33 DB 57 + } + + $find_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 31 45 ?? 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 + A3 ?? ?? ?? ?? 89 65 ?? 8B 45 ?? 89 85 ?? ?? ?? ?? 8B 75 ?? 89 B5 ?? ?? ?? ?? 8B 4D + ?? 89 8D ?? ?? ?? ?? 8B 55 ?? 89 95 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 85 ?? ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 85 ?? ?? ?? ?? ?? + 8B C6 8D 50 ?? 8D 49 ?? 8A 08 40 84 C9 75 ?? 2B C2 80 7C 06 ?? ?? 74 ?? 8B C6 8D 50 + ?? 8A 08 40 84 C9 75 ?? 2B C2 80 7C 06 ?? ?? 74 ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? 52 EB ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 6A + ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 8B C6 + 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 8B D0 8D 85 ?? ?? ?? ?? 8D 78 ?? 8A 08 40 84 C9 + 75 ?? 2B C7 03 C2 3D ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 6A ?? 6A ?? 8D 4D ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 8B C3 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 83 F8 ?? 76 ?? B8 ?? ?? ?? + ?? EB ?? 8B C3 8D 50 ?? 8D 64 24 ?? 8A 08 40 84 C9 75 ?? 2B C2 50 53 8D 55 ?? 52 E8 + } + + $find_files_p2 = { + 83 C4 ?? 33 FF 8D 45 ?? 8D 50 ?? 
90 8A 08 40 84 C9 75 ?? 2B C2 74 ?? EB ?? 8D 49 ?? + 0F BE 44 3D ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 88 44 3D ?? 47 8D 45 ?? 8D 50 ?? 8D A4 24 + ?? ?? ?? ?? 8A 08 40 84 C9 75 ?? 2B C2 3B F8 72 ?? 8D 4D ?? 51 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8A 10 3A + 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 C0 EB + ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 8D 50 ?? 8D A4 24 ?? ?? ?? ?? 8A 08 40 84 C9 75 ?? 2B + C2 80 7C 30 ?? ?? 74 ?? 8B C6 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 80 7C 30 ?? ?? 74 + ?? 8D 85 ?? ?? ?? ?? 50 56 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 EB ?? 8D 95 ?? ?? ?? + ?? 52 56 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 8B BD ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 68 ?? ?? ?? ?? 6A ?? 8B 9D ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 53 57 8B 55 ?? + 52 8D BD ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? + E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? C3 8B 65 ?? C7 45 ?? ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B C6 8D 50 ?? 8B FF + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($drop_ransom_note_p*) + ) and + ( + all of ($find_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Defray.yara b/yara/ransomware/Win32.Ransomware.Defray.yara new file mode 100644 index 0000000..0ae0b47 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Defray.yara 
@@ -0,0 +1,157 @@ +rule Win32_Ransomware_Defray : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DEFRAY" + description = "Yara rule that detects Defray ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Defray" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 68 ?? ?? ?? ?? 33 + F6 89 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B D9 56 50 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 + C4 ?? 2B D3 8B CB 89 95 ?? ?? ?? ?? 0F B7 01 66 89 04 0A 8D 49 ?? 66 85 C0 75 ?? 8D + BD ?? ?? ?? ?? 83 EF ?? 66 8B 47 ?? 83 C7 ?? 66 3B C6 75 ?? BE ?? ?? ?? ?? 68 ?? ?? + ?? ?? 53 A5 A5 66 A5 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 33 F6 8B 1D ?? ?? ?? ?? + 83 FB ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? + 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 8B C6 + EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B + 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 + 85 D2 75 ?? 8B C6 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B + 95 ?? ?? ?? ?? 0F B7 01 66 89 04 0A 8D 49 ?? 66 85 C0 75 ?? 8D BD ?? ?? ?? ?? 83 EF + ?? 33 C9 66 8B 47 ?? 8D 7F ?? 66 3B C1 75 ?? A1 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 89 07 + 8B F2 66 8B 02 83 C2 ?? 66 3B C1 75 ?? 8D BD ?? ?? ?? ?? 2B D6 83 EF ?? 66 8B 47 ?? + 83 C7 ?? 66 3B C1 75 ?? 8B CA C1 E9 ?? F3 A5 8B CA 83 E1 ?? F6 85 ?? ?? ?? ?? ?? F3 + A4 74 ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? F7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 75 ?? 8B 8D ?? ?? ?? ?? 66 8B 85 ?? ?? ?? ?? 66 89 04 59 43 89 1D ?? ?? + ?? ?? 33 F6 8B 9D ?? ?? ?? ?? 
8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_special_folders = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 BE ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 56 33 DB 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 56 53 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 56 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? + ?? ?? BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A ?? 59 68 ?? ?? ?? ?? 53 F3 A5 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D BD ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 59 F3 A5 68 + ?? ?? ?? ?? 53 50 66 A5 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D + BD ?? ?? ?? ?? 6A ?? 59 68 ?? ?? ?? ?? 53 F3 A5 50 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 83 C4 ?? 53 6A ?? 50 53 FF D6 53 6A ?? 8D 85 ?? ?? ?? ?? 50 53 FF + D6 53 6A ?? 8D 85 ?? ?? ?? ?? 50 53 FF D6 8D BD ?? ?? ?? ?? 83 EF ?? 66 8B 47 ?? 83 + C7 ?? 66 3B C3 75 ?? 6A ?? 59 BE ?? ?? ?? ?? F3 A5 8D BD ?? ?? ?? ?? 83 EF ?? 66 8B + 47 ?? 83 C7 ?? 66 3B C3 75 ?? 6A ?? 59 BE ?? ?? ?? ?? F3 A5 8D BD ?? ?? ?? ?? 83 EF + ?? 66 8B 47 ?? 83 C7 ?? 66 3B C3 75 ?? BE ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? A5 A5 A5 A5 + 66 A5 E8 ?? ?? ?? ?? 84 C0 74 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 89 85 ?? + ?? ?? ?? 33 DB 8B 45 ?? 8B FA 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 + 50 E8 ?? ?? ?? ?? 
A1 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? A0 ?? ?? ?? ?? 88 45 ?? 8D 85 ?? + ?? ?? ?? 53 53 53 53 50 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? + 85 DB 74 ?? 33 C0 50 50 6A ?? 50 50 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? ?? 8B F8 85 + FF 74 ?? 33 C0 50 68 ?? ?? ?? ?? 50 50 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 45 ?? 50 + 57 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 95 ?? ?? ?? ?? 33 C9 85 D2 74 ?? 8B CA 8D + 41 ?? 89 85 ?? ?? ?? ?? 8A 01 41 84 C0 75 ?? 2B 8D ?? ?? ?? ?? 51 52 6A ?? 6A ?? 53 + FF 15 ?? ?? ?? ?? 53 FF D6 8B 9D ?? ?? ?? ?? 57 FF D6 53 FF D6 8B 4D ?? 5F 5E 33 CD + 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_1 = { + 55 8B EC 51 51 83 4D ?? ?? 83 4D ?? ?? 57 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 75 ?? 6A ?? 58 EB ?? 56 8D 45 ?? 50 + 57 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 75 ?? 6A ?? EB ?? 8B 75 ?? 3B C6 0F 42 F0 83 7D + ?? ?? 74 ?? 6A ?? 8D 45 ?? 50 56 FF 75 ?? 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? 5E + 57 FF 15 ?? ?? ?? ?? EB ?? 57 FF 15 ?? ?? ?? ?? 3B 75 ?? 6A ?? 58 0F 45 F0 8B C6 EB + ?? 57 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5E 5F 8B E5 5D C2 + } + + $encrypt_files_2_p1 = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 33 C0 89 85 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 45 ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? C6 45 ?? ?? 50 89 85 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 59 33 C0 8D 7D ?? + F3 AB 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 85 C0 74 ?? FF 15 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? 83 CE ?? EB ?? 6A ?? 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 85 + C0 74 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 5E 6A ?? 8B D6 59 E8 ?? ?? ?? ?? + 59 59 E9 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 85 F6 75 ?? 6A ?? 5E E9 ?? ?? ?? ?? 80 BD ?? + ?? ?? ?? ?? B8 ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? 
3B F0 0F 47 F0 8D 85 ?? ?? ?? ?? 50 + 56 8B C8 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 FF B5 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8B F8 85 FF 79 ?? FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 6A ?? 5A 6A ?? 59 E8 ?? ?? ?? + ?? 59 59 BE ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? + FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 5A 6A ?? 59 E8 ?? ?? ?? ?? 59 59 6A ?? E9 + ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 8D 55 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 8B DF 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 40 74 ?? 8B + } + + $encrypt_files_2_p2 = { + B5 ?? ?? ?? ?? 43 46 8B C3 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 40 75 ?? 89 B5 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 53 8B C8 E8 ?? ?? ?? ?? 33 D2 85 FF 7E ?? 8B 85 ?? ?? ?? ?? + 8A 0C 10 8B 85 ?? ?? ?? ?? 88 0C 10 42 3B D7 7C ?? 3B FB 7D ?? 8B C3 2B C7 50 8B 85 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 03 C7 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 + 53 8B C8 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8B + 95 ?? ?? ?? ?? 8D 45 ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 + ?? 6A ?? E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 53 FF B5 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 59 59 85 C0 75 ?? 6A ?? 33 FF 5A 8B 85 ?? ?? ?? ?? 8A 4C 3D ?? 88 0C 38 + 47 3B FA 7C ?? 8D 75 ?? 6A ?? 2B F2 5F 8B 85 ?? ?? ?? ?? 8A 0C 32 88 0C 10 42 3B D7 + 7C ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 83 EC ?? 8D + 85 ?? ?? ?? ?? 50 51 8B 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + } + + $encrypt_files_2_p3 = { + 85 C0 79 ?? 6A ?? E9 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? BA ?? ?? ?? ?? 2B F7 8B 85 ?? ?? + ?? ?? 8A 0C 37 88 0C 38 47 3B FA 7C ?? 8B B5 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8A 8C 02 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 88 0C 10 42 81 FA ?? ?? ?? ?? 7C ?? 83 BD ?? ?? ?? ?? ?? + 74 ?? 8D 4D ?? E8 ?? ?? ?? ?? 84 C0 75 ?? BE ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 
8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B C6 E9 ?? ?? ?? ?? 51 6A ?? 53 FF B5 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8B F8 85 FF 79 ?? FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 6A ?? 5A 6A ?? 59 E8 + ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 87 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 51 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B + F8 85 FF 79 ?? FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 6A ?? 5A 6A ?? 59 E8 ?? ?? ?? ?? 59 + 59 EB ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 01 34 85 + ?? ?? ?? ?? FF 04 85 ?? ?? ?? ?? 33 FF 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B C7 E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $find_special_folders + ) and + ( + $encrypt_files_1 + ) and + ( + all of ($encrypt_files_2_p*) + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Delphimorix.yara b/yara/ransomware/Win32.Ransomware.Delphimorix.yara new file mode 100644 index 0000000..b7b7af4 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Delphimorix.yara 
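Review bot: The condition wraps each single string identifier in its own parenthesised group on separate lines (`( $find_files ) and ( $find_special_folders ) and ( $encrypt_files_1 ) and ...`), which adds five levels of visual nesting for what is a flat conjunction; `uint16(0) == 0x5A4D and $find_files and $find_special_folders and $encrypt_files_1 and all of ($encrypt_files_2_p*) and $remote_connection` reads the same and matches the same inputs. Parentheses are worth keeping only where, as in the DarkSide rule earlier in this series, `and` and `or` alternatives are actually mixed.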
@@ -0,0 +1,67 @@ +rule Win32_Ransomware_Delphimorix : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DELPHIMORIX" + description = "Yara rule that detects Delphimorix ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Delphimorix" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 D2 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 + 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 6A ?? 8B + 4D ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 68 ?? ?? ?? ?? 8D 45 ?? B9 ?? ?? ?? + ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 4D ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8B C3 + 8B 10 FF 12 52 50 B9 ?? ?? ?? ?? 8B D3 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B + C6 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 59 59 5D C3 + } + + $find_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 8B D9 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 80 7C 02 + ?? ?? 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 4A 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8B D0 83 CA ?? 3B D0 75 ?? 80 FB ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 
8D 85 + } + + $find_files_p2 = { + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CB 8B 55 ?? E8 ?? ?? ?? ?? E9 ?? + ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B + C6 83 C8 ?? 3B C6 75 ?? 80 FB ?? 75 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? FF 75 ?? 68 ?? ?? ?? + ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 8B CB 8B 55 ?? E8 ?? ?? ?? ?? EB ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.DenizKizi.yara b/yara/ransomware/Win32.Ransomware.DenizKizi.yara new file mode 100644 index 0000000..7581467 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.DenizKizi.yara 
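Review bot: The condition's only file-type gate is `uint16(0) == 0x5A4D`, so the three long wildcarded byte patterns are searched in anything that merely starts with MZ (DOS stubs, installers, carved fragments), and with no `filesize` bound they are searched across the whole of arbitrarily large files, which is the expensive case for patterns like these. Since the strings are 32-bit PE code, tighten the gate to a real PE check and add a size cap derived from the known samples, e.g. `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < <bound> and`. The same gate is used by every sibling rule in this commit, so the change is worth applying consistently rather than here alone.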
@@ -0,0 +1,88 @@ +rule Win32_Ransomware_DenizKizi : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DENIZKIZI" + description = "Yara rule that detects DenizKizi ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DenizKizi" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 7E ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? + 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B + 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 F6 85 ?? ?? ?? + ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 89 4D ?? 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 
8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 + FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 0D ?? ?? + ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 + 45 ?? 8B 0D ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8B 45 ?? 8B 10 FF 12 52 50 8B 45 ?? 8B 10 FF 52 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 10 FF 12 50 8B 4D ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8B 45 ?? 8B 10 FF 52 ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 10 FF 12 50 + 8B 4D ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 10 FF 52 ?? 8B 55 ?? 8B 45 ?? + E8 ?? ?? ?? ?? 8D 45 ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? C3 + } + + $delete_shadow_copies = { + 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 + 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B + 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B + 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 
8B + 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B + 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? + ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 8B + E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $delete_shadow_copies + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.DesuCrypt.yara b/yara/ransomware/Win32.Ransomware.DesuCrypt.yara new file mode 100644 index 0000000..4fe962f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.DesuCrypt.yara 
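Review bot: `$delete_shadow_copies` is named for a behaviour the bytes do not pin down: after the two six-argument call sequences (`6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8`) the string is roughly two dozen repeats of `A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ??` with every operand wildcarded, so nothing in it references `vssadmin`/`wmic` text or a VSS API, and a maintainer cannot verify the label from the rule alone. Record how the attribution was made, e.g. a comment above the string such as `// call sequence following the presumed shadow-copy removal command in the analysed sample; the command text itself is not matched`, and consider adding a plain `$vss = "vssadmin" ascii wide nocase` string if the sample carries it, so the rule has an independently checkable anchor. The Delphi frame bytes that open each call sequence (`64 FF 30 64 89 20`, `33 C0 5A 59 59 64 89 10`) are generic RTL scaffolding and add little specificity on their own.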
@@ -0,0 +1,93 @@ +rule Win32_Ransomware_DesuCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DESUCRYPT" + description = "Yara rule that detects DesuCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DesuCrypt" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? ?? + ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? FF + 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 5D ?? 8B + CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 EB ?? 8B + 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 FF + 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 + C5 89 45 ?? 8B 4D ?? 53 8B 5D ?? 57 8B 7D ?? 89 9D ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 53 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 DB + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8A C3 80 FA ?? 75 ?? B0 ?? 0F B6 C0 2B CF 41 F7 D8 56 + 1B C0 23 C1 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 53 53 53 50 53 57 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? + ?? 83 FE ?? 75 ?? 50 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 83 FE ?? 74 ?? 56 FF 15 + ?? ?? ?? ?? 8B C3 5E 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 + C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 38 9D ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 + 8B 85 ?? ?? ?? ?? 
75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $encrypt_files = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 57 8B D9 89 54 24 ?? B9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? BE ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? 8D 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? F3 A5 6A ?? 6A ?? 8D + 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 66 A5 50 6A ?? 6A ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B + E5 5D C3 8D 44 24 ?? 50 8D 44 24 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 74 24 ?? 8D 84 24 ?? + ?? ?? ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? EB ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5F + 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 8D 44 24 ?? 50 FF 74 24 + ?? 6A ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? E9 ?? ?? ?? ?? 8B 43 ?? 8B 3D ?? ?? ?? ?? 50 89 44 24 ?? 89 44 24 ?? 8D 44 24 ?? + 50 6A ?? 6A ?? 6A ?? 6A ?? FF 74 24 ?? FF D7 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 51 BA + ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 33 C0 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 FF 74 24 ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 83 7B ?? ?? 72 ?? 8B 1B FF 74 24 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? FF + 74 24 ?? 50 56 6A ?? 6A ?? 6A ?? FF 74 24 ?? FF D7 85 C0 0F 84 ?? ?? ?? ?? 8B 4C 24 + ?? 8B 44 24 ?? 5F 89 01 8B C6 8B 8C 24 ?? ?? ?? ?? 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + $enum_shares = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? 
?? ?? 33 C5 89 + 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 89 75 ?? 8B 45 ?? 8D 4D ?? 51 50 + 6A ?? 6A ?? 6A ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? + ?? ?? 8D 45 ?? 50 57 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 0F 1F 40 ?? 33 DB 39 5D ?? 0F 8E ?? ?? ?? ?? 83 C7 ?? 66 90 F7 47 ?? ?? ?? ?? ?? 74 + ?? 8D 47 ?? 89 45 ?? 8B 06 8B 48 ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 01 8D 55 ?? 52 FF 50 + ?? E9 ?? ?? ?? ?? 8B 17 33 C0 66 89 45 ?? 8B C2 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8D 70 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C6 D1 F8 83 F8 ?? 77 ?? 8D 34 00 + 89 45 ?? 56 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 44 35 ?? EB ?? 52 C6 + 45 ?? ?? 8D 4D ?? FF 75 ?? 50 E8 ?? ?? ?? ?? 8B 75 ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? + 50 8B 4E ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 43 83 C7 ?? + 3B 5D ?? 0F 8C ?? ?? ?? ?? 8B 7D ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 57 8D 45 ?? C7 + 45 ?? ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 57 FF 15 ?? + ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D + ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files and + $encrypt_files and + $enum_shares + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Dharma.yara b/yara/ransomware/Win32.Ransomware.Dharma.yara new file mode 100644 index 0000000..2f6fec6 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Dharma.yara 
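Review bot: `$find_files` runs across function boundaries: the bytes `8B E5 5D C3 33 FF 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC` are a function epilogue, what looks like a no-return call padded with `int3`, and the hot-patch prologue of the next function, and later `8B E5 5D C3 8B 48 ?? 2B 08` again continues past a return. A single string that spans adjacent routines only matches while the linker keeps them in the same order and padding, which is fragile across builds of the same family, and because the condition ANDs all three strings one reordered routine defeats the whole rule. Split it at the `CC 8B FF 55 8B EC` boundary into `$find_files_p1`/`$find_files_p2` and match with `all of ($find_files_p*)`, as the Delphimorix and District rules in this commit already do, so each routine is matched independently.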
@@ -0,0 +1,108 @@ +rule Win32_Ransomware_Dharma : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DHARMA" + description = "Yara rule that detects Dharma ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Dharma" + tc_detection_factor = 5 + + strings: + + $file_search = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? + 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D 4D ?? 51 8B 55 + ?? 52 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? + 75 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? 81 7D ?? ?? ?? ?? ?? 76 ?? 8B + 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B + 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D + ?? ?? 75 ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 + 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? + 89 45 ?? 8B 45 ?? 8B E5 5D C3 + } + + $file_encrypt_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? 8B 45 ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? 89 4D ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 8B 45 ?? 33 D2 B9 ?? ?? ?? ?? F7 F1 8B 45 ?? 2B C2 83 E8 ?? 89 45 ?? 8B + 4D ?? 51 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? + ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 05 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 83 ?? ?? + ?? ?? 8B 4D ?? 83 E1 ?? 74 ?? 8B 55 ?? 83 E2 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? + ?? 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 
89 55 ?? 8B 45 ?? 89 85 ?? ?? ?? + ?? 8B 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D + ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? + 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 4D ?? 51 + E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 8B 4D + ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B + 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 83 7D + ?? ?? 75 ?? 8B 4D ?? 3B 4D ?? 73 ?? 8B 45 ?? 33 D2 B9 ?? ?? ?? ?? F7 F1 B8 ?? ?? ?? + ?? 2B C2 89 45 ?? 8B 4D ?? 03 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 03 45 ?? 50 8B 4D ?? 51 + } + + + $file_encrypt_2 = { + 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 03 45 ?? 39 85 ?? ?? ?? ?? + 74 ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? + 83 C4 ?? 8B 95 ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? + ?? 83 7D ?? ?? 74 ?? 8B 8D ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 8B 55 ?? 52 8B 45 ?? 50 + 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 03 55 ?? 89 55 ?? 8B 45 ?? 03 45 ?? 89 + 45 ?? 6A ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 83 C0 ?? 89 45 + ?? 6A ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 83 C0 ?? 89 45 ?? + 6A ?? 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 83 C0 ?? 89 + 45 ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 83 C0 ?? 89 45 + ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 05 ?? ?? + ?? ?? 89 45 ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 83 C0 + ?? 89 45 ?? 6A ?? 8D 8D ?? ?? ?? ?? 
51 8B 55 ?? 2B 55 ?? 52 8B 45 ?? 50 8B 8D ?? ?? + ?? ?? 51 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 55 ?? 2B 55 ?? 39 95 ?? ?? ?? ?? 74 ?? EB ?? + EB ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? E9 ?? + ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7E ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 8D ?? ?? + ?? ?? 51 8B 95 ?? ?? ?? ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? + 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7E ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? + ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 8B E5 5D C3 + } + + $enum_shares = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 8D 45 ?? + 50 8B 4D ?? 51 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 E8 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 + ?? 8B 4D ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 8B 55 ?? C1 E2 ?? 8B 45 ?? 83 7C 10 ?? ?? 75 + ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 50 8B 55 ?? 52 8B 45 ?? C1 E0 ?? 8B 4D ?? 8B 54 01 ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 6A ?? 8B 45 ?? 50 8B 4D ?? C1 E1 ?? 8B 55 ?? + 8B 44 0A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8B 4D ?? 51 8B 55 ?? C1 E2 ?? 8B 45 ?? + 8B 4C 10 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C1 E2 ?? 8B 45 ?? 8B 4C 10 ?? 83 E1 + ?? 74 ?? 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? C1 E1 ?? 03 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 + ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 55 ?? + 52 E8 ?? ?? ?? ?? 8D 45 ?? 50 8B 4D ?? 51 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 50 8D + 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 45 ?? 
?? ?? ?? ?? EB + ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 8B 55 ?? C1 E2 ?? + 8B 45 ?? 83 7C 10 ?? ?? 75 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 50 8B 55 ?? 52 8B 45 ?? C1 + E0 ?? 8B 4D ?? 8B 54 01 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 6A ?? 8B 45 ?? 50 + 8B 4D ?? C1 E1 ?? 8B 55 ?? 8B 44 0A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8B 4D ?? 51 + 8B 55 ?? C1 E2 ?? 8B 45 ?? 8B 4C 10 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C1 E2 ?? + 8B 45 ?? 8B 4C 10 ?? 83 E1 ?? 74 ?? 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? C1 E1 ?? 03 4D + ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? E9 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $file_search and $enum_shares and $file_encrypt_1 and $file_encrypt_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara b/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara new file mode 100644 index 0000000..828f57e --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara 
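Review bot: `$file_encrypt_1` ends mid-function (`... 50 8B 4D ?? 51`, no epilogue) and `$file_encrypt_2` appears to pick up from there and ends with `8B E5 5D C3`, so they look like two halves of one routine, yet they are named `_1`/`_2` and listed as separate conjuncts while the other rules in this commit name such halves `_p1`/`_p2` and match them with `all of ($..._p*)`. Rename to `$file_encrypt_p1`/`$file_encrypt_p2` and use `all of ($file_encrypt_p*)` so the intent — one function, split only to keep the hex string manageable — is visible to the next maintainer, and break the single-line condition into one clause per line as the sibling rules do. Both are style points; the logical result of the condition is unchanged.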
@@ -0,0 +1,112 @@ +import "pe" + +rule Win32_Ransomware_DirtyDecrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DIRTYDECRYPT" + description = "Yara rule that detects DirtyDecrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DirtyDecrypt" + tc_detection_factor = 5 + + strings: + $dd_ep = { + 55 8B EC 83 EC ?? E8 ?? ?? ?? ?? 85 C0 0F 84 BF 00 00 00 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 + 1F 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 07 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB + 09 8B 4D ?? 83 C1 ?? 89 4D ?? 83 7D ?? ?? 73 15 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 89 44 95 ?? EB DC 6A ?? 68 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? + 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A + ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 33 C0 8B E5 5D C2 ?? ?? + } + + $dd_hash = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84 D5 00 00 00 83 7D ?? ?? 0F 84 CB 00 00 00 83 7D ?? ?? 0F 84 C1 + 00 00 00 83 7D ?? ?? 0F 84 B7 00 00 00 83 7D ?? ?? 0F 84 AD 00 00 00 83 7D ?? ?? 0F 84 A3 00 00 00 C7 45 ?? ?? ?? ?? ?? + 8D 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 02 EB 6F 83 7D ?? ?? 76 2A 6A ?? 6A ?? 8B + 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 02 EB 51 8B 4D ?? 83 E9 ?? 89 4D ?? 8B 55 ?? 83 C2 ?? 89 55 ?? 6A ?? 8B + 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 02 EB 25 6A ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B + 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 33 C9 0F 85 74 FF FF FF 83 7D ?? ?? 74 0A 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 8B + E5 5D C2 ?? ?? + } + + $dd_getkey = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? 
?? 74 31 C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8D 4D ?? 51 6A ?? 8B 55 + ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 07 C7 45 ?? ?? ?? ?? ?? 8B 45 ?? C1 E8 ?? 89 45 ?? 8B 45 ?? 8B E5 5D C2 ?? ?? + } + + $dd_destroykey = { + 55 8B EC 83 7D ?? ?? 74 0A 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 5D C2 + } + + $dd_importkey = { + 55 8B EC 51 C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? 8B 4D ?? 8B 51 ?? 52 8B 45 ?? 8B 08 51 8B 55 ?? 52 FF 15 ?? ?? + ?? ?? 8B 45 ?? 8B E5 5D C2 ?? ?? + } + + $dd_decrypt = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84 22 01 00 00 83 7D ?? ?? 0F 84 18 01 00 00 83 7D ?? ?? 0F 84 0E + 01 00 00 83 7D ?? ?? 0F 84 04 01 00 00 83 7D ?? ?? 0F 84 FA 00 00 00 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 33 D2 + F7 75 ?? 0F AF 45 ?? 89 45 ?? 8B 4D ?? 89 4D ?? 8B 55 ?? 8B 02 03 45 ?? 89 45 ?? 8B 4D ?? 8B 11 03 55 ?? 52 8B 45 ?? 8B + 08 51 6A ?? E8 ?? ?? ?? ?? 8B 55 ?? 89 02 8B 45 ?? 83 38 ?? 0F 84 A7 00 00 00 8B 4D ?? 8B 11 8B 45 ?? 03 10 89 55 ?? 83 + 7D ?? ?? 74 61 6A ?? 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 8B 45 ?? + 89 45 ?? 8D 4D ?? 51 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 02 EB 1D 8B 4D ?? 03 4D ?? 89 + 4D ?? 8B 55 ?? 2B 55 ?? 89 55 ?? 8B 45 ?? 03 45 ?? 89 45 ?? EB 99 83 7D ?? ?? 75 15 8B 4D ?? 89 4D ?? 8B 55 ?? 8B 45 ?? + 2B 02 8B 4D ?? 89 01 EB 18 8B 55 ?? 8B 02 50 8B 4D ?? 8B 11 52 6A ?? E8 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 45 ?? 8B E5 5D C2 + ?? ?? + } + + $dd_encrypt = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84 89 01 00 00 83 7D ?? ?? 0F 84 7F 01 00 00 83 7D ?? ?? 0F 84 75 + 01 00 00 83 7D ?? ?? 0F 84 6B 01 00 00 83 7D ?? ?? 0F 84 61 01 00 00 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 8B 4D ?? 83 E9 + ?? 89 4D ?? 8B 55 ?? 89 55 ?? 6A ?? 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 0F 84 26 01 + 00 00 8B 55 ?? 3B 55 ?? 76 08 8B 45 ?? 89 45 ?? EB 06 8B 4D ?? 89 4D ?? 8B 55 ?? 89 55 ?? 8B 45 ?? 33 D2 F7 75 ?? 0F AF + 45 ?? 8B 4D ?? 
8B 11 03 D0 03 55 ?? 89 55 ?? 8B 45 ?? 50 8B 4D ?? 8B 11 52 6A ?? E8 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 55 ?? + 83 3A ?? 0F 84 CF 00 00 00 8B 45 ?? 8B 08 8B 55 ?? 03 0A 89 4D ?? 83 7D ?? ?? 0F 84 84 00 00 00 8B 45 ?? 3B 45 ?? 73 08 + 8B 4D ?? 89 4D ?? EB 06 8B 55 ?? 89 55 ?? 8B 45 ?? 89 45 ?? 6A ?? 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B + 4D ?? 89 4D ?? 8B 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 02 EB 2D 8B + 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 55 ?? 03 55 ?? 89 55 ?? 8B 45 ?? 2B 45 ?? 89 45 ?? 8B 4D ?? 03 4D ?? 89 4D ?? E9 + 72 FF FF FF 83 7D ?? ?? 75 16 8B 55 ?? 8B 45 ?? 2B 02 8B 4D ?? 89 01 C7 45 ?? ?? ?? ?? ?? EB 18 8B 55 ?? 8B 02 50 8B 4D + ?? 8B 11 52 6A ?? E8 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 45 ?? 8B E5 5D C2 ?? ?? + } + + $dd_provparam = { + 55 8B EC 83 EC ?? 83 7D ?? ?? 0F 84 94 00 00 00 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? 6A ?? + 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 74 3F 8B 55 ?? 83 C2 ?? 52 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 2A 6A ?? 8D 45 ?? + 50 8B 4D ?? 51 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 10 8B 45 ?? 50 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8B + 4D ?? 51 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 1D 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 E8 + ?? ?? ?? ?? 8B E5 5D C2 ?? ?? + } + + $dd_acquirecontext = { + 55 8B EC 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 0B 8B 45 ?? 0D ?? ?? ?? ?? 89 45 ?? C7 45 ?? + ?? ?? ?? ?? 83 7D ?? ?? 75 07 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 45 ?? 50 6A ?? 6A ?? 6A ?? 8D 4D ?? 51 E8 ?? ?? ?? + ?? 8B 55 ?? 52 6A ?? 8B 45 ?? 50 8D 4D ?? 51 8D 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 39 8B 45 ?? 83 C8 ?? 50 6A ?? 8B 4D + ?? 51 8D 55 ?? 52 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 1A 6A ?? 6A ?? 6A ?? 8D 4D ?? 51 8D 55 ?? 52 FF 15 ?? ?? ?? ?? + 85 C0 75 02 EB 0E 6A ?? FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 9D 8B 45 ?? 8B E5 5D C2 ?? ?? + } + + $dd_mrwhite = { + 55 8B EC 81 EC ?? ?? ?? ?? 
C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84 64 01 00 00 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 12 83 3D ?? ?? ?? ?? ?? 74 09 83 3D ?? ?? ?? ?? ?? 75 05 E9 13 + 01 00 00 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 85 C0 75 05 E9 F0 00 00 00 8B 95 + ?? ?? ?? ?? 52 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 + 05 E9 C0 00 00 00 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 85 C0 74 09 83 BD ?? ?? ?? ?? ?? 73 05 E9 9B + 00 00 00 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 75 02 EB 72 8B 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 02 83 C0 ?? 3B 85 ?? ?? ?? ?? 76 02 EB 51 8B 8D ?? + ?? ?? ?? 83 39 ?? 74 3E 0F B7 95 ?? ?? ?? ?? 83 FA ?? 75 32 8B 85 ?? ?? ?? ?? 8B 08 51 8B 95 ?? ?? ?? ?? 83 C2 ?? 52 6A + ?? 8D 85 ?? ?? ?? ?? 50 8B 0D ?? ?? ?? ?? 51 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 89 45 ?? 33 C0 0F 85 CD FE FF FF 8D 8D + ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8B 45 ?? 8B E5 5D C2 ?? ?? + } + + condition: + uint16(0) == 0x5A4D and ($dd_ep at pe.entry_point) and $dd_hash and $dd_getkey and $dd_destroykey and $dd_importkey and $dd_decrypt and $dd_encrypt + and $dd_provparam and $dd_acquirecontext and $dd_mrwhite +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.District.yara b/yara/ransomware/Win32.Ransomware.District.yara new file mode 100644 index 0000000..dcc314a --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.District.yara 
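Review bot: Every branch displacement in the ten `$dd_*` strings is hard-coded (`0F 84 BF 00 00 00`, `74 1F`, `EB DC`, `0F 85 74 FF FF FF`, `E9 72 FF FF FF`, …) while the other rules in this commit wildcard them (`74 ??`, `0F 84 ?? ?? ?? ??`), and the condition requires all ten strings plus an exact `$dd_ep at pe.entry_point`. A variant rebuilt with one basic block a byte longer, or a padded entry stub, misses on several strings at once, so as written the rule is effectively a single-build signature; wildcarding the displacements, e.g. `0F 84 ?? ?? ?? ??` for `0F 84 BF 00 00 00` and `74 ??` for `74 1F`, keeps the specificity of the ten distinct routine shapes (named after CryptoAPI calls) while tolerating relinks. Since `pe` is already imported, `pe.is_pe` is also the idiomatic replacement for `uint16(0) == 0x5A4D`, which today tests only the MZ magic.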
@@ -0,0 +1,194 @@ +rule Win32_Ransomware_District : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DISTRICT" + description = "Yara rule that detects District ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "District" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 + 24 ?? 8B F1 8D 4D ?? 50 E8 ?? ?? ?? ?? 40 C7 44 24 ?? ?? ?? ?? ?? 6A ?? 33 C9 C7 44 + 24 ?? ?? ?? ?? ?? 50 8D 45 ?? 66 89 4C 24 ?? 50 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 EC ?? + C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 40 C7 84 24 ?? ?? ?? + ?? ?? ?? ?? ?? 33 C9 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 50 51 8D 45 ?? 66 89 8C 24 ?? + ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 8D + 44 24 ?? 8D 4C 24 ?? 50 E8 ?? ?? ?? ?? 40 C7 44 24 ?? ?? ?? ?? ?? 6A ?? 33 C9 C7 44 + 24 ?? ?? ?? ?? ?? 50 8D 44 24 ?? 66 89 4C 24 ?? 50 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 EC + ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 8D 4C 24 ?? 50 E8 ?? ?? ?? ?? 33 C9 C7 44 24 + ?? ?? ?? ?? ?? 50 51 8D 44 24 ?? 66 89 4C 24 ?? 50 8D 4C 24 ?? C7 44 24 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? 6A ?? 50 66 89 44 24 ?? 8D 4C 24 ?? + 8D 45 ?? C7 44 24 ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 6A ?? 56 8D 4C 24 ?? E8 ?? + ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 6A ?? 0F 43 45 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? + ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 66 0F 6E C0 F3 0F E6 C0 C1 E8 ?? F2 0F 58 04 C5 + ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 56 E8 ?? ?? ?? ?? 56 8B D8 + } + + $encrypt_files_p2 = { + E8 ?? ?? ?? ?? 83 C4 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 0F 1F 40 ?? 0F 1F 84 00 + ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 6A ?? A3 ?? ?? ?? ?? 
8D 44 24 ?? 50 56 + 53 57 89 0D ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 56 FF 74 24 ?? 8B D3 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? F7 D8 6A + ?? 6A ?? 50 57 FF 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 56 FF 74 24 ?? 57 FF 15 ?? ?? + ?? ?? 83 6C 24 ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 + FF 15 ?? ?? ?? ?? 83 7C 24 ?? ?? 8D 4C 24 ?? 8D 45 ?? 0F 43 4C 24 ?? 83 7D ?? ?? 51 + 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 83 F8 ?? 72 ?? 40 8D 4C 24 ?? 50 FF 74 + 24 ?? E8 ?? ?? ?? ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 ?? 8B 44 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 4C 24 ?? 50 FF 74 24 ?? E8 ?? ?? ?? ?? 33 C0 + C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 ?? 8B 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 83 F8 ?? + 72 ?? 40 8D 4C 24 ?? 50 FF 74 24 ?? E8 ?? ?? ?? ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? 66 + 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 4C 24 + ?? 50 FF 74 24 ?? E8 ?? ?? ?? ?? 33 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 44 24 + ?? 8B 44 24 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 4C 24 ?? 50 FF + 74 24 ?? E8 ?? ?? ?? ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 ?? 89 44 24 ?? 8B + 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 77 ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 + C1 ?? 75 ?? 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 ?? 72 ?? 83 F9 ?? 77 ?? 8B C8 51 E8 ?? + ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C2 + } + + $find_files = { + 53 55 56 57 6A ?? 8B F1 E8 ?? ?? ?? ?? 83 C4 ?? 8D 9E ?? ?? ?? ?? 8B E8 53 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 53 50 89 45 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D BE ?? ?? ?? + ?? 0F 1F 80 ?? ?? ?? ?? F6 03 ?? 57 74 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 75 ?? 57 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 50 8B CE E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 84 C0 74 + ?? 8B CE E8 ?? ?? ?? ?? 53 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 80 7C 24 ?? ?? 75 + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 55 E8 ?? ?? ?? ?? 83 C4 ?? 
5F 5E 5D + 5B C2 + } + + $enum_resources_1_p1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 55 56 57 33 C0 C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 + ?? 8B DA 8D 44 24 ?? 89 5C 24 ?? 50 51 6A ?? 6A ?? 6A ?? C7 44 24 ?? ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 3D ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? + 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? BE ?? ?? + ?? ?? E9 ?? ?? ?? ?? 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 50 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 3D + ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 ED 89 + 6C 24 ?? 39 6C 24 ?? 0F 86 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 85 DB 0F 8E ?? ?? ?? ?? C1 + E5 ?? 8B F3 89 6C 24 ?? 89 5C 24 ?? 0F 1F 84 00 ?? ?? ?? ?? 83 BC 2C ?? ?? ?? ?? ?? + 0F 85 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 74 ?? 8B 84 2C ?? ?? ?? ?? 66 83 78 ?? ?? 8D + 50 ?? 74 ?? 8D B4 24 ?? ?? ?? ?? 8D 48 ?? 8A 01 8D 52 ?? 88 06 8D 76 ?? 66 83 3A + } + + $enum_resources_1_p2 = { + 8D 49 ?? 75 ?? 8B 74 24 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 + 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B4 2C ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 6A ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? FF 70 ?? 8B 40 ?? 83 E0 ?? 50 8D 84 24 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 74 24 ?? 83 C4 ?? C6 44 24 ?? ?? 8B 56 ?? + F6 C2 ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 + A1 ?? ?? ?? ?? 66 89 41 ?? F6 C2 ?? 74 ?? 8D 4C 24 ?? 49 0F 1F 44 00 ?? 8A 41 ?? 8D + 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? A0 ?? ?? ?? ?? + 88 41 ?? F6 C2 ?? 74 ?? 8D 4C 24 ?? 49 0F 1F 00 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 66 89 41 ?? A0 ?? ?? ?? ?? + 88 41 ?? F6 C2 ?? 74 ?? 
8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? + 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F6 C2 ?? 74 ?? 8D 4C 24 ?? 49 66 0F 1F 44 00 ?? + 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F6 + } + + $enum_resources_1_p3 = { + C2 ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 A1 ?? + ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? F6 C2 ?? 74 ?? 8D + 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 + 89 41 ?? 84 D2 79 ?? 8D 4C 24 ?? 49 0F 1F 40 ?? 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 66 + 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 + ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 66 + 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D + 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 + ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? F7 C2 ?? ?? ?? ?? 74 + } + + $enum_resources_2_p1 = { + 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 A1 ?? ?? ?? + ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 ?? ?? ?? ?? + 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 A1 ?? ?? ?? + ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? + 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 ?? ?? + ?? ?? 74 ?? 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 + 66 A1 ?? ?? ?? ?? 66 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? F7 C2 ?? ?? 
?? ?? 74 ?? 8D 4C + 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 + 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? + ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A + 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 + ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 + A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A0 ?? ?? ?? ?? 88 41 ?? F7 C2 ?? ?? + ?? ?? 74 ?? 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 + } + + $enum_resources_2_p2 = { + 01 A1 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D + 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 + 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 + 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? F7 + C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 + 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? 85 D2 79 + ?? 8D 4C 24 ?? 49 66 0F 1F 44 00 ?? 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 + 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A0 ?? ?? + ?? ?? 88 41 ?? F7 C2 ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? 49 66 90 8A 41 ?? 8D 49 ?? 84 C0 + 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ?? 8D 4C 24 ?? 8D 51 ?? 8A 01 + 41 84 C0 75 ?? 2B CA 56 88 44 0C ?? FF D7 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 8D + } + + $enum_resources_2_p3 = { + 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 74 24 ?? FF D7 8B BC 2C ?? ?? ?? ?? 33 D2 + 8B CF 8D 71 ?? 8A 01 41 84 C0 75 ?? 2B CE 8D 43 ?? 03 C1 74 ?? 8B 6C 24 ?? 8B DF 8B + CB 42 8D 71 ?? 0F 1F 00 8A 01 41 84 C0 75 ?? 2B CE 8D 45 ?? 03 C1 3B D0 72 ?? 8B 6C + 24 ?? 8B 5C 24 ?? 
8B CF 33 D2 8D 71 ?? 8A 01 41 84 C0 75 ?? 2B CE 8D 43 ?? 03 C1 74 + ?? 8B 9C 2C ?? ?? ?? ?? 8B 6C 24 ?? 0F 1F 40 ?? 8B CB 42 8D 71 ?? 8A 01 41 84 C0 75 + ?? 2B CE 8D 45 ?? 03 C1 3B D0 72 ?? 8B 6C 24 ?? 8B 5C 24 ?? 33 D2 8D 4F ?? 8A 07 47 + 84 C0 75 ?? 2B F9 8D 43 ?? 03 C7 74 ?? 8B BC 2C ?? ?? ?? ?? 0F 1F 40 ?? 8B C7 42 8D + 70 ?? 8A 08 40 84 C9 75 ?? 2B C6 40 03 C3 3B D0 72 ?? 8B 3D ?? ?? ?? ?? 8B 74 24 ?? + 83 EE ?? 89 74 24 ?? 0F 85 ?? ?? ?? ?? 8B 6C 24 ?? 8B F5 C1 E6 ?? 8B 84 34 ?? ?? ?? + ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? FF 24 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 94 34 ?? ?? ?? ?? 66 83 3A ?? 75 ?? 33 C9 EB ?? 8B CA + } + + $enum_resources_2_p4 = { + 8D 79 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CF D1 F9 51 52 8D 4C 24 ?? E8 ?? ?? ?? + ?? 8D 44 24 ?? B9 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 94 34 ?? ?? ?? ?? + 66 83 3A ?? 75 ?? 33 C9 EB ?? 8B CA 8D 79 ?? 0F 1F 44 00 ?? 66 8B 01 83 C1 ?? 66 85 + C0 75 ?? EB ?? 8B 94 34 ?? ?? ?? ?? 66 83 3A ?? 75 ?? 33 C9 EB ?? 8B CA 8D 79 ?? 66 + 8B 01 83 C1 ?? 66 85 C0 75 ?? EB ?? 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? EB ?? 68 ?? + ?? ?? ?? EB ?? 68 ?? ?? ?? ?? EB ?? 8B 94 34 ?? ?? ?? ?? 66 83 3A ?? 75 ?? 33 C9 E9 + ?? ?? ?? ?? 8B CA 8D 79 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? E9 ?? ?? ?? ?? 68 ?? ?? + ?? ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? F6 84 34 ?? ?? ?? ?? ?? 74 ?? 8D + 8C 24 ?? ?? ?? ?? 8D 53 ?? 03 CE E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 45 89 6C 24 ?? 3B + 6C 24 ?? 0F 82 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 33 F6 8B 44 24 ?? 83 F8 ?? + 72 ?? 8B 4C 24 ?? 40 3D ?? ?? ?? ?? 77 ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 75 ?? + 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 ?? 72 ?? 83 F9 ?? 77 ?? 8B C8 51 E8 ?? ?? ?? ?? 83 + C4 ?? 5F 8B C6 5E 5D 5B 81 C4 ?? ?? ?? ?? 
C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($encrypt_files_p*) + ) and + ( + $find_files + ) and + ( + all of ($enum_resources_1_p*) + ) and + ( + all of ($enum_resources_2_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.DogeCrypt.yara b/yara/ransomware/Win32.Ransomware.DogeCrypt.yara new file mode 100644 index 0000000..0400e2a --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.DogeCrypt.yara 
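Review bot: The condition of `Win32_Ransomware_District` gates only on the DOS magic `uint16(0) == 0x5A4D`, so any MZ-prefixed blob (DOS stubs, overlays, non-PE files) is scanned against all ten long, wildcard-heavy hex patterns; adding the PE signature test `uint32(uint32(0x3C)) == 0x00004550` right after the MZ check (the raw-offset form, since no `import "pe"` is visible in this file) rejects those at the same cost as the existing test. The meta block carries author/status/sharing but no `hash` or `reference` field, so nobody can re-validate the signature against the sample it was cut from once a recompile of the family shifts these byte sequences; a `hash = "<sha256 of the reference sample>"` line would fix that. The `$enum_resources_*` parts are dominated by what looks like compiler-inlined string copies (`8D 4C 24 ?? 49 8A 41 ?? 8D 49 ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 89 01 66 A1 ?? ?? ?? ?? 66 89 41 ??` repeated), which is probably acceptable because the condition ANDs them with the other routines, but a one-line comment above those strings saying so would help the next maintainer judge whether they can be trimmed.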
@@ -0,0 +1,114 @@ +rule Win32_Ransomware_DogeCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DOGECRYPT" + description = "Yara rule that detects DogeCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DogeCrypt" + tc_detection_factor = 5 + + strings: + + $encrypt_files_DogeCrypt_p1 = { + 50 E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? BA ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 0F 43 15 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 2B C6 89 B5 ?? ?? ?? ?? 3B C8 77 ?? 83 BD ?? ?? ?? ?? + ?? 8D 3C 31 8D 04 09 89 BD ?? ?? ?? ?? 50 8B 85 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 0F 43 + B5 ?? ?? ?? ?? 52 8D 04 46 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 04 7E EB ?? 51 52 + C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? + ?? 8D 45 ?? 8B 35 ?? ?? ?? ?? 0F 43 45 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? 50 FF D6 8B F8 83 FF ?? 74 ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A + ?? 0F 43 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF D6 8B + F0 83 FE ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B + 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? + 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? + ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? + ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? + ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? + ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? + ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? + ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? + ?? 
?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 + } + + $encrypt_files_DogeCrypt_p2 = { + C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 83 + FA ?? 0F 82 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? + ?? 0F 82 ?? ?? ?? ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 90 6A ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF + 15 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? 0F 42 DA 85 C0 74 + ?? 85 C9 74 ?? 51 8D 85 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? + 53 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? EB ?? 56 8B 35 ?? ?? ?? ?? FF D6 57 + FF D6 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 52 51 E8 + ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 33 C0 66 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? + ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 + C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + $find_files_DogeCrypt = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? ?? + ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? FF + 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 5D ?? 8B + CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 EB ?? 8B + 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 FF + 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 + C5 89 45 ?? 8B 4D ?? 53 8B 5D ?? 57 8B 7D ?? 89 9D ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 
51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 53 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 DB + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8A C3 80 FA ?? 75 ?? B0 ?? 0F B6 C0 2B CF 41 F7 D8 56 + 1B C0 23 C1 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 53 53 53 50 53 57 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? + ?? 83 FE ?? 75 ?? 50 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 83 FE ?? 74 ?? 56 FF 15 + ?? ?? ?? ?? 8B C3 5E 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 + C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 38 9D ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 + 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $decrypt_DesucryptKeyContainer_DogeCrypt = { + 68 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8D 55 ?? 83 7D ?? ?? 8B 5D ?? 8B 35 ?? ?? ?? ?? 0F 43 D3 A1 ?? ?? ?? ?? 8B + 4D ?? 2B C6 89 75 ?? 3B C8 77 ?? 83 3D ?? ?? ?? ?? ?? 8D 3C 31 8D 04 09 89 3D ?? ?? + ?? ?? 50 8B 45 ?? BE ?? ?? ?? ?? 0F 43 35 ?? ?? ?? ?? 52 8D 04 46 50 E8 ?? ?? ?? ?? + 83 C4 ?? 33 C0 66 89 04 7E EB ?? 51 52 C6 45 ?? ?? FF 75 ?? 51 B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 5D ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8D 0C 45 ?? ?? ?? ?? + 8B C3 81 F9 ?? ?? ?? ?? 72 ?? 8B 5B ?? 83 C1 ?? 2B C3 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? + ?? ?? 51 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 6A ?? 0F 43 + 05 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 6A ?? 68 ?? ?? + ?? ?? 56 FF D3 83 F8 ?? 0F 85 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? 
+ ?? 50 E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 8D 45 ?? 6A ?? + 50 C6 07 ?? FF 35 ?? ?? ?? ?? 57 56 FF D3 83 F8 ?? 75 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? + ?? ?? 57 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? BA ?? ?? ?? ?? B9 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? + ?? ?? EB ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? + ?? ?? 8B E5 5D C3 E8 ?? ?? ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + $decrypt_DesucryptKeyContainer_DogeCrypt + ) and + ( + $find_files_DogeCrypt + ) and + ( + all of ($encrypt_files_DogeCrypt_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Dragon.yara b/yara/ransomware/Win32.Ransomware.Dragon.yara new file mode 100644 index 0000000..1ec8c2b --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Dragon.yara 
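Review bot: `$find_files_DogeCrypt` appears to be statically linked MSVC CRT code rather than DogeCrypt's own directory walk: it opens with the hot-patch prologue `8B FF 55 8B EC`, contains the `33 FF 57 57 57 57 57 E8 ?? ?? ?? ?? CC` tail (five zero pushes into a call, then an `int 3` pad) that closes one function before matching a second function's prologue, and the six-argument import call `53 53 53 50 53 57 FF 15` followed by a `cmp esi, -1` style `83 FE ?? 75 ??` has the shape of the CRT's `FindFirstFileExA` call in its wildcard-argv expansion. If so, this string carries no family-specific signal and will match every binary built against that CRT version, so the rule's specificity rests entirely on `$decrypt_DesucryptKeyContainer_DogeCrypt` and `$encrypt_files_DogeCrypt_p*`. I would either replace it with bytes from the ransomware's own enumeration routine or, at minimum, add `// likely CRT wildcard/findfirst helper, corroborating anchor only — not DogeCrypt-specific` above it so it is not mistaken for a discriminating pattern; this is inferred from the byte shapes, so confirm against the sample before cutting it.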
@@ -0,0 +1,149 @@ +rule Win32_Ransomware_Dragon : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DRAGON" + description = "Yara rule that detects Dragon ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Dragon" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 88 45 ?? 83 EC ?? 89 45 ?? 8B + CC 89 A5 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? BA ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 56 8B D0 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 + 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? + ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? + ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? + ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 + } + + $remote_connection_p2 = { + 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? + 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? + ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F + 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 8D 4D ?? 8D 55 ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 0F 43 4D ?? 51 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
C6 85 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 83 FA + ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? + 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B + 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? + 64 89 0D ?? ?? ?? ?? 59 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 83 EC ?? 89 8D ?? + ?? ?? ?? 8B D4 8D 71 ?? C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C6 02 ?? 8A 01 41 + 84 C0 75 ?? 2B CE 8B B5 ?? ?? ?? ?? 51 56 8B CA E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8D + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 8B 1D + } + + $find_files_2 = { + 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 8A 11 3A 10 75 ?? 84 D2 74 ?? 8A 51 ?? 3A 50 ?? 75 ?? 83 C1 ?? 83 C0 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? 56 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 51 8B D4 8D 8D ?? ?? ?? ?? + 8D 71 ?? C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C6 02 ?? 8A 01 41 84 C0 75 ?? 2B + CE 8D 85 ?? ?? ?? ?? 51 50 8B CA E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 74 ?? + 83 EC ?? 8B CC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 57 FF D3 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 5F + 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $skip_hk_china_taiwan_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? 
A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 88 45 ?? 89 45 ?? 8D 4D ?? 6A ?? + 68 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 88 45 ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D + 4D ?? 83 7D ?? ?? 8D 55 ?? 0F 43 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? + 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + C6 45 ?? ?? 8D 4D ?? 6A ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 + ?? 0F 85 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? + ?? ?? 6A ?? 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? + 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 + C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 + ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 + ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 8D ?? + ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 + } + + $skip_hk_china_taiwan_p2 = { + 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 + 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? + ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 + C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? B0 ?? + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? 33 CD E8 ?? ?? 
?? ?? 8B E5 5D C3 8B 55 ?? + 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 + C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 + ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 + ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 8D ?? + ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? + 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 + 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? + ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 + 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? E8 + ?? ?? ?? ?? E8 + } + + $crypt_files = { + 8B FF 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 8B 45 ?? 89 45 ?? 89 + 4D ?? 56 8B 75 ?? 85 C9 75 ?? 33 C0 E9 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? ?? ?? 83 20 + ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C8 ?? E9 ?? ?? ?? ?? 53 8B C6 + 8B D6 C1 FA ?? 83 E0 ?? 57 6B F8 ?? 89 55 ?? 8B 14 95 ?? ?? ?? ?? 89 7D ?? 8A 5C 3A + ?? 80 FB ?? 74 ?? 80 FB ?? 75 ?? 8B C1 F7 D0 A8 ?? 75 ?? E8 ?? ?? ?? ?? 83 20 ?? E8 + ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? F6 44 3A ?? ?? 74 ?? 6A + ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 8D 7D ?? AB 56 AB AB E8 ?? ?? ?? ?? + 59 84 C0 74 ?? 84 DB 74 ?? FE CB 80 FB ?? 8B 5D ?? 0F 87 ?? ?? ?? ?? FF 75 ?? 8D 45 + ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 E9 ?? ?? ?? ?? FF 75 ?? 8B 5D ?? 8D 45 ?? 53 + 56 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8B 4D ?? 8B 55 ?? 8B 04 8D ?? ?? ?? ?? 80 7C 10 + ?? ?? 7D ?? 0F BE C3 8B 5D ?? 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 83 E8 ?? 75 ?? FF 75 ?? + 8D 45 ?? 53 56 50 E8 ?? ?? ?? ?? EB ?? FF 75 ?? 8D 45 ?? 53 56 50 E8 ?? ?? ?? ?? EB + ?? FF 75 ?? 8D 45 ?? 53 56 50 E8 ?? 
?? ?? ?? EB ?? 8B 4C 10 ?? 8D 7D ?? 8B 5D ?? 33 + C0 AB 6A ?? AB AB 8D 45 ?? 50 FF 75 ?? 53 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? + ?? ?? ?? 89 45 ?? 8D 75 ?? 8D 7D ?? A5 A5 A5 8B 4D ?? 8B 55 ?? 8B 45 ?? 85 C0 75 ?? + 8B 45 ?? 85 C0 74 ?? 6A ?? 5E 3B C6 75 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 30 EB ?? 50 E8 ?? ?? ?? ?? 59 EB ?? 8B 04 8D ?? ?? ?? ?? F6 44 10 ?? ?? 74 + ?? 80 3B ?? 75 ?? 33 C0 EB ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 20 + ?? 83 C8 ?? EB ?? 2B 45 ?? 5F 5B 8B 4D ?? 33 CD 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($skip_hk_china_taiwan_p*) + ) and + ( + all of ($find_files_*) + ) and + ( + $crypt_files + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Dualshot.yara b/yara/ransomware/Win32.Ransomware.Dualshot.yara new file mode 100644 index 0000000..63379cb --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Dualshot.yara 
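Review bot: `$crypt_files` in `Win32_Ransomware_Dragon` looks like the MSVC CRT's `_write_nolock` rather than Dragon's encryption routine: the visible bytes are the `8B FF 55 8B EC` hot-patch prologue with stack-cookie setup, the `83 20 ?? ... C7 00 ?? ?? ?? ??` pair that zeroes one errno-style global and stores a constant into another before a helper call and an `83 C8 ??` (or eax, -1) return, the `8B 14 95 ?? ?? ?? ?? ... 8A 5C 3A ?? 80 FB ?? 74 ?? 80 FB ?? 75 ??` table walk that indexes a per-handle array by `fh >> 5` and `fh & 31`, and a five-argument `8D 45 ?? 50 FF 75 ?? 53 51 FF 15` import call followed by a second `FF 15` on failure, which is the shape of `WriteFile` plus `GetLastError` in that function. If that reading is right, the string is present in every binary that statically links that CRT version and contributes nothing family-specific, so the name overstates what it detects and the real discriminators are `$skip_hk_china_taiwan_p*`, `$find_files_*` and `$remote_connection_p*`. I would rename it (e.g. `$crt_write_nolock`) and add `// CRT _write_nolock, corroborating only — not Dragon-specific` above it, or replace it with bytes from the routine that actually drives the per-file encryption; this is inferred from the byte shapes, so verify against the sample first.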
@@ -0,0 +1,112 @@ +rule Win32_Ransomware_Dualshot : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DUALSHOT" + description = "Yara rule that detects Dualshot ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Dualshot" + tc_detection_factor = 5 + + strings: + + $internal_encrypt_file = { + 02 28 ?? ?? ?? ?? 0A 02 28 ?? ?? ?? ?? 0B 02 28 ?? ?? ?? ?? 0C 02 28 ?? ?? ?? ?? 03 28 + ?? ?? ?? ?? 0D 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 25 09 16 09 8E 69 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 06 28 ?? ?? ?? ?? 02 72 ?? ?? + ?? ?? 28 ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 08 28 ?? ?? ?? + ?? 02 1B 19 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? 00 02 28 ?? ?? ?? ?? DE ?? 26 + DE ?? 2A + } + + $encrypt_files_p1 = { + 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? + 8E 69 32 ?? DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 ?? 11 ?? 8E 69 3F ?? ?? ?? ?? 11 ?? 13 + ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 11 ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? + 17 58 13 ?? 11 ?? 11 ?? 8E 69 32 ?? 72 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? + ?? ?? 72 ?? ?? ?? ?? 08 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 25 28 ?? ?? ?? ?? 11 + ?? 6F ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 8E 69 6F ?? ?? ?? ?? 6F ?? ?? + ?? ?? 06 72 ?? ?? ?? ?? 12 ?? 6F ?? ?? ?? ?? 26 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 08 1F ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 + ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 11 ?? 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F ?? + ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 11 ?? + 28 ?? 
?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DE ?? + 26 DE ?? 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 08 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 13 ?? 12 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 1B 8D ?? ?? ?? ?? 25 16 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 11 ?? A2 25 19 72 ?? ?? ?? ?? A2 25 1A 11 ?? + A2 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 09 2C ?? 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F + ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2B ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 11 ?? + 72 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A + } + + $encrypt_files_p2 = { + 02 16 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 02 17 9A 28 ?? ?? ?? ?? 13 ?? 02 + 18 9A 28 ?? ?? ?? ?? 2C ?? 02 18 9A 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 02 18 9A 1B 19 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? 02 18 + 9A 28 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 + ?? ?? ?? ?? 2A 1F ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 08 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 12 ?? 6F ?? ?? ?? ?? 26 07 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 18 8D ?? ?? + ?? ?? 25 16 72 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 00 + 1B 8D ?? ?? ?? ?? 25 16 28 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 08 20 ?? ?? ?? + ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 + 25 1A 11 ?? 08 11 ?? 8E 69 6F ?? ?? ?? ?? 9A A2 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? + ?? 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 11 ?? 6F ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F + ?? ?? ?? ?? 
25 17 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DE ?? 26 DE ?? 11 ?? 17 58 13 ?? 11 + ?? 1F ?? 3F ?? ?? ?? ?? 73 ?? ?? ?? ?? 25 17 6F ?? ?? ?? ?? 25 16 6F ?? ?? ?? ?? 25 17 + 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 25 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? + 6F ?? ?? ?? ?? 2A + } + + $find_files_p1 = { + 73 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 06 72 ?? ?? ?? ?? 72 + ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 2C ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 28 ?? ?? ?? ?? 16 28 ?? ?? + ?? ?? 02 8E 39 ?? ?? ?? ?? 02 16 9A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 39 ?? ?? ?? ?? 16 0D + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 17 0D 20 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 1F ?? 1B 28 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? 13 ?? 6F ?? ?? ?? ?? 13 ?? 28 + ?? ?? ?? ?? 72 ?? ?? ?? ?? 08 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 25 11 ?? 16 11 + ?? 8E 69 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 8D ?? ?? ?? ?? 13 ?? 1C 8D ?? ?? ?? ?? 25 16 + 72 ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? + A2 25 1A 72 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 13 ?? 1F ?? 8D ?? ?? ?? ?? 25 16 72 + ?? ?? ?? ?? A2 25 17 72 ?? ?? ?? ?? A2 25 18 72 ?? ?? ?? ?? A2 25 19 72 ?? ?? ?? ?? A2 + 25 1A 72 ?? ?? ?? ?? A2 25 1B 72 ?? ?? ?? ?? A2 25 1C 72 ?? ?? ?? ?? A2 25 1D 72 ?? ?? + ?? ?? A2 25 1E 72 ?? ?? ?? ?? A2 25 1F ?? 72 ?? ?? ?? ?? A2 25 1F ?? 72 + } + + $find_files_p2 = { + A2 13 ?? 1F ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 6F ?? + ?? ?? ?? 6F ?? ?? ?? ?? 1C 32 ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 13 ?? + 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 72 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? + 72 ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 
13 ??
+ 16 13 ?? 2B ?? 11 ?? 11 ?? 9A 13 ?? 11 ?? 72 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ??
+ ?? ?? 2C ?? 12 ?? 11 ?? 8E 69 17 58 28 ?? ?? ?? ?? 11 ?? 11 ?? 16 6F ?? ?? ?? ?? 11 ??
+ A2 2B
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $internal_encrypt_file
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Encoded01.yara b/yara/ransomware/Win32.Ransomware.Encoded01.yara
new file mode 100644
index 0000000..615504d
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Encoded01.yara
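Review bot: The condition gates only on `uint16(0) == 0x5A4D`, so any MZ-headed file of any size is scanned in full for these long wildcarded byte strings; the Encoded01, Erica, FCT, FLKR and FarAttack rules below share the same shape. A size bound in the same position, `uint16(0) == 0x5A4D and filesize < 10MB and` (the 10MB figure is illustrative; take it from the sample set), keeps per-file cost bounded when the ruleset is run over many files. The opcode sequences in this rule's strings (`28 ?? ?? ?? ??`, `6F ?? ?? ?? ??`, `72 ?? ?? ?? ??`, a trailing `2A`) look like CIL rather than x86, which would make this a .NET sample despite the `Win32_` naming; worth confirming and, if so, saying so in `description` so a hit is triaged with the right tooling. Each new file also ends without a trailing newline (`\ No newline at end of file`), which some linters flag; ending the files with a newline avoids that.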
@@ -0,0 +1,141 @@ +rule Win32_Ransomware_Encoded01 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ENCODED01" + description = "Yara rule that detects Encoded01 ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Encoded01" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 51 B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 ?? 51 87 4D ?? 53 56 57 89 4D ?? 89 55 + ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 8C ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 8B 15 ?? ?? ?? ?? 8B 12 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 8E ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 55 ?? 66 83 7C 42 ?? ?? 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 4A 8D 45 ?? E8 ?? + ?? ?? ?? 8B 7D ?? 4F 85 FF 0F 8C ?? ?? ?? ?? 47 8D 85 ?? ?? ?? ?? 50 FF 75 ?? 68 ?? + ?? ?? ?? 8B 45 ?? 8B 55 ?? FF 34 90 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? + 33 F6 46 81 FE ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 8D + 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 85 ?? + ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? + 8B 45 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8A 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 + } + + $find_files_p2 = { + C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 12 E8 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8A 55 ?? 
8B 45 ?? E8 ?? + ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? A1 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 89 55 ?? 6A ?? 68 ?? + ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 50 ?? 8B 00 E8 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 3B 55 ?? 75 ?? 3B 45 ?? 0F 86 ?? ?? ?? ?? EB ?? 0F 8E ?? ?? ?? ?? 83 7D ?? ?? + 75 ?? 83 7D ?? ?? 0F 86 ?? ?? ?? ?? EB ?? 0F 8E ?? ?? ?? ?? 8B 45 ?? 83 38 ?? 73 ?? + 8B 45 ?? E8 ?? ?? ?? ?? 40 03 C0 50 E8 ?? ?? ?? ?? 59 89 45 ?? 83 7D ?? ?? 0F 84 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 40 03 C0 50 8B 45 ?? E8 ?? + ?? ?? ?? 8B D0 8B 45 ?? 59 E8 ?? ?? ?? ?? 8B 45 ?? 50 6A ?? 8D 45 ?? 50 B9 ?? ?? ?? + ?? 33 D2 33 C0 E8 ?? ?? ?? ?? 8B D0 8B 45 ?? E8 ?? ?? ?? ?? EB ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 40 03 C0 50 E8 ?? ?? ?? ?? 59 89 45 ?? 83 7D ?? ?? 74 + ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 40 03 C0 50 8B 45 ?? E8 ?? ?? ?? + ?? 8B D0 8B 45 ?? 59 E8 ?? ?? ?? ?? 8B 45 ?? 50 6A ?? 8D 45 ?? 50 B9 ?? ?? ?? ?? 33 + D2 33 C0 E8 ?? ?? ?? ?? 8B D0 8B 45 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? EB ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 74 ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 8A 45 ?? 50 8A 45 ?? 50 FF 75 ?? 68 ?? ?? + ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B + 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 83 F8 ?? 1B C0 + 40 84 C0 0F 85 ?? ?? ?? ?? 83 FB ?? 74 ?? 53 E8 ?? ?? ?? ?? 4F + } + + $enum_resources = { + 55 8B EC 83 C4 ?? 53 56 57 8B F9 89 55 ?? 8B F0 8B 5D ?? C6 45 ?? ?? 33 C0 89 03 33 + C0 89 07 8D 45 ?? 50 8B 45 ?? 50 6A ?? 56 6A ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 89 03 83 3B ?? 74 ?? 83 3B ?? 74 ?? + C7 07 ?? ?? ?? ?? 8B 03 33 C9 8B 55 ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 8B 03 50 57 8B 45 + ?? 50 E8 ?? ?? ?? ?? 8B F0 81 FE ?? ?? ?? ?? 75 ?? 8B C3 8B 55 ?? E8 ?? ?? ?? ?? 
EB + ?? BE ?? ?? ?? ?? EB ?? 81 FE ?? ?? ?? ?? 74 ?? 85 F6 0F 94 45 ?? 80 7D ?? ?? 75 ?? + 8B 03 E8 ?? ?? ?? ?? 33 C0 89 03 33 C0 89 07 8B 45 ?? 50 E8 ?? ?? ?? ?? 8A 45 ?? 5F + 5E 5B 8B E5 5D C2 + } + + $remote_connection_p1 = { + BB ?? ?? ?? ?? 83 FB ?? 75 ?? 33 C0 89 45 ?? 83 FB ?? 75 ?? C7 45 ?? ?? ?? ?? ?? 8B + C6 E8 ?? ?? ?? ?? 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 FF 33 C0 89 45 ?? 8D 45 ?? + 50 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 5A 2B C2 83 C0 + ?? 50 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 83 C2 ?? 8B 45 ?? 59 E8 ?? ?? ?? + ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 66 BA ?? + ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 5A 2B C2 50 8D 85 ?? ?? ?? ?? 8B 55 ?? + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ?? 8B D0 42 8B 45 ?? 59 E8 + ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 66 BA ?? ?? E8 ?? ?? ?? ?? 8B C8 49 BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 85 FF 0F + 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 48 0F 8E ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 45 + ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A + ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 + 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 83 7D + ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 6A + } + + $remote_connection_p2 = { + 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 + ?? 8B 06 E8 ?? ?? ?? ?? 99 52 50 8B 45 ?? 03 C7 33 D2 3B 54 24 ?? 75 ?? 3B 04 24 5A + 58 76 ?? EB ?? 5A 58 7E ?? 8B 06 E8 ?? ?? ?? ?? 8B D0 81 C2 ?? ?? ?? ?? 8B C6 E8 ?? + ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 03 C7 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 03 7D + ?? 81 FF ?? ?? ?? 
?? 77 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? + 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A ?? 6A + ?? 8B 45 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? + ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B + 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 ?? 8B 06 E8 ?? ?? ?? ?? 99 52 50 + 8B 45 ?? 03 C7 33 D2 3B 54 24 ?? 75 ?? 3B 04 24 5A 58 76 ?? EB ?? 5A 58 7E ?? 8B 06 + E8 ?? ?? ?? ?? 8B D0 81 C2 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 03 + C7 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 03 7D ?? 81 FF ?? ?? ?? ?? 77 ?? 83 7D + ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 E8 + } + + $encrypt_files = { + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? + E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 + ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 + ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? + 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF + 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 + ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? + ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? BA ?? ?? 
?? ?? E8 ?? ?? ?? ?? 83 7D
+ ?? ?? 74
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_resources
+ ) and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Erica.yara b/yara/ransomware/Win32.Ransomware.Erica.yara
new file mode 100644
index 0000000..a885bb8
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Erica.yara
@@ -0,0 +1,76 @@ +rule Win32_Ransomware_Erica : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ERICA" + description = "Yara rule that detects Erica ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Erica" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 83 C4 ?? 53 56 57 89 4D ?? 8B F2 8B D8 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 + ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 89 45 ?? 8A 43 ?? 2C ?? 72 ?? 74 ?? EB ?? BF ?? + ?? ?? ?? EB ?? BF ?? ?? ?? ?? EB ?? BF ?? ?? ?? ?? 33 DB 68 ?? ?? ?? ?? 8B 45 ?? 50 + 8B 45 ?? 50 6A ?? 56 E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 45 ?? 50 6A ?? 6A ?? 57 8B 06 50 + E8 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? + 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 50 6A ?? 8B 45 ?? 50 8B 45 ?? 50 + 8B 06 50 E8 ?? ?? ?? ?? 85 C0 75 ?? BB ?? ?? ?? ?? EB ?? BB ?? ?? ?? ?? EB ?? BB ?? + ?? ?? ?? EB ?? BB ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 33 C0 5A + 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files_p2 = { + 8D 40 ?? 55 8B EC 83 C4 ?? 53 33 DB 89 5D ?? 89 5D ?? 8B D9 89 55 ?? 89 45 ?? 33 C0 + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 89 45 ?? 33 C0 89 45 ?? 33 C0 89 45 ?? 33 + C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? 50 8B 45 ?? 8D 50 ?? 8B 45 ?? 33 C9 + E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 83 C0 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B + 40 ?? E8 ?? ?? ?? ?? 8B D0 4A 8B 45 ?? 83 C0 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? E8 + ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 8B 45 ?? 8B 48 ?? 8B 45 ?? 8D 50 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 8B 45 ?? 50 53 8B 45 ?? 50 8B 45 ?? 50 8D 4D ?? 8D 55 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? + 8B 45 ?? 50 8D 45 ?? 
50 8B 45 ?? 83 C0 ?? E8 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 8B 45 + ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 8B 45 ?? 83 C0 ?? 8B 55 ?? + E8 ?? ?? ?? ?? 8B 45 ?? 50 8D 45 ?? 50 8B 45 ?? 83 C0 ?? E8 ?? ?? ?? ?? 50 6A ?? 6A + ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 85 C0 74 ?? C7 45 ?? ?? ?? + ?? ?? 8B 45 ?? 83 C0 ?? 8B 55 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? E8 ?? ?? ?? ?? EB + ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 83 C0 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? + ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 6A ?? 8B 45 + ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 8D 50 ?? 8B 45 ?? 8B 4D ?? E8 ?? ?? + ?? ?? C3 + } + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 DB 89 9D ?? ?? ?? ?? 89 5D ?? 8B D9 89 55 ?? 89 + 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF + 30 64 89 20 8B C3 E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? + 80 7C 02 ?? ?? 74 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 45 + ?? 80 38 ?? 75 ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 85 F6 0F 95 C0 EB ?? F7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 77 ?? 83 3B ?? 74 ?? 8B C3 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + FF 33 FF 75 ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 8B C3 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? + ?? ?? F7 D8 1B C0 F7 D8 84 C0 75 ?? 56 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
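Review bot: `$encrypt_files_p2` begins with `8D 40 ??` ahead of the `55 8B EC` prologue, which looks like compiler alignment filler placed before the function rather than part of it; if that filler differs between builds the whole string fails to match. Starting the pattern at `55 8B EC 83 C4 ?? 53 33 DB` drops the fragile lead-in while the remaining bytes stay long enough that specificity is not reduced in practice. Confirm against the sample before changing it, since the lead-in may be what separates this build from a sibling.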
diff --git a/yara/ransomware/Win32.Ransomware.FCT.yara b/yara/ransomware/Win32.Ransomware.FCT.yara
new file mode 100644
index 0000000..607e7f2
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.FCT.yara
@@ -0,0 +1,86 @@ +rule Win32_Ransomware_FCT : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FCT" + description = "Yara rule that detects FCT ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "FCT" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 6A ?? 68 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 ?? ?? ?? ?? 6A ?? E8 ?? ?? + ?? ?? 83 7D ?? ?? 8D 8D ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF 15 ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 6A ?? 51 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 33 DB 8B 55 ?? 33 C9 8B 75 + ?? 89 9D ?? ?? ?? ?? 85 D2 74 ?? 66 90 83 7D ?? ?? 8D 45 ?? 0F 43 C6 0F BE 04 08 41 + 03 D8 3B CA 72 ?? 89 9D ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? 66 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B CF C7 45 ?? ?? ?? ?? ?? 33 C0 + C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? 8D 51 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 + F9 51 57 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 75 ?? 8B C6 8B 55 ?? 2B C2 83 F8 ?? + 72 ?? 83 FE ?? 8D 45 ?? 8D 4A ?? BB ?? ?? ?? ?? 0F 43 45 ?? 89 4D ?? 66 89 1C 50 33 + D2 66 89 14 48 EB ?? 6A ?? 68 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 51 + } + + $find_files_p2 = { + 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 + ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? + 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 9D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B BD ?? ?? ?? ?? E9 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 55 ?? 8D 48 ?? 8B C2 81 F9 ?? ?? ?? ?? 72 ?? 8B 52 + ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 77 ?? 51 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 + FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 
8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 + C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D + ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 E8 + } + + $encrypt_files_p1 = { + 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 51 57 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8B 75 ?? 8B C6 8B 55 ?? 2B C2 83 F8 ?? 72 ?? 83 FE ?? 8D 45 ?? 8D 4A ?? BB ?? ?? + ?? ?? 0F 43 45 ?? 89 4D ?? 66 89 1C 50 33 D2 66 89 14 48 EB ?? 6A ?? 68 ?? ?? ?? ?? + C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 8D 51 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 8B 5D ?? 2B CA 8B 55 ?? 8B C3 D1 F9 2B + C2 3B C8 77 ?? 83 FB ?? 8D 04 09 50 8D 75 ?? 0F 43 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 3C + 0A 89 7D ?? 8D 04 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 04 7E EB ?? 51 8D 85 ?? + ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 81 BD + ?? ?? ?? ?? ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 6A ?? 0F 43 45 ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F + 84 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B F2 85 F6 74 + } + + $encrypt_files_p2 = { + 6A ?? 8D 45 ?? 50 A1 ?? ?? ?? ?? 2B C6 56 03 C1 50 57 FF 15 ?? ?? ?? ?? 2B 75 ?? 74 + ?? 8B 8D ?? ?? ?? ?? EB ?? 57 FF 15 ?? ?? ?? ?? C6 45 ?? ?? 33 C0 8B 9D ?? ?? ?? ?? + BA ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 83 CB ?? 8B 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 89 95 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 8D 48 ?? 3B CA 76 ?? C6 85 ?? ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 95 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 0F 43 4D ?? 3B C2 77 ?? 8D 34 00 89 85 ?? + ?? ?? ?? 83 FA ?? 8D BD ?? ?? ?? ?? 56 0F 43 BD ?? ?? ?? ?? 51 57 E8 ?? ?? ?? ?? 83 + C4 ?? 33 C0 66 89 04 37 EB ?? 50 51 C6 85 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C2 8B 8D ?? ?? ?? ?? 2B C1 83 F8 ?? + 72 ?? 83 FA ?? 8D B5 ?? ?? ?? ?? 6A ?? 0F 43 B5 ?? ?? 
?? ?? 8D 79 ?? 68 ?? ?? ?? ??
+ 89 BD ?? ?? ?? ?? 8D 04 4E 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 04 7E EB ?? 6A ??
+ 68 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 6A ?? E8 ??
+ ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 45 ?? 0F 43 8D ?? ?? ?? ?? 83 7D
+ ?? ?? 51 0F 43 45 ?? 50 FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.FLKR.yara b/yara/ransomware/Win32.Ransomware.FLKR.yara
new file mode 100644
index 0000000..2e56af9
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.FLKR.yara
@@ -0,0 +1,71 @@ +rule Win32_Ransomware_FLKR : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FLKR" + description = "Yara rule that detects FLKR ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "FLKR" + tc_detection_factor = 5 + + strings: + + $search_and_encrypt_p1 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 55 56 57 8B BC 24 ?? + ?? ?? ?? 57 89 7C 24 ?? FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 89 44 + 24 ?? FF D5 8D 44 24 ?? 50 57 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? 51 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 54 24 ?? 52 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 8D 4C 24 ?? 51 + 57 C6 04 07 ?? FF D5 F6 44 24 ?? ?? 0F 84 ?? ?? ?? ?? 8D 5C 24 ?? E8 ?? ?? ?? ?? 84 + C0 0F 85 ?? ?? ?? ?? 8A 0F 33 D2 84 C9 74 ?? BE ?? ?? ?? ?? 8B C7 2B F7 88 0C 06 8A + 48 ?? 40 42 84 C9 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C6 82 ?? ?? ?? ?? ?? C6 82 ?? + ?? ?? ?? ?? FF D5 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 + 74 ?? 56 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 68 ?? ?? ?? ?? 57 FF D5 57 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 38 44 24 ?? 74 + } + + $search_and_encrypt_p2 = { + 40 80 7C 04 ?? ?? 75 ?? 8A 4C 04 ?? 80 F9 ?? 75 ?? 80 7C 04 ?? ?? 75 ?? 80 7C 04 ?? + ?? 75 ?? 80 7C 04 ?? ?? 74 ?? 80 F9 ?? 75 ?? B3 ?? 38 5C 04 ?? 75 ?? 80 7C 04 ?? ?? + 75 ?? 80 7C 04 ?? ?? 75 ?? 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF 05 ?? ?? ?? ?? E9 ?? + ?? ?? ?? FF 05 ?? ?? ?? ?? E9 ?? ?? ?? ?? B3 ?? B2 ?? 80 F9 ?? 75 ?? 38 5C 04 ?? 75 + ?? 80 7C 04 ?? ?? 75 ?? 38 5C 04 ?? 75 ?? 32 D2 80 F9 ?? 75 ?? 80 7C 04 ?? ?? 75 ?? + 80 7C 04 ?? ?? 75 ?? 80 7C 04 ?? ?? 75 ?? 32 D2 80 F9 ?? 75 ?? 80 7C 04 ?? ?? 75 ?? + 80 7C 04 ?? ?? 75 ?? 80 7C 04 ?? ?? 0F 84 ?? ?? ?? ?? 84 D2 0F 84 ?? ?? ?? ?? 
8A 0F + 33 D2 84 C9 74 ?? 8D B4 24 ?? ?? ?? ?? 8B C7 2B F7 8D A4 24 ?? ?? ?? ?? 88 0C 06 8A + 48 ?? 40 42 84 C9 75 ?? A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 0F B6 + 05 ?? ?? ?? ?? C6 84 14 ?? ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 33 C0 6A ?? 89 8C 24 ?? ?? ?? ?? 89 94 24 ?? ?? ?? + ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 68 ?? ?? ?? ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 0D ?? + ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B E8 A1 ?? ?? ?? ?? 89 8C 24 ?? ?? ?? ?? 8B 0D ?? ?? ?? + ?? 89 84 24 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? + ?? 89 8C 24 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? 8D 74 24 ?? 89 6C 24 ?? 66 89 + } + + $search_and_encrypt_p3 = { + 94 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 51 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 0F 84 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? + 52 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 56 + 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 + 8D 84 24 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A + ?? 51 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 56 E8 ?? ?? ?? ?? 8B 7C 24 ?? 83 C4 ?? FF 05 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 + FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 2B F0 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 03 + C6 50 8D 8C 24 ?? ?? ?? ?? 51 8B D1 52 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 85 C0 75 ?? FF 05 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 55 E8 ?? ?? + ?? ?? 8B 2D ?? ?? ?? ?? 83 C4 ?? 8B 74 24 ?? 8D 4C 24 ?? 51 56 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 56 FF 15 + } + + condition: + uint16(0) == 0x5A4D and (all of ($search_and_encrypt_p*)) +} \ No newline at end of file 
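Review bot: The condition is written on one line, `uint16(0) == 0x5A4D and (all of ($search_and_encrypt_p*))`, while every sibling rule in this commit spreads the same shape over parenthesised lines; pick one form so the ruleset greps and diffs consistently. The rest of the rule follows the shared layout.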
diff --git a/yara/ransomware/Win32.Ransomware.FarAttack.yara b/yara/ransomware/Win32.Ransomware.FarAttack.yara
new file mode 100644
index 0000000..44d51f0
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.FarAttack.yara
@@ -0,0 +1,93 @@ +rule Win32_Ransomware_FarAttack : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FARATTACK" + description = "Yara rule that detects FarAttack ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "FarAttack" + tc_detection_factor = 5 + + strings: + + $find_files = { + 56 FF 73 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 50 FF 15 ?? ?? ?? ?? 56 E8 ?? + ?? ?? ?? 59 6A ?? 58 E9 ?? ?? ?? ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 03 C7 89 + 45 ?? 3D ?? ?? ?? ?? 0F 8D ?? ?? ?? ?? F7 06 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 4E ?? + 51 68 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? F6 06 ?? 74 ?? 8B 45 ?? 8D 04 45 ?? ?? ?? ?? 50 8D 46 ?? + 50 8B 43 ?? 8D 04 78 83 C0 ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 8B 53 ?? + 8B 75 ?? 8B 01 53 89 44 72 ?? 66 8B 41 ?? 8B CE 66 89 44 4A ?? FF 43 ?? 83 63 ?? ?? + E8 ?? ?? ?? ?? FF 4B ?? 83 63 ?? ?? 8B 75 ?? E9 ?? ?? ?? ?? 83 7B ?? ?? 75 ?? FF 73 + ?? FF 73 ?? FF 73 ?? FF 73 ?? 57 FF 73 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? C7 43 + ?? ?? ?? ?? ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 8D + 04 45 ?? ?? ?? ?? 50 8D 46 ?? 50 8B 43 ?? 8D 04 78 83 C0 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 83 7E ?? ?? 75 ?? 83 7E ?? ?? 74 ?? 6A ?? E8 ?? ?? ?? ?? 8B F8 8B 45 ?? 8D 34 00 + 8D 4E ?? 51 E8 ?? ?? ?? ?? 56 89 07 FF 73 ?? 50 E8 ?? ?? ?? ?? 8B 07 33 C9 83 C4 ?? + 66 89 0C 06 8B 75 ?? 51 57 51 8B 46 ?? 89 47 ?? 8B 46 ?? 89 47 ?? 8B 45 ?? 89 47 ?? + FF 73 ?? FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 4B ?? A1 ?? ?? ?? ?? 89 44 79 ?? 66 A1 ?? ?? + ?? ?? 66 89 44 79 ?? 56 FF 75 ?? FF 15 + } + + $create_key = { + 55 8B EC 56 6A ?? E8 ?? ?? ?? ?? 8B F0 59 85 F6 75 ?? 32 C0 EB ?? A1 ?? ?? ?? ?? 53 + 33 DB 85 C0 74 ?? 53 6A ?? 
53 53 56 FF D0 EB ?? 8A C3 84 C0 75 ?? FF 15 ?? ?? ?? ?? + 3D ?? ?? ?? ?? 75 ?? A1 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 6A ?? 53 53 56 FF D0 8A D8 84 + DB 75 ?? 56 E8 ?? ?? ?? ?? 59 32 C0 EB ?? 8B 4D ?? B0 ?? 89 71 ?? 5B 5E 5D C3 + } + + $encrypt_files_p1 = { + 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 83 + FF ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 0B 45 ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 48 ?? 8B 40 + ?? 83 C1 ?? 03 C1 8B 5D ?? 89 5D ?? 8B 4D ?? 89 4D ?? 99 03 D8 89 5D ?? 13 CA 89 4D + ?? 8B 55 ?? 8B 45 ?? 85 D2 7C ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? 89 75 ?? EB ?? 83 65 ?? + ?? 85 D2 7C ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? 89 75 ?? EB ?? 83 65 ?? ?? C7 45 ?? ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 6A ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 6A ?? 59 89 4D ?? 51 + 52 50 E8 ?? ?? ?? ?? 89 45 ?? 89 55 ?? 8B 4D ?? 6A ?? 53 51 6A ?? 6A ?? 57 FF 15 ?? + ?? ?? ?? 8B D8 89 5D ?? 85 DB 0F 84 ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? + ?? ?? 89 45 ?? 89 45 ?? 33 C9 8B C1 89 45 ?? 89 45 ?? 89 4D ?? 89 4D ?? 89 45 ?? 89 + 45 ?? 89 4D ?? 8B 4D ?? FF 71 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 4D ?? FF 71 ?? FF 71 ?? 8D 41 ?? 50 + FF 71 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 8B 55 ?? 85 C0 + } + + $encrypt_files_p2 = { + 75 ?? 89 55 ?? 21 45 ?? 8B CE 89 4D ?? 89 4D ?? EB ?? 8B 4D ?? 3B 4D ?? 0F 8D ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 85 C9 74 ?? 83 7D ?? ?? 74 ?? 8D 41 ?? 3B 45 ?? 74 ?? + 8B C1 99 FF 75 ?? FF 75 ?? 52 50 E8 ?? ?? ?? ?? 8B C8 89 45 ?? C7 45 ?? ?? ?? ?? ?? + EB ?? 8B CA 81 E9 ?? ?? ?? ?? 89 4D ?? 8B 55 ?? 83 DA ?? 83 65 ?? ?? 89 55 ?? 6A ?? + 8B 45 ?? FF 70 ?? 52 51 E8 ?? ?? ?? ?? 6A ?? 8B 4D ?? FF 71 ?? 52 50 E8 ?? ?? ?? ?? + 8B C8 89 4D ?? 89 55 ?? 8B 45 ?? 2B C1 89 45 ?? 8B 4D ?? 1B CA 89 45 ?? 89 4D ?? EB + ?? 8B 55 ?? 8B C2 C1 F8 ?? FF 75 ?? FF 75 ?? 52 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? 
??
+ 89 45 ?? 85 C0 75 ?? 50 FF 75 ?? FF 75 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ??
+ ?? ?? 8B 75 ?? 8B 7D ?? 83 4D ?? ?? E8 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 45
+ ?? E8 ?? ?? ?? ?? C3 03 45 ?? 56 6A ?? 8D 4D ?? 51 50 FF 75 ?? 50 6A ?? 6A ?? 8D 85
+ ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 45 ?? 40
+ 89 45 ?? 3B 45 ?? 75 ?? 8B 75 ?? FF 76 ?? FF 76 ?? 8B 45 ?? 03 45 ?? 03 45 ?? 50 E8
+ ?? ?? ?? ?? FF 76 ?? FF 76 ?? 8B 46 ?? 03 45 ?? 03 45 ?? 03 45 ?? 50 E8 ?? ?? ?? ??
+ 83 C4 ?? 8B 7E ?? 03 7E ?? 03 7D ?? 03 7D ?? 8B 45 ?? 03 F8 8D 75 ?? A5 A5 A5 A5 6A
+ ?? 50 FF 15 ?? ?? ?? ?? 8B 7D ?? 33 F6 46 FF 75 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 89 4D
+ ?? 8B 55 ?? 8B 45 ?? E9 ?? ?? ?? ?? 53 8B 35 ?? ?? ?? ?? FF D6
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $create_key
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.FenixLocker.yara b/yara/ransomware/Win32.Ransomware.FenixLocker.yara
new file mode 100644
index 0000000..d64309a
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.FenixLocker.yara
@@ -0,0 +1,143 @@ +rule Win32_Ransomware_FenixLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FENIXLOCKER" + description = "Yara rule that detects FenixLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "FenixLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files_1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 68 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 8B F1 E8 ?? ?? ?? ?? 83 C4 + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 6A ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 8D 85 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? + E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5E 8B 4D ?? 33 CD E8 ?? ?? + ?? ?? 8B E5 5D C3 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 33 C0 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? + ?? ?? 50 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 46 ?? 50 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 84 ?? ?? ?? ?? 57 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8B F8 + 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 7E ?? ?? 72 ?? 8B 36 FF B5 ?? ?? ?? ?? 56 57 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 50 57 6A ?? 6A ?? 6A ?? FF + B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 
8B + E5 5D C3 8B 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 01 8B C7 8B 4D ?? 5F 33 CD 5E E8 ?? + ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_2 = { + B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 + ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? + F6 85 ?? ?? ?? ?? ?? 8D 55 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B D0 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? + 8B F8 C6 45 ?? ?? 8B 4D ?? 8B 55 ?? 41 3B D1 77 ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 8B 55 + ?? 8B 4D ?? 4A 8B 45 ?? 23 CA 03 C1 89 4D ?? 8B 4D ?? 23 D0 83 3C 91 ?? 8D 34 95 ?? + ?? ?? ?? 75 ?? 6A ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 89 04 31 8B 4D ?? 8B 0C 31 85 + C9 74 ?? 57 E8 ?? ?? ?? ?? FF 45 ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 + 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B + C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 + C4 ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 + ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? + ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F + 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B BD ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 85 F6 0F 8E ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? + ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? + 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? + ?? ?? ?? 8B 40 ?? F6 84 05 ?? ?? ?? ?? ?? 0F 85 ?? 
?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? + ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? + 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F + 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 6A ?? 8B 40 ?? 03 C8 8B 51 ?? 83 CA ?? 8B C2 83 C8 ?? 83 79 ?? + ?? 0F 45 C2 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? B0 ?? 8B 4D ?? 64 89 0D ?? ?? ?? + ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_3 = { + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B D0 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 + ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? ?? + 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F + 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 83 FE ?? 0F + 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 8A 11 3A 10 75 ?? 84 D2 74 ?? 8A 51 ?? 3A 50 ?? 75 ?? 83 C1 ?? + 83 C0 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? + 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? 
?? E8 ?? ?? + ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? + 8D 4D ?? 0F 43 4D ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 7E ?? 83 7D ?? ?? 8D 4D ?? 8D + 45 ?? 0F 43 4D ?? 83 7D ?? ?? 51 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + 46 EB ?? 85 F6 75 ?? 83 F8 ?? B8 ?? ?? ?? ?? 0F 45 F0 89 B5 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 0F 82 ?? ?? ?? ?? 8B 4D ?? 40 3D ?? ?? ?? + ?? 72 ?? F6 C1 ?? 75 ?? 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 ?? 72 ?? 83 F9 ?? 77 ?? 8B + C8 51 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? E8 + } + + $encrypt_files_4 = { + 8B BD ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 85 F6 0F 8E ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 + ?? ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 + ?? 40 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8B 40 ?? + F6 84 05 ?? ?? ?? ?? ?? 75 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? 8B 40 ?? 03 C8 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 ?? 83 C8 ?? 6A ?? 50 E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D + 41 ?? 89 84 0D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 83 + 7D ?? ?? 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 75 ?? + E8 ?? ?? ?? ?? 
?? ?? ?? ?? 8B 45 ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50
+ }
+
+ $encrypt_files_5 = {
+ FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ??
+ ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? C7 45 ?? ?? ?? ??
+ ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ??
+ ?? ?? B0 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B
+ E5 5D C3 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B D0 8D 4D ?? E8 ?? ?? ??
+ ?? 83 C4 ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 8D ?? ?? ?? ?? 50 FF
+ B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ??
+ ?? ?? C6 85 ?? ?? ?? ?? ?? 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4
+ ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 4D ?? C7
+ 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ??
+ ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 8D 4D ?? 0F 43 4D ?? 50 E8 ?? ?? ?? ?? 83 C4
+ ?? 85 C0 7E ?? 83 7D ?? ?? 8D 4D ?? 8D 45 ?? 0F 43 4D ?? 83 7D ?? ?? 51 0F 43 45 ??
+ 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 46 89 B5 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ??
+ 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 0F 82 ?? ?? ??
+ ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? E9
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and ($encrypt_files_1 and $encrypt_files_2 and $encrypt_files_3) or
+ ($encrypt_files_1 and $encrypt_files_4 and $encrypt_files_5)
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Ferrlock.yara b/yara/ransomware/Win32.Ransomware.Ferrlock.yara
new file mode 100644
index 0000000..1eadddd
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Ferrlock.yara
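Review bot: The `uint16(0) == 0x5A4D` gate in the FenixLocker condition only covers the first alternative, because YARA binds `and` tighter than `or`: `uint16(0) == 0x5A4D and ($encrypt_files_1 and $encrypt_files_2 and $encrypt_files_3) or ($encrypt_files_1 and $encrypt_files_4 and $encrypt_files_5)` parses as `(MZ and A) or B`, so the `$encrypt_files_1/4/5` branch can fire on a file with no MZ header at all. Wrap both alternatives in one group so the header check applies to both: `uint16(0) == 0x5A4D and ( ($encrypt_files_1 and $encrypt_files_2 and $encrypt_files_3) or ($encrypt_files_1 and $encrypt_files_4 and $encrypt_files_5) )`. This also brings the rule in line with the sibling rules in this commit, which parenthesize every string group under the MZ check.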
@@ -0,0 +1,131 @@ +rule Win32_Ransomware_Ferrlock : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FERRLOCK" + description = "Yara rule that detects Ferrlock ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ferrlock" + tc_detection_factor = 5 + + strings: + + $search_files_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? ?? + ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? FF + 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 5D ?? 8B + CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 EB ?? 8B + 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 FF + 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 + C5 89 45 ?? 8B 4D ?? 53 8B 5D ?? 57 8B 7D ?? 89 9D ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 53 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 DB + } + + $search_files_p2 = { + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8A C3 80 FA ?? 75 ?? B0 ?? 0F B6 C0 2B CF 41 F7 D8 56 + 1B C0 23 C1 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 53 53 53 50 53 57 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? + ?? 83 FE ?? 75 ?? 50 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 83 FE ?? 74 ?? 56 FF 15 + ?? ?? ?? ?? 8B C3 5E 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 + C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 38 9D ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? 
?? 85 C0 + 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $enum_rsrc = { + 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 4D ?? 8B 45 ?? 8D 4D ?? 83 4D ?? ?? 51 50 6A + ?? 6A ?? 6A ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 + ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? EB ?? 33 DB 39 5D ?? 7E ?? + 8D 7E ?? F7 47 ?? ?? ?? ?? ?? 74 ?? 8D 47 ?? 89 45 ?? 8B 45 ?? 8B 00 8B 48 ?? 85 C9 + 74 ?? 8B 01 8D 55 ?? 52 FF 50 ?? EB ?? FF 37 8D 4D ?? E8 ?? ?? ?? ?? 83 65 ?? ?? 8D + 45 ?? 50 8B 45 ?? 8B 48 ?? E8 ?? ?? ?? ?? 83 4D ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 43 83 + C7 ?? 3B 5D ?? 7C ?? 83 4D ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 56 8D 45 ?? 50 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? C2 ?? ?? E8 ?? ?? ?? ?? CC 55 8B EC 6A ?? 68 ?? ?? ?? ?? + 64 A1 ?? ?? ?? ?? 50 56 A1 ?? ?? ?? ?? 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 83 + 65 ?? ?? 8B 4E ?? 85 C9 74 ?? 8B 11 3B CE 0F 95 C0 0F B6 C0 50 FF 52 ?? 83 66 ?? ?? + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 8B E5 5D C3 + } + + $create_test_file_p1 = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 33 DB 8D 55 + ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 5D ?? E8 ?? ?? ?? ?? 59 8D 45 ?? C6 45 ?? ?? + 50 8D 4D ?? 89 5D ?? 89 5D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 + ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 83 CB ?? 8B 3D ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 65 ?? ?? + 8D 4D ?? 83 65 ?? ?? 56 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? FF 75 ?? 8B 45 ?? 2B 45 + ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 8B 55 ?? 8D 4D ?? 0F 43 45 ?? + 83 7D ?? ?? 0F 43 4D ?? 3B 55 ?? 75 ?? 52 50 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 85 ?? ?? + ?? ?? ?? 85 C0 74 ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? + ?? 8D 4D ?? 0F 85 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C6 ?? 
3B F7 0F 85 ?? ?? + ?? ?? 83 7D ?? ?? 8D 45 ?? 8B 35 ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 43 45 ?? 33 C9 51 57 + } + + $create_test_file_p2 = { + 6A ?? 51 51 68 ?? ?? ?? ?? 50 FF D6 3B C3 0F 84 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 + 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? + 33 C9 51 57 6A ?? 51 51 68 ?? ?? ?? ?? 50 FF D6 8B F8 3B FB 0F 84 ?? ?? ?? ?? 6A ?? + 57 FF 15 ?? ?? ?? ?? 8B F0 85 F6 75 ?? 57 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? E9 ?? ?? ?? ?? 6A ?? 58 3B F0 0F 42 F0 03 F0 56 E8 ?? ?? ?? ?? 59 6A ?? 89 85 + ?? ?? ?? ?? 8D 45 ?? 50 56 8B B5 ?? ?? ?? ?? 56 57 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 75 + ?? 57 FF 15 ?? ?? ?? ?? EB ?? 83 7D ?? ?? 8D 45 ?? FF 75 ?? 0F 43 45 ?? 8D 55 ?? 50 + 8B CE E8 ?? ?? ?? ?? 59 59 33 DB 53 53 53 57 FF 15 ?? ?? ?? ?? 53 8D 45 ?? 50 FF 75 + ?? 56 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 8D 45 ?? 0F 43 + 4D ?? 83 7D ?? ?? 51 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 8D 4D ?? + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C3 E8 ?? + ?? ?? ?? C3 + } + + $encrypt_files_p1 = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 33 F6 8D 4D ?? 89 B5 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 75 ?? 8D 4D ?? 68 ?? ?? ?? ?? 89 75 ?? 89 75 ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 7D ?? 8B D8 8B 45 + ?? 0F 43 7D ?? 59 3B D8 77 ?? 85 DB 74 ?? 2B C3 40 03 C7 89 85 ?? ?? ?? ?? 2B C7 50 + 6A ?? 57 EB ?? 53 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 85 ?? ?? + ?? ?? 46 2B C6 50 6A ?? 56 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? EB ?? 2B F7 EB + ?? 83 CE ?? 83 FE ?? 74 ?? 83 7D ?? ?? 8D 45 ?? FF 75 ?? 0F 43 45 ?? 50 51 56 8D 4D + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 F6 8D 85 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
C7 85
+ }
+
+ $encrypt_files_p2 = {
+ 50 E8 ?? ?? ?? ?? 6A ?? 5F 89 7D ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ??
+ ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 51 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? C6 45 ?? ??
+ E8 ?? ?? ?? ?? C6 45 ?? ?? 8B C8 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ??
+ ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 51 0F 43 85
+ ?? ?? ?? ?? 51 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 39 B5 ?? ?? ?? ?? 74 ?? 83 7D ?? ?? 8D
+ 55 ?? FF 75 ?? 0F 43 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 8D ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 56 8B 40 ?? 03 C8 8B 51
+ ?? 83 CA ?? 8B C2 0B C7 39 71 ?? 0F 44 D0 52 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 59 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_rsrc
+ ) and
+ (
+ all of ($search_files_p*)
+ ) and
+ (
+ all of ($create_test_file_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Flamingo.yara b/yara/ransomware/Win32.Ransomware.Flamingo.yara
new file mode 100644
index 0000000..16333b0
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Flamingo.yara
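Review bot: Two of the Ferrlock strings run past the end of one function into the prologue of the next, which makes the match depend on link order rather than on the code itself: `$search_files_p1` contains `... C3 33 FF 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ...` and `$enum_rsrc` contains `... C2 ?? ?? E8 ?? ?? ?? ?? CC 55 8B EC 6A ?? 68 ...`, i.e. what looks like a `ret`, a trailing call, `int3` padding and then a fresh `push ebp; mov ebp, esp`. A rebuild of the same source with different function placement would silently drop the match even though every instruction the rule cares about is unchanged. If the adjacency is not deliberate, split each string at the `CC` byte into two strings and require both in the condition; if it is deliberate for specificity, a one-line `// spans two adjacent functions; relies on link order` comment on each would save the next maintainer from "fixing" it.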
@@ -0,0 +1,54 @@ +rule Win32_Ransomware_Flamingo : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FLAMINGO" + description = "Yara rule that detects Flamingo ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Flamingo" + tc_detection_factor = 5 + + strings: + + $find_files = { + 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? + ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 + ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 + C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 + 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 + C0 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F + 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $encrypt_files = { + 68 ?? ?? ?? ?? 83 EC ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B CC C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? + ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? C6 00 ?? 8D 85 + ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? 51 6A ?? 83 EC ?? C6 45 ?? ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? + C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? + C6 00 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8B BD ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 47 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 EC ?? 8B CC C7 41 ?? ?? ?? 
??
+ ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ??
+ 8B 01 EB ?? 8B C1 6A ?? C6 00 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.FuxSocy.yara b/yara/ransomware/Win32.Ransomware.FuxSocy.yara
new file mode 100644
index 0000000..d57b377
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.FuxSocy.yara
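Review bot: `$find_files` in the Flamingo rule appears to be shared directory-walk code rather than anything family-specific: apart from swapped registers (`57`/`53` where Ferrlock has `53`/`57`) it is the same instruction sequence as `$search_files_p2` in the Ferrlock rule added by this very commit, and the tail from `8B 48 ?? 2B 08 C1 F9 ??` through `8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9` is byte-for-byte identical in both. Since the condition has only two strings, the Flamingo attribution then rests almost entirely on `$encrypt_files`, which is itself dominated by a repeated `C7 41 ?? ?? ?? ?? ?? ... 83 79 ?? ?? ... 72 ?? 8B 01 EB ?? 8B C1` block that looks like compiler-emitted string-object setup rather than ransomware logic. I would either add a string anchored on something only Flamingo carries, or at least record the overlap in the rule, e.g. `// $find_files is the same FindFirstFile loop as Win32_Ransomware_Ferrlock.$search_files_p2 (register-renamed)`, so nobody later loosens `$encrypt_files` believing `$find_files` still carries weight.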
@@ -0,0 +1,114 @@ +rule Win32_Ransomware_FuxSocy : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "FUXSOCY" + description = "Yara rule that detects FuxSocy ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "FuxSocy" + tc_detection_factor = 5 + + strings: + + $encrypt_files_1 = { + 83 EC ?? 53 55 57 89 54 24 ?? 8B 54 24 ?? 51 33 DB E8 ?? ?? ?? ?? 8B E8 59 85 ED 0F + 84 ?? ?? ?? ?? 8B 44 24 ?? 89 5C 24 ?? 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B CB E9 + ?? ?? ?? ?? 53 53 FF 74 24 ?? 41 FF 74 24 ?? BF ?? ?? ?? ?? FF 74 24 ?? 3B C7 0F 42 + F8 2B C7 89 4C 24 ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 53 8D 44 24 ?? 50 57 FF 74 24 ?? + FF 74 24 ?? FF 15 ?? ?? ?? ?? 57 FF 74 24 ?? 8D 54 24 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? + 59 59 57 8D 44 24 ?? 50 FF 74 24 ?? 33 C0 39 44 24 ?? 53 0F 94 C0 89 7C 24 ?? 50 53 + 55 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 53 53 FF 74 24 ?? FF 74 24 ?? FF 74 24 ?? FF 15 ?? + ?? ?? ?? 53 8D 44 24 ?? 50 57 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 01 7C 24 ?? + 8B 4C 24 ?? 11 5C 24 ?? F6 C1 ?? 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 8B 44 24 + ?? 85 C0 0F 85 ?? ?? ?? ?? EB ?? 88 5C 24 ?? FF 74 24 ?? 8B 54 24 ?? 8B 4C 24 ?? E8 + ?? ?? ?? ?? 59 8B 4C 24 ?? 55 89 41 ?? FF 15 ?? ?? ?? ?? 8A 5C 24 ?? 5F 5D 8A C3 5B + 83 C4 ?? C3 + } + + $encrypt_files_2 = { + 83 EC ?? 53 55 56 8B 74 24 ?? 8B C1 8B 36 57 89 54 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? + 8B F8 33 D2 8D 5F ?? 8B C6 F7 F3 33 C9 85 D2 0F 95 C1 89 54 24 ?? 33 D2 03 C8 89 4C + 24 ?? 0F AF CF 89 4C 24 ?? E8 ?? ?? ?? ?? 8B E8 89 6C 24 ?? 85 ED 0F 84 ?? ?? ?? ?? + 33 D2 8B CF E8 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 83 64 24 ?? ?? + 48 89 6C 24 ?? 89 44 24 ?? 74 ?? 53 FF 74 24 ?? 89 5C 24 ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 44 24 ?? 57 50 56 33 C0 50 50 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 33 C9 85 FF 74 ?? 8B 54 24 ?? 8D 6E ?? 03 EF 8A 45 ?? 
4D 88 04 11 41 3B CF + 72 ?? 8B 6C 24 ?? 8B 44 24 ?? 03 44 24 ?? 01 5C 24 ?? 89 44 24 ?? 8B 44 24 ?? 40 89 + 44 24 ?? 3B 44 24 ?? 72 ?? 8B 44 24 ?? 85 C0 0F 45 D8 53 FF 74 24 ?? 89 5C 24 ?? 56 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 57 50 56 6A ?? 6A ?? 6A ?? FF 74 24 ?? FF 15 ?? + ?? ?? ?? 8B D8 F7 DB 1A DB 80 E3 ?? 33 C9 85 FF 74 ?? 8B 6C 24 ?? 8D 56 ?? 03 D7 8A + 02 4A 88 04 29 41 3B CF 72 ?? 8B 6C 24 ?? 8B CE E8 ?? ?? ?? ?? 84 DB 75 ?? 8B CD E8 + ?? ?? ?? ?? 33 ED EB ?? 32 DB EB ?? 8B 4C 24 ?? 8B 44 24 ?? 89 01 5F 5E 8B C5 5D 5B + 83 C4 ?? C3 + } + + $find_files_1 = { + 81 EC ?? ?? ?? ?? 53 56 57 8B BC 24 ?? ?? ?? ?? 8B F2 89 74 24 ?? 8B D9 85 FF 0F 84 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 8B D7 C1 E2 ?? 8B + CE E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 + 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D3 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 84 C0 + 0F 84 ?? ?? ?? ?? 55 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B E8 + 83 FD ?? 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8B 44 + 24 ?? 83 E0 ?? 74 ?? F6 84 24 ?? ?? ?? ?? ?? 75 ?? 85 C0 75 ?? F6 84 24 ?? ?? ?? ?? + ?? 74 ?? 33 F6 85 FF 74 ?? 8B 44 24 ?? FF 34 B0 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 75 ?? 46 3B F7 72 ?? EB ?? FF B4 24 ?? ?? ?? ?? 8D 44 24 ?? 50 53 FF 94 24 ?? ?? + ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 74 ?? FF B4 24 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B 74 24 ?? F6 44 24 ?? ?? 74 ?? F6 84 24 ?? ?? ?? ?? ?? 74 + ?? 8D 44 24 ?? 50 8B D3 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 84 C0 74 ?? 83 BC 24 + ?? ?? ?? ?? ?? 74 ?? FF B4 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B + D6 FF B4 24 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? + ?? FF B4 24 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 55 FF 15 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? EB ?? 83 64 24 ?? 
?? 55 FF 15 ?? ?? ?? ?? 5D 5F 5E 5B 81 + C4 ?? ?? ?? ?? C3 + } + + $find_files_2 = { + 81 EC ?? ?? ?? ?? 8D 44 24 ?? 53 55 56 68 ?? ?? ?? ?? 50 8B D9 FF 15 ?? ?? ?? ?? 8B + F0 85 F6 0F 84 ?? ?? ?? ?? 8D 6C 24 ?? 8D 6C 75 ?? 33 C0 66 89 44 74 ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 59 E8 ?? ?? ?? ?? 83 C0 ?? 6A ?? 59 66 89 + 45 ?? E8 ?? ?? ?? ?? 83 C0 ?? 66 89 44 74 ?? 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 + FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 84 C0 74 ?? 8D 84 24 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 83 64 24 ?? ?? 8D 44 + 24 ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 53 + FF 15 ?? ?? ?? ?? 5E 5D 5B 81 C4 ?? ?? ?? ?? C3 + } + + $find_files_3 = { + 81 EC ?? ?? ?? ?? 53 55 56 8B D9 57 8B FA 85 DB 74 ?? 33 D2 E8 ?? ?? ?? ?? 8B F0 85 + F6 0F 84 ?? ?? ?? ?? 57 56 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 83 C4 ?? 8B CE E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 C6 43 ?? ?? FF 15 ?? ?? ?? ?? + 0D ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? EB ?? 57 FF 15 ?? ?? ?? ?? 0D ?? ?? ?? ?? 50 57 FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D7 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 84 C0 0F + 84 ?? ?? ?? ?? 8B B4 24 ?? ?? ?? ?? 80 7E ?? ?? 75 ?? 8B 15 ?? ?? ?? ?? 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8B E8 83 FD ?? 0F 84 ?? ?? ?? ?? 83 64 24 ?? ?? 6A ?? FF 35 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 84 C0 + 0F 85 ?? ?? ?? ?? F7 44 24 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 56 + 57 FF 15 ?? ?? ?? ?? 50 8B D7 8B CB E8 ?? ?? ?? ?? 59 59 89 44 24 ?? 85 C0 0F 84 ?? + ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 50 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? F6 44 + 24 ?? ?? 74 ?? 80 7E ?? ?? 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 56 FF B4 24 ?? + ?? ?? ?? 8D 54 24 ?? E8 ?? ?? 
?? ?? 59 59 EB ?? 80 7E ?? ?? 74 ?? 85 DB 74 ?? 83 7C
+ 24 ?? ?? 7C ?? 7F ?? 81 7C 24 ?? ?? ?? ?? ?? 72 ?? 80 3E ?? 74 ?? 6A ?? 8D 44 24 ??
+ 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 44 24 ?? 50 FF 74 24 ?? FF 94 24 ?? ?? ?? ??
+ 83 C4 ?? 85 C0 74 ?? 8D 44 24 ?? 50 55 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 55
+ FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_*)
+ ) and
+ (
+ all of ($encrypt_files_*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.GPGQwerty.yara b/yara/ransomware/Win32.Ransomware.GPGQwerty.yara
new file mode 100644
index 0000000..fd364f3
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.GPGQwerty.yara
@@ -0,0 +1,83 @@ +rule Win32_Ransomware_GPGQwerty : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GPGQWERTY" + description = "Yara rule that detects GPGQwerty ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GPGQwerty" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 56 53 89 D3 81 EC ?? ?? ?? ?? 8D 54 24 ?? 89 04 24 89 54 24 ?? E8 ?? ?? ?? ?? 83 EC + ?? 83 F8 ?? 89 C6 74 ?? 31 C0 8D 4B ?? 66 89 43 ?? 31 C0 EB ?? 0F B7 43 ?? 83 C0 ?? + 66 3D ?? ?? 66 89 43 ?? 83 D1 ?? 0F B7 C0 0F B6 44 04 ?? 84 C0 88 01 75 ?? 8B 44 24 + ?? 24 ?? 83 F8 ?? 76 ?? C7 43 ?? ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 89 F0 5B 5E C3 66 90 + 89 43 ?? 81 C4 ?? ?? ?? ?? 89 F0 5B 5E C3 E8 ?? ?? ?? ?? 89 C3 E8 ?? ?? ?? ?? 83 F8 + ?? 89 03 74 ?? E8 ?? ?? ?? ?? 81 38 ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? 83 38 ?? 74 ?? + E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? E8 ?? + ?? ?? ?? C7 00 ?? ?? ?? ?? EB ?? 90 56 53 89 D3 81 EC ?? ?? ?? ?? 8D 54 24 ?? 89 04 + 24 89 54 24 ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 89 C6 74 ?? 31 C0 8D 4B ?? 66 89 43 ?? + 31 C0 EB ?? 0F B7 43 ?? 83 C0 ?? 66 3D ?? ?? 66 89 43 ?? 83 D1 ?? 0F B7 C0 0F B6 44 + 04 ?? 84 C0 88 01 75 ?? 8B 44 24 ?? 24 ?? 83 F8 ?? 77 ?? 89 43 ?? 81 C4 ?? ?? ?? ?? + 89 F0 5B 5E C3 8D B4 26 ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 89 F0 5B + 5E C3 E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 81 C4 ?? ?? ?? + ?? 89 F0 5B 5E C3 + } + + $find_files_p2 = { + 8B 45 ?? 89 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 95 C0 84 + C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? + ?? 85 C0 74 ?? 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 + C0 74 ?? C6 85 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? + ?? ?? ?? 8B 45 ?? 83 C0 ?? 89 44 24 ?? 8D 85 ?? ?? ?? 
?? 89 04 24 E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 94 C0 84 C0 0F 84 + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 83 + C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45 + ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 8B 45 ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E8 + } + + $encrypt_files = { + C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 + C0 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 44 + 24 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 
89 44 24 ?? 8D 85 ?? ?? ??
+ ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 C2 B8
+ ?? ?? ?? ?? 89 D7 F2 AE 89 C8 F7 D0 8D 50 ?? 8D 85 ?? ?? ?? ?? 01 D0 66 C7 00 ?? ??
+ 8B 45 ?? 83 E8 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.GandCrab.yara b/yara/ransomware/Win32.Ransomware.GandCrab.yara
new file mode 100644
index 0000000..0613f2b
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.GandCrab.yara
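Review bot: `$find_files_p1` in the GPGQwerty rule looks like statically linked runtime code rather than the malware's own logic: it is a byte-copy loop that bumps a 16-bit length field (`0F B7 43 ?? 83 C0 ?? 66 3D ?? ?? 66 89 43 ?? ... 0F B6 44 04 ?? 84 C0 88 01 75 ??`), followed by an errno-style epilogue (`E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ??`, repeated three times) and then a second, near-identical copy of the same routine — which resembles the narrow/wide `readdir` pair from MinGW's dirent implementation that any MinGW-built binary using `opendir` would carry. Because the condition also demands `$find_files_p2` and `$encrypt_files`, this is not a false-positive risk on its own, but the string adds scan cost without adding family specificity, and it will not hold the rule up if the other two strings ever need to be loosened for a new variant. Either drop it or document its role, e.g. `// $find_files_p1: looks like the MinGW dirent readdir pair; toolchain marker only, not family-specific`.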
@@ -0,0 +1,892 @@
+rule Win32_Ransomware_GandCrab : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GANDCRAB"
+ description = "Yara rule that detects GandCrab ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "GandCrab"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B F9 89 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 68
+ ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? 85 DB 74 ?? 33 C0
+ 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 83 F8 ?? 74 ??
+ 57 FF 15 ?? ?? ?? ?? 8D 4D ?? 8D 34 45 ?? ?? ?? ?? 8D 46 ?? 50 E8 ?? ?? ?? ?? 68 ??
+ ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 56 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ??
+ 8B D8 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 89 45 ?? FF D6 57 53 FF D6
+ 6A ?? 59 BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 A5 8B 35 ?? ?? ?? ?? 53 FF D6 33 FF 8D
+ 85 ?? ?? ?? ?? 21 BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85
+ ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D
+ 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 83 EC ??
+ FF 75 ?? 53 FF D6 8B 75 ?? 8D 4D ?? 50 53 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 85
+ C0 74 ?? 47 83 7D ?? ?? 74 ?? 8B 4D ?? 8D 55 ?? 83 65 ?? ?? E8 ?? ?? ?? ?? 85 C0 74
+ ?? 8B 45 ?? 85 C0 74 ?? 8B 4D ?? 89 01 EB ?? 33 FF 68 ?? ?? ?? ?? 6A ?? 56 FF 15 ??
+ ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ??
+ FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C3
+ }
+
+ $remote_connection_v2 = {
+ 55 8B EC 83 EC ?? 53 56 8B D9 89 55 ?? 57 8D 4D ?? 89 5D ?? E8 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 53 89 45 ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 3C 45
+ ?? ?? ?? ?? 8D 47 ?? 50 6A ?? FF D6 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B D8
+ FF D6 89 45 ?? 
85 DB 74 ?? 8D 47 ?? 3B F8 73 ?? 8B F3 EB ?? 33 F6 FF 75 ?? 56 FF 15 + ?? ?? ?? ?? F3 0F 6F 05 ?? ?? ?? ?? 56 F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F + 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 + ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? FF + 15 ?? ?? ?? ?? 8D 45 ?? 33 FF 50 FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 68 ?? ?? ?? ?? 83 + EC ?? 68 ?? ?? ?? ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 50 56 8B 75 ?? 8D 4D ?? 68 ?? ?? + ?? ?? 56 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? BF ?? ?? ?? ?? 74 ?? 8B 4D ?? 8D 55 + ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 85 C0 74 ?? 8B 4D ?? 89 + 01 EB ?? 33 FF 68 ?? ?? ?? ?? 6A ?? 56 8B 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? 6A ?? + FF 75 ?? FF D6 68 ?? ?? ?? ?? 6A ?? 53 FF D6 8B 45 ?? 85 C0 74 ?? 50 FF 15 ?? ?? ?? + ?? 8B C7 5F 5E 5B 8B E5 5D C3 + } + + $crypt_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 51 33 C0 89 4C 24 ?? 40 8B DA 50 51 50 + 83 EC ?? 89 5C 24 ?? 50 51 50 51 50 51 50 51 50 83 EC ?? 50 51 50 8D 8C 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 75 ?? 8B + F8 03 F3 8D 4E ?? 8D 0C CF C1 E1 ?? 51 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 04 B7 8D 04 C5 + ?? ?? ?? ?? 50 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 75 ?? 89 44 24 ?? 8D 0C F5 ?? ?? ?? ?? + 51 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 0C DD ?? ?? ?? ?? 8B F8 51 8D 4C 24 ?? E8 ?? ?? ?? + ?? 8B D8 89 5C 24 ?? 85 FF 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 57 68 ?? ?? ?? ?? 56 FF + 75 ?? 8D 0C 36 8B 35 ?? ?? ?? ?? 89 4C 24 ?? FF D6 8B 4C 24 ?? 8D 04 09 89 44 24 ?? + 8D 44 24 ?? 50 53 68 ?? ?? ?? ?? 51 FF 74 24 ?? FF D6 53 8B 1D ?? ?? ?? ?? FF D3 57 + 8B F0 FF D3 83 C0 ?? 8D 4C 24 ?? 03 C6 50 E8 ?? ?? ?? ?? 57 FF D3 40 8D 4C 24 ?? 50 + E8 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? FF D3 40 8D 4C 24 ?? 50 E8 ?? ?? ?? ?? 33 F6 + 89 44 24 ?? 8B CE 57 89 4C 24 ?? FF D3 85 C0 74 ?? 8B 54 24 ?? 89 54 24 ?? 8B 44 24 + ?? 8A 0C 38 80 F9 ?? 74 ?? 80 F9 ?? 74 ?? 88 0A 42 89 54 24 ?? 
40 57 89 44 24 ?? FF + D3 8B 4C 24 ?? 8B 54 24 ?? 3B C8 72 ?? 8B 7C 24 ?? 57 FF D3 85 C0 74 ?? 8B 4C 24 ?? + 89 4C 24 ?? 8A 04 3E 3C ?? 74 ?? 3C ?? 74 ?? 88 01 41 89 4C 24 ?? 57 46 FF D3 8B 4C + 24 ?? 3B F0 72 ?? 8B 7C 24 ?? 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D3 8B 35 ?? ?? + ?? ?? 57 FF D6 8D 4C 24 ?? 8D 3C 47 57 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D3 57 FF + D6 FF 74 24 ?? 8D 34 47 FF 15 ?? ?? ?? ?? 50 56 6A ?? FF 74 24 ?? 6A ?? 68 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D3 57 FF 15 ?? ?? ?? ?? FF 74 24 ?? 8D 34 + 47 FF 15 ?? ?? ?? ?? 50 56 6A ?? FF 74 24 ?? 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 57 FF D3 8B 74 24 ?? 8B 1D ?? ?? ?? ?? 56 FF D3 C1 E0 ?? 8D 4C 24 ?? + 83 C0 ?? 50 E8 ?? ?? ?? ?? 56 FF D3 8D 4C 24 ?? 8D 04 C5 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 56 89 44 24 ?? FF D3 8B 5C 24 ?? 8B F0 8B CB 8D 3C 36 8B D7 E8 ?? ?? ?? ?? 8D 44 + 24 ?? 8B CE 8B 74 24 ?? 50 56 68 ?? ?? ?? ?? 57 C1 E1 ?? 53 89 4C 24 ?? FF 15 ?? ?? + ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 56 FF D3 83 C0 ?? 8D 4C 24 ?? + 50 E8 ?? ?? ?? ?? 56 FF D3 40 8D 4C 24 ?? 50 E8 ?? ?? ?? ?? 89 44 24 ?? 33 F6 8B 44 + 24 ?? 8B FE 50 FF D3 85 C0 74 ?? 8B 54 24 ?? 89 54 24 ?? 8B 44 24 ?? 8A 0C 07 80 F9 + ?? 74 ?? 80 F9 ?? 74 ?? 88 0A 42 89 54 24 ?? 50 47 FF D3 8B 54 24 ?? 3B F8 72 ?? 8B + 7C 24 ?? 57 FF D3 50 FF 74 24 ?? 6A ?? 57 56 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? + 8D 54 24 ?? 89 74 24 ?? 8B CF E8 ?? ?? ?? ?? 59 85 C0 75 ?? 8D 4C 24 ?? E8 ?? ?? ?? + ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? EB ?? 8B 4C 24 ?? 85 C9 74 + ?? 8B 45 ?? 89 08 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? + E8 ?? ?? ?? ?? 33 F6 46 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 5F 8B + C6 5E 5B 8B E5 5D C3 + } + + $crypt_files_v2 = { + 8B 55 ?? 8B 1D ?? ?? ?? ?? 8D 04 12 89 44 24 ?? 8D 44 24 ?? 50 51 68 ?? ?? ?? ?? 52 + FF 75 ?? FF D3 8D 04 36 89 44 24 ?? 8D 44 24 ?? 50 57 68 ?? ?? ?? ?? 56 FF 74 24 ?? + FF D3 8B 1D ?? ?? ?? ?? 
57 FF D3 FF 74 24 ?? 8B F0 FF D3 6A ?? 83 C0 ?? 68 ?? ?? ?? + ?? 03 F0 56 6A ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? 89 44 24 ?? C7 44 24 ?? + ?? ?? ?? ?? FF D3 8B 54 24 ?? 40 85 D2 74 ?? 3B C6 73 ?? 8D 0C 02 89 44 24 ?? 89 4C + 24 ?? 89 54 24 ?? EB ?? C7 44 24 ?? ?? ?? ?? ?? 57 FF D3 40 83 7C 24 ?? ?? 74 ?? 03 + 44 24 ?? 3B C6 72 ?? C7 44 24 ?? ?? ?? ?? ?? FF 74 24 ?? 33 F6 FF D3 85 C0 74 ?? 8B + 7C 24 ?? EB ?? 8D 9B ?? ?? ?? ?? 8B 4C 24 ?? 8A 04 0E 3C ?? 74 ?? 3C ?? 74 ?? 88 07 + 47 51 46 FF D3 3B F0 72 ?? 8B 7C 24 ?? 57 33 F6 FF D3 85 C0 74 ?? 8B 4C 24 ?? 89 4C + 24 ?? 90 8A 04 3E 3C ?? 74 ?? 3C ?? 74 ?? 88 01 41 89 4C 24 ?? 57 46 FF D3 8B 4C 24 + ?? 3B F0 72 ?? 8B 74 24 ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D7 56 FF 15 ?? ?? + ?? ?? 8D 4C 24 ?? 8D 34 46 56 89 74 24 ?? E8 ?? ?? ?? ?? 8D 54 24 ?? C7 44 24 ?? ?? + ?? ?? ?? 8D 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 50 FF 15 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D7 8B 7C 24 ?? 57 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 56 FF 15 ?? ?? ?? ?? 8B 74 24 ?? 56 FF 74 24 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 57 8B 3D ?? ?? ?? ?? FF D7 68 ?? ?? ?? ?? 6A ?? 56 FF D7 8B 74 24 ?? 68 ?? ?? ?? + ?? 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 56 FF D7 FF 74 24 ?? 8D 34 46 FF D3 50 56 + 6A ?? FF 74 24 ?? 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 74 24 ?? 68 ?? ?? ?? ?? + 56 FF 15 ?? ?? ?? ?? 56 FF D7 8B 7C 24 ?? 57 8D 34 46 FF D3 50 56 6A ?? 57 6A ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 + ?? 8B 35 ?? ?? ?? ?? FF D6 8B F8 6A ?? C1 E7 ?? 68 ?? ?? ?? ?? 83 C7 ?? 57 6A ?? FF + 15 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? FF D6 8D 0C C5 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 + 74 ?? 3B CF 73 ?? 8B F8 EB ?? 33 FF FF 74 24 ?? FF D6 8B 0D ?? ?? ?? ?? 89 44 24 ?? + 85 C9 74 ?? 68 ?? ?? ?? ?? 6A ?? 51 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF D6 83 C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 
83 C4 ?? 8B 44 24 ?? 8B 4C 24 ?? 8D 34 00 + 8B D6 E8 ?? ?? ?? ?? 8B 4C 24 ?? 8D 04 CD ?? ?? ?? ?? 89 44 24 ?? 8D 44 24 ?? 50 57 + 68 ?? ?? ?? ?? 56 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 57 FF + D3 6A ?? 68 ?? ?? ?? ?? 8D 70 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 57 89 44 24 ?? FF D3 8D + 48 ?? 8B 44 24 ?? 85 C0 74 ?? 89 44 24 ?? 3B CE 72 ?? C7 44 24 ?? ?? ?? ?? ?? 57 33 + F6 FF D3 85 C0 74 ?? 8B 4C 24 ?? 89 4C 24 ?? 8A 04 3E 3C ?? 74 ?? 3C ?? 74 ?? 88 01 + 41 89 4C 24 ?? 57 46 FF D3 8B 4C 24 ?? 3B F0 72 ?? 8B 74 24 ?? 56 FF D3 50 FF 74 24 + ?? 6A ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 51 8D 54 24 ?? C7 44 24 ?? + ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? + ?? 50 8B 44 24 ?? 50 FF D3 8B 44 24 ?? 68 ?? ?? ?? ?? 6A ?? 50 FF D3 68 ?? ?? ?? ?? + 6A ?? FF 74 24 ?? FF D3 68 ?? ?? ?? ?? 6A ?? FF 74 24 ?? FF D3 8D 4C 24 ?? E8 ?? ?? + ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 + } + + $find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 89 55 ?? 8B F9 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B CF E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 57 8D 1C 47 89 5D ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF + 15 ?? ?? ?? ?? 8B F0 33 C0 89 75 ?? 66 89 03 83 FE ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 8B 5D ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 85 ?? + ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 68 ?? ?? ?? ?? 57 FF 15 + ?? ?? ?? ?? 8B 55 ?? 8B CF 53 FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? FF 75 + ?? 8B 03 8D 95 ?? ?? ?? ?? 8B 73 ?? 51 8B CF 89 45 ?? E8 ?? ?? ?? ?? 01 03 59 11 53 + ?? 59 3B 73 ?? 77 ?? 72 ?? 8B 45 ?? 3B 03 73 ?? 8B 45 ?? FF 00 8B 75 ?? 8B 45 ?? 33 + C9 66 89 08 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 56 FF + 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 + } + + $find_files_v2 = { + 55 8B EC 81 EC ?? 
?? ?? ?? 53 56 57 89 55 ?? 8B F9 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B CF E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 8D 1C 47 89 5D ?? FF D6 8D 85 ?? ?? ?? ?? 50 + 57 FF 15 ?? ?? ?? ?? 33 C9 89 45 ?? 66 89 0B 83 F8 ?? 75 ?? B8 ?? ?? ?? ?? 5F 5E 5B + 8B E5 5D C3 8B 5D ?? EB ?? 8D A4 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 57 FF D6 F6 85 ?? ?? ?? ?? ?? 74 ?? 68 + ?? ?? ?? ?? 57 FF D6 8B 55 ?? 8B CF 53 FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? EB + ?? FF 75 ?? 8B 03 8D 95 ?? ?? ?? ?? 8B 73 ?? 51 8B CF 89 45 ?? E8 ?? ?? ?? ?? 83 C4 + ?? 01 03 11 53 ?? 3B 73 ?? 77 ?? 72 ?? 8B 45 ?? 3B 03 73 ?? 8B 45 ?? FF 00 8B 35 ?? + ?? ?? ?? 8B 45 ?? 33 C9 66 89 08 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B 8B E5 5D C3 + } + + $search_antivirus_processes = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 B8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A + ?? 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? 
?? ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B F8 53 6A ?? + 89 7D ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 89 1E 83 FF ?? 74 ?? 56 57 FF 15 ?? ?? + ?? ?? 33 DB 8D 7E ?? 57 FF B4 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 76 ?? + 50 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 43 83 FB ?? 72 ?? 8B 7D ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 85 + F6 74 ?? 68 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 + 5D C3 + } + + $search_antivirus_processes_v2 = { + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? + ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? + ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8B F0 6A ?? 89 74 24 ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? C7 03 ?? + ?? ?? ?? 83 FE ?? 74 ?? 53 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8D 4B ?? 33 F6 EB + ?? 8D A4 24 ?? ?? ?? ?? 90 51 FF 74 B4 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 73 ?? 50 + 6A ?? FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 ?? 6A ?? 57 FF 15 ?? ?? ?? 
?? 57 8B 3D ?? ?? + ?? ?? FF D7 EB ?? 8B 3D ?? ?? ?? ?? 46 8D 4B ?? 83 FE ?? 72 ?? 8B 74 24 ?? 53 56 FF + 15 ?? ?? ?? ?? 8D 4B ?? 85 C0 75 ?? 85 DB 74 ?? 68 ?? ?? ?? ?? 6A ?? 53 FF 15 ?? ?? + ?? ?? 56 FF D7 5F 5E 5B 8B E5 5D C3 + } + + $find_files_v2_1 = { + 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D3 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? F7 D8 1B C0 40 75 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? + ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 8D 3C 46 89 7D ?? FF D3 8D 85 ?? ?? + ?? ?? 50 56 FF 15 ?? ?? ?? ?? 33 C9 89 45 ?? 66 89 0F 83 F8 ?? 75 ?? B8 ?? ?? ?? ?? + 5F 5E 5B 8B E5 5D C3 8B 7D ?? EB ?? 8D 9B ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF D3 F6 85 ?? ?? + ?? ?? ?? 74 ?? 83 7D ?? ?? 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D3 8B 55 ?? 8B CE 6A ?? 57 FF 75 ?? FF 75 ?? E8 ?? ?? + ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D3 8B 55 ?? 8B CE 6A ?? 57 FF 75 + ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B 07 6A ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 89 45 ?? 8B 47 ?? 6A ?? 89 45 ?? FF 15 ?? ?? ?? ?? 56 8B D8 68 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 83 C4 ?? 8B CB E8 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 6A ?? + 53 FF 15 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? 8B 45 ?? 8B 4D ?? EB ?? 83 BD ?? ?? ?? + ?? ?? 0F 57 C0 66 0F 13 45 ?? 72 ?? 51 FF 75 ?? 8B CB E8 ?? ?? ?? ?? 83 C4 ?? 89 55 + ?? EB ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 68 ?? ?? ?? ?? 6A ?? 53 89 45 ?? FF 15 ?? ?? ?? + ?? 8B 45 ?? 8B 4D ?? 01 0F 11 47 ?? 8B 45 ?? 3B 47 ?? 77 ?? 72 ?? 8B 45 ?? 3B 07 73 + ?? 8B 45 ?? FF 00 8B 1D ?? ?? ?? ?? 8B 45 ?? 33 C9 66 89 08 8D 85 ?? ?? ?? ?? 50 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 
5F 5E 33 + C0 5B 8B E5 5D C3 + } + + $crypt_files_v2_1 = { + FF 15 ?? ?? ?? ?? 33 D2 89 44 24 ?? 89 44 24 ?? 8D 0C B7 8D 0C CD ?? ?? ?? ?? 85 C0 + 74 ?? 3B CB 73 ?? 8D 3C 01 89 44 24 ?? 89 7C 24 ?? 8B D1 EB ?? 89 54 24 ?? 8B F8 8B + 4D ?? 8D 34 CD ?? ?? ?? ?? 85 C0 74 ?? 8D 0C 32 89 4C 24 ?? 3B CB 73 ?? 8B 54 24 ?? + 8B CF 89 7C 24 ?? 03 FE 89 7C 24 ?? EB ?? 33 C9 89 4C 24 ?? 8B 74 24 ?? 85 C0 74 ?? + 8D 04 F5 ?? ?? ?? ?? 03 C2 3B C3 72 ?? 33 FF 89 7C 24 ?? 8B 1D ?? ?? ?? ?? 85 C9 0F + 84 ?? ?? ?? ?? 8B 55 ?? 8B 1D ?? ?? ?? ?? 8D 04 12 89 44 24 ?? 8D 44 24 ?? 50 51 68 + ?? ?? ?? ?? 52 FF 75 ?? FF D3 8D 04 36 89 44 24 ?? 8D 44 24 ?? 50 57 68 ?? ?? ?? ?? + 56 FF 74 24 ?? FF D3 8B 1D ?? ?? ?? ?? 57 FF D3 FF 74 24 ?? 8B F0 FF D3 6A ?? 83 C6 + ?? 03 C6 68 ?? ?? ?? ?? 50 6A ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? 8B F0 C7 + 44 24 ?? ?? ?? ?? ?? 89 74 24 ?? 89 74 24 ?? FF D3 40 85 F6 74 ?? 3B 44 24 ?? 73 ?? + 8D 0C 06 89 44 24 ?? 89 4C 24 ?? 89 74 24 ?? EB ?? C7 44 24 ?? ?? ?? ?? ?? 57 FF D3 + 40 85 F6 74 ?? 03 44 24 ?? 3B 44 24 ?? 72 ?? C7 44 24 ?? ?? ?? ?? ?? FF 74 24 ?? 33 + F6 FF D3 85 C0 74 ?? 8B 4C 24 ?? 8B 7C 24 ?? 89 4C 24 ?? 8A 04 3E 3C ?? 74 ?? 3C ?? + 74 ?? 88 01 41 89 4C 24 ?? 57 46 FF D3 8B 4C 24 ?? 3B F0 72 ?? 8B 7C 24 ?? 57 33 F6 + FF D3 85 C0 74 ?? 8B 4C 24 ?? 89 4C 24 ?? EB ?? 8D 49 ?? 8A 04 3E 3C ?? 74 ?? 3C ?? + 74 ?? 88 01 41 89 4C 24 ?? 57 46 FF D3 8B 4C 24 ?? 3B F0 72 ?? 8B 74 24 ?? 8B 1D ?? + ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D3 56 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 3C 46 57 E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D3 68 ?? ?? ?? ?? 57 FF D3 68 ?? ?? ?? ?? 57 FF D3 68 + ?? ?? ?? ?? 57 FF D3 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF D6 68 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? 57 FF D3 57 FF 15 ?? ?? ?? ?? + FF 74 24 ?? 8D 34 47 FF 15 ?? ?? ?? ?? 50 56 6A ?? FF 74 24 ?? 6A ?? 68 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D3 57 FF 15 ?? ?? ?? ?? FF 74 24 ?? 8D 34 47 + FF 15 ?? ?? ?? ?? 50 56 6A ?? FF 74 24 ?? 
6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 + C0 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 66 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 74 24 ?? 58 58 8D 44 24 ?? 50 57 FF + D3 8B 5C 24 ?? 8B 35 ?? ?? ?? ?? 53 FF D6 6A ?? C1 E0 ?? 83 C0 ?? 68 ?? ?? ?? ?? 50 + 6A ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 8B F8 53 89 7C 24 ?? FF D6 8D 04 C5 ?? ?? ?? ?? + 85 FF 74 ?? 3B 44 24 ?? 72 ?? 33 FF 53 FF D6 8B 0D ?? ?? ?? ?? 8B F0 89 74 24 ?? 85 + C9 74 ?? 68 ?? ?? ?? ?? 6A ?? 51 FF 15 ?? ?? ?? ?? 8B 5C 24 ?? 6A ?? 68 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 83 C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 74 ?? + 53 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8B 5C 24 ?? 03 F6 8B D6 8B CB E8 ?? + ?? ?? ?? 8B 4C 24 ?? 8D 04 CD ?? ?? ?? ?? 89 44 24 ?? 8D 44 24 ?? 50 57 68 ?? ?? ?? + ?? 56 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 57 FF D3 + 6A ?? 68 ?? ?? ?? ?? 8D 70 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 57 89 44 24 ?? FF D3 8D 48 + ?? 8B 44 24 ?? 85 C0 74 ?? 89 44 24 ?? 3B CE 72 ?? C7 44 24 ?? ?? ?? ?? ?? 57 33 F6 + FF D3 85 C0 74 ?? 8B 4C 24 ?? 89 4C 24 ?? 8A 04 3E 3C ?? 74 ?? 3C ?? 74 ?? 88 01 41 + 89 4C 24 ?? 57 46 FF D3 8B 4C 24 ?? 3B F0 72 ?? 8B 74 24 ?? 56 FF D3 50 FF 74 24 ?? + 6A ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 7C 24 ?? 8D 54 24 ?? 6A ?? 57 8B + CE C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 1D ?? ?? ?? ?? 68 + ?? ?? ?? ?? 50 8B 44 24 ?? 50 FF D3 68 ?? ?? ?? ?? 6A ?? FF 74 24 ?? FF D3 68 ?? ?? + ?? ?? 6A ?? FF 74 24 ?? FF D3 33 F6 EB ?? 8B 4C 24 ?? 85 C9 74 ?? 8B 45 ?? 89 08 8B + 44 24 ?? 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 FF D3 68 ?? ?? ?? ?? 6A ?? FF 74 + 24 ?? FF D3 68 ?? ?? ?? ?? 6A ?? FF 74 24 ?? FF D3 EB ?? 8B 7C 24 ?? 83 7C 24 ?? ?? + 75 ?? 68 ?? ?? ?? ?? 6A ?? 57 FF D3 BE ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 74 24 ?? + FF D3 8D 4C 24 ?? E8 ?? ?? ?? ?? 
5F 8B C6 5E 5B 8B E5 5D C3 + } + + $remote_connection_v2_1 = { + 53 89 45 ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 3C 45 ?? ?? + ?? ?? 8D 47 ?? 50 6A ?? FF D6 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B D8 FF D6 + 89 45 ?? 85 DB 74 ?? 8D 47 ?? 3B F8 73 ?? 8B F3 EB ?? 33 F6 FF 75 ?? 56 FF 15 ?? ?? + ?? ?? F3 0F 6F 05 ?? ?? ?? ?? 56 F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 + ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? F3 + 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? F3 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 ?? FF 15 ?? + ?? ?? ?? 8D 45 ?? 33 FF 50 FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 68 ?? ?? ?? ?? 83 EC ?? + 68 ?? ?? ?? ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 50 56 FF 75 ?? 8B 75 ?? 8D 4D ?? 56 E8 + ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? BF ?? ?? ?? ?? 74 ?? 8B 4D ?? 8D 55 ?? C7 45 ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 85 C0 74 ?? 8B 4D ?? 89 01 EB ?? 33 + FF 68 ?? ?? ?? ?? 6A ?? 56 8B 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF + D6 68 ?? ?? ?? ?? 6A ?? 53 FF D6 8B 45 ?? 85 C0 74 ?? 50 FF 15 ?? ?? ?? ?? 8B C7 5F + 5E 5B 8B E5 5D C3 + } + + $search_antivirus_processes_v4_1_2 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 
C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B F8 53 6A ?? + 89 7D ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 89 1E 83 FF ?? 74 ?? 56 57 FF 15 ?? ?? + ?? ?? 33 DB 8D 7E ?? 57 FF B4 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 76 ?? + 50 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 43 83 FB ?? 72 ?? 8B 7D ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 85 + F6 74 ?? 68 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 + 5D C3 + } + + $find_files_v4_1_2 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 33 FF 89 54 24 ?? 8B F1 89 7C 24 ?? 39 + 7D ?? 75 ?? 8D 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 85 C0 75 ?? 85 DB 75 ?? 33 C0 E9 + ?? ?? ?? ?? 33 DB 43 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 66 83 3E ?? 74 ?? 8D 54 24 ?? + 89 7C 24 ?? 8B CE E8 ?? ?? ?? ?? 89 44 24 ?? 39 7C 24 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 56 8D 04 46 89 44 24 ?? FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 56 FF 15 ?? + ?? ?? ?? 8B 4C 24 ?? 33 D2 89 44 24 ?? 66 89 11 83 F8 ?? 75 ?? BF ?? ?? ?? ?? E9 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? + 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? F6 + 44 24 ?? ?? 74 ?? 85 DB 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? + ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8B 54 24 ?? 8B CE E8 ?? ?? ?? ?? EB ?? 68 ?? ?? + ?? ?? 56 FF 15 ?? ?? ?? ?? 57 EB ?? FF 74 24 ?? 8D 54 24 ?? 8B CE E8 ?? ?? ?? ?? 59 + 8B 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B C7 5F 5E + 5B 8B E5 5D C3 + } + + $crypt_files_v4_1_2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 89 4D ?? 33 DB 57 B9 ?? ?? ?? ?? 89 5D ?? 8B F2 E8 + ?? ?? ?? ?? 8B F8 8D 55 ?? 56 57 8D 4D ?? 89 7D ?? E8 ?? ?? ?? ?? 59 59 85 C0 0F 84 + ?? ?? ?? ?? 53 53 6A ?? 53 53 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 
8B F0 83 FE + ?? 0F 84 ?? ?? ?? ?? 6A ?? 58 88 5D ?? 48 75 ?? 51 51 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 89 45 ?? B9 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 89 5D ?? 89 + 5D ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 89 5D ?? 53 8D + 45 ?? 50 68 ?? ?? ?? ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D + ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 45 ?? 81 F9 ?? ?? ?? ?? 6A ?? 5A 0F 42 C2 01 8F ?? ?? + ?? ?? 8B 55 ?? 8D 8D ?? ?? ?? ?? 11 9F ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 50 FF 75 ?? 89 + 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 33 C9 F7 D8 41 99 51 53 52 50 56 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 53 8D 45 ?? 50 FF 75 ?? FF 75 ?? 56 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 8B 7D ?? 6A ?? FF 15 ?? ?? ?? ?? 53 8D 45 ?? 50 FF 75 ?? 57 56 FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 8B 7D ?? 8B 4D ?? 85 C9 0F 84 ?? ?? ?? ?? 53 8D 45 ?? 50 68 + ?? ?? ?? ?? 57 56 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B D8 E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? + ?? ?? 56 FF 15 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 5F 5E 8B C3 5B 8B E5 5D C3 33 C0 8D + 48 ?? 89 4D ?? EB + } + + $remote_connection_v4_1_2 = { + 55 8B EC 83 EC ?? 53 8B 1D ?? ?? ?? ?? 56 8B F1 57 83 7E ?? ?? 74 ?? FF 76 ?? FF D3 + 8B CE E8 ?? ?? ?? ?? 33 FF 57 57 6A ?? 57 57 FF 75 ?? FF 75 ?? FF 76 ?? FF 15 ?? ?? + ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 C8 57 51 57 57 68 + ?? ?? ?? ?? 56 8B 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF + 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 FF 47 EB ?? FF + 15 ?? ?? ?? ?? 8B 45 ?? 50 FF D3 56 FF D3 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B + E5 5D C2 + } + + $url_parameters_setup_v4_1_2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 FF 15 ?? ?? ?? ?? 33 FF 57 57 57 FF 15 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 57 FF 15 ?? ?? ?? ?? E8 ?? ?? ?? 
?? 85 C0 0F 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? + ?? ?? ?? 83 EC ?? 33 DB 43 53 83 EC ?? 53 51 53 51 53 51 53 51 53 83 EC ?? 53 51 53 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 0C 45 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 74 ?? 50 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? + ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 FF 35 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? FF D6 FF 35 ?? ?? ?? ?? 03 C0 A3 ?? ?? ?? ?? FF D6 03 C0 8B D0 + E8 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 57 57 57 68 ?? ?? ?? ?? 57 57 FF 15 ?? ?? ?? ?? + 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF D6 BB ?? ?? ?? ?? 53 + FF D6 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 53 FF D6 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? + FF D6 E8 ?? ?? ?? ?? 85 FF 74 ?? 6A ?? 57 FF 15 ?? ?? ?? ?? E8 + } + + $url_parameters_setup_v4 = { + 55 8B EC 81 EC ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 6A ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 50 FF + 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 
8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 04 45 ?? ?? ?? ?? 50 6A ?? FF 15 ?? + ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 75 ?? 50 FF 15 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 35 ?? ?? ?? + ?? FF D6 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 03 C0 8B D0 E8 ?? ?? ?? ?? 6A ?? FF 15 + ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? + ?? FF D6 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF D6 + 68 ?? ?? ?? ?? FF D6 E8 ?? ?? ?? ?? E8 + } + + $search_antivirus_processes_v4 = { + 55 8B EC 83 EC ?? 53 56 8B 35 ?? ?? ?? ?? 57 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? FF D6 8B 5D ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 89 03 C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? FF D6 8B F8 89 7D ?? 85 FF 74 ?? 6A ?? 6A ?? C7 07 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 5F 5E + 33 C0 5B 8B E5 5D C2 ?? ?? 33 C9 33 F6 57 50 89 4D ?? 89 4D ?? 89 4D ?? 89 75 ?? FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 49 ?? 85 F6 0F 85 ?? ?? ?? ?? 83 C7 ?? EB + ?? 8D 49 ?? 57 FF 74 B5 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 46 83 FE ?? 72 ?? 8B 75 ?? + EB ?? 83 7D ?? ?? 57 FF 33 C7 45 ?? ?? ?? ?? ?? 75 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 33 FF 15 ?? ?? ?? ?? EB ?? 8B 35 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? FF 33 FF D6 + FF 45 ?? 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B 75 ?? 8D 0C 41 B8 ?? ?? ?? ?? 81 F9 ?? ?? + ?? ?? 89 4D ?? 0F 47 F0 89 75 ?? 8B 7D ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? + FF 15 ?? ?? 
?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8B 03 66 83 38 ?? 74 + ?? 50 FF 15 ?? ?? ?? ?? 8B 0B 33 D2 66 89 54 41 ?? 8B 45 ?? 8B 4D ?? 89 08 8B 35 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 FF D6 FF 75 ?? FF 15 ?? ?? ?? ?? 8B 7D ?? 85 FF 75 + ?? 68 ?? ?? ?? ?? 57 FF 33 FF D6 8B C7 5F 5E 5B 8B E5 5D C2 + } + + $find_files_v4 = { + C7 44 24 ?? ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 66 83 3E ?? 0F 84 ?? ?? ?? + ?? 8D 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 89 44 24 + ?? 0F 85 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 8D 04 + 46 89 44 24 ?? FF D7 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 D2 89 44 24 + ?? 66 89 11 83 F8 ?? 75 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B + E5 5D C3 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 44 24 ?? 50 56 FF D7 F6 + 44 24 ?? ?? 74 ?? 83 7C 24 ?? ?? 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 56 FF D7 6A ?? 8B D3 8B CE E8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 56 + FF D7 6A ?? 8B D3 8B CE E8 ?? ?? ?? ?? EB ?? 53 8D 54 24 ?? 8B CE E8 ?? ?? ?? ?? 83 + C4 ?? 8B 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E + 33 C0 5B 8B E5 5D C3 + } + + $crypt_files_v4 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 6A ?? 68 ?? ?? ?? ?? 33 DB 89 4D ?? 68 ?? ?? ?? + ?? 53 8B F2 89 5D ?? FF 15 ?? ?? ?? ?? 8B F8 8D 55 ?? 56 57 8D 4D ?? 89 7D ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B + 8B E5 5D C3 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? + 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? 88 5D ?? 48 75 ?? 8B 45 ?? 89 85 ?? + ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 8B + 45 ?? 89 45 ?? 8B 45 ?? 6A ?? 89 45 ?? 8B 45 ?? 68 ?? ?? ?? ?? 
89 45 ?? 8B 45 ?? 68 + ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 5D ?? 89 5D ?? 8B 1D ?? ?? ?? ?? 6A ?? C7 05 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? FF D3 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + 89 45 ?? FF D3 33 C9 8B D8 89 4D ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? FF 75 ?? 56 FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 3D + ?? ?? ?? ?? BA ?? ?? ?? ?? 0F 42 CA 01 87 ?? ?? ?? ?? 8B 55 ?? 83 97 ?? ?? ?? ?? ?? + 8B 7D ?? 89 4D ?? 8D 8D ?? ?? ?? ?? 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B C7 F7 D8 99 6A + ?? 6A ?? 52 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 + 57 53 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 + 53 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 4D ?? 8B 7D ?? 85 C9 0F 84 ?? ?? ?? ?? 6A ?? + 8D 45 ?? 50 68 ?? ?? ?? ?? 57 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? 89 + 45 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? + ?? 8B 5D ?? 68 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 5F 5E 8B C3 5B 8B E5 5D C3 + } + + $crypt_files_v3 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 45 ?? C7 45 + ?? ?? ?? ?? ?? 50 6A ?? 8B D9 8B CA 6A ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 6A ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D6 8B F8 C7 45 ?? ?? ?? ?? ?? 53 57 89 7D ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 57 FF 15 ?? ?? + ?? ?? 66 0F 6F 05 ?? ?? ?? ?? BA ?? ?? ?? ?? F3 0F 7F 85 ?? ?? ?? ?? 51 66 0F 6F 05 + ?? ?? ?? ?? 8D 4D ?? F3 0F 7F 45 ?? C6 45 ?? ?? 66 0F 6F 05 ?? ?? ?? ?? F3 0F 7F 45 + ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D6 F3 0F 6F 85 ?? ?? ?? ?? 8B F8 6A ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? F3 0F 7F 07 6A ?? F3 0F 6F 45 ?? 89 7D ?? F3 0F 7F 47 ?? FF D6 + F3 0F 6F 45 ?? 68 ?? ?? ?? ?? 89 45 ?? F3 0F 7F 00 8D 45 ?? 
C7 45 ?? ?? ?? ?? ?? 50 + 57 FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? EB ?? 68 ?? + ?? ?? ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 15 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? 8B 75 ?? 8B 5D ?? E9 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? + ?? 6A ?? FF 75 ?? FF D7 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D7 0F 57 C0 66 0F 13 45 ?? + 8B 75 ?? 8B 5D ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF D6 6A ?? 8B D8 + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? C7 03 ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? FF D6 8B + 3D ?? ?? ?? ?? 33 F6 33 C9 89 45 ?? 89 4D ?? EB ?? 8B 45 ?? 6A ?? 8D 4D ?? 51 68 ?? + ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 + ?? ?? ?? ?? 3D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 0F 42 F1 01 03 83 53 ?? ?? 8B 45 ?? 89 45 ?? 89 45 ?? A8 ?? 74 ?? 8B FF 40 A8 ?? 75 + ?? 89 45 ?? 6A ?? 68 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? FF 75 ?? 89 45 ?? FF 75 + ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 89 45 ?? 6A ?? 68 ?? ?? ?? ?? 50 6A ?? FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 8B 55 ?? 8B 4D ?? 50 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 8D 45 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D7 8B 4D ?? 8B 45 ?? + F7 D9 6A ?? 83 D0 ?? 6A ?? F7 D8 50 51 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 + ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 + ?? BE ?? ?? ?? ?? 89 75 ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D7 85 F6 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D7 8B 4D ?? 8B 75 ?? 85 C9 75 ?? 51 8D 45 ?? 50 + 68 ?? ?? ?? ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? FF 75 + ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? 53 56 FF 15 ?? ?? ?? ?? 
56 FF 15 ?? + ?? ?? ?? 8B 03 8B 73 ?? 68 ?? ?? ?? ?? 6A ?? 53 89 45 ?? FF D7 68 ?? ?? ?? ?? 6A ?? + FF 75 ?? FF D7 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D7 8B 5D ?? 68 ?? ?? ?? ?? 6A ?? FF + 75 ?? FF D7 5F 8B D6 8B C3 5E 5B 8B E5 5D C3 + } + + $search_antivirus_processes_v5 = { + 8B 7D ?? 6A ?? 53 6A ?? 33 DB 89 07 53 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF + D6 8B F0 85 F6 75 ?? 33 C0 E9 ?? ?? ?? ?? 53 6A ?? C7 06 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 89 45 ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? 53 56 FF 15 ?? ?? ?? ?? EB ?? 56 33 C9 89 + 5D ?? 50 89 5D ?? 89 4D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F + 85 ?? ?? ?? ?? 33 C0 8D 4E ?? 89 45 ?? 51 FF 74 85 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? + 8B 45 ?? 8D 4E ?? 40 89 45 ?? 83 F8 ?? 72 ?? EB ?? 33 C0 39 45 ?? 8D 58 ?? 8D 46 ?? + 50 FF 37 75 ?? FF 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 37 FF 15 + ?? ?? ?? ?? FF 45 ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 6A ?? 8D 0C 41 8B 45 ?? + 81 F9 ?? ?? ?? ?? 89 4D ?? 59 0F 47 C1 89 45 ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 + 74 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 85 DB 74 ?? 8B 07 33 C9 66 39 08 + 74 ?? 50 FF 15 ?? ?? ?? ?? 8B 0F 33 D2 66 89 54 41 ?? 8B 45 ?? 8B 4D ?? 89 08 68 ?? + ?? ?? ?? 33 C0 50 56 8B 35 ?? ?? ?? ?? FF D6 FF 75 ?? FF 15 ?? ?? ?? ?? 85 DB 75 ?? + 68 ?? ?? ?? ?? 33 C0 50 FF 37 FF D6 8B C3 5F 5E 5B 8B E5 5D C2 + } + + $find_files_v5 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 33 FF 89 54 24 ?? 8B F1 89 7C 24 ?? 39 + 7D ?? 75 ?? 8D 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 85 C0 75 ?? 85 DB 75 ?? 33 C0 E9 + ?? ?? ?? ?? 33 DB 43 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 66 83 3E ?? 74 ?? 8D 54 24 ?? + 89 7C 24 ?? 8B CE E8 ?? ?? ?? ?? 89 44 24 ?? 39 7C 24 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? 
+ 68 ?? ?? ?? ?? 56 8D 04 46 89 44 24 ?? FF 15 ?? ?? ?? ?? 6A ?? 57 57 8D 44 24 ?? 50 + 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 D2 89 44 24 ?? 66 89 11 83 F8 ?? 75 ?? BF + ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 44 24 ?? 50 56 FF + 15 ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? 85 DB 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? + 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8B 54 24 ?? 8B CE E8 ?? ?? ?? + ?? EB ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 57 EB ?? FF 74 24 ?? 8D 54 24 ?? 8B CE + E8 ?? ?? ?? ?? 59 8B 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? + ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? + ?? ?? 8B C7 5F 5E 5B 8B E5 5D C3 + } + + $crypt_files_v5 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B D9 89 55 ?? 33 FF 89 5D ?? 21 7D ?? B9 ?? ?? + ?? ?? 89 7D ?? E8 ?? ?? ?? ?? 8B F0 89 75 ?? 85 F6 75 ?? 33 C0 E9 ?? ?? ?? ?? FF 75 + ?? 8D 55 ?? 56 8D 4D ?? E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? EB ?? + 33 C0 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B D8 83 FB + ?? 75 ?? 33 C0 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? + ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? FF 70 ?? FF 70 ?? 6A ?? 6A ?? 53 FF 15 + ?? ?? ?? ?? 6A ?? 58 C6 45 ?? ?? 48 75 ?? 51 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 8E ?? ?? ?? ?? 21 7D ?? 21 7D ?? 41 89 45 ?? + 8B 45 ?? 89 45 ?? E8 ?? ?? ?? ?? 8B 8E ?? ?? ?? ?? 83 C1 ?? 89 45 ?? E8 ?? ?? ?? ?? + 89 45 ?? 33 FF 6A ?? 8D 45 ?? 50 FF B6 ?? ?? ?? ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 3B 86 ?? ?? ?? ?? 8B 55 ?? 6A + ?? 59 0F 42 F9 83 7D ?? ?? 8D 8D ?? ?? ?? ?? 0F 45 7D ?? 01 86 ?? ?? ?? ?? 89 7D ?? + 83 96 ?? ?? ?? ?? ?? 8B 45 ?? 50 FF 75 ?? 89 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 33 + C9 F7 D8 41 99 51 6A ?? 52 50 53 FF 15 ?? 
?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 + ?? 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 ?? 8B 7D ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? + 8D 45 ?? 50 57 56 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 75 ?? 8B 7D ?? 33 C0 40 01 86 + ?? ?? ?? ?? 83 96 ?? ?? ?? ?? ?? EB ?? 33 C0 8D 78 ?? 85 FF 0F 84 ?? ?? ?? ?? 83 7D + ?? ?? 74 ?? 6A ?? 6A ?? 0F 57 C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? + ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B F8 89 7D ?? + E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? + 85 FF 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? 83 65 ?? ?? 83 65 ?? ?? 8B 35 ?? + ?? ?? ?? FF D6 8D 0C 45 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F8 33 C0 40 83 67 ?? + ?? 88 07 FF D6 FF 75 ?? 03 C0 89 47 ?? FF D6 8D 04 45 ?? ?? ?? ?? 50 FF 75 ?? 8D 47 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF 75 ?? FF D6 8D 04 45 ?? ?? ?? ?? 50 57 8D 45 + ?? 50 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 8B CF E8 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? FF + 70 ?? FF 70 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B + 8B E5 5D C3 + } + + $remote_connection_v5 = { + 55 8B EC 83 EC ?? 53 8B 1D ?? ?? ?? ?? 56 8B F1 57 83 7E ?? ?? 74 ?? FF 76 ?? FF D3 + 8B CE E8 ?? ?? ?? ?? 33 FF 57 57 6A ?? 57 57 FF 75 ?? FF 75 ?? FF 76 ?? FF 15 ?? ?? + ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 C8 57 51 57 57 68 + ?? ?? ?? ?? 56 8B 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF + 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 FF 47 EB ?? FF + 15 ?? ?? ?? ?? 8B 45 ?? 50 FF D3 56 FF D3 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B + E5 5D C2 + } + + $remote_connection_v5_0_1 = { + 55 8B EC 83 EC ?? 53 8B 1D ?? ?? ?? ?? 56 8B F1 57 83 7E ?? ?? 74 ?? FF 76 ?? FF D3 + 8B CE E8 ?? ?? ?? ?? 33 FF 57 57 6A ?? 
57 57 FF 75 ?? FF 75 ?? FF 76 ?? FF 15 ?? ?? + ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 C8 57 51 57 57 68 + ?? ?? ?? ?? 56 8B 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF + 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? ?? ?? 33 C9 41 85 C0 8B 45 ?? 0F 45 + F9 50 FF D3 56 FF D3 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C2 + } + + $url_parameters_setup_v5 = { + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 8D 8C 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? + 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + D1 E0 A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? D1 E0 8B D0 8B 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A + ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? 
?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? + ?? 73 ?? 83 65 ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A + ?? FF 75 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B E5 5D C3 + } + + $url_parameters_setup_v5_0_1 = { + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 8D 8C 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? + 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + D1 E0 A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? D1 E0 8B D0 8B 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A + ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? + ?? 73 ?? 83 65 ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A + ?? FF 75 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? 
?? + ?? ?? 83 7D ?? ?? 74 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B E5 5D C3 + } + + $crypt_files_v5_0_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B D9 89 55 ?? 33 FF 89 5D ?? 21 7D ?? B9 ?? ?? + ?? ?? 89 7D ?? E8 ?? ?? ?? ?? 8B F0 33 C0 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 50 68 ?? + ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 75 ?? 33 C0 + 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB + ?? 0F 84 ?? ?? ?? ?? 8B 7D ?? FF 77 ?? FF 77 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8D 45 ?? 50 68 + ?? ?? ?? ?? 56 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 81 BE ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? + 81 BE ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? FF 77 ?? FF 77 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? + ?? 53 FF 15 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 6A ?? 6A ?? 0F 57 + C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? FF 75 ?? 83 65 ?? ?? 8D 55 + ?? 56 8D 4D ?? E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A ?? 58 C6 45 ?? ?? 48 75 ?? 51 68 + ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 8E ?? ?? + ?? ?? 83 65 ?? ?? 83 65 ?? ?? 41 89 45 ?? 8B 45 ?? 89 45 ?? E8 ?? ?? ?? ?? 8B 8E ?? + ?? ?? ?? 83 C1 ?? 89 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 33 FF 6A ?? 8D 45 ?? 50 FF B6 ?? + ?? ?? ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 + ?? ?? ?? ?? 3B 86 ?? ?? ?? ?? 8B 55 ?? 6A ?? 59 0F 42 F9 83 7D ?? ?? 8D 8D ?? ?? ?? + ?? 0F 45 7D ?? 01 86 ?? ?? ?? ?? 89 7D ?? 83 96 ?? ?? ?? ?? ?? 8B 45 ?? 50 FF 75 ?? + 89 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 33 C9 F7 D8 41 99 51 6A ?? 52 50 53 FF 15 ?? + ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 + ?? 8B 7D ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 53 FF 15 ?? ?? ?? ?? 85 + C0 74 ?? 8B 75 ?? 8B 7D ?? 33 C0 40 01 86 ?? ?? ?? ?? 83 96 ?? ?? ?? ?? ?? EB ?? 33 + C0 8D 78 ?? 85 FF 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 
74 ?? 6A ?? 6A ?? 0F 57 C0 66 0F 13 + 45 ?? FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 53 + FF 15 ?? ?? ?? ?? 8B 4D ?? 8B F8 89 7D ?? E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B + CE E8 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? + FF 75 ?? 83 65 ?? ?? 83 65 ?? ?? 8B 35 ?? ?? ?? ?? FF D6 8D 0C 45 ?? ?? ?? ?? E8 ?? + ?? ?? ?? FF 75 ?? 8B F8 33 C0 40 83 67 ?? ?? 88 07 FF D6 FF 75 ?? 03 C0 89 47 ?? FF + D6 8D 04 45 ?? ?? ?? ?? 50 FF 75 ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF 75 + ?? FF D6 8D 04 45 ?? ?? ?? ?? 50 57 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 + 8B CF E8 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? FF 70 ?? FF 70 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? + ?? ?? 53 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C3 + } + + $find_files_v5_0_1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 33 FF 89 54 24 ?? 8B F1 89 7C 24 ?? 39 + 7D ?? 75 ?? 8D 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 85 C0 75 ?? 85 DB 75 ?? 33 C0 E9 + ?? ?? ?? ?? 33 DB 43 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 66 83 3E ?? 74 ?? 8D 54 24 ?? + 89 7C 24 ?? 8B CE E8 ?? ?? ?? ?? 89 44 24 ?? 39 7C 24 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 56 8D 04 46 89 44 24 ?? FF 15 ?? ?? ?? ?? 6A ?? 57 57 8D 44 24 ?? 50 + 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 D2 89 44 24 ?? 66 89 11 83 F8 ?? 75 ?? BF + ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 44 24 ?? 50 56 FF + 15 ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? 85 DB 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? + 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8B 54 24 ?? 8B CE E8 ?? ?? ?? + ?? EB ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 57 EB ?? FF 74 24 ?? 8D 54 24 ?? 8B CE + E8 ?? ?? ?? ?? 59 8B 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? + ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? + ?? ?? 
8B C7 5F 5E 5B 8B E5 5D C3 + } + + $search_antivirus_processes_v5_0_1 = { + 55 8B EC 83 EC ?? 53 56 8B 35 ?? ?? ?? ?? BB ?? ?? ?? ?? 57 6A ?? 53 68 ?? ?? ?? ?? + 33 C0 50 FF D6 8B 7D ?? 6A ?? 53 6A ?? 33 DB 89 07 53 C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? FF D6 8B F0 85 F6 75 ?? 33 C0 E9 ?? ?? ?? ?? 53 6A ?? C7 06 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? 53 56 FF 15 ?? ?? ?? ?? EB + ?? 56 33 C9 89 5D ?? 50 89 5D ?? 89 4D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 33 C0 8D 4E ?? 89 45 ?? 51 FF 74 85 ?? FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 8B 45 ?? 8D 4E ?? 40 89 45 ?? 83 F8 ?? 72 ?? EB ?? 33 C0 39 45 ?? 8D + 58 ?? 8D 46 ?? 50 FF 37 75 ?? FF 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 37 FF 15 ?? ?? ?? ?? FF 45 ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 6A ?? 8D + 0C 41 8B 45 ?? 81 F9 ?? ?? ?? ?? 89 4D ?? 59 0F 47 C1 89 45 ?? 56 FF 75 ?? FF 15 ?? + ?? ?? ?? 85 C0 74 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 85 DB 74 ?? 8B 07 + 33 C9 66 39 08 74 ?? 50 FF 15 ?? ?? ?? ?? 8B 0F 33 D2 66 89 54 41 ?? 8B 45 ?? 8B 4D + ?? 89 08 68 ?? ?? ?? ?? 33 C0 50 56 8B 35 ?? ?? ?? ?? FF D6 FF 75 ?? FF 15 ?? ?? ?? + ?? 85 DB 75 ?? 68 ?? ?? ?? ?? 33 C0 50 FF 37 FF D6 8B C3 5F 5E 5B 8B E5 5D C2 + } + + $set_url_parameters_v5_0_2 = { + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 8D 8C 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 
+ 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + D1 E0 A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? D1 E0 8B D0 8B 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A + ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? + ?? 73 ?? 83 65 ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A + ?? FF 75 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B E5 5D C3 + } + + $set_url_parameters_v5_0_3 = { + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 8D 8C 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? + 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? 
?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + D1 E0 A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? D1 E0 8B D0 8B 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 73 ?? 83 65 ?? ?? 68 ?? ?? ?? ?? 8D + 45 ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A ?? FF 75 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 83 7D ?? ?? 74 ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B E5 5D C3 + } + + $search_antivirus_processes_v5_0_2 = { + 55 8B EC 83 EC ?? 53 56 8B 35 ?? ?? ?? ?? BB ?? ?? ?? ?? 57 6A ?? 53 68 ?? ?? ?? ?? + 33 C0 50 FF D6 8B 7D ?? 6A ?? 53 6A ?? 33 DB 89 07 53 C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? FF D6 8B F0 85 F6 75 ?? 33 C0 E9 ?? ?? ?? ?? 53 6A ?? C7 06 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 75 ?? 68 ?? ?? ?? ?? 53 56 FF 15 ?? ?? ?? ?? EB + ?? 56 33 C9 89 5D ?? 50 89 5D ?? 89 4D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 33 C0 8D 4E ?? 89 45 ?? 51 FF 74 85 ?? FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 8B 45 ?? 8D 4E ?? 40 89 45 ?? 83 F8 ?? 72 ?? EB ?? 33 C0 39 45 ?? 
8D + 58 ?? 8D 46 ?? 50 FF 37 75 ?? FF 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 37 FF 15 ?? ?? ?? ?? FF 45 ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 6A ?? 8D + 0C 41 8B 45 ?? 81 F9 ?? ?? ?? ?? 89 4D ?? 59 0F 47 C1 89 45 ?? 56 FF 75 ?? FF 15 ?? + ?? ?? ?? 85 C0 74 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 85 DB 74 ?? 8B 07 + 33 C9 66 39 08 74 ?? 50 FF 15 ?? ?? ?? ?? 8B 0F 33 D2 66 89 54 41 ?? 8B 45 ?? 8B 4D + ?? 89 08 68 ?? ?? ?? ?? 33 C0 50 56 8B 35 ?? ?? ?? ?? FF D6 FF 75 ?? FF 15 ?? ?? ?? + ?? 85 DB 75 ?? 68 ?? ?? ?? ?? 33 C0 50 FF 37 FF D6 8B C3 5F 5E 5B 8B E5 5D C2 + } + + $find_files_v5_0_2 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 33 FF 89 54 24 ?? 8B F1 89 7C 24 ?? 39 + 7D ?? 75 ?? 8D 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 85 C0 75 ?? 85 DB 75 ?? 33 C0 E9 + ?? ?? ?? ?? 33 DB 43 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 66 83 3E ?? 74 ?? 8D 54 24 ?? + 89 7C 24 ?? 8B CE E8 ?? ?? ?? ?? 89 44 24 ?? 39 7C 24 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 56 8D 04 46 89 44 24 ?? FF 15 ?? ?? ?? ?? 6A ?? 57 57 8D 44 24 ?? 50 + 6A ?? 56 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 75 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? + ?? ?? 89 44 24 ?? 8B 4C 24 ?? 33 D2 66 89 11 83 F8 ?? 75 ?? BF ?? ?? ?? ?? E9 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D + 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? F6 44 + 24 ?? ?? 74 ?? 85 DB 74 ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? + ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8B 54 24 ?? 8B CE E8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? + ?? 56 FF 15 ?? ?? ?? ?? 57 EB ?? FF 74 24 ?? 8D 54 24 ?? 8B CE E8 ?? ?? ?? ?? 59 8B + 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B + 8B E5 5D C3 + } + + $crypt_files_v5_0_2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B D9 89 55 ?? 33 FF 89 5D ?? 21 7D ?? B9 ?? ?? + ?? ?? 89 7D ?? E8 ?? ?? ?? ?? 
8B F0 33 C0 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 50 68 ?? + ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 75 ?? 33 C0 + 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB + ?? 0F 84 ?? ?? ?? ?? 8B 7D ?? FF 77 ?? FF 77 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8D 45 ?? 50 68 + ?? ?? ?? ?? 56 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 81 BE ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? + 81 BE ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? FF 77 ?? FF 77 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? + ?? 53 FF 15 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 6A ?? 6A ?? 0F 57 + C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? FF 75 ?? 83 65 ?? ?? 8D 55 + ?? 56 8D 4D ?? E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 6A ?? 58 C6 45 ?? ?? 48 75 ?? 51 68 + ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 8E ?? ?? + ?? ?? 83 65 ?? ?? 83 65 ?? ?? 41 89 45 ?? 8B 45 ?? 89 45 ?? E8 ?? ?? ?? ?? 8B 8E ?? + ?? ?? ?? 83 C1 ?? 89 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 33 FF 6A ?? 8D 45 ?? 50 FF B6 ?? + ?? ?? ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 + ?? ?? ?? ?? 3B 86 ?? ?? ?? ?? 8B 55 ?? 6A ?? 59 0F 42 F9 83 7D ?? ?? 8D 8D ?? ?? ?? + ?? 0F 45 7D ?? 01 86 ?? ?? ?? ?? 89 7D ?? 83 96 ?? ?? ?? ?? ?? 8B 45 ?? 50 FF 75 ?? + 89 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 33 C9 F7 D8 41 99 51 6A ?? 52 50 53 FF 15 ?? + ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 75 + ?? 8B 7D ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 53 FF 15 ?? ?? ?? ?? 85 + C0 74 ?? 8B 75 ?? 8B 7D ?? 33 C0 40 01 86 ?? ?? ?? ?? 83 96 ?? ?? ?? ?? ?? EB ?? 33 + C0 8D 78 ?? 85 FF 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 6A ?? 6A ?? 0F 57 C0 66 0F 13 + 45 ?? FF 75 ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 53 + FF 15 ?? ?? ?? ?? 8B 4D ?? 8B F8 89 7D ?? E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B + CE E8 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 
85 FF 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? + FF 75 ?? 83 65 ?? ?? 83 65 ?? ?? 8B 35 ?? ?? ?? ?? FF D6 8D 0C 45 ?? ?? ?? ?? E8 ?? + ?? ?? ?? FF 75 ?? 8B F8 33 C0 40 83 67 ?? ?? 88 07 FF D6 FF 75 ?? 03 C0 89 47 ?? FF + D6 8D 04 45 ?? ?? ?? ?? 50 FF 75 ?? 8D 47 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF 75 + ?? FF D6 8D 04 45 ?? ?? ?? ?? 50 57 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 + 8B CF E8 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? FF 70 ?? FF 70 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? + ?? ?? 53 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C3 + } + + $remote_connection_v5_0_2 = { + 55 8B EC 83 EC ?? 53 8B 1D ?? ?? ?? ?? 56 8B F1 57 83 7E ?? ?? 74 ?? FF 76 ?? FF D3 + 8B CE E8 ?? ?? ?? ?? 33 FF 57 57 6A ?? 57 57 FF 75 ?? FF 75 ?? FF 76 ?? FF 15 ?? ?? + ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 75 ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 C8 57 51 57 57 68 + ?? ?? ?? ?? 56 8B 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF + 75 ?? FF 75 ?? FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? ?? ?? 33 C9 41 85 C0 8B 45 ?? 0F 45 + F9 50 FF D3 56 FF D3 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C2 + } + + $crypt_files_v5_0_3 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B F9 89 55 ?? 33 DB B9 ?? ?? ?? ?? 89 5D ?? E8 + ?? ?? ?? ?? 8B F0 89 75 ?? 85 F6 75 ?? 33 C0 E9 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 6A ?? + 53 53 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 6A ?? 53 + 6A ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 53 8D 45 ?? 50 68 ?? ?? ?? ?? + 56 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 81 BE ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 81 BE ?? ?? + ?? ?? ?? ?? ?? ?? 75 ?? 8B 45 ?? FF 70 ?? FF 70 ?? 53 53 57 FF 15 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 53 53 0F 57 C0 66 0F 13 45 ?? FF + 75 ?? FF 75 ?? 57 FF 15 ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 89 5D ?? 56 8D 4D ?? E8 ?? ?? + ?? ?? 59 59 85 C0 74 ?? 6A ?? 
58 88 5D ?? 48 75 ?? 51 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 8E ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 41 + 8B 45 ?? 89 85 ?? ?? ?? ?? 89 5D ?? 89 5D ?? E8 ?? ?? ?? ?? 8B 8E ?? ?? ?? ?? 83 C1 + ?? 89 45 ?? E8 ?? ?? ?? ?? 89 45 ?? 89 5D ?? 53 8D 45 ?? 50 FF B6 ?? ?? ?? ?? FF 75 + ?? 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 85 C9 0F 84 ?? ?? ?? ?? 3B + 8E ?? ?? ?? ?? 8B 45 ?? 6A ?? 5A 0F 42 C2 39 5D ?? 8B 55 ?? 0F 45 45 ?? 01 8E ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? 89 45 ?? 11 9E ?? ?? ?? ?? 8B 45 ?? 8B 75 ?? 50 56 89 45 ?? + E8 ?? ?? ?? ?? 8B 45 ?? 59 59 33 C9 F7 D8 41 99 51 53 52 50 57 FF 15 ?? ?? ?? ?? 8B + C3 89 5D ?? 83 F8 ?? 7D ?? 53 8D 45 ?? 50 FF 75 ?? 56 57 FF 15 ?? ?? ?? ?? 85 C0 75 + ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 40 89 45 ?? EB ?? 8B 75 ?? 33 C0 8B 4D ?? 40 01 + 86 ?? ?? ?? ?? 11 9E ?? ?? ?? ?? EB ?? 33 C0 8D 48 ?? 89 4D ?? 85 C9 0F 84 ?? ?? ?? + ?? 39 5D ?? 74 ?? 6A ?? 53 0F 57 C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 57 FF 15 ?? ?? + ?? ?? 53 8D 45 ?? 50 68 ?? ?? ?? ?? 56 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B D8 E8 ?? ?? + ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 FF ?? 74 ?? 8B 45 ?? 57 83 08 + ?? FF 15 ?? ?? ?? ?? 8B C3 5F 5E 5B 8B E5 5D C3 + } + + $remote_connection_v5_0_3 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 68 ?? ?? ?? ?? 33 DB 8D 85 ?? ?? ?? ?? 8B F1 53 + 50 89 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B FB 0F B7 04 5E 66 85 C0 74 ?? 83 F8 ?? 75 ?? + 83 C3 ?? 56 89 5D ?? FF 15 ?? ?? ?? ?? 3B D8 73 ?? 8D 14 1B 0F B7 04 32 EB ?? 66 83 + F8 ?? 74 ?? 43 0F B7 04 5E 66 85 C0 75 ?? EB ?? 8B CB 2B 4D ?? 74 ?? 03 F2 8D BD ?? + ?? ?? ?? D1 E9 F3 A5 13 C9 66 F3 A5 8B 75 ?? 8D 43 ?? 8D 04 46 50 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 33 FF 47 43 85 FF 74 ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 15 ?? ?? ?? + ?? 8D 7D ?? 6A ?? 59 BE ?? ?? ?? ?? F3 A5 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 85 + FF 74 ?? 51 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 50 8D 45 ?? 50 83 EC ?? 57 FF 15 ?? ?? ?? + ?? 50 57 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 
50 8D 4D ?? E8 ?? ?? ?? ?? 8B CF 8B + F0 E8 ?? ?? ?? ?? EB ?? 33 F6 83 7D ?? ?? 74 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 8B C6 + 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and (($search_antivirus_processes and $find_files and $crypt_files and $remote_connection) or + ($find_files_v2 and $crypt_files_v2 and $search_antivirus_processes_v2 and $remote_connection_v2) or + ($search_antivirus_processes_v2 and $find_files_v2_1 and $crypt_files_v2_1 and $remote_connection_v2_1) or + ($search_antivirus_processes_v4_1_2 and $find_files_v4_1_2 and $crypt_files_v4_1_2 and $remote_connection_v4_1_2 and $url_parameters_setup_v4_1_2) or + ($search_antivirus_processes_v4 and $find_files_v4 and $crypt_files_v4 and $url_parameters_setup_v4) or + ($search_antivirus_processes_v2 and $find_files_v2_1 and $remote_connection_v2_1 and $crypt_files_v3) or + ($search_antivirus_processes_v5 and $find_files_v5 and $crypt_files_v5 and $remote_connection_v5 and $url_parameters_setup_v5) or + ($search_antivirus_processes_v5_0_1 and $find_files_v5_0_1 and $crypt_files_v5_0_1 and $url_parameters_setup_v5_0_1 and $remote_connection_v5_0_1) or + ($search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_2 and $set_url_parameters_v5_0_2 and $remote_connection_v5_0_2) or + ($search_antivirus_processes_v5_0_2 and $find_files_v5_0_2 and $crypt_files_v5_0_3 and $set_url_parameters_v5_0_3 and $remote_connection_v5_0_3)) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara b/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara new file mode 100644 index 0000000..8eb4f58 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara 
@@ -0,0 +1,79 @@
+rule Win32_Ransomware_GarrantyDecrypt : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GARRANTYDECRYPT"
+ description = "Yara rule that detects GarrantyDecrypt ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "GarrantyDecrypt"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_p1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B
+ 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 33 DB 53 53 8D 45 ?? 50 89 5D ?? FF D6 85 C0 75
+ ?? 68 ?? ?? ?? ?? 6A ?? 53 53 8D 45 ?? 50 FF D6 85 C0 74 ?? 8B 45 ?? A3 ?? ?? ?? ??
+ 3B C3 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 3B F3 0F 84 ?? ?? ?? ?? 8B 7E ?? 8B 46
+ ?? 33 C9 3B FB 76 ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 29 45 ?? 8B 55 ?? 8D 84 0D ?? ?? ??
+ ?? 8A 14 02 41 88 10 3B CF 72 ?? 68 ?? ?? ?? ?? 53 53 FF 76 ?? FF 36 FF 35 ?? ?? ??
+ ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 3B FB 74 ?? 8B 46 ?? 68 ?? ?? ?? ?? 89 45
+ ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 53 6A ?? 53 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B
+ 45 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? FF 36 E8
+ ?? ?? ?? ?? FF 76 ?? E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? 53 FF
+ 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 53 FF 15
+ }
+
+ $encrypt_files_p2 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8D 45 ?? 50 6A ?? 5F 57 FF 35 ?? ?? ?? ?? FF 15
+ ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 58 E8 ?? ?? ?? ?? 8B C8 33 DB 89 4D ?? 3B
+ CB 0F 84 ?? ?? ?? ?? 8D 45 ?? 89 7D ?? 8B F1 2B C1 8A 14 30 88 16 46 4F 75 ?? 6A ??
+ 8D 45 ?? 50 51 53 6A ?? 53 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 53 68 ?? ??
+ ?? ?? 6A ?? 53 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ??
+ ?? ?? ?? 89 5D ?? 89 5D ?? 8B 3D ?? ?? ?? ?? 56 FF D7 8D 04 46 83 E8 ?? 66 83 38 ??
+ 75 ?? 8B 4D ?? FF B1 ?? ?? ?? ?? 2B C6 83 C0 ?? D1 F8 8D 04 46 50 FF 15 ?? ?? ?? ??
+ 3B C3 74 ?? 50 FF D7 8B 4D ?? FF B1 ?? ?? ?? ?? 89 45 ?? FF D7 39 45 ?? 74 ?? 83 45 + ?? ?? 83 7D ?? ?? 72 ?? EB ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 3D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 89 45 ?? 3B C3 0F 84 ?? ?? ?? ?? 53 8D 45 ?? 50 68 + ?? ?? ?? ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 33 C0 89 5D ?? 3B + C3 72 ?? 77 ?? 39 5D ?? 76 ?? 8B 45 ?? 8B C8 81 E1 ?? ?? ?? ?? 79 ?? 49 83 C9 ?? 41 + 89 4D ?? 75 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 99 52 50 8D 85 ?? ?? ?? ?? 50 8D 45 ?? E8 + ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 8B 55 ?? 8B 45 ?? 8A 8C 0D ?? ?? ?? ?? 30 0C 10 FF 45 + ?? 8B 45 ?? 99 33 C9 3B D1 72 ?? 77 ?? 3B 45 ?? 72 ?? 8B 45 ?? 6A ?? F7 D8 99 53 52 + 50 FF 75 ?? FF D7 53 8D 45 ?? 50 FF 75 ?? FF 75 ?? FF 75 ?? FF D6 39 5D ?? 74 ?? 81 + 7D ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 6A ?? 53 53 33 C0 50 + FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF D7 53 8D 45 ?? 50 6A ?? 8D 45 ?? 50 FF 75 ?? FF D6 + 53 8D 45 ?? 50 6A ?? FF 75 ?? FF 75 ?? FF D6 FF 75 ?? FF 15 ?? ?? ?? ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B F0 3B F3 74 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + 59 FF 75 ?? E8 ?? ?? ?? ?? 59 5F 5E 5B C9 C3 + } + + $find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 89 5D ?? 85 + DB 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? BF ?? ?? ?? ?? 57 53 + FF D6 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? + ?? ?? ?? BB ?? ?? ?? ?? 83 65 ?? ?? 8B 45 ?? FF B0 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 45 ?? ?? 83 7D ?? ?? 72 ?? 8D 85 ?? ?? + ?? ?? 50 FF 75 ?? 53 57 FF 75 ?? FF D6 83 C4 ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF 75 ?? E8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? 
?? ?? 85 C0 74 ?? F6 85 ?? ?? ?? ?? ?? 74 ?? FF 75
+ ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ??
+ ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? 53 57 FF 75 ?? FF D6 83
+ C4 ?? 33 F6 56 68 ?? ?? ?? ?? 6A ?? 56 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ??
+ ?? 8B D8 83 FB ?? 74 ?? 56 8B 35 ?? ?? ?? ?? 8D 45 ?? 50 BF ?? ?? ?? ?? 57 FF D6 50
+ 57 8B 3D ?? ?? ?? ?? 53 FF D7 6A ?? 8D 45 ?? 50 FF 35 ?? ?? ?? ?? FF D6 50 FF 35 ??
+ ?? ?? ?? 53 FF D7 53 FF 15 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 5F 5E 5B C9 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and $find_files and (all of ($encrypt_files_p*))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Gibon.yara b/yara/ransomware/Win32.Ransomware.Gibon.yara
new file mode 100644
index 0000000..6c20570
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Gibon.yara
@@ -0,0 +1,122 @@
+rule Win32_Ransomware_Gibon : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GIBON"
+ description = "Yara rule that detects Gibon ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Gibon"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_server_connection_1_0 = {
+ 53 8B DC 83 EC ?? 83 E4 ?? 83 C4 ?? 55 8B 6B ?? 89 6C 24 ?? 8B EC 6A ?? 68 ?? ?? ??
+ ?? 64 A1 ?? ?? ?? ?? 50 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45
+ ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? BA ?? ?? ?? ??
+ C7 45 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85
+ ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 85 C0 74 ?? BA ?? ??
+ ?? ?? E9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ??
+ 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 B9 ?? ?? ?? ?? 83 FE ?? 75 ?? BA ?? ?? ?? ?? E9
+ ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ??
+ FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 6A ?? 66 89 85 ?? ?? ?? ?? FF 15
+ ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 56 FF 15 ?? ?? ?? ?? 8B
+ 3D ?? ?? ?? ?? 85 C0 79 ?? FF D7 50 51 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 83 C4 ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 8B 43 ??
+ 83 C0 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ??
+ ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 83 7B ?? ?? 8D 43 ?? FF 73 ?? 0F 43 43 ?? 8D 8D ?? ?? ?? ??
+ 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8
+ }
+
+ $remote_server_connection_1_1 = {
+ E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ??
+ ?? ?? ?? 8B 53 ?? 8D 4B ?? 83 FA ?? 0F 43 4B ?? 8D 41 ?? 89 85 ?? ?? ?? ?? 90 8A 01 + 41 84 C0 75 ?? 2B 8D ?? ?? ?? ?? 8D 43 ?? 6A ?? 83 FA ?? 51 0F 43 43 ?? 50 56 FF 15 + ?? ?? ?? ?? 85 C0 79 ?? FF D7 50 51 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 8B C8 E8 ?? ?? ?? ?? EB ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 83 F8 ?? 0F 85 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? BE ?? ?? ?? ?? 8B 43 ?? 83 F8 ?? 72 ?? 8B 4B ?? 40 3D ?? ?? ?? ?? 72 + ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 + ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 8B 4D + ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D 8B E3 5B C3 + } + + $encryption_loop_1_0 = { + 66 8B 01 66 3B 02 75 ?? 83 C1 ?? 83 C2 ?? 83 EE ?? 75 ?? C6 85 ?? ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 8B 40 ?? 03 C8 8B 51 ?? 83 CA ?? + 8B C2 83 C8 ?? 83 79 ?? ?? 0F 45 C2 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 32 C0 0F 85 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 C7 45 ?? ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? 83 CB ?? 68 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 8B D7 8B 9D ?? ?? ?? ?? 83 CB ?? 83 7F ?? ?? 89 9D ?? ?? ?? ?? 89 + 9D ?? ?? ?? ?? 72 ?? 8B 17 83 78 ?? ?? 8B C8 72 ?? 8B 08 8B 70 ?? 3B 77 ?? 75 ?? 85 + F6 0F 84 + } + + $encryption_loop_1_1 = { + 66 8B 01 66 3B 02 75 ?? 83 C1 ?? 83 C2 ?? 83 EE ?? 75 ?? C6 85 ?? ?? ?? ?? ?? EB ?? + 32 C0 74 ?? C6 85 ?? ?? ?? ?? ?? EB ?? C6 85 ?? ?? ?? ?? ?? F6 C3 ?? 74 ?? 83 E3 ?? + 8D 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 C3 ?? 74 ?? 83 E3 ?? 8D 8D ?? + ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 C3 ?? 74 ?? 83 E3 ?? 8D 8D ?? ?? ?? ?? + 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 C3 ?? 74 ?? 83 E3 ?? 8D 8D ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 
32 C0 75 ?? 83 E3 ?? 8D 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 32 C0 C7 45 ?? ?? ?? ?? ?? 75 ?? 83 E3 ?? 8D 8D ?? ?? ?? ?? 89 9D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 51 FF B5 ?? ?? ?? ?? BA + ?? ?? ?? ?? C6 45 ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 95 + } + + $encryption_loop_1_2 = { + 57 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? + ?? ?? ?? C3 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 FF B5 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E + 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 51 FF B5 ?? ?? ?? ?? BA ?? ?? ?? ?? 51 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 69 0F ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? 03 48 ?? 8D 85 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? 85 C0 74 ?? BA + ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $encryption_loop_1_3 = { + 69 37 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 03 70 ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 81 CB ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 78 ?? 8D + 4A ?? 89 08 8D 4A ?? 89 48 ?? 8D 4A ?? 89 48 ?? 8D 4A ?? 89 48 ?? 8D 4A ?? 89 48 ?? 
+ B9 ?? ?? ?? ?? F3 A5 66 A5 C7 80 ?? ?? ?? ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ??
+ ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ??
+ ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ??
+ C6 45 ?? ?? 8B B5 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 56 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? ?? ?? ?? 83 C4
+ ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B BD ??
+ ?? ?? ?? 8B 8D ?? ?? ?? ?? FF 07 8B 07 89 41 ?? 69 17 ?? ?? ?? ?? 8B 41 ?? 80 A4 02
+ ?? ?? ?? ?? ?? 8B 01 48 39 07 75 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50
+ E8 ?? ?? ?? ?? 83 C4 ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F
+ 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E8
+ ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8A 11 8B
+ C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $remote_server_connection_1_0 and
+ $remote_server_connection_1_1 and
+ (all of ($encryption_loop_1_*))
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.GlobeImposter.yara b/yara/ransomware/Win32.Ransomware.GlobeImposter.yara
new file mode 100644
index 0000000..2df3fca
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.GlobeImposter.yara
@@ -0,0 +1,171 @@
+rule Win32_Ransomware_GlobeImposter : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GLOBEIMPOSTER"
+ description = "Yara rule that detects GlobeImposter ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "GlobeImposter"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_1 = {
+ 81 EC ?? ?? ?? ?? 83 24 24 ?? 6A ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 44 24
+ ?? 50 E8 ?? ?? ?? ?? 8D 04 24 50 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 8B 1D ??
+ ?? ?? ?? 55 56 57 8B 3D ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 E8 ?? ??
+ ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 8D 84 24 ?? ?? ?? ?? 68 ?? ??
+ ?? ?? 50 89 74 24 ?? FF D3 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ??
+ 8B E8 83 FD ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D7 85 C0 0F 84 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 33 C0 66 89 84
+ 74 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF D3 6A ?? 8D 44 24 ?? 50 E8
+ ?? ?? ?? ?? F6 44 24 ?? ?? 8B F0 74 ?? 6A ?? 56 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ??
+ ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D3 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ??
+ 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68
+ ?? ?? ?? ?? 8D 44 24 ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ??
+ 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 8D 44 24 ??
+ 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? A8 ?? 74 ?? 83 E0 ?? 50 8D 84 24 ?? ??
+ ?? ?? 50 FF 15 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 50 FF B4 24
+ ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 8D 84 24 ?? ?? ?? ??
+ 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ??
+ 50 FF D3 6A ?? 8D 84 24 ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ??
8D + 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 74 24 ?? 59 8D 44 24 ?? 50 + 55 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 E8 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C2 + } + + $search_files_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8B F8 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D8 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 F6 + 8D 85 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 DB 74 ?? F6 C3 ?? 74 ?? 8D 85 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 75 ?? 6A ?? 6A + ?? C6 85 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 + 04 B7 51 50 FF 15 ?? ?? ?? ?? 46 FE 85 ?? ?? ?? ?? D1 EB 75 ?? EB ?? 68 ?? ?? ?? ?? + FF 34 B7 FF 15 ?? ?? ?? ?? 85 C0 74 + } + + $encrypt_files_2 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 24 24 ?? 53 55 56 57 E8 ?? ?? ?? ?? 8B D0 8D 4C 24 + ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 1D ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 89 7C 24 ?? + FF D3 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B E8 83 FD ?? 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 33 C0 66 89 84 7C ?? ?? ?? ?? 8D 44 + 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF D3 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B F8 33 D2 F6 44 + 24 ?? ?? 8B CF 74 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 + ?? ?? ?? ?? 50 FF D3 8D 94 24 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? + 42 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 + 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 50 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 + ?? A8 ?? 74 ?? 
83 E0 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 51 6A ?? 5A 8B + CF E8 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8D 84 24 ?? ?? + ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 84 24 ?? ?? + ?? ?? 50 FF D3 6A ?? 8D 84 24 ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B 7C 24 ?? 59 8D 44 24 ?? + 50 55 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? E8 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C2 + } + + $kill_specific_processes_2 = { + 81 EC ?? ?? ?? ?? 56 57 6A ?? 5E 56 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 + 74 24 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 53 55 BE ?? ?? ?? + ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8B E8 33 D2 85 ED 7E ?? 0F BE 0C 1A E8 ?? ?? ?? ?? 88 04 1A 42 3B D5 7C ?? FF 36 + 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 7C ?? 85 C0 74 ?? 33 DB + 53 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? FF B4 + 24 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 68 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 56 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 8D + 44 24 ?? 50 53 53 68 ?? ?? ?? ?? 53 53 53 8D 84 24 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? + ?? ?? ?? 5D 5B 5F 5E 81 C4 ?? ?? ?? ?? C2 + } + + $kill_specific_processes_1 = { + 81 EC ?? ?? ?? ?? 55 56 57 6A ?? 5E 56 33 ED 8D 44 24 ?? 55 50 E8 ?? ?? ?? ?? 83 C4 + ?? 89 74 24 ?? 55 6A ?? E8 ?? ?? ?? ?? 8B F8 89 7C 24 ?? 83 FF ?? 0F 84 ?? ?? ?? ?? + 53 8D 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 8B 5C + 24 ?? 83 BC 24 ?? ?? ?? ?? ?? 8B F5 7E ?? 55 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 
+ 8B E8 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 DB 89 44 24 ?? 85 C0 7E ?? 8B F8 + 0F BE 0C 2B 51 E8 ?? ?? ?? ?? 88 04 2B 43 3B DF 7C ?? 8B 84 24 ?? ?? ?? ?? FF 34 B0 + 55 FF 15 ?? ?? ?? ?? 8B D8 85 DB 75 ?? 46 50 5D 3B B4 24 ?? ?? ?? ?? 7C ?? 8B 7C 24 + ?? 33 ED 85 DB 74 ?? 55 68 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 50 FF + 15 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 + ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 56 8D 44 24 ?? 50 FF 15 ?? ?? ?? + ?? 8D 44 24 ?? 50 8D 44 24 ?? 50 55 55 68 ?? ?? ?? ?? 55 55 55 8D 84 24 ?? ?? ?? ?? + 50 55 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? 57 FF 15 ?? ?? ?? ?? 5B 5F 5E 5D 81 C4 ?? ?? ?? ?? C2 + } + + $encrypt_files_3 = { + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 33 C0 66 89 84 74 ?? ?? + ?? ?? 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF D3 6A ?? 8D 44 24 ?? 50 E8 ?? ?? ?? + ?? F6 44 24 ?? ?? 8B F0 74 ?? 6A ?? 56 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D3 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? 50 E8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 44 24 ?? 50 FF + D7 85 C0 0F 84 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 8D 44 24 ?? 50 FF + D7 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? A8 ?? 74 ?? 83 E0 ?? 50 8D 84 24 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? FF 74 24 ?? 6A ?? 56 E8 ?? ?? ?? ?? 50 FF 74 24 ?? 8D 84 24 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 8D 84 24 ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D3 6A ?? 8D 84 24 + ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 74 24 ?? 59 8D 44 24 ?? 50 55 FF 15 + } + + $search_files_2 = { + 53 55 56 57 8B 3D ?? ?? ?? ?? 6A ?? 6A ?? FF D7 50 FF 15 ?? ?? ?? ?? 8B E8 FF 15 ?? 
+ ?? ?? ?? 68 ?? ?? ?? ?? 8B D8 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 33 F6 8D 84 24 ?? ?? + ?? ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 DB 74 ?? F6 C3 ?? 74 ?? 8D 84 24 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 75 ?? 6A ?? 6A ?? C6 84 + 24 ?? ?? ?? ?? ?? FF D7 50 FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 89 44 B5 ?? 51 50 + FF 15 ?? ?? ?? ?? 46 FE 84 24 ?? ?? ?? ?? D1 EB 75 ?? 33 FF 85 F6 7E ?? 8B 9C 24 ?? + ?? ?? ?? 8D 44 24 ?? 2B E8 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8C + 24 ?? ?? ?? ?? 89 48 ?? 8D 0C BD ?? ?? ?? ?? 03 CD 89 58 ?? 8B 4C 0C ?? 89 08 33 C9 + 51 51 50 68 ?? ?? ?? ?? 51 51 FF 15 ?? ?? ?? ?? 89 44 BC ?? 47 3B FE 7C ?? 6A ?? 6A + ?? 8D 44 24 ?? 50 56 FF 15 + } + + $kill_specific_processes_3 = { + E8 ?? ?? ?? ?? 83 C4 ?? 89 74 24 ?? 55 6A ?? E8 ?? ?? ?? ?? 8B F8 89 7C 24 ?? 83 FF + ?? 0F 84 ?? ?? ?? ?? 53 8D 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 50 57 + E8 ?? ?? ?? ?? 8B 5C 24 ?? 83 BC 24 ?? ?? ?? ?? ?? 8B F5 7E ?? 55 8D 84 24 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 8B E8 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 DB 89 44 24 + ?? 85 C0 7E ?? 8B F8 0F BE 0C 2B 51 E8 ?? ?? ?? ?? 88 04 2B 43 3B DF 7C ?? 8B 84 24 + ?? ?? ?? ?? FF 34 B0 55 FF 15 ?? ?? ?? ?? 8B D8 85 DB 75 ?? 46 50 5D 3B B4 24 ?? ?? + ?? ?? 7C ?? 8B 7C 24 ?? 33 ED 85 DB 74 ?? 55 68 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 55 50 FF 15 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 56 FF + 15 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 56 8D 44 24 + ?? 50 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? 50 55 55 68 ?? ?? ?? ?? 55 55 55 + 8D 84 24 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 
57 FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ $search_files_1 and
+ $encrypt_files_1 and
+ $kill_specific_processes_1
+ ) or
+ (
+ $search_files_1 and
+ $encrypt_files_2 and
+ $kill_specific_processes_2
+ ) or
+ (
+ $search_files_2 and
+ $encrypt_files_3 and
+ $kill_specific_processes_3
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Gomer.yara b/yara/ransomware/Win32.Ransomware.Gomer.yara
new file mode 100644
index 0000000..1ae0d5f
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Gomer.yara
@@ -0,0 +1,106 @@
+rule Win32_Ransomware_Gomer : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GOMER"
+ description = "Yara rule that detects Gomer ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Gomer"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files_p1 = {
+ 8B FF 55 8B EC 51 8B 4D ?? 53 57 33 DB 8D 51 ?? 66 8B 01 83 C1 ?? 66 3B C3 75 ?? 8B
+ 7D ?? 2B CA D1 F9 83 C8 ?? 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 56 8D 5F ??
+ 03 D9 6A ?? 53 E8 ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ??
+ ?? 83 C4 ?? 85 C0 75 ?? FF 75 ?? 2B DF 8D 04 7E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4
+ ?? 85 C0 75 ?? 8B 4D ?? 56 E8 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5F
+ 5B 8B E5 5D C3 33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ??
+ ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 55 ?? 8B 4D ?? 53 8B 5D ?? 56 57 6A ?? 5E 6A ??
+ 89 95 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 5F EB ?? 0F B7 01 66 3B 85 ?? ?? ??
+ ?? 74 ?? 66 3B C6 74 ?? 66 3B C7 74 ?? 83 E9 ?? 3B CB 75 ?? 0F B7 31 66 3B F7 75 ??
+ 8D 43 ?? 3B C8 74 ?? 52 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 6A ??
+ 8B C6 33 FF 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 8B C7
+ }
+
+ $find_files_p2 = {
+ EB ?? 33 C0 40 2B CB 0F B6 C0 D1 F9 41 F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ??
+ ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50
+ 57 53 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? 8B 85 ?? ?? ?? ?? 50 57 57 53 E8 ?? ??
+ ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD
+ 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 8D ?? ?? ?? ?? 6A ?? 8B 41 ?? 2B 01 C1 F8 ?? 89 85
+ ?? ?? ?? ?? 58 66 39 85 ?? ?? ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 66 39 85 ?? ??
+ ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 51 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ??
53 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 8B 8D + ?? ?? ?? ?? 85 C0 6A ?? 58 75 ?? 8B C1 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8 + ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? + 83 C4 ?? E9 + } + + $encrypt_files = { + 55 8B EC 51 8B 45 ?? 53 56 57 8B F9 8B 4F ?? 89 4D ?? 3B C1 77 ?? 8B DF 83 F9 ?? 72 + ?? 8B 1F 8D 34 00 89 47 ?? 56 FF 75 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 04 1E + 8B C7 5F 5E 5B 8B E5 5D C2 ?? ?? 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 8B F0 83 CE ?? 81 + FE ?? ?? ?? ?? 76 ?? BE ?? ?? ?? ?? EB ?? 8B D1 B8 ?? ?? ?? ?? D1 EA 2B C2 3B C8 76 + ?? BE ?? ?? ?? ?? EB ?? 8D 04 0A 3B F0 0F 42 F0 8D 46 ?? 8D 0C 00 3D ?? ?? ?? ?? 76 + ?? 83 C9 ?? EB ?? 81 F9 ?? ?? ?? ?? 72 ?? 8D 41 ?? 83 CA ?? 3B C1 0F 46 C2 50 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 58 ?? 83 E3 ?? 89 43 ?? EB ?? 85 C9 74 ?? 51 E8 ?? + ?? ?? ?? 83 C4 ?? 8B D8 EB ?? 33 DB 8B 45 ?? 89 77 ?? 89 47 ?? 8D 34 00 56 FF 75 ?? + 53 E8 ?? ?? ?? ?? 33 C0 83 C4 ?? 66 89 04 1E 8B 45 ?? 83 F8 ?? 72 ?? 8D 0C 45 ?? ?? + ?? ?? 8B 07 81 F9 ?? ?? ?? ?? 72 ?? 8B 50 ?? 83 C1 ?? 2B C2 83 C0 ?? 83 F8 ?? 77 ?? + 8B C2 51 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 1F 8B C7 5F 5E 5B 8B E5 5D C2 ?? ?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? CC CC CC CC CC B8 ?? ?? ?? ?? C3 + } + + $enum_drives_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 + 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF 15 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 6A ?? 33 C0 C7 + 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? C6 + 45 ?? ?? BF ?? ?? ?? ?? 8D 45 ?? 0F A3 38 0F 83 ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 8D + 47 ?? 0F 43 4D ?? 66 89 01 8D 45 ?? 83 7D ?? ?? 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 83 + F8 ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 
33 C9 C7 45 ?? ?? ?? ?? ?? C7
+ 45 ?? ?? ?? ?? ?? 66 89 4D ?? C6 45 ?? ?? 83 F8 ?? 75 ?? 6A ?? 68 ?? ?? ?? ?? EB ??
+ 83 F8 ?? 75 ?? 6A ?? 68 ?? ?? ?? ?? EB ?? 83 F8 ?? 75 ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D
+ ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 55 ?? 56 8D 4D ?? E8 ?? ??
+ ?? ?? 8B 4D ?? B8 ?? ?? ?? ?? 2B CE C6 45 ?? ?? F7 E9 83 C4 ?? C1 FA ?? 8B DA C1 EB
+ ?? 03 DA 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ??
+ ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ??
+ ?? ?? 83 C4 ?? FF 35 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 55 ?? 56 8D 4D ?? E8 ?? ?? ??
+ ?? 8B 4D ?? B8 ?? ?? ?? ?? 2B CE 89 7D ?? F7 E9 83 C4 ?? 89 5D ?? C1 FA ?? 8D 4D
+ }
+
+ $enum_drives_p2 = {
+ 8B C2 C1 E8 ?? 03 C2 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? FF 75
+ ?? 50 51 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B
+ 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83
+ C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 47 83 FF ?? 0F 8C ??
+ ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45
+ ?? ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 89 5D ?? C6 45 ?? ?? 8B 4D ?? 8B 31
+ 3B F1 0F 84 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? FF 75 ?? 8B C8 C6 45
+ ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F8 C6 45 ?? ?? 8B 4E ?? 89 4F ?? 8B 4E ?? 89 4F ?? 8D
+ 4F ?? 8B 46 ?? 89 47 ?? 8D 46 ?? 3B C8 74 ?? 83 78 ?? ?? 8B D0 72 ?? 8B 10 FF 70 ??
+ 52 E8 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($enum_drives_p*)
+ ) and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Good.yara b/yara/ransomware/Win32.Ransomware.Good.yara
new file mode 100644
index 0000000..a0306c6
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Good.yara
@@ -0,0 +1,82 @@
+rule Win32_Ransomware_Good : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "GOOD"
+ description = "Yara rule that detects Good ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Good"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ FF D7 53 85 C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C3 8D
+ 85 ?? ?? ?? ?? 50 FF D7 53 85 C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E
+ 5B 8B E5 5D C3 8D 85 ?? ?? ?? ?? 50 FF D7 53 85 C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C3 8D 85 ?? ?? ?? ?? 50 FF D7 53 85 C0 75 ?? 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C3 8D 85 ?? ?? ?? ?? 50 FF D7 53 85
+ C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C3 8B 3D ?? ?? ??
+ ?? 33 C0 66 89 45 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 C7 45 ??
+ ?? ?? ?? ?? FF D7 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ??
+ ?? 8B D8 83 FB ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ??
+ 5F 5E 5B 8B E5 5D C3
+ }
+
+ $remote_connection = {
+ 55 8B EC 53 8B 5D ?? 57 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D ?? 83 C4 ?? 8B 0F 8B
+ C1 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83
+ C4 ?? EB ?? 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 83 C4 ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4F ?? 83 C4 ?? 8B C1 83 E8 ?? 74 ?? 83
+ E8 ?? 74 ?? 83 E8 ?? 74 ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ??
+ ?? ?? EB ?? 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 47 ?? 83 C4 ?? 83 F8 ?? 77 ?? FF 24 85 ?? ?? ?? ?? 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ??
83 C4 ?? EB + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? FF 77 ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 47 ?? 83 C4 ?? A8 ?? 74 ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 47 ?? 83 C4 ?? A8 ?? 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 83 7F ?? ?? 75 ?? 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 FF + 77 ?? FF 15 ?? ?? ?? ?? 8D 04 45 ?? ?? ?? ?? 50 FF 77 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 45 ?? 50 6A ?? 56 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 5E FF 77 ?? 53 68 + ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 77 ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 77 ?? 53 68 + ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 77 ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5B + 5D C3 + } + + $encrypt_files = { + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B C8 8B F2 83 C4 ?? 2B CE 8D 71 ?? + 66 90 0F B7 0A 8D 52 ?? 66 89 4C 32 ?? 66 85 C9 75 ?? 50 FF 35 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 8B 35 ?? ?? ?? ?? 47 89 7D ?? E9 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? FF 75 ?? 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? EB ?? + 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 53 + FF D6 8B 3D ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? + 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B E5 5D C3 53 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 
5F 5E 5B 8B E5
+ 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ $remote_connection
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Gpcode.yara b/yara/ransomware/Win32.Ransomware.Gpcode.yara
new file mode 100644
index 0000000..0c308ca
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Gpcode.yara
@@ -0,0 +1,67 @@ +rule Win32_Ransomware_GPCode : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GPCODE" + description = "Yara rule that detects Gpcode ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GPCode" + tc_detection_factor = 5 + + strings: + $drive_loop = { + B9 19 00 00 00 BB 01 00 00 00 D3 E3 23 D8 74 ?? 80 + C1 ?? 88 0D ?? ?? ?? ?? 80 E9 ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? 59 58 49 7D + } + + $encrypt_routine = { + FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? [0-10] + E9 ?? ?? ?? ?? 6A ?? [1-10] FF 75 ?? FF 35 ?? ?? + ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? + ?? ?? ?? 68 ?? ?? ?? ?? [1-10] FF 35 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? (E8 | FF 15) + ?? ?? ?? ?? 0B C0 75 ?? (EB | E9) [1-4] 6A ?? + [2-10] FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? + 75 ?? [10-40] FF 35 ?? ?? ?? ?? FF 75 ?? E8 + } + + $set_ransom_wallpaper = { + 0F B6 05 ?? ?? ?? ?? 83 F8 01 0F 85 ?? ?? ?? ?? + B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 51 57 [2-20] 5F + 59 25 ?? ?? ?? ?? C1 E8 ?? 83 C0 ?? AA E2 ?? 33 + C0 AA 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? (E8 | FF 15) + } + + $read_config_file = { + 55 8B EC 83 C4 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? + ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 89 45 ?? 50 6A ?? + E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 89 45 ?? FF + 75 ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 + 89 45 ?? 50 E8 ?? ?? ?? ?? 0B C0 75 04 33 C0 C9 C3 + 89 45 ?? FF 75 ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 04 + 33 C0 C9 C3 89 45 ?? 8B D8 FF 75 ?? FF 75 ?? FF 75 + ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 5D ?? + 6A ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C3 ?? 8B + 45 ?? 83 E8 ?? 50 53 E8 ?? ?? ?? ?? 8A 03 A2 ?? ?? + ?? ?? 83 C3 ?? 8A 03 A2 ?? ?? ?? ?? 
83 C3 + } + + condition: + uint16(0) == 0x5A4D and + ($drive_loop and + $encrypt_routine and + $set_ransom_wallpaper and + $read_config_file) + +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.GusCrypter.yara b/yara/ransomware/Win32.Ransomware.GusCrypter.yara new file mode 100644 index 0000000..6f4f5c8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.GusCrypter.yara 
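Review bot: The Gpcode condition anchors only on the two-byte MZ magic (`uint16(0) == 0x5A4D`), which any MZ-prefixed file satisfies and which a dumped or unpacked image without a header will never satisfy; the conventional PE guard also checks the PE signature, and the parenthesised `and` chain over the four strings is just `all of them`, so the whole condition can read `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them`. There is also no `filesize` bound, and with four long, wildcard-heavy hex strings a cap such as `filesize < 5MB` is the usual way to keep scan cost down — take the bound from the known sample sizes rather than guessing. The meta block carries no sample hash, reference or date, which makes the rule hard to re-validate later; `hash = "…"` and `date = "…"` entries would help if the upstream source provides them. The header-only anchoring is worth stating in `description` so SOC users know memory scans need a different rule.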
@@ -0,0 +1,129 @@ +rule Win32_Ransomware_GusCrypter : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GUSCRYPTER" + description = "Yara rule that detects GusCrypter ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "GusCrypter" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8A 01 41 84 C0 75 ?? 2B CA 8D 85 ?? ?? ?? ?? 51 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 45 ?? 8B 5D ?? 83 FB ?? 8B 75 ?? 8B 4D ?? 0F 43 C6 83 F9 ?? 75 ?? 80 38 ?? 0F + 84 ?? ?? ?? ?? 83 FB ?? 8D 45 ?? 0F 43 C6 83 F9 ?? 75 ?? BA ?? ?? ?? ?? 66 39 10 0F + 84 ?? ?? ?? ?? 83 FB ?? 8D 55 ?? 0F 43 D6 83 F9 ?? 75 ?? 66 81 3A ?? ?? 75 ?? 80 7A + ?? ?? 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 45 ?? 0F 43 C6 83 F9 ?? 75 ?? 81 38 ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 55 ?? 0F 43 D6 83 F9 ?? 75 ?? 81 3A ?? ?? ?? ?? 75 ?? + 66 81 7A ?? ?? ?? 75 ?? 80 7A ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 83 FB ?? 0F + 43 CE 83 F8 ?? 75 ?? BA ?? ?? ?? ?? 8D 78 ?? 8B 01 3B 02 75 ?? 83 C1 ?? 83 C2 ?? 83 + EF ?? 73 ?? 8A 01 3A 02 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 FB ?? 8D 4D ?? 0F 43 CE 83 F8 + ?? 75 ?? BA ?? ?? ?? ?? 8D 78 ?? 8B 01 3B 02 75 ?? 83 C1 ?? 83 C2 ?? 83 EF ?? 73 ?? + 66 8B 01 66 3B 02 75 ?? 8A 41 ?? 3A 42 ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 FB ?? 8D 4D + ?? 0F 43 CE 83 F8 ?? 75 ?? BA ?? ?? ?? ?? 8D 78 ?? 8B 01 3B 02 75 ?? 83 C1 ?? 83 C2 + ?? 83 EF ?? 73 ?? 66 8B 01 66 3B 02 75 ?? 8A 41 ?? 3A 42 ?? 0F 84 ?? ?? ?? ?? 8B 4D + ?? 8D 45 ?? 83 FB ?? 0F 43 C6 83 F9 ?? 75 ?? 81 38 ?? ?? ?? ?? 75 ?? 81 78 ?? ?? ?? + ?? ?? 75 ?? 80 78 ?? ?? 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 45 ?? 0F 43 C6 83 F9 ?? 75 + } + + $find_files_p2 = { + 81 38 ?? ?? ?? ?? 75 ?? 80 78 ?? ?? 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 45 ?? 0F 43 C6 83 + F9 ?? 75 ?? 81 38 ?? ?? ?? ?? 75 ?? 81 78 ?? ?? ?? ?? ?? 75 ?? 81 78 ?? ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 45 ?? 0F 43 C6 83 F9 ?? 75 ?? 81 38 ?? ?? 
?? ?? 75 ?? + 81 78 ?? ?? ?? ?? ?? 75 ?? 81 78 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 4D ?? + 0F 43 CE 83 7D ?? ?? 75 ?? BA ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 01 3B 02 75 ?? 83 C1 ?? + 83 C2 ?? 83 EF ?? 73 ?? 66 8B 01 66 3B 02 75 ?? 8A 41 ?? 3A 42 ?? 0F 84 ?? ?? ?? ?? + 83 FB ?? 8D 45 ?? 0F 43 C6 83 7D ?? ?? 75 ?? 81 38 ?? ?? ?? ?? 75 ?? 81 78 ?? ?? ?? + ?? ?? 75 ?? 81 78 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 FB ?? 8D 4D ?? 0F 43 CE 83 7D + ?? ?? 75 ?? BA ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 01 3B 02 75 ?? 83 C1 ?? 83 C2 ?? 83 EF + ?? 73 ?? 66 8B 01 66 3B 02 75 ?? 8A 41 ?? 3A 42 ?? 75 ?? B0 ?? EB ?? 32 C0 84 C0 75 + ?? 8D 85 ?? ?? ?? ?? 50 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? + ?? 8B CC 8B D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 + C4 ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? + 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? + ?? 83 C4 ?? 8B BD ?? ?? ?? ?? C6 45 ?? ?? 83 FB ?? 72 ?? 43 8B C6 81 FB ?? ?? ?? ?? + 72 ?? 8B 76 ?? 83 C3 ?? 2B C6 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 53 56 E8 ?? ?? ?? + ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF + 15 + } + + $encrypt_files_p1 = { + 88 84 05 ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 7C ?? 33 FF 33 F6 8B C6 8A 9C 35 ?? ?? ?? ?? + 99 F7 7D ?? 0F B6 04 0A 03 F8 0F B6 CB 03 F9 81 E7 ?? ?? ?? ?? 79 ?? 4F 81 CF ?? ?? + ?? ?? 47 8A 84 3D ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 88 84 35 ?? ?? ?? ?? 46 88 9C 3D ?? + ?? ?? ?? 81 FE ?? ?? ?? ?? 7C ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 + E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 0F 85 ?? ?? ?? ?? 8B 4D ?? 32 D2 E8 ?? ?? ?? ?? + 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? + 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 0F 82 ?? ?? ?? ?? 8B 4D + ?? 42 8B C1 81 FA ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 8B 49 ?? 
83 C2 ?? 2B C1 83 C0 ?? 83 + F8 ?? 0F 87 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 + ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 89 BD ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 33 F6 + 53 E8 ?? ?? ?? ?? 83 C4 ?? 88 85 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 + } + + $encrypt_files_p2 = { + 0F BE 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 46 83 C4 ?? 83 FE ?? 7C ?? 53 E8 ?? ?? ?? + ?? 83 C4 ?? 88 85 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 83 + 7D ?? ?? 8D 4D ?? 8A 85 ?? ?? ?? ?? 0F 43 4D ?? C7 45 ?? ?? ?? ?? ?? 88 01 C6 41 ?? + ?? 33 C9 8B 75 ?? 8B C6 83 C0 ?? 0F 92 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 4D ?? 83 7D ?? ?? 8B F8 0F 43 4D ?? 56 57 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F BE + 07 FF B5 ?? ?? ?? ?? 35 ?? ?? ?? ?? 83 C0 ?? 50 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B + BD ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? + 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 45 ?? 83 7D ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 32 D2 C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 0F 82 ?? ?? ?? ?? 8B 4D ?? 8D 50 ?? 8B C1 + 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? + ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? + ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $misc_checks_p1 = { + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 + F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? + ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F + 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + } + + $misc_checks_p2 = { + 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? + ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 83 F8 ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($misc_checks_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.HDDCryptor.yara b/yara/ransomware/Win32.Ransomware.HDDCryptor.yara new file mode 100644 index 0000000..50675d8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.HDDCryptor.yara 
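Review bot: `$misc_checks_p1` and `$misc_checks_p2` consist of the same `68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 74 ?? 50 E8 …` unit repeated more than a dozen times with every immediate and displacement wildcarded, so the only fixed bytes are the opcodes of a push-imm/call/add-esp/test-eax/jz shape that most 32-bit compiler output contains, and the name says nothing about what is being checked. Because the condition ANDs them with `$find_files_p*` and `$encrypt_files_p*`, they mainly add scan cost rather than specificity; either a comment naming the checks (`// N sequential lookups of <what>, each null-tested; from <function> in the reference sample`) or a note justifying their inclusion would help the next maintainer decide whether to keep them. The only variation visible is the short-jump form `85 C0 74 ??` in the last unit of `_p2`, which looks like a hand split rather than a meaningful difference. Separately, `sharing = "TLP:WHITE"` is the pre-2022 label (TLP 2.0 renamed it TLP:CLEAR); leave it if these files are meant to track upstream ReversingLabs verbatim, otherwise update it across the set.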
@@ -0,0 +1,157 @@ +rule Win32_Ransomware_HDDCryptor : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HDDCRYPTOR" + description = "Yara rule that detects HDDCryptor ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HDDCryptor" + tc_detection_factor = 5 + + strings: + + $deploy_components = { + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 66 83 BD ?? ?? ?? ?? ?? 6A ?? 53 0F 85 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? BA ?? ?? ?? ?? 8B CB 8B F0 E8 ?? ?? ?? ?? 8B F8 6A ?? 0F AF FE 68 ?? ?? ?? + ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8B F0 6A ?? 0F AF F7 68 ?? ?? ?? ?? BA ?? ?? + ?? ?? 8B CB E8 ?? ?? ?? ?? 8B F8 6A ?? 0F AF FE 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB + E8 ?? ?? ?? ?? 8B F0 6A ?? 0F AF F7 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BA ?? + ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB 8B F0 E8 ?? + ?? ?? ?? 8B F8 6A ?? 0F AF FE 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8B + F0 6A ?? 0F AF F7 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8B F8 6A ?? 0F + AF FE 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 8B F0 6A ?? 0F AF F7 68 ?? + ?? ?? ?? BA ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B F8 BA ?? ?? ?? + ?? 0F AF FE 8B CB E8 + } + + $get_shares_info = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? EB ?? FF 15 ?? ?? + ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? E8 ?? ?? 
?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF D6 8D 44 24 ?? 50 C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + FF 15 + } + + $encrypt_discs = { + 68 ?? ?? ?? ?? FF 74 24 ?? 0F 57 C0 66 0F 7F 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 33 C9 EB ?? 8D 49 ?? 0F B7 81 ?? ?? ?? ?? 66 89 84 0C ?? ?? ?? ?? 8D 49 ?? 66 + 85 C0 75 ?? 8D 8C 24 ?? ?? ?? ?? 83 C1 ?? 66 8B 41 ?? 8D 49 ?? 66 85 C0 75 ?? A1 ?? + ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 ?? A1 ?? ?? ?? ?? 89 41 + ?? A1 ?? ?? ?? ?? 89 41 ?? 0F B7 05 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 66 89 41 + ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + D7 B9 ?? ?? ?? ?? E8 + } + + $create_diskcryptor_service = { + 83 EC ?? 53 55 56 57 68 ?? ?? ?? ?? 33 ED 8B F2 55 55 8B F9 FF 15 ?? ?? ?? ?? 85 C0 + 74 ?? 55 55 55 55 55 FF 74 24 ?? 55 6A ?? 5B 53 6A ?? 68 ?? ?? ?? ?? 56 57 50 FF 15 + ?? ?? ?? ?? 8B F0 89 5C 24 ?? B8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 33 + C9 89 44 24 ?? 41 8D 44 24 ?? 89 4C 24 ?? 89 44 24 ?? 8D 44 24 ?? 50 53 56 89 4C 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 89 6C 24 ?? FF 15 ?? ?? ?? ?? 8B C6 5F 5E 5D 5B 83 C4 ?? + C3 + } + + $extract_diskcryptor_from_resources = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 55 56 8B B4 24 ?? ?? + ?? ?? 33 C0 57 50 89 54 24 ?? 8B E9 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B D8 56 + 0F B7 C9 51 53 FF 15 ?? ?? ?? ?? 8B F0 56 53 FF 15 ?? ?? ?? ?? 56 53 8B F8 FF 15 ?? + ?? ?? ?? 57 89 44 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? 8B F0 E8 ?? ?? ?? ?? 59 FF 74 + 24 ?? 8B D8 56 53 E8 ?? ?? ?? ?? 8B 54 24 ?? 33 FF 83 C4 ?? 8B CF 85 D2 7E ?? 8A 04 + 19 3C ?? 7C ?? 3C ?? 7F ?? 04 ?? 3C ?? 76 ?? 2C ?? 88 04 19 41 3B CA 7C ?? 
33 C0 68 + ?? ?? ?? ?? 66 89 44 24 ?? 8D 44 24 ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F5 66 8B 45 + ?? 83 C5 ?? 66 3B C7 75 ?? 8D 7C 24 ?? 2B EE 83 EF ?? 33 C9 66 8B 47 ?? 83 C7 ?? 66 + 3B C1 75 ?? 8B CD C1 E9 ?? F3 A5 8B CD 83 E1 ?? F3 A4 8D 7C 24 ?? 83 EF ?? 33 ED 66 + 8B 47 ?? 8D 7F ?? 66 3B C5 75 ?? A1 ?? ?? ?? ?? 8B 54 24 ?? 8B F2 89 07 66 8B 02 83 + C2 ?? 66 3B C5 75 ?? 8D 7C 24 ?? 2B D6 83 EF ?? 66 8B 47 ?? 83 C7 ?? 66 3B C5 75 ?? + 8B CA 8D 44 24 ?? C1 E9 ?? F3 A5 55 55 6A ?? 55 55 8B CA 83 E1 ?? 68 ?? ?? ?? ?? F3 + A4 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 ?? 55 8D 44 24 ?? 50 FF 74 24 ?? 53 56 FF + 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 33 C0 40 EB ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 + C0 8B 8C 24 ?? ?? ?? ?? 5F 5E 5D 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_files_using_diskcryptor_p1 = { + 55 8B EC 83 E4 ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? + ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 57 A1 ?? ?? ?? ?? 33 C4 50 8D 84 24 ?? ?? + ?? ?? 64 A3 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D3 83 7D ?? ?? 73 ?? B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8B 75 ?? BA ?? ?? ?? ?? 8B 4E ?? 8A 01 41 88 02 42 84 C0 75 ?? 8B 4E ?? BA + ?? ?? ?? ?? 8A 01 41 88 02 42 84 C0 75 ?? 6A ?? 59 BE ?? ?? ?? ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? F3 A5 68 ?? ?? ?? ?? + 33 F6 8D 84 24 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 54 24 ?? 89 B4 24 ?? ?? ?? ?? + 8D 4C 24 ?? E8 ?? ?? ?? ?? 56 6A ?? 8D 4C 24 ?? C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 7C 24 ?? ?? 8D 44 24 ?? 56 0F 43 44 24 ?? 56 6A ?? 56 56 68 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D3 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 33 DB C7 44 + } + + $encrypt_files_using_diskcryptor_p2 = { + 24 ?? ?? ?? ?? ?? 50 89 5C 24 ?? 89 5C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? 
B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 53 FF 15 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B D0 59 59 85 D2 + 75 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 59 8B D0 8D BC 24 ?? ?? ?? ?? 83 EF ?? 66 + 8B 47 ?? 8D 7F ?? 66 3B C3 75 ?? A1 ?? ?? ?? ?? 83 C2 ?? 89 07 8B F2 66 8B 02 83 C2 + ?? 66 3B C3 75 ?? 8D BC 24 ?? ?? ?? ?? 2B D6 83 EF ?? 66 8B 47 ?? 83 C7 ?? 66 3B C3 + 75 ?? 8B CA 8D 84 24 ?? ?? ?? ?? C1 E9 ?? F3 A5 8B CA 83 E1 ?? F3 A4 51 50 83 EC ?? + 8B CC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 C6 84 + 24 ?? ?? ?? ?? ?? 83 7E ?? ?? 72 ?? 8B 36 83 EC ?? 8B CC 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 72 ?? 8B 00 8B D6 8B C8 + E8 ?? ?? ?? ?? 59 59 53 6A ?? 8D 4C 24 ?? 8B F0 E8 ?? ?? ?? ?? 53 6A ?? 8D 4C 24 ?? + C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 74 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B F3 EB ?? FF 15 ?? ?? ?? ?? 8B F0 53 6A ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? + 8B C6 EB ?? 53 6A ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 33 C0 8B 8C 24 ?? ?? ?? ?? 64 89 0D + ?? ?? ?? ?? 59 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $reboot = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 8D 45 ?? 50 6A ?? FF 15 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 EB ?? 8D 45 ?? 33 F6 50 68 ?? ?? ?? ?? 56 + FF 15 ?? ?? ?? ?? 56 56 56 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 56 FF 75 ?? C7 45 ?? ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 6A ?? FF 15 + ?? ?? ?? ?? F7 D8 1B C0 F7 D8 8B 4D ?? 33 CD 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + $deploy_components + ) and + ( + $get_shares_info + ) and + ( + $encrypt_discs + ) + ) or + ( + ( + $extract_diskcryptor_from_resources + ) and + ( + $create_diskcryptor_service + ) and + ( + all of ($encrypt_files_using_diskcryptor_p*) + ) and + ( + $reboot + ) + ) + ) +} \ No newline at end of file 
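Review bot: The HDDCryptor condition wraps every single string in its own parentheses and nests the two alternatives four levels deep, which hides the actual logic; the same condition reads more clearly as `all of ($deploy_components, $get_shares_info, $encrypt_discs) or` followed by `(all of ($extract_diskcryptor_from_resources, $create_diskcryptor_service, $reboot) and all of ($encrypt_files_using_diskcryptor_p*))`, and a comment above it saying `// branch 1: in-process encryptor; branch 2: DiskCryptor-dropping variant` would record why there are two branches. Because the second branch keys on DiskCryptor deployment (resource extraction, service creation, reboot), it is worth confirming before shipping that the rule stays silent on the legitimate DiskCryptor installer and driver package; the strings appear to be the dropper's own code rather than DiskCryptor's, but that cannot be verified from the hunk. As with the other rules in this set, the only file-type guard is the MZ magic and there is no `filesize` cap.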
diff --git a/yara/ransomware/Win32.Ransomware.HDMR.yara b/yara/ransomware/Win32.Ransomware.HDMR.yara new file mode 100644 index 0000000..de9314c --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.HDMR.yara 
@@ -0,0 +1,161 @@ +rule Win32_Ransomware_HDMR : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HDMR" + description = "Yara rule that detects HDMR ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HDMR" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 8B 75 ?? 57 33 C0 68 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 89 74 24 ?? + 66 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 52 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? + ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? EB + ?? 8D 49 ?? 8B 74 24 ?? F6 44 24 ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? + 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8D 44 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 + C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D + } + + $find_files_p2 = { + 54 24 ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 4C 24 + ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 54 24 + ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 44 24 + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 68 + ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 54 24 ?? 68 ?? ?? + ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 50 8D + 8C 24 ?? ?? ?? ?? 51 66 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 
52 + 56 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 83 + C4 ?? 85 F6 74 ?? 8B 44 24 ?? 8D 54 24 ?? 52 50 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 8B 0D ?? ?? ?? ?? 83 C4 ?? 3B 0D ?? ?? ?? ?? 7C ?? 8D 49 ?? 6A ?? FF 15 ?? ?? ?? ?? + 8B 15 ?? ?? ?? ?? 3B 15 ?? ?? ?? ?? 7D ?? 68 ?? ?? ?? ?? FF D7 FF 05 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF D3 6A ?? 6A ?? 56 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? 56 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D + C3 + } + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 57 33 C0 8B D9 68 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 89 5C 24 ?? 66 + 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 94 24 ?? ?? ?? ?? 52 6A ?? 6A ?? 6A + ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 66 83 BC 24 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? BF ?? ?? + ?? ?? 33 F6 8D 84 24 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? + ?? 83 C6 ?? 83 C7 ?? 81 FE ?? ?? ?? ?? 72 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 + 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 0F 8C ?? ?? ?? ?? 8B + 7C 24 ?? 7F ?? 83 FF ?? 0F 82 ?? ?? ?? ?? 8B F0 89 7C 24 ?? 89 74 24 ?? 85 C0 7C ?? + 7F ?? 83 FF ?? 76 ?? 6A ?? 6A ?? 6A ?? 53 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 33 C0 50 8D 54 24 ?? 52 89 44 24 ?? 89 44 24 ?? 66 89 44 24 ?? 88 44 24 ?? 6A ?? 8D + 44 24 ?? 50 53 C6 44 24 ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B C7 83 E8 + ?? 8B CE 83 D9 ?? 33 F6 39 44 24 ?? 75 ?? 3B F1 75 ?? 8B 4C 24 ?? 3B 0D ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 
8D 54 24 ?? 6A ?? 52 C6 44 + } + + $encrypt_files_p2 = { + 24 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 ?? 48 0D ?? + ?? ?? ?? 40 88 44 34 ?? 46 83 FE ?? 7C ?? 8B 44 24 ?? BE ?? ?? ?? ?? 85 C0 0F 8F ?? + ?? ?? ?? 0F 8C ?? ?? ?? ?? 81 FF ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 85 C0 0F 8C ?? ?? ?? + ?? 7F ?? 85 FF 0F 84 ?? ?? ?? ?? 85 C0 7F ?? 7C ?? 3B FE 73 ?? 6A ?? 6A ?? 50 57 E8 + ?? ?? ?? ?? 8B F7 2B F0 56 E8 ?? ?? ?? ?? 8B F8 33 C0 83 C4 ?? 89 44 24 ?? 89 44 24 + ?? 3B F8 74 ?? 50 8D 44 24 ?? 50 56 57 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 39 74 24 ?? + 75 ?? 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 56 57 8D 44 24 ?? E8 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 8D 4C 24 ?? 51 56 57 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 FF 15 + ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? + ?? ?? 8B E5 5D C3 53 FF 15 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 + C4 ?? 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 6A ?? 68 ?? ?? + ?? ?? 50 57 E8 ?? ?? ?? ?? 8B C8 89 44 24 ?? B8 ?? ?? ?? ?? F7 E9 C1 FA ?? 8B C2 C1 + E8 ?? 03 C2 69 C0 ?? ?? ?? ?? 8B D1 2B D0 85 D2 7E ?? 41 89 4C 24 ?? 33 C0 89 44 24 + ?? 3B C8 0F 8E ?? ?? ?? ?? 89 44 24 ?? EB ?? 90 8B 7C 24 ?? 8B 44 24 ?? 8B 4C 24 + } + + $encrypt_files_p3 = { + 99 2B F8 1B CA 89 7C 24 ?? 89 4C 24 ?? 0F 88 ?? ?? ?? ?? 7F ?? 85 FF 0F 84 ?? ?? ?? + ?? 8B C6 99 3B CA 7F ?? 7C ?? 3B F8 73 ?? 6A ?? 6A ?? 51 57 E8 ?? ?? ?? ?? 8B F7 2B + F0 85 F6 0F 8E ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B F8 33 C0 83 C4 ?? 89 44 24 ?? 89 44 + 24 ?? 3B F8 0F 84 ?? ?? ?? ?? 50 8D 44 24 ?? 50 56 57 53 FF 15 ?? ?? ?? ?? 85 C0 0F + 84 ?? ?? ?? ?? 39 74 24 ?? 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 8B CE F7 D9 51 53 FF 15 ?? + ?? ?? ?? 56 57 8D 44 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 54 24 ?? 52 56 57 53 FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 81 FE ?? ?? ?? ?? 7C ?? 83 7C + 24 ?? ?? 7C ?? 7F ?? 81 7C 24 ?? ?? ?? ?? ?? 72 ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? 
8B 44 24 ?? 81 44 24 ?? ?? ?? ?? ?? 40 89 44 24 ?? 3B 44 24 ?? 0F 8C + ?? ?? ?? ?? EB ?? 53 FF 15 ?? ?? ?? ?? EB ?? 53 FF 15 ?? ?? ?? ?? 85 FF 74 ?? 57 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 68 + } + + $encrypt_files_p4 = { + 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? B9 ?? ?? ?? ?? 8D + 74 24 ?? 8D BC 24 ?? ?? ?? ?? F3 A5 8B 4C 24 ?? 6A ?? 89 8C 24 ?? ?? ?? ?? 8B D0 8D + 4C 24 ?? 51 C1 FA ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 52 53 C7 44 24 ?? ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 66 89 84 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 74 24 ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 8D 94 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 94 24 ?? ?? ?? ?? 52 56 FF 15 ?? ?? ?? ?? 5F 5E + 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 53 FF 15 ?? ?? ?? ?? 8B 8C + 24 ?? ?? ?? ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_MS_xchange_backups_p1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 57 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? + 8B 1D ?? ?? ?? ?? B0 ?? 88 44 24 ?? 88 44 24 ?? B0 ?? 83 C4 ?? C6 44 24 ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 66 C7 44 24 ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 88 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 66 C7 44 24 ?? ?? ?? C6 44 24 ?? ?? 88 44 24 + ?? 88 44 24 ?? BE ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B FF 68 ?? ?? ?? ?? 8D 8C 24 + ?? ?? ?? ?? 6A ?? 51 C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 56 8D 54 24 ?? + 52 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 6A ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 33 D2 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? + 8D 44 24 ?? 50 8D 4C 24 ?? 51 52 52 52 52 52 52 66 89 54 24 ?? 8D 94 24 ?? ?? ?? ?? 
+ 52 6A ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF D3 6A ?? FF D7 83 C6 ?? + FF 4C 24 ?? 0F 85 ?? ?? ?? ?? BE ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 8D 49 ?? + 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 50 C6 84 24 ?? ?? ?? ?? ?? E8 + } + + $find_MS_xchange_backups_p2 = { + 83 C4 ?? 56 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 6A + ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 33 C9 8D 54 24 ?? 52 89 44 24 + ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 8D 44 24 ?? 50 51 51 51 51 51 51 66 89 4C 24 + ?? 8D 8C 24 ?? ?? ?? ?? 51 6A ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF + D3 6A ?? FF D7 83 C6 ?? FF 4C 24 ?? 0F 85 ?? ?? ?? ?? 33 D2 68 ?? ?? ?? ?? 52 8D 84 + 24 ?? ?? ?? ?? 50 66 89 94 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 B1 ?? EB ?? 8D 49 ?? + 30 88 ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? + 51 C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? + ?? 52 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 51 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? 56 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 54 24 ?? 6A ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 33 C0 8D 4C 24 ?? 51 8D 54 24 ?? 52 50 50 50 50 50 50 89 44 24 ?? 89 + 44 24 ?? 89 44 24 ?? 89 44 24 ?? 66 89 44 24 ?? 8D 84 24 ?? ?? ?? ?? 50 6A ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF D3 8B 8C 24 ?? ?? ?? ?? 5F 5E 5B 33 CC + E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($find_MS_xchange_backups_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.HakunaMatata.yara b/yara/ransomware/Win32.Ransomware.HakunaMatata.yara new file mode 100644 index 0000000..8582933 --- /dev/null 
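Review bot: `$find_MS_xchange_backups_p1`/`_p2` is misspelled and mixed-case relative to the other identifiers in the rule; rename to `$find_ms_exchange_backups_p1` and `$find_ms_exchange_backups_p2` and change the condition term to `all of ($find_ms_exchange_backups_p*)`, with a one-line comment on the string saying what it keys on (presumably Exchange database/backup paths, but the hunk does not show the pushed strings, so confirm from the sample). Note also that `$find_files_p1`, `$encrypt_files_p1` and `$find_MS_xchange_backups_p1` all open with the identical 29-token prefix `55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ??`, which looks like a generic aligned-stack/security-cookie function prologue; it carries no family-specific signal, so the discriminating bytes are the ones after it. That is fine given how long each string is, but a comment to that effect would stop a future maintainer from "tightening" the rule by trimming the wrong end.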
+++ b/yara/ransomware/Win32.Ransomware.HakunaMatata.yara 
@@ -0,0 +1,373 @@ +rule Win32_Ransomware_HakunaMatata : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HAKUNAMATATA" + description = "Yara rule that detects HakunaMatata ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HakunaMatata" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 89 E5 57 56 53 81 EC ?? ?? ?? ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? + 85 C0 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 89 14 24 89 C1 E8 ?? + ?? ?? ?? 83 EC ?? 84 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 89 45 ?? 83 7D ?? + ?? 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B + 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 + EC ?? 85 C0 0F 95 C0 84 C0 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 89 45 ?? 89 55 ?? 8B + 45 ?? 8B 40 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 ?? 89 54 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 50 ?? 89 D0 C1 E0 ?? + 01 D0 01 C0 89 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? C7 44 24 ?? ?? ?? ?? + ?? 8D 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 + A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 0F 94 C0 84 C0 74 ?? C7 45 ?? ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8B 45 ?? 8B 40 ?? BA ?? ?? ?? ?? 8B 4D ?? 8B 5D ?? 39 DA 72 ?? 39 DA 77 ?? + 39 C8 76 ?? 89 C8 89 DA 89 45 ?? 8B 55 ?? 8B 45 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 4D ?? 
+ 89 4C 24 ?? 89 54 24 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? + 83 F8 ?? 0F 94 C0 84 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 45 ?? 89 4C 24 ?? 89 + 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 C6 8B 45 ?? 89 C1 BB + ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 89 CF 31 C7 89 7D ?? 89 DF 31 D7 89 7D ?? 8B 45 ?? 0B + 45 ?? 85 C0 0F 94 C0 0F B6 C8 8B 55 ?? 8B 45 ?? 89 44 24 ?? 8D 45 ?? 89 44 24 ?? 89 + F0 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 14 24 + A1 ?? ?? ?? ?? FF D0 83 EC ?? 89 45 ?? A1 ?? ?? ?? ?? FF D0 89 45 ?? 8B 45 ?? 85 C0 + 79 ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? C7 44 24 ?? ?? ?? ?? ?? + 8D 4D ?? 89 4C 24 ?? 89 54 24 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 + 83 EC ?? 85 C0 0F 94 C0 84 C0 74 ?? C7 45 ?? ?? ?? ?? ?? 90 EB ?? 8B 4D ?? 8B 5D ?? + 8B 45 ?? BA ?? ?? ?? ?? 29 C1 19 D3 89 C8 89 DA 89 45 ?? 89 55 ?? 8B 45 ?? BA ?? ?? + ?? ?? 01 45 ?? 11 55 ?? 8B 45 ?? 8B 55 ?? 89 C6 83 F6 ?? 89 75 ?? 89 D0 80 F4 ?? 89 + 45 ?? 8B 55 ?? 8B 4D ?? 89 C8 09 D0 85 C0 74 ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 8B 45 ?? 85 C0 74 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? 8B 45 ?? + 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 + 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? + ?? EB ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 + EC ?? 8B 45 ?? 8D 65 ?? 5B 5E 5F 5D C2 + } + + $encrypt_files_2 = { + 55 89 E5 56 53 81 EC ?? ?? ?? ?? 89 4D ?? 8B 45 ?? 89 85 ?? ?? ?? ?? 8B 45 ?? 89 85 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? 85 C0 0F 84 ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 89 04 24 89 D1 E8 ?? ?? ?? ?? 83 EC ?? 84 C0 0F 84 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 + 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 
89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF + D0 83 EC ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 89 + 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 0F 95 C0 84 C0 0F 84 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 89 45 ?? 89 55 ?? 8B 45 ?? 8B 55 ?? 89 45 ?? 89 55 ?? + 8B 85 ?? ?? ?? ?? 80 F4 ?? 89 C3 8B 85 ?? ?? ?? ?? 80 F4 ?? 89 C6 89 F0 09 D8 85 C0 + 74 ?? 8B 45 ?? 8B 55 ?? 3B 95 ?? ?? ?? ?? 72 ?? 3B 95 ?? ?? ?? ?? 77 ?? 3B 85 ?? ?? + ?? ?? 76 ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 45 ?? 89 55 ?? 8B 45 ?? 8B 40 ?? + 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 40 ?? 8B 55 ?? 89 44 24 ?? C7 44 24 ?? + ?? ?? ?? ?? 89 14 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 50 ?? 89 D0 C1 E0 ?? 01 D0 01 C0 89 + 45 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 + 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? + FF D0 83 EC ?? 85 C0 0F 94 C0 84 C0 74 ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 + ?? 8B 40 ?? BA ?? ?? ?? ?? 8B 4D ?? 8B 5D ?? 39 DA 72 ?? 39 DA 77 ?? 39 C8 76 ?? 89 + C8 89 DA 89 45 ?? 8B 4D ?? 8B 55 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 89 + 4C 24 ?? 89 54 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 83 F8 ?? 0F 94 + C0 84 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 45 ?? 89 4C 24 ?? 89 54 24 ?? 89 04 + 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 C1 BB ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? + 89 CE 31 C6 89 B5 ?? ?? ?? ?? 89 DE 31 D6 89 B5 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B B5 + ?? ?? ?? ?? 89 D8 09 F0 85 C0 0F 94 C0 88 45 ?? 8B 55 ?? 0F B6 4D ?? 8B 5D ?? 8B 45 + ?? 89 44 24 ?? 8D 45 ?? 89 44 24 ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? + C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 A1 ?? ?? ?? ?? 
FF D0 83 EC ?? 89 45 ?? A1 ?? ?? ?? + ?? FF D0 89 45 ?? 8B 45 ?? 85 C0 79 ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 4D ?? + 8B 55 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 8B 45 + ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 0F 94 C0 84 C0 74 ?? C7 45 ?? ?? ?? + ?? ?? 90 EB ?? 8B 4D ?? 8B 5D ?? 8B 45 ?? BA ?? ?? ?? ?? 29 C1 19 D3 89 C8 89 DA 89 + 45 ?? 89 55 ?? 8B 45 ?? BA ?? ?? ?? ?? 01 45 ?? 11 55 ?? 8B 45 ?? 8B 55 ?? 89 C6 83 + F6 ?? 89 B5 ?? ?? ?? ?? 89 D0 80 F4 ?? 89 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B B5 ?? + ?? ?? ?? 89 F0 09 D8 85 C0 74 ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 80 F4 ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 80 F4 ?? 89 85 ?? ?? ?? ?? 8B 9D ?? + ?? ?? ?? 8B B5 ?? ?? ?? ?? 89 F0 09 D8 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 2B + 45 ?? 1B 55 ?? 89 45 ?? 89 55 ?? 8B 45 ?? 8B 40 ?? 89 C1 BB ?? ?? ?? ?? 8B 45 ?? 8B + 55 ?? 39 D3 72 ?? 39 D3 77 ?? 39 C1 76 ?? 89 C1 89 D3 89 4D ?? 8B 45 ?? C7 44 24 ?? + ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 8B 55 ?? 89 54 24 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 + A1 ?? ?? ?? ?? FF D0 83 EC ?? 83 F8 ?? 0F 94 C0 84 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 8B + 45 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 4D ?? 89 4C 24 ?? 89 54 24 ?? 89 44 24 ?? 8B 45 ?? + 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 0F 94 C0 84 C0 74 ?? C7 45 ?? ?? ?? ?? + ?? EB ?? 8B 45 ?? 8B 55 ?? 8B 4D ?? BB ?? ?? ?? ?? 29 C8 19 DA 89 45 ?? 89 55 ?? 8B + 45 ?? 8B 55 ?? 89 C3 80 F7 ?? 89 9D ?? ?? ?? ?? 89 D0 80 F4 ?? 89 85 ?? ?? ?? ?? 8B + 9D ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 89 F0 09 D8 85 C0 74 ?? E9 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8B 45 ?? 85 C0 74 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? + 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B + 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 89 04 24 E8 + ?? ?? ?? ?? EB ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? + FF D0 83 EC ?? 8B 45 ?? 8D 65 ?? 
5B 5E 5D C2 + } + + $search_files = { + E8 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 95 C0 88 45 ?? 80 7D ?? ?? 74 ?? C7 44 24 ?? ?? ?? + ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? + 83 EC ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? 83 45 ?? ?? EB ?? A1 ?? + ?? ?? ?? FF D0 89 C3 C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 + 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? 89 1C 24 89 C1 E8 ?? ?? ?? ?? 83 EC + ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 + ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? 8B 45 ?? 89 + C1 E8 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 89 D9 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + 89 1C 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 + ?? ?? ?? ?? 90 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 89 C1 + E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? EB ?? 90 8D 85 + ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 0F 95 + C0 84 C0 74 ?? E9 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? + ?? ?? A1 ?? ?? ?? ?? FF D0 89 C3 C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? 89 1C 24 89 C1 E8 ?? ?? + ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? + ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? C7 + 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 + ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 83 7D ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 05 ?? + ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 85 C0 74 ?? B8 ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? 84 C0 + 74 ?? 8D 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 89 C2 8B 85 ?? ?? ?? ?? 89 14 24 89 C1 + E8 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 89 C2 8B 45 ?? 89 04 24 89 D1 E8 ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? 
?? ?? ?? 89 C1 E8 + ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? + ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 + } + + $search_files_2 = { + FF 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 89 C3 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 50 ?? 81 C2 ?? ?? ?? ?? 8B 42 ?? + 83 E0 ?? 83 C8 ?? 89 42 ?? 89 1C 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 89 C3 8B + 00 89 DA 03 50 ?? 8B 42 ?? 83 E0 ?? 83 C8 ?? 89 42 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? + ?? ?? 89 C1 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 FF 15 ?? ?? ?? + ?? 83 EC ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 83 BB ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? + 89 04 24 89 D9 E8 ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 + 04 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 89 04 24 E8 ?? ?? ?? ?? 89 C1 E8 ?? ?? + ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 EC ?? 89 04 24 E8 ?? ?? ?? ?? 89 C1 E8 + } + + $remote_connection = { + 55 89 E5 53 81 EC ?? ?? ?? ?? 89 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 44 24 ?? C7 + 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F0 ?? 84 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 + ?? ?? ?? ?? 8B 45 ?? 8B 00 89 45 ?? 8D 45 ?? 89 44 24 ?? 8D 45 ?? 89 44 24 ?? 8D 45 + ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? + 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 89 45 ?? 83 7D ?? ?? 74 ?? 81 7D ?? ?? ?? + ?? ?? 75 ?? 8B 45 ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 39 45 ?? 77 ?? 8D 45 ?? + 89 C1 E8 ?? ?? ?? ?? 8B 45 ?? 
8B 10 8D 45 ?? 8D 4D ?? 89 4C 24 ?? 89 14 24 89 C1 E8 + ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8D 50 ?? 8D 45 ?? 89 04 24 89 D1 E8 ?? ?? ?? ?? 83 EC + ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 83 45 ?? ?? 83 45 ?? + ?? EB ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 81 7D ?? ?? ?? ?? ?? 75 ?? E9 ?? + ?? ?? ?? 8D 45 ?? 83 C0 ?? 89 C1 E8 ?? ?? ?? ?? 85 C0 0F 95 C0 84 C0 74 ?? 8B 45 ?? + 05 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 50 ?? 8D 45 ?? 89 04 24 89 D1 E8 + ?? ?? ?? ?? 83 EC ?? 8B 45 ?? 05 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 90 8D 45 ?? 89 + C1 E8 ?? ?? ?? ?? EB ?? 89 C3 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? EB ?? 89 C3 8D 45 ?? 89 + C1 E8 ?? ?? ?? ?? EB ?? 89 C3 8D 45 ?? 89 C1 E8 ?? ?? ?? ?? 89 D8 89 04 24 E8 ?? ?? + ?? ?? 90 8B 5D ?? C9 C2 + } + + $remote_connection_2 = { + 55 89 E5 57 56 53 83 EC ?? 89 4D ?? 8B 5D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 45 ?? 89 44 24 ?? C7 04 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8B 03 89 45 ?? EB ?? 83 EC ?? 89 45 ?? 85 C0 74 ?? 3D ?? ?? + ?? ?? 74 ?? 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 8D 45 ?? 89 + 44 24 ?? 8D 45 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? EB ?? 8B 45 ?? 89 45 ?? 83 7D ?? ?? + 74 ?? BE ?? ?? ?? ?? 8D 7D ?? EB ?? 83 EC ?? 8D 45 ?? 89 04 24 8D 4D ?? E8 ?? ?? ?? + ?? 83 EC ?? 8B 45 ?? 39 F8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 83 C6 ?? 39 75 ?? 72 ?? 8B + 45 ?? 8B 5C B0 ?? 89 7D ?? B8 ?? ?? ?? ?? 85 DB 74 ?? 89 1C 24 E8 ?? ?? ?? ?? 8D 04 + 43 C6 44 24 ?? ?? 89 44 24 ?? 89 1C 24 8D 4D ?? E8 ?? ?? ?? ?? EB ?? 8B 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 83 EC ?? E9 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? C1 F8 ?? 69 C0 ?? ?? ?? + ?? 85 C0 74 ?? 8B 7D ?? 8D 9F ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 47 ?? 3B 47 ?? + 74 ?? 85 C0 74 ?? 8B 55 ?? 89 10 8D 48 ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 
83 EC ?? + 8B 45 ?? 83 40 ?? ?? 89 1C 24 E8 ?? ?? ?? ?? EB ?? 8B 4D ?? 83 C1 ?? 8D 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 83 EC ?? EB ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C2 + } + + $encrypt_files_3 = { + 55 57 56 53 83 EC ?? 8B 41 ?? 85 C0 75 ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? + ?? BE ?? ?? ?? ?? 89 F0 83 C4 ?? 5B 5E 5F 5D C2 ?? ?? 89 CB C7 44 24 ?? ?? ?? ?? ?? + 8D 54 24 ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 FF + 15 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C7 BE ?? ?? + ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? + ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C2 89 44 24 ?? + 83 F8 ?? 74 ?? 8D 44 24 ?? 89 44 24 ?? 89 14 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C6 85 + C0 75 ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 3C 24 FF 15 ?? ?? ?? ?? + 83 EC ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 85 F6 0F 84 ?? ?? ?? ?? 8B + 84 24 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 8B 54 24 ?? 89 44 24 ?? 89 54 24 ?? 8B 43 ?? 89 04 + 24 E8 ?? ?? ?? ?? 89 44 24 ?? 8B 73 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 + E8 ?? ?? ?? ?? 8D 04 B6 01 C0 89 44 24 ?? 89 04 24 E8 ?? ?? ?? ?? 89 C5 C7 44 24 ?? + ?? ?? ?? ?? 8D 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 + 44 24 ?? 89 3C 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 + ?? 8B 54 24 ?? 8B 0D ?? ?? ?? ?? 89 4C 24 ?? 89 7C 24 ?? 89 C6 89 D7 89 5C 24 ?? E9 + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 89 44 24 ?? 89 5C 24 ?? 8B 44 24 ?? + 89 44 24 ?? 8B 4C 24 ?? 89 0C 24 FF 54 24 ?? 83 EC ?? 83 F8 ?? 
0F 85 ?? ?? ?? ?? 89 + 5C 24 ?? 8B 44 24 ?? 89 44 24 ?? 89 2C 24 E8 ?? ?? ?? ?? 89 5C 24 ?? 89 5C 24 ?? C7 + 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8D 44 24 ?? 89 44 24 ?? 89 6C 24 ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 DA 31 F2 09 FA 0F 94 C0 0F B6 C0 89 44 24 ?? C7 44 24 ?? ?? + ?? ?? ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C3 FF 15 ?? ?? ?? ?? 85 + C0 78 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 89 + 6C 24 ?? 8B 4C 24 ?? 89 0C 24 FF 15 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? 2B 74 24 ?? 1B + 7C 24 ?? 89 FA 09 F2 74 ?? 8B 44 24 ?? 8B 58 ?? B8 ?? ?? ?? ?? 39 F8 0F 82 ?? ?? ?? + ?? 39 F3 0F 47 DE E9 ?? ?? ?? ?? 8B 7C 24 ?? 89 DE EB ?? 8B 7C 24 ?? BE ?? ?? ?? ?? + 85 ED 74 ?? 89 2C 24 E8 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 0F 84 ?? ?? ?? ?? 89 04 24 E8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 7C 24 ?? BE ?? ?? ?? ?? EB + } + + $encrypt_files_4 = { + FF 15 ?? ?? ?? ?? 83 EC ?? 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 + 34 24 89 54 24 ?? 89 44 24 ?? 89 4C 24 ?? FF 95 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 84 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 29 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 19 95 ?? ?? ?? ?? 8B + 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 D0 89 CA 09 C2 0F 84 ?? ?? ?? ?? 31 D2 3B 95 ?? + ?? ?? ?? 8B 43 ?? 89 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 72 ?? 77 ?? 8B 8D ?? ?? ?? ?? + 39 C8 76 ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 89 44 24 ?? 8D 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 54 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 89 04 24 E8 ?? ?? ?? ?? 89 34 24 8B 35 ?? ?? ?? ?? FF D6 8B 85 ?? ?? ?? ?? 83 EC + ?? 89 04 24 FF D6 8B 85 ?? ?? ?? ?? 83 EC ?? 89 04 24 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? + ?? ?? 83 EC ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 
C7 + 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? C7 04 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 40 ?? 8B 88 ?? ?? ?? ?? 85 C9 74 ?? 8B 01 C7 + 04 24 ?? ?? ?? ?? FF 50 ?? 83 EC ?? 0F B7 C0 B9 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + 83 EC ?? 89 C1 E8 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 89 04 24 FF 15 + } + + $search_files_3 = { + FF 15 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 75 ?? 8B 85 + ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 FF D7 83 + EC ?? 85 C0 0F 84 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? EB ?? 90 8D B4 26 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 83 C3 ?? 8B 50 ?? 8B 40 ?? 89 85 ?? ?? ?? ?? 29 D0 C1 F8 ?? 69 C0 ?? + ?? ?? ?? 39 C3 0F 83 ?? ?? ?? ?? 8D 04 5B 8D 34 C5 ?? ?? ?? ?? 8B 04 C2 89 44 24 ?? + 8B 85 ?? ?? ?? ?? 89 04 24 FF D7 83 EC ?? 85 C0 74 ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? 8B + 1C 30 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 5C + 24 ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 40 ?? 8B 88 + ?? ?? ?? ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 01 C7 04 24 ?? ?? ?? ?? FF 50 ?? 83 EC ?? 0F + B7 C0 B9 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 89 C1 E8 ?? ?? ?? ?? 31 F6 E9 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 + ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 5C 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? E9 ?? ?? ?? ?? 90 8D 74 26 ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 + E8 + } + + $install_service = { + FF 15 ?? ?? ?? ?? 83 EC ?? 85 C0 89 C1 89 44 24 ?? 0F 84 ?? ?? ?? ?? 8B 84 24 ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 0C 24 89 44 24 ?? FF 15 ?? ?? ?? ?? 83 EC ?? 85 C0 + 89 C3 0F 84 ?? ?? ?? ?? 
89 04 24 A1 ?? ?? ?? ?? 8D 6C 24 ?? 8D 7C 24 ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 6C 24 ?? 89 7C 24 ?? 89 44 24 ?? FF D0 83 EC + ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 83 E0 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? A1 ?? ?? + ?? ?? 89 44 24 ?? FF D0 8B 74 24 ?? 89 44 24 ?? 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? B8 + ?? ?? ?? ?? F7 64 24 ?? B8 ?? ?? ?? ?? C1 EA ?? 81 FA ?? ?? ?? ?? 0F 47 D0 B8 ?? ?? + ?? ?? 81 FA ?? ?? ?? ?? 0F 42 D0 89 14 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 6C 24 ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 FF 54 24 ?? 83 EC + ?? 85 C0 74 ?? 3B 74 24 ?? 8B 44 24 ?? 72 ?? FF D0 2B 44 24 ?? 3B 44 24 ?? 76 ?? 89 + 1C 24 8B 1D ?? ?? ?? ?? FF D3 83 EC ?? 8B 44 24 ?? 89 04 24 FF D3 83 EC ?? 83 C4 ?? + 5B 5E 5F 5D C2 ?? ?? 8D B4 26 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 + EC ?? 83 C4 ?? 5B 5E 5F 5D C2 ?? ?? 8D B6 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? 89 1C 24 FF 15 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? 89 6C 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 89 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 FF 54 24 ?? 83 EC ?? + 85 C0 0F 84 ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? 8B 44 24 ?? FF D0 8B 74 24 ?? 89 44 24 ?? + 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? F7 64 24 ?? B8 ?? ?? ?? ?? C1 EA ?? + 81 FA ?? ?? ?? ?? 0F 47 D0 B8 ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 0F 42 D0 89 14 24 FF 15 + ?? ?? ?? ?? 83 EC ?? 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? C7 44 24 ?? ?? + ?? ?? ?? 89 1C 24 FF 54 24 ?? 83 EC ?? 85 C0 0F 84 ?? ?? ?? ?? 3B 74 24 ?? 72 ?? 8B + 44 24 ?? FF D0 2B 44 24 ?? 3B 44 24 ?? 76 ?? E9 + } + + $encrypt_files_5 = { + FF 15 ?? ?? ?? ?? 83 EC ?? 89 C7 BE ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 FF + 15 ?? ?? ?? ?? 83 EC ?? 89 C2 89 44 24 ?? 83 F8 ?? 74 ?? 8D 44 24 ?? 89 44 24 ?? 89 + 14 24 FF 15 ?? ?? ?? ?? 83 EC ?? 89 C6 85 C0 75 ?? 
8B 44 24 ?? 89 04 24 FF 15 ?? ?? + ?? ?? 83 EC ?? 89 3C 24 FF 15 ?? ?? ?? ?? 83 EC ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? + ?? ?? 83 EC ?? 85 F6 0F 84 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 8B 54 24 + ?? 89 44 24 ?? 89 54 24 ?? 8B 43 ?? 89 04 24 E8 ?? ?? ?? ?? 89 44 24 ?? 8B 73 ?? 89 + 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 04 B6 01 C0 89 44 24 ?? + 89 04 24 E8 ?? ?? ?? ?? 89 C5 C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 89 44 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 89 3C 24 FF 15 ?? ?? ?? ?? 83 EC + ?? 89 C6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 8B 54 24 ?? 8B 0D ?? ?? ?? ?? 89 4C 24 + ?? 89 7C 24 ?? 89 C6 89 D7 89 5C 24 ?? E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 + 24 ?? 89 44 24 ?? 89 5C 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 0C 24 FF 54 24 + ?? 83 EC ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 89 5C 24 ?? 8B 44 24 ?? 89 44 24 ?? 89 2C 24 + E8 ?? ?? ?? ?? 89 5C 24 ?? 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 + ?? 8D 44 24 ?? 89 44 24 ?? 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 DA 31 F2 09 FA 0F + 94 C0 0F B6 C0 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 FF 15 ?? ?? + ?? ?? 83 EC ?? 89 C3 FF 15 ?? ?? ?? ?? 85 C0 78 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 + ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 89 6C 24 ?? 8B 4C 24 ?? 89 0C 24 FF 15 + } + + $search_files_4 = { + FF 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 89 C3 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 50 ?? 81 C2 ?? ?? ?? ?? 8B 42 ?? + 83 E0 ?? 83 C8 ?? 89 42 ?? 89 1C 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 89 C3 8B + 00 89 DA 03 50 ?? 8B 42 ?? 83 E0 ?? 83 C8 ?? 89 42 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? + ?? ?? 89 C1 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? 
?? ?? ?? 89 04 24 FF 15 ?? ?? ?? + ?? 83 EC ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 83 BB ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? + 89 04 24 89 D9 E8 ?? ?? ?? ?? 83 EC ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 + 04 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 89 04 24 E8 ?? ?? ?? ?? 89 C1 E8 ?? ?? + ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 B9 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 EC ?? 89 04 24 E8 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 3B BD ?? + ?? ?? ?? 75 ?? EB ?? 83 EC ?? 83 C7 ?? 39 BD ?? ?? ?? ?? 74 ?? 8B 45 ?? 89 44 24 ?? + 89 3C 24 89 D9 E8 ?? ?? ?? ?? EB ?? BE ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? + ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 89 F0 8D 65 ?? 5B 5E 5F 5D C2 + } + + + $remote_connection_3 = { + 55 89 E5 57 56 53 83 EC ?? 89 4D ?? 8B 5D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 45 ?? 89 44 24 ?? C7 04 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8B 03 89 45 ?? EB ?? 83 EC ?? 89 45 ?? 85 C0 74 ?? 3D ?? ?? + ?? ?? 74 ?? 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 8D 45 ?? 89 + 44 24 ?? 8D 45 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? EB ?? 8B 45 ?? 89 45 ?? 83 7D ?? ?? + 74 ?? BE ?? ?? ?? ?? 8D 7D ?? EB ?? 83 EC ?? 8D 45 ?? 89 04 24 8D 4D ?? E8 ?? ?? ?? + ?? 83 EC ?? 8B 45 ?? 39 F8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 83 C6 ?? 39 75 ?? 72 ?? 8B + 45 ?? 8B 5C B0 ?? 89 7D ?? B8 ?? ?? ?? ?? 85 DB 74 ?? 89 1C 24 E8 ?? ?? ?? ?? 8D 04 + 43 C6 44 24 ?? ?? 89 44 24 ?? 
89 1C 24 8D 4D ?? E8 ?? ?? ?? ?? EB ?? 8B 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 83 EC ?? E9 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? C1 F8 ?? 69 C0 ?? ?? ?? + ?? 85 C0 74 ?? 8B 7D ?? 8D 9F ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 47 ?? 3B 47 ?? + 74 ?? 85 C0 74 ?? 8B 55 ?? 89 10 8D 48 ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? + 8B 45 ?? 83 40 ?? ?? 89 1C 24 E8 ?? ?? ?? ?? EB ?? 8B 4D ?? 83 C1 ?? 8D 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 83 EC ?? EB ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C2 ?? + ?? 89 C3 8B 45 ?? 8D 55 ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 89 1C 24 E8 ?? ?? ?? ?? 89 C3 EB ?? 53 83 EC ?? 8B 5C 24 ?? 8D 43 ?? 89 04 24 8B + 0B E8 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? C7 04 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 83 C4 ?? 5B C3 + } + + condition: + uint16(0) == 0x5A4D and (($search_files and $encrypt_files and $remote_connection) or + ($encrypt_files_2 and $remote_connection and $search_files) or + ($search_files_2 and $encrypt_files_3 and $remote_connection_2) or + ($install_service and $search_files_3 and $encrypt_files_4) or + ($search_files_4 and $encrypt_files_5 and $remote_connection_3)) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Henry.yara b/yara/ransomware/Win32.Ransomware.Henry.yara new file mode 100644 index 0000000..baf121a --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Henry.yara 
@@ -0,0 +1,80 @@
+rule Win32_Ransomware_Henry : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "HENRY"
+ description = "Yara rule that detects Henry ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Henry"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ 02 6F ?? ?? ?? ?? 0A 16 0B 2B ?? 06 07 9A 0C 08 6F ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ??
+ ?? ?? DE ?? 26 DE ?? 07 17 58 0B 07 06 8E 69 32 ?? 02 6F ?? ?? ?? ?? 0D 16 0B 38 ?? ??
+ ?? ?? 09 07 9A 13 ?? 11 ?? 6F ?? ?? ?? ?? 19 17 73 ?? ?? ?? ?? 25 6F ?? ?? ?? ?? D4 8D
+ ?? ?? ?? ?? 13 ?? 25 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 26 6F ?? ?? ?? ?? 11 ?? 6F ??
+ ?? ?? ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ??
+ 28 ?? ?? ?? ?? 18 18 73 ?? ?? ?? ?? 25 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 6F ?? ?? ??
+ ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 26 DE ?? 07 17 58 0B 07 09 8E 69 3F ?? ??
+ ?? ?? 2A
+ }
+
+ $encrypt_files = {
+ 02 8E 2D ?? 72 ?? ?? ?? ?? 73 ?? ?? ?? ?? 7A 03 28 ?? ?? ?? ?? 2C ?? 72 ?? ?? ?? ?? 73
+ ?? ?? ?? ?? 7A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 28 ??
+ ?? ?? ?? 0D 73 ?? ?? ?? ?? 13 ?? 03 08 73 ?? ?? ?? ?? 13 ?? 09 11 ?? 1F ?? 6F ?? ?? ??
+ ?? 07 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 17 73 ?? ?? ?? ?? 25 02 16 02 8E 69 6F ?? ?? ??
+ ?? 25 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 0A 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ??
+ 25 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 FE ?? 09 6F ?? ?? ?? ?? DC 06 2A
+ }
+
+ $setup_environment = {
+ 02 28 ?? ?? ?? ?? 1B 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 73
+ ?? ?? ?? ?? 28 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 1F ?? 28
+ ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 1F ?? 28 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ??
+ ?? ?? 02 28 ?? ?? ?? ?? 2A
+ }
+
+ $init_components = {
+ 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 02
+ 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 22 ?? ?? ?? ?? 16 19
+ 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 1F ?? 73
+ ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ??
+ ?? ?? 20 ?? ?? ?? ?? 1F ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 16 6F ?? ??
+ ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ??
+ ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 22 ?? ?? ?? ?? 16 19 20 ?? ?? ?? ?? 73 ?? ?? ?? ??
+ 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 1F ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02
+ 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 20 ?? ??
+ ?? ?? 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ??
+ ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 22 ?? ?? ?? ?? 22 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ??
+ ?? ?? ?? 02 17 28 ?? ?? ?? ?? 02 20 ?? ?? ?? ?? 20 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ??
+ ?? ?? 02 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 02 7B ?? ??
+ ?? ?? 6F ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ??
+ 02 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 16 28 ?? ?? ?? ?? 02 28 ?? ??
+ ?? ?? 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ $setup_environment
+ ) and
+ (
+ $init_components
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.HentaiOniichan.yara b/yara/ransomware/Win32.Ransomware.HentaiOniichan.yara
new file mode 100644
index 0000000..3f43516
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.HentaiOniichan.yara
@@ -0,0 +1,140 @@ +rule Win32_Ransomware_HentaiOniichan : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HENTAIONIICHAN" + description = "Yara rule that detects Hentai Oniichan ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HentaiOniichan" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 8B 55 ?? 53 + 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 74 ?? + 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 ?? ?? ?? ?? 8A 01 88 85 ?? ?? ?? + ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? + ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 8A C3 75 ?? B0 ?? 2B + CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D ?? ?? ?? ?? 56 1B C0 89 9D ?? ?? ?? ?? + 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? F7 D8 + } + + $find_files_p2 = { + 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 + ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 ?? 8A 48 ?? 84 C9 74 ?? + 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? + ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 
2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? + ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? + 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 59 8B D8 56 FF 15 ?? ?? ?? + ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B C3 8B 4D ?? + 5F 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $inject_code_into_process = { + 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 1F 84 00 ?? ?? ?? ?? 8B C6 8D 8D + ?? ?? ?? ?? 66 8B 11 66 3B 10 75 ?? 66 85 D2 74 ?? 66 8B 51 ?? 66 3B 50 ?? 75 ?? 83 + C1 ?? 83 C0 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 75 ?? FF B5 ?? ?? ?? + ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? FF 15 ?? ?? ?? ?? 39 85 ?? ?? ?? ?? + 74 ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? C6 45 ?? + ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 + ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? + ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 + ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 8D ?? + ?? ?? ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 3B 8D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 8B + 4D ?? 85 C9 74 ?? 51 8B D0 E8 ?? ?? ?? ?? 8B 4D ?? B8 ?? ?? ?? ?? 8B 75 ?? 83 C4 ?? + 2B CE F7 E9 C1 FA ?? 8B C2 C1 E8 ?? 03 C2 8D 0C 40 8B C6 C1 E1 ?? 81 F9 ?? ?? ?? ?? + 72 ?? 8B 76 ?? 83 C1 ?? 2B C6 83 C0 ?? 83 F8 ?? 77 ?? 51 56 E8 ?? ?? ?? ?? 83 C4 ?? + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D 8B E3 + 5B C3 E8 + } + + $remote_connection_p1 = { + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? C7 45 + ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 
C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 28 45 + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 29 45 ?? 0F 28 45 + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF 85 ?? ?? ?? ?? 50 0F 29 45 ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 + ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 0F 28 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF 85 ?? ?? ?? ?? 0F 29 45 ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 0F 28 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF 85 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 29 45 + } + + $remote_connection_p2 = { + 0F 28 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF 85 ?? ?? ?? ?? 50 0F 29 45 + ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 0F 43 95 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 8B 40 ?? 03 C8 33 C0 39 41 + ?? 0F 94 C0 8D 04 85 ?? ?? ?? ?? 0B 41 ?? 50 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? B8 ?? + ?? ?? ?? 2B C1 83 F8 ?? 0F 82 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 51 + 0F 43 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 0F 43 85 ?? ?? ?? ?? 
50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 83 BD ?? ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 03 C1 50 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 C4 ?? 8B F0 83 FA ?? 72 ?? 8B + 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? + 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 + } + + $encrypt_files = { + 8B FF 55 8B EC 83 EC ?? 8B 4D ?? 89 4D ?? 53 56 8B 75 ?? 57 8B 7D ?? 89 7D ?? 85 C9 + 0F 84 ?? ?? ?? ?? 85 FF 75 ?? E8 ?? ?? ?? ?? 83 20 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C8 ?? E9 ?? ?? ?? ?? 8B C6 8B D6 C1 FA ?? 83 E0 ?? 6B C0 ?? 89 + 55 ?? 8B 14 95 ?? ?? ?? ?? 89 45 ?? 8A 5C 02 ?? 80 FB ?? 74 ?? 80 FB ?? 75 ?? 8B C1 + F7 D0 A8 ?? 74 ?? 8B 45 ?? F6 44 02 ?? ?? 74 ?? 6A ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? + 83 C4 ?? 56 E8 ?? ?? ?? ?? 59 84 C0 74 ?? 84 DB 74 ?? FE CB 80 FB ?? 0F 87 ?? ?? ?? + ?? FF 75 ?? 8D 45 ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 E9 ?? ?? ?? ?? FF 75 ?? 8D + 45 ?? 57 56 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8B 45 ?? 8B 0C 85 ?? ?? ?? ?? 8B 45 ?? + 80 7C 01 ?? ?? 7D ?? 0F BE C3 83 E8 ?? 74 ?? 83 E8 ?? 74 ?? 83 E8 ?? 0F 85 ?? ?? ?? + ?? FF 75 ?? 8D 45 ?? 57 56 50 E8 ?? ?? ?? ?? EB ?? FF 75 ?? 8D 45 ?? 57 56 50 E8 ?? + ?? ?? ?? EB ?? FF 75 ?? 8D 45 ?? 57 56 50 E8 ?? ?? ?? ?? EB ?? 8B 4C 01 ?? 8D 7D ?? + 33 C0 AB 6A ?? AB AB 8D 45 ?? 50 FF 75 ?? FF 75 ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? + FF 15 ?? ?? ?? ?? 89 45 ?? 8D 75 ?? 8D 7D ?? A5 A5 A5 8B 45 ?? 85 C0 75 ?? 8B 45 ?? + 85 C0 74 ?? 6A ?? 5E 3B C6 75 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 + 30 E9 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 E9 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? 8B 4D ?? 8B + 04 85 ?? ?? ?? ?? F6 44 08 ?? ?? 74 ?? 80 3F ?? 74 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 20 ?? 
E9 ?? ?? ?? ?? 2B 45 ?? EB ?? 33 C0 5F 5E 5B C9 C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $inject_code_into_process + ) and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Hermes.yara b/yara/ransomware/Win32.Ransomware.Hermes.yara new file mode 100644 index 0000000..201dbed --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Hermes.yara 
@@ -0,0 +1,284 @@ +rule Win32_Ransomware_Hermes : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HERMES" + description = "Yara rule that detects Hermes ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Hermes" + tc_detection_factor = 5 + + strings: + + $hermes_find_files_v1_p1 = { + A5 A5 A5 8D BD ?? ?? ?? ?? 66 AB BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? A5 A5 66 A5 68 ?? + ?? ?? ?? 8D BD ?? ?? ?? ?? 50 AB 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 65 + ?? ?? 8B 5D ?? 8B FB 4F 4F 8D 47 ?? 66 8B 4F ?? 47 47 66 85 C9 75 ?? BE ?? ?? ?? ?? + A5 A5 8D 8D ?? ?? ?? ?? 51 50 66 A5 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 89 45 ?? E8 + ?? ?? ?? ?? 59 59 8B C8 E8 ?? ?? ?? ?? 8B CB 8B D0 E8 ?? ?? ?? ?? 2B C2 33 C9 83 7D + ?? ?? 66 89 0C 43 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? + 8B C1 6A ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? + 8B C1 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 7D ?? A5 A5 A5 A5 33 + } + + $hermes_find_files_v1_p2 = { + C0 6A ?? 59 6A ?? 8D 7D ?? 66 AB BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 A5 59 BE ?? ?? + ?? ?? 8D BD ?? ?? ?? ?? F3 A5 BE ?? ?? ?? ?? 8D 7D ?? A5 A5 A5 A5 6A ?? 59 8D 7D ?? + AB BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? F3 A5 8D BD ?? ?? ?? ?? AB AB 66 AB BE ?? ?? ?? + ?? 8D 7D ?? A5 A5 A5 A5 33 C0 6A ?? 8D 7D ?? AB 59 BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? + F3 A5 66 A5 8D BD ?? ?? ?? ?? AB BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? A5 A5 A5 A5 8D BD + ?? ?? ?? ?? AB AB AB 66 AB 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 + C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 + 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 
50 E8 ?? ?? ?? ?? 59 + 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D + 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 0F + } + + $hermes_find_files_v1_p3 = { + 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 + 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F + 85 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F + 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D + } + + $hermes_find_files_v1_p4 = { + 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 45 + ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? F6 85 + ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 53 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8B C8 E8 ?? ?? ?? ?? 83 F8 ?? 7E ?? 53 FF 75 + ?? 
FF 75 ?? E8 + } + + $hermes_encrypt_files_v1_p1 = { + 55 8B EC 83 EC ?? 53 56 57 FF 75 ?? FF 15 ?? ?? ?? ?? BB ?? ?? ?? ?? 3B C3 74 ?? 53 + FF 75 ?? FF 15 ?? ?? ?? ?? 33 F6 56 53 6A ?? 56 56 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? + ?? ?? ?? 89 45 ?? 3B C6 0F 84 ?? ?? ?? ?? 8D 4D ?? 51 50 FF 15 ?? ?? ?? ?? 89 45 ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 82 ?? ?? ?? ?? 56 89 45 ?? 8D 45 ?? 50 56 56 + 6A ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? BF ?? ?? ?? ?? 57 FF 75 ?? 56 + FF 15 ?? ?? ?? ?? 89 45 ?? 3B C6 74 ?? 56 8D 4D ?? 51 FF 75 ?? 89 75 ?? 50 FF 75 ?? + FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 8B 4D ?? 8D 44 08 ?? 80 38 ?? 75 ?? 80 78 ?? + ?? 75 ?? 80 78 ?? ?? 75 ?? 80 78 ?? ?? 75 ?? 80 78 ?? ?? 75 ?? 80 78 ?? ?? 75 ?? FF + 75 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B + } + + $hermes_encrypt_files_v1_p2 = { + C9 C3 FF 75 ?? 8D 45 ?? 50 51 56 6A ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 + 56 56 FF 75 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? + ?? 6A ?? 57 FF 75 ?? 88 45 ?? 56 FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 3B FE 74 ?? FF 75 + ?? 0F BE 45 ?? 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 56 8D 45 ?? 50 FF 75 ?? 89 75 ?? 57 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? BF ?? ?? ?? ?? 57 56 FF 75 ?? FF 15 + ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 56 53 6A ?? 56 56 68 ?? ?? ?? ?? FF 75 ?? FF + 15 ?? ?? ?? ?? 8B D8 3B DE 0F 84 ?? ?? ?? ?? 56 8D 45 ?? 50 FF 75 ?? 89 75 ?? FF 75 + ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 56 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? + 53 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 57 56 FF + 75 ?? FF 15 ?? ?? ?? ?? 33 C0 40 E9 + } + + $hermes_enum_resources_v1 = { + 55 8B EC 83 EC ?? 53 56 57 8D 45 ?? 50 FF 75 ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 6A + ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? 6A ?? FF + 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? FF 75 ?? 6A ?? 53 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 45 ?? 
50 53 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B + 43 ?? 66 83 38 ?? 8D 48 ?? 75 ?? 66 83 78 ?? ?? 75 ?? 6A ?? 51 E8 ?? ?? ?? ?? 59 59 + 85 C0 74 ?? 8B 43 ?? 8B D0 66 8B 08 40 40 66 85 C9 75 ?? 8B 7D ?? 2B C2 4F 4F 66 8B + 4F ?? 47 47 66 85 C9 75 ?? 8B C8 C1 E9 ?? 8B F2 F3 A5 8B C8 83 E1 ?? F3 A4 8B 7D ?? + 4F 4F 66 8B 47 ?? 47 47 66 85 C0 75 ?? BE ?? ?? ?? ?? A5 8B 43 ?? 83 E0 ?? 3C ?? 0F + 85 ?? ?? ?? ?? FF 75 ?? 53 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 33 C0 5F 5E + 5B C9 C3 33 C0 40 EB + } + + $hermes_encrypt_files_v2_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 33 C0 8D BD ?? ?? ?? ?? AB 33 DB 89 5D ?? AB AB + AB 8B 7D ?? 57 FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 57 FF 15 ?? ?? ?? ?? 53 56 6A ?? + 53 53 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B F0 85 F6 75 ?? 53 FF 15 ?? ?? ?? ?? 33 + C0 E9 ?? ?? ?? ?? 33 DB 33 C0 89 5D ?? 0F 57 C0 89 45 ?? 66 0F 13 45 ?? 83 FE ?? 74 + ?? 8D 45 ?? 50 56 FF 15 ?? ?? ?? ?? 8D 45 ?? 50 56 FF 15 ?? ?? ?? ?? 8B 5D ?? 8B 45 + ?? 83 FB ?? 75 ?? 85 C0 75 ?? 33 FF 47 E9 ?? ?? ?? ?? 83 65 ?? ?? 83 7D ?? ?? 77 ?? + 81 7D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? + 6A ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 8B 4D ?? + 89 45 ?? 83 F9 ?? 72 ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 76 ?? 6A ?? 6A ?? 51 FF 75 ?? E8 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 45 ?? 3D ?? ?? ?? ?? 76 ?? + C7 45 ?? ?? ?? ?? ?? EB ?? 8B 55 ?? 8B C1 81 C2 ?? ?? ?? ?? 83 D0 ?? 83 F8 ?? 77 ?? + 72 ?? 81 FA ?? ?? ?? ?? 77 ?? 6A ?? 6A ?? 51 FF 75 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 52 + 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 45 ?? EB ?? 83 F9 + } + + $hermes_encrypt_files_v2_p2 = { + 77 ?? 72 ?? 81 7D ?? ?? ?? ?? ?? 73 ?? 8B 45 ?? EB ?? 8B 45 ?? 3D ?? ?? ?? ?? 0F 87 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 0F 82 ?? ?? ?? ?? 83 7D ?? ?? + 0F 82 ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 83 7D ?? ?? B8 ?? ?? ?? ?? 77 ?? 39 + 45 ?? 0F 86 ?? ?? 
?? ?? 6A ?? 6A ?? FF 75 ?? 2B D8 53 56 89 5D ?? FF 15 ?? ?? ?? ?? + 83 F8 ?? 75 ?? 6A ?? 58 E9 ?? ?? ?? ?? 33 DB 8D 45 ?? 53 50 6A ?? 8D 85 ?? ?? ?? ?? + 89 5D ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? EB ?? 8B C3 80 BC 05 ?? ?? ?? ?? + ?? 75 ?? 80 BC 05 ?? ?? ?? ?? ?? 75 ?? 80 BC 05 ?? ?? ?? ?? ?? 75 ?? 80 BC 05 ?? ?? + ?? ?? ?? 75 ?? 80 BC 05 ?? ?? ?? ?? ?? 75 ?? 80 BC 05 ?? ?? ?? ?? ?? 74 ?? 40 83 F8 + ?? 72 ?? 53 53 53 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 6A ?? E9 ?? ?? ?? + ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 58 6A ?? 66 89 45 ?? 58 66 89 45 ?? 6A ?? 58 66 89 45 + ?? 33 C0 66 89 45 ?? 8D 45 ?? 50 57 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 6A ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 57 56 89 1E E8 ?? ?? ?? + ?? 57 56 E8 ?? ?? ?? ?? 8D 45 ?? 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 56 57 FF 15 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 53 56 FF 15 ?? ?? ?? ?? 6A ?? E9 ?? ?? ?? ?? 33 DB 8D 45 + } + + $hermes_encrypt_files_v2_p3 = { + 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? E9 ?? ?? ?? ?? + 39 5D ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 77 ?? 53 53 68 ?? ?? ?? ?? FF 75 ?? FF 75 ?? E8 + ?? ?? ?? ?? 89 5D ?? 5B 6A ?? 89 4D ?? 33 DB 89 45 ?? 89 55 ?? 5F EB ?? 8B 45 ?? 89 + 45 ?? 53 69 C0 ?? ?? ?? ?? 53 50 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 6A ?? E9 ?? ?? + ?? ?? 53 8D 45 ?? 89 5D ?? 50 6A ?? 5F 57 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 85 C0 75 ?? 6A ?? E9 ?? ?? ?? ?? 53 53 53 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 6A ?? + E9 ?? ?? ?? ?? 89 5D ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B + D8 85 DB 75 ?? 6A ?? E9 ?? ?? ?? ?? 8B 55 ?? 33 C9 33 C0 C7 45 ?? ?? ?? ?? ?? 89 4D + ?? 89 45 ?? 83 65 ?? ?? C7 45 ?? ?? ?? ?? ?? 3B CA 75 ?? 8B 4D ?? 89 4D ?? C7 45 ?? + ?? ?? ?? ?? 33 C9 51 51 50 56 89 4D ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? + 6A ?? 8D 45 ?? 50 FF 75 ?? 53 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 33 C9 C7 + } + + $hermes_encrypt_files_v2_p4 = { + 45 ?? ?? ?? ?? ?? 51 8D 45 ?? 50 51 51 FF 75 ?? 
51 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? 50 53 6A ?? FF 75 ?? 6A ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F + 84 ?? ?? ?? ?? 83 65 ?? ?? 8D 45 ?? 6A ?? 50 FF 75 ?? 53 56 FF 15 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 45 ?? 41 8B 55 ?? 05 ?? ?? ?? ?? 89 4D ?? 89 45 ?? 3B + CA 0F 86 ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 8D 7D ?? 66 C7 45 ?? ?? ?? AB AB AB + AB 66 AB 33 C0 88 45 ?? 39 45 ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 77 ?? 8D 45 ?? 50 8D 45 + ?? 50 E8 ?? ?? ?? ?? 59 59 EB ?? 6A ?? 50 50 50 56 FF 15 ?? ?? ?? ?? 33 C0 8D 7D ?? + AB 6A ?? AB 66 AB 8D 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 FF 8D 45 ?? 57 50 8D + 45 ?? 89 7D ?? 50 E8 ?? ?? ?? ?? 59 50 8D 45 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? + 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? ?? 6A ?? E9 ?? ?? ?? ?? 8D 45 ?? 50 57 57 6A + } + + $hermes_encrypt_files_v2_p5 = { + FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? + ?? 6A ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 57 6A ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 + C0 75 ?? 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? ?? 6A ?? E9 ?? ?? ?? ?? 57 8D 45 ?? 89 + 7D ?? 50 FF 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? + ?? 57 53 FF 15 ?? ?? ?? ?? 6A ?? E9 ?? ?? ?? ?? 39 7D ?? 77 ?? 81 7D ?? ?? ?? ?? ?? + 76 ?? 6A ?? 57 0F 57 C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? 56 FF 15 ?? ?? ?? ?? 83 F8 + ?? 75 ?? 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? ?? 6A ?? EB ?? 57 8D 45 ?? 89 7D ?? 50 + 6A ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 57 53 FF + 15 ?? ?? ?? ?? 6A ?? EB ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 53 E8 ?? ?? ?? ?? + 83 C4 ?? 68 ?? ?? ?? ?? 
57 53 FF 15 ?? ?? ?? ?? 6A ?? 5B EB ?? 68 ?? ?? ?? ?? 6A ?? + 53 FF 15 ?? ?? ?? ?? 6A ?? 5B 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B C3 + EB ?? FF 75 ?? FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? EB ?? FF 75 ?? FF 15 ?? + ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? EB ?? FF 75 ?? FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? + ?? ?? 6A ?? 5F EB ?? 6A ?? 5F 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 53 FF 15 ?? ?? ?? ?? EB ?? 6A ?? E9 ?? ?? ?? ?? 6A ?? 5F 56 FF 15 ?? + ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C3 + } + + $hermes_find_files_v2_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 8B 5D ?? 8D 85 ?? ?? ?? ?? 56 57 50 68 ?? ?? ?? ?? 53 + E8 ?? ?? ?? ?? 59 59 50 FF 15 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 53 89 7D ?? E8 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 53 8B F0 E8 ?? ?? ?? ?? 2B C6 33 C9 83 C4 ?? 66 89 0C 43 83 + FF ?? 0F 84 ?? ?? ?? ?? 33 F6 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 83 F8 ?? 75 ?? + 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 57 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 83 + F8 ?? 75 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 8D + 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 58 6A ?? 5F 6A + ?? 5A 6A ?? 66 89 45 ?? 58 6A ?? 59 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? + 66 89 45 ?? 33 C0 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 + } + + $hermes_find_files_v2_p2 = { + 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 33 C0 66 89 45 ?? 58 6A ?? 66 89 45 + ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 33 C0 66 89 55 ?? + 66 89 55 ?? 5A 6A ?? 66 89 45 ?? 58 6A ?? 66 89 85 ?? ?? ?? ?? 58 6A ?? 66 89 4D ?? + 66 89 4D ?? 66 89 8D ?? ?? ?? ?? 59 66 89 85 ?? ?? ?? ?? 6A ?? 58 66 89 85 ?? ?? ?? + ?? 33 C0 66 89 7D ?? 66 89 BD ?? ?? ?? ?? 8D 7D ?? 89 75 ?? 66 89 75 ?? 66 89 55 ?? + 89 75 ?? 66 89 75 ?? 66 89 8D ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? + AB 6A ?? 
66 89 4D ?? 66 89 55 ?? AB 66 89 55 ?? 89 75 ?? AB 66 AB 58 6A ?? 66 89 45 + ?? 58 6A ?? 5F 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? + 66 89 45 ?? 58 6A ?? 66 89 45 ?? 58 6A ?? 59 66 89 45 ?? 33 C0 66 89 45 ?? 6A ?? 58 + 66 89 85 ?? ?? ?? ?? 6A ?? 58 66 89 85 ?? ?? ?? ?? 6A ?? 58 66 89 85 ?? ?? ?? ?? 6A + ?? 58 66 89 85 ?? ?? ?? ?? 6A ?? 58 66 89 85 ?? ?? ?? ?? 33 C0 66 89 7D ?? 66 89 7D + ?? 8D BD ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? 66 89 8D + } + + $hermes_find_files_v2_p3 = { + AB AB AB 66 AB 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D + 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 + C0 0F 84 ?? ?? ?? ?? 8B 7D ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 + ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 + 59 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 + } + + $hermes_find_files_v2_p4 = { + 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 8D 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 45 + ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 50 + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 50 8D + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 
EB ?? 8B 7D ?? F6 85 ?? ?? ?? + ?? ?? 74 ?? 53 E8 ?? ?? ?? ?? 59 FF 75 ?? 8D 85 ?? ?? ?? ?? FF 75 ?? FF 75 ?? 50 53 + E8 ?? ?? ?? ?? 59 59 50 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B F0 8D + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 2B F0 83 C4 ?? 33 C0 66 89 44 73 ?? 33 F6 8D 85 ?? + ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 5F 5E + 5B 8B E5 5D C3 + } + + $hermes_enum_resources_v2 = { + 55 8B EC 83 EC ?? 53 56 57 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF 75 ?? 33 DB C7 45 ?? + ?? ?? ?? ?? 53 53 6A ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? + 6A ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 45 ?? 50 56 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 7E ?? 6A ?? 58 66 + 39 07 75 ?? 66 39 47 ?? 75 ?? 50 8D 47 ?? 50 E8 ?? ?? ?? ?? 59 59 85 C0 74 ?? 57 FF + 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? F7 46 ?? ?? ?? + ?? ?? 74 ?? FF 75 ?? 56 E8 ?? ?? ?? ?? 59 59 85 C0 75 ?? 33 C0 5F 5E 5B 8B E5 5D C3 + 33 C0 40 EB + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + all of ($hermes_find_files_v1_p*) + ) and + ( + all of ($hermes_encrypt_files_v1_p*) + ) + ) or + ( + ( + all of ($hermes_find_files_v2_p*) + ) and + ( + all of ($hermes_encrypt_files_v2_p*) + ) + ) + ) and + ( + any of ($hermes_enum_resources_v*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Horsedeal.yara b/yara/ransomware/Win32.Ransomware.Horsedeal.yara new file mode 100644 index 0000000..94910b5 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Horsedeal.yara 
@@ -0,0 +1,106 @@ +rule Win32_Ransomware_Horsedeal : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HORSEDEAL" + description = "Yara rule that detects Horsedeal ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Horsedeal" + tc_detection_factor = 5 + + strings: + + $search_processes = { + 55 8B EC 81 EC ?? ?? ?? ?? 56 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 ?? 8D + 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 53 + FF 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF B5 ?? ?? ?? + ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 74 ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 5B 56 FF 15 ?? + ?? ?? ?? 5E C9 C3 + } + + $enum_resources = { + 55 8B EC 83 E4 ?? 83 EC ?? 83 0C 24 ?? 8D 44 24 ?? 53 56 57 50 FF 75 ?? C7 44 24 ?? + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4C 24 ?? E8 ?? ?? ?? + ?? 8B F0 85 F6 74 ?? EB ?? 33 DB 39 5C 24 ?? 76 ?? 8D 7E ?? F6 47 ?? ?? 74 ?? 8D 47 + ?? 50 E8 ?? ?? ?? ?? EB ?? FF 37 E8 ?? ?? ?? ?? 43 83 C7 ?? 59 3B 5C 24 ?? 72 ?? 8D + 44 24 ?? 50 56 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B CE E8 ?? + ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $find_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 53 56 8B 35 ?? ?? ?? ?? 57 + 8B 7D ?? 74 ?? 68 ?? ?? ?? ?? 57 FF D6 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? + ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8D 44 24 ?? 50 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 83 + C4 ?? A8 ?? 74 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 
50 FF D6 85 C0 74 ?? 68 ?? ?? ?? ?? 8D + 44 24 ?? 50 FF D6 85 C0 74 ?? 53 E8 ?? ?? ?? ?? 59 EB ?? 8B 44 24 ?? A8 ?? 74 ?? 68 + ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? + 50 FF D6 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 74 ?? 8B CB E8 ?? ?? + ?? ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 + ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 83 C4 ?? 33 FF 57 68 ?? ?? ?? ?? 6A ?? 57 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 8B F0 89 74 24 ?? 83 FE ?? 74 ?? 57 8B 3D ?? ?? ?? ?? 8D 44 24 ?? 50 68 ?? ?? + ?? ?? FF D7 50 68 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 6A ?? 8D 44 24 ?? 50 FF 35 + ?? ?? ?? ?? FF D7 8B 7C 24 ?? 50 FF 35 ?? ?? ?? ?? 57 FF D6 57 FF 15 ?? ?? ?? ?? 8B + CB E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 8B 35 ?? ?? ?? ?? 57 FF 35 ?? ?? ?? ?? + 8B F9 89 7D ?? FF D6 FF 35 ?? ?? ?? ?? 8B D8 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 50 FF + D6 3B C3 0F 84 ?? ?? ?? ?? 6A ?? 59 33 DB 89 4D ?? 8B C3 88 9C 05 ?? ?? ?? ?? 40 3D + ?? ?? ?? ?? 72 ?? 8D 85 ?? ?? ?? ?? 50 51 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CB 89 45 ?? 8A 84 0D ?? ?? ?? ?? 88 44 0D ?? + 41 83 F9 ?? 72 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 53 6A ?? 53 FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 6A ?? 58 50 53 6A ?? 68 ?? ?? ?? ?? + 57 89 45 ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 83 65 ?? ?? 57 FF D6 + 8D 0C 47 83 E9 ?? 66 83 39 ?? 75 ?? FF 35 ?? ?? ?? ?? 2B CF 83 C1 ?? D1 F9 8D 04 4F + 50 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF 35 ?? ?? ?? ?? FF D6 FF 75 ?? 8B F0 FF + 15 ?? ?? ?? ?? 3B C6 75 ?? 33 F6 46 EB ?? 8B 75 ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? + 8B 4D ?? 8B 45 ?? 85 C9 7F ?? 7C ?? 3D ?? ?? ?? ?? 77 ?? 33 F6 46 85 F6 74 ?? 8B 35 + ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 
50 + } + + $encrypt_files_p2 = { + 53 FF 15 ?? ?? ?? ?? 6A ?? FF 75 ?? 8D 55 ?? 6A ?? FF 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 99 6A ?? 6A ?? 52 50 53 FF D7 6A ?? 8D 45 ?? 50 FF + 75 ?? 8D 85 ?? ?? ?? ?? 50 53 FF D6 81 7D ?? ?? ?? ?? ?? 74 ?? E9 ?? ?? ?? ?? 6A ?? + 6A ?? 51 0F 57 C0 50 66 0F 13 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? 2D ?? ?? ?? ?? 8B 35 ?? + ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 DA ?? 89 45 ?? 8B 45 ?? 2D ?? ?? ?? ?? 89 55 ?? 89 45 + ?? 8D 45 ?? 83 D9 ?? 89 45 ?? 89 4D ?? 6A ?? 6A ?? FF 70 ?? FF 30 53 FF D7 6A ?? 8D + 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 6A ?? FF 75 ?? 8D + 55 ?? 6A ?? FF 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 99 6A + ?? 6A ?? 52 50 53 FF D7 6A ?? 8D 45 ?? 50 FF 75 ?? 8D 85 ?? ?? ?? ?? 50 53 FF D6 8B + 45 ?? 83 C0 ?? 83 6D ?? ?? 89 45 ?? 75 ?? 8B 7D ?? 0F 57 C0 6A ?? 6A ?? 66 0F 13 45 + ?? FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A + ?? 8D 45 ?? 50 53 FF D6 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF + D6 53 FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 68 ?? ?? ?? + ?? 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 56 57 FF 15 ?? ?? + ?? ?? 8B CE E8 ?? ?? ?? ?? 5F 5E 5B C9 C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_resources + ) and + ( + $search_processes + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.HowAreYou.yara b/yara/ransomware/Win32.Ransomware.HowAreYou.yara new file mode 100644 index 0000000..9f9b93f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.HowAreYou.yara 
@@ -0,0 +1,205 @@ +rule Win32_Ransomware_HowAreYou : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HOWAREYOU" + description = "Yara rule that detects HowAreYou ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HowAreYou" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? 8B 05 ?? + ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 85 C9 0F 85 ?? ?? ?? ?? 8D 0D ?? ?? + ?? ?? 89 08 8B 05 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 89 0C 24 89 44 24 ?? E8 ?? ?? ?? ?? + 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 8B 6C 24 ?? 85 C9 74 ?? 74 ?? 8B 49 + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? 8D 44 24 + ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 E8 ?? + ?? ?? ?? 83 C4 ?? C3 89 54 24 ?? 89 5C 24 ?? 89 6C 24 ?? 8D 05 ?? ?? ?? ?? 89 04 24 + C7 44 24 ?? ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? + E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 85 D2 74 ?? 74 ?? 8B + 4A ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? 8D 05 + ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? 8D 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 89 D1 + } + + $remote_connection_p2 = { + EB ?? 89 4C 24 ?? 89 5C 24 ?? 84 03 89 4C 24 ?? C7 04 24 ?? ?? ?? ?? 8D 43 ?? 89 44 + 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? 8B 48 ?? 8B 54 24 ?? 89 54 + 24 ?? 8B 54 24 ?? 89 54 24 ?? 8B 54 24 ?? 89 54 24 ?? 8B 54 24 ?? 89 14 24 FF D1 8B + 44 24 ?? 8B 4C 24 ?? 85 C0 74 ?? 74 ?? 8B 40 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? 8D 05 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? + ?? 8D 44 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 
C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 8D 05 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C + 24 ?? 8B 5B ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 8B 44 24 ?? 89 04 24 FF D3 90 E8 + ?? ?? ?? ?? 83 C4 ?? C3 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 89 04 24 8D 05 ?? ?? ?? ?? 89 + 44 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + } + + $find_files_p1 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 8D 44 24 ?? 3B 41 ?? 0F 86 ?? ?? ?? ?? 81 EC + ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 8B 8C 24 ?? ?? ?? ?? 89 4C 24 ?? E8 ?? ?? + ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 85 C9 0F 85 ?? ?? ?? ?? 89 54 + 24 ?? 89 9C 24 ?? ?? ?? ?? 31 C0 31 C9 31 ED 31 F6 EB ?? 8B 7C 24 ?? 47 8B 9C 24 ?? + ?? ?? ?? 89 CD 89 C6 89 F8 89 D1 8B 54 24 ?? 39 D0 0F 8D ?? ?? ?? ?? 89 44 24 ?? 89 + 4C 24 ?? 89 AC 24 ?? ?? ?? ?? 89 74 24 ?? 8D 0C C3 8B 11 89 94 24 ?? ?? ?? ?? 8B 49 + ?? 89 8C 24 ?? ?? ?? ?? 8B 6A ?? 89 0C 24 FF D5 0F B6 44 24 ?? 84 C0 0F 84 ?? ?? ?? + ?? 8B 84 24 ?? ?? ?? ?? 8B 40 ?? 8B 8C 24 ?? ?? ?? ?? 89 0C 24 FF D0 8B 44 24 ?? 8B + 4C 24 ?? 89 0C 24 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 85 C0 0F 86 ?? + ?? ?? ?? 0F B6 11 80 FA ?? 75 ?? 8B 44 24 ?? 8B 8C 24 ?? ?? ?? ?? 8B 54 24 ?? E9 ?? + ?? ?? ?? 80 FA ?? 74 ?? 89 44 24 ?? 89 8C 24 ?? ?? ?? ?? 89 0C 24 89 44 24 ?? 8B 15 + ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 89 6C 24 ?? 89 5C 24 ?? 89 54 24 ?? + E8 ?? ?? ?? ?? 0F B6 44 24 ?? 84 C0 74 ?? 8B 44 24 ?? 8B 8C 24 ?? ?? ?? ?? 8B 54 24 + ?? E9 ?? ?? ?? ?? 8B 44 24 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B 11 + } + + $find_files_p2 = { + 81 FA ?? ?? ?? ?? 75 ?? 0F B7 51 ?? 66 81 FA ?? ?? 75 ?? 0F B6 51 ?? 80 FA ?? 0F 84 + ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 89 54 24 ?? 8B 9C 24 ?? ?? ?? + ?? 89 5C 24 ?? 8D 2D ?? ?? ?? ?? 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 + 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 
8B 4C 24 ?? 89 04 24 89 4C 24 ?? E8 ?? ?? ?? ?? + 8B 44 24 ?? 8D 48 ?? 8B 54 24 ?? 8B 5C 24 ?? 8B 6C 24 ?? 39 E9 7F ?? 8B B4 24 ?? ?? + ?? ?? 8D 7C C6 ?? 89 1F 8D 04 C6 8B 1D ?? ?? ?? ?? 85 DB 75 ?? 89 10 89 E8 89 CA 89 + F1 E9 ?? ?? ?? ?? 89 B4 24 ?? ?? ?? ?? 89 4C 24 ?? 89 6C 24 ?? 89 04 24 89 54 24 ?? + E8 ?? ?? ?? ?? 8B 4C 24 ?? 8B 6C 24 ?? 8B B4 24 ?? ?? ?? ?? EB ?? 89 94 24 ?? ?? ?? + ?? 89 5C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 8B 9C 24 ?? ?? ?? ?? 89 5C 24 ?? 89 44 24 + ?? 89 6C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 74 24 ?? 8B 44 24 ?? 8B 6C 24 ?? 8D 48 + ?? 8B 44 24 ?? 8B 94 24 ?? ?? ?? ?? 8B 5C 24 ?? E9 ?? ?? ?? ?? 8D 54 24 ?? 89 14 24 + 8B 94 24 ?? ?? ?? ?? 89 54 24 ?? 8B 9C 24 ?? ?? ?? ?? 89 5C 24 ?? 8D 2D ?? ?? ?? ?? + 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 + ?? 8B 4C 24 ?? 89 0C 24 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 8C 24 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 8B 40 ?? 8B + } + + $find_files_p3 = { + 8C 24 ?? ?? ?? ?? 89 0C 24 FF D0 8B 44 24 ?? 8B 4C 24 ?? 89 0C 24 89 44 24 ?? E8 ?? + ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 89 04 24 89 4C 24 ?? 8B 15 + ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 89 6C 24 ?? 89 5C 24 ?? 89 54 24 ?? + E8 ?? ?? ?? ?? 0F B6 44 24 ?? 84 C0 74 ?? 8B 44 24 ?? 8B 8C 24 ?? ?? ?? ?? 8B 54 24 + ?? E9 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 8B 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 + 24 ?? 89 84 24 ?? ?? ?? ?? 8B 4C 24 ?? 89 4C 24 ?? C7 04 24 ?? ?? ?? ?? 8B 94 24 ?? + ?? ?? ?? 89 54 24 ?? 8B 9C 24 ?? ?? ?? ?? 89 5C 24 ?? 8D 2D ?? ?? ?? ?? 89 6C 24 ?? + C7 44 24 ?? ?? ?? ?? ?? 8B 74 24 ?? 89 74 24 ?? 8B 74 24 ?? 89 74 24 ?? E8 ?? ?? ?? + ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 94 24 ?? ?? ?? ?? 89 14 24 8B + 5C 24 ?? 89 5C 24 ?? 8B 2D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 89 6C 24 + ?? 89 74 24 ?? 89 7C 24 ?? E8 ?? ?? ?? ?? 0F B6 44 24 ?? 84 C0 0F 84 ?? ?? ?? ?? 8B + 84 24 ?? ?? ?? ?? 
85 C0 0F 86 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 0F B6 08 83 C1 ?? 88 + 4C 24 ?? 0F B6 08 83 C1 ?? 88 4C 24 ?? 8D 0D ?? ?? ?? ?? 89 0C 24 8B 15 ?? ?? ?? ?? + 89 54 24 ?? 8D 54 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 48 ?? 8D 51 ?? 8B + 18 8B 40 ?? 39 C2 0F 8F ?? ?? ?? ?? 89 9C 24 ?? ?? ?? ?? 89 54 24 ?? 89 44 24 ?? 8D + } + + $find_files_p4 = { + 6C CB ?? 8B 74 24 ?? 89 75 ?? 8B 2D ?? ?? ?? ?? 8D 0C CB 85 ED 75 ?? 8B 6C 24 ?? 89 + 29 8D 05 ?? ?? ?? ?? 89 04 24 8B 0D ?? ?? ?? ?? 89 4C 24 ?? 8D 4C 24 ?? 89 4C 24 ?? + E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 48 ?? 8B 4C 24 ?? 89 48 ?? 8B 0D ?? ?? ?? + ?? 85 C9 75 ?? 8B 8C 24 ?? ?? ?? ?? 89 08 8B 6C 24 ?? 8B 4C 24 ?? 8B B4 24 ?? ?? ?? + ?? E9 ?? ?? ?? ?? 89 04 24 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? EB ?? 89 + 0C 24 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? EB ?? 89 4C 24 ?? 8D 2D ?? ?? ?? ?? 89 + 2C 24 89 5C 24 ?? 89 4C 24 ?? 89 44 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 8B + 44 24 ?? 8B 4C 24 ?? 8D 50 ?? 89 C8 8B 4C 24 ?? E9 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? + 89 04 24 8B 44 24 ?? 89 44 24 ?? 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? + ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 0F B6 44 24 ?? 84 C0 74 ?? 8B + 44 24 ?? 8B 8C 24 ?? ?? ?? ?? 8B 54 24 ?? E9 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 85 C0 + 0F 86 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 0F B6 08 88 4C 24 ?? 0F B6 08 88 4C 24 ?? 8D + } + + $find_files_p5 = { + 0D ?? ?? ?? ?? 89 0C 24 8B 15 ?? ?? ?? ?? 89 54 24 ?? 8D 54 24 ?? 89 54 24 ?? E8 ?? + ?? ?? ?? 8B 44 24 ?? 8B 48 ?? 8D 51 ?? 8B 18 8B 40 ?? 39 C2 0F 8F ?? ?? ?? ?? 89 9C + 24 ?? ?? ?? ?? 89 54 24 ?? 89 44 24 ?? 8D 6C CB ?? 8B 74 24 ?? 89 75 ?? 8B 2D ?? ?? + ?? ?? 8D 0C CB 85 ED 75 ?? 8B 6C 24 ?? 89 29 8D 05 ?? ?? ?? ?? 89 04 24 8B 0D ?? ?? + ?? ?? 89 4C 24 ?? 8D 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 + 48 ?? 8B 4C 24 ?? 89 48 ?? 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 8B 8C 24 ?? ?? ?? ?? 89 08 + E9 ?? ?? ?? ?? 89 04 24 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 
E9 ?? ?? ?? + ?? 89 0C 24 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? EB ?? 89 4C 24 ?? 8D 2D ?? ?? ?? + ?? 89 2C 24 89 5C 24 ?? 89 4C 24 ?? 89 44 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 5C 24 + ?? 8B 44 24 ?? 8B 4C 24 ?? 8D 50 ?? 89 C8 8B 4C 24 ?? E9 ?? ?? ?? ?? 89 AC 24 ?? ?? + ?? ?? 89 8C 24 ?? ?? ?? ?? 89 B4 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 89 8C 24 ?? ?? ?? + ?? 89 84 24 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 E8 + } + + $encrypt_files_p1 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 8D 44 24 ?? 3B 41 ?? 0F 86 ?? ?? ?? ?? 81 EC + ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? 8B 40 ?? 89 04 24 8D 84 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 84 + 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8D 15 ?? ?? ?? ?? 39 CA 0F 85 ?? ?? ?? ?? 8B 48 + ?? 89 4C 24 ?? 8B 00 89 84 24 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 + ?? 8B 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 89 54 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B 44 + 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? C6 44 24 ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? + ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 8D 54 24 ?? 89 54 24 ?? 8B 94 24 ?? ?? ?? ?? + 89 54 24 ?? 8B 5C 24 ?? 89 5C 24 ?? 8D AC 24 ?? ?? ?? ?? 89 6C 24 ?? 89 4C 24 ?? 89 + 44 24 ?? C7 04 24 ?? ?? ?? ?? 8D 2D ?? ?? ?? ?? 89 6C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 8B 4C 24 ?? 89 4C 24 ?? C7 44 24 ?? ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? + 85 D2 0F 85 ?? ?? ?? ?? 89 44 24 ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? 8D 0D ?? ?? ?? + ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 8B 44 24 + ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 85 D2 0F 85 ?? ?? + ?? ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? 
E8 + } + + $encrypt_files_p2 = { + 85 C0 0F 85 ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 54 + 24 ?? 89 54 24 ?? 89 14 24 89 4C 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C + 24 ?? 85 C9 0F 85 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? + 89 14 24 89 4C 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? + 8B 5C 24 ?? 85 C9 0F 85 ?? ?? ?? ?? 89 1C 24 89 54 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B + 4C 24 ?? 89 4C 24 ?? 8B 54 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? + 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 8B 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? + ?? 8B 2D ?? ?? ?? ?? 89 54 24 ?? 89 5C 24 ?? 89 6C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? + 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? 8B 4C 24 + ?? 89 4C 24 ?? 8B 54 24 ?? 89 54 24 ?? 8B 5C 24 ?? 89 1C 24 8B 6C 24 ?? 89 6C 24 ?? + 8B 6C 24 ?? 89 6C 24 ?? 8B 6C 24 ?? 89 6C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 + ?? 85 C0 0F 85 ?? ?? ?? ?? 31 C0 EB ?? 8B 4C 24 ?? 8B 54 24 ?? 8D 04 0A 89 44 24 ?? + 8B 4C 24 ?? 89 0C 24 8B 94 24 ?? ?? ?? ?? 89 54 24 ?? 8B 5C 24 ?? 89 5C 24 ?? 8B 6C + 24 ?? 89 6C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B + 54 24 ?? 89 54 24 ?? 85 C9 74 ?? 8B 1D ?? ?? ?? ?? 39 D9 0F 85 ?? ?? ?? ?? 89 0C 24 + } + + $encrypt_files_p3 = { + 89 54 24 ?? 8B 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 0F B6 44 24 ?? 84 C0 0F 84 + ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 04 24 8B 4C 24 ?? 89 4C 24 ?? 89 4C 24 ?? E8 ?? ?? + ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 8B 6C 24 ?? 39 EB 0F 87 ?? ?? + ?? ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 8B 74 24 ?? 8B 7E ?? 89 44 24 ?? 89 4C 24 + ?? 89 54 24 ?? 8B B4 24 ?? ?? ?? ?? 89 74 24 ?? 89 5C 24 ?? 89 6C 24 ?? 8B 6C 24 ?? + 89 2C 24 FF D7 8B 44 24 ?? 8B 48 ?? 
8B 54 24 ?? 89 54 24 ?? 8B 5C 24 ?? 89 5C 24 ?? + 8B 6C 24 ?? 89 6C 24 ?? 8B 74 24 ?? 89 34 24 FF D1 8B 44 24 ?? 89 04 24 8B 4C 24 ?? + 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 + ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 4C 24 ?? 39 C1 0F 85 ?? ?? ?? ?? 89 + 0C 24 8B 44 24 ?? 89 44 24 ?? 8B 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 0F B6 44 + 24 ?? 84 C0 0F 84 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 44 24 ?? B9 ?? ?? ?? ?? F7 E9 8B 44 24 ?? 01 C2 C1 F8 ?? C1 FA ?? 29 C2 89 D0 + 89 D3 F7 E9 8D 04 13 C1 F8 ?? C1 FB ?? 29 D8 83 C0 ?? 89 44 24 ?? 31 C9 EB ?? 8B 54 + 24 ?? 8D 4A ?? 8B 44 24 ?? 39 C1 7D ?? 89 4C 24 ?? 8B 44 24 ?? 89 04 24 8D 0D ?? ?? + ?? ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 74 ?? 90 + E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 90 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.HydraCrypt.yara b/yara/ransomware/Win32.Ransomware.HydraCrypt.yara new file mode 100644 index 0000000..e8048f3 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.HydraCrypt.yara 
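Review bot: The fragments of each function are required only to exist somewhere in the file, not to be contiguous, although they are plainly slices of one byte run: `$find_files_p2` ends mid-instruction on `8B 40 ?? 8B` and `$find_files_p3` resumes with `8C 24 ?? ?? ?? ??`, and the same holds for the `$encrypt_files_p*` and `$remote_connection_p*` pairs. Because every `??` stands for exactly one byte, each fragment has a fixed length, so adjacency can be enforced in the condition without touching the strings, e.g. `@find_files_p2 + !find_files_p2 == @find_files_p3` alongside the bare `all of ($find_files_p*)`, which shrinks the chance that unrelated occurrences of the smaller fragments satisfy the rule. If the split is only an artifact of the generator's string-length limit, a one-line comment saying so above the `strings:` section would save the next maintainer from re-deriving it.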
@@ -0,0 +1,174 @@ +rule Win32_Ransomware_HydraCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HYDRACRYPT" + description = "Yara rule that detects HydraCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HydraCrypt" + tc_detection_factor = 5 + + strings: + + $remote_connection_1 = { + 55 8B EC 83 EC ?? 53 56 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 BE ?? ?? ?? ?? 56 + 33 DB 53 53 6A ?? 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 6A ?? 89 45 ?? E8 ?? ?? ?? ?? + 59 59 53 53 6A ?? 53 53 6A ?? FF 75 ?? FF 75 ?? FF D0 89 45 ?? 3B C3 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 53 56 53 53 68 ?? ?? ?? ?? FF 75 ?? 68 + ?? ?? ?? ?? FF 75 ?? FF D0 89 45 ?? 3B C3 0F 84 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? + E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 6A ?? FF D0 8B F0 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? + ?? FF 75 ?? 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? FF 75 ?? 56 E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? FF 75 ?? 56 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + BF ?? ?? ?? ?? 57 89 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 56 50 57 FF 75 ?? E8 ?? ?? ?? ?? + 83 C4 ?? 5F 39 5D ?? 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 59 39 5D ?? 74 ?? FF 75 ?? E8 ?? + ?? ?? ?? 59 39 5D ?? 5E 5B 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 59 C9 C3 + } + + $remote_connection_2 = { + 55 8B EC 83 EC ?? 53 56 57 6A ?? 59 68 ?? ?? ?? ?? 33 DB BE ?? ?? ?? ?? 8D 7D ?? 6A + ?? 89 5D ?? F3 A5 E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 53 53 53 8D 4D ?? 51 FF D0 8B + F8 3B FB 75 ?? 33 C0 E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 53 68 + ?? ?? ?? ?? 53 53 FF 75 ?? 57 FF D0 8B F0 3B F3 75 ?? 53 E8 ?? ?? ?? ?? 59 EB ?? 68 + ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 6A ?? 8D 4D ?? 51 FF D0 68 ?? ?? ?? ?? 6A ?? + E8 ?? ?? ?? ?? 59 59 8D 4D ?? 51 6A ?? 8D 4D ?? 51 56 FF D0 39 5D ?? 75 ?? 57 E8 ?? + ?? ?? ?? 56 E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 33 C0 83 C4 ?? 40 EB ?? 
68 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 4D ?? 51 FF D0 33 C9 3B C8 1B C0 + F7 D8 5F 5E 5B C9 C3 + } + + $remote_connection_3 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 BE ?? ?? ?? ?? 8D 7D ?? A5 A5 33 DB 66 A5 53 8D + 45 ?? 53 50 A4 E8 ?? ?? ?? ?? 59 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 83 C4 ?? BE ?? ?? ?? ?? 56 53 FF D0 56 + 50 89 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? + ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? FF D0 BF ?? ?? ?? ?? 57 50 89 45 ?? E8 ?? ?? ?? + ?? 59 59 85 DB 7E ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 59 8B C3 6A ?? 99 59 + F7 F9 85 D2 75 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 6A ?? + E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 8B 45 ?? 0F B6 04 03 + 50 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 55 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 43 3B DE 7C ?? E8 ?? ?? ?? ?? 8B F0 E8 ?? ?? ?? ?? 50 56 8D 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 55 ?? 83 C4 ?? 83 7D ?? ?? BB ?? ?? ?? ?? BE ?? ?? ?? + ?? 75 ?? 53 56 57 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? + 75 ?? 53 56 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 5F + 5E 5B C9 C3 + } + + $encrypt_files_1 = { + 8A 45 ?? 04 ?? 66 98 66 89 45 ?? 0F B7 C0 50 8D 45 ?? 68 ?? ?? ?? ?? 50 FF 55 ?? 68 + ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 FF D0 8B F0 83 FE ?? 74 ?? 83 + FE ?? 74 ?? 83 FE ?? 75 ?? FF 75 ?? 8D 45 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 83 FE ?? 74 ?? 83 FE ?? 75 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 57 6A ?? E8 ?? ?? ?? + ?? 59 59 68 ?? ?? ?? ?? FF D0 FF 45 ?? 83 7D ?? ?? 0F 8C ?? ?? ?? ?? 83 3D ?? ?? ?? + ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE + ?? ?? ?? ?? 56 6A ?? E8 ?? ?? ?? ?? 59 59 53 53 8D 8D ?? ?? ?? ?? 51 53 FF D0 8D 85 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? 83 F8 ?? 74 ?? 
83 F8 + ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? + 75 ?? E8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 53 FF D0 56 6A + ?? E8 ?? ?? ?? ?? 59 59 53 6A ?? 8D 8D ?? ?? ?? ?? 51 53 FF D0 8D 85 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 55 ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 + C4 ?? 6A ?? 53 53 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 53 FF D0 57 6A ?? E8 ?? ?? ?? + ?? 59 59 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 53 FF D0 5F + 5E 33 C0 5B C9 C2 + } + + $encrypt_files_2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 BE ?? ?? ?? ?? 8D 7D ?? A5 A5 33 DB 66 A5 53 8D + 45 ?? 53 50 A4 E8 ?? ?? ?? ?? 59 50 E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 7D ?? A5 A5 89 + 45 ?? 8D 45 ?? 50 66 A5 E8 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 89 45 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 FF D0 BE ?? ?? ?? ?? 8D 7D ?? A5 A5 66 A5 BE + ?? ?? ?? ?? 8D 7D ?? A5 A5 A5 53 89 45 ?? 8D 45 ?? 53 50 66 A5 E8 ?? ?? ?? ?? 59 50 + E8 ?? ?? ?? ?? 8B F0 8D 45 ?? 50 E8 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 6A ?? 8D 8D ?? ?? ?? ?? 51 53 FF D0 BF ?? + ?? ?? ?? 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 55 ?? 68 ?? + ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 8D 8D ?? ?? ?? ?? 51 FF D0 68 ?? ?? ?? ?? + 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 53 53 FF D0 8B F0 53 56 E8 ?? ?? ?? ?? 59 + 59 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 FF + D0 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF + } + + $encrypt_files_3 = { + D0 E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? + ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 85 C0 75 ?? BE ?? ?? ?? + ?? EB ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? FF D0 56 E8 ?? ?? + ?? ?? 59 3C ?? 75 ?? BE ?? ?? ?? ?? 56 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 
FF D0 56 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D0 + E8 ?? ?? ?? ?? 56 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF + D0 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF + D0 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? + ?? ?? 83 C4 ?? 53 6A ?? 8D 8D ?? ?? ?? ?? 51 53 FF D0 68 ?? ?? ?? ?? 57 8D 85 ?? ?? + ?? ?? 50 BE ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 50 FF 55 ?? 68 ?? ?? ?? ?? 57 8D 85 ?? + ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 56 50 FF 55 ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 + C4 ?? 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 7D ?? A5 68 ?? ?? ?? + ?? 6A ?? 66 A5 E8 ?? ?? ?? ?? 83 C4 ?? 53 FF D0 6A ?? FF 75 ?? A3 ?? ?? ?? ?? FF 55 + ?? 6A ?? FF 75 ?? 8B F0 FF 55 ?? FF 75 ?? 89 45 ?? 53 E8 ?? ?? ?? ?? 8D 45 ?? 50 FF + } + + $encrypt_files_4 = { + 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 66 85 C0 75 ?? 33 C0 40 E9 ?? ?? ?? ?? 8B 3D + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 8B C8 8B 45 ?? 53 57 99 53 53 + 2B C2 68 ?? ?? ?? ?? D1 F8 2D ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 8B C6 99 2B C2 D1 F8 2D + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 53 FF D1 A3 ?? ?? ?? ?? E8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 FF D0 E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 + BE ?? ?? ?? ?? 85 C0 75 ?? 56 6A ?? E8 ?? ?? ?? ?? 59 59 53 53 53 68 ?? ?? ?? ?? 53 + 53 FF D0 56 6A ?? E8 ?? ?? ?? ?? 59 59 53 53 53 68 ?? ?? ?? ?? 53 53 FF D0 39 1D ?? + ?? ?? ?? 75 ?? 6A ?? 58 EB ?? 6A ?? 59 33 C0 68 ?? ?? ?? ?? 89 5D ?? 8D 7D ?? 6A ?? + F3 AB E8 ?? ?? ?? ?? 59 59 6A ?? FF D0 EB ?? 83 F8 ?? 74 ?? 68 ?? ?? ?? ?? 6A ?? E8 + ?? ?? ?? ?? 59 59 8D 4D ?? 51 FF D0 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 8D 4D + ?? 
51 FF D0 6A ?? 59 8D 75 ?? BF ?? ?? ?? ?? F3 A5 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? + ?? 59 59 53 53 53 8D 4D ?? 51 FF D0 3B C3 75 ?? 8B 45 ?? 5F 5E 5B C9 C2 ?? ?? 6A ?? + E9 + } + + $remote_connection_4 = { + 55 8B EC 51 51 53 56 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 33 F6 56 56 56 6A ?? + 68 ?? ?? ?? ?? FF D0 68 ?? ?? ?? ?? 6A ?? 8B D8 E8 ?? ?? ?? ?? 59 59 56 56 6A ?? 56 + 56 6A ?? FF 75 ?? 53 FF D0 68 ?? ?? ?? ?? 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 59 59 56 68 + ?? ?? ?? ?? 56 56 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? FF D0 68 ?? ?? ?? + ?? 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 59 59 56 56 56 56 FF 75 ?? FF D0 53 E8 ?? ?? ?? ?? + FF 75 ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 5E 5B C9 C3 + } + + $remote_connection_5 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 33 FF 68 ?? ?? ?? ?? 47 57 E8 ?? ?? ?? ?? 59 59 + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 FF 75 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? BE ?? ?? ?? ?? 56 57 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 + FF D0 56 57 E8 ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 56 57 E8 + ?? ?? ?? ?? 59 59 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 68 ?? ?? ?? ?? 6A ?? E8 + ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? 51 6A ?? FF D0 BE ?? ?? ?? ?? 85 C0 74 ?? 56 57 + E8 ?? ?? ?? ?? 59 59 6A ?? FF D0 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 59 59 6A ?? 57 + 6A ?? FF D0 8B D8 85 DB 7D ?? 56 57 E8 ?? ?? ?? ?? 59 59 6A ?? FF D0 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 59 6A ?? 8D 4D ?? + 51 FF D0 6A ?? 58 66 89 45 ?? 8B 46 ?? 8B 00 8B 00 6A ?? 89 45 ?? E8 ?? ?? ?? ?? 66 + 89 45 ?? 6A ?? 8D 45 ?? 50 53 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 8D ?? ?? ?? ?? 51 FF D0 6A ?? 50 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 53 E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 
FF D0 5F 5E 5B C9 C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + $encrypt_files_1 and + $remote_connection_1 and + $remote_connection_2 and + $remote_connection_3 + ) or + ( + $encrypt_files_2 and + $encrypt_files_3 and + $encrypt_files_4 and + $remote_connection_4 and + $remote_connection_5 + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.IFN643.yara b/yara/ransomware/Win32.Ransomware.IFN643.yara new file mode 100644 index 0000000..c534d60 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.IFN643.yara 
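Review bot: The condition's two `or` groups use disjoint string sets, which reads as two distinct builds of the family, but nothing in `meta` or the rule body says so, and a sample that matches strings from both sets (say `$encrypt_files_1` together with `$remote_connection_4`) is rejected by design. A short comment above each group would record the intent, e.g. `// build A: <sample hash placeholder>` and `// build B: <sample hash placeholder>`, so the grouping is not mistaken for an arbitrary split when one of the strings stops matching. Worth recording in that comment too that `$remote_connection_3` and `$encrypt_files_2` open with the same 45 bytes (`55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 BE ?? ?? ?? ?? 8D 7D ?? A5 A5 33 DB 66 A5 ...` through `59 50 E8 ?? ?? ?? ??`), which looks like a shared frame setup plus an inlined short string copy rather than an accident.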
@@ -0,0 +1,90 @@ +rule Win32_Ransomware_IFN643 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "IFN643" + description = "Yara rule that detects IFN643 ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "IFN643" + tc_detection_factor = 5 + + strings: + + $search_files_1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 89 B5 ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8B D6 C7 45 ?? ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 + ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? + 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 8D 8D ?? + ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB + ?? 0F 84 + } + + $search_files_2 = { + 80 BD ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 75 ?? 33 + C0 EB ?? 8D 85 ?? ?? ?? ?? 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 50 8D 85 ?? ?? ?? ?? + 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D6 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B D0 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8B C8 C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 0D ?? ?? ?? ?? F7 + E9 C1 FA ?? 8B C2 C1 E8 ?? 03 C2 83 F8 ?? 0F 83 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 C0 0F 8E ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D6 8D 8D ?? ?? ?? ?? E8 ?? 
?? ?? ?? + 8D 4D ?? C6 45 ?? ?? 51 8B D0 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8B 85 ?? + ?? ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? + ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? + 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? + 8B 35 ?? ?? ?? ?? 33 DB 2B CE C7 85 ?? ?? ?? ?? ?? ?? ?? ?? F7 E9 C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C1 FA ?? 8B C2 C6 85 ?? ?? ?? ?? ?? C1 E8 ?? 03 C2 74 ?? 33 FF ?? ?? ?? + 8D 45 ?? 8D 0C 37 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 83 7D ?? ?? 89 45 ?? 8D 45 ?? 0F 43 + 45 ?? C6 00 ?? 8B 35 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B CE 43 F7 E9 83 + C7 ?? C1 FA ?? 8B C2 C1 E8 ?? 03 C2 3B D8 72 ?? 83 7D ?? ?? 76 ?? 8D 45 ?? B9 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 0D ?? ?? ?? ?? F7 E9 C1 + FA ?? 8B C2 C1 E8 ?? 03 C2 83 F8 ?? 0F 83 ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? + 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F + 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 9D ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? + ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 + F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B + 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? + 8B 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 + ?? E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 + ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 + ?? ?? ?? 
?? 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? + 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 + ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 + ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E + 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 65 ?? 8B C2 89 45 ?? 8B F9 8B 75 ?? 89 75 ?? + C7 45 ?? ?? ?? ?? ?? 90 3B F8 0F 84 ?? ?? ?? ?? 89 75 ?? C6 45 ?? ?? 85 F6 74 ?? 8B + 17 C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? 83 7E ?? ?? C7 46 + ?? ?? ?? ?? ?? 72 ?? 8B 06 EB ?? 8B C6 C6 00 ?? 80 3A ?? 75 ?? 33 C0 EB ?? 8B C2 8D + 58 ?? 66 90 8A 08 40 84 C9 75 ?? 2B C3 50 52 8B CE E8 ?? ?? ?? ?? 8B 45 ?? 83 C6 ?? + C6 45 ?? ?? 89 75 ?? 83 C7 ?? EB ?? 8B 55 ?? 51 8B 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A + ?? 6A ?? E8 ?? ?? ?? ?? 8B C6 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C3 + 2B 49 ?? E9 ?? ?? ?? ?? 2B 49 ?? E9 ?? ?? ?? ?? 2B 49 ?? E9 ?? ?? ?? ?? 2B 49 ?? E9 + ?? ?? ?? ?? 33 C0 57 8B F9 40 F0 0F C1 05 ?? ?? ?? ?? 75 ?? 56 BE ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 83 C6 ?? 59 81 FE ?? ?? ?? ?? 7C ?? 5E 8B C7 5F C3 + } + + condition: + uint16(0) == 0x5A4D and $search_files_1 and $search_files_2 and $encrypt_files + +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.InfoDot.yara b/yara/ransomware/Win32.Ransomware.InfoDot.yara new file mode 100644 index 0000000..8cdd371 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.InfoDot.yara 
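Review bot: `$encrypt_files` keeps matching past the function it names: after the epilogue `8B E5 5D C3` it fixes four `2B 49 ?? E9 ?? ?? ?? ??` sequences and then a further run ending `5E 8B C7 5F C3`, which look like adjustor thunks and a separate small function that the linker happened to place next, so a build with a different link order or padding would be missed while the tail adds no evidence about the detected code itself. Either end the string at `... 59 5F 5E 5B 8B E5 5D C3 }` or, if the neighbours were kept on purpose, say so in a comment such as `// bytes after the ret are intentionally included: <reason>`. `$encrypt_files_4` in the HydraCrypt hunk likewise continues after `C9 C2 ?? ??` with `6A ?? E9`, though there it may still belong to the same function, so it deserves a check rather than a cut. The wildcard run `33 FF ?? ?? ?? 8D 45 ??` in `$search_files_2` also deserves a comment, since each `??` is exactly one byte, so whatever was masked there (alignment padding, presumably) must be exactly three bytes in every sample this rule is meant to catch.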
@@ -0,0 +1,115 @@ +rule Win32_Ransomware_InfoDot : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "INFODOT" + description = "Yara rule that detects InfoDot ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "InfoDot" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B FA 8B D9 89 9D ?? ?? ?? ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 53 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 FF D3 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? EB + ?? 8D 49 ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 + ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? + ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 + ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 + C0 74 ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B FF 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 + ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 + 83 C8 ?? 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 53 8D 85 ?? ?? ?? ?? 50 FF 15 + } + + $find_files_p2 = { + 8B D7 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 57 8B 3D ?? ?? ?? ?? 56 50 FF D7 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 
+ 50 FF D3 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 9B ?? ?? ?? ?? F6 85 ?? ?? + ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? 50 56 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 8D 85 ?? ?? ?? ?? 50 FF D7 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 66 39 85 ?? ?? ?? ?? 75 ?? 33 C9 + EB ?? 8D 8D ?? ?? ?? ?? 8D 51 ?? 90 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 51 + 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 51 50 E8 ?? ?? ?? ?? 99 83 C4 ?? 0B + C2 75 ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 83 CB ?? 83 BD ?? ?? ?? ?? ?? 72 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 BA ?? ?? ?? ?? 8B CF 8D A4 24 + ?? ?? ?? ?? 66 8B 31 66 3B 32 75 ?? 66 85 F6 74 ?? 66 8B 41 ?? 66 3B 42 ?? 75 ?? 83 + } + + $find_files_p3 = { + C1 ?? 83 C2 ?? 66 85 C0 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 + ?? ?? ?? ?? 8B C7 8D 9B ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 + ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 + C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B C7 8D 9B ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? + 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 + EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B C7 8D 9B ?? ?? ?? ?? + 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8B C7 8D 9B ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 0F 66 3B 08 75 ?? 66 85 C9 74 ?? 66 8B 4F ?? 
66 3B 48 + ?? 75 ?? 83 C7 ?? 83 C0 ?? 66 85 C9 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 85 DB 7F ?? 8B 95 ?? ?? ?? ?? 7C ?? 81 + } + + $find_files_p4 = { + FA ?? ?? ?? ?? 73 ?? 3B D8 0F 8F ?? ?? ?? ?? 7C ?? 3B D1 73 ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 EC ?? 8D 95 ?? ?? ?? ?? 8B CC 51 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? + ?? 83 C4 ?? 84 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 3B D8 7F + ?? 7C ?? 8B 85 ?? ?? ?? ?? 3B C1 73 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? 8B 3D ?? + ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? + ?? 85 C0 8B 85 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 64 89 0D + ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 8B F1 C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 74 ?? 83 C8 ?? 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 56 8D 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 0F 57 + C0 68 ?? ?? ?? ?? 50 F3 0F 7F 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? + ?? ?? ?? 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? + 57 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 
8B F8 83 C4 ?? 85 FF 74 ?? 8B FF + 81 FF ?? ?? ?? ?? 75 ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 + 50 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 6A ?? 50 E8 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 6A ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 + ?? 8B C7 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 40 BE ?? ?? ?? ?? 2B F0 8D 85 ?? ?? ?? ?? + 56 03 C7 56 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 03 F7 8D 85 ?? ?? + ?? ?? 56 50 50 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 6A ?? 50 E8 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? + 83 C4 ?? 33 CD 33 C0 5F 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.JSWorm.yara b/yara/ransomware/Win32.Ransomware.JSWorm.yara new file mode 100644 index 0000000..1afffa1 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.JSWorm.yara 
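Review bot: Win32.Ransomware.InfoDot.yara is added without a trailing newline (the hunk ends with `\ No newline at end of file` right after the closing `}`), and the JSWorm, Jamper, Jemd and Jormungand files added below end the same way; adding the final newline keeps later edits to the last line from showing up as a two-line diff and matches the usual convention for text rule files. The `sharing = "TLP:WHITE"` meta carries the TLP 1.0 label, which TLP 2.0 renamed to TLP:CLEAR; keeping the vendor's value as published is reasonable, but anything in main.py that normalizes or filters on TLP labels should expect the legacy spelling. The rule bodies themselves (MZ gate plus `all of ($find_files_p*)` and `$encrypt_files`) need no change.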
@@ -0,0 +1,93 @@ +rule Win32_Ransomware_JSWorm : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JSWORM" + description = "Yara rule that detects JSWorm ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "JSWorm" + tc_detection_factor = 5 + + strings: + + $find_files = { + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? A8 ?? + 0F 85 ?? ?? ?? ?? A8 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 C6 45 ?? ?? 8B 4E ?? 8B 56 ?? 3B CA 73 + ?? 8D 41 ?? 89 46 ?? 8B C6 83 FA ?? 72 ?? 8B 06 C7 04 48 ?? ?? ?? ?? EB ?? 6A ?? C6 + 85 ?? ?? ?? ?? ?? 8B CE FF B5 ?? ?? ?? ?? 6A ?? E8 + } + + $find_drives = { + 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? 8B CE C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 51 ?? 8A 01 + 41 84 C0 75 ?? 2B CA 51 56 8D 4D ?? E8 ?? ?? ?? ?? 83 EC ?? C7 45 ?? ?? ?? ?? ?? 8B + CC 89 65 ?? 33 C0 6A ?? 68 ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 66 + 89 01 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 55 ?? 8B CC E8 ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B + C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 + ?? ?? ?? ?? 83 C4 ?? 8B C6 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 46 03 F0 38 0E 0F 85 + ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? 
?? 59 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 + 5D C3 E8 ?? ?? ?? ?? E8 + } + + $encrypt_files_p1 = { + 8B 00 50 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B F0 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? + 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? + ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 83 FA ?? + 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? + 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B + CB C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 E6 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 66 89 + 85 ?? ?? ?? ?? 8D 51 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 51 53 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 78 ?? ?? 72 ?? 8B 00 56 50 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 FA + ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 + 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 + 85 ?? ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA + ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 + E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? 8B D8 8D 45 ?? 50 53 89 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 7D ?? ?? + 0F 8C ?? ?? ?? ?? 7F ?? 81 7D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 53 + FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B F8 89 BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 
+ B9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? BE ?? ?? ?? ?? 83 C4 ?? F3 A5 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 F6 + } + + + $encrypt_files_p2 = { + 8B 86 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 86 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 + 86 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 86 ?? ?? ?? ?? 83 C6 ?? 81 FE ?? ?? ?? ?? 7C ?? + 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? 53 + FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 8B F4 8B CA 33 C0 + C7 46 ?? ?? ?? ?? ?? 8D 79 ?? C7 46 ?? ?? ?? ?? ?? 66 89 06 66 8B 01 83 C1 ?? 66 85 + C0 75 ?? E9 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 53 8B 1D ?? ?? ?? ?? FF D3 6A ?? 8D 45 ?? + 50 FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B + F8 89 BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? BE ?? ?? ?? ?? F3 A5 8B 45 ?? 8D 8D ?? ?? ?? ?? 50 68 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 + FF D3 6A ?? 8D 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 + } + + condition: + uint16(0) == 0x5A4D and $find_drives and $find_files and (all of ($encrypt_files_p*)) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Jamper.yara b/yara/ransomware/Win32.Ransomware.Jamper.yara new file mode 100644 index 0000000..af17b99 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Jamper.yara 
@@ -0,0 +1,110 @@ +rule Win32_Ransomware_Jamper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JAMPER" + description = "Yara rule that detects Jamper ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Jamper" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D + ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 55 ?? + 89 45 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 DB 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? 8B + 45 ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 6A ?? 8B 4D ?? B2 ?? A1 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 10 FF 12 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 83 + BD ?? ?? ?? ?? ?? 75 ?? 83 BD ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? EB ?? 0F 8E ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 76 ?? EB ?? 7E ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 + ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 8D 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 83 FB ?? 7F ?? B8 + } + + $encrypt_files_p2 = { + E8 ?? ?? ?? ?? 8B D0 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 + ?? ?? ?? ?? 43 83 FB ?? 75 ?? 8B 85 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 + ?? 
E8 ?? ?? ?? ?? 8B D0 8B 8D ?? ?? ?? ?? 8B 45 ?? 8B 18 FF 53 ?? 83 BD ?? ?? ?? ?? + ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 45 ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? 8B 18 FF 53 ?? EB ?? 8D 45 ?? + E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 33 D2 8B 45 ?? 8B 08 FF 51 ?? 83 + BD ?? ?? ?? ?? ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 8D 45 ?? E8 ?? ?? ?? ?? + 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? 8B 18 FF 53 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 B9 + ?? ?? ?? ?? 8B 45 ?? 8B 18 FF 53 ?? 55 E8 ?? ?? ?? ?? 59 55 E8 ?? ?? ?? ?? 59 EB ?? + 55 E8 ?? ?? ?? ?? 59 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? 8B + 18 FF 53 ?? 55 E8 ?? ?? ?? ?? 59 B3 ?? 8D 45 ?? E8 ?? ?? ?? ?? 84 DB 74 ?? 8D 95 ?? + ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B + F8 57 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 56 57 E8 ?? ?? ?? ?? 33 C0 5A 59 59 + 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 89 55 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? + ?? 89 C3 85 DB 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 FF D3 85 C0 74 + ?? 8B 45 ?? 50 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 + ?? 80 38 ?? 75 ?? 8B 45 ?? 80 78 ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? E8 ?? ?? + ?? ?? 8B F0 80 3E ?? 0F 84 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F0 80 3E ?? 0F 84 + ?? ?? ?? ?? EB ?? 8B 75 ?? 83 C6 ?? 8B DE 2B 5D ?? 8D 43 ?? 50 8B 45 ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? 
?? ?? ?? E9 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F8 8B C7 2B C6 + 03 C3 40 3D ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 8B C7 2B C6 40 50 56 8D 85 ?? ?? ?? ?? 03 + C3 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 8D 53 ?? 03 C2 40 3D ?? ?? ?? ?? 7F ?? C6 84 1D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B C3 + 48 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 03 C3 40 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 40 03 D8 8B F7 80 3E ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5B 8B E5 5D C3 + } + + $enum_resources = { + 55 8B EC 83 C4 ?? 53 56 57 33 D2 89 55 ?? 89 55 ?? 89 55 ?? 33 D2 55 68 ?? ?? ?? ?? + 64 FF 32 64 89 22 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 ?? 52 50 6A ?? 6A + ?? 6A ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 33 C0 5A 59 59 64 89 10 E9 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 6A ?? E8 ?? ?? ?? ?? 89 + 45 ?? 8D 45 ?? 50 8B 45 ?? 50 8D 45 ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 83 7D + ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 48 85 C0 0F 82 ?? ?? ?? ?? 40 89 45 ?? 8B 45 ?? 8B + 58 ?? 85 DB 0F 84 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? 8B + D3 E8 ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? 0F B6 12 88 50 ?? C6 00 ?? 8D 55 ?? 8D 45 ?? E8 + ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? 0F B6 52 ?? 88 50 ?? C6 00 ?? 8D 55 ?? 8D 45 ?? B1 ?? + E8 ?? ?? ?? ?? 8D 55 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 50 8D 55 ?? B8 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 55 ?? 58 E8 ?? ?? ?? ?? 75 ?? A1 ?? ?? ?? ?? 8B 40 ?? 8B 55 ?? 8B + 08 FF 51 ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? F7 + 40 ?? ?? ?? ?? ?? 76 ?? 8B 45 ?? E8 ?? ?? ?? ?? 83 45 ?? ?? FF 4D ?? 0F 85 ?? ?? ?? + ?? EB ?? 81 7D ?? ?? ?? ?? ?? 74 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? EB ?? 8B 45 ?? 50 E8 + ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 33 C0 + 5A 59 59 64 89 10 EB ?? 
E9 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? + ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_resources + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Jemd.yara b/yara/ransomware/Win32.Ransomware.Jemd.yara new file mode 100644 index 0000000..74f748e --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Jemd.yara 
@@ -0,0 +1,105 @@ +rule Win32_Ransomware_Jemd : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JEMD" + description = "Yara rule that detects Jemd ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Jemd" + tc_detection_factor = 5 + + strings: + + $find_files_1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 33 DB 89 9D ?? ?? ?? ?? 89 4D ?? 89 55 ?? 89 45 ?? 8B + 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 75 + ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B + 45 ?? 50 8B 45 ?? 50 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? B1 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $find_files_2 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 4D ?? + 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8D B5 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? ?? ?? ?? 89 + C3 BB ?? ?? ?? ?? 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4B 75 ?? 33 DB 8D 45 ?? 33 C9 BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 8A 14 1E 88 54 05 ?? 40 43 80 3C 1E ?? 74 ?? 83 F8 + ?? 7E ?? 43 8D 85 ?? ?? ?? ?? 8D 55 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? BA ?? ?? ?? 
?? E8 ?? ?? ?? ?? 74 ?? 8B 45 ?? 50 8D 85 ?? ?? ?? ?? 8D 55 ?? B9 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 80 7C 1E + ?? ?? 75 ?? 80 3C 1E ?? 74 ?? 81 FB ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? 33 C0 5A 59 59 64 + 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 8B D9 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 80 7C 02 ?? ?? 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8B D0 4A 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B D0 83 CA ?? 3B D0 75 ?? 80 + FB ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 50 + 8B 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CB 8B 55 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? FF + } + + $encrypt_files_p2 = { + 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? 8B C6 83 C8 ?? 3B C6 75 ?? 80 FB ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B + 45 ?? 50 8B 45 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CB 8B 55 ?? E8 ?? ?? ?? ?? EB ?? FF + 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? 
?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B + 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $main_routine = { + 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B0 ?? E8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 50 8D 55 ?? 66 + B8 ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? B1 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B + 0D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 8B 08 FF 51 ?? 8D 55 ?? + 33 C0 E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 8B 08 FF + 51 + } + + condition: + uint16(0) == 0x5A4D and + ( + $main_routine + ) and + ( + all of ($find_files_*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Jormungand.yara b/yara/ransomware/Win32.Ransomware.Jormungand.yara new file mode 100644 index 0000000..163023a --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Jormungand.yara 
@@ -0,0 +1,135 @@ +rule Win32_Ransomware_Jormungand : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JORMUNGAND" + description = "Yara rule that detects Jormungand ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Jormungand" + tc_detection_factor = 5 + + strings: + + $drop_ransom_note = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 8D 44 24 ?? 3B 41 ?? 0F 86 ?? ?? ?? ?? 81 EC + ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 89 04 24 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? + ?? ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 + 84 24 ?? ?? ?? ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 54 24 ?? 89 14 24 8B 94 24 ?? ?? ?? ?? + 89 54 24 ?? 8B 94 24 ?? ?? ?? ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? + 8B 54 24 ?? 8B 9C 24 ?? ?? ?? ?? 89 1C 24 8B 9C 24 ?? ?? ?? ?? 89 5C 24 ?? 89 44 24 + ?? 89 4C 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? 8B 4C 24 + ?? 89 4C 24 ?? 8B 54 24 ?? 89 54 24 ?? C7 04 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 89 + 5C 24 ?? 8B 9C 24 ?? ?? ?? ?? 89 5C 24 ?? 8D 1D ?? ?? ?? ?? 89 5C 24 ?? C7 44 24 ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 04 24 89 4C 24 ?? C7 44 24 ?? + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 84 24 ?? ?? ?? ?? + 8D 4C 24 ?? 89 0C 24 8B 8C 24 ?? ?? ?? ?? 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 4C + 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 4C 24 ?? 8D + 44 24 ?? 89 04 24 8B 84 24 ?? ?? ?? ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? + ?? ?? 8B 44 24 ?? 8B 4C 24 ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? E8 ?? ?? + ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 9C 24 ?? ?? ?? ?? 89 1C 24 89 44 24 ?? + 89 4C 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + 81 C4 ?? ?? ?? ?? C3 E8 + } + + $encrypt_files_aes = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? 
?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? 8B 44 24 + ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 + ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 85 D2 74 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? 89 54 24 ?? 89 5C 24 ?? 83 C4 ?? C3 89 44 24 ?? 89 4C 24 ?? 8B 50 ?? + 89 0C 24 FF D2 8B 44 24 ?? 8B 4C 24 ?? 89 0C 24 8B 4C 24 ?? 89 4C 24 ?? 8B 4C 24 ?? + 89 4C 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 + ?? 8B 54 24 ?? 89 54 24 ?? C7 04 24 ?? ?? ?? ?? 8D 1D ?? ?? ?? ?? 89 5C 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 89 + 1C 24 8B 5C 24 ?? 89 5C 24 ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B + 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 8B 54 24 ?? + 89 54 24 ?? 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 + ?? 8B 54 24 ?? 89 54 24 ?? 8B 5C 24 ?? 8B 5B ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? + 8B 6C 24 ?? 89 6C 24 ?? 8B 6C 24 ?? 89 6C 24 ?? 8B 6C 24 ?? 89 6C 24 ?? 8B 6C 24 ?? + 89 2C 24 FF D3 8B 05 ?? ?? ?? ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 + 24 ?? 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 44 24 ?? 89 + 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 83 C4 ?? C3 E8 + } + + $encrypt_files_rsa = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? C7 04 24 + ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 89 14 24 89 4C 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B + 44 24 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 48 ?? 8B 50 ?? 8B 40 ?? 89 0C 24 89 54 24 ?? 89 + 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 85 D2 75 ?? + 8D 15 ?? ?? ?? ?? 39 D0 0F 85 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 89 04 + 24 89 54 24 ?? 89 4C 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 + ?? 89 44 24 ?? E8 ?? ?? ?? ?? 
8B 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 8B 5C 24 ?? 8B 6C + 24 ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 89 5C 24 ?? 89 6C 24 ?? 83 C4 ?? C3 C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? 89 5C + 24 ?? 83 C4 ?? C3 8D 05 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 44 24 ?? C7 40 ?? ?? + ?? ?? ?? 8B 0D ?? ?? ?? ?? 85 C9 75 ?? 8D 0D ?? ?? ?? ?? 89 08 C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 89 4C 24 ?? 89 + 44 24 ?? 83 C4 ?? C3 89 44 24 ?? 89 04 24 8D 0D ?? ?? ?? ?? 89 4C 24 ?? E8 ?? ?? ?? + ?? 8B 44 24 ?? EB ?? 89 04 24 89 54 24 ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? + ?? 0F 0B + } + + $find_files = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8D 05 ?? ?? + ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 44 24 ?? 89 04 24 8B 44 24 ?? 89 44 + 24 ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? + ?? 8B 15 ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 8B 05 ?? ?? ?? ?? 8B 0D ?? + ?? ?? ?? 8B 15 ?? ?? ?? ?? 89 44 24 ?? 89 4C 24 ?? 89 54 24 ?? 90 E8 ?? ?? ?? ?? 83 + C4 ?? C3 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 E8 + } + + $remote_connection_p1 = { + 64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86 ?? ?? ?? ?? 83 EC ?? C7 04 24 + ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D + 05 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? C7 40 ?? ?? ?? ?? ?? + 8D 0D ?? ?? ?? ?? 89 0C 24 E8 ?? ?? ?? ?? 8B 44 24 ?? C6 40 ?? ?? 8B 0D ?? ?? ?? ?? + 8B 54 24 ?? 8D 5A ?? 85 C9 0F 85 ?? ?? ?? ?? 89 42 ?? 8D 05 ?? ?? ?? ?? 89 04 24 E8 + ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 8D 0D + ?? ?? ?? ?? 89 08 8B 0D ?? ?? ?? ?? 8D 50 ?? 85 C9 0F 85 ?? ?? ?? ?? 8B 4C 24 ?? 89 + 48 ?? C7 04 24 ?? ?? ?? 
?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B + 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 8D 05 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 + 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8D 15 ?? ?? ?? ?? 89 14 24 E8 ?? ?? ?? ?? + 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 89 48 ?? 8B 0D ?? ?? ?? ?? 85 C9 0F 85 ?? ?? ?? + ?? 8B 4C 24 ?? 89 08 C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C7 40 + } + + $remote_connection_p2 = { + C7 04 24 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 4C 24 + ?? 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 89 4C + 24 ?? 89 44 24 ?? 8D 05 ?? ?? ?? ?? 89 04 24 C7 44 24 ?? ?? ?? ?? ?? 8D 05 ?? ?? ?? + ?? 89 44 24 ?? 8B 44 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C + 24 ?? 8B 54 24 ?? 89 0C 24 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 8B 44 24 + ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 4C 24 ?? 8B 54 24 ?? 89 0C + 24 89 54 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 75 ?? 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 + 8B 48 ?? 84 01 8B 40 ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? 8D 41 ?? 89 44 24 ?? E8 ?? + ?? ?? ?? 85 C0 75 ?? EB ?? 90 E8 ?? ?? ?? ?? 83 C4 ?? C3 89 04 24 8B 4C 24 ?? 89 4C + 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? E9 ?? ?? ?? ?? 89 14 24 8B 44 24 ?? 89 44 24 ?? E8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 1C 24 89 44 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 90 E8 + ?? ?? ?? ?? 83 C4 ?? C3 E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_*) + ) and + ( + all of ($remote_connection_p*) + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.JuicyLemon.yara b/yara/ransomware/Win32.Ransomware.JuicyLemon.yara new file mode 100644 index 0000000..1a210ee --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.JuicyLemon.yara 
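Review bot: Every pattern in Win32_Ransomware_Jormungand opens with the same `64 8B 0D ?? ?? ?? ?? 8B 89 ?? ?? ?? ?? 3B 61 ?? 0F 86` sequence (`$drop_ransom_note` with `3B 41` in place of `3B 61`), which looks like the 32-bit Go function prologue (stack-bound check through the FS-relative goroutine pointer) rather than anything specific to this family; the strings still discriminate because of their length, but anyone trimming or tuning them should not rely on that shared prefix. A short comment above `strings:` such as `// patterns come from a 32-bit Go build; the common leading bytes are the generic Go prologue, not family-specific` would make that explicit for the next maintainer. This is inferred from the opcodes on the page, not confirmed against a sample.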
@@ -0,0 +1,116 @@ +rule Win32_Ransomware_JuicyLemon : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "JUICYLEMON" + description = "Yara rule that detects JuicyLemon ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "JuicyLemon" + tc_detection_factor = 5 + + strings: + + $remote_connection_1 = { + 55 8B EC 83 C4 ?? 53 56 57 89 4D ?? 8B FA 8B F0 C6 45 ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? FF 15 ?? ?? ?? ?? 8B D8 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 56 53 FF 15 ?? ?? ?? + ?? 8B F0 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 56 FF 15 + ?? ?? ?? ?? 8B F8 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 6A ?? 68 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 85 C0 74 ?? C6 45 ?? ?? 57 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 53 + FF 15 ?? ?? ?? ?? 8A 45 ?? 5F 5E 5B 59 59 5D C2 + } + + $remote_connection_2 = { + 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 89 55 ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 DB 8D 55 ?? 8B + 45 ?? E8 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? + ?? 66 BE ?? ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? 66 BE ?? ?? 8D 45 ?? E8 + ?? ?? ?? ?? 50 8D 45 ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 50 8D 45 ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D6 + 59 E8 ?? ?? ?? ?? 84 C0 74 ?? B3 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $find_files_and_encrypt = { + E8 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 14 B2 E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 88 45 ?? 46 4B 75 ?? A1 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 75 ?? 80 7D ?? ?? 75 ?? 8B 5D ?? 4B 85 DB 7C ?? 43 33 F6 8D 85 + ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 14 B2 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 55 ?? E8 + ?? ?? ?? ?? 46 4B 75 ?? 
A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 + A1 ?? ?? ?? ?? 8B 00 FF D0 8B 1D ?? ?? ?? ?? 57 A1 ?? ?? ?? ?? 8B 00 FF D0 85 DB 74 + ?? 6A ?? A1 ?? ?? ?? ?? 8B 00 FF D0 EB ?? B3 ?? 8D 85 ?? ?? ?? ?? 8B D3 80 C2 ?? E8 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 8B 00 FF + D0 83 F8 ?? 76 ?? 83 F8 ?? 74 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8D 85 ?? + ?? ?? ?? 8B D3 80 C2 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 57 A1 ?? ?? ?? ?? 8B 00 FF D0 FF 05 ?? + ?? ?? ?? 57 A1 ?? ?? ?? ?? 8B 00 FF D0 8D 46 ?? 50 6A ?? 56 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 6A ?? A1 ?? ?? ?? ?? 8B 00 FF D0 4B 80 FB ?? 0F 85 ?? ?? ?? ?? 57 A1 ?? ?? ?? + ?? 8B 00 FF D0 8B 1D ?? ?? ?? ?? 57 A1 ?? ?? ?? ?? 8B 00 FF D0 85 DB 74 ?? 6A ?? A1 + ?? ?? ?? ?? 8B 00 FF D0 EB ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8D 46 ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 A1 ?? ?? ?? ?? 8B 00 FF D0 FF 05 ?? ?? ?? ?? 57 A1 ?? + ?? ?? ?? 8B 00 FF D0 8D 46 ?? 50 6A ?? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? + ?? ?? ?? 8B 00 FF D0 57 A1 ?? ?? ?? ?? 8B 00 FF D0 8B 1D ?? ?? ?? ?? 57 A1 ?? ?? ?? + ?? 8B 00 FF D0 85 DB 74 ?? 6A ?? A1 ?? ?? ?? ?? 8B 00 FF D0 EB ?? A1 ?? ?? ?? ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 52 50 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? 
?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? 50 B8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 5A 59 E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? + ?? ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? C6 45 ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? 8B + 5D ?? 4B 85 DB 7C ?? 43 33 F6 80 7D ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? + 8B 14 B2 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? + ?? ?? 8B 15 ?? ?? ?? ?? 8B 14 B2 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? + ?? ?? 88 45 ?? 46 4B 75 ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? 80 7D + ?? ?? 75 ?? 8B 5D ?? 4B 85 DB 7C ?? 43 33 F6 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B + 14 B2 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 46 4B 75 ?? BA ?? ?? + ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B C8 B8 ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? BA ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B D0 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C8 B8 ?? ?? ?? + ?? 5A E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B D3 B8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? FF 35 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 8B D3 B8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? 
?? ?? ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B D3 B8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? A1 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? + E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? A1 ?? ?? ?? ?? E8 + ?? ?? ?? ?? B2 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 75 ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and $find_files_and_encrypt and $remote_connection_1 and $remote_connection_2 +} \ No newline at end of file 
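Review bot: The meta block of Win32_Ransomware_JuicyLemon records no `hash`, `reference`, `date` or `version`, so there is no named sample to regression-test its three code-byte strings against and no way to tell which upstream ReversingLabs revision the file was copied from. Since the rule body is vendored under LICENSE-YARA-RULES it should stay as upstream wrote it, but provenance belongs in meta: a `reference = "..."` line giving the upstream repository and revision, and a `hash = "..."` line with the SHA-256 of the reference sample where one is known. Every other rule visible in this commit carries the same set of meta fields, so the same addition applies to each of them.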
diff --git a/yara/ransomware/Win32.Ransomware.Kangaroo.yara b/yara/ransomware/Win32.Ransomware.Kangaroo.yara
new file mode 100644
index 0000000..4007496
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Kangaroo.yara
@@ -0,0 +1,91 @@ +rule Win32_Ransomware_Kangaroo : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KANGAROO" + description = "Yara rule that detects Kangaroo ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Kangaroo" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 83 EC ?? 53 55 8B 6C 24 ?? 56 57 33 FF 57 57 6A ?? 57 6A ?? 68 ?? ?? ?? ?? 33 DB 55 + 89 5C 24 ?? 89 7C 24 ?? 89 7C 24 ?? FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? + ?? 8D 44 24 ?? 50 8D 4C 24 ?? 51 8D 54 24 ?? 52 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 57 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? + 8B 54 24 ?? 8D 4C 24 ?? 51 57 57 68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 + ?? ?? ?? ?? 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 03 C0 50 8B 44 24 ?? 68 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 54 24 ?? 8B 44 24 ?? 8D 4C 24 ?? + 51 6A ?? 52 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 57 56 FF + 15 ?? ?? ?? ?? 8B 54 24 ?? 57 8D 4C 24 ?? 51 57 57 6A ?? 57 52 89 44 24 ?? FF 15 ?? + ?? ?? ?? 8B 44 24 ?? 6A ?? 68 ?? ?? ?? ?? 50 57 8B 3D ?? ?? ?? ?? FF D7 8B 54 24 + } + + $encrypt_files_p2 = { + 6A ?? 8D 4C 24 ?? 51 52 8B D8 53 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B + 44 24 ?? 8B 54 24 ?? 50 8D 4C 24 ?? 51 53 6A ?? 6A ?? 6A ?? 52 FF 15 ?? ?? ?? ?? 83 + F8 ?? 0F 85 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? + 8B 4C 24 ?? 6A ?? 8D 44 24 ?? 50 51 53 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 8D 54 24 + ?? 52 8D 44 24 ?? 50 8D 4C 24 ?? 51 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D7 68 ?? ?? ?? ?? 55 8B F8 68 ?? ?? ?? ?? 57 + FF 15 ?? ?? ?? ?? 83 C4 ?? 57 55 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? + ?? ?? ?? 8B C5 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 
53 FF 15 + ?? ?? ?? ?? 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8B 5C 24 ?? 33 FF 8B 44 24 ?? 50 FF 15 + ?? ?? ?? ?? 89 7C 24 ?? 8B 4C 24 ?? 57 51 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 5F + 5E 5D 8B C3 5B 83 C4 ?? C3 + } + + $find_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 8B 75 ?? 57 56 FF 15 ?? ?? ?? ?? 8B 3D ?? + ?? ?? ?? 33 C9 83 F8 ?? 0F 94 C1 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 89 4C 24 + ?? FF D7 83 C4 ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 44 24 + ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? EB ?? EB ?? 8D A4 24 ?? ?? ?? ?? 90 + 8B 3D ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 8D 54 24 ?? 52 56 68 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 50 EB ?? 8D 4C 24 ?? 51 56 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF D7 83 + C4 ?? F6 44 24 ?? ?? 74 ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D7 85 + C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? 51 FF D7 85 C0 0F 84 ?? ?? ?? ?? 8D + 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 33 FF 33 F6 EB ?? 8D 9B + ?? ?? ?? ?? 8B 86 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 FF D3 85 C0 74 ?? BF ?? ?? + ?? ?? 83 C6 ?? 83 FE ?? 72 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF D3 85 C0 75 + ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D3 85 C0 74 ?? BF ?? ?? ?? ?? 8B 44 24 + ?? A8 ?? 75 ?? A9 ?? ?? ?? ?? 75 ?? 85 FF 75 ?? 3D ?? ?? ?? ?? 74 ?? 68 ?? ?? ?? ?? + 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 75 ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 8C + 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 75 ?? 8B 44 24 ?? 8D 54 24 ?? 52 50 FF 15 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 4C 24 ?? 51 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D + C3 + } + + $enum_resources = { + 55 8B EC 83 E4 ?? 83 EC ?? 8B 4D ?? 53 56 57 8D 44 24 ?? 50 51 6A ?? 6A ?? 6A ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5F 5E + 5B 8B E5 5D C2 ?? ?? 8B 54 24 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 4C + 24 ?? 
8B C3 85 C9 74 ?? 8D 64 24 ?? C6 00 ?? 40 83 E9 ?? 75 ?? 8B 54 24 ?? 8D 44 24 + ?? 50 53 8D 4C 24 ?? 51 52 E8 ?? ?? ?? ?? 85 C0 75 ?? 33 FF 39 7C 24 ?? 76 ?? 8D 73 + ?? 8D 49 ?? 83 7E ?? ?? 75 ?? 8B 06 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4E ?? 83 E1 ?? 80 + F9 ?? 75 ?? 8D 56 ?? 52 E8 ?? ?? ?? ?? 47 83 C6 ?? 3B 7C 24 ?? 72 ?? EB ?? 3D ?? ?? + ?? ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 50 E8 ?? ?? ?? ?? 5F 5E B8 ?? ?? ?? ?? + 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $enum_resources + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.KawaiiLocker.yara b/yara/ransomware/Win32.Ransomware.KawaiiLocker.yara new file mode 100644 index 0000000..c574f68 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.KawaiiLocker.yara 
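Review bot: `all of ($encrypt_files_p*)` in the condition accepts the two halves of the encryption routine anywhere in the file, even though the bytes suggest they are consecutive fragments of one function: `$encrypt_files_p1` ends on `8B 54 24` with the disp8 of that `mov edx,[esp+xx]` missing, and `$encrypt_files_p2` opens with the `6A ?? 8D 4C 24 ??` push/lea sequence that would plausibly follow it. If that reading is right, tying the halves together keeps the rule from firing on unrelated code that happens to contain both prologue-heavy fragments, e.g. `$encrypt_files_p2 in (@encrypt_files_p1 .. @encrypt_files_p1 + !encrypt_files_p1 + 0x10)` in place of the bare `all of`. The split point is not documented anywhere in the rule; a one-line comment above `$encrypt_files_p2` saying that it continues p1 would spare the next maintainer re-deriving it from the opcodes.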
@@ -0,0 +1,135 @@ +rule Win32_Ransomware_KawaiiLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KAWAIILOCKER" + description = "Yara rule that detects KawaiiLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "KawaiiLocker" + tc_detection_factor = 5 + + strings: + + $search_files = { + 55 8B EC 51 B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 ?? 51 87 4D ?? 53 56 57 88 4D ?? 89 55 + ?? 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? E8 ?? + ?? ?? ?? 8B 55 ?? 80 7C 02 ?? ?? 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 4A 8D 45 ?? E8 + ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B D0 83 CA ?? 3B D0 75 ?? 80 7D ?? ?? 0F 85 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8A 4D + ?? 8B 55 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? FF 75 ?? 68 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 13 E8 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D + 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 75 ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? + ?? 
?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? + FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 08 FF 51 ?? 83 C3 ?? 4E 0F 85 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 8B C7 83 C8 ?? 3B C7 75 ?? 80 7D ?? ?? 0F 85 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8A 4D + ?? 8B 55 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? BE ?? ?? ?? ?? BB ?? ?? ?? ?? FF 75 ?? 68 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 13 E8 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D + 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 75 ?? FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? + FF 75 ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 08 FF 51 ?? 83 C3 ?? 4E 0F 85 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? C3 + } + + $remote_connection = { + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? B2 + ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 55 ?? B8 ?? ?? 
?? ?? E8 ?? ?? ?? ?? 8B + 45 ?? 50 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 59 E8 ?? ?? ?? ?? + 8D 4D ?? BA ?? ?? ?? ?? 33 C0 E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 75 + ?? 8D 4D ?? BA ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? FF 75 ?? 8D 45 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 + ?? 8B 50 ?? 8B 45 ?? 8B 08 FF 51 ?? 8D 55 ?? 8B 45 ?? 8B 08 FF 51 ?? 8B 45 ?? 8D 55 + ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? E8 ?? ?? + ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B C3 8B 55 ?? E8 ?? ?? ?? ?? + 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files = { + 55 8B EC 6A ?? 6A ?? 6A ?? 53 56 57 BB ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 + 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 + ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 10 FF 52 + ?? 8B F0 8B C3 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 + ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8D 43 ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B DE 4B 85 DB 7C ?? 43 33 F6 8D 55 ?? 33 C0 E8 ?? ?? ?? ?? 8B 45 + ?? 8D 55 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? + ?? ?? 8B 08 FF 51 ?? 8D 4D ?? 8B D6 A1 ?? ?? ?? ?? 8B 38 FF 57 ?? 8B 45 ?? B1 ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 46 4B 75 ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 6A ?? E8 + } + + + condition: + uint16(0) == 0x5A4D and $search_files and $encrypt_files and $remote_connection +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.KillDisk.yara b/yara/ransomware/Win32.Ransomware.KillDisk.yara new file mode 100644 index 0000000..081f6ac --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.KillDisk.yara 
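Review bot: `$encrypt_files` is brittle: after its prologue it consists almost entirely of dozens of repeats of `8D 43 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ??` and then `8D 83 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ??` (lea eax,[ebx+disp]; mov edx,imm32; call), which looks like Delphi filling a constant string array one element at a time — plausibly the target-extension list, though the bytes alone cannot confirm that. The string therefore pins the exact number of entries, and a build that adds or drops a single one shifts the sequence so that this string, and with it the whole AND condition, stops matching. Unless the entry count is deliberately part of the signature, trimming the string to the prologue plus the distinctive tail (`8B DE 4B 85 DB 7C ?? 43 33 F6 ... 6A ?? E8`) or replacing the repeated middle with a bounded jump would keep the detection while tolerating list changes. Either way a comment on the string recording what the repetition is would help, since nothing in the rule says so.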
@@ -0,0 +1,80 @@ +rule Win32_Ransomware_KillDisk : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KILLDISK" + description = "Yara rule that detects KillDisk ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "KillDisk" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 55 8B AC 24 ?? ?? ?? + ?? 56 57 33 FF 8B F1 3B F7 89 7D ?? 89 7D ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 56 + FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 95 C0 84 C0 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 56 8D + 4C 24 ?? 89 7C 24 ?? 89 7C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 74 ?? B8 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B 5C 24 ?? 3B DF 8B 44 24 ?? 89 45 ?? 89 5D ?? 77 ?? 83 F8 ?? 0F 82 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 57 6A ?? 68 ?? ?? ?? ?? 56 FF 15 + ?? ?? ?? ?? 8B E8 3B EF 0F 84 ?? ?? ?? ?? 83 FD ?? 0F 84 ?? ?? ?? ?? 8B 0D ?? ?? ?? + ?? 33 C0 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 + 44 24 ?? 89 44 24 ?? 8D 44 24 ?? 50 6A ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 54 + 24 ?? 57 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 4C 24 ?? 51 8D 54 24 ?? 89 7C 24 ?? 52 8D BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 0F 84 ?? ?? ?? ?? 8B 74 24 ?? 6A ?? 8B C6 05 ?? ?? ?? ?? 50 8B CB 83 D1 ?? 51 + 6A ?? 6A ?? 55 FF 15 ?? ?? ?? ?? 85 C0 89 44 24 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 + ?? ?? ?? ?? 8D 4C 24 ?? 51 53 56 8B F8 E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 54 24 ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? ?? ?? ?? 8D B4 + 24 ?? ?? ?? ?? 8D 7C 24 ?? 8D 44 24 ?? F3 A5 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 08 89 8C 24 ?? ?? ?? ?? 8B 50 ?? 89 94 24 ?? ?? ?? ?? 8B 48 ?? 89 8C 24 + ?? ?? ?? ?? 8B 50 ?? 
89 94 24 ?? ?? ?? ?? 8B 48 ?? 89 8C 24 ?? ?? ?? ?? 8B 50 ?? 8D + 74 24 ?? 89 94 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 6A ?? 6A ?? 53 50 55 FF 15 + ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 51 68 ?? ?? ?? ?? 8D 54 24 ?? 52 55 C7 44 24 ?? ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B F0 8B 44 24 ?? F7 DE 1B F6 83 E6 ?? 50 83 C6 ?? FF 15 ?? + ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 8B C6 EB ?? 8B 44 24 ?? 50 BE ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 55 FF 15 ?? ?? ?? ?? 8B C6 EB ?? 55 BE ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B C6 EB + ?? 55 BE ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B C6 EB ?? 55 BE ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B C6 EB ?? BE ?? ?? ?? ?? 8B C6 EB ?? B8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E + 5D 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $app_whitelisting_1 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 55 56 57 32 DB FF 15 + ?? ?? ?? ?? 6A ?? 6A ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 8B E8 85 ED 89 6C 24 ?? 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? + 51 55 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 64 24 ?? + 8B 54 24 ?? 3B 54 24 ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? 33 FF E8 ?? ?? ?? ?? 85 C0 + 0F 86 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B C1 + 2B C3 C1 F8 ?? 3B C7 0F 86 ?? ?? ?? ?? 3B D9 8B F3 76 ?? E8 ?? ?? ?? ?? 8B 1D ?? ?? + ?? ?? 8B 0D ?? ?? ?? ?? 89 74 24 ?? 8D 34 BE 3B F1 B8 ?? ?? ?? ?? 8B E8 77 ?? 3B F3 + 73 ?? E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 3B 75 ?? 72 ?? E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? + ?? 8B 44 24 ?? 39 06 74 ?? B8 ?? ?? ?? ?? 83 C7 ?? E8 ?? ?? ?? ?? 3B F8 72 ?? 8B 6C + 24 ?? 8B 74 24 ?? FF 15 ?? ?? ?? ?? 3B F0 74 ?? 85 F6 74 ?? 56 6A ?? 6A ?? FF 15 ?? + ?? ?? ?? 8B F0 85 F6 74 ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? EB ?? 8B + 6C 24 ?? 8D 4C 24 ?? 51 55 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? B3 ?? 55 FF 15 + ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5D 8A C3 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? + ?? ?? 
C3 + } + + $app_whitelisting_2 = { + 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 56 A1 ?? ?? ?? ?? 33 C4 50 8D 44 + 24 ?? 64 A3 ?? ?? ?? ?? 8D 44 24 ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 70 ?? C7 44 + 24 ?? ?? ?? ?? ?? 56 C7 06 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 74 ?? 8B 36 EB + ?? 33 F6 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8B 44 24 ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 7C 24 ?? ?? 72 ?? 8B 4C 24 + ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 64 89 0D + ?? ?? ?? ?? 59 5E 83 C4 ?? C3 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_files and $app_whitelisting_1 and $app_whitelisting_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Knot.yara b/yara/ransomware/Win32.Ransomware.Knot.yara new file mode 100644 index 0000000..a7d9b06 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Knot.yara 
@@ -0,0 +1,118 @@ +rule Win32_Ransomware_Knot : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "KNOT" + description = "Yara rule that detects Knot ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Knot" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 + FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? 8B 4D ?? 51 + FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 32 C0 E9 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 + ?? 32 C0 E9 ?? ?? ?? ?? 8D 4D ?? 51 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 52 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 8B + 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 32 C0 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 + C0 75 ?? 32 C0 E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 32 C0 E9 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 FF 15 + } + + $encrypt_files_p2 = { + 85 C0 75 ?? 32 C0 E9 ?? ?? ?? ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF + 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 6A + ?? 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 8B + 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 6A + ?? FF 15 ?? ?? 
?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 + ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 8B 45 ?? 50 8B 4D + ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 8B 8D ?? ?? ?? + ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 + ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 + FF 15 ?? ?? ?? ?? B0 ?? 8B E5 5D C3 + } + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C6 85 + ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 0F B7 8D ?? ?? ?? ?? 83 F9 ?? 0F 84 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 83 E2 ?? 89 95 ?? ?? ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 83 F8 ?? 75 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 73 ?? 8B 95 ?? ?? ?? ?? 8B 04 95 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 74 ?? C6 85 ?? ?? ?? ?? ?? EB ?? 0F B6 95 ?? ?? ?? ?? 83 FA ?? 75 + } + + $find_files_p2 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? 83 C0 ?? 89 85 ?? ?? ?? ?? 83 + BD ?? ?? ?? ?? ?? 73 ?? 8B 8D ?? ?? ?? ?? 8B 14 8D ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? C6 85 ?? ?? ?? ?? ?? EB ?? 0F B6 8D ?? ?? ?? + ?? 83 F9 ?? 0F 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? + ?? ?? ?? 50 68 ?? ?? ?? ?? 
8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? + 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? + 51 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? + 8B E5 5D C3 + } + + $remote_connection = { + 55 8B EC 81 EC ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A + ?? FF 15 ?? ?? ?? ?? 89 45 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? FF 15 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 C0 83 F8 ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 C8 83 F9 ?? 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 F9 81 C2 ?? ?? ?? ?? 52 8D 95 ?? ?? ?? ?? + 52 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 8D 8D + ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? + ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 95 ?? ?? + ?? 
?? 83 C2 ?? 89 95 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7F ?? 8D 85 ?? ?? ?? ?? 50 8B + 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 83 BD ?? ?? ?? ?? ?? 74 + ?? EB ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 8D 95 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? EB ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? FF 15 ?? ?? ?? ?? 33 C0 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Kovter.yara b/yara/ransomware/Win32.Ransomware.Kovter.yara new file mode 100644 index 0000000..cedf783 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Kovter.yara 
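Review bot: Both `all of ($find_files_p*)` and `all of ($encrypt_files_p*)` let each half match independently anywhere in the file, although the byte patterns suggest each pair is one routine cut in two: `$find_files_p1` ends on the opcode `75` with its rel8 displacement absent and `$find_files_p2` begins with the `C7 85` store that would follow the branch, while `$encrypt_files_p1` ends on `FF 15` with its 4-byte operand absent and `$encrypt_files_p2` opens with the `85 C0 75 ?? 32 C0` test on that call's result. If so, an adjacency constraint such as `$find_files_p2 in (@find_files_p1 .. @find_files_p1 + !find_files_p1 + 0x10)`, and the same form for the encrypt pair, would make the condition state what the strings actually are instead of accepting two unrelated hits. The split points are undocumented; a short comment on each `_p2` string noting that it continues `_p1` would save re-deriving this from the opcodes.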
@@ -0,0 +1,141 @@
+rule Win32_Ransomware_Kovter : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "KOVTER"
+ description = "Yara rule that detects Kovter ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Kovter"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection_1 = {
+ 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 DB 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D
+ ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ??
+ 89 5D ?? 89 5D ?? 8B D9 89 55 ?? 89 45 ?? 8B 75 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ??
+ E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 80 38 ?? 74
+ ?? 8B CE 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 33 C0
+ 89 45 ?? 33 C0 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 48 75 ?? B3 ?? 8D 45 ?? 50 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ??
+ ?? ?? ?? 5A 2B C2 83 C0 ?? 50 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 83 C2 ??
+ 8B 45 ?? 59 E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B
+ 85 ?? ?? ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 5A 2B C2 50 8D
+ 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ??
+ 8B D0 42 8B 45 ?? 59 E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 8B 55 ?? E8 ?? ??
+ ?? ?? 8B 85 ?? ?? ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ?? 8B C8 49 BA ?? ?? ?? ?? 8B 45 ??
+ E8 ?? ?? ?? ?? 84 DB 0F 84 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 48 0F 8E ?? ?? ?? ??
+ 6A ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ??
+ 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B F8 85 FF 0F 84 ?? ??
+ ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 68
+ ?? ?? ?? ?? 57 E8 ??
?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D
+ }
+
+ $remote_connection_2 = {
+ 45 ?? 50 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 0D ?? ??
+ ?? ?? 0D ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 50 8D 45 ?? 50 6A ?? 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 6A
+ ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 45 ?? 50 68 ?? ?? ?? ??
+ 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 ?? 8D 45
+ ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ??
+ ?? ?? ?? 8B C6 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? 01 45 ?? 81 7D ?? ?? ?? ?? ?? 77 ??
+ 83 7D ?? ?? 75 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? E9
+ ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ??
+ 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B F8 85 FF
+ 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ??
+ ?? ?? 50 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D
+ 45 ?? 50 8D 45 ?? 50 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45
+ ?? 0D ?? ?? ?? ?? 0D ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 50 8D 45 ?? 50 6A ?? 8B 45 ?? 50
+ E8 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 85 C0 74 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ??
+ ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ??
+ ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B C6 8B 55 ?? E8 ?? ?? ?? ?? 8B
+ 45 ?? 01 45 ?? 81 7D ?? ?? ?? ?? ?? 77 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? 50 E8 ?? ?? ??
+ ?? 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 3E ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ??
+ ?? ?? 48 0F 8E ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 8B 85 ??
?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 6A
+ ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B F8
+ 85 FF 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? E8
+ ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ??
+ ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B
+ }
+
+ $remote_connection_3 = {
+ 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ??
+ ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B C6 8B 55 ??
+ E8 ?? ?? ?? ?? 8B 45 ?? 01 45 ?? 81 7D ?? ?? ?? ?? ?? 77 ?? 83 7D ?? ?? 75 ?? 8B 45
+ ?? 50 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A ??
+ 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8
+ ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 8B 45
+ ?? E8 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B F8 85 FF 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ??
+ ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 57 E8 ??
+ ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50
+ 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ??
+ ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 8B C6 8B 55
+ ?? E8 ?? ?? ?? ?? 8B 45 ?? 01 45 ?? 81 7D ?? ?? ?? ?? ?? 77 ?? 83 7D ?? ?? 75 ?? 8B
+ 45 ?? 50 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10
+ 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ??
+ BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3
+ }
+
+ $find_files = {
+ 50 E8 ?? ?? ?? ??
8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 33 F6 46 81 FE ?? ?? ?? ?? 0F 87
+ ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 8D 57 ?? B9 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 07 ?? 0F 85 ?? ?? ?? ?? F6 47 ?? ?? 0F 85 ?? ??
+ ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? F7 D8 1B C0 F7 D8 84 C0 75 ??
+ 6A ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75
+ ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 50 E8 ?? ?? ?? ?? 57 53 E8 ?? ?? ?? ?? F7 D8 1B C0 F7 D8 84 C0 0F 85 ?? ?? ?? ?? 83
+ FB ?? 74 ?? 53 E8 ?? ?? ?? ?? 57 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ??
+ ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ??
+ ?? ?? 33 F6 46 81 FE ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 45
+ ?? 8D 57 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F
+ 84 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 07 ?? 0F
+ 84 ?? ?? ?? ?? F6 47 ?? ?? 75 ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ??
+ BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? FF 75
+ ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? F7 D8 1B C0 F7 D8 84 C0 75
+ ?? 6A ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 75 ?? 68
+ ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 57 53 E8 ?? ?? ?? ?? F7 D8 1B C0
+ F7 D8 84 C0 0F 85 ?? ?? ?? ?? 83 FB ??
74 ?? 53 E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? F7 D8 1B DB F7 DB 84 DB
+ 75 ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8
+ ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3
+ }
+
+ $decrypt_payload_script = {
+ FF 75 ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? FF
+ 75 ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75
+ ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ??
+ ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 8B C3 BA ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? FF 33 FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF
+ 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ??
+ ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF
+ 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ??
+ ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D
+ 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and $find_files and $decrypt_payload_script and (all of ($remote_connection_*))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Koxic.yara b/yara/ransomware/Win32.Ransomware.Koxic.yara
new file mode 100644
index 0000000..d1c2163
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Koxic.yara
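Review bot: The new rule file carries no license or attribution pointer even though the commit message says the rules are licensed under LICENSE-YARA-RULES; the meta block records only `author = "ReversingLabs"` and `source = "ReversingLabs"`, and `sharing = "TLP:WHITE"` is a disclosure marking, not a license. Someone reading or redistributing this single file cannot tell under which terms it is vendored. A one-line header comment above `rule Win32_Ransomware_Kovter`, such as `// Third-party rule; redistributed under the terms in LICENSE-YARA-RULES`, or an extra meta entry such as `license = "see LICENSE-YARA-RULES"`, would close that gap. The same applies to the Koxic, Kraken, Ladon and LeChiffre rule files added later in this patch, and presumably to the rule files added before this excerpt.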
@@ -0,0 +1,87 @@
+rule Win32_Ransomware_Koxic : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "KOXIC"
+ description = "Yara rule that detects Koxic ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Koxic"
+ tc_detection_factor = 5
+
+ strings:
+
+ $enum_shares_p1 = {
+ 8B 45 ?? 50 6A ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 55 ?? 52 8B 45 ?? 50 8D 4D
+ ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? C7 45 ??
+ ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 8B
+ 55 ?? C1 E2 ?? 8B 45 ?? 83 7C 10 ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? C1
+ E1 ?? 8B 55 ?? 8B 44 0A ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? 8B 4D ?? C1 E1 ?? 8B 55 ?? 8B 44 0A ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ??
+ ?? 8B 4D ?? C1 E1 ?? 8B 55 ?? 8B 44 0A ?? 50 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ??
+ 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? C1 E0 ?? 8B 4D ?? 8B
+ }
+
+ $enum_shares_p2 = {
+ 54 01 ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ??
+ 0F B6 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ??
+ 51 FF 15 ?? ?? ?? ?? 83 E8 ?? 89 45 ?? EB ?? 8B 55 ?? 83 EA ?? 89 55 ?? 83 7D ?? ??
+ 0F 8C ?? ?? ?? ?? 8B 45 ?? 0F B7 8C 45 ?? ?? ?? ?? 83 F9 ?? 0F 85 ?? ?? ?? ?? 8B 55
+ ?? 0F B7 84 55 ?? ?? ?? ?? 83 F8 ?? 75 ?? C6 45 ?? ?? EB ?? 8B 4D ?? 8D 94 4D ?? ??
+ ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 C9 8B 55 ?? 66 89 8C 55 ?? ?? FF
+ FF 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95
+ ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85
+ ?? ?? ?? ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? EB ?? E9 ?? ?? ?? ?? 8B 55 ?? 83 EA ?? 89
+ 55 ?? E9 ?? ?? ?? ?? EB ?? 8B 45 ?? C1 E0 ?? 8B 4D ?? 8B 54 01 ?? 83 E2 ?? 74 ??
8B
+ 45 ?? C1 E0 ?? 8B 4D ?? 8B 54 01 ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 45
+ ?? C1 E0 ?? 03 45 ?? B9 ?? ?? ?? ?? 6B D1 ?? 89 44 15 ?? B8 ?? ?? ?? ?? C1 E0 ?? 8B
+ 4D ?? 89 4C 05 ?? BA ?? ?? ?? ?? D1 E2 8B 45 ?? 89 44 15 ?? 8D 4D ?? 51 E8 ?? ?? ??
+ ?? 83 C4 ?? E9 ?? ?? ?? ?? EB ?? 81 7D ?? ?? ?? ?? ?? 74 ?? EB ?? 81 7D ?? ?? ?? ??
+ ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85
+ C0 75 ?? B8 ?? ?? ?? ?? EB ?? 33 C0
+ }
+
+ $find_files = {
+ 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 33 D2 8B 45 ?? 66 89 10
+ 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 33 C0 E9 ?? ?? ?? ?? 68 ??
+ ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 0F B6 C0 83 F8 ?? 75 ?? E9 ??
+ ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 8D 44 02 ?? 3D ?? ?? ?? ??
+ 72 ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 8B
+ 48 ?? 81 79 ?? ?? ?? ?? ?? 76 ?? 6A ?? FF 15 ?? ?? ?? ?? EB ?? 8B 95 ?? ?? ?? ?? 83
+ E2 ?? 74 ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8B 0D ?? ?? ?? ?? 51
+ FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 0D
+ ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? BA ?? ?? ?? ?? C1 E2 ?? 8B 45 ?? 89 44 15 ?? 8D 4D
+ ?? 51 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85
+ C0 75 ?? 6A ?? A1
+ }
+
+ $encrypt_files = {
+ 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 7F ?? 7C ?? 83 7D ?? ?? 73 ??
+ E9 ?? ?? ?? ?? 6A ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 8B 4D ?? 2B C8 8B
+ 45 ?? 1B C2 89 4D ?? 89 45 ?? 6A ?? 8B 4D ?? 51 8B 55 ?? 52 6A ?? 6A ?? 8B 45 ?? 50
+ FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 72 ??
+ 81 7D ?? ?? ?? ?? ?? 73 ?? 8B 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 6A ?? 8B 4D ?? 51 FF
+ 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 E8 ??
+ ?? ?? ?? 83 C4 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? EB ?? E9 ?? ?? ?? ?? E9 ?? ??
?? ??
+ EB ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 8B 4D ?? 51 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89
+ 45
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ all of ($enum_shares_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Kraken.yara b/yara/ransomware/Win32.Ransomware.Kraken.yara
new file mode 100644
index 0000000..ddd2100
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Kraken.yara
@@ -0,0 +1,151 @@
+rule Linux_Ransomware_Kraken : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "KRAKEN"
+ description = "Yara rule that detects Kraken ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Kraken"
+ tc_detection_factor = 5
+
+ strings:
+
+ $enum_volumes = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? 04 ?? 00 A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? 50 45 4C 00 C7 45
+ FC 00 00 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ??
+ ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 0F 1F 84 00 ?? ?? ?? ??
+ 8A 06 84 C0 0F 84 ?? ?? ?? ?? 3C ?? 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8B D6 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 EC ?? 8B D4
+ C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? 83 7A ?? ?? 72 ?? 8B 02 EB ?? 8B C2 C6 00
+ ?? 80 3E ?? 75 ?? 33 C9 EB ?? 8B CE 8D 79 ?? 8A 01 41 84 C0 75 ?? 2B CF 51 56 8B CA
+ E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 8B D6 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 C6 ?? E9 ?? ?? ?? ?? BA ??
+ ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 ??
+ ?? ?? ?? 83 C4 ?? 83 EC ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 79 ??
+ ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? 68 ?? ?? ?? ?? C6 00 ?? E8 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ??
+ ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50
+ E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8
+ ?? ?? ?? ?? 8B E5 5D C3 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? B8 ?? ?? ?? ?? C3
+ }
+
+ $enum_shares_p1 = {
+ 50 56 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 ??
BA ?? ?? ?? ?? B9 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 32 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F
+ 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 66 0F 1F 44 00 ?? FF 75 ?? 6A ?? FF
+ 15 ?? ?? ?? ?? 8B F0 8D 45 ?? 50 56 8D 45 ?? 89 75 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ??
+ 85 C0 0F 85 ?? ?? ?? ?? 33 FF 0F 1F 40 ?? 3B 7D ?? 0F 83 ?? ?? ?? ?? 8B C7 C1 E0 ??
+ 03 F0 F7 46 ?? ?? ?? ?? ?? 74 ?? 6A ?? E8 ?? ?? ?? ?? 0F 10 06 83 C4 ?? 8B C8 0F 11
+ 00 0F 10 46 ?? 0F 11 40 ?? E8 ?? ?? ?? ?? 8B 75 ?? B3 ?? 47 EB ?? F7 46 ?? ?? ?? ??
+ ?? 0F 84 ?? ?? ?? ?? 8B 56 ?? 85 D2 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ??
+ ?? ?? ?? ?? C6 45 ?? ?? 80 3A ?? 75 ?? 33 C9 EB ?? 8B CA 8D 71 ?? 8A 01 41 84 C0 75
+ ?? 2B CE 51 52 8D 4D ?? E8 ?? ?? ?? ?? 51 8D 55 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ??
+ ?? 83 C4 ?? 8B F0 BA ?? ?? ?? ?? C6 45 ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D6 8B
+ C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 83 C4 ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B
+ }
+
+ $enum_shares_p2 = {
+ 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ?? E8
+ ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B C8
+ 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 EC ?? 8D 55 ?? 8B CC 51 E8 ?? ?? ?? ?? 83 C4 ?? E8 ??
+ ?? ?? ?? 83 C4 ?? 8D 55 ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 BA ?? ?? ?? ??
+ C6 45 ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D6 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ??
+ ?? C6 45 ?? ?? 83 C4 ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6
+ C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ??
+ E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? C6 45
+ ?? ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 F8 ?? 72 ??
+ 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ??
+ E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B
+ C8 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ??
?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ??
+ 8B 75 ?? B3 ?? 47 E9 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? BA
+ ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? 
?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8A C3 E9 ?? ??
+ ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? B8 ??
+ ?? ?? ?? C3
+ }
+
+ $find_files = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? ?? ?? ??
+ ?? EC 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? 45 FC 00 00 00 00 8D 4D ??
+ C6 45 ?? ?? 8B 75 ?? 83 FE ?? 8B 7D ?? 8B 55 ?? 0F 43 CF 6A ?? 68 ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 83 C4 ?? 8D 4D ?? 85 C0 0F 84 ?? ?? ?? ?? 83 FE ?? 6A ?? 0F 43 CF 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 85 C0 0F 84 ?? ?? ?? ?? 83 FE ?? 6A ?? 0F 43
+ CF 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 85 C0 0F 84 ?? ?? ?? ?? 83 FE ??
+ 6A ?? 0F 43 CF 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 57
+ C0 C7 45 ?? ?? ?? ?? ?? 66 0F D6 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7
+ 45 ?? ?? ?? ?? ?? 83 FE ?? C6 45 ?? ?? 8D 4D ?? 0F 43 CF E8 ?? ?? ?? ?? 8B F0 89 75
+ ?? 85 F6 0F 84 ?? ?? ?? ?? 8D 45 ?? 8B D6 50 8B CE E8 ?? ?? ?? ?? 8B 5D ?? 83 C4 ??
+ 85 DB 0F 84 ?? ?? ?? ?? 8D 7B ?? B9 ?? ?? ?? ?? 8B C7 66 0F 1F 44 00 ?? 8A 10 3A 11
+ 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 F6 EB ??
+ 1B F6 83 CE ?? B9 ?? ?? ?? ?? 8B C7 0F 1F 40 ?? 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50
+ ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 3B F0 8B
+ 75 ?? 0F 85 ?? ?? ?? ?? 8B 43 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4D ?? 57 3D ?? ?? ?? ??
+ 75 ?? E8 ?? ?? ?? ?? 50 8D 55 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 EC
+ ?? C6 45 ?? ?? 8B CC 8B D0 51 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 83 EC ?? C6 45 ?? ?? 8B CC 8D 55 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? 83 C4
+ ?? C6 45 ?? ?? 8D 4D ?? E8 ??
?? ?? ?? 8B 75 ?? E9 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ??
+ 83 EC ?? 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? BA ?? ?? ??
+ ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83
+ C4 ?? B8 ?? ?? ?? ?? C3 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? E8 ?? ?? ??
+ ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD
+ E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $encrypt_files_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? ?? ?? ??
+ ?? EC 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? 45 FC 00 00 00 00 C6 45 ??
+ ?? 83 05 ?? ?? ?? ?? ?? 83 15 ?? ?? ?? ?? ?? 83 EC ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7
+ 41 ?? ?? ?? ?? ?? 83 79 ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? C6 00 ?? 8D 45 ?? 6A ??
+ 50 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 EC ?? C6 45 ?? ?? 8B CC C7 41
+ ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? 72 ?? 8B 01 EB ?? 8B C1 6A ?? C6 00
+ ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D
+ 4D ?? 83 3D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B 7D ?? 0F 43 05 ?? ?? ?? ?? 83 FF ?? FF
+ 35 ?? ?? ?? ?? 8B 75 ?? 0F 43 CE 8B 55 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ??
+ ?? ?? ?? 83 FF ?? 8D 4D ?? 6A ?? 0F 43 CE 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85
+ C0 0F 84 ?? ?? ?? ?? 83 FF ?? 8D 4D ?? 6A ?? 0F 43 CE 68 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 FF ?? 8D 4D ?? 6A ?? 0F 43 CE 68 ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8
+ }
+
+ $encrypt_files_p2 = {
+ 84 C0 0F 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ??
+ ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 45
+ ?? 6A ?? 0F 43 45 ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B
+ D8 83 FB ?? 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 6A ?? 8B F0 8B FA 8D 45 ?? 50 68 ??
+ ?? ?? ?? FF 35 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? E8 ?? ?? ??
?? 99 2B C6 1B D7 01 05
+ ?? ?? ?? ?? 11 15 ?? ?? ?? ?? 83 65 ?? ?? 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 8B FA
+ 8B F0 8B 55 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 2B C6 6A ?? 1B D7 01 05 ?? ?? ?? ??
+ 8B 45 ?? 11 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 6A ?? 83 15 ?? ?? ?? ?? ?? 6A ?? 53 FF
+ 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 6A ?? 8B F0 8B FA 8D 45 ?? 50 FF 75 ?? FF 35 ?? ??
+ ?? ?? 53 FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 2B C6 53 1B D7 01 05 ?? ?? ?? ?? 11 15
+ ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 51 8D 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C8 83 C4 ?? 83
+ 79 ?? ?? 72 ?? 8B 09 83 7D ?? ?? 8D 45 ?? 51 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D
+ ?? E8 ?? ?? ?? ?? 83 05 ?? ?? ?? ?? ?? 83 15 ?? ?? ?? ?? ?? EB ?? 53 FF 15 ?? ?? ??
+ ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ??
+ 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_volumes and
+ $find_files and
+ (
+ all of ($enum_shares_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+ )
+
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Ladon.yara b/yara/ransomware/Win32.Ransomware.Ladon.yara
new file mode 100644
index 0000000..c29998e
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Ladon.yara
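Review bot: The rule name on the first line of this hunk, `rule Linux_Ransomware_Kraken : tc_detection malicious`, contradicts the rest of the file: it is added as yara/ransomware/Win32.Ransomware.Kraken.yara, its condition starts with `uint16(0) == 0x5A4D` (an MZ/PE header check), and every sibling rule in this patch uses the `Win32_` prefix. If rule identifiers are surfaced in scan results, a match on a PE file would be reported under a Linux name, which misleads whoever triages the output. Changing the first line to `rule Win32_Ransomware_Kraken : tc_detection malicious` aligns it with the file name and the condition; if the vendored rules are meant to stay byte-identical to upstream, record the discrepancy in a comment at the top of the file and raise it with the rule author instead.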
@@ -0,0 +1,101 @@
+rule Win32_Ransomware_Ladon : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "LADON"
+ description = "Yara rule that detects Ladon ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Ladon"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66
+ 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2
+ 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ??
+ ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ??
+ 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ??
+ ?? ?? ?? 50 57 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? 8D 85
+ ?? ?? ?? ?? 53 56 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 FF 85 DB 74 ?? 90 8B 45 ?? 8B
+ 34 B8 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 66 8B 08 66 3B 0E 75 ?? 66 85 C9 74 ??
+ 66 8B 48 ?? 66 3B 4E ?? 75 ?? 83 C0 ?? 83 C6 ?? 66 85 C9 75 ?? 33 C0 EB ?? 1B C0 83
+ C8 ?? 85 C0 74 ?? 47 3B FB 72 ?? 8B 75 ?? 8B 7D ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF
+ 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 75 ?? 33 DB 83 F8 ?? 0F
+ 95 C3 FF 15 ?? ?? ?? ?? 5E 8B C3 5B 5F 8B E5 5D C3
+ }
+
+ $encrypt_files_p1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 FF 75 ?? 33 DB 89 5D ?? E8 ?? ?? ?? ?? 8B F8 83
+ C4 ?? 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 83 3F ?? 0F 85 ?? ?? ?? ?? 53 68 ?? ?? ?? ??
+ FF 77 ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 0F 84 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? FF
+ 77 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? FF
+ 77 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? FF
+ 77 ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? FF
+ 77 ?? E8 ?? ?? ?? ?? 8B C8 83 C4 ??
89 4D ?? 85 C9 0F 84 ?? ?? ?? ?? 83 3E ?? 0F 85
+ ?? ?? ?? ?? 8B 45 ?? 83 38 ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 83 38 ?? 0F 85 ?? ?? ?? ??
+ 8B 45 ?? 83 38 ?? 0F 85 ?? ?? ?? ?? 83 39 ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 70
+ ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? FF 75 ?? 33 FF C7 45
+ ?? ?? ?? ?? ?? 89 5D ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? 83 3E ?? 75 ?? 57
+ 68 ?? ?? ?? ?? FF 76 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? FF 70 ?? 68 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74
+ ?? 8D 45 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? 8D 7B ?? A1 ??
+ ?? ?? ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 1D ?? ?? ?? ?? 85 F6 74 ?? 56 E8
+ ?? ?? ?? ?? 83 C4 ?? 8B C7 5F 5E 5B 8B E5 5D C3 FF 76 ?? 68 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 78 ?? 85 FF 74 ?? 8B 47 ?? 89 45
+ }
+
+ $encrypt_files_p2 = {
+ 8B 70 ?? 8D 4E ?? 8A 06 46 84 C0 75 ?? 2B F1 8D 04 75 ?? ?? ?? ?? 50 6A ?? FF 15 ??
+ ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 84 9D ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 0C 75
+ ?? ?? ?? ?? 51 50 8D 46 ?? 50 8B 45 ?? FF 70 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 3F
+ 43 85 FF 75 ?? 68 ?? ?? ?? ?? C7 84 9D ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4
+ ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4
+ ?? E8 ?? ?? ?? ?? 8B 7D ?? 8B 77 ?? 8D 4E ?? 8A 06 46 84 C0 75 ?? 2B F1 8D 46 ?? 50
+ 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B C8 89 4D ?? 85 C9 0F 84 ?? ?? ?? ??
+ 8B C6 99 6A ?? 2B C2 D1 F8 6A ?? 89 45 ?? 8D 45 ?? 50 51 6A ?? 56 FF 77 ?? FF 15 ??
+ ?? ?? ?? 8B 7D ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 57 8B 7D ?? 8B F0 57 56 FF 15 ?? ?? ?? ?? 56 FF 15
+ ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ??
+ ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 45 ?? FF 70 ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ??
+ ?? ?? 8B 7D ?? A1 ?? ?? ?? ??
85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 05 ?? ?? ??
+ ?? ?? ?? ?? ?? 85 FF 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 85 DB 74 ?? FF B4 B5 ??
+ ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 46 3B F3 72 ?? 8B 45 ?? 5F 5E
+ 5B 8B E5 5D C3
+ }
+
+ $remote_connection = {
+ 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 50 68 ?? ?? ?? ?? 68
+ ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B E5 5D C3 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ??
+ C6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ??
+ ?? 85 C0 0F 88 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8
+ ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ??
+ 50 E8 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ??
+ ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D
+ 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 78 ?? 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
+ 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ??
+ 85 F6 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ??
+ 83 C4 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 5E 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $remote_connection
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.LeChiffre.yara b/yara/ransomware/Win32.Ransomware.LeChiffre.yara
new file mode 100644
index 0000000..640a564
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.LeChiffre.yara
@@ -0,0 +1,123 @@ +rule Win32_Ransomware_LeChiffre : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LECHIFFRE" + description = "Yara rule that detects LeChiffre ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "LeChiffre" + tc_detection_factor = 5 + + strings: + + $remote_connection_1 = { + 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF + 30 64 89 20 8B 45 ?? 33 D2 E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 50 ?? 8B 45 + ?? 8B 08 FF 51 ?? 8B 45 ?? 8B 10 FF 52 ?? 8B F0 4E 85 F6 7C ?? 46 33 DB 8D 4D ?? 8B + D3 8B 45 ?? 8B 38 FF 57 ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 7E ?? 8D 45 + ?? 50 8D 4D ?? 8B D3 8B 45 ?? 8B 38 FF 57 ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 E8 ?? 50 8D 4D ?? 8B D3 8B 45 ?? 8B 38 FF 57 ?? 8B 45 ?? BA ?? ?? ?? ?? 59 E8 ?? + ?? ?? ?? 43 4E 75 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? C3 + } + + $remote_connection_2 = { + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 + C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 ?? 8B 80 ?? ?? ?? ?? 66 BE ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 + ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 55 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 4D ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? C3 + } + + $remote_connection_3 = { + E8 ?? ?? ?? ?? 8B 45 ?? 8B 80 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? + ?? ?? ?? E8 ?? 
?? ?? ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? ?? + ?? ?? DD 5D ?? 9B FF 75 ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? + ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? + 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? FF + 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 4D + ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B + 45 ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files_1 = { + E8 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? 8B 45 ?? E8 + ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 55 ?? + 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? 83 7B ?? ?? 0F 84 ?? ?? ?? ?? 8B 13 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B + 03 E8 ?? ?? ?? ?? 84 C0 75 ?? 8B 03 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? FF 86 ?? ?? + ?? ?? B2 ?? 8B 86 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 8B 03 E8 ?? ?? ?? ?? FF 75 ?? + 68 ?? ?? ?? ?? 8B 43 ?? C1 E8 ?? 33 D2 52 50 8D 45 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? + ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 86 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 03 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files_2 = { + E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? 8B 12 8B 92 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? 8B 55 ?? E8 ?? ?? ?? ?? 3D ?? + ?? ?? ?? 
0F 85 ?? ?? ?? ?? 8B 45 ?? FF 70 ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? + ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 8B 40 + ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 + FF 30 64 89 20 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 00 + 8B 90 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 + C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? + ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + A1 ?? ?? ?? ?? 8B 00 8B 90 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 8B 45 ?? E8 + ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? 50 68 ?? ?? ?? ?? 8B 45 + ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + C3 E9 ?? ?? ?? ?? EB ?? 8B E5 5D C3 + } + + $find_files = { + E8 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? + 84 C0 0F 85 ?? ?? ?? ?? 33 C0 89 43 ?? 8B 43 ?? E8 ?? ?? ?? ?? 8B F0 85 F6 7C ?? 46 + 33 FF 8B 43 ?? C7 04 B8 ?? ?? ?? ?? 47 4E 75 ?? 8B 43 ?? 8B 40 ?? E8 ?? ?? ?? ?? 8B + F0 85 F6 7C ?? 46 33 FF 8B 43 ?? 8B 40 ?? 
8B 14 B8 8D 8D ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B 43 ?? 8B 53 ?? 89 14 B8 47 4E 75 + ?? 8B 73 ?? 4E 85 F6 7C ?? 46 33 FF 80 7B ?? ?? 0F 85 ?? ?? ?? ?? 8D 04 BF 8B 53 ?? + 8D 04 C2 89 43 ?? 89 45 ?? 8D 8D ?? ?? ?? ?? 8B 45 ?? 8B 10 8B 45 ?? E8 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B + 45 ?? 33 D2 E8 ?? ?? ?? ?? 47 4E 75 ?? 8B 43 ?? 8B 40 ?? 80 78 ?? ?? 0F 84 ?? ?? ?? + ?? 80 7B ?? ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? BA ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 F6 85 ?? + ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C3 + E8 ?? ?? ?? ?? 80 7B ?? ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? + ?? C3 E9 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $find_files and $encrypt_files_1 and $encrypt_files_2 and $remote_connection_1 and $remote_connection_2 and $remote_connection_3 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.LockBit.yara b/yara/ransomware/Win32.Ransomware.LockBit.yara new file mode 100644 index 0000000..d94c8e9 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.LockBit.yara 
@@ -0,0 +1,282 @@ +rule Win32_Ransomware_LockBit : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LOCKBIT" + description = "Yara rule that detects LockBit ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "LockBit" + tc_detection_factor = 5 + + strings: + + $enum_resources_v1 = { + 55 8B EC 83 EC ?? 57 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 51 6A ?? 6A ?? 6A ?? C7 45 ?? + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? + ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 53 56 FF 75 ?? 6A ?? 57 E8 ?? ?? ?? ?? 83 + C4 ?? 8D 45 ?? 50 57 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 33 DB 39 5D ?? 76 ?? 8B F7 0F 1F 80 ?? ?? ?? ?? F7 46 ?? ?? ?? ?? ?? 74 ?? 8B CE E8 + ?? ?? ?? ?? 83 7F ?? ?? 74 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 83 C4 ?? 8B 45 + ?? FF 70 ?? FF 15 ?? ?? ?? ?? 8D 04 45 ?? ?? ?? ?? 50 8B 45 ?? FF 70 ?? 57 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 45 ?? 50 6A ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B + 0D ?? ?? ?? ?? 89 04 8D ?? ?? ?? ?? F0 FF 05 ?? ?? ?? ?? 8B 7D ?? 43 83 C6 ?? 3B 5D + ?? 72 ?? E9 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5E 5B 85 C0 + 75 ?? B8 ?? ?? ?? ?? 5F 8B E5 5D C3 33 C0 5F 8B E5 5D C3 + } + + $find_files_v1_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 8B C1 C7 45 ?? ?? ?? ?? ?? 57 50 89 45 ?? 33 C9 8D + 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 66 89 4D ?? 50 FF 15 ?? ?? ?? ?? 83 + C4 ?? 8D 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 6A ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? + ?? ?? 8B F8 89 7D ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 33 C0 8B 35 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 1F 80 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D + 45 ?? 50 FF D3 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 45 ?? 50 FF D3 85 C0 + 0F 84 ?? ?? ?? ?? 
F6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 50 FF D3 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D3 85 + C0 0F 84 + } + + $find_files_v1_2 = { + 45 ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? E9 ?? ?? ?? ?? 33 C9 66 39 8D ?? ?? ?? ?? 74 ?? 8D 40 ?? 41 66 83 38 ?? 75 ?? + 83 F9 ?? 0F 8E ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 56 68 ?? ?? + ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? + 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 + } + + $find_files_v1_3 = { + 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? + ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? + 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 + ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 33 C9 0F 11 45 ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? + ?? ?? 66 90 8A 45 ?? 30 44 0D ?? 41 83 F9 ?? 72 ?? 33 C0 C6 45 ?? ?? 66 89 45 ?? 8D + 45 ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 + C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF D3 85 C0 0F 84 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 + ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF D3 + 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF D3 85 C0 0F 84 ?? ?? + ?? ?? 8B 4D ?? 8D 95 ?? ?? ?? ?? 2B D1 0F B7 01 8D 49 ?? 66 89 44 11 ?? 66 85 C0 75 + ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B F2 66 8B 02 83 C2 ?? + 66 85 C0 75 ?? 8D BD ?? ?? ?? ?? 2B D6 83 C7 ?? 0F 1F 40 ?? 66 8B 47 ?? 83 C7 ?? 66 + 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8B CA C1 E9 ?? F3 A5 8B CA 83 E1 ?? F3 A4 A8 ?? 75 ?? + A8 ?? 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D ?? 8B 35 ?? ?? ?? ?? 
8D 85 ?? ?? ?? ?? 50 57 FF D6 + 83 F8 ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 57 FF 15 ?? ?? ?? ?? 5F + 5E 5B 8B E5 5D C3 + } + + $encrypt_files_v1_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 53 56 57 8B F9 C7 45 ?? ?? ?? + ?? ?? 89 7D ?? 66 89 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 + 89 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + } + + $encrypt_files_v1_2 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F8 33 DB 89 7D ?? 33 F6 0F 1F 00 8B 84 + B5 ?? ?? ?? ?? 85 C0 74 ?? 57 50 FF 15 ?? ?? ?? ?? 85 C0 B8 ?? ?? ?? ?? 0F 44 D8 46 + 81 FE ?? ?? ?? ?? 7C ?? 8B 7D ?? 33 C0 66 89 85 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 57 50 8D 85 ?? ?? ?? ?? 89 5D ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 33 F6 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF D3 83 F8 ?? 75 + ?? 8B CF E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? 8B + } + + $encrypt_files_v1_3 = { + CF E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 83 FE ?? 7D ?? 46 EB ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? 83 + FB ?? 75 ?? 8B 1D ?? ?? ?? ?? EB ?? FF 35 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 F8 ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B + E5 5D C3 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 75 ?? FF 75 ?? FF 15 + ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 8B 45 ?? 8B 75 ?? 89 43 ?? 8D 43 ?? 50 56 C7 + 43 ?? ?? 
?? ?? ?? C7 43 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 53 FF 15 ?? ?? + ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 8B 4B ?? 8B 43 ?? 85 + C9 7F ?? 7C ?? 83 F8 ?? 72 ?? 83 E8 ?? C7 43 ?? ?? ?? ?? ?? 89 43 ?? 8B 43 ?? 83 D9 + ?? 89 43 ?? 8B 43 ?? 89 43 ?? 8D 83 ?? ?? ?? ?? 6A ?? 50 89 4B ?? C7 43 ?? ?? ?? ?? + ?? 89 73 ?? E8 ?? ?? ?? ?? 6A ?? 8D 83 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 53 6A ?? 6A ?? + 8D 73 ?? 56 FF 73 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? + ?? ?? ?? 74 ?? 56 8B 35 ?? ?? ?? ?? FF D6 83 C4 ?? 53 FF D6 83 C4 ?? FF 75 ?? FF 15 + ?? ?? ?? ?? 8B 45 ?? 5F 5E 5B 8B E5 5D C3 F0 FF 05 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? + B8 ?? ?? ?? ?? F0 0F C1 05 ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 7E ?? 8B 35 ?? ?? ?? ?? 6A + ?? FF D6 83 3D ?? ?? ?? ?? ?? 7D ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + $check_blacklisted_languages_v2 = { + FF D0 0F B7 C0 B9 2C 08 ?? ?? 66 3B C1 0F 84 ?? ?? ?? ?? B9 2C 04 ?? ?? 66 3B C1 74 + ?? B9 2B 04 ?? ?? 66 3B C1 74 ?? B9 23 04 ?? ?? 66 3B C1 74 ?? B9 37 04 ?? ?? 66 3B + C1 74 ?? B9 3F 04 ?? ?? 66 3B C1 74 ?? B9 40 04 ?? ?? 66 3B C1 74 ?? B9 19 08 ?? ?? + 66 3B C1 74 ?? B9 19 04 ?? ?? 66 3B C1 74 ?? B9 28 04 ?? ?? 66 3B C1 74 ?? B9 42 04 + ?? ?? 66 3B C1 74 ?? B9 43 08 ?? ?? 66 3B C1 74 ?? B9 43 04 ?? ?? 66 3B C1 74 ?? B9 + 22 04 ?? ?? 66 3B C1 0F 85 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 DB 0F 85 ?? ?? ?? ?? 64 + A1 ?? ?? ?? ?? 8B 40 ?? 8B 40 ?? 8B 00 8B C8 89 45 ?? 8B D0 89 4D ?? 0F B7 59 ?? 33 + FF 8B 71 ?? D1 EB C7 45 ?? ?? ?? ?? ?? 8D 04 5E 3B F0 0F 47 DF 85 DB 74 ?? 8A 0E 8D + 76 ?? 0F BE D1 80 E9 ?? 8B C2 83 C8 ?? 80 F9 ?? 0F 47 C2 47 33 45 ?? 69 C0 ?? ?? ?? + ?? 89 45 ?? 3B FB 75 ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 01 8B + C8 89 4D ?? 3B C2 74 ?? 83 79 ?? ?? 75 ?? 33 DB 89 1D ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? 8B 43 ?? 8B 4C 18 ?? 8D 04 19 89 45 ?? + 3B C3 74 ?? 33 C9 89 4D ?? 39 48 ?? 74 ?? 8B 40 ?? 8B 55 ?? 03 C3 89 45 ?? 
0F 1F 40 + ?? 8B 30 BF ?? ?? ?? ?? 8A 04 1E 03 F3 46 84 C0 74 ?? 0F BE D0 8D 76 ?? 2C ?? 8B CA + 83 C9 ?? 3C ?? 8A 46 ?? 0F 47 CA 33 CF 69 F9 ?? ?? ?? ?? 84 C0 75 ?? 8B 4D ?? 8B 55 + ?? 81 FF ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 41 83 C0 ?? 89 4D ?? 89 45 ?? 3B 4A + ?? 75 ?? 33 C0 A3 ?? ?? ?? ?? 6A ?? FF D0 5F 5E 5B 8B E5 5D C3 + } + + $create_net_host_trav_threads_v2 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 6A ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 64 A1 ?? ?? ?? ?? 83 C4 ?? 8B 40 ?? 50 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? + ?? ?? ?? E8 ?? ?? ?? ?? FF D0 85 C0 78 ?? A1 ?? ?? ?? ?? 8D 0C 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? A3 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? F0 FF 0D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 35 + } + + $fnv1a_hashing_v2 = { + 55 8B EC 83 EC ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 8B 40 ?? 8B 00 8B 50 ?? A1 ?? ?? ?? ?? + 89 55 ?? 85 C0 0F 85 ?? ?? ?? ?? 85 D2 75 ?? 33 C0 A3 ?? ?? ?? ?? 8B E5 5D C3 8B 42 + ?? 8B 4C 10 ?? 8B 44 10 ?? 89 45 ?? 8D 04 11 89 45 ?? 3B C2 74 ?? 53 33 C9 56 57 89 + 4D ?? 39 48 ?? 74 ?? 8B 78 ?? 03 FA 8B 07 BE + } + + $decrypt_configuration_v2_1 = { + 55 8B EC 51 53 56 57 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C9 83 EA ?? 75 ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? BA 25 1B 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? BA 78 0C 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + BA 39 28 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BA F1 40 + 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BA BF 11 00 00 B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BA 28 02 00 00 B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BA 3B 07 00 00 B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BA A5 04 00 00 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? BA 0F 03 00 00 B9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 33 C9 BE ?? ?? ?? ?? 85 FF 74 ?? 8B 15 ?? + ?? ?? ?? 
0F 1F 44 00 ?? 80 3C 0A ?? 8D 46 ?? 0F 45 C6 41 8B F0 3B CF 72 ?? 8D 0C B5 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 89 1D ?? ?? ?? ?? 85 DB 74 ?? 33 FF 85 F6 74 ?? 90 + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 89 04 BB 47 3B FE 72 ?? 8B 0D ?? ?? + ?? ?? 33 F6 E8 ?? ?? ?? ?? 85 C0 74 ?? 0F 1F 80 ?? ?? ?? ?? 8B 14 B3 8A 08 8D 40 ?? + 88 0A 8D 52 ?? 84 C9 75 ?? 33 C9 E8 ?? ?? ?? ?? 46 85 C0 75 ?? C7 04 B3 ?? ?? ?? ?? + 5F 5E 5B 8B E5 5D C3 + } + + $decrypt_configuration_v2_2 = { + 55 8B EC 51 53 56 57 8B F2 8B F9 6B CE ?? E8 ?? ?? ?? ?? 8B C8 33 C0 89 4D ?? 85 C9 + 0F 84 ?? ?? ?? ?? 85 F6 74 ?? 83 FE ?? 72 ?? 0F 28 0D ?? ?? ?? ?? 8B CE 83 E1 ?? 66 + 0F 1F 84 00 ?? ?? ?? ?? 0F 10 04 07 66 0F EF C1 0F 11 04 07 0F 10 44 07 ?? 66 0F EF + C1 0F 11 44 07 ?? 0F 10 44 07 ?? 66 0F EF C1 0F 11 44 07 ?? 0F 10 44 07 ?? 66 0F EF + C1 0F 11 44 07 ?? 83 C0 ?? 3B C1 72 ?? 8B 4D ?? 3B C6 73 ?? 80 34 38 5F 40 3B C6 72 + ?? 8B 5D ?? 8B D6 51 53 51 8B CF E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 0B E8 ?? ?? + ?? ?? 8B F8 8B 45 ?? 89 38 8B 45 ?? 85 FF 74 ?? 8B 0B 8B F0 F3 A4 8B C8 BE ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B C6 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_v2_p1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 56 57 66 90 64 A1 ?? ?? ?? ?? 0F 57 C0 C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 66 0F 13 44 24 ?? 8B 40 ?? 8B 40 ?? 8B 00 8B + 50 ?? A1 ?? ?? ?? ?? 89 54 24 ?? 85 C0 0F 85 ?? ?? ?? ?? 85 D2 0F 84 ?? ?? ?? ?? 8B + 42 ?? 8B 4C 10 ?? 8D 04 11 89 44 24 ?? 3B C2 74 ?? 33 C9 89 4C 24 ?? 39 48 ?? 74 ?? + 8B 40 ?? 03 C2 89 44 24 ?? 0F 1F 80 ?? ?? ?? ?? 8B 30 BF C5 9D 1C 81 8A 04 16 03 F2 + 46 84 C0 74 ?? 0F BE D0 8D 76 ?? 2C ?? 8B CA 83 C9 ?? 3C ?? 8A 46 ?? 0F 47 CA 33 CF + 69 F9 93 01 00 01 84 C0 75 ?? 8B 54 24 ?? 8B 4C 24 ?? 81 FF ?? ?? ?? ?? 74 ?? 8B 74 + 24 ?? 41 8B 44 24 ?? 83 C0 ?? 89 4C 24 ?? 89 44 24 ?? 3B 4E ?? 75 ?? 33 C0 A3 ?? ?? + ?? ?? 6A ?? 8D 4C 24 ?? 51 8D 4C 24 ?? 51 8D 4C 24 ?? 51 FF 35 ?? ?? ?? ?? FF D0 85 + C0 0F 88 ?? ?? ?? ?? 8B 74 24 ?? 85 F6 0F 84 ?? ?? ?? ?? 
8B 7C 24 ?? 8B 07 48 83 F8 + ?? 0F 87 ?? ?? ?? ?? FF 24 85 ?? ?? ?? ?? 8B 74 24 ?? 8B 46 ?? 8D 04 48 0F B7 0C 10 + 8B 46 ?? 8D 04 88 8B 04 10 03 C2 EB ?? 83 7F ?? ?? 0F 85 ?? ?? ?? ?? 83 7F ?? ?? 0F + 85 ?? ?? ?? ?? C7 07 ?? ?? ?? ?? 8B 4C 24 ?? 8B 54 24 ?? 68 ?? ?? ?? ?? 6A ?? 8B 41 + ?? 89 42 ?? 8B 41 ?? 89 42 ?? 8B 44 24 ?? 6A ?? 8B 40 ?? 8D 88 ?? ?? ?? ?? F7 D8 23 + C8 8B 44 24 ?? 89 48 ?? 8D 4C 24 ?? 8B 54 24 ?? 8B 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? + 8D 84 24 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? + ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? FF 76 ?? FF 76 ?? FF 15 ?? ?? ?? ?? 8B 4E + ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 8B 46 ?? 81 C1 ?? ?? ?? ?? 03 C1 50 E8 ?? ?? ?? ?? + 8B 4C 24 ?? 83 C4 ?? 8B 74 24 ?? 89 74 24 ?? 6A ?? 8D 41 ?? 50 FF 71 ?? 8D 41 ?? FF + } + + $encrypt_files_v2_p2 = { + 71 ?? 50 51 6A ?? 6A ?? FF 76 ?? E8 ?? ?? ?? ?? FF D0 85 C0 0F 89 ?? ?? ?? ?? 83 C8 + ?? F0 0F C1 46 ?? 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B 46 ?? 83 C4 ?? + 33 FF 85 C0 0F 84 ?? ?? ?? ?? 83 C6 ?? 8B 0E E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 76 ?? 47 + 8B 40 ?? 3B F8 72 ?? 8B 74 24 ?? 85 C0 E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 56 ?? 8B C1 + F0 0F B1 0A 83 F8 ?? 75 ?? 8B 46 ?? 89 44 24 ?? 0F B7 46 ?? 83 C0 ?? 8B C8 89 44 24 + ?? E8 ?? ?? ?? ?? 8B F8 85 FF 74 ?? 0F B7 4E ?? 51 FF 76 ?? 8D 4F ?? 51 E8 ?? ?? ?? + ?? 0F B7 46 ?? 83 C4 ?? 89 47 ?? 0F 57 C0 8D 44 24 ?? C6 07 ?? C7 47 ?? ?? ?? ?? ?? + 6A ?? FF 74 24 ?? 66 0F 13 44 24 ?? 57 50 FF 74 24 ?? E8 ?? ?? ?? ?? FF D0 8B CF E8 + ?? ?? ?? ?? 8D 56 ?? 85 F6 0F 84 ?? ?? ?? ?? 83 C8 ?? F0 0F C1 02 0F 85 ?? ?? ?? ?? + 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B 4E ?? 83 C4 ?? C7 44 24 ?? ?? ?? ?? ?? 85 C9 0F 84 + ?? ?? ?? ?? 8D 7E ?? 90 8B 0F E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 7F ?? 8B 4E ?? 40 89 44 + 24 ?? 3B C1 72 ?? E9 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 8D 56 ?? 74 ?? 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 47 ?? 8B 57 ?? 
50 50 8D 47 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B + C1 6A ?? EB ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 47 ?? 8D 8C 24 ?? ?? ?? ?? 8B + 57 ?? 50 50 8D 47 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 54 24 ?? 83 C4 ?? 83 7A ?? ?? 8B 42 ?? 0F 8F ?? + ?? ?? ?? 7C ?? 39 42 ?? 0F 87 ?? ?? ?? ?? 8B 74 24 ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 4E + } + + $encrypt_files_v2_p3 = { + 8D 84 24 ?? ?? ?? ?? 83 C4 ?? 81 C1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 8B 46 ?? 03 C1 50 + E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? C7 00 ?? ?? ?? ?? EB ?? 8B 44 24 ?? C7 00 ?? ?? + ?? ?? 8B 4C 24 ?? 8B 74 24 ?? 6A ?? 89 74 24 ?? 8D 41 ?? 50 FF 71 ?? 8D 41 ?? FF 71 + ?? 50 51 6A ?? 6A ?? FF 76 ?? E8 ?? ?? ?? ?? FF D0 85 C0 0F 89 ?? ?? ?? ?? 83 C8 ?? + F0 0F C1 46 ?? 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B 46 ?? 83 C4 ?? 33 + FF 85 C0 0F 84 ?? ?? ?? ?? 83 C6 ?? 8B 0E E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 76 ?? 47 8B + 40 ?? 3B F8 72 ?? 8B 74 24 ?? 85 C0 E9 ?? ?? ?? ?? 83 C8 ?? F0 0F C1 46 ?? 0F 85 ?? + ?? ?? ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B 4E ?? 83 C4 ?? C7 44 24 ?? ?? ?? ?? ?? 85 + C9 0F 84 ?? ?? ?? ?? 8D 7E ?? 66 0F 1F 44 00 ?? 8B 0F E8 ?? ?? ?? ?? 8B 44 24 ?? 8D + 7F ?? 8B 4E ?? 40 89 44 24 ?? 3B C1 72 ?? E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 56 ?? 8B + C1 F0 0F B1 0A 83 F8 ?? 75 ?? 8B 46 ?? 89 44 24 ?? 0F B7 46 ?? 83 C0 ?? 8B C8 89 44 + 24 ?? E8 ?? ?? ?? ?? 8B F8 85 FF 74 ?? 0F B7 4E ?? 51 FF 76 ?? 8D 4F ?? 51 E8 ?? ?? + ?? ?? 0F B7 46 ?? 83 C4 ?? 89 47 ?? 0F 57 C0 8D 44 24 ?? C6 07 ?? C7 47 ?? ?? ?? ?? + ?? 6A ?? FF 74 24 ?? 66 0F 13 44 24 ?? 57 50 FF 74 24 ?? E8 ?? ?? ?? ?? FF D0 8B CF + E8 ?? ?? ?? ?? 8D 56 ?? 85 F6 0F 84 ?? ?? ?? ?? 83 C8 ?? F0 0F C1 02 0F 85 ?? ?? ?? + ?? 6A ?? 6A ?? 56 E8 ?? ?? ?? 
?? 8B 4E ?? 83 C4 ?? C7 44 24 ?? ?? ?? ?? ?? 85 C9 74 + ?? 8D 7E ?? 8B 0F E8 ?? ?? ?? ?? 8B 44 24 ?? 8D 7F ?? 8B 4E ?? 40 89 44 24 ?? 3B C1 + 72 ?? 85 C9 74 ?? F0 FF 05 ?? ?? ?? ?? F0 FF 0D ?? ?? ?? ?? 8B 46 ?? 85 C0 74 ?? 50 + E8 ?? ?? ?? ?? FF D0 8D 46 ?? 50 E8 ?? ?? ?? ?? FF D0 8B CE E8 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 5F 33 C0 5E 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + $enum_resources_v1 + ) and + ( + all of ($find_files_v1_*) + ) and + ( + all of ($encrypt_files_v1_*) + ) + ) or + ( + ( + $check_blacklisted_languages_v2 + ) and + ( + $fnv1a_hashing_v2 + ) and + ( + $create_net_host_trav_threads_v2 + ) and + ( + all of ($decrypt_configuration_v2_*) + ) and + ( + all of ($encrypt_files_v2_p*) + ) + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Lolkek.yara b/yara/ransomware/Win32.Ransomware.Lolkek.yara new file mode 100644 index 0000000..13102a9 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Lolkek.yara 
@@ -0,0 +1,106 @@ +rule Win32_Ransomware_Lolkek : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LOLKEK" + description = "Yara rule that detects Lolkek ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Lolkek" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 57 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A1 ?? + ?? ?? ?? B9 ?? ?? ?? ?? FF 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 3C 85 ?? ?? ?? ?? 40 99 + F7 F9 89 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 85 FF 0F 84 ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 56 8B CF E8 ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 8B F0 68 ?? ?? ?? ?? 56 FF D3 83 + C4 ?? 56 57 FF 15 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? + 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A1 ?? ?? + ?? ?? B9 ?? ?? ?? ?? FF 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 3C 85 ?? ?? ?? ?? 40 99 F7 + F9 89 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 85 FF 0F 85 ?? ?? ?? ?? 5E 5B 33 C0 5F C2 + } + + $find_volumes_p1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 + 57 E8 ?? ?? ?? ?? 6A ?? 8D 84 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 6A ?? 50 C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 + 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? + ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? 
?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? + ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 F6 83 C4 ?? 89 74 24 ?? 33 + } + + $find_volumes_p2 = { + FF 8B 5C BC ?? 53 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 89 9C B4 ?? ?? ?? ?? 46 47 83 FF + ?? 7C ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 44 24 ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 57 FF 15 ?? + ?? ?? ?? 8B D8 0F 1F 00 85 F6 74 ?? 8D 44 24 ?? 50 6A ?? 8D 84 24 ?? ?? ?? ?? 50 57 + FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 + ?? 4E 57 FF B4 B4 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 53 FF 15 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? + ?? ?? 83 C4 ?? 8B 3D ?? ?? ?? ?? 33 F6 8B 1D ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? FF + D7 33 D2 B9 ?? ?? ?? ?? F7 F1 68 ?? ?? ?? ?? 80 C2 ?? 88 94 34 ?? ?? ?? ?? FF D3 46 + 83 FE ?? 7C ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 83 C4 ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 FF 15 + } + + $find_files_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 5F C9 C3 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? + ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 5D ?? + 8B CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 EB ?? + 8B 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B EB ?? 33 FF 57 57 + 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 + 45 ?? 8B 4D ?? 8B 55 ?? 53 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 ?? ?? + ?? ?? 
8A 01 88 85 ?? ?? ?? ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 57 E8 + ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? 74 ?? + 3C ?? 8A C3 75 ?? B0 ?? 2B CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D + } + + $find_files_p2 = { + 56 1B C0 89 9D ?? ?? ?? ?? 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 8D ?? ?? ?? ?? F7 D8 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? + ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B + D8 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D + ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? + 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? + 75 ?? 8A 48 ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? + ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 + C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 + ?? EB ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 59 8B D8 56 FF 15 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 59 8B C3 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_volumes_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.LooCipher.yara b/yara/ransomware/Win32.Ransomware.LooCipher.yara new file mode 100644 index 0000000..67c27c4 --- /dev/null 
+++ b/yara/ransomware/Win32.Ransomware.LooCipher.yara 
@@ -0,0 +1,87 @@ +rule Win32_Ransomware_LooCipher : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LOOCIPHER" + description = "Yara rule that detects LooCipher ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "LooCipher" + tc_detection_factor = 5 + + strings: + + $remote_connection = { + 6A ?? 83 EC ?? 8B CC 89 A5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 B9 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? + 50 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 68 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 + 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 + } + + $encrypt_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? 53 56 57 8D BD + ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? F3 AB A1 ?? ?? ?? ?? 33 C5 89 45 ?? 50 8D + 45 ?? 64 A3 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? 
?? C7 45 ?? ?? ?? ?? + ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 0F B7 4D ?? 3B C1 74 + ?? E8 ?? ?? ?? ?? 8B F0 8D 4D ?? E8 ?? ?? ?? ?? 8B C8 83 E9 ?? 8B C6 33 D2 F7 F1 89 + 55 ?? 6A ?? 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? C6 45 ?? ?? 8B 85 ?? ?? ?? ?? 50 8D 4D ?? E8 + ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 8D 45 ?? 50 8B 4D ?? + E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C9 ?? 89 8D ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 52 8B CD 50 8D 15 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 5A 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? + 33 CD E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 3B EC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files = { + 52 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 0F B6 C0 85 C0 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8B F4 89 + A5 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 50 ?? 52 8B 00 50 8B CE E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C6 45 ?? ?? B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A ?? 8D 8D ?? ?? ?? ?? 51 C6 45 ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? EB ?? 83 EC ?? 8B CC + 89 A5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? 
E8 ?? ?? ?? ?? + 83 C4 ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D + ?? ?? ?? ?? 89 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Lorenz.yara b/yara/ransomware/Win32.Ransomware.Lorenz.yara new file mode 100644 index 0000000..33bafa2 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Lorenz.yara 
@@ -0,0 +1,252 @@ +rule Win32_Ransomware_Lorenz : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "LORENZ" + description = "Yara rule that detects Lorenz ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Lorenz" + tc_detection_factor = 5 + + strings: + + $encrypt_files_v1_p1 = { + BE ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? A5 6A ?? 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? A5 A5 A4 8B 35 ?? ?? ?? ?? FF D6 89 85 ?? ?? ?? ?? 33 C0 50 68 ?? ?? ?? ?? 6A + ?? 50 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D6 68 ?? ?? ?? ?? 6A ?? 6A ?? 89 85 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 85 C0 75 + ?? FF D6 8B 3D ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? FF D7 EB ?? 8B 3D ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 + C0 75 ?? FF D6 6A ?? FF B5 ?? ?? ?? ?? FF D7 6A ?? 6A ?? 53 FF B5 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 85 C0 75 ?? FF D6 8D 85 ?? ?? ?? ?? 33 DB 50 53 FF B5 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF D6 53 FF B5 ?? ?? ?? ?? + FF D7 6A ?? 8D 45 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 53 8B 9D ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B + 0D ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 89 4D ?? 66 8B 0D ?? ?? ?? ?? 66 89 4D ?? 8D 4D + ?? 89 85 ?? ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 6A ?? 50 2B CA 8D 45 ?? 51 50 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 68 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 33 C0 50 50 + } + + $encrypt_files_v1_p2 = { + 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 D2 42 3B C2 75 ?? 83 BD ?? ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 33 D2 42 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? 
?? 03 8D + ?? ?? ?? ?? 3B 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 6A ?? 89 8D ?? ?? ?? ?? 0F 44 C2 8D + 8D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 51 8D 4D ?? 51 6A ?? 50 6A ?? FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 83 A5 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF B5 ?? + ?? ?? ?? 8D 45 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8D 45 ?? 6A ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? FF D7 FF B5 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 53 FF D6 8B 85 ?? ?? ?? + ?? 50 FF D6 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F + 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $find_files_v1_p1 = { + FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 6A ?? 0F 57 C0 C6 45 + ?? ?? 6A ?? 6A ?? 0F 11 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 + C0 74 ?? 89 18 89 58 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 08 8B 3D ?? ?? ?? ?? + 8B B5 ?? ?? ?? ?? C6 45 ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F + 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 + C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? + ?? 8D 85 ?? ?? 
?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? 8D 8D + } + + $find_files_v1_p2 = { + 8B 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 56 8B D0 C6 45 ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 59 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 75 ?? 68 ?? ?? ?? + ?? 0F 43 75 ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 56 50 89 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B B5 ?? ?? ?? ?? 83 C4 ?? F6 85 ?? ?? ?? ?? ?? 75 ?? 56 8D 4D ?? E8 ?? ?? ?? + ?? 8D 45 ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 59 74 ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 7D ?? ?? 8D 75 ?? 68 ?? ?? ?? ?? 0F 43 75 ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? + ?? 56 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 4D ?? E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 + B8 ?? ?? ?? ?? C3 C7 45 ?? ?? ?? ?? ?? 33 DB 8B 85 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8D 8D + } + + $create_scheduled_task_v1 = { + FF 15 ?? ?? ?? ?? 33 FF 85 C0 74 ?? 8B CF 8A 84 0D ?? ?? ?? ?? 88 84 0D ?? ?? ?? ?? + 41 84 C0 75 ?? 8D BD ?? ?? ?? ?? 4F 8A 47 ?? 47 84 C0 75 ?? BE ?? ?? ?? ?? A5 A5 66 + A5 33 FF 57 68 ?? ?? ?? ?? 6A ?? 57 57 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8B 4B ?? 8B F0 89 BD ?? ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8D 85 ?? + ?? ?? ?? 2B CA 50 51 FF 73 ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C4 ?? 8B + F2 8A 02 42 84 C0 75 ?? 8D BD ?? ?? ?? ?? 2B D6 4F 8A 47 ?? 47 84 C0 75 ?? 8B CA C1 + E9 ?? F3 A5 8B CA 83 E1 ?? F3 A4 8D 8D ?? ?? ?? ?? 49 8A 41 ?? 41 84 C0 75 ?? 66 A1 + ?? ?? ?? ?? 
33 DB 8B 35 ?? ?? ?? ?? BF ?? ?? ?? ?? 66 89 01 A0 ?? ?? ?? ?? 53 53 88 + 41 ?? 8D 85 ?? ?? ?? ?? 50 57 53 53 FF D6 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 53 53 68 + ?? ?? ?? ?? 57 53 53 FF D6 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection_v1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 8B + 5D ?? 8D 44 24 ?? 56 57 8B 7D ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A + ?? 6A ?? 6A ?? 58 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 ?? 6A ?? 58 53 66 89 44 24 + ?? FF 15 ?? ?? ?? ?? FF 75 ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 66 89 44 24 ?? 8D 44 24 + ?? 6A ?? 50 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 8B CF 8D 51 ?? 8A 01 41 84 C0 75 ?? + 6A ?? 2B CA 51 57 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 33 C0 8B 8C 24 ?? ?? ?? ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $check_mutex_v1 = { + E8 ?? ?? ?? ?? 59 59 56 C6 45 ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 50 FF B5 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 7D ?? ?? 7E ?? 8B 57 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 59 FF 77 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B C8 C6 45 ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 56 FF D3 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + 56 FF 15 ?? ?? ?? ?? 8B F8 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 94 C0 85 FF 74 ?? 84 + C0 74 ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 56 + } + + $find_files_v2 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 83 EC ?? 53 + 56 57 89 65 ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 + ?? ?? 8D 4D ?? 54 E8 ?? ?? ?? ?? 83 EC ?? 8D 4D ?? 54 E8 ?? ?? ?? ?? 83 EC ?? 8D 4D + ?? 54 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? E8 ?? + ?? ?? ?? 83 EC ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 8D 4D ?? 50 E8 ?? ?? ?? 
?? 8D 4D ?? + 3B 45 ?? 0F 87 ?? ?? ?? ?? 83 EC ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? + 51 50 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B F0 8D 45 ?? 3B C6 74 ?? 8B 45 ?? 83 F8 + ?? 72 ?? 6A ?? 40 50 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 56 + 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B + 7D ?? 33 F6 8B 5D ?? 83 FE ?? 73 ?? 8B 0C B5 ?? ?? ?? ?? 8D 45 ?? 83 FF ?? 0F 43 C3 + 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 74 ?? 46 EB ?? 8D 4D ?? E8 ?? ?? + ?? ?? B0 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 8B 4D ?? 32 C0 5F 5E 64 89 0D ?? ?? ?? ?? 5B 8B E5 5D C2 ?? ?? 8D 45 + } + + $encrypt_files_v2_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 51 B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 53 56 57 C7 45 ?? ?? ?? ?? ?? 8B F1 8B 7D ?? 8D 4D ?? 89 65 ?? + 57 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 8B CE 50 E8 + ?? ?? ?? ?? 8B D8 C6 45 ?? ?? 8D 4D ?? 89 5D ?? E8 ?? ?? ?? ?? 8B 75 ?? 56 E8 ?? ?? + ?? ?? 83 C4 ?? 56 53 50 E8 ?? ?? ?? ?? 8B 75 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 + 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 83 C4 ?? 49 0F 1F 40 ?? 8A 41 ?? 8D 49 ?? 84 C0 + 75 ?? A1 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 08 89 ?? ?? ?? ?? 4E 00 6A ?? 6A ?? 89 41 ?? + A1 ?? ?? ?? ?? ?? ?? ?? ?? 08 A0 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? 88 + 41 ?? FF D6 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 50 FF D6 68 ?? ?? ?? ?? 6A ?? 6A ?? 89 45 ?? 8D 45 ?? 6A ?? 50 FF 15 ?? ?? + ?? ?? 8B 35 ?? ?? ?? ?? 85 C0 75 ?? FF D6 8B 1D ?? ?? ?? ?? 6A ?? FF 75 ?? FF D3 EB + ?? 8B 1D ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? + ?? 85 C0 75 ?? FF D6 6A ?? FF 75 ?? FF D3 6A ?? 6A ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? + 85 C0 75 ?? FF D6 8D 45 ?? 50 6A ?? FF 75 ?? 68 ?? ?? ?? ?? 
FF 75 ?? FF 15 ?? ?? ?? + ?? 85 C0 75 ?? FF D6 6A ?? FF 75 ?? FF D3 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 + } + + $encrypt_files_v2_p2 = { + E8 ?? ?? ?? ?? 8B 7D ?? 83 C4 ?? 33 F6 C7 45 ?? ?? ?? ?? ?? 33 DB 89 5D ?? 56 57 FF + 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 4D ?? 66 8B 0D ?? ?? 4E 00 66 89 4D ?? 8D 4D ?? + 89 45 ?? 8D 51 ?? 89 5D ?? 8A 01 41 84 C0 75 ?? 6A ?? 8D 45 ?? 2B CA 50 51 8D 45 ?? + 50 FF 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? FF 75 ?? FF 75 ?? FF + 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 66 0F 1F 44 00 ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 03 + F0 33 C9 3B 75 ?? 75 ?? 85 C9 75 ?? 33 DB 83 F8 ?? 0F 95 C3 68 ?? ?? ?? ?? 8D 45 ?? + 50 8D 85 ?? ?? ?? ?? 50 6A ?? 53 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? + 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF 75 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? + ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 45 ?? 6A ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F + 85 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 57 FF D6 FF 75 ?? FF D6 8B 4D ?? 5F 5E 64 89 0D + ?? ?? ?? ?? 5B 8B E5 5D C2 ?? ?? 8D 45 + } + + $remote_connection_v2 = { + 55 8B EC 51 53 56 57 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 56 + FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D8 6A ?? + 53 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B F8 6A ?? 57 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? + 8D 45 ?? 50 57 FF 15 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 53 FF D6 57 FF D6 5F 5E + 33 C0 5B 8B E5 5D C3 + } + + $drop_ransom_note_v2_p1 = { + 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 89 45 ?? + C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 6A ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 
C7 + 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 85 C0 74 ?? C7 00 ?? ?? ?? ?? C7 + 40 ?? ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 89 08 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? ?? ?? ?? ?? 87 FB 00 00 00 A0 ?? ?? + ?? ?? 88 87 ?? ?? ?? ?? 8B F7 8D 4E ?? 0F 1F 40 ?? 8A 06 46 84 C0 75 ?? 2B F1 8D 46 + ?? 50 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 74 ?? 56 57 53 E8 ?? ?? ?? ?? 6A ?? 8D 04 + 33 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F3 8D 4E ?? 0F 1F 44 00 ?? 8A 06 46 + 84 C0 75 ?? 2B F1 8D 86 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 56 + 53 57 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 04 37 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8B F7 8D 4E ?? 8A 06 46 84 C0 75 ?? 2B F1 8D 86 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B + D8 83 C4 ?? 85 DB 74 ?? 56 57 53 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 04 33 68 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F3 8D 4E ?? 8A 06 46 84 C0 75 ?? 2B F1 8D 46 ?? 50 + } + + $drop_ransom_note_v2_p2 = { + E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 56 53 57 E8 ?? ?? ?? ?? 6A ?? 8D 04 37 68 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F7 8D 4E ?? 0F 1F 00 8A 06 46 84 C0 75 ?? + 2B F1 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 74 ?? 56 57 53 E8 ?? ?? ?? ?? + F3 0F 7E 05 ?? ?? ?? ?? 83 C4 ?? 66 0F D6 04 33 8B F3 8D 4E ?? 8A 06 46 84 C0 75 ?? + 2B F1 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 56 53 57 E8 ?? ?? ?? ?? + 6A ?? 8D 04 37 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F7 8D 4E ?? 8A 06 46 84 + C0 75 ?? 2B F1 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 74 ?? 56 57 53 E8 ?? + ?? ?? ?? 6A ?? 8D 04 33 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F3 8D 4E ?? 66 + 90 8A 06 46 84 C0 75 ?? 2B F1 8D 46 ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? + 56 53 57 E8 ?? ?? ?? ?? 6A ?? 8D 04 37 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B + CF 5B 8D 51 ?? 0F 1F 40 ?? 8A 01 41 84 C0 75 ?? 8B 75 ?? 8D 45 ?? 
6A ?? 50 2B CA 51 + 57 56 FF 15 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8B 4D ?? 5F 5E 64 89 0D ?? ?? ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + ( + all of ($encrypt_files_v1_p*) + ) and + ( + all of ($find_files_v1_p*) + ) and + ( + $create_scheduled_task_v1 + ) and + ( + $remote_connection_v1 + ) and + ( + $check_mutex_v1 + ) + ) or + ( + ( + $find_files_v2 + ) and + ( + all of ($encrypt_files_v2_p*) + ) and + ( + $remote_connection_v2 + ) and + ( + all of ($drop_ransom_note_v2_p*) + ) + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.MRAC.yara b/yara/ransomware/Win32.Ransomware.MRAC.yara new file mode 100644 index 0000000..9901942 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.MRAC.yara 
@@ -0,0 +1,69 @@ +rule Win32_Ransomware_MRAC : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MRAC" + description = "Yara rule that detects MRAC ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "MRAC" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + B8 ?? ?? ?? ?? 66 8B 11 66 3B 10 75 ?? 66 85 D2 74 ?? 66 8B 51 ?? 66 3B 50 ?? 75 ?? + 83 C1 ?? 83 C0 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 8B 75 ?? 85 C0 75 ?? B1 + ?? EB ?? 32 C9 8B 45 ?? 88 4D ?? 83 F8 ?? 72 ?? 8D 0C 45 ?? ?? ?? ?? 8B C6 81 F9 ?? + ?? ?? ?? 72 ?? 8B 76 ?? 83 C1 ?? 2B C6 83 C0 ?? 83 F8 ?? 77 ?? 51 56 E8 ?? ?? ?? ?? + 8A 4D ?? 83 C4 ?? 8A C1 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? + ?? ?? ?? 8B E5 5D C2 ?? ?? E8 ?? ?? ?? ?? E8 + } + + $import_key = { + 8D 45 ?? 50 6A ?? 6A ?? 6A ?? FF 75 ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 + ?? 89 45 ?? 8D 4D ?? 51 50 6A ?? 6A ?? FF 75 ?? 56 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? FF 75 ?? FF 75 ?? FF 75 ?? FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 6A ?? FF + 75 ?? FF D6 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF D6 85 C0 0F + 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF D6 85 C0 0F 84 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 + ?? ?? ?? ?? 8B C8 F6 C1 ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 8B C1 C1 E8 ?? 40 C1 E0 ?? 2B + C1 68 ?? ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 ?? ?? ?? ?? 6A + ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8B 45 ?? 3D ?? ?? ?? ?? 0F 92 C3 85 C0 74 ?? 68 ?? 
?? ?? ?? 8D 45 ?? 50 57 6A ?? 0F + B6 C3 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D + 45 ?? 50 FF 75 ?? 57 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? EB ?? 8B 75 ?? 84 + DB 74 + } + + $find_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 + 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 74 ?? 32 C0 E9 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 89 06 FF + D7 85 C0 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 90 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D3 + F6 05 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 8B + 4D ?? 6A ?? 68 ?? ?? ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $import_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.MZP.yara b/yara/ransomware/Win32.Ransomware.MZP.yara new file mode 100644 index 0000000..8fd09af --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.MZP.yara 
@@ -0,0 +1,147 @@ +rule Win32_Ransomware_MZP : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MZP" + description = "Yara rule that detects MZP ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "MZP" + tc_detection_factor = 5 + + strings: + + $show_ransom_note_p1 = { + 55 8B EC B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 ?? 53 56 84 D2 74 ?? 83 C4 ?? E8 ?? ?? ?? + ?? 88 55 ?? 8B D8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 8B C3 E8 ?? ?? ?? + ?? 89 1D ?? ?? ?? ?? 33 C9 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 89 73 ?? 33 C0 + 89 46 ?? 33 C0 89 86 ?? ?? ?? ?? 33 C0 89 86 ?? ?? ?? ?? C7 86 ?? ?? ?? ?? ?? ?? ?? + ?? C7 86 ?? ?? ?? ?? ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? C7 86 ?? ?? ?? ?? ?? ?? ?? ?? + 6A ?? 6A ?? 8D 45 ?? 50 33 C9 B2 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 8D 86 ?? + ?? ?? ?? 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? + C6 86 ?? ?? ?? ?? ?? 33 C0 89 86 ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? 33 C0 89 86 ?? ?? + ?? ?? C6 86 ?? ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? 8D 86 ?? ?? ?? ?? 33 D2 E8 ?? ?? ?? + ?? 8D 86 ?? ?? ?? ?? 33 D2 E8 ?? ?? ?? ?? 33 C0 89 86 ?? ?? ?? ?? 33 C0 89 86 ?? ?? + ?? ?? C6 86 ?? ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 + ?? ?? ?? ?? B2 ?? 8B C6 E8 ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? A1 ?? ?? + ?? ?? 8B 00 50 E8 ?? ?? ?? ?? 8B D0 8B C6 E8 ?? ?? ?? ?? 33 D2 8B C6 E8 + } + + $show_ransom_note_p2 = { + C6 86 ?? ?? ?? ?? ?? C7 86 ?? ?? ?? ?? ?? ?? ?? ?? 8D 86 ?? ?? ?? ?? 33 D2 E8 ?? ?? + ?? ?? C6 86 ?? ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? 89 B6 ?? ?? ?? ?? C7 86 ?? ?? ?? ?? + ?? ?? ?? ?? 33 C0 89 86 ?? ?? ?? ?? 33 C0 89 86 ?? ?? ?? ?? 8B C6 8B 10 FF 52 ?? B2 + ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 89 73 ?? 8D 46 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? C6 46 ?? ?? C6 46 ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 89 73 ?? C6 46 + ?? ?? 
8D 46 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + F0 89 73 ?? BA ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 + 8D 46 ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 89 73 ?? 8B C6 C6 + 40 ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 89 73 + ?? 8B C6 C6 40 ?? ?? 66 BA ?? ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 89 43 ?? 8B 73 ?? 8D 46 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 46 ?? 33 D2 E8 ?? ?? ?? + ?? C6 46 ?? ?? C6 46 ?? ?? C6 46 ?? ?? C6 46 ?? ?? C6 46 ?? ?? 8D 46 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 43 ?? B2 ?? A1 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 89 43 ?? 8B 73 ?? 8D 46 ?? 33 D2 E8 ?? ?? ?? ?? 8D 46 ?? BA ?? ?? ?? + ?? E8 + } + + $search_config_file = { + 8B C0 53 56 8B F0 8A 9E ?? ?? ?? ?? C6 86 ?? ?? ?? ?? ?? 80 BE ?? ?? ?? ?? ?? 75 ?? + 8B 46 ?? 8B 48 ?? A1 ?? ?? ?? ?? 33 D2 E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 33 D2 8B + 86 ?? ?? ?? ?? FF 96 ?? ?? ?? ?? 83 BE ?? ?? ?? ?? ?? 74 ?? 8B 96 ?? ?? ?? ?? B8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 89 B6 ?? ?? ?? ?? C7 86 ?? ?? ?? ?? ?? ?? ?? ?? + EB ?? 89 B6 ?? ?? ?? ?? C7 86 ?? ?? ?? ?? ?? ?? ?? ?? 88 9E ?? ?? ?? ?? 8A 96 ?? ?? + ?? ?? 8B C6 E8 ?? ?? ?? ?? 80 BE ?? ?? ?? ?? ?? 74 ?? 8B 46 ?? 8B 8E ?? ?? ?? ?? 8B + 96 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 8B 46 ?? E8 ?? ?? ?? ?? 8B 46 ?? 89 + 70 ?? 5E 5B C3 + } + + $track_mouse_event_for_entropy = { + 53 56 83 C4 ?? 8B F0 8B 42 ?? 05 ?? ?? ?? ?? 83 E8 ?? 72 ?? 2D ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 8A 86 ?? ?? ?? ?? 88 44 24 ?? 66 83 BE ?? ?? ?? ?? ?? 74 ?? + 8B D6 8B 86 ?? ?? ?? ?? FF 96 ?? ?? ?? ?? 8B D8 EB ?? 54 E8 ?? ?? ?? ?? 8D 4C 24 ?? + 8B D4 8B C6 E8 ?? ?? ?? ?? 8B 44 24 ?? 89 04 24 8B 44 24 ?? 89 44 24 ?? 8D 54 24 ?? + 8B C6 E8 ?? ?? ?? ?? 8D 54 24 ?? 8B C4 E8 ?? ?? ?? ?? 8B D8 3A 5C 24 ?? 0F 84 ?? ?? + ?? ?? 8B C6 E8 ?? ?? ?? ?? 84 DB 74 ?? C6 86 ?? ?? ?? ?? ?? 66 83 BE ?? ?? ?? ?? ?? + 74 ?? 
8B D6 8B 86 ?? ?? ?? ?? FF 96 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 8B 46 ?? 89 44 24 ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? EB + ?? C6 86 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 46 ?? 89 + 44 24 ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 66 83 BE ?? ?? ?? ?? ?? 74 ?? 8B D6 8B 86 ?? ?? + ?? ?? FF 96 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? EB ?? 80 BE ?? ?? ?? ?? ?? 74 ?? C6 86 + ?? ?? ?? ?? ?? 66 83 BE ?? ?? ?? ?? ?? 74 ?? 8B D6 8B 86 ?? ?? ?? ?? FF 96 ?? ?? ?? + ?? 8B C6 E8 ?? ?? ?? ?? 33 C0 83 C4 ?? 5E 5B C3 + } + + $find_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B FA + 8B D8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? B9 ?? ?? ?? ?? 8B D7 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 43 ?? 8D 85 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 33 C9 8A 08 41 E8 + ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 80 7B ?? ?? 76 ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B D7 8B C3 E8 ?? ?? ?? ?? 80 7B ?? ?? 0F 85 ?? + ?? ?? ?? 57 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 43 ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 53 ?? E8 ?? ?? ?? ?? 84 C0 74 ?? FF 43 + } + + $find_files_p2 = { + 80 7B ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B D7 8B C3 E8 ?? ?? ?? ?? EB ?? 80 7B ?? ?? 74 ?? 8D + 85 ?? ?? ?? 
?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 8B D7 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 43 ?? E8 ?? ?? ?? ?? EB ?? + 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 8D 43 ?? E8 ?? ?? ?? ?? 80 7B ?? ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files = { + 8B C0 33 D2 89 50 ?? 89 50 ?? 52 8D 50 ?? 52 FF 70 ?? FF 70 ?? FF 30 E8 ?? ?? ?? ?? + 85 C0 74 ?? 33 C0 C3 E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? C3 33 C0 C3 51 8B 50 ?? 85 D2 7E + ?? 33 C9 89 48 ?? 51 8D 4C 24 ?? 51 52 FF 70 ?? FF 30 E8 ?? ?? ?? ?? 85 C0 74 ?? 33 + C0 59 C3 E8 ?? ?? ?? ?? EB ?? FF 30 C7 40 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 75 ?? C3 + E8 ?? ?? ?? ?? C3 56 8B F0 33 C0 89 46 ?? 89 46 ?? 8B 46 ?? 2D ?? ?? ?? ?? 74 ?? 48 + 74 ?? 48 74 ?? E9 ?? ?? ?? ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? C7 46 ?? + ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? + BA ?? ?? ?? ?? B9 ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? ?? ?? ?? C7 46 ?? ?? + ?? ?? ?? 80 7E ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 51 6A ?? 52 50 8D 46 ?? + 50 E8 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 89 06 81 7E ?? ?? ?? ?? ?? 0F 85 ?? ?? + ?? ?? FF 4E ?? 6A ?? FF 36 E8 ?? ?? ?? ?? 40 0F 84 ?? ?? ?? ?? 2D ?? ?? ?? ?? 73 ?? + 33 C0 6A ?? 6A ?? 50 FF 36 E8 ?? ?? ?? ?? 40 0F 84 ?? ?? ?? ?? 6A ?? 8B D4 6A ?? 52 + 68 ?? ?? ?? ?? 8D 96 ?? ?? ?? ?? 52 FF 36 E8 ?? ?? ?? ?? 5A 48 0F 85 ?? ?? ?? ?? 33 + C0 3B C2 73 ?? 80 BC 06 ?? ?? ?? ?? ?? 74 ?? 40 EB ?? 6A ?? 6A ?? 2B C2 50 FF 36 E8 + ?? ?? ?? ?? 40 74 ?? FF 36 E8 ?? ?? ?? ?? 48 75 ?? EB ?? C7 46 ?? ?? ?? ?? ?? 81 7E + ?? ?? ?? ?? ?? 74 ?? 6A ?? EB ?? 6A ?? E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? 89 06 81 7E ?? + ?? ?? ?? ?? 74 ?? FF 36 E8 ?? ?? ?? ?? 85 C0 74 ?? 83 F8 ?? 75 ?? C7 46 ?? ?? ?? ?? + ?? 
33 C0 5E C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_config_file + ) and + ( + all of ($find_files_p*) + ) and + ( + $track_mouse_event_for_entropy + ) and + ( + $encrypt_files + ) and + ( + all of ($show_ransom_note_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Mafia.yara b/yara/ransomware/Win32.Ransomware.Mafia.yara new file mode 100644 index 0000000..7c7a660 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Mafia.yara 
@@ -0,0 +1,142 @@ +rule Win32_Ransomware_Mafia : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MAFIA" + description = "Yara rule that detects Mafia ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Mafia" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 57 68 ?? ?? ?? ?? 8D 44 24 ?? 8B F1 6A ?? 50 89 74 24 ?? C7 44 24 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 C9 68 ?? ?? ?? ?? 51 8D 94 24 ?? ?? ?? ?? 52 66 89 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 66 89 84 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? + ?? 83 C4 ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? + 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? + ?? ?? ?? 8B 35 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 68 ?? ?? ?? ?? 8D + 8C 24 ?? ?? ?? ?? 6A ?? 51 E8 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 8D 84 24 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? 51 FF D6 B8 ?? ?? + ?? ?? 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 56 81 EC ?? ?? + ?? ?? B9 ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? 8B FC F3 A5 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? + ?? 8D 54 24 ?? 52 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 44 24 ?? 50 81 EC ?? ?? ?? ?? + B9 ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? 8B FC F3 A5 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 8D + 4C 24 ?? 51 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 53 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? + ?? 5F 5E 5B 33 CC 33 C0 E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection_p1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 33 C0 57 + 68 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 66 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 
66 89 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 6A ?? 51 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 33 C0 68 ?? + ?? ?? ?? 50 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 51 E8 ?? + ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F0 33 C0 89 85 + } + + $remote_connection_p2 = { + 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? 66 89 95 ?? ?? ?? ?? 8B 48 ?? 8B 11 8B 02 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D + 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF + 15 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 50 ?? 8B FF 8A 08 40 84 C9 75 ?? 6A + ?? 2B C2 50 8D 8D ?? ?? ?? ?? 51 56 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? 52 56 FF D3 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D7 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 50 + 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF + D7 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 51 E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 FF D7 + 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 53 8D 85 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 
83 C4 ?? 8D 8D ?? ?? ?? ?? 51 FF D7 68 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 40 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? EB + ?? 68 ?? ?? ?? ?? FF D7 56 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? + 8B E5 5D C3 68 + } + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? + ?? ?? 53 56 8B 75 ?? 57 68 ?? ?? ?? ?? 33 DB 8D 8C 24 ?? ?? ?? ?? 33 C0 53 51 66 89 + 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 54 24 ?? 53 52 89 5C 24 + ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 44 24 ?? 53 50 89 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 + ?? 33 C0 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 53 51 89 5C 24 ?? 89 44 24 ?? 89 44 24 + ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 53 52 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 53 50 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 33 C9 53 52 66 89 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 4D ?? 8B C1 83 C4 ?? 48 74 ?? 48 74 ?? 8B 45 ?? 8B 55 ?? 50 52 51 56 FF + 15 ?? ?? ?? ?? 5F 5E 5B 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $encrypt_files_p2 = { + 53 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5B 33 CC 33 C0 E8 ?? ?? ?? ?? 8B E5 + 5D C2 ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 33 F6 E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 ?? 48 0D ?? ?? ?? ?? 40 + 88 86 ?? ?? ?? ?? 46 83 FE ?? 7C ?? 33 F6 E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 79 ?? 48 0D + ?? ?? ?? ?? 40 88 86 ?? ?? ?? ?? 46 83 FE ?? 7C ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 49 ?? 0F B6 83 ?? ?? ?? ?? 6A + ?? 8D 94 24 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 ?? 
8D 8C 24 ?? ?? ?? ?? 51 8D 94 + 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 C4 ?? 8B C8 + 8A 10 40 84 D2 75 ?? 8D BC 24 ?? ?? ?? ?? 2B C1 8B F1 4F 8A 4F ?? 47 84 C9 75 ?? 8B + C8 C1 E9 ?? F3 A5 8B C8 83 E1 ?? 8D 84 24 ?? ?? ?? ?? F3 A4 8B C8 8A 10 40 84 D2 75 + ?? BF ?? ?? ?? ?? 2B C1 8B F1 4F 8A 4F ?? 47 84 C9 75 ?? 8B C8 C1 E9 ?? F3 A5 8B C8 + } + + $encrypt_files_p3 = { + 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 E1 ?? 6A ?? 50 F3 A4 E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 E8 ?? ?? ?? ?? 43 83 C4 ?? 83 FB ?? 0F + 8C ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 DB EB ?? 8D A4 24 ?? ?? ?? ?? EB ?? 8D 49 ?? + 0F B6 83 ?? ?? ?? ?? 6A ?? 8D 94 24 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C + 24 ?? ?? ?? ?? 51 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 83 C4 ?? 8B C8 8A 10 40 84 D2 75 ?? 8D BC 24 ?? ?? ?? ?? 2B C1 8B F1 4F 8A + 4F ?? 47 84 C9 75 ?? 8B C8 C1 E9 ?? F3 A5 8B C8 83 E1 ?? 8D 84 24 ?? ?? ?? ?? F3 A4 + 8B C8 8A 10 40 84 D2 75 ?? BF ?? ?? ?? ?? 2B C1 8B F1 4F 8A 4F ?? 47 84 C9 75 ?? 8B + } + + $encrypt_files_p4 = { + C8 C1 E9 ?? F3 A5 8B C8 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 E1 ?? 6A ?? 50 F3 A4 + E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 E8 ?? ?? ?? ?? + 43 83 C4 ?? 83 FB ?? 0F 8C ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? BF ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? + 56 FF D3 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 6A ?? 6A ?? 56 68 ?? ?? ?? ?? + 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 89 44 8C ?? 41 89 4C 24 ?? 47 83 C6 + ?? 83 FF ?? 7E ?? 8B 54 24 ?? 6A ?? 6A ?? 8D 4C 24 ?? 51 52 FF 15 ?? ?? ?? ?? 8D 44 + 24 ?? 
50 8D 4C 24 ?? 51 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? FF 15 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Magniber.yara b/yara/ransomware/Win32.Ransomware.Magniber.yara new file mode 100644 index 0000000..58dbb74 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Magniber.yara 
@@ -0,0 +1,114 @@ +rule Win32_Ransomware_Magniber : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MAGNIBER" + description = "Yara rule that detects Magniber ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Magniber" + tc_detection_factor = 5 + + strings: + + $remote_connection = { + E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 55 + ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF + 15 ?? ?? ?? ?? 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 6A ?? 6A ?? 6A ?? 6A ?? + 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 6A + ?? 8D 45 ?? 50 8D 4D ?? 51 68 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 83 7D ?? ?? + 74 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? + ?? 8B 55 ?? 83 C2 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D + ?? ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 33 C0 EB ?? + C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? + ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 + } + + $encrypt_files_1 = { + 55 8B EC 83 EC ?? 56 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? + ?? ?? ?? 89 45 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 8B 55 ?? 03 55 ?? 8D 44 12 + ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? EB + ?? 8B 4D ?? 83 C1 ?? 89 4D ?? 8B 55 ?? 3B 55 ?? 7D ?? 8B 45 ?? 8B 4D ?? 8B 55 ?? 8B + 75 ?? 
66 8B 14 56 66 89 14 41 EB ?? B8 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 66 89 04 4A C7 + 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 8B 4D ?? 3B 4D ?? 7D ?? 8B 55 ?? + 03 55 ?? 8B 45 ?? 8B 4D ?? 8B 75 ?? 66 8B 0C 4E 66 89 4C 50 ?? EB ?? 8B 55 ?? 03 55 + ?? 33 C0 8B 4D ?? 66 89 44 51 ?? 8D 55 ?? 52 8D 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 8B + } + + $encrypt_files_2 = { + 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 + 7D ?? ?? 75 ?? 33 C0 E9 ?? ?? ?? ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 + 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 + ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 66 0F 57 C0 66 0F 13 45 ?? 6A ?? 8D 4D ?? 51 6A ?? + 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 99 8B 4D ?? + 2B 4D ?? 8B 75 ?? 1B 75 ?? 89 45 ?? 89 55 ?? 89 4D ?? 89 75 ?? 8B 55 ?? 3B 55 ?? 7C + ?? 7F ?? 8B 45 ?? 3B 45 ?? 76 ?? 8B 4D ?? 2B 4D ?? 8B 55 ?? 1B 55 ?? 89 4D ?? 89 55 + ?? EB ?? 8B 45 ?? 99 89 45 ?? 89 55 ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B + } + + $encrypt_files_3 = { + 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 33 C0 E9 ?? ?? ?? ?? 83 7D ?? + ?? 75 ?? E9 ?? ?? ?? ?? 8B 4D ?? 3B 4D ?? 73 ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 89 55 + ?? 8B 45 ?? 50 8D 4D ?? 51 6A ?? 6A ?? 8B 55 ?? 52 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? + ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B 4D ?? 51 8D 55 ?? 52 8B 45 ?? 50 6A ?? 8B 4D ?? 51 + 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 8B 45 + ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? EB ?? + E9 ?? ?? ?? ?? 8B 45 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 7D ?? ?? + 74 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 
8B 55 ?? 52 FF 15 ?? ?? ?? ?? + 83 7D ?? ?? 74 ?? 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? 51 8B 55 ?? 52 FF 15 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 3B 45 ?? 7C ?? 7F ?? 8B 4D ?? 3B 4D ?? + 76 ?? 83 7D ?? ?? 74 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? + 8B 4D ?? 51 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? EB + } + + $search_files = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? 83 C0 ?? 89 45 ?? 83 7D ?? ?? 7D ?? 8B 4D ?? 8B 94 + 8D ?? ?? ?? ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 33 C0 E9 ?? ?? ?? + ?? EB ?? 8B 4D ?? 8B 55 ?? 8B 81 ?? ?? ?? ?? 3B 82 ?? ?? ?? ?? 76 ?? B8 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 83 7D ?? ?? 75 ?? B8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? 89 8D ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? + 83 C4 ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8B 4D ?? 83 C1 ?? 51 FF 15 ?? ?? ?? ?? + 85 C0 75 ?? EB ?? 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 83 C1 + ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 74 ?? 
8B 4D ?? 81 79 ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? + ?? 52 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8B 4D ?? + 81 79 ?? ?? ?? ?? ?? 75 ?? 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? + ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 03 45 ?? 89 + 45 ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 6A ?? 8B 4D ?? 81 C1 ?? ?? ?? ?? 51 8B 55 ?? + 81 C2 ?? ?? ?? ?? 52 8B 45 ?? 05 ?? ?? ?? ?? 50 8B 4D ?? 81 C1 ?? ?? ?? ?? 51 8B 55 + ?? 81 C2 ?? ?? ?? ?? 52 8B 45 ?? 05 ?? ?? ?? ?? 50 8B 4D ?? 81 C1 ?? ?? ?? ?? 51 8B + 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_files and + (all of ($encrypt_files_*)) and + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Major.yara b/yara/ransomware/Win32.Ransomware.Major.yara new file mode 100644 index 0000000..16043b1 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Major.yara 
@@ -0,0 +1,261 @@ +rule Win32_Ransomware_Major : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MAJOR" + description = "Yara rule that detects Major ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Major" + tc_detection_factor = 5 + + strings: + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 33 C0 89 4D ?? 57 50 66 89 45 ?? 8D 8D ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 57 C0 C7 45 ?? ?? ?? ?? ?? 50 C7 45 ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F 13 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 + ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 + 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 4D ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 33 C9 8B F8 51 89 4D ?? 51 8D 4D ?? 89 7D ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 4D ?? + 8D 45 ?? 50 FF 77 ?? 57 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 47 ?? 89 4D ?? BB ?? ?? ?? + ?? 8B 48 ?? 89 01 8B 07 8D 4D ?? 83 C0 ?? 3B C8 74 ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 8D 45 ?? 3B C6 + } + + $find_files_p2 = { + 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? + ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? + ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? + ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? 83 7E ?? + ?? 
73 ?? 8B 46 ?? 83 C0 ?? 74 ?? 03 C0 50 8D 45 ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? EB + ?? 8B 06 89 45 ?? C7 06 ?? ?? ?? ?? 8B 46 ?? 89 45 ?? 8B 46 ?? 89 45 ?? C7 46 ?? ?? + ?? ?? ?? 83 7E ?? ?? C7 46 ?? ?? ?? ?? ?? 72 ?? 8B 36 33 C0 66 89 06 8B 45 ?? 83 F8 + ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 + C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? + ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 3F 8D 77 ?? 8B + 4F ?? 8B 07 89 01 8B 0F 8B 47 ?? 89 41 ?? 8B 45 ?? 48 89 45 ?? 89 45 ?? 8B 46 ?? 83 + F8 ?? 72 ?? 8B 0E 40 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 + } + + $find_files_p3 = { + C1 ?? 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? + ?? ?? 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 46 ?? ?? ?? ?? + ?? 83 7E ?? ?? C7 46 ?? ?? ?? ?? ?? 72 ?? 8B 36 33 C0 57 66 89 06 E8 ?? ?? ?? ?? 83 + C4 ?? 8D 8D ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF 15 ?? ?? ?? ?? 8B + F8 89 7D ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 66 66 66 0F 1F 84 00 ?? ?? ?? ?? 33 C0 C7 45 + ?? ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? 0F 84 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 8B 08 85 C9 74 ?? 8B 85 ?? ?? ?? ?? 8B 00 8D 14 41 EB ?? 8B 85 + ?? ?? ?? ?? 8B 08 8B 85 ?? ?? ?? ?? 8B 00 8D 14 48 8B 85 ?? ?? ?? ?? 8B 08 2B D1 D1 + FA 81 FA ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 8D 04 12 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 0F 85 + ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? 83 F9 + ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? C7 00 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 00 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 50 89 85 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 
72 + ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 03 C0 3D ?? ?? ?? ?? 72 ?? F6 C1 + } + + $find_files_p4 = { + 0F 85 ?? ?? ?? ?? 8B 41 ?? 3B C1 0F 83 ?? ?? ?? ?? 2B C8 83 F9 ?? 0F 82 ?? ?? ?? ?? + 83 F9 ?? 0F 87 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 68 + ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 EC ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 8B D4 33 C0 C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? 66 89 02 66 39 85 ?? ?? ?? + ?? 75 ?? 33 C9 EB ?? 8D 8D ?? ?? ?? ?? 8D 71 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B + CE D1 F9 51 8D 85 ?? ?? ?? ?? 8B CA 50 E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? 6A ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? + ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 83 CB ?? C7 45 ?? + ?? ?? ?? ?? 66 89 45 ?? 66 39 85 ?? ?? ?? ?? 75 ?? 33 C9 EB ?? 8D 8D ?? ?? ?? ?? 8D + 51 ?? 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 8D 45 ?? 83 CB ?? 50 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 + 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + } + + $find_files_p5 = { + 83 CB ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 CB ?? 50 8D 85 ?? + ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 CB ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 83 CB ?? 50 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 85 C0 74 ?? + C6 45 ?? ?? F6 C3 ?? 74 ?? 8B 45 ?? 83 E3 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? + E8 ?? ?? ?? ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? F6 C3 ?? + 74 ?? 8B 85 ?? ?? ?? ?? 83 E3 ?? 83 F8 ?? 72 ?? 40 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 66 89 85 ?? ?? ?? ?? F6 C3 ?? 74 ?? 8B 85 ?? ?? ?? ?? 
83 E3 ?? 83 F8 ?? 72 ?? 40 + 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? F6 C3 ?? 74 ?? 8B 85 ?? ?? + ?? ?? 83 E3 ?? 83 F8 ?? 72 ?? 40 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? + ?? ?? 8B 45 ?? 83 E3 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 33 C0 + } + + $find_files_p6 = { + C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? 83 E3 ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 72 + ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 80 7D ?? ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 75 ?? 8D 45 ?? 50 8D 4D ?? FF 76 ?? 56 E8 ?? ?? + ?? ?? 8B 55 ?? B9 ?? ?? ?? ?? 2B CA 83 F9 ?? 0F 82 ?? ?? ?? ?? 89 46 ?? 42 8B 48 ?? + 89 55 ?? 89 01 E9 ?? ?? ?? ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 75 ?? + 8D 45 ?? 50 8D 4D ?? FF 76 ?? 56 E8 ?? ?? ?? ?? 8B 55 ?? B9 ?? ?? ?? ?? 2B CA 83 F9 + ?? 0F 82 ?? ?? ?? ?? 89 46 ?? 42 8B 48 ?? 89 55 ?? 89 55 ?? 89 01 8B 45 ?? 83 F8 ?? + 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 8D ?? ?? ?? ?? 54 E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ?? ?? ?? ?? 8B 75 + ?? 8B CE E8 ?? ?? ?? ?? 85 C0 74 ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 45 ?? 8B CE 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 7D ?? + 8B CF E8 ?? ?? ?? ?? 8B 4D ?? 85 C9 74 ?? 8B 7D ?? E9 ?? ?? ?? ?? 8B 4D ?? 85 C9 0F + 84 ?? ?? ?? ?? 0F 1F 00 8B 45 ?? 8D 4D ?? 8B 00 83 C0 ?? 3B C8 74 ?? 6A ?? 6A ?? 50 + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 + } + + $find_files_p7 = { + 8D 45 ?? 3B C6 74 ?? 8B 4D ?? 83 F9 ?? 72 ?? 41 51 FF 75 ?? 8B C8 E8 ?? ?? ?? ?? 33 + C0 C7 45 ?? ?? ?? ?? ?? 56 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? + 8B 45 ?? 83 F8 ?? 72 ?? 
40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 83 7D ?? ?? 8D 8D ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF 15 ?? ?? ?? ?? 8B 75 + ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 0F 1F 00 33 C0 C7 45 ?? ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 45 ?? + 6A ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF + 75 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 85 ?? ?? ?? ?? 83 EC ?? F6 85 ?? ?? ?? ?? ?? 8B CC 50 0F 84 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B CF E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 5D ?? 8D 45 ?? 50 8D 4D ?? FF 73 ?? 53 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 2B CE 83 F9 ?? 0F 82 ?? ?? ?? ?? 89 43 ?? 46 8B 48 ?? 89 75 ?? 89 01 8B 45 ?? 83 F8 + ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 8D ?? ?? ?? ?? 54 E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 85 C0 74 + ?? 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B CF 50 E8 ?? ?? ?? ?? 8B + 45 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 85 F6 0F 85 ?? + ?? ?? ?? FF 75 ?? FF 15 + } + + $encrypt_files_p1 = { + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 45 ?? 83 7D ?? ?? 0F 43 45 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 33 C0 C7 45 ?? ?? + ?? ?? ?? 6A ?? 50 66 89 45 ?? 8D 4D ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 6A ?? 0F + 43 45 ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 89 45 ?? FF 15 ?? ?? ?? + ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 
85 C0 0F 84 ?? + ?? ?? ?? 8B 4D ?? 01 0D ?? ?? ?? ?? 8B 55 ?? 11 15 ?? ?? ?? ?? 83 FA ?? 0F 8C ?? ?? + ?? ?? 7F ?? 85 C9 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? 66 66 0F 1F 84 00 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 + FF 74 ?? 8B 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8B 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? C7 45 ?? ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 8B 4D ?? 83 C4 ?? 6A + } + + $encrypt_files_p2 = { + 50 E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 57 53 FF 15 ?? ?? ?? ?? + 8B 55 ?? 8B 4D ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 56 8D 85 + ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 6A ?? 6A ?? 50 53 FF 15 ?? + ?? ?? ?? 8B 55 ?? 8D 45 ?? 8B 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 50 56 53 FF 15 ?? ?? ?? ?? 83 6D ?? ?? 0F 85 ?? ?? ?? ?? 57 E8 ?? ?? + ?? ?? 56 E9 ?? ?? ?? ?? 8B F1 8B C2 81 C6 ?? ?? ?? ?? 83 D0 ?? 83 F8 ?? 0F 87 ?? ?? + ?? ?? 72 ?? 81 FE ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F + 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? 66 90 + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 + 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 8B + 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 55 + ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? 
?? E8 ?? ?? ?? ?? 50 + } + + $encrypt_files_p3 = { + E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? C7 45 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 8B 4D ?? 83 C4 ?? 6A ?? 50 E8 ?? ?? + ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 57 53 FF 15 ?? ?? ?? ?? 8B 55 ?? 8B + 4D ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 56 8D 85 ?? ?? ?? ?? + 57 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 6A ?? 6A ?? 50 53 FF 15 ?? ?? ?? ?? 8B + 55 ?? 8D 45 ?? 8B 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 50 56 53 FF 15 ?? ?? ?? ?? 83 6D ?? ?? 0F 85 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 56 E9 + ?? ?? ?? ?? 8B F1 8B C2 81 C6 ?? ?? ?? ?? 83 D0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 72 ?? + 81 FE ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? 66 90 68 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 8B 55 ?? 8B 4D + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8B F0 83 C4 ?? 85 F6 74 ?? C7 45 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 + } + + $encrypt_files_p4 = { + 50 E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 8B 4D ?? 83 C4 ?? 6A ?? 50 E8 ?? ?? ?? ?? F2 0F + 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 57 53 FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4D ?? E8 ?? + ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 56 8D 85 ?? ?? ?? ?? 57 50 E8 ?? + ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 6A ?? 6A ?? 50 53 FF 15 ?? ?? ?? ?? 8B 55 ?? 8D 45 + ?? 8B 4D ?? 6A ?? 50 E8 ?? ?? ?? ?? F2 0F 59 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 56 53 + FF 15 ?? ?? ?? ?? 83 6D ?? ?? 0F 85 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 56 E9 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 
8B F0 83 C4 ?? 85 F6 75 ?? 0F 1F 84 00 ?? ?? ?? ?? + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B F0 83 C4 + ?? 85 F6 74 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 75 ?? 66 + 0F 1F 84 00 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 + ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 45 ?? 6A ?? 50 FF 75 ?? 56 53 FF 15 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? + ?? ?? ?? 57 56 50 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? F7 D8 6A ?? 6A ?? 50 53 FF 15 ?? + ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 57 53 FF 15 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 57 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 0F 57 C0 66 0F 13 45 ?? 6A ?? 50 6A ?? 53 FF 15 ?? ?? + ?? ?? 8B 75 ?? 8D 45 ?? 6A ?? 50 FF B6 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? + ?? 50 FF B6 ?? ?? ?? ?? 53 FF D7 8B 35 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 6A ?? 6A ?? 6A + ?? 6A ?? FF 35 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF D6 85 C0 0F + 84 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? + ?? FF D6 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 1F 40 ?? 8B 45 ?? 03 C0 50 E8 ?? + ?? ?? ?? 8B F0 83 C4 ?? 80 3E ?? 74 ?? 8B 45 ?? 8B CE 85 C0 74 ?? 66 90 C6 01 ?? 8D + 49 ?? 83 E8 ?? 75 ?? 8D 45 ?? 50 56 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 56 53 FF D7 6A ?? 8D 45 ?? 50 8B 45 ?? FF B0 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 50 8B 45 ?? FF B0 ?? ?? ?? ?? 53 FF D7 53 FF 15 ?? ?? ?? + ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 83 7D ?? ?? 0F 43 45 ?? 6A ?? 50 FF 75 ?? FF + 15 + } + + $remote_connection = { + FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 4D ?? 83 79 ?? ?? 72 ?? + 8B 09 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 51 57 FF 15 ?? ?? ?? ?? 8B F0 89 75 ?? 85 + F6 0F 84 ?? ?? ?? ?? 8B 4D ?? 53 83 79 ?? ?? 75 ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? BB ?? ?? ?? 
?? EB ?? 51 8D 45 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BB + ?? ?? ?? ?? 6A ?? 6A ?? FF 75 ?? 8B C8 6A ?? E8 ?? ?? ?? ?? 33 C9 C7 45 ?? ?? ?? ?? + ?? 66 89 4D ?? 8D 4D ?? 50 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? F6 C3 ?? 74 ?? 8D 4D + ?? 83 E3 ?? E8 ?? ?? ?? ?? F6 C3 ?? 5B 74 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D + 4D ?? 6A ?? 68 ?? ?? ?? ?? 51 6A ?? 68 ?? ?? ?? ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 0F + 43 45 ?? 50 68 ?? ?? ?? ?? 56 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F + 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 3D ?? ?? + ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF D7 85 C0 74 ?? 8B 45 ?? + 85 C0 74 ?? C6 84 05 ?? ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 33 C9 EB ?? 8D 8D ?? + ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? + ?? ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF D7 85 C0 75 ?? 8B 7D + ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 45 + ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 83 7D + ?? ?? 8D 4D ?? 8B 45 ?? 8D 55 ?? 0F 43 4D ?? 8B 75 ?? 03 C1 83 7D ?? ?? 8D 4D ?? 52 + 0F 43 4D ?? 50 51 8B CE E8 ?? ?? ?? ?? 8B 4D ?? 83 F9 ?? 72 ?? 41 51 FF 75 ?? 8D 4D + ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Makop.yara b/yara/ransomware/Win32.Ransomware.Makop.yara new file mode 100644 index 0000000..aa9535d --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Makop.yara 
@@ -0,0 +1,99 @@ +rule Win32_Ransomware_Makop : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MAKOP" + description = "Yara rule that detects Makop ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Makop" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8D 54 24 ?? 52 56 FF 15 ?? ?? ?? ?? 56 8B F8 6A ?? 89 7C 24 ?? FF 15 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 83 FF ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 5F 5E 5B 8B E5 5D C3 33 F6 89 74 24 ?? EB ?? 8D A4 24 ?? ?? ?? ?? 8D 64 24 ?? + 66 8B 44 24 ?? 66 85 C0 0F 84 ?? ?? ?? ?? 66 3D ?? ?? 75 ?? 66 8B 44 24 ?? 66 85 C0 + 0F 84 ?? ?? ?? ?? 66 3D ?? ?? 75 ?? 66 83 7C 24 ?? ?? 0F 84 ?? ?? ?? ?? 8D 44 24 ?? + EB ?? 8D 9B ?? ?? ?? ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 8D 54 24 ?? 2B C2 D1 F8 83 + E8 ?? 85 F6 8B F8 89 7C 24 ?? 75 ?? 8B 45 ?? 05 ?? ?? ?? ?? 03 C0 0F 84 ?? ?? ?? ?? + 50 56 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 89 44 24 ?? 8B F0 0F 84 ?? ?? ?? + ?? F6 44 24 ?? ?? 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 38 85 FF 74 ?? 8B 1F 8D 54 24 + ?? 8B CA 2B D9 8D 49 ?? 0F B7 04 13 66 3D ?? ?? 72 ?? 66 3D ?? ?? 77 ?? 83 C0 ?? 0F + B7 C8 0F B7 02 66 3D ?? ?? 72 ?? 66 3D ?? ?? 77 ?? 83 C0 ?? 83 C2 ?? 66 85 C9 0F B7 + C0 74 ?? 66 3B C8 74 ?? 0F B7 D0 0F B7 C1 2B C2 0F 84 ?? ?? ?? ?? 8B 7F ?? 85 FF 75 + ?? 8B 7D ?? 8B 55 ?? 81 C7 ?? ?? ?? ?? 8B DE E8 ?? ?? ?? ?? 8B 4D ?? 8D 5C 4E ?? BA + ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 1C 56 8D 54 24 ?? BF ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4D ?? 8D 54 08 ?? 8B 45 ?? 52 56 50 E8 + } + + $find_files_p2 = { + 83 C4 ?? E9 ?? ?? ?? ?? 8D 5C 24 ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? + 80 79 ?? ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 03 FA 81 FF ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 8B + 15 ?? ?? ?? ?? C6 44 24 ?? ?? 8B 7D ?? 81 C7 ?? ?? ?? ?? 8B DE E8 ?? ?? ?? ?? 8A 44 + 24 ?? 84 C0 75 ?? 
8B 55 ?? 83 C7 ?? 8D 5E ?? E8 ?? ?? ?? ?? 8A 44 24 ?? 8A C8 8B 54 + 24 ?? F6 D9 1B C9 83 E1 ?? F6 D8 8B F1 8D BE ?? ?? ?? ?? 1B C0 83 E0 ?? 83 C0 ?? 03 + 45 ?? 8D 04 42 89 44 24 ?? 8D 58 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 5C 24 ?? 8D BE + ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 8B 54 24 ?? 85 D2 8B 74 24 ?? 8B 45 ?? 77 ?? + 3B 70 ?? 77 ?? B1 ?? EB ?? 8B 55 ?? C6 44 24 ?? ?? E9 ?? ?? ?? ?? 32 C9 88 48 ?? 8B + 4C 24 ?? F6 C1 ?? 74 ?? C6 40 ?? ?? 89 48 ?? EB ?? C6 40 ?? ?? 50 89 50 ?? 89 70 ?? + 8B 44 24 ?? 50 E8 ?? ?? ?? ?? 8B 74 24 ?? 83 C4 ?? A1 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? + 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 54 24 ?? 8D 4C 24 ?? 51 52 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? EB ?? C7 44 24 ?? ?? ?? ?? ?? 8B 74 24 ?? EB ?? 56 6A ?? FF 15 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 50 FF 15 ?? ?? ?? ?? 56 6A ?? FF 15 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files = { + 8B 50 ?? 8B 00 83 EC ?? 55 8B 2D ?? ?? ?? ?? 56 57 6A ?? 8B F9 8D 4C 24 ?? 51 52 50 + 53 FF D5 85 C0 0F 84 ?? ?? ?? ?? 8B 57 ?? 8B 47 ?? 33 F6 56 8D 4C 24 ?? 51 52 50 53 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 75 ?? B0 ?? 5F 5E 5D 83 + C4 ?? C3 3B 47 ?? 73 ?? 8B C8 83 E1 ?? 74 ?? BE ?? ?? ?? ?? 2B F1 8B 4F ?? 56 03 C8 + 6A ?? 51 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 8B 4F ?? 03 C6 50 8D 54 24 ?? 52 51 6A + ?? 6A ?? 89 44 24 ?? 8B 44 24 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8B 4C 24 ?? 8B 54 24 ?? 6A ?? 6A ?? 51 52 53 FF D5 85 C0 74 ?? 8B 4C 24 ?? 8B 57 ?? + 8B 3D ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 03 CE 51 52 53 FF D7 85 C0 74 ?? 8B 44 24 ?? + 8D 0C 30 8B 44 24 ?? 3B C1 72 ?? 01 44 24 ?? 8B 44 24 ?? 8B 50 ?? 8B 00 83 54 24 ?? + ?? 6A ?? 6A ?? 52 50 53 FF D5 85 C0 74 ?? 6A ?? 8D 4C 24 ?? 51 6A ?? 8D 54 24 ?? 52 + 53 FF D7 85 C0 74 ?? 83 7C 24 ?? ?? 0F 83 ?? ?? ?? ?? 5F 5E 32 C0 5D 83 C4 ?? C3 + } + + $enum_network_resources = { + 55 8B EC 83 E4 ?? 83 EC ?? 53 56 57 68 ?? ?? ?? ?? 6A ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? 
?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 8B F0 85 F6 89 74 24 ?? 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 7D ?? 8D 44 24 ?? 50 51 6A ?? + 6A ?? 57 E8 ?? ?? ?? ?? 85 C0 74 ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B + 7D ?? 68 ?? ?? ?? ?? 6A ?? 56 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 8D 54 24 ?? 52 56 8D 44 24 ?? 50 51 E8 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 85 C0 75 ?? 8B 54 24 ?? 8B 45 ?? 52 50 EB ?? 8B 4C 24 + ?? 8B 50 ?? 51 52 E8 ?? ?? ?? ?? 33 DB 83 C4 ?? 39 5C 24 ?? 76 ?? 83 C6 ?? 8D 49 ?? + 8B 46 ?? 85 C0 8B C8 75 ?? B9 ?? ?? ?? ?? 8B 46 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 51 8B + 0E 51 50 E8 ?? ?? ?? ?? 8B 46 ?? 83 C4 ?? A8 ?? 74 ?? 8B 56 ?? 85 D2 74 ?? 85 FF 7E + ?? 8B 45 ?? 85 C0 74 ?? 8B 40 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 55 ?? 8B 4D ?? 52 83 + EF ?? 57 8D 46 ?? 50 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? F6 06 ?? 74 ?? 50 E8 ?? ?? ?? + ?? 8B 56 ?? 8B 45 ?? 83 C4 ?? 52 50 E8 ?? ?? ?? ?? 83 C3 ?? 83 C6 ?? 3B 5C 24 ?? 0F + 82 ?? ?? ?? ?? 8B 74 24 ?? E9 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8B 44 24 ?? 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_network_resources + ) and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Maktub.yara b/yara/ransomware/Win32.Ransomware.Maktub.yara new file mode 100644 index 0000000..8d30fbd --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Maktub.yara 
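Review bot: The condition at the end of the hunk gates only on `uint16(0) == 0x5A4D`, so any MZ-prefixed file of any size is scanned in full against four multi-hundred-byte patterns; a size cap such as `filesize < 5MB` (bound is a constructed example, tune it to the observed sample sizes) together with a PE signature check `uint32(uint32(0x3C)) == 0x00004550` is the usual guard for this rule family. The same applies to the Maktub, Marlboro and MarsJoke hunks below. Since every declared string is required, the nested `( $enum_network_resources ) and ( all of ($find_files_p*) ) and ( $encrypt_files )` form is equivalent to `uint16(0) == 0x5A4D and all of them`, which stays correct if a string is added or renamed. The meta block also carries no `date` or `version` field, which makes it hard to tell later which revision of the signature produced a given detection.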
@@ -0,0 +1,116 @@ +rule Win32_Ransomware_Maktub : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MAKTUB" + description = "Yara rule that detects Maktub ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Maktub" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8B EC 83 EC ?? 53 8B 1D ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 8D 8B ?? ?? ?? ?? E8 ?? ?? + ?? ?? 51 8D B3 ?? ?? ?? ?? 8B CB 56 E8 ?? ?? ?? ?? 85 C0 74 ?? 50 8B 43 ?? FF D0 8D + 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8B 43 ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + B3 ?? ?? ?? ?? FF D0 85 C0 74 ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8B 43 ?? 6A + ?? 6A ?? 6A ?? 6A ?? FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF D0 85 C0 75 ?? FF 75 ?? 8B 43 + ?? FF D0 5E 33 C0 5B 8B E5 5D C3 A1 ?? ?? ?? ?? 57 8B 7D ?? 85 C0 75 ?? FF 15 ?? ?? + ?? ?? A3 ?? ?? ?? ?? 57 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B F8 89 7D ?? 85 C9 74 + ?? 8B D1 33 C0 C1 E9 ?? F3 AB 8B CA 83 E1 ?? F3 AA 8B 7D ?? B9 ?? ?? ?? ?? 3B FE 76 + ?? 8D 46 ?? 3B F8 73 ?? 8D 57 ?? 8D 70 ?? 8B FF 8A 06 8D 52 ?? 88 42 ?? 8D 76 ?? 49 + 75 ?? EB ?? 8B D7 2B D6 8A 06 8D 76 ?? 88 44 32 ?? 49 75 ?? E8 ?? ?? ?? ?? 89 83 ?? + ?? ?? ?? 8D 4F ?? 8B 83 ?? ?? ?? ?? 89 47 ?? FF B3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8D 45 ?? FF 75 ?? 50 8B 43 ?? 57 6A ?? 6A ?? 6A ?? FF 75 ?? FF D0 85 C0 75 ?? A1 + ?? ?? ?? ?? 85 C0 75 ?? A1 ?? ?? ?? ?? FF D0 A3 ?? ?? ?? ?? 57 6A ?? 50 FF 15 ?? ?? + ?? ?? FF 75 ?? 8B 43 ?? FF D0 5F 5E 33 C0 5B 8B E5 5D C3 FF 75 ?? 8D 45 ?? 57 50 E8 + ?? ?? ?? ?? 50 8D 8B ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? + ?? 85 C0 75 ?? A1 ?? ?? ?? ?? FF D0 A3 ?? ?? ?? ?? 57 6A ?? 50 FF 15 ?? ?? ?? ?? FF + 75 ?? 8B 43 ?? FF D0 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + $search_files = { + 55 8B EC 83 EC ?? 53 56 57 8B F9 68 ?? ?? ?? ?? FF 75 ?? 8B 47 ?? FF D0 85 C0 0F 84 + ?? ?? ?? ?? 8B 47 ?? 6A ?? 
68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 75 ?? + FF D0 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 4F ?? 8D 45 ?? 50 0F 57 C0 53 66 0F 13 45 + ?? FF D1 85 C0 0F 84 ?? ?? ?? ?? 8B 75 ?? 8B C6 0B 45 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? 6A ?? 50 8D 4D ?? C7 45 ?? ?? ?? ?? ?? FF + 72 ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 87 ?? ?? ?? ?? + 8B 55 ?? 8D 4A ?? C7 45 ?? ?? ?? ?? ?? 89 4D ?? FF 70 ?? 50 FF 31 8D 4D ?? E8 ?? ?? + ?? ?? 8B 45 ?? 83 C0 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 7F ?? A1 ?? ?? ?? ?? 85 C0 75 ?? + FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 75 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 45 ?? 85 C0 + 7C ?? 7F ?? 81 FE ?? ?? ?? ?? 72 ?? 50 8B 45 ?? 56 53 8B 1D ?? ?? ?? ?? 33 F6 51 8D + 48 ?? 89 65 ?? 39 31 7C ?? 51 8D 70 ?? FF D3 8B 4D ?? 8D 46 ?? 51 33 F6 89 65 ?? 89 + 01 8B 45 ?? 39 70 ?? 8D 48 ?? 7C ?? 51 8D 70 ?? FF D3 8B 4D ?? 8D 46 ?? 89 01 8B CF + E8 ?? ?? ?? ?? 8B 75 ?? 8B F8 E9 ?? ?? ?? ?? 8B 75 ?? 8B 47 ?? 6A ?? 6A ?? 6A ?? 6A + ?? 6A ?? 68 ?? ?? ?? ?? 56 FF D0 89 45 ?? 83 F8 ?? 75 ?? 8B 47 ?? 53 FF D0 33 FF E9 + ?? ?? ?? ?? 51 8D 87 ?? ?? ?? ?? 8B CF 50 E8 ?? ?? ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? + ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 4D ?? C7 45 + ?? ?? ?? ?? ?? 51 FF 75 ?? 50 8B 47 ?? 53 FF D0 85 C0 75 ?? 8B 4D ?? E9 ?? ?? ?? ?? + 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 45 ?? C7 45 ?? + ?? ?? ?? ?? 50 FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 85 C0 74 ?? E8 ?? ?? ?? ?? + 8B 45 ?? 6A ?? 89 45 ?? 8D 45 ?? 50 8B 47 ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 75 ?? FF D0 + 85 C0 75 ?? 8B 4D ?? EB ?? FF 75 ?? 8D 45 ?? 50 FF 75 ?? 8B 47 ?? 6A ?? 6A ?? 6A ?? + FF 75 ?? FF D0 85 C0 75 ?? 8B 4D ?? EB ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF + 75 ?? 8B 45 ?? 50 FF 75 ?? 8B 47 ?? FF D0 8B 4D ?? 85 C0 74 ?? 8B 45 ?? 3B 45 ?? 74 + ?? E8 ?? ?? ?? ?? FF 75 ?? 8B 47 ?? FF D0 8B 47 ?? 53 FF D0 FF 75 ?? 8B 47 ?? FF D0 + 8B 47 ?? 56 FF D0 33 FF E9 ?? ?? ?? ?? E8 ?? ?? 
?? ?? FF 75 ?? 8B 47 ?? FF D0 FF 75 + ?? 8B 47 ?? FF D0 8B 47 ?? 53 FF D0 51 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CF E8 ?? + ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 51 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CF E8 ?? + ?? ?? ?? 6A ?? 51 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 51 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8D 45 + ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CF E8 ?? ?? ?? ?? FF 75 ?? 8B 47 ?? FF D0 85 C0 75 ?? + 8B 47 ?? 56 FF D0 33 FF EB ?? BF ?? ?? ?? ?? 83 C6 ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? + 85 C0 7F ?? A1 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 1D ?? ?? + ?? ?? 56 6A ?? 50 FF D3 EB ?? 8B 47 ?? 53 FF D0 33 FF 8B 1D ?? ?? ?? ?? 8B 75 ?? 83 + C6 ?? 8D 46 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 7F ?? A1 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? + ?? ?? ?? A3 ?? ?? ?? ?? 56 6A ?? 50 FF D3 8B C7 5F 5E 5B 8B E5 5D C2 + } + + $previous_encrypt_files = { + 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8D 4D + ?? 89 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF + 77 ?? FF D3 8D 4D ?? 89 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 + 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 + 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? + FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF + 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? + ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 
FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 + B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 + 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 + 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? FF 30 FF 15 ?? ?? ?? ?? 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF B7 + ?? ?? ?? ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? + ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF B7 ?? ?? ?? ?? FF D3 8B F0 8D + 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? FF 30 FF 15 ?? ?? ?? ?? 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF B7 ?? + ?? ?? ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? + ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF B7 ?? ?? ?? ?? FF D3 8B F0 8D 4D + ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? FF 30 FF B7 ?? ?? ?? ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? 8D B7 ?? ?? ?? ?? FF 30 8B 47 ?? 6A ?? 56 FF D0 85 C0 8D 4D ?? 0F 94 C3 E8 + ?? ?? ?? ?? 84 DB 74 ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + FF 30 8B 47 ?? 6A ?? 56 FF D0 85 C0 8D 4D ?? 0F 94 C3 E8 ?? ?? ?? ?? 84 DB 0F 85 ?? + ?? ?? ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $search_files and $previous_encrypt_files and $encrypt_files +} \ No newline at end of file 
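Review bot: `$previous_encrypt_files` appears to be one short block (`BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? FF 30 FF 77 ?? FF D3 8B F0 8D 4D ?? 89 B7 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 F6 0F 84 ?? ?? ?? ??`, with `FF 15`/`FF B7` variants later) repeated well over a dozen times in sequence, so the string only matches a build with exactly that many consecutive blocks and a variant with one call more or fewer falls through the rule even though `$search_files` and `$encrypt_files` still hit. Declaring the block once (with the call-site variants as alternatives) and requiring a count in the condition, e.g. `#previous_encrypt_files >= 10`, keeps the intent of "many consecutive calls of this shape" while tolerating the exact number; the threshold is a constructed example and whether it preserves the current false-positive rate needs checking against the sample set. The meta block has no `date` or `version` field, as noted on the Makop hunk.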
diff --git a/yara/ransomware/Win32.Ransomware.Marlboro.yara b/yara/ransomware/Win32.Ransomware.Marlboro.yara new file mode 100644 index 0000000..9303809 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Marlboro.yara 
@@ -0,0 +1,117 @@ +rule Win32_Ransomware_Marlboro : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MARLBORO" + description = "Yara rule that detects Marlboro ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Marlboro" + tc_detection_factor = 5 + + strings: + + $ping_apnic = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 0F 57 + C0 F3 0F 7F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 8D 85 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_server_connection_1 = { + BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D7 8B C8 E8 ?? ?? ?? ?? BA ?? ?? + ?? ?? 8B C8 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D6 8B + C8 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 55 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 55 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8B 40 ?? F6 84 05 ?? ?? ?? ?? ?? 74 ?? 83 EC ?? 8D 45 ?? 8D 4D ?? + 50 E8 ?? ?? ?? ?? C6 45 ?? ?? BA ?? ?? ?? ?? 8B C8 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 + } + + $remote_server_connection_2 = { + 84 C0 74 ?? B3 ?? EB ?? 32 DB C7 45 ?? ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 83 7D + ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 
83 C4 ?? 84 DB 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3D ?? ?? ?? + ?? 74 ?? 8D 80 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? [0-3] 8B 85 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 03 C8 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 C6 + 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 C4 ?? 8B 8D ?? ?? ?? ?? 8B F0 85 C9 74 ?? 8B + 01 FF 50 ?? 85 C0 74 ?? 8B 10 8B C8 6A ?? FF 12 8B 06 8B CE 6A ?? 8B 40 ?? FF D0 + } + + $remote_server_connection_3 = { + 50 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 5D ?? 83 C4 ?? 8B 7D ?? 8B 08 8B 49 + ?? F6 44 01 ?? ?? 75 ?? 8B 75 ?? 8D 4D ?? 83 FB ?? B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 0F + 43 CF 3B F0 0F 42 C6 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 83 FE ?? 73 ?? 83 C8 ?? + EB ?? 33 C0 83 FE ?? 0F 95 C0 85 C0 0F 94 C0 84 C0 0F 94 C0 84 C0 0F 85 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + B5 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 83 FB ?? 72 + } + + $remote_server_connection_4 = { + 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 7D + ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B + C6 EB ?? 8B 8D ?? ?? ?? ?? 8B 01 FF 50 ?? 8B 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B8 ?? + ?? ?? ?? C3 8B 85 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 + CD E8 ?? ?? ?? ?? 8B E5 5D + } + + $encrypt_file = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 51 C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 
+ 8B 35 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + C6 45 ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? 83 7D ?? ?? 51 0F 43 45 ?? 8D 8D ?? ?? ?? + ?? 6A ?? 50 E8 ?? ?? ?? ?? 85 C0 8D 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? BF ?? ?? ?? ?? + 8B 40 ?? 75 ?? 03 C8 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 ?? 0B C7 EB ?? 03 C8 33 C0 39 + 41 ?? 0F 44 C7 6A ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 51 0F 43 45 ?? 8D 8D ?? + ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 85 C0 8D 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? + 75 ?? 03 C8 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 ?? 83 C8 ?? EB ?? 03 C8 33 C0 39 41 ?? + 0F 44 C7 6A ?? 50 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 83 EC + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 6A ?? 83 EC ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8D 8D ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 8B 08 8B 49 ?? F6 44 01 ?? ?? 75 ?? 8D 64 24 ?? 51 8D 55 ?? + 8B CE E8 ?? ?? ?? ?? 51 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 + ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 08 8B 49 ?? F6 44 01 ?? ?? 74 ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 03 + C8 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 ?? 83 C8 ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 03 C8 + 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 ?? 83 C8 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 7D ?? ?? 8D + 45 ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? + C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? + ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 C7 85 ?? 
?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 C4 ?? 8B 85 ?? + ?? ?? ?? 8B 40 ?? C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 + ?? 89 84 0D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? + C7 84 05 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 8D 41 ?? 89 84 0D ?? ?? + ?? ?? 8D 45 ?? 50 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 72 ?? FF + 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? C7 45 ?? ?? ?? + ?? ?? 66 89 45 ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? + ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $ping_apnic and + $remote_server_connection_1 and + $remote_server_connection_2 and + $remote_server_connection_3 and + $remote_server_connection_4 and + $encrypt_file +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.MarsJoke.yara b/yara/ransomware/Win32.Ransomware.MarsJoke.yara new file mode 100644 index 0000000..aa97aef --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.MarsJoke.yara 
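Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the closing `}`), and the other rule files added in this commit show the same marker; YARA accepts it, but it is inconsistent with the rest of a text-file corpus and makes the next edit to the last line produce a noisier diff. Adding a final newline to each new `.yara` file is a one-character fix per file. The condition here is again an explicit conjunction of every declared string and could be written as `uint16(0) == 0x5A4D and all of them`.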
@@ -0,0 +1,157 @@ +rule Win32_Ransomware_MarsJoke : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MARSJOKE" + description = "Yara rule that detects MarsJoke ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "MarsJoke" + tc_detection_factor = 5 + + strings: + + $search_and_encrypt_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 8B 45 + ?? 53 56 89 44 24 ?? 8B 45 ?? 57 89 44 24 ?? 8B 45 ?? BE ?? ?? ?? ?? 33 DB 56 89 44 + 24 ?? 8D 84 24 ?? ?? ?? ?? 8B F9 53 50 89 7C 24 ?? 66 89 9C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 56 8D 84 24 ?? ?? ?? ?? 53 50 66 89 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 57 8D 4C 24 ?? 88 5C 24 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 84 C0 0F 85 ?? ?? ?? ?? 38 5C 24 ?? 0F 85 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 59 59 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 59 59 BE ?? ?? ?? + ?? 56 8D 84 24 ?? ?? ?? ?? 50 FF D7 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 56 FF + 74 24 ?? FF D7 FF 74 24 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 + ?? 84 C0 8D 84 24 ?? ?? ?? ?? 75 ?? 50 FF 15 ?? ?? ?? ?? FF 74 24 ?? E9 ?? ?? ?? ?? + 6A ?? 50 FF D7 53 68 ?? ?? ?? ?? 6A ?? 53 6A ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 89 44 24 ?? 75 ?? 56 8D 84 24 ?? ?? ?? ?? 50 FF D7 8D + 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 E9 ?? ?? ?? ?? 8D 4C + 24 ?? 51 50 FF 15 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? FF 74 24 ?? FF 74 24 ?? E8 ?? ?? ?? + ?? 89 5C 24 ?? 33 DB 68 ?? ?? ?? ?? 89 44 24 ?? 8D 84 24 ?? ?? ?? ?? 53 50 89 54 24 + ?? 89 4C 24 ?? 66 89 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF 74 24 ?? 8D 84 24 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 + 24 ?? ?? 
?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 59 56 8D 84 24 ?? ?? ?? ?? 50 FF + D7 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 53 56 6A ?? 53 6A ?? 68 ?? ?? ?? ?? 8D + 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 89 44 24 ?? 75 ?? 56 8D 84 24 ?? ?? + ?? ?? 50 FF D7 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 6A ?? 59 33 C0 66 89 9C 24 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? F3 AB 6A ?? FF + 74 24 ?? 66 AB 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? BF ?? ?? ?? ?? 57 53 FF 15 ?? ?? ?? + ?? 57 53 50 89 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 0B 44 24 ?? 74 ?? 83 44 + 24 ?? ?? 11 5C 24 ?? EB ?? 89 7C 24 ?? 89 5C 24 ?? BF ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? + 59 50 57 8B 7C 24 ?? 57 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 89 47 ?? 8B 44 24 ?? 53 + 89 47 ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 57 FF 74 24 ?? C7 47 ?? ?? ?? ?? ?? 88 5C 24 + ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? C6 44 24 ?? ?? E9 ?? ?? ?? ?? 8B 7C 24 ?? 3B FB 89 + 5C 24 ?? 0F 8C ?? ?? ?? ?? 7F ?? 39 5C 24 ?? 0F 86 ?? ?? ?? ?? 8B 74 24 ?? 83 EE ?? + 1B FB 89 74 24 ?? 89 7C 24 ?? 89 5C 24 ?? 33 C0 EB ?? 8B 7C 24 ?? 8B 74 24 ?? 39 74 + 24 ?? 75 ?? 3B C7 75 ?? 8B 44 24 ?? 89 44 24 ?? EB ?? C7 44 24 ?? ?? ?? ?? ?? 68 ?? + ?? ?? ?? 53 FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 8D 44 24 ?? 50 FF 74 24 ?? FF 74 + 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 6A ?? 58 39 44 24 ?? 73 ?? 89 44 24 ?? 39 74 24 + ?? 75 ?? 33 C0 3B C7 75 ?? 39 5C 24 ?? 7C ?? 7F ?? 83 7C 24 ?? ?? 76 ?? 8B 44 24 ?? + 83 E0 ?? 74 ?? 8B 4C 24 ?? 2B C8 03 C9 89 4C 24 ?? 6A ?? 68 ?? ?? ?? ?? FF 74 24 ?? + 53 FF 15 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 + ?? 50 81 EC ?? ?? ?? ?? 6A ?? 59 8B FC FF B4 24 ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? FF + B4 24 ?? ?? ?? ?? F3 A5 8B B4 24 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? + 53 8D 44 24 ?? 50 FF 74 24 ?? 56 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 68 ?? ?? ?? ?? + 53 56 74 ?? FF 15 ?? ?? ?? ?? 
FF 44 24 ?? 8B 44 24 ?? 89 44 24 ?? 33 C0 3B 44 24 ?? + 0F 8C ?? ?? ?? ?? 7F ?? 8B 4C 24 ?? 3B 4C 24 ?? 0F 82 ?? ?? ?? ?? EB ?? C6 44 24 ?? + ?? FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 74 24 ?? FF 15 ?? ?? ?? ?? + FF 74 24 ?? 8B 3D ?? ?? ?? ?? FF D7 FF 74 24 ?? FF D7 56 8D 84 24 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 38 5C 24 ?? 8D 84 24 + ?? ?? ?? ?? 75 ?? 6A ?? FF 74 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 FF 74 24 ?? 68 ?? ?? + ?? ?? 75 ?? E8 ?? ?? ?? ?? 59 59 8D 84 24 ?? ?? ?? ?? 50 FF D6 EB ?? E8 ?? ?? ?? ?? + 59 59 B0 ?? EB ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 32 C0 8B 8C 24 ?? ?? ?? ?? + 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection_2 = { + 55 8D 6C 24 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? + 53 56 57 BE ?? ?? ?? ?? 56 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 56 89 BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 83 A5 ?? + ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? + ?? BE ?? ?? ?? ?? 56 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 FF B5 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? + E8 ?? ?? ?? ?? 6A ?? 6A ?? 8B C3 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? + ?? 57 E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A + ?? 8D 5D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? + ?? ?? 56 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 83 A5 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? 57 + 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? + 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 66 83 A5 ?? ?? ?? ?? ?? 57 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
50 E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A + ?? 8D 5D ?? E8 ?? ?? ?? ?? 6A ?? 8D 5D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B C3 + 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 50 + E8 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 59 59 5F 5E 5B 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 59 83 BD ?? ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B 4D ?? 8B 85 ?? + ?? ?? ?? 33 CD E8 ?? ?? ?? ?? 83 C5 ?? C9 C3 + } + + $remote_connection_1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 8D 85 + ?? ?? ?? ?? 50 8B F9 8B F2 68 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 33 DB 53 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 89 85 ?? ?? ?? ?? 66 C7 85 + ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 + 88 1F 50 88 1E 66 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D + 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 38 9D ?? ?? ?? + ?? 59 59 75 ?? 68 ?? ?? ?? ?? C6 07 ?? E8 ?? ?? ?? ?? 59 E9 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 59 89 85 ?? ?? ?? ?? 33 F6 BB ?? ?? ?? ?? + 56 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 FF B5 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? 56 53 E8 ?? ?? ?? ?? FF 85 ?? ?? ?? ?? + 46 83 FE ?? 59 59 7C ?? EB ?? 53 E8 ?? ?? ?? ?? 59 83 BD ?? ?? ?? ?? ?? 7C ?? C6 07 + ?? 53 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 F6 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 50 66 + 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 
+ 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 56 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 50 FF + B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 56 68 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 3B C6 0F 8E ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 89 B5 ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 83 8D ?? ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 59 50 56 8D B5 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 8B C8 85 C9 + 89 8D ?? ?? ?? ?? 7D ?? C6 07 ?? 51 E9 ?? ?? ?? ?? 83 F9 ?? 0F 8C ?? ?? ?? ?? 83 BD + ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 66 83 A5 ?? ?? ?? ?? ?? 33 C0 8D BD ?? ?? ?? ?? 66 + AB 40 3B C8 89 85 ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 8D 47 ?? E8 ?? ?? ?? ?? 85 C0 59 59 0F 85 ?? ?? ?? ?? 8B 77 ?? 2B 37 + 8D 46 ?? 50 E8 ?? ?? ?? ?? 59 56 6A ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 07 8B + 8D ?? ?? ?? ?? 83 C4 ?? 03 C8 51 8B 4F ?? 2B C8 51 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 59 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 59 40 50 E8 + ?? ?? ?? ?? 59 FF B5 ?? ?? ?? ?? 8B F0 6A ?? 56 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? FF B5 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 59 56 53 C6 04 06 ?? + E8 ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 83 8D ?? ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? 50 56 8D B5 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 F6 + 3B C6 59 59 0F 8C ?? ?? ?? ?? 83 F8 ?? 0F 8C ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 85 + ?? ?? ?? ?? 83 F8 ?? 7E ?? 48 8D B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 85 C0 59 59 75 ?? 8B 06 8B 8D ?? ?? ?? ?? 03 + C8 51 8B 4E ?? 
2B C8 51 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 83 C6 ?? FF 8D ?? ?? ?? ?? 75 ?? 33 F6 39 B5 ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 59 39 B5 ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 39 B5 ?? + ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 83 C7 ?? 3B 85 ?? ?? ?? ?? 0F 8C ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 85 C0 59 59 0F 85 ?? ?? ?? ?? 39 85 ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 59 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 59 59 B0 ?? E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 50 53 C6 + 01 ?? E8 ?? ?? ?? ?? 59 39 B5 ?? ?? ?? ?? 59 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 59 39 B5 ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 39 B5 ?? ?? ?? ?? 74 + ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? 53 C6 00 ?? E8 ?? ?? ?? + ?? EB ?? 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C6 00 ?? EB ?? 0F + 84 ?? ?? ?? ?? C6 07 ?? FF 15 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? 59 59 83 BD ?? ?? ?? + ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 32 C0 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + condition: + uint16(0) == 0x5A4D and $search_and_encrypt_files and $remote_connection_1 and $remote_connection_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Matsnu.yara b/yara/ransomware/Win32.Ransomware.Matsnu.yara new file mode 100644 index 0000000..fe15c67 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Matsnu.yara 
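Review bot: The strings section declares `$remote_connection_2` before `$remote_connection_1`, while the condition lists them in numeric order; declaring them in the same order (or naming them by role rather than by number) avoids a reader assuming the suffix reflects call order. The condition is otherwise a conjunction of all three strings and could be `uint16(0) == 0x5A4D and all of them`, with the `filesize` and PE-header guards noted on the Makop hunk applying here as well.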
@@ -0,0 +1,116 @@
+rule Win32_Ransomware_Matsnu : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "MATSNU"
+ description = "Yara rule that detects Matsnu ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Matsnu"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection = {
+ 55 89 E5 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ??
+ ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ??
+ ?? C6 45 ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B 8D 83 ?? ?? ?? ?? 8B 00 6A ?? 50
+ FF 93 ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? 8B 36 8D 7D ?? 57 56 FF 93 ?? ?? ?? ?? 85 C0 74
+ ?? 57 8D BB ?? ?? ?? ?? 89 07 5F EB ?? 8D B3 ?? ?? ?? ?? 8B 36 57 8D BB ?? ?? ?? ??
+ 89 37 5F 68 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? EB ?? 8D BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A
+ ?? 57 FF 93 ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? 8B 36 8D BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 56
+ 57 FF 93 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 50 57 FF 93 ?? ?? ?? ?? 85
+ C0 74 ?? C6 00 ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? 8D 93 ?? ??
+ ?? ?? FF 75 ?? 52 51 56 57 FF 93 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 4D ?? 51 57 E8 ??
+ ?? ?? ?? 85 C0 74 ?? 89 45 ?? 8D 4D ?? 51 50 E8 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? FF
+ 93 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 89 85 ?? ?? ?? ?? FF 75 ?? FF 93 ?? ?? ??
+ ?? 8B 45 ?? 8B 75 ?? 89 06 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 83 BD ??
+ ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+ 68 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? 8B 36 8D 83 ?? ?? ?? ?? 50 56 FF
+ 93 ?? ?? ?? ?? 85 C0 74 ?? 40 57 8D BB ?? ?? ?? ?? 89 07 5F E9 ?? ?? ?? ?? 8D B3 ??
+ ?? ?? ?? 8B 36 57 8D BB ?? ?? ?? ?? 89 37 5F 68 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? E9 ??
+ ?? ?? ?? 8D 83 ?? ?? ?? ?? 8B 00 50 FF 93 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ??
+ ?? ??
C9 C2
+ }
+
+ $crypto_file = {
+ 55 89 E5 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ??
+ C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 5D ?? E8
+ ?? ?? ?? ?? 5B 8D 83 ?? ?? ?? ?? 8B 00 85 C0 74 ?? 89 45 ?? 8D 83 ?? ?? ?? ?? 8B 00
+ 85 C0 74 ?? 8D 7D ?? 8D 75 ?? 8D 4D ?? 51 56 57 FF 75 ?? E8 ?? ?? ?? ?? 85 C0 74 ??
+ 89 45 ?? 83 7D ?? ?? 74 ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? EB ?? FF 75 ?? FF 75 ??
+ FF 93 ?? ?? ?? ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 8B 45
+ ?? 8B 5D ?? C9 C2
+ }
+
+ $crypt_file = {
+ 55 89 E5 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ??
+ ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 5B 8D BD ?? ?? ?? ?? FF 75 ?? 57 FF 93 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D B3 ?? ?? ??
+ ?? 56 57 FF 93 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 57 FF 93 ?? ?? ?? ?? 89 45 ?? 8D 85 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 FF 93 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ??
+ ?? 8D 8D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 51 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 30 FF 93 ??
+ ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 4D ?? 8D 85 ?? ?? ?? ?? 6A ??
+ FF 31 50 FF 36 FF 93 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8D 85 ??
+ ?? ?? ?? 8D B5 ?? ?? ?? ?? 51 6A ?? FF 36 68 ?? ?? ?? ?? FF 30 FF 93 ?? ?? ?? ?? 85
+ C0 0F 84 ?? ?? ?? ?? FF 75 ?? 6A ?? FF 93 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 89 45
+ ?? 6A ?? FF 75 ?? FF 93 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF
+ 75 ?? FF 93 ?? ?? ?? ??
83 F8 ?? 0F 84 ?? ?? ?? ?? 89 45 ?? 8D 7D ?? 8D 75 ?? 8D 55
+ ?? 52 56 57 FF 75 ?? FF 93 ?? ?? ?? ?? 8B 45 ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D
+ 45 ?? 6A ?? 50 FF 75 ?? FF 75 ?? FF 75 ?? FF 93 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ??
+ FF 75 ?? FF 93 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? FF 75
+ ?? FF 75 ?? E8 ?? ?? ?? ?? 8D 7D ?? 8D B5 ?? ?? ?? ?? FF 75 ?? 57 FF 75 ?? 6A ?? 6A
+ ?? 6A ?? FF 36 FF 93 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ??
+ ?? ?? FF 75 ?? FF 93 ?? ?? ?? ?? 83 F8 ?? 74 ?? 89 45 ?? 8D 45 ?? 6A ?? 50 FF 75 ??
+ FF 75 ?? FF 75 ?? FF 93 ?? ?? ?? ?? 85 C0 74 ?? 8D 7D ?? 8D 75 ?? 8D 55 ?? 52 56 57
+ FF 75 ?? FF 93 ?? ?? ?? ?? FF 75 ?? FF 93 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D B3 ??
+ ?? ?? ?? FF 06 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 93 ?? ?? ?? ??
+ 8B 85 ?? ?? ?? ?? 50 FF 93 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 6A ?? 50 FF 93 ?? ?? ?? ??
+ 83 7D ?? ?? 74 ?? FF 75 ?? FF 93 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? FF 93 ?? ??
+ ?? ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? C9 C2
+ }
+
+ $enum_files_1 = {
+ 89 E5 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+ C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B E8 ??
+ ?? ?? ?? 8D 7D ?? 6A ?? FF 75 ?? 57 FF 93 ?? ?? ?? ?? 8D 7D ?? 57 FF 93 ?? ?? ?? ??
+ 83 F8 ?? 74 ?? EB ?? 8D 75 ?? 56 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? C9 C2
+ }
+
+ $enum_files_2 = {
+ 55 89 E5 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ??
+ ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ??
+ ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ??
+ 66 C7 45 ?? ?? ?? C6 45 ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B 83 7D ?? ?? 0F 84
+ ?? ?? ?? ?? FF 75 ?? FF 93 ?? ?? ?? ?? 83 C0 ?? 89 45 ?? 40 50 6A ?? FF 93 ?? ?? ??
+ ?? 85 C0 0F 84 ?? ?? ?? ?? 89 45 ?? FF 75 ?? FF 75 ?? FF 93 ??
?? ?? ?? 8D 75 ?? 56
+ FF 75 ?? FF 93 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 57 FF 75 ?? FF 93 ?? ?? ?? ?? 83 F8 ??
+ 0F 84 ?? ?? ?? ?? 89 45 ?? 6A ?? FF 93 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 55 ?? 8D B5
+ ?? ?? ?? ?? 52 56 FF 93 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 55 ?? 8D B5 ?? ?? ?? ?? 52
+ 56 FF 93 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? FF 93 ?? ?? ?? ?? 40 89 45 ?? 8D BD
+ ?? ?? ?? ?? 57 FF 93 ?? ?? ?? ?? 03 45 ?? 89 45 ?? 40 50 6A ?? FF 93 ?? ?? ?? ?? 85
+ C0 0F 84 ?? ?? ?? ?? 89 45 ?? FF 75 ?? FF 75 ?? FF 93 ?? ?? ?? ?? 8D 75 ?? 56 FF 75
+ ?? FF 93 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 56 FF 75 ?? FF 93 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? A9 ?? ?? ?? ?? 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? FF 75 ?? E8 ?? ?? ?? ??
+ EB ?? 8D B5 ?? ?? ?? ?? FF 75 ?? 56 FF 75 ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75
+ ?? FF 93 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 57 FF 75 ?? FF 93 ?? ??
+ ?? ?? 85 C0 74 ?? E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF
+ 75 ?? FF 93 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF 75 ?? FF 93 ?? ?? ?? ?? 83 7D ?? ?? 74
+ ?? FF 75 ?? FF 93 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? C9 C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and $enum_files_1 and $enum_files_2 and $crypto_file and $crypt_file and $remote_connection
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.MedusaLocker.yara b/yara/ransomware/Win32.Ransomware.MedusaLocker.yara
new file mode 100644
index 0000000..0e11e52
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.MedusaLocker.yara
@@ -0,0 +1,174 @@
+rule Win32_Ransomware_MedusaLocker : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "MEDUSALOCKER"
+ description = "Yara rule that detects MedusaLocker ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "MedusaLocker"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 83
+ 7D ?? ?? 75 ?? 32 C0 E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 8B 8D ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 73 ?? 32 C0 E9 ??
+ ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 C9 89 4D ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ??
+ ?? 85 C0 75 ?? 32 C0 E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ??
+ 8B 8D ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ??
+ ?? ?? C7 45 ?? ?? ?? ?? ?? 33 D2 89 55 ?? C7 45 ?? ?? ?? ?? ?? 33 C0 89 45 ?? 0F 57
+ C0 66 0F 13 85 ?? ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 81 C1 ?? ?? ?? ?? 8B 95 ?? ?? ??
+ ?? 83 D2 ?? 89 8D ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 45 ?? 0F 8F ??
+ ?? ?? ?? 7C ?? 8B 8D ?? ?? ?? ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ??
+ 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ??
+ C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? ?? ??
+ 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15
+ ?? ?? ?? ?? 85 C0 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8
+ }
+
+ $encrypt_files_p2 = {
+ 8A 45 ?? E9 ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15
+ ?? ?? ?? ?? 85 C0 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ??
+ 8A 45 ?? E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 85 ??
?? ?? ?? 05 ??
+ ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 3B 4D ?? 0F 83 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? 8D 4D ?? E8 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 50 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 E8
+ ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ??
+ 83 C4 ?? 50 6A ?? 8B 4D ?? 51 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 D0 85 D2 75 ??
+ C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8A 45 ?? E9 ?? ?? ?? ??
+ 6A ?? 8D 45 ?? 50 8B 8D ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 50 8B 55 ?? 52 FF 15
+ ?? ?? ?? ?? 85 C0 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ??
+ 8A 45 ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? EB ?? E9 ?? ?? ?? ?? C7 85
+ ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 4D ?? 8B 95 ??
+ ?? ?? ?? 89 55 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 89 85 ?? ?? ?? ?? 8B 8D ?? ??
+ ?? ?? 89 4D ?? 8B 95 ?? ?? ?? ?? 89 55 ?? 6A ?? 8D 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52
+ }
+
+ $encrypt_files_p3 = {
+ 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 8B 8D ?? ??
+ ?? ?? 83 C1 ?? E8 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 83 C1 ?? E8 ?? ?? ?? ?? 50 8B 55
+ ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? E8 ?? ??
+ ?? ?? 39 45 ?? 0F 85 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45
+ ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8B 4D ??
+ 89 4D ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 89 45 ?? 8B 55 ?? 52 8B
+ 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 8D ?? ?? ?? ?? 83 C1 ?? E8 ?? ?? ?? ?? 89
+ 45 ?? 8B 45 ?? 89 45 ?? 6A ?? 8D 4D ?? 51 6A ?? 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ??
+ ?? ?? 85 C0 74 ?? 83 7D ?? ?? 75 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8
+ ?? ?? ?? ?? 8A 45 ?? EB ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ??
+ ?? 8A 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D
+ C2
+ }
+
+ $search_files_1 = {
+ 55 8B EC 81 EC ?? ?? ?? ??
A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 8B 45 ?? 53 8B 5D
+ ?? 56 89 8D ?? ?? ?? ?? 8B 4D ?? 57 89 8D ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 83
+ 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 72 ?? 8B
+ 45 ?? 33 F6 8D 8D ?? ?? ?? ?? 56 56 56 51 56 50 FF 15 ?? ?? ?? ?? 8B F8 8B 85 ?? ??
+ ?? ?? 83 FF ?? 75 ?? C7 00 ?? ?? ?? ?? 33 C0 66 89 03 EB ?? 6A ?? 89 30 58 66 39 85
+ ?? ?? ?? ?? 75 ?? 66 39 B5 ?? ?? ?? ?? 74 ?? 66 39 85 ?? ?? ?? ?? 75 ?? 66 39 B5 ??
+ ?? ?? ?? 75 ?? 8B 8D ?? ?? ?? ?? 51 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 66 39 33 75 ?? 57
+ FF 15 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 50 53 E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C4 ?? 89 01 8B F7 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ??
+ 8B C6 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3
+ }
+
+ $search_files_2 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8B 5D ?? 8D 85 ?? ?? ??
+ ?? 56 8B 75 ?? 57 8B 7D ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 58 66 39 85 ??
+ ?? ?? ?? 75 ?? 66 83 BD ?? ?? ?? ?? ?? 74 ?? 66 39 85 ?? ?? ?? ?? 75 ?? 66 83 BD ??
+ ?? ?? ?? ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 6A ?? 85 C0 58 75 ?? 68
+ ?? ?? ?? ?? 56 C7 03 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 8B 4D ?? 5F 5E 33 CD 5B E8 ??
+ ?? ?? ?? C9 C3 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 03 8D 85 ?? ?? ?? ?? 50 56 E8 ??
+ ?? ?? ?? 83 C4 ?? EB
+ }
+
+ $enum_resources = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89
+ 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 33 C0 89 45 ?? 66 89 45 ?? B9 ?? ?? ??
+ ?? 6B D1 ?? 66 8B 45 ?? 66 89 44 15 ?? B9 ?? ?? ?? ?? C1 E1 ?? BA ?? ?? ?? ?? 66 89
+ 54 0D ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? 51
+ 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 50 8D 55 ?? 52 FF 15 ?? ?? ?? ?? 33 C0 66 89 45 ?? 8D
+ 4D ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 00 89 45 ?? 8D 4D ?? 51 8D 55 ?? 52
+ 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 08 51 8D 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ??
+ 83 C4 ??
8B 08 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 00 89 45 ?? 8B 4D ?? 51 8B
+ 55 ?? 52 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50
+ 8B 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 4D ?? 64 89 0D ?? ?? ??
+ ?? 59 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2
+ }
+
+ $kill_processes = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 33 C0 88 85 ?? ?? ??
+ ?? 8B 4D ?? E8 ?? ?? ?? ?? 0F B6 C8 85 C9 0F 85 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ??
+ ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ??
+ 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 85 ??
+ ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 95 ??
+ ?? ?? ?? 52 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 8D 4D
+ ?? E8 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 95 ?? ??
+ ?? ?? 85 D2 74 ?? 8B 85 ?? ?? ?? ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ??
+ ?? 83 BD ?? ?? ?? ?? ?? 74 ?? 6A ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ??
+ ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B0 ?? EB ?? 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51
+ FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 32
+ C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2
+ }
+
+ $kill_processes_call = {
+ 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? B9 ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ??
+ 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 8B 8D ?? ?? ?? ?? 83 C1 ??
+ 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 3B 95 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 50 8D
+ 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? EB
+ }
+
+ $enum_resources_call = {
+ 68 ?? ??
?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8D 4D ?? E8 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ??
+ E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8
+ ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D
+ 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 6A ??
+ 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 8D 4D
+ ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 8B C8 E8 ?? ?? ?? ?? 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? 51 8D 4D ?? E8 ??
+ ?? ?? ?? 8D 55 ?? 89 95 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ??
+ ?? 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $kill_processes_call
+ ) and
+ (
+ $kill_processes
+ ) and
+ (
+ $enum_resources
+ ) and
+ (
+ all of ($search_files_*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $enum_resources_call
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Meow.yara b/yara/ransomware/Win32.Ransomware.Meow.yara
new file mode 100644
index 0000000..0174bd9
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Meow.yara
@@ -0,0 +1,84 @@
+rule Win32_Ransomware_Meow : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "MEOW"
+ description = "Yara rule that detects Meow ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Meow"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_p1 = {
+ 72 ?? 8D 45 ?? BA ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 83 C4 ?? 68 ?? ?? ?? ?? 57 FF D0 85 C0 75 ?? 33 F6 6A ?? 68 ?? ?? ?? ?? BA ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 83 C4 ?? FF B4 B5 ?? ?? ?? ?? 57 FF D0 85 C0 75 ?? 46 83 FE ?? 7C
+ ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 5F 5E 33 C0 5B 8B E5 5D C3 CC 55 8B EC 83 EC
+ ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 57 C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ??
+ ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ??
+ ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ??
+ ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8A 45 ?? 80 7D ?? ??
+ 75
+ }
+
+ $encrypt_files_p2 = {
+ 8B 45 ?? 40 89 45 ?? 8B 45 ?? 99 F7 F9 85 D2 74 ?? E9 ?? ?? ?? ?? 8B 45 ?? 25 ?? ??
+ ?? ?? 79 ?? 48 83 C8 ?? 83 C0 ?? 74 ?? 8B 4D ?? 8D 46 ?? 03 CF 0F AF C8 89 4D ?? 8B
+ 45 ?? 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 83 C0 ?? 75 ?? B9 ?? ?? ?? ?? 90 8B 45 ?? 99
+ F7 F9 8B 45 ?? 85 D2 74 ?? 48 EB ?? 40 89 45 ?? 8B 45 ?? 25 ?? ?? ?? ?? 79 ?? 48 83
+ C8 ?? 83 C0 ?? 74 ?? EB ?? 8B 45 ?? B9 ?? ?? ?? ?? 99 F7 F9 85 D2 74 ?? 8B 45 ?? 8D
+ 4E ?? 83 C0 ?? 99 F7 F9 B9 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 99 F7 F9 85 D2 75 ?? 8B 45
+ ?? 99 F7 7D ?? 8B 45 ?? 85 D2 74 ?? 40 EB ?? 48 89 45 ?? 8B 45 ?? 99 F7 F9 85 D2 74
+ ?? 6A ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 FF
+ D0 C7 45 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 45 ?? 99 F7 F9 8B 45 ?? 85 D2 74 ?? 83 C0
+ ?? 03 C3 89 45 ?? 8B 45 ?? 25 ?? ?? ?? ?? 79 ?? 48 83 C8 ?? 83 C0 ??
0F 85
+ }
+
+ $drop_ransom_note = {
+ 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 51 53 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85
+ FF 74 ?? 8B CF E8 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 85 F6 74 ?? 6A
+ ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF D0 6A ??
+ 68 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A
+ ?? 6A ?? 68 ?? ?? ?? ?? 56 FF D0 8B F0 BA ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 89 35 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 56 FF D0 B9 ?? ?? ?? ?? 8D BD ??
+ ?? ?? ?? BE ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? F3 A5 68 ?? ?? ?? ?? 6A ?? 50 66 A5 A4 E8
+ ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 33 CD B8 ??
+ ?? ?? ?? 5F 5B 5E E8 ?? ?? ?? ?? 8B E5 5D C3
+ }
+
+ $find_files = {
+ 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF
+ B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89
+ 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83
+ C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 38 ?? 75 ?? 8A 48 ?? 84 C9 74 ?? 80 F9
+ ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83
+ C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ??
+ ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85
+ ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ??
+ ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? 74 ??
+ FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ??
59 8B D8 56 FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $drop_ransom_note
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Monalisa.yara b/yara/ransomware/Win32.Ransomware.Monalisa.yara
new file mode 100644
index 0000000..f3c5207
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Monalisa.yara
@@ -0,0 +1,83 @@
+rule Win32_Ransomware_Monalisa : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "MONALISA"
+ description = "Yara rule that detects Monalisa ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Monalisa"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 A1 ?? ?? ?? ?? 33
+ C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 75 ?? 83 EC ?? C7 45 ?? ?? ?? ?? ?? 8B CC 89 65
+ ?? 8D 45 ?? B3 ?? 51 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 89 65 ?? 33 C0 6A
+ ?? 68 ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 66 89 01 E8 ?? ?? ?? ??
+ 83 EC ?? C6 45 ?? ?? 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8A D3 88 5D ?? 8B CE E8 ?? ??
+ ?? ?? 8B 55 ?? 83 C4 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ??
+ ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ??
+ 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ??
+ ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 5B 8B E5 5D C3
+ }
+
+ $write_proc_mem = {
+ 8D 45 ?? 50 FF 76 ?? 8B 46 ?? 03 C7 50 8B 06 03 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ??
+ 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 3E 0F B7 41 ?? 48 3B D8 75 ?? 8B 51 ??
+ EB ?? 8B 4D ?? 8B 35 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 56 ?? 8B 4E ?? 2B D7 8B C1 25 ??
+ ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 8B C1 25 ?? ?? ?? ?? 3D ?? ?? ??
+ ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 8B C1 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? B8 ?? ?? ??
+ ?? EB ?? 8B C1 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? EB ?? F7 C1 ?? ??
+ ?? ?? 74 ?? B8 ?? ?? ?? ?? EB ?? F7 C1 ?? ?? ?? ?? 74 ?? B8 ?? ?? ?? ?? EB ?? 85 C9
+ B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 48 C1 8D 4D ?? 51 50 8B 45 ?? 52 03 C7 50 FF 75 ??
+ FF 15
+ }
+
+ $encrypt_files = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ??
?? ?? 33 C5 50
+ 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B C1 83 F8 ?? 0F 82 ??
+ ?? ?? ?? 83 3D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 51 0F 43 05 ?? ?? ?? ?? 50 6A ?? 68 ??
+ ?? ?? ?? 51 FF 75 ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ??
+ ?? ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 C7 05 ?? ?? ?? ?? ?? ?? ??
+ ?? 0F 10 00 0F 11 05 ?? ?? ?? ?? F3 0F 7E 40 ?? 66 0F D6 05 ?? ?? ?? ?? C7 40 ?? ??
+ ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 66 89 08 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ??
+ ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77
+ ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64
+ 89 0D ?? ?? ?? ?? 59 8B E5 5D C3
+ }
+
+ $generate_key = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89
+ 45 ?? 56 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B 75 ??
+ 8B 0C 88 A1 ?? ?? ?? ?? 3B 81 ?? ?? ?? ?? 7F ?? 56 FF 75 ?? FF 35 ?? ?? ?? ?? FF 15
+ ?? ?? ?? ?? 85 C0 74 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 8B 4D ?? 33 CD E8 ?? ??
+ ?? ?? 8B E5 5D C2 ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 3D ?? ?? ?? ?? ??
+ 75 ?? B9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 68 ?? ?? ?? ??
+ 8D 4D ?? E8 ?? ?? ?? ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 68
+ ?? ?? ?? ?? 8D 45 ?? 50 E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $write_proc_mem
+ ) and
+ (
+ $generate_key
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Montserrat.yara b/yara/ransomware/Win32.Ransomware.Montserrat.yara
new file mode 100644
index 0000000..3d13ef1
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Montserrat.yara
@@ -0,0 +1,118 @@
+rule Win32_Ransomware_Montserrat : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "MONTSERRAT"
+ description = "Yara rule that detects Montserrat ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Montserrat"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files_p1 = {
+ 8B FF 55 8B EC 51 8B 4D ?? 53 57 33 DB 8D 51 ?? 66 8B 01 83 C1 ?? 66 3B C3 75 ?? 8B
+ 7D ?? 2B CA D1 F9 83 C8 ?? 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 56 8D 5F ??
+ 03 D9 6A ?? 53 E8 ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ??
+ ?? 83 C4 ?? 85 C0 75 ?? FF 75 ?? 2B DF 8D 04 7E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4
+ ?? 85 C0 75 ?? 8B 4D ?? 56 E8 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5F
+ 5B 8B E5 5D C3 33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ??
+ ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 55 ?? 8B 4D ?? 53 8B 5D ?? 56 57 6A ?? 5E 6A ??
+ 89 95 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 5F EB ?? 0F B7 01 66 3B 85 ?? ?? ??
+ ?? 74 ?? 66 3B C6 74 ?? 66 3B C7 74 ?? 83 E9 ?? 3B CB 75 ?? 0F B7 31 66 3B F7 75 ??
+ 8D 43 ?? 3B C8 74 ?? 52 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 6A ??
+ 8B C6 33 FF 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 8B C7
+ }
+
+ $find_files_p2 = {
+ EB ?? 33 C0 40 2B CB 0F B6 C0 D1 F9 41 F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ??
+ ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50
+ 57 53 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? 8B 85 ?? ?? ?? ?? 50 57 57 53 E8 ?? ??
+ ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD
+ 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 8D ?? ?? ?? ?? 6A ?? 8B 41 ?? 2B 01 C1 F8 ?? 89 85
+ ?? ?? ?? ?? 58 66 39 85 ?? ?? ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 66 39 85 ?? ??
+ ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 51 FF B5 ?? ?? ?? ?? 8D 85 ??
?? ?? ?? 53 50
+ E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 8B 8D
+ ?? ?? ?? ?? 85 C0 6A ?? 58 75 ?? 8B C1 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8
+ ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ??
+ 83 C4 ?? E9
+ }
+
+ $encrypt_files_p1 = {
+ 8B FF 55 8B EC 83 EC ?? 53 56 57 FF 75 ?? 8D 45 ?? FF 75 ?? FF 75 ?? 50 E8 ?? ?? ??
+ ?? 83 C4 ?? 8D 7D ?? 8B F0 6A ?? 59 F3 A5 83 CE ?? 39 75 ?? 75 ?? E8 ?? ?? ?? ?? 83
+ 20 ?? 8B 45 ?? 89 30 E8 ?? ?? ?? ?? 8B 00 E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 5D ?? 89
+ 03 3B C6 75 ?? E8 ?? ?? ?? ?? 83 20 ?? 89 33 E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? EB ??
+ 8B 45 ?? 8D 75 ?? 83 65 ?? ?? 33 C9 41 C7 45 ?? ?? ?? ?? ?? 83 EC ?? 89 08 8B 45 ??
+ C1 E8 ?? F7 D0 23 C1 6A ?? 59 89 45 ?? 8B FC 8D 45 ?? 50 FF 75 ?? F3 A5 E8 ?? ?? ??
+ ?? 8B F8 83 C4 ?? 89 7D ?? BA ?? ?? ?? ?? 83 FF ?? 75 ?? 8B 4D ?? 8B C1 23 C2 3B C2
+ 75 ?? F6 45 ?? ?? 74 ?? 83 EC ?? 8D 45 ?? 81 E1 ?? ?? ?? ?? 8D 75 ?? 89 4D ?? 6A ??
+ 59 8B FC 50 FF 75 ?? F3 A5 E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 89 7D ?? 83 FF ?? 75 ?? 8B
+ 0B 8B C1 83 E1 ?? C1 F8 ?? 6B C9 ?? 8B 04 85 ?? ?? ?? ?? 80 64 08 ?? ?? FF 15 ?? ??
+ ?? ?? 50 E8 ?? ?? ?? ?? 59 E9 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ??
+ ?? ?? ?? 8B F0 56 E8 ?? ?? ?? ?? 59 8B 0B 8B C1 83 E1 ?? C1 F8 ?? 6B C9 ?? 57 8B 04
+ 85 ?? ?? ?? ?? 80 64 08 ?? ?? FF 15 ?? ?? ?? ?? 85 F6 0F 85 ?? ?? ?? ?? E8 ?? ?? ??
+ ?? C7 00 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 F8 ?? 75 ?? 8A 45 ?? 0C ?? EB ?? 83 F8 ?? 8A
+ }
+
+ $encrypt_files_p2 = {
+ 45 ?? 75 ?? 0C ?? 57 FF 33 88 45 ?? E8 ?? ?? ?? ?? 8A 55 ?? 59 59 8B 0B 80 CA ?? 8B
+ C1 88 55 ?? 83 E1 ?? C1 F8 ?? 6B C9 ?? 88 55 ?? 8B 04 85 ?? ?? ?? ?? 88 54 08 ?? 8B
+ 0B 8B C1 83 E1 ?? C1 F8 ?? 6B C9 ?? F6 45 ?? ?? 8B 04 85 ?? ?? ?? ?? C6 44 08 ?? ??
+ 74 ?? FF 33 E8 ?? ?? ?? ?? 8B F0 59 85 F6 75 ?? 8D 45 ?? C6 45 ?? ?? 50 FF 75 ?? 8D
+ 75 ?? 83 EC ?? 6A ?? 59 8B FC FF 33 F3 A5 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B F0
+ FF 33 E8 ?? ??
?? ?? 59 8B C6 E9 ?? ?? ?? ?? 8B 03 8B C8 83 E0 ?? C1 F9 ?? 6B D0 ??
+ 8A 45 ?? 8B 0C 8D ?? ?? ?? ?? 88 44 11 ?? 8B 0B 8B C1 C1 F8 ?? 83 E1 ?? 6B D1 ?? 8B
+ 0C 85 ?? ?? ?? ?? 8B 45 ?? C1 E8 ?? 32 44 11 ?? 24 ?? 30 44 11 ?? F6 45 ?? ?? 75 ??
+ F6 45 ?? ?? 74 ?? 8B 0B 8B C1 83 E1 ?? C1 F8 ?? 6B C9 ?? 8B 04 85 ?? ?? ?? ?? 80 4C
+ 08 ?? ?? 8B 75 ?? B9 ?? ?? ?? ?? 8B C6 23 C1 3B C1 0F 85 ?? ?? ?? ?? F6 45 ?? ?? 74
+ ?? FF 75 ?? FF 15 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 81 E6 ?? ?? ?? ?? 89 75 ?? 8D 75 ??
+ 6A ?? 59 8B FC 50 FF 75 ?? F3 A5 E8 ?? ?? ?? ?? 8B D0 83 C4 ?? 83 FA ?? 75 ?? FF 15
+ ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 0B 8B C1 83 E1 ?? C1 F8 ?? 6B C9 ?? 8B 04 85 ?? ??
+ ?? ?? 80 64 08 ?? ?? FF 33 E8 ?? ?? ?? ?? 59 E9 ?? ?? ?? ?? 8B 0B 8B C1 C1 F8 ?? 83
+ E1 ?? 6B C9 ?? 8B 04 85 ?? ?? ?? ?? 89 54 08 ?? 33 C0 5F 5E 5B 8B E5 5D C3
+ }
+
+ $shutdown_services_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 65 ?? 8B F9 8B 75 ?? 8B 1D
+ ?? ?? ?? ?? FF D3 83 7E ?? ?? 89 45 ?? 72 ?? 8B 36 6A ?? 56 FF 37 FF 15 ?? ?? ?? ??
+ 8B F0 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 6A ?? 56 FF 15
+ ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 75 ?? 56 FF 15 ?? ?? ?? ?? 8B
+ 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 ??
+ ?? 83 F8 ?? 75 ?? 66 90 FF 77 ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 6A
+ ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? FF D3 2B 45 ?? 3B
+ 47 ?? 0F 87 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8B CF E8
+ ?? ?? ?? ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 75 ?? 50 6A ?? 56 FF 15 ?? ?? ?? ?? 85
+ C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 84
+ }
+
+ $shutdown_services_p2 = {
+ FF 77 ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 8D 45 ?? 50 6A ?? 56 FF 15 ?? ?? ?? ??
+ 85 C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? FF D3 2B 45 ?? 3B 47 ?? 0F 87
+ ?? ?? ?? ?? 83 7D ??
?? 75 ?? E9 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ??
+ E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8
+ ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ??
+ ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($shutdown_services_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Motocos.yara b/yara/ransomware/Win32.Ransomware.Motocos.yara
new file mode 100644
index 0000000..0f4bcc6
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Motocos.yara
@@ -0,0 +1,75 @@ +rule Win32_Ransomware_Motocos : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MOTOCOS" + description = "Yara rule that detects Motocos ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Motocos" + tc_detection_factor = 5 + + strings: + + $generate_key = { + 55 8B EC 83 C4 ?? 53 89 4D ?? 89 55 ?? 8B D8 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 83 7D ?? ?? 74 ?? 8B 45 ?? 8B 15 + ?? ?? ?? ?? 8B 12 E8 ?? ?? ?? ?? 75 ?? B9 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 89 45 ?? 33 D2 55 68 ?? ?? + ?? ?? 64 FF 32 64 89 22 8B 4D ?? 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? 89 45 ?? 33 D2 55 68 + ?? ?? ?? ?? 64 FF 32 64 89 22 8B 45 ?? 85 C0 74 ?? 83 E8 ?? 8B 00 8B D8 89 5D ?? 80 + 7D ?? ?? 75 ?? 8B 5D ?? 03 DB 53 8D 45 ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 53 8D 45 ?? 50 8B 45 ?? 50 6A ?? 80 7D ?? ?? F5 1B C0 50 6A ?? 8B 45 + ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 1B C0 40 84 C0 75 ?? B9 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 50 8D 45 ?? B9 ?? ?? ?? ?? 8B 15 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 8B 55 ?? 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 + 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? + 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? C3 E9 ?? ?? + ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? + 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5B 8B E5 5D C2 + } + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 C9 89 4D ?? 89 4D ?? 89 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? + 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 C6 45 ?? ?? 33 D2 55 68 ?? ?? ?? ?? 64 FF + 32 64 89 22 B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 
8B D8 8B C3 8B D8 F6 C3 ?? 74 ?? 66 83 E3 ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B C3 + E8 ?? ?? ?? ?? 8B D0 B1 ?? 8B 45 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8B 4D ?? B2 ?? A1 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 D2 + 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8B 45 ?? 8B 10 FF 12 8B C8 8B 55 ?? A1 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B C8 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 88 45 ?? 33 C0 5A 59 59 64 + 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? + ?? EB ?? 80 7D ?? ?? 75 ?? 8D 45 ?? 50 8B 45 ?? 89 45 ?? C6 45 ?? ?? B8 ?? ?? ?? ?? + 89 45 ?? C6 45 ?? ?? 8D 55 ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 1B C0 40 88 45 + ?? 33 C0 5A 59 59 64 89 10 E9 ?? ?? ?? ?? E9 + } + + $find_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 C9 89 4D ?? 8B FA 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 + FF 30 64 89 20 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 85 DB 7C ?? 8B 45 ?? 66 + 83 3C 58 ?? 75 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 ?? E8 ?? ?? ?? ?? + 8B 75 ?? 85 F6 74 ?? 83 EE ?? 8B 36 8D 45 ?? 50 8D 53 ?? 8B CE 8B 45 ?? E8 ?? ?? ?? + ?? 8B C7 8B 55 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 + ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8B C7 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 + ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 59 59 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $generate_key + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.MountLocker.yara b/yara/ransomware/Win32.Ransomware.MountLocker.yara new file mode 100644 index 0000000..f68e92d --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.MountLocker.yara 
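Review bot: Each added rule file ends without a trailing newline (`\ No newline at end of file` here and again on the MountLocker, NB65, NanoLocker and Nefilim hunks), which diff viewers and some linters flag; a final newline after the closing `}` fixes it. The condition spells out every string in its own parenthesised group, `( $generate_key ) and ( $find_files ) and ( $encrypt_files )`, which is equivalent to `uint16(0) == 0x5A4D and all of them` since every declared string is required; the same holds for NB65 and for the `all of ($..._p*)` groups in MountLocker and Nefilim, while NanoLocker writes its whole condition on a single line, so the five files are stylistically inconsistent with one another. The `author`/`source` meta and the commit message's LICENSE-YARA-RULES pointer suggest these were copied verbatim from ReversingLabs, in which case the restyle is better left to upstream, but recording the upstream revision they were taken from (in the license file or a README) would make later re-syncs verifiable.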
@@ -0,0 +1,86 @@ +rule Win32_Ransomware_MountLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MOUNTLOCKER" + description = "Yara rule that detects MountLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "MountLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? 83 EC ?? 53 56 57 8B 3D ?? ?? ?? ?? 8B DA 8B F1 FF D7 89 44 24 ?? + 33 C0 50 68 ?? ?? ?? ?? 6A ?? 50 50 68 ?? ?? ?? ?? 56 89 54 24 ?? 89 44 24 ?? FF 15 + ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 50 FF 15 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? FF 74 24 ?? FF 74 24 ?? 6A ?? 6A ?? FF 74 24 ?? FF + 15 ?? ?? ?? ?? 89 44 24 ?? 85 C0 0F 84 ?? ?? ?? ?? 33 C9 0F 31 89 44 8C ?? 41 83 F9 + ?? 72 ?? FF 75 ?? 8B D3 8D 4C 24 ?? E8 ?? ?? ?? ?? 89 44 24 ?? 59 85 C0 74 ?? 8D 4C + 24 ?? E8 ?? ?? ?? ?? 89 44 24 ?? 8B 7C 24 ?? 8B 44 24 ?? 89 7C 24 ?? 89 44 24 ?? 8B + 35 ?? ?? ?? ?? 8B DE 8B 15 ?? ?? ?? ?? 03 DF 8B CA 89 54 24 ?? 13 C8 BF ?? ?? ?? ?? + 8B C6 F0 0F C7 0F 8B 7C 24 ?? 3B C6 8B 44 24 ?? 75 ?? 3B 54 24 ?? 75 ?? FF 74 24 ?? + 8B 35 ?? ?? ?? ?? FF D6 FF 74 24 ?? FF D6 8B 3D ?? ?? ?? ?? FF D7 8B F8 8B C2 2B 7C + 24 ?? 89 7C 24 ?? 1B 44 24 ?? 89 44 24 ?? 75 ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 35 ?? ?? + ?? ?? 8B DE 8B 15 ?? ?? ?? ?? 03 DF 8B CA 89 54 24 ?? 13 C8 BF ?? ?? ?? ?? 8B C6 F0 + 0F C7 0F 8B 7C 24 ?? 3B C6 8B 44 24 ?? 75 ?? 3B 54 24 ?? 75 ?? 50 57 FF 74 24 ?? FF + 74 24 ?? E8 ?? ?? ?? ?? 89 44 24 ?? 8B C2 81 E2 ?? ?? ?? ?? 25 ?? ?? ?? ?? 89 54 24 + ?? DF 6C 24 ?? 83 64 24 ?? ?? 89 44 24 ?? DF 6C 24 ?? D9 E0 DE C1 D9 5C 24 ?? D9 44 + 24 ?? D9 05 ?? ?? ?? ?? D8 D9 DF E0 F6 C4 ?? 7A ?? D9 1D ?? ?? ?? ?? EB ?? DD D8 8B + 44 24 ?? EB ?? 8B 44 24 ?? 85 C0 8B 35 ?? ?? ?? ?? 74 ?? 50 FF D6 FF 74 24 ?? FF D6 + 33 C0 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_p2 = { + 55 8B EC 83 EC ?? 
53 56 57 33 FF 6A ?? 8B F7 5B 0F 31 6A ?? 89 86 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 83 C6 ?? 3B F3 72 ?? 8B D3 B9 ?? ?? ?? ?? 8A 01 88 41 ?? 41 83 EA ?? 75 + ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 57 8D 45 ?? 89 5D ?? 50 89 7D ?? 89 7D ?? FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 57 57 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 68 ?? ?? + ?? ?? 57 6A ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? 8B F0 FF 15 ?? ?? ?? ?? 57 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 F6 74 ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? E8 ?? ?? ?? ?? 33 C0 40 + EB ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 5F 5E + 5B 8B E5 5D C3 + } + + $find_files_p1 = { + 53 55 56 8B 74 24 ?? 8B EA 57 8B F9 6A ?? 83 26 ?? 58 66 89 44 6F ?? 8D 5F ?? 33 C0 + 66 89 44 6F ?? 8D 87 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 53 89 44 24 ?? FF D0 33 C9 66 89 + 4C 6F ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 39 4F ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 + F8 ?? 0F 85 ?? ?? ?? ?? 8D 46 ?? 50 6A ?? 8D 4E ?? 51 8D 56 ?? 52 8D 46 ?? 50 6A ?? + 6A ?? 8D 5F ?? 53 FF 15 ?? ?? ?? ?? F7 D8 1B C0 83 C0 ?? 89 06 74 ?? 8B CB E8 ?? ?? + ?? ?? 85 C0 74 ?? 6A ?? 58 66 89 44 6F ?? 33 C0 66 89 44 6F ?? 8D 87 ?? ?? ?? ?? 50 + 53 FF 54 24 ?? 33 C9 66 89 4C 6F ?? 83 F8 ?? 75 ?? 39 0E 74 ?? 51 FF 76 ?? FF 76 ?? + FF 76 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 83 3E ?? 74 ?? FF 76 ?? FF 15 ?? ?? ?? ?? + 83 26 ?? 83 C8 ?? 5F 5E 5D 5B C3 + } + + $find_files_p2 = { + 55 8B EC 83 E4 ?? 83 EC ?? 53 55 56 8B F1 57 FF 46 ?? 8D 7E ?? 8B 07 8D 5E ?? 89 44 + 24 ?? 8B 46 ?? 53 89 07 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 89 44 24 ?? 51 8B D0 8B CE E8 + ?? ?? ?? ?? 8B E8 59 83 FD ?? 75 ?? 33 C0 E9 ?? ?? ?? ?? 53 8D 86 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 8D 9E ?? ?? ?? ?? F6 03 ?? 74 ?? 8B 54 24 ?? 8B CE E8 ?? ?? ?? ?? EB + ?? 8D 86 ?? ?? ?? ?? 50 8B 44 24 ?? 05 ?? ?? ?? ?? 8D 04 46 50 FF 15 ?? ?? ?? ?? FF + 76 ?? 57 6A ?? 
FF 16 83 C4 ?? 85 C0 74 ?? 53 55 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 55 FF + 15 ?? ?? ?? ?? 83 7E ?? ?? 8D 5E ?? 74 ?? 83 7C 24 ?? ?? 74 ?? 6A ?? FF 74 24 ?? FF + 74 24 ?? FF 74 24 ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? 83 7C 24 ?? ?? 74 ?? FF 74 24 + ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 C0 89 0F 40 5F 5E 5D 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.NB65.yara b/yara/ransomware/Win32.Ransomware.NB65.yara new file mode 100644 index 0000000..aab2788 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.NB65.yara 
@@ -0,0 +1,68 @@ +rule Win32_Ransomware_NB65 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NB65" + description = "Yara rule that detects NB65 ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "NB65" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + E8 ?? ?? ?? ?? 89 45 ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? + C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? + C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? + C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? + C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8A 45 ?? 80 7D ?? ?? 75 ?? 33 C9 90 8A 44 0D ?? + 0F B6 C0 83 E8 ?? 6B C0 ?? 99 F7 FB 8D 42 ?? 99 F7 FB 88 54 0D ?? 41 83 F9 ?? 72 ?? + 8D 45 ?? 89 45 ?? A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 50 + ?? 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 81 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF D0 + 85 C0 75 ?? 33 F6 66 90 A1 ?? ?? ?? ?? 8B 80 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? + 8D 50 ?? 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 81 ?? ?? ?? ?? FF B4 B5 ?? ?? ?? + ?? 57 FF D0 85 C0 75 ?? 46 83 FE ?? 7C ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + $find_files = { + 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 + 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? + 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? + 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 80 BD ?? ?? + ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 8B 85 ?? ?? ?? ?? 75 ?? + 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 2B C1 6A ?? 
50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + $enum_procs = { + 33 C9 66 90 8A 84 0D ?? ?? ?? ?? 0F B6 C0 83 E8 ?? 8D 04 C0 99 F7 BD ?? ?? ?? ?? 8D + 42 ?? 99 F7 BD ?? ?? ?? ?? 88 94 0D ?? ?? ?? ?? 41 83 F9 ?? 72 ?? A1 ?? ?? ?? ?? 8B + 40 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 33 D2 33 C9 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 41 + ?? 8D 8D ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? 51 FF D0 85 C0 75 ?? 6A ?? E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 74 ?? C7 00 ?? ?? ?? ?? 8D 50 ?? 8B 8D ?? ?? ?? ?? 89 08 C7 02 ?? ?? + ?? ?? 8B 4E ?? 89 48 ?? 8B 4E ?? 89 01 89 56 ?? 8D 85 ?? ?? ?? ?? 50 57 FF D3 85 C0 + 0F 85 ?? ?? ?? ?? 5B A1 ?? ?? ?? ?? 8B 40 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 33 D2 33 C9 + E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 41 ?? 57 FF D0 8B 4D ?? 5F 33 CD 5E E8 ?? ?? ?? + ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $enum_procs + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.NanoLocker.yara b/yara/ransomware/Win32.Ransomware.NanoLocker.yara new file mode 100644 index 0000000..2b922a2 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.NanoLocker.yara 
@@ -0,0 +1,79 @@ +rule Win32_Ransomware_NanoLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NANOLOCKER" + description = "Yara rule that detects NanoLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "NanoLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_file_1 = { + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? E8 + ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 05 ?? ?? ?? ?? ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 + 05 ?? ?? ?? ?? ?? 8D 3D ?? ?? ?? ?? 33 C9 C6 07 ?? 47 41 81 F9 ?? ?? ?? ?? 75 ?? C7 + 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 0F 84 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 6A + ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 0F 84 ?? ?? ?? ?? 81 3D + ?? ?? ?? ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 56 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 F0 46 8A 06 3C ?? 0F 85 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + } + + $encrypt_file_2 = { + A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 + ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 81 3D ?? ?? ?? ?? + ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 
6A ?? + E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 2D ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? A3 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? + ?? ?? FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 35 ?? + ?? ?? ?? E8 + } + + $remote_server_1 = { + E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? + ?? ?? 83 F8 ?? 72 ?? C6 05 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? E8 + } + + $remote_server_2 = { + E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? A3 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 + } + + $enum_shares_and_encrypt_files = { + E8 ?? ?? ?? ?? C1 C8 ?? BA ?? ?? ?? ?? 23 D0 60 83 FA ?? 75 ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 F8 ?? 76 ?? 83 F8 ?? 74 ?? 8D 35 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 56 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 61 8A 06 46 0A C0 75 ?? 8A 06 0A C0 75 ?? 61 D1 C8 8A 1D ?? + ?? ?? ?? FE C3 88 1D ?? ?? ?? ?? 80 FB ?? 76 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 35 ?? ?? + ?? ?? E8 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 
E8 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $remote_server_1 and $remote_server_2 and $enum_shares_and_encrypt_files +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Nefilim.yara b/yara/ransomware/Win32.Ransomware.Nefilim.yara new file mode 100644 index 0000000..8e4ff8e --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Nefilim.yara 
@@ -0,0 +1,150 @@ +rule Win32_Ransomware_Nefilim : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NEFILIM" + description = "Yara rule that detects Nefilim ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Nefilim" + tc_detection_factor = 5 + + strings: + + $create_encryption_key = { + 55 8B EC 51 A1 ?? ?? ?? ?? C1 E8 ?? 6B C0 ?? 56 50 E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? + ?? 8B F0 A1 ?? ?? ?? ?? 59 89 75 ?? 73 ?? B8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 33 F6 59 59 39 35 ?? ?? ?? ?? 75 ?? 53 57 8B 3D ?? ?? ?? ?? 56 6A ?? 56 BE + ?? ?? ?? ?? 56 BB ?? ?? ?? ?? 53 FF D7 85 C0 75 ?? 6A ?? 6A ?? 50 56 53 FF D7 85 C0 + 75 ?? 50 FF 15 ?? ?? ?? ?? 5F 33 F6 5B A1 ?? ?? ?? ?? C1 E8 ?? 6B C0 ?? 68 ?? ?? ?? + ?? 56 56 50 FF 75 ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 56 EB ?? 5E C9 + C3 + } + + $encrypt_encryption_key = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 68 ?? ?? ?? ?? 8D 45 ?? 8D 4D ?? E8 + ?? ?? ?? ?? 83 78 ?? ?? 59 72 ?? 8B 00 53 56 57 33 DB 53 53 6A ?? 53 53 68 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 33 FF 8D 75 ?? 89 45 ?? E8 ?? ?? ?? ?? 39 5D ?? 0F 84 + ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? BF ?? ?? ?? ?? 57 FF D3 99 83 E2 ?? 03 C2 C1 F8 ?? 6B + C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 57 8B F0 FF D3 50 57 E8 ?? ?? + ?? ?? 59 59 57 FF D3 99 83 E2 ?? 03 C2 C1 F8 ?? 6B C0 ?? 89 45 ?? 8D 45 ?? 50 56 6A + ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 85 C0 75 ?? FF 15 ?? ?? ?? + ?? 8D 45 ?? 50 57 FF D3 99 83 E2 ?? 03 C2 C1 F8 ?? 6B C0 ?? 50 56 FF 75 ?? FF 15 ?? + ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 6A ?? 33 FF 8D 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? 83 EC ?? A1 ?? ?? ?? ?? 33 C4 89 44 24 ?? 83 7D ?? ?? 8B 45 ?? 53 + 56 57 73 ?? 8D 45 ?? 
33 DB 53 53 6A ?? 53 53 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 + 44 24 ?? 3B C3 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 50 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? + 6B C0 ?? 83 C0 ?? 83 F8 ?? 0F 8E ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 6A ?? 89 44 24 ?? + E8 ?? ?? ?? ?? FF 74 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? BE + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 56 89 44 24 ?? E8 ?? ?? ?? ?? FF 74 24 ?? 8B 54 24 ?? + 89 44 24 ?? E8 ?? ?? ?? ?? FF 74 24 ?? 8B 54 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? FF 15 ?? + ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 7E ?? 68 ?? ?? ?? ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 6A ?? + 33 FF E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 53 53 FF 74 24 ?? FF 74 24 ?? + FF 74 24 ?? FF D7 53 FF 15 ?? ?? ?? ?? 53 8D 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? + FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 + F8 ?? 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 53 03 C6 53 13 CB 51 50 FF 74 24 ?? + FF D7 53 8D 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B 44 24 ?? 8B + } + + $encrypt_files_p2 = { + 4C 24 ?? 53 05 ?? ?? ?? ?? 53 13 CB 51 50 FF 74 24 ?? FF D7 53 E8 ?? ?? ?? ?? 0B C2 + 59 74 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 6A ?? 33 FF 8D 74 24 ?? E8 ?? ?? + ?? ?? 8B 3D ?? ?? ?? ?? 53 8D 44 24 ?? 50 FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 74 + 24 ?? FF 15 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 3B C3 0F 8C ?? ?? ?? ?? 7F ?? 81 F9 + ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 89 5C 24 ?? 89 5C 24 ?? 3B C3 0F 8C ?? ?? ?? ?? 7F ?? + 3B CB 0F 86 ?? ?? ?? ?? BE ?? ?? ?? ?? EB ?? 8B 4C 24 ?? 2B 4C 24 ?? 1B 44 24 ?? 89 + 44 24 ?? 0F 88 ?? ?? ?? ?? 7F ?? 81 F9 ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 56 53 FF 15 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 53 53 FF 74 24 ?? 89 44 24 ?? FF 74 24 ?? FF 74 24 ?? + FF D7 53 8D 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 8B + 54 24 ?? 51 56 FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 FF 74 24 ?? FF 74 24 ?? FF + 74 24 ?? FF D7 53 8D 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 
FF 74 24 ?? 53 50 FF 15 ?? ?? ?? ?? 81 44 24 ?? ?? ?? ?? ?? 8B 44 24 ?? + 11 5C 24 ?? 39 44 24 ?? 0F 8C ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 8B 4C 24 ?? 39 4C 24 ?? + 0F 82 ?? ?? ?? ?? E9 ?? ?? ?? ?? 3B C3 0F 8C ?? ?? ?? ?? 7F ?? 81 F9 ?? ?? ?? ?? 0F + } + + $encrypt_files_p3 = { + 86 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 74 24 ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 59 89 44 24 ?? FF 15 ?? ?? ?? ?? 53 53 33 C9 51 33 C0 50 FF 74 24 ?? FF D7 53 + 8D 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 8B 54 24 ?? + 51 56 FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 33 C0 50 50 FF 74 24 ?? FF D7 53 8D + 44 24 ?? 50 56 FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? + 59 E9 ?? ?? ?? ?? 51 53 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? FF 15 ?? + ?? ?? ?? 53 53 33 C0 50 53 FF 74 24 ?? FF D7 53 8D 44 24 ?? 50 FF 74 24 ?? FF 74 24 + ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 8B 4C 24 + ?? 8B 54 24 ?? 51 FF 74 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 33 C0 50 53 + FF 74 24 ?? FF D7 53 8D 44 24 ?? 50 FF 74 24 ?? FF 74 24 ?? FF 74 24 ?? FF 15 ?? ?? + ?? ?? FF 74 24 ?? 53 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 33 FF 8D 74 24 ?? + E8 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? FF 74 24 ?? + E8 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? FF 74 24 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 45 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 72 ?? 8B 00 83 7D ?? ?? 8B + 4D ?? 73 ?? 8D 4D ?? 50 51 FF 15 ?? ?? ?? ?? 6A ?? 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? + 6A ?? 33 FF 8D 75 ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + $find_files_1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 + 57 6A ?? 5E 33 C0 33 FF 6A ?? 66 89 44 24 ?? 57 8D 45 ?? 8D 4C 24 ?? 89 74 24 ?? 89 + 7C 24 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 66 + 89 44 24 ?? 66 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 
03 44 24 ?? 8D 4C 24 ?? 89 74 24 ?? + 89 7C 24 ?? 89 74 24 ?? 89 7C 24 ?? E8 ?? ?? ?? ?? 57 8D 44 24 ?? 50 83 C8 ?? 8D 74 + 24 ?? E8 ?? ?? ?? ?? 57 8D 84 24 ?? ?? ?? ?? 50 83 C8 ?? E8 ?? ?? ?? ?? 8B DE 8D 44 + 24 ?? E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 8B 44 24 ?? 73 ?? 8D 44 24 + ?? 8D 8C 24 ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 + } + + $find_files_2 = { + D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? F6 + 84 24 ?? ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 4C 24 ?? 8D 44 24 ?? 74 ?? E8 ?? ?? + ?? ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 59 8B D8 59 8D 44 24 ?? E8 ?? ?? ?? ?? 6A ?? 33 + FF 8D 74 24 ?? E8 ?? ?? ?? ?? 6A ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 83 EC ?? 8B CC 21 79 + ?? 33 C0 6A ?? C7 41 ?? ?? ?? ?? ?? 66 89 01 50 8D 44 24 ?? E8 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 59 8D 44 24 ?? E8 ?? ?? ?? ?? 6A + ?? 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 50 8D + 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 6A ?? 5F 39 7C 24 ?? 73 ?? 8D 44 24 ?? 8B 35 ?? + ?? ?? ?? 68 + } + + $find_files_3 = { + 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 39 7C 24 ?? 73 ?? 8D 44 24 ?? 68 ?? ?? + ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 39 7C 24 ?? 73 ?? 8D 44 24 ?? 68 + ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 39 7C 24 ?? 73 ?? 8D 44 24 + ?? 68 ?? ?? ?? ?? 50 FF D6 85 C0 74 ?? 8B 44 24 ?? 39 7C 24 ?? 73 ?? 8D 44 24 ?? 68 + ?? ?? ?? ?? 50 FF D6 85 C0 74 ?? 8B 44 24 ?? 39 7C 24 ?? 73 ?? 8D 44 24 ?? 68 ?? ?? + ?? ?? 50 FF D6 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 74 ?? + 8B 4C 24 ?? 39 7C 24 ?? 73 ?? 8D 4C 24 ?? 83 EC ?? 8B C4 51 E8 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 6A ?? 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 74 + 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? 
?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 33 DB + 43 53 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? 53 8D B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 8D + 74 24 ?? E8 ?? ?? ?? ?? 53 8D 75 ?? E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5B 33 + CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_*) + ) and + ( + $create_encryption_key + ) and + ( + $encrypt_encryption_key + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Nemty.yara b/yara/ransomware/Win32.Ransomware.Nemty.yara new file mode 100644 index 0000000..3e22949 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Nemty.yara 
@@ -0,0 +1,205 @@ +rule Win32_Ransomware_Nemty : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NEMTY" + description = "Yara rule that detects Nemty ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Nemty" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 33 DB 68 ?? ?? ?? ?? 8D 75 + ?? 89 5D ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? 83 78 ?? ?? 59 59 72 ?? 8B 00 + 53 53 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 33 FF 8D 75 ?? E8 ?? ?? ?? ?? 6A + ?? 8D 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 75 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? + ?? ?? ?? 83 78 ?? ?? 59 59 72 ?? 8B 00 53 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? + ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 32 DB EB ?? B3 ?? 6A ?? 33 FF 8D 75 ?? E8 ?? ?? ?? ?? + 6A ?? 8D 75 ?? E8 ?? ?? ?? ?? 84 DB 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 75 ?? E8 ?? + ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? 83 78 ?? ?? 59 59 72 ?? 8B 00 8B 1D ?? ?? ?? ?? + 50 FF D3 6A ?? 33 FF 8D 75 ?? 89 45 ?? E8 ?? ?? ?? ?? 6A ?? 8D 75 ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 75 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? 83 78 ?? ?? 59 59 + 72 ?? 8B 00 50 FF D3 33 DB 43 53 33 FF 8D 75 ?? 89 45 ?? E8 ?? ?? ?? ?? 53 8D 75 ?? + E8 ?? ?? ?? ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 59 59 FF 75 ?? FF + } + + $remote_connection_p2 = { + D6 FF 75 ?? FF D6 68 ?? ?? ?? ?? 8D 75 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? + 83 78 ?? ?? 59 59 72 ?? 8B 00 50 FF 15 ?? ?? ?? ?? 53 33 FF 8D 75 ?? E8 ?? ?? ?? ?? + 53 8D 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 75 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? + ?? ?? ?? 83 78 ?? ?? 59 59 72 ?? 8B 00 33 C9 51 51 51 50 68 ?? ?? ?? ?? 51 FF 15 ?? + ?? ?? ?? 53 33 FF 8D 75 ?? E8 ?? ?? ?? ?? 53 8D 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 8B 4D ?? 6A ?? 5A 8B C1 39 55 ?? 73 ?? 8D 45 ?? 03 45 ?? 
39 55 ?? + 73 ?? 8D 4D ?? EB ?? 80 39 ?? 75 ?? C6 01 ?? 41 3B C8 75 ?? 8B 45 ?? 39 55 ?? 73 ?? + 8D 45 ?? 03 45 ?? 8B 4D ?? 39 55 ?? 73 ?? 8D 4D ?? EB ?? 80 39 ?? 75 ?? C6 01 ?? 41 + 3B C8 75 ?? 8B 45 ?? 39 55 ?? 73 ?? 8D 45 ?? 03 45 ?? 8B 4D ?? 39 55 ?? 73 ?? 8D 4D + ?? EB ?? 80 39 ?? 75 ?? C6 01 ?? 41 3B C8 75 ?? 83 EC ?? 8D 45 ?? 8B F4 50 E8 ?? ?? + ?? ?? 83 EC ?? 8B F4 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 33 + FF 8D 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $enum_resources_p1 = { + 55 8B EC 83 E4 ?? 83 EC ?? A1 ?? ?? ?? ?? 33 C4 89 44 24 ?? 53 56 57 FF 15 ?? ?? ?? + ?? 83 64 24 ?? ?? 89 44 24 ?? BB ?? ?? ?? ?? 8B 54 24 ?? 8B 4C 24 ?? D3 EA 33 C0 40 + 23 D0 0F 84 ?? ?? ?? ?? 83 64 24 ?? ?? 6A ?? 80 C1 ?? 5F 88 4C 24 ?? FF 74 24 ?? 8D + 74 24 ?? 89 7C 24 ?? C6 44 24 ?? ?? E8 ?? ?? ?? ?? 83 64 24 ?? ?? 8B 74 24 ?? 53 89 + 7C 24 ?? C6 44 24 ?? ?? E8 ?? ?? ?? ?? 59 03 C6 8D 4C 24 ?? E8 ?? ?? ?? ?? 6A ?? 8D + 44 24 ?? 50 83 C8 ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 8B F8 53 8B C6 + E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 8B 44 24 ?? 73 ?? 8B C6 50 FF 15 ?? ?? ?? ?? 6A ?? 33 + FF 8D 74 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? 59 + 8B F8 53 8D 44 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? + 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? 59 8B F8 53 + 8D 44 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 + } + + $enum_resources_p2 = { + 8D 44 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 33 FF 8D + 74 24 ?? E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? 59 8B F8 53 8D 44 24 + ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? E8 ?? ?? ?? ?? 8D 44 24 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 33 FF 8D 74 24 ?? + E8 ?? ?? ?? ?? 83 7C 24 ?? ?? 8B 44 24 ?? 73 ?? 
8D 44 24 ?? 6A ?? 8D 4C 24 ?? 51 8D + 4C 24 ?? 51 50 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 0F AC C8 ?? 89 44 24 ?? 8D + 44 24 ?? BE ?? ?? ?? ?? C1 E9 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 4C 24 ?? 0F AC C8 ?? + 89 44 24 ?? 8D 44 24 ?? BE ?? ?? ?? ?? C1 E9 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 2B 44 24 + ?? 8B 4C 24 ?? 1B 4C 24 ?? BE ?? ?? ?? ?? 0F AC C8 ?? 89 44 24 ?? 8D 44 24 ?? C1 E9 + ?? E8 ?? ?? ?? ?? 6A ?? 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? FF 44 24 ?? 83 7C 24 ?? ?? + 0F 8C ?? ?? ?? ?? 8B 4C 24 ?? 5F 5E 5B 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files_1_p1 = { + 6A ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 + 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? + E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? + 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? + ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 + } + + $find_files_1_p2 = { + C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? E8 ?? ?? ?? ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? + ?? 59 84 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 0F + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 75 ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? E8 ?? ?? 
?? ?? 59 84 C0 75 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? + ?? 59 84 C0 75 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 75 ?? 68 ?? ?? + ?? ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 59 84 C0 75 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? E8 ?? ?? + ?? ?? 59 84 C0 75 ?? 83 EC ?? 8D 44 24 ?? 8B F4 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 6A ?? 33 FF 8D 74 24 ?? E8 ?? ?? ?? ?? 6A ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? + FF 15 + } + + $find_files_2_p1 = { + 8D 44 24 ?? 8D 8C 24 ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 + ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F + 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? + ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? BF ?? ?? ?? ?? 57 8D + 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 57 8D 84 24 ?? ?? ?? ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 + } + + $find_files_2_p2 = { + 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 + 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? 
?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? E8 ?? + ?? ?? ?? 83 4C 24 ?? ?? 83 EC ?? 8B C4 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 4C + 24 ?? 8B C4 51 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 84 24 ?? ?? + ?? ?? 50 8D 44 24 ?? E8 ?? ?? ?? ?? 83 4C 24 ?? ?? 83 EC ?? 8B C4 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 EC ?? 8D 8C 24 ?? ?? ?? ?? 8B C4 51 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 75 ?? 32 DB EB ?? B3 ?? F6 44 24 ?? ?? 74 ?? 83 64 24 ?? ?? 6A ?? 33 + FF 8D 74 24 ?? E8 ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? 83 64 24 ?? ?? 6A ?? 33 FF 8D 74 + } + + $find_files_2_p3 = { + 24 ?? E8 ?? ?? ?? ?? 84 DB 0F 85 ?? ?? ?? ?? F6 84 24 ?? ?? ?? ?? ?? 8D 84 24 ?? ?? + ?? ?? 50 0F 84 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B F0 8B + 46 ?? 59 83 C9 ?? 2B C8 83 F9 ?? 0F 86 ?? ?? ?? ?? 8D 58 ?? 6A ?? 8B C6 E8 ?? ?? ?? + ?? 84 C0 74 ?? 83 7E ?? ?? 8B 4E ?? 72 ?? 8B 06 EB ?? 8B C6 6A ?? 5A 66 89 14 48 83 + 7E ?? ?? 89 5E ?? 72 ?? 8B 06 EB ?? 8B C6 33 C9 66 89 0C 58 8B DE 8D 74 24 ?? E8 ?? + ?? ?? ?? 8B DE 8D 44 24 ?? E8 ?? ?? ?? ?? 6A ?? 33 FF E8 ?? ?? ?? ?? 6A ?? 8D 74 24 + ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 44 24 ?? 8B F4 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 44 + 24 ?? 8B F4 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D 44 24 ?? E8 + ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? E8 ?? ?? ?? ?? 59 6A ?? 33 FF 8D 74 24 ?? E8 + ?? ?? ?? ?? 6A ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 40 33 C9 8D 74 24 ?? E8 ?? ?? ?? ?? 8D + 84 24 ?? ?? ?? ?? 50 8D 44 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? E8 ?? ?? + ?? ?? 59 6A ?? 8D 74 24 ?? E8 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? E8 ?? ?? ?? ?? 40 33 C9 + 8D 74 24 ?? E8 + } + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 8B D9 33 F6 C7 43 ?? + ?? ?? ?? ?? 89 73 ?? C6 03 ?? A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 57 2B C1 6A ?? 99 5F + F7 FF 89 9D ?? ?? ?? ?? 
89 B5 ?? ?? ?? ?? 85 C0 74 ?? 89 B5 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 83 EC ?? 03 C1 8B F4 50 E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A + ?? 50 83 C8 ?? 8B F3 E8 ?? ?? ?? ?? 6A ?? 33 FF 8D 75 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? + ?? 8B 0D ?? ?? ?? ?? 2B C1 6A ?? 99 5E F7 FE FF 85 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? + 39 85 ?? ?? ?? ?? 72 ?? 8B 53 ?? 6A ?? 5F C6 85 ?? ?? ?? ?? ?? 3B D7 72 ?? 8B 0B EB + ?? 8B CB 8B 43 ?? 03 C1 3B D7 72 ?? 8B 0B EB ?? 8B CB 50 51 8D 85 ?? ?? ?? ?? 50 8D + 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 39 7B ?? 72 ?? 8B 03 EB ?? 8B C3 8B 5B ?? 8B + B5 ?? ?? ?? ?? 03 D8 53 FF B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B + 4E ?? C6 85 ?? ?? ?? ?? ?? 3B CF 72 ?? 8B 16 EB ?? 8B D6 8B 46 ?? 03 C2 3B CF 72 ?? + 8B 0E EB ?? 8B CE 50 51 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 39 7E ?? 72 ?? 8B 0E EB ?? 8B CE 8B 46 ?? 03 C1 50 FF B5 ?? ?? ?? ?? 8D 9D ?? ?? + ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B 46 ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B 4E + } + + $encrypt_files_p2 = { + 89 85 ?? ?? ?? ?? 3B CF 72 ?? 8B 16 EB ?? 8B D6 8B 46 ?? 03 C2 3B CF 72 ?? 8B 0E EB + ?? 8B CE 3B C8 74 ?? 8B B5 ?? ?? ?? ?? 2B F1 8A 11 88 14 0E 41 3B C8 75 ?? 8D 45 ?? + 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 75 ?? 8B F8 C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 8D 45 ?? E8 ?? ?? ?? ?? 8B F0 8B 46 ?? 8B 56 ?? 59 59 8B 4F ?? 2B C2 3B C8 76 ?? + 8B 47 ?? 2B C1 3B C2 72 ?? 56 8B F7 E8 ?? ?? ?? ?? EB ?? 6A ?? 57 83 C8 ?? E8 ?? ?? + ?? ?? 8B D8 8D 75 ?? E8 ?? ?? ?? ?? 8B C6 68 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 78 ?? ?? 59 59 72 ?? 8B 00 33 DB 53 68 ?? ?? ?? ?? 6A ?? 53 53 68 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 33 FF 8D B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 6A ?? 8D 75 ?? E8 ?? ?? ?? ?? 6A ?? 8D 75 ?? E8 ?? ?? ?? ?? 6A ?? 8D 75 ?? E8 + ?? ?? ?? ?? 6A ?? 8D 75 ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 3B F3 74 ?? 53 53 53 56 + FF 15 ?? ?? ?? ?? 53 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 56 FF + 15 ?? ?? ?? ?? 
56 FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ??
+ ?? 59 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? C9 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_1_p*)
+ ) and
+ (
+ all of ($find_files_2_p*)
+ ) and
+ (
+ all of ($enum_resources_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Networm.yara b/yara/ransomware/Win32.Ransomware.Networm.yara
new file mode 100644
index 0000000..5c27524
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Networm.yara
@@ -0,0 +1,103 @@ +rule Win32_Ransomware_Networm : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NETWORM" + description = "Yara rule that detects Networm ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Networm" + tc_detection_factor = 5 + + strings: + + $find_files = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F1 89 B5 ?? ?? ?? ?? 8B 7D ?? 33 DB + 6A ?? 59 33 C0 89 5D ?? 89 4D ?? 66 89 45 ?? 89 5D ?? 89 5D ?? 89 4D ?? 66 89 45 ?? + 68 ?? ?? ?? ?? 8B D7 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 4D ?? 3B C8 + 74 ?? 88 9D ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 7D ?? ?? 8D 8D ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF 15 ?? ?? ?? ?? + 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 66 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 8D + 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D7 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 8D + ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + C6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? F6 85 + ?? ?? ?? ?? ?? 8D 45 ?? 74 ?? 6A ?? 50 8B CE E8 ?? ?? ?? ?? 8B F0 85 F6 0F 85 ?? ?? + ?? ?? 8B B5 ?? ?? ?? ?? EB ?? 83 7D ?? ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 FF 15 ?? ?? + ?? ?? 85 C0 74 ?? 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? + 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 8B 1D ?? ?? ?? ?? FF D3 8B F0 83 FE ?? 75 ?? 83 7F ?? ?? 8B C7 72 ?? 8B 07 68 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 83 7F ?? ?? 72 ?? 8B 3F 57 FF 15 ?? ?? + ?? ?? 85 C0 75 ?? FF D3 8B F0 EB ?? FF 15 ?? ?? ?? ?? EB ?? 33 F6 8D 4D ?? E8 ?? ?? + ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? C2 + } + + $remote_connection_p1 = { + 55 8B EC 83 EC ?? 
A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8B 5D ?? 56 57 6A ?? 8B FA 8B F1 + FF 15 ?? ?? ?? ?? 33 C0 50 50 89 45 ?? 89 45 ?? 8D 45 ?? 50 8D 45 ?? 50 6A ?? 57 56 + FF 15 ?? ?? ?? ?? 8B D3 8B C8 E8 ?? ?? ?? ?? 83 3B ?? 8B F0 75 ?? 68 ?? ?? ?? ?? EB + ?? 81 3B ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? EB ?? 81 3B ?? ?? ?? + ?? 74 ?? 81 3B ?? ?? ?? ?? 74 ?? 85 F6 74 ?? 83 C8 ?? EB ?? 83 65 ?? ?? 8D 75 ?? 8B + 45 ?? 8B FB C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? A5 A5 A5 8B 4D ?? 5F 5E 33 CD 5B E8 ?? + ?? ?? ?? C9 C3 + } + + $remote_connection_p2 = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8B 5D ?? 56 57 6A ?? 8B FA 8B F1 + FF 15 ?? ?? ?? ?? 33 C0 50 50 50 89 45 ?? 8D 45 ?? 50 FF 75 ?? 57 56 FF 15 ?? ?? ?? + ?? 8B D3 8B C8 E8 ?? ?? ?? ?? 83 3B ?? 8B F0 75 ?? 68 ?? ?? ?? ?? EB ?? 81 3B ?? ?? + ?? ?? 75 ?? 68 ?? ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 85 F6 74 ?? 83 C8 ?? EB ?? 83 65 ?? + ?? 8D 75 ?? 8B 45 ?? 8B FB C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? A5 A5 A5 8B 4D ?? 5F 5E + 33 CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F1 8B 45 ?? 83 F8 ?? C7 45 ?? ?? ?? ?? ?? 0F + 94 C7 83 F8 ?? 0F 94 C3 83 F8 ?? 75 ?? B8 ?? ?? ?? ?? EB ?? 0F B6 C3 83 F0 ?? 8D 04 + 45 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 6A ?? FF 76 ?? FF 15 ?? ?? ?? ?? 8B C8 89 4E ?? + 85 C9 0F 84 ?? ?? ?? ?? 84 FF 74 ?? BF ?? ?? ?? ?? EB ?? 0F B6 C3 8D 3C 45 ?? ?? ?? + ?? 8B 56 ?? 8B 46 ?? 85 D2 7C ?? 0F 8F ?? ?? ?? ?? 85 C0 72 ?? 85 D2 7C ?? 0F 8F ?? + ?? ?? ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 83 F8 ?? 74 ?? 89 55 ?? EB ?? 0F 57 C0 66 0F 13 + 45 ?? 8B 45 ?? FF 75 ?? 50 FF 75 ?? FF 75 ?? 57 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D + 4D ?? 89 46 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? + 59 5F 5E 5B 8B E5 5D C2 + } + + $encrypt_files_p2 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 56 A1 ?? ?? ?? ?? 33 C5 + 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 
8B F1 83 7E ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? + ?? 8B 4D ?? 85 C9 74 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? EB ?? 8B 45 ?? 85 C0 74 ?? 0F + 8E ?? ?? ?? ?? 83 F8 ?? 7E ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? EB ?? F6 C1 ?? C7 45 ?? ?? + ?? ?? ?? B8 ?? ?? ?? ?? 0F 95 C0 40 89 45 ?? 83 7D ?? ?? 7F ?? 0F 8C ?? ?? ?? ?? 83 + 7D ?? ?? 0F 82 ?? ?? ?? ?? 83 7D ?? ?? 7F ?? 0F 8C ?? ?? ?? ?? 83 7D ?? ?? 0F 82 ?? + ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 8D 45 ?? 8B + CE 50 E8 ?? ?? ?? ?? 8D 45 ?? 8B CE 50 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 8B E5 5D C2 ?? ?? 8D 45 ?? 6A + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 C6 45 ?? + ?? E8 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8D 4D ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 45 + ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 C6 + 45 ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 50 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.NotPetya.yara b/yara/ransomware/Win32.Ransomware.NotPetya.yara new file mode 100644 index 0000000..976da64 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.NotPetya.yara 
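Review bot: The meta block of Win32_Ransomware_Networm carries no `hash` or `reference` entry, so nothing records which sample the wildcarded code patterns in `$find_files`, `$remote_connection_p*` and `$encrypt_files_p*` were extracted from; the same applies to the NotPetya, Oni and OphionLocker rules added in the following hunks. Without that anchor a future maintainer cannot retest the rule after editing a pattern or tell whether a miss is a new variant or a regression. Adding one line per reference sample next to `tc_detection_factor`, e.g. `hash = "<sha256 of the reference sample>"`, fixes this at no cost to matching. If the upstream source tracks the samples elsewhere, a `reference = "<upstream URL>"` line pointing there works equally well.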
@@ -0,0 +1,73 @@ +rule Win32_Ransomware_NotPetya : tc_detection malicious +{ + + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NOTPETYA" + description = "Yara rule that detects NotPetya ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "NotPetya" + tc_detection_factor = 5 + + strings: + $encrypt_file = { + 8B EC 83 EC ?? 53 56 57 33 F6 56 56 6A ?? 56 56 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 8B F8 89 7D ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 57 FF 15 ?? ?? ?? ?? 89 + 75 ?? 39 75 ?? 7C ?? B8 ?? ?? ?? ?? 7F ?? 39 45 ?? 76 ?? 89 45 ?? 8B D8 56 53 56 6A + ?? 56 57 FF 15 ?? ?? ?? ?? 89 45 ?? 3B C6 74 ?? FF 75 ?? 56 56 6A ?? 50 FF 15 ?? ?? + ?? ?? 8B F8 3B FE 74 ?? 53 8D 45 ?? 50 8B 45 ?? 57 56 FF 75 ?? 56 FF 70 ?? FF 15 ?? + ?? ?? ?? 85 C0 74 ?? FF 75 ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? FF 75 ?? FF + 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5B C9 C2 ?? ?? 8B 45 ?? 89 45 ?? C1 + E8 ?? 8D 58 ?? C7 45 ?? ?? ?? ?? ?? C1 E3 ?? E9 + } + + $main = { + 55 8B EC 8B 45 ?? 53 56 8B 35 ?? ?? ?? ?? 57 BF ?? ?? ?? ?? 57 6A ?? BB ?? ?? ?? ?? + 53 83 C0 ?? 6A ?? 50 FF D6 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 57 6A + ?? 6A ?? EB ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 53 8B 45 ?? 6A ?? 83 C0 ?? 50 FF D6 + 85 C0 74 ?? 8B 75 ?? 8B C6 E8 ?? ?? ?? ?? 85 C0 74 ?? 56 6A ?? 56 E8 ?? ?? ?? ?? 56 + E8 ?? ?? ?? ?? FF 76 ?? FF 15 ?? ?? ?? ?? 6A ?? FF 76 ?? FF 15 ?? ?? ?? ?? EB ?? 8B + 75 ?? 56 FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B 5D C2 + } + + $encryption_loop = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 83 7D ?? ?? 53 56 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 75 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 + 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 0F 84 ?? ?? + ?? ?? 8B 1D ?? ?? ?? ?? 8B 75 ?? 8B 46 ?? 85 C0 74 ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? 
?? B9 ?? ?? ?? ?? 8D 44 24 ?? 66 8B 10 + 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 + D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 44 24 + ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 + C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 44 24 ?? + 50 FF 75 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? F6 44 + 24 ?? ?? 74 ?? F7 44 24 ?? ?? ?? ?? ?? 75 ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + FF D3 85 C0 75 ?? 8B 45 ?? 56 48 50 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? EB ?? 8D + 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 51 ?? 66 8B 31 83 C1 ?? 66 85 F6 75 ?? + 2B CA D1 F9 8D 4C 4C ?? 3B C1 74 ?? 50 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF D3 85 C0 74 ?? FF 75 + ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5E 5B 8B E5 5D C2 + } + + $shutdown = { + 68 ?? ?? ?? ?? 8B CA 8B D0 0F B7 45 ?? 03 C2 33 D2 F7 F6 0F B7 75 ?? 8D 85 ?? ?? ?? + ?? 50 03 F1 8B FA FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? F6 05 ?? ?? ?? + ?? ?? B8 ?? ?? ?? ?? 75 ?? B8 ?? ?? ?? ?? 56 57 8D 8D ?? ?? ?? ?? 51 50 8D 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 85 ?? ?? ?? ?? 50 56 57 + 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 85 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 5F 5E 8B C3 5B C9 C3 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_file and $main and $encryption_loop and $shutdown + +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Oni.yara b/yara/ransomware/Win32.Ransomware.Oni.yara new file mode 100644 index 0000000..21fa671 --- /dev/null 
+++ b/yara/ransomware/Win32.Ransomware.Oni.yara 
@@ -0,0 +1,82 @@ +rule Win32_Ransomware_ONI : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ONI" + description = "Yara rule that detects Oni ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ONI" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? 53 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? F6 85 ?? ?? ?? ?? + ?? 0F 84 ?? ?? ?? ?? 83 EC ?? 8B D4 C7 42 ?? ?? ?? ?? ?? C7 42 ?? ?? ?? ?? ?? C6 02 + ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 33 C9 EB ?? 8D 8D ?? ?? ?? ?? 8D 71 ?? 90 8A 01 41 84 + C0 75 ?? 2B CE 51 8D 85 ?? ?? ?? ?? 8B CA 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 84 C0 74 ?? 83 EC ?? 8D 45 ?? 8B CC 6A ?? 6A ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? + ?? ?? 50 C6 01 ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC 6A ?? 6A ?? C7 41 ?? ?? ?? + ?? ?? C7 41 ?? ?? ?? ?? ?? 50 C6 01 ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 75 + ?? 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 ?? 72 ?? 83 F9 ?? 77 ?? 8B C8 51 E8 ?? ?? ?? ?? + 83 C4 ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 F8 ?? 72 + ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 75 ?? 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 + ?? 72 ?? 83 F9 ?? 77 ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 5F 5E 33 CD 5B E8 + ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 83 EC ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 57 8B 3D ?? ?? ?? ?? 
8D 45 ?? 68 + ?? ?? ?? ?? 6A ?? 33 F6 89 55 ?? 56 56 50 89 4D ?? 89 75 ?? FF D7 85 C0 75 ?? 68 ?? + ?? ?? ?? 6A ?? 50 50 8D 45 ?? 50 FF D7 8B 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 53 8D 45 ?? + 89 75 ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D0 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 + DB 74 ?? 8D 45 ?? 50 6A ?? 6A ?? FF 75 ?? 53 57 FF 15 ?? ?? ?? ?? 53 6A ?? FF 15 ?? + ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? 8B F0 56 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 56 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ?? + 8B 4D ?? 85 C9 74 ?? 8B 45 ?? 89 01 53 FF 15 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? + 5B 8B 4D ?? 8B C6 5F 33 CD 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $search_processes = { + 6A ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? + ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 44 24 ?? ?? 8D 84 24 ?? ?? ?? ?? FF 74 24 ?? C7 05 ?? + ?? ?? ?? ?? ?? ?? ?? 50 8D 44 24 ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 50 C7 05 ?? ?? ?? + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8D B4 24 ?? ?? ?? ?? 83 EE ?? 4F 83 7E + ?? ?? 72 ?? 8B 1E 8B CE 56 E8 ?? ?? ?? ?? 8B 46 ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C3 ?? + 75 ?? 8B 43 ?? 3B C3 73 ?? 2B D8 83 FB ?? 72 ?? 83 FB ?? 77 ?? 8B D8 53 E8 ?? ?? ?? + ?? 83 C4 ?? C7 46 ?? ?? ?? ?? ?? 83 7E ?? ?? C7 46 ?? ?? ?? ?? ?? 72 ?? 8B 06 EB ?? + 8B C6 8B CE C6 00 ?? E8 ?? ?? ?? ?? 85 FF 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 5F 5E 5B 8B E5 5D C3 E8 ?? ?? ?? ?? CC CC CC CC CC B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
59 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $search_processes
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.OphionLocker.yara b/yara/ransomware/Win32.Ransomware.OphionLocker.yara
new file mode 100644
index 0000000..165f7a5
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.OphionLocker.yara
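Review bot: `$search_processes` in Win32_Ransomware_ONI does not stop at the function epilogue `5F 5E 5B 8B E5 5D C3` but continues through `E8 ?? ?? ?? ?? CC CC CC CC CC` into what appears to be the following function (`B9 ?? ?? ?? ?? E8 ...` up to the final `59 C3`); the run of five `CC` bytes looks like inter-function alignment padding. Matching across that boundary ties the string to the link order and padding of one particular build, so a rebuild that reorders or re-pads functions can silently drop the whole rule, because the condition requires `$search_processes`. Unless the tail was kept deliberately, ending the string at `... 5F 5E 5B 8B E5 5D C3` keeps the discriminating body and removes the dependence on neighbouring code.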
@@ -0,0 +1,105 @@ +rule Win32_Ransomware_OphionLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "OPHIONLOCKER" + description = "Yara rule that detects OphionLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "OphionLocker" + tc_detection_factor = 5 + + strings: + $ol_do_filetypes_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 53 56 57 33 DB 53 89 5D ?? 53 89 5D ?? 89 5D ?? E8 ?? ?? ?? ?? 89 45 ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + } + + $ol_do_filetypes_2 = { + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + C6 45 ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? 
?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? FF 75 ?? 8D 4D ?? 89 5D ?? 50 + 8D 85 ?? ?? ?? ?? 89 5D ?? 50 53 89 5D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 + ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC 89 65 ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 45 ?? 8B CC 8D 75 ?? 50 E8 ?? ?? + ?? ?? 8B CE C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 58 89 45 ?? 89 5D ?? 88 5D ?? 89 45 ?? 89 + 5D ?? 88 5D ?? 83 C4 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B 4D ?? 8B 39 E9 00 01 00 00 8B 77 ?? + 8D 47 ?? 89 45 ?? 3B 77 ?? 0F 84 EC 00 00 00 8B F8 68 ?? ?? ?? ?? 8B D7 8D 4D ?? E8 ?? ?? ?? ?? 56 8B D0 C6 45 ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 50 8D 4D ?? E8 ?? ?? ?? ?? 53 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 6A ?? 8D 4D + } + + $ol_do_filetypes_3 = { + ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B CC 89 65 ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? + 89 65 ?? 8D 45 ?? 83 EC ?? 8B CC 50 E8 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? + 81 C4 ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 53 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC 89 65 ?? 50 E8 ?? + ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 45 ?? 8B CC 50 E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C6 ?? 83 C4 ?? 3B 77 ?? 0F + 85 1C FF FF FF 8B 4D ?? 8B 7D ?? 8B 3F 89 7D ?? 3B F9 0F 85 F5 FE FF FF 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 + ?? ?? 8D 85 ?? ?? ?? ?? 89 65 ?? 8B CC BA ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC E8 ?? ?? ?? ?? C6 45 + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 8B CC 89 65 ?? BA ?? 
?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B + CC E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 33 F6 8D 8D + ?? ?? ?? ?? 53 46 56 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 53 56 8D 4D ?? E8 ?? ?? ?? ?? 53 56 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 53 56 8D 4D ?? E8 ?? ?? + ?? ?? 8B 4D ?? 5F 5E 64 89 0D ?? ?? ?? ?? 5B 8B E5 5D C3 + } + + $ol_ecies_key_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 53 56 57 8B F9 33 DB 89 5D ?? 8D 8D ?? ?? ?? ?? 89 7D ?? 89 5D ?? E8 ?? + ?? ?? ?? 33 F6 8D 85 ?? ?? ?? ?? 46 8D 8D ?? ?? ?? ?? 50 BA ?? ?? ?? ?? 89 75 ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B + CC 8B D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 56 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? + ?? ?? BE ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 50 56 FF 75 ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 85 C0 0F 85 40 03 00 00 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 50 51 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 51 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 40 ?? 8B B4 05 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? FF 50 ?? 50 8B 85 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 03 C8 FF 56 ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? FF 50 ?? 8D 55 ?? 8B C8 E8 ?? ?? ?? ?? 53 6A ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? BB ?? + ?? ?? ?? 8D 4D ?? 53 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? FF 50 ?? 83 7D ?? ?? 8D 4D ?? 8B F0 + 0F 43 4D ?? 51 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 95 ?? ?? ?? ?? 8B 06 52 8B 48 ?? 03 CE 8B 01 FF 50 ?? + C6 45 ?? ?? 8B 8D ?? ?? ?? ?? 
85 C9 74 0D 8B 01 6A ?? 8B 40 ?? 03 C8 8B 01 FF 10 33 F6 C6 45 ?? ?? 56 6A ?? 8D 4D ?? E8 + ?? ?? ?? ?? 83 EC ?? 8B CC 53 E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D0 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? + } + + $ol_ecies_key_2 = { + 56 6A ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8B CC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 6A ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 53 + E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 + ?? ?? 50 8D 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 59 50 8D 4D ?? E8 ?? ?? ?? ?? 56 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? + 56 E8 ?? ?? ?? ?? 59 50 56 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 59 50 56 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 + E8 ?? ?? ?? ?? 59 50 56 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 33 F6 C6 45 ?? ?? 56 50 8D 4D ?? E8 ?? ?? + ?? ?? 56 6A ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC BA ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 95 ?? ?? ?? ?? 8B CC 89 65 ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 53 E8 ?? + ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 56 6A ?? E8 ?? ?? ?? ?? 56 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? + 56 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + } + + $ol_ecies_key_3 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? EB 30 83 EC ?? 8D 55 ?? 8B CC 89 65 ?? E8 + ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC BB ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 51 8D 4F ?? + E8 ?? ?? ?? ?? 8D 77 ?? C7 07 ?? ?? ?? ?? C7 06 ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 53 8D 4D ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 46 ?? 
C6 45 ?? ?? 85 C0 74 05 8D 4E ?? EB 02 33 C9 8D 55 ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 4D ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 8B 06 8B CE FF 50 ?? 6A ?? 68 ?? ?? ?? ?? 8B 08 8B 49 ?? 03 C8 8B 01 FF 50 ?? 53 E8 ?? ?? ?? ?? 59 6A ?? + 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8B C7 5F 5E 64 89 0D ?? ?? ?? ?? 5B + 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + (($ol_do_filetypes_1 and $ol_do_filetypes_2 and $ol_do_filetypes_3) and ($ol_ecies_key_1 and $ol_ecies_key_2 and $ol_ecies_key_3)) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Ouroboros.yara b/yara/ransomware/Win32.Ransomware.Ouroboros.yara new file mode 100644 index 0000000..74f01d8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Ouroboros.yara 
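Review bot: A handful of branch displacements in this rule are left literal while every other immediate is wildcarded: `E9 00 01 00 00` and `0F 84 EC 00 00 00` in `$ol_do_filetypes_2`, `0F 85 1C FF FF FF` and `0F 85 F5 FE FF FF` in `$ol_do_filetypes_3`, `0F 85 40 03 00 00` and `74 0D` in `$ol_ecies_key_1`, and `EB 30`, `74 05`, `EB 02` in `$ol_ecies_key_3`. Jump distances are among the first bytes to change when a function is recompiled or its blocks are reordered, so these literals narrow the rule to one build more than the surrounding pattern suggests, and the condition needs all six strings to fire. If they were not kept on purpose as anchors for a specific sample, replacing them with `??` (e.g. `0F 84 ?? ?? ?? ??`, `E9 ?? ?? ?? ??`) brings the strings in line with the rest of the rule; if they were, a meta note saying so would stop the next maintainer from "fixing" them.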
@@ -0,0 +1,175 @@
+rule Win32_Ransomware_Ouroboros : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "OUROBOROS"
+ description = "Yara rule that detects Ouroboros ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Ouroboros"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 56 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 75 ?? 8D 8D ?? ?? ?? ?? 6A ?? 68
+ ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 8D 8D ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ??
+ 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ??
+ ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85
+ ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? C7 85 ??
+ ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ??
+ ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+ C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85
+ }
+
+ $remote_connection_p2 = {
+ C6 45 ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ??
+ C6 45 ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49
+ ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ??
+ C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8B
+ 95 ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ??
+ ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ??
+ ?? ?? 83 C4 ?? FF 75 ?? 8D 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 75 ??
8D 8D ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 8D 45 ?? C6 85 ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 50 8B CE C7 06 ?? ?? ?? ?? C6 46 ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 83 FA ?? + 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 + } + + $remote_connection_p3 = { + F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? FF 70 ?? 8D 45 ?? 50 8B C8 E8 ?? ?? ?? ?? 6A ?? FF + 75 ?? E8 ?? ?? ?? ?? 8B 55 ?? 83 C4 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? + ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? + ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 + FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 + ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? FF 70 ?? 8D 45 ?? 50 8B C8 E8 ?? ?? ?? ?? 6A + ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 C4 ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? + ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 + ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 85 C9 74 ?? 8B 95 ?? ?? ?? + ?? 8B C1 2B D1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F + 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B C6 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection_p4 = { + 8B 55 ?? C7 06 ?? ?? ?? ?? C6 46 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? + ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? + ?? ?? ?? 83 C4 ?? 
8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? FF + 70 ?? 8D 45 ?? 50 8B C8 E8 ?? ?? ?? ?? 6A ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 55 ?? 83 C4 + ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 + 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA + ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? + ?? FF 70 ?? 8D 45 ?? 50 8B C8 E8 ?? ?? ?? ?? 6A ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 83 C4 ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? + 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 8D + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? + ?? ?? ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B C1 2B D1 81 FA ?? ?? ?? ?? 0F + 82 ?? ?? ?? ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 86 ?? ?? ?? ?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? E8 + } + + $find_files = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 83 C8 ?? 57 8B 7D ?? + 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? + ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 4D ?? + 56 E8 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 C0 50 + 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 + 89 45 ?? 8B 4D ?? 53 8B 5D ?? 56 8B 75 ?? 57 89 B5 ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 53 E8 ?? ?? ?? ?? 59 59 8B C8 3B CB 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 43 ?? 3B C8 74 ?? 56 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 FF + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8B C7 EB ?? 
33 C0 40 0F B6 C0 2B CB 41 + F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? + ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 + FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? + 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 + 74 ?? 80 F9 ?? 75 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? 85 C0 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B + C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 + ?? E9 + } + + $encrypt_files_p1 = { + 83 EC ?? 8B 44 24 ?? 53 55 56 8B F1 89 44 24 ?? 57 8B 7C 24 ?? 8B 6E ?? 3B FD 77 ?? + 8B DE 83 FD ?? 72 ?? 8B 1E 57 50 53 89 7E ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 04 1F ?? 8B + C6 5F 5E 5D 5B 83 C4 ?? C2 ?? ?? 81 FF ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 8B DF 83 CB ?? + 81 FB ?? ?? ?? ?? 76 ?? BB ?? ?? ?? ?? EB ?? 8B CD B8 ?? ?? ?? ?? D1 E9 2B C1 3B E8 + 76 ?? BB ?? ?? ?? ?? EB ?? 8D 04 29 3B D8 0F 42 D8 33 C9 8B C3 83 C0 ?? 0F 92 C1 F7 + D9 0B C8 51 8B CE E8 ?? ?? ?? ?? 57 FF 74 24 ?? 89 44 24 ?? 50 89 7E ?? 89 5E ?? E8 + ?? ?? ?? ?? 8B 5C 24 ?? 83 C4 ?? C6 04 1F ?? 83 FD ?? 72 ?? 8B 06 45 81 FD ?? ?? ?? + ?? 72 ?? 8B 48 ?? 83 C5 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 8B C1 55 50 E8 ?? ?? ?? ?? + 83 C4 ?? 5F 89 1E 8B C6 5E 5D 5B 83 C4 ?? C2 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC + CC CC CC CC 83 EC ?? 53 55 8B 6C 24 ?? 56 57 8B F9 8B 4C 24 ?? 89 4C 24 ?? 8B 5F ?? + 3B EB 77 ?? 89 7C 24 ?? 8B C7 83 FB ?? 72 ?? 8B 07 89 44 24 ?? 8D 34 6D + } + + $encrypt_files_p2 = { + 89 6F ?? 56 51 50 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 33 C9 66 89 0C 06 8B C7 5F 5E + 5D 5B 83 C4 ?? C2 ?? ?? 81 FD ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 8B F5 83 CE ?? 81 FE ?? + ?? ?? ?? 76 ?? BE ?? 
?? ?? ?? EB ?? 8B CB B8 ?? ?? ?? ?? D1 E9 2B C1 3B D8 76 ?? BE + ?? ?? ?? ?? EB ?? 8D 04 19 3B F0 0F 42 F0 33 C9 8B C6 83 C0 ?? 0F 92 C1 F7 D9 0B C8 + 51 8B CF E8 ?? ?? ?? ?? 89 77 ?? 8D 34 6D ?? ?? ?? ?? 56 FF 74 24 ?? 89 44 24 ?? 50 + 89 6F ?? E8 ?? ?? ?? ?? 8B 6C 24 ?? 33 C0 83 C4 ?? 66 89 04 2E 83 FB ?? 72 ?? 8B 07 + 8D 1C 5D ?? ?? ?? ?? 81 FB ?? ?? ?? ?? 72 ?? 8B 48 ?? 83 C3 ?? 2B C1 83 C0 ?? 83 F8 + ?? 77 ?? 8B C1 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 2F 8B C7 5F 5E 5D 5B 83 C4 ?? C2 ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 8B 44 24 ?? 83 EC ?? 83 E0 ?? 89 41 ?? 8B 49 ?? + 23 C8 75 ?? 83 C4 ?? C2 ?? ?? 56 F6 C1 ?? 74 ?? BE ?? ?? ?? ?? EB ?? F6 C1 ?? BE ?? + ?? ?? ?? B8 ?? ?? ?? ?? 0F 44 F0 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C + 24 ?? 50 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 5E + } + + $encrypt_files_angus_version = { + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 03 C1 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 0F 43 + 8D ?? ?? ?? ?? 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? B9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 39 8D ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? 0F 42 8D ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 51 0F 43 85 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? ?? + ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? + ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 
C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+ C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ??
+ C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ??
+ ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D
+ ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ (
+ all of ($encrypt_files_p*)
+ ) or
+ (
+ $encrypt_files_angus_version
+ )
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Outsider.yara b/yara/ransomware/Win32.Ransomware.Outsider.yara
new file mode 100644
index 0000000..8ded84c
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Outsider.yara
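Review bot: The `$find_files` string in this hunk is, as far as it is visible in this patch, byte-for-byte the same pattern as the `$find_files` string of the Win32.Ransomware.Pay2Key rule added further down, and the `33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC` run inside it resembles a compiler-runtime invalid-parameter stub, so it looks like shared library code rather than family-specific logic. Because the condition ANDs it with the encrypt and remote-connection groups it does not widen the match, but it contributes no family specificity and any future tuning of one rule silently diverges the other. A comment on the string would save the next maintainer the comparison, e.g. `// shared with Win32_Ransomware_Pay2Key and likely runtime/library code; family specificity comes from the other strings`. Separately, none of the rules in this part of the patch (Ouroboros, Outsider, PXJ, Paradise) bound `filesize` in the condition; a cap such as `filesize < 5MB` evaluated before the string tests is the usual way to keep long wildcard hex patterns cheap on large inputs.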
@@ -0,0 +1,88 @@ +rule Win32_Ransomware_Outsider : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "OUTSIDER" + description = "Yara rule that detects Outsider ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Outsider" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8D 45 ?? 8B D9 50 6A ?? 5E 56 FF 35 ?? ?? ?? ?? + 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8D 55 ?? 89 75 ?? 8B CF 2B + D7 8A 04 0A 88 01 41 83 EE ?? 75 ?? 6A ?? 8D 45 ?? 50 57 56 6A ?? 56 FF 35 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 6A ?? 56 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? + ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 89 75 ?? 89 75 ?? 53 FF 15 ?? ?? ?? ?? 8D + 04 43 83 E8 ?? 66 83 38 ?? 75 ?? FF B6 ?? ?? ?? ?? 2B C3 83 C0 ?? D1 F8 8D 04 43 50 + FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? FF B6 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 75 ?? + 8B F0 FF 15 ?? ?? ?? ?? 3B C6 74 ?? 8B 75 ?? 83 C6 ?? 89 75 ?? 83 FE ?? 72 ?? EB ?? + C7 45 ?? ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D6 50 FF 15 ?? ?? ?? + ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 7D ?? 8B D8 33 C0 50 8D 45 ?? 50 68 ?? ?? ?? + ?? 53 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 33 C0 89 4D ?? 3B C8 76 ?? 8B F8 8B C7 25 ?? ?? + ?? ?? 79 ?? 48 83 C8 ?? 40 89 45 ?? 75 ?? 8B C7 99 83 E2 ?? 03 C2 C1 F8 ?? 99 52 50 + } + + $encrypt_files_p2 = { + 51 51 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 8B 45 ?? 8A 84 05 + ?? ?? ?? ?? 30 04 1F 47 8B C7 99 85 D2 72 ?? 77 ?? 3B C1 72 ?? 8B 4D ?? 8B 7D ?? 6A + ?? F7 D9 8B C1 6A ?? 99 52 50 57 FF 15 ?? ?? ?? ?? 33 C0 50 8D 45 ?? 50 FF 75 ?? 53 + 57 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 74 ?? 81 7D ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 53 33 + C0 50 FF D6 50 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 5D ?? 6A ?? 33 C0 C7 45 ?? 
?? ?? ?? ?? + 50 0F 57 C0 66 0F 13 45 ?? FF 75 ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 33 C0 50 8D + 45 ?? 50 6A ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 33 C0 50 8D 45 ?? 50 6A ?? 57 + FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D6 50 + FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 68 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 56 53 FF 15 ?? ?? ?? ?? 56 33 F6 56 FF 15 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? EB ?? 33 F6 57 56 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 5F 5E + 5B 8B E5 5D C3 + } + + $find_files = { + 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 56 57 68 ?? ?? ?? ?? 6A ?? FF + D3 50 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 83 F8 ?? + 0F 84 ?? ?? ?? ?? 8B D8 33 FF FF B7 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 83 C7 ?? 83 FF ?? 72 ?? 8D 44 24 ?? 50 FF 75 ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? A8 ?? 74 ?? 68 ?? ?? ?? ?? + 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? + ?? ?? ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 59 EB ?? 8B 44 24 ?? A8 ?? 74 ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 8B CE E8 ?? ?? ?? ?? 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 8B CE E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 56 + 6A ?? FF D3 50 FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $enum_resources = { + 55 8B EC 83 E4 ?? 83 EC ?? 83 0C 24 ?? 8D 44 24 ?? 53 56 57 50 FF 75 ?? C7 44 24 ?? + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? + 83 C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 ?? EB ?? 33 + DB 39 5C 24 ?? 76 ?? 8D 77 ?? F6 46 ?? ?? 74 ?? 
8D 46 ?? 50 E8 ?? ?? ?? ?? EB ?? FF
+ 36 E8 ?? ?? ?? ?? 43 83 C6 ?? 59 3B 5C 24 ?? 72 ?? 8D 44 24 ?? 50 57 8D 44 24 ?? 50
+ FF 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ??
+ ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_resources
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.PXJ.yara b/yara/ransomware/Win32.Ransomware.PXJ.yara
new file mode 100644
index 0000000..234cce5
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.PXJ.yara
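Review bot: The condition at the end of this hunk wraps each single identifier in its own three-line parenthesis group, which adds no precedence and makes the rule logic harder to scan than it needs to be; `uint16(0) == 0x5A4D and $enum_resources and $find_files and all of ($encrypt_files_p*)` is the same expression on one line. The PXJ rule in this patch uses the same layout, while the Paradise rule keeps its condition on a single line, so the patch is inconsistent with itself; the grouping only earns its keep in the Ouroboros rule, where the `or` between the two encrypt variants needs it. Pick one convention for the ruleset so later additions have something to copy.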
@@ -0,0 +1,158 @@ +rule Win32_Ransomware_PXJ : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PXJ" + description = "Yara rule that detects PXJ ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "PXJ" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 8B D9 68 ?? ?? ?? ?? + 33 F6 8D 8D ?? ?? ?? ?? 33 C0 56 51 89 9D ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 53 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? + ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? + ?? ?? 8A 85 ?? ?? ?? ?? A8 ?? 0F 85 ?? ?? ?? ?? A8 ?? 0F 84 ?? ?? ?? ?? 53 8D 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? E9 ?? ?? + ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? 66 8B + 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? + 3B C6 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 + } + + $find_files_p2 = { + 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 C0 EB + ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 9F ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B FF + 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8D 85 ?? ?? 
?? ?? 8B FF 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? + ?? ?? ?? 53 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? + ?? ?? 52 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8B D1 83 C4 ?? 0B D0 89 B5 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 74 ?? 50 51 8D + 85 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 3A C1 75 ?? 01 8F ?? ?? ?? ?? 11 + B7 ?? ?? ?? ?? EB ?? 01 8F ?? ?? ?? ?? 11 B7 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8B 4D ?? 5E 33 CD B0 ?? 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 + ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 45 ?? 6A ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 89 85 ?? ?? ?? ?? 8B 45 ?? 68 ?? ?? ?? ?? 50 89 85 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 4D + ?? 8B 55 ?? 51 52 E8 ?? ?? ?? ?? 0B C2 74 ?? 53 FF 15 ?? ?? ?? ?? B0 ?? E9 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 33 DB 8D 85 ?? ?? ?? ?? 53 50 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 53 51 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 33 F6 6A ?? 53 E8 ?? ?? ?? ?? 88 44 35 ?? + 46 83 FE ?? 7C ?? 8D 55 ?? 52 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? + ?? ?? ?? 8D B5 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B CE 89 5D ?? E8 ?? ?? ?? ?? 81 EC ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B F4 89 A5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? 6A ?? 51 + } + + $encrypt_files_p2 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 72 ?? 8B 95 + ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B B5 ?? ?? ?? ?? 
53 53 33 C9 51 33 C0 50 56 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 56 FF 15 ?? ?? ?? ?? 32 C0 E9 ?? ?? ?? ?? 53 8D 85 ?? + ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 56 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? + ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? + 8B 3D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B C3 0F 84 ?? ?? ?? ?? 6A ?? F7 D8 99 53 52 50 + 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 + 8D 85 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 8D 8D ?? ?? ?? ?? 51 50 8D + 95 ?? ?? ?? ?? 52 56 FF D7 85 C0 0F 84 ?? ?? ?? ?? 39 9D ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 39 9D ?? ?? ?? ?? 77 ?? 81 BD ?? + ?? ?? ?? ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 11 9D ?? ?? ?? ?? 8B 9D + ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 33 D2 52 52 52 33 C9 51 50 + FF 15 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B C6 8D + } + + $encrypt_files_p3 = { + 48 ?? 8B FF 66 8B 10 83 C0 ?? 66 85 D2 75 ?? 2B C1 6A ?? D1 F8 8D 8D ?? ?? ?? ?? 51 + 8D 14 00 8B 83 ?? ?? ?? ?? 52 56 50 FF D7 8B 93 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? + 51 6A ?? 68 ?? ?? ?? ?? 52 FF D7 8B 93 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? + 8D 4D ?? 51 52 FF D7 8B 8B ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? + ?? 51 FF D7 8B 8B ?? ?? ?? ?? 6A ?? 8D 95 ?? ?? ?? ?? 52 6A ?? 8D 85 ?? ?? ?? ?? 50 + 51 FF D7 8B B5 ?? ?? ?? ?? 6A ?? 33 C9 51 51 B8 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 33 DB EB ?? 83 85 ?? ?? ?? ?? ?? 11 9D ?? ?? ?? ?? 53 8D 95 ?? ?? ?? ?? + 52 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 8B 9D ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 51 52 8D BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 83 C4 ?? 52 FF 15 ?? ?? ?? ?? 
33 C9 51 51 33 C0 51 50 8B 83 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8B 8B ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 56 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 94 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B + 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $delete_volumes_snapshots_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 45 ?? 6A ?? 33 FF 57 57 89 + 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? FF D6 57 68 ?? + ?? ?? ?? FF D6 57 68 ?? ?? ?? ?? FF D6 57 68 ?? ?? ?? ?? FF D6 57 68 ?? ?? ?? ?? FF + D6 57 57 8D 8D ?? ?? ?? ?? 51 57 89 BD ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? + 6A ?? 57 57 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F + 84 ?? ?? ?? ?? 83 EC ?? 8B F4 89 7E ?? C7 46 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? + ?? ?? 89 A5 ?? ?? ?? ?? C6 06 ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 33 FF 89 7D ?? 83 78 ?? ?? 72 ?? 8B 00 8D 50 ?? 8D 9B ?? ?? ?? ?? 8A 08 40 84 + C9 75 ?? 2B C2 57 8D 95 ?? ?? ?? ?? 52 50 83 EC ?? 8B F4 89 7E ?? C7 46 ?? ?? ?? ?? + ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 A5 ?? ?? ?? ?? 88 0E E8 ?? ?? ?? ?? 8D B5 ?? ?? + ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 C4 ?? 39 70 ?? 72 ?? 8B 00 50 53 FF 15 ?? ?? + ?? ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? + ?? ?? ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 53 FF + 15 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B C7 8B FF 66 8B 10 66 3B 11 75 ?? + 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 + } + + $delete_volumes_snapshots_p2 = { + EB ?? 1B C0 83 D8 ?? 
85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? EB ?? 8D 64 24 ?? 8B BD ?? ?? ?? ?? BA ?? ?? ?? ?? 8B + CE D3 E2 85 95 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 4E ?? 66 89 8D ?? ?? ?? ?? 33 C9 6A + ?? 51 8D 95 ?? ?? ?? ?? 52 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 9F ?? + ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 83 EC ?? B8 ?? ?? ?? ?? 8B CC 89 A5 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? + ?? ?? 83 78 ?? ?? 72 ?? 8B 00 8D 50 ?? 8D A4 24 ?? ?? ?? ?? 8A 08 40 84 C9 75 ?? 33 + FF 57 8D 8D ?? ?? ?? ?? 51 2B C2 50 83 EC ?? B8 ?? ?? ?? ?? 8B CC 89 A5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 C4 ?? 39 70 ?? 72 + ?? 8B 00 50 53 FF 15 ?? ?? ?? ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? + ?? ?? ?? 83 C4 ?? BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 89 B5 ?? + ?? ?? ?? 89 BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 72 ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 53 89 B5 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 8B B5 ?? ?? ?? ?? 46 89 B5 ?? ?? ?? ?? 83 FE ?? 0F 8C ?? ?? ?? ?? EB ?? 57 + 8D 9F ?? ?? ?? ?? E8 ?? ?? ?? ?? B0 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B + 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($delete_volumes_snapshots_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win32.Ransomware.Paradise.yara b/yara/ransomware/Win32.Ransomware.Paradise.yara
new file mode 100644
index 0000000..ed45349
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Paradise.yara
@@ -0,0 +1,81 @@ +rule Win32_Ransomware_Paradise : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PARADISE" + description = "Yara rule that detects Paradise ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Paradise" + tc_detection_factor = 5 + + strings: + + $search_files = { + 53 56 57 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 59 89 75 ?? 85 F6 + 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? 53 56 FF + D7 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? + ?? ?? 83 65 ?? ?? 8B 45 ?? 8B 74 85 ?? 8D 95 ?? ?? ?? ?? 85 F6 74 ?? 0F B7 02 83 F8 + ?? 72 ?? 8D 48 ?? 83 F8 ?? 76 ?? 8B C8 0F B7 06 83 F8 ?? 72 ?? 83 F8 ?? 77 ?? 83 C0 + ?? 3B C8 0F B7 02 75 ?? 66 85 C0 74 ?? 83 C2 ?? 83 C6 ?? EB ?? 0F B7 02 EB ?? 66 3B + 06 1B C0 83 E0 ?? 40 EB ?? 33 C0 85 C0 0F 84 ?? ?? ?? ?? FF 45 ?? 83 7D ?? ?? 72 ?? + 8B 75 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? 68 ?? ?? ?? ?? 53 56 FF D7 83 C4 ?? F6 85 ?? + ?? ?? ?? ?? 74 ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? BA ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 80 3D ?? ?? ?? ?? ?? 74 ?? BA + ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? EB ?? F6 85 ?? ?? ?? + ?? ?? 74 ?? A1 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 85 C0 75 ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? BA ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? + ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? 68 + ?? ?? ?? ?? 53 FF 75 ?? FF D7 83 C4 ?? FF 75 ?? E8 ?? ?? ?? ?? 59 FF 75 ?? FF 15 ?? + ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 5F 5E 5B C9 C3 + } + + $encrypt_files_p1 = { + 56 57 6A ?? BE ?? ?? ?? 
?? 5F E8 ?? ?? ?? ?? 89 45 ?? 6A ?? 8D 45 ?? 50 56 E8 ?? ?? + ?? ?? 83 C4 ?? 83 C6 ?? 4F 75 ?? 33 F6 39 75 ?? 74 ?? 8D 45 ?? 50 A1 ?? ?? ?? ?? 0F + B7 88 ?? ?? ?? ?? 56 56 51 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 59 89 4D + ?? 33 C0 8A 90 ?? ?? ?? ?? 88 90 ?? ?? ?? ?? 3B C6 75 ?? 33 C0 40 3B C1 72 ?? 68 ?? + ?? ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 6A ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 5F 5E C9 C3 56 FF 75 ?? FF 15 ?? ?? ?? ?? 56 FF 15 + } + + $encrypt_files_p2 = { + 53 56 57 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 33 DB + 53 53 8D 44 24 ?? 50 89 5C 24 ?? FF D6 85 C0 75 ?? 68 ?? ?? ?? ?? 6A ?? 53 53 8D 44 + 24 ?? 50 FF D6 85 C0 75 ?? 89 5C 24 ?? 39 5C 24 ?? 75 ?? 53 FF 15 ?? ?? ?? ?? A1 ?? + ?? ?? ?? 0F B6 80 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF + 74 24 ?? E8 ?? ?? ?? ?? 59 53 FF 74 24 ?? FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 56 53 53 + 53 53 C6 05 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 88 1D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 59 33 C0 88 98 ?? ?? ?? ?? 3B C3 75 ?? 33 C0 40 83 F8 ?? 72 ?? 6A ?? 5E + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 53 53 8D 44 24 ?? 50 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 4E 75 ?? 8B 3D ?? + ?? ?? ?? 81 C7 ?? ?? ?? ?? 6A ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 85 C0 75 ?? 57 E8 + ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C3 + } + + $http_remote_connection = { + 53 56 57 FF 75 ?? 33 FF 8D 75 ?? 89 7D ?? E8 ?? ?? ?? ?? 59 89 7D ?? 57 57 57 FF 75 + ?? 57 FF 15 ?? ?? ?? ?? 89 45 ?? 3B C7 0F 84 ?? ?? ?? ?? 57 57 6A ?? 57 57 FF 75 ?? + FF 75 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 3B C7 0F 84 ?? ?? ?? ?? 33 C9 80 7D ?? ?? 57 + 0F 95 C1 B8 ?? ?? ?? ?? 49 23 C8 03 C8 51 57 57 57 FF 75 ?? 68 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 8B D8 3B DF 74 ?? 57 57 57 57 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 + F6 57 57 8D 45 ?? 50 53 89 7D ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 03 C6 3B C7 + 75 ?? 89 7D ?? EB ?? 50 39 7D ?? 75 ?? 
E8 ?? ?? ?? ?? 59 EB ?? FF 75 ?? 6A ?? FF 15
+ ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 FF 75 ?? 8B 45 ?? 03 C6 50 53
+ FF 15 ?? ?? ?? ?? 03 75 ?? 39 7D ?? 75 ?? 53 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ??
+ ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 39 7D ?? 75 ?? 33 C0 40 39 45 ?? 74 ?? 89 45 ?? E9
+ ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 5F 5E 5B
+ C9 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and $search_files and $http_remote_connection and (all of ($encrypt_files_p*))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Pay2Key.yara b/yara/ransomware/Win32.Ransomware.Pay2Key.yara
new file mode 100644
index 0000000..cdaaf6f
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Pay2Key.yara
@@ -0,0 +1,99 @@ +rule Win32_Ransomware_Pay2Key : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PAY2KEY" + description = "Yara rule that detects Pay2Key ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Pay2Key" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 83 C8 ?? 57 8B 7D ?? + 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? + ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 4D ?? + 56 E8 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 C0 50 + 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 + 89 45 ?? 8B 4D ?? 53 8B 5D ?? 56 8B 75 ?? 57 89 B5 ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 53 E8 ?? ?? ?? ?? 59 59 8B C8 3B CB 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 43 ?? 3B C8 74 ?? 56 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 FF + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8B C7 EB ?? 33 C0 40 0F B6 C0 2B CB 41 + F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? + ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 + FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? + 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 + 74 ?? 80 F9 ?? 75 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? 85 C0 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B + C8 0F 84 ?? ?? ?? ?? 68 ?? 
?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 + ?? E9 + } + + $encrypt_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B D9 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 8B 43 ?? 2B 43 ?? 75 ?? 8B 75 ?? 8B 45 ?? 8B 4D ?? C7 45 ?? ?? ?? ?? ?? 89 06 89 4E + ?? 8B 4D ?? 89 4E ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B C6 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C2 ?? ?? 83 7B ?? ?? 74 + ?? 8B 45 ?? 2B 45 ?? 50 E8 ?? ?? ?? ?? 8B 75 ?? 8B F8 8B 55 ?? 2B F2 56 52 57 E8 ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? + 56 89 75 ?? E8 ?? ?? ?? ?? 56 57 50 89 45 ?? E8 ?? ?? ?? ?? 8B 75 ?? 8D 45 ?? 83 C4 + ?? 50 56 6A ?? 6A ?? 6A ?? FF 73 ?? FF 15 ?? ?? ?? ?? 8D 4D ?? 85 C0 75 ?? 8B 75 ?? + 89 45 ?? 89 45 ?? 89 45 ?? 89 06 89 46 ?? 89 46 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? 8B C6 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C2 ?? ?? FF 75 ?? E8 + ?? ?? ?? ?? FF 75 ?? 56 8B 75 ?? 56 E8 ?? ?? ?? ?? 8B 7D ?? 83 C4 ?? 8B 4D ?? 8B 45 + ?? C7 45 ?? ?? ?? ?? ?? 89 4F ?? 8D 4D ?? 89 37 89 47 ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C7 8B 4D ?? 64 89 0D ?? ?? + ?? ?? 59 5F 5E 5B 8B E5 5D C2 + } + + $remote_connection_p1 = { + 55 8B EC 83 EC ?? 56 57 6A ?? 8B F2 8B F9 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? C7 + 45 ?? ?? ?? ?? ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 6A ?? 56 57 FF 15 ?? ?? ?? ?? + 8B 75 ?? 8B C8 8B D6 E8 ?? ?? ?? ?? 8B 0E 8B F8 83 F9 ?? 75 ?? 68 ?? ?? ?? ?? 8B CE + E8 ?? ?? ?? ?? EB ?? 81 F9 ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? EB + ?? 81 F9 ?? ?? ?? ?? 74 ?? 81 F9 ?? ?? ?? ?? 74 ?? 85 FF 74 ?? 5F 83 C8 ?? 5E 8B E5 + 5D C3 + } + + $remote_connection_p2 = { + 55 8B EC 51 53 56 8B F1 57 8B 46 ?? 83 C0 ?? 50 FF 15 ?? ?? ?? ?? 80 7D ?? ?? 6A ?? + 74 ?? 8B 4E ?? 6A ?? FF 75 ?? E8 ?? ?? ?? ?? 5F 5E 5B 59 5D C2 ?? ?? 8B 45 ?? 
8B 08 + 83 F9 ?? 75 ?? 8B 4E ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 5F 5E 5B 59 5D C2 ?? + ?? 8B 45 ?? 8B 7D ?? 57 89 45 ?? 8D 45 ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF 75 + ?? FF 75 ?? 51 FF 15 ?? ?? ?? ?? 8B D8 FF 15 ?? ?? ?? ?? 83 F8 ?? 75 ?? B8 ?? ?? ?? + ?? EB ?? 3D ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 44 C1 85 DB 74 ?? 3D ?? ?? ?? ?? 74 ?? FF + 75 ?? 8B 4E ?? 50 57 E8 ?? ?? ?? ?? 5F 5E 5B 59 5D C2 ?? ?? 8B 4E ?? 57 E8 ?? ?? ?? + ?? 5F 5E 5B 59 5D C2 + } + + $remote_connection_p3 = { + 55 8B EC 83 EC ?? 56 57 6A ?? 8B F2 8B F9 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 45 + ?? C7 45 ?? ?? ?? ?? ?? 50 FF 75 ?? 56 57 FF 15 ?? ?? ?? ?? 8B 75 ?? 8B C8 8B D6 E8 + ?? ?? ?? ?? 8B 0E 8B F8 83 F9 ?? 75 ?? 68 ?? ?? ?? ?? EB ?? 81 F9 ?? ?? ?? ?? 75 ?? + 68 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 FF 74 ?? 5F 83 C8 ?? 5E 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Petya.yara b/yara/ransomware/Win32.Ransomware.Petya.yara new file mode 100644 index 0000000..e28fde8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Petya.yara 
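Review bot: The condition at the end of this hunk wraps each single string in its own parenthesised block, `( $find_files ) and ( $encrypt_files )`, which reads as if more terms were intended and differs from the flat style the PrincessLocker rule in this same patch uses; `uint16(0) == 0x5A4D and $find_files and $encrypt_files and all of ($remote_connection_p*)` states the same logic on one line. There is also no upper `filesize` bound, so every MZ-headed file of any size is scanned against these long wildcarded patterns; if the rest of the set deliberately omits one that is fine, otherwise a `filesize < <LIMIT>` guard keeps scan cost predictable. The `tc_detection_factor = 5` meta has no documented scale anywhere in the patch; a one-line `//` comment above it saying what range the value uses would help readers who do not know the tc_detection tooling.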
@@ -0,0 +1,58 @@ +import "pe" + +rule Win32_Ransomware_Petya : tc_detection malicious +{ + + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PETYA" + description = "Yara rule that detects Petya ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Petya" + tc_detection_factor = 5 + + strings: + $entry_point = { + 55 8B EC 56 8B 75 ?? 57 83 FE ?? 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? 56 FF 75 ?? E8 ?? ?? ?? ?? 8B F8 85 F6 75 ?? E8 ?? + ?? ?? ?? 8B C7 5F 5E 5D C2 + } + + $shutdown_pattern = { + 55 8B EC 83 EC ?? 8D 45 ?? 56 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 + 75 ?? 33 C0 EB ?? 8D 45 ?? 33 F6 50 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 56 56 8D + 45 ?? C7 45 ?? ?? ?? ?? ?? 50 56 FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8D 4D ?? 51 6A ?? 56 56 56 68 ?? ?? ?? ?? FF D0 33 C0 83 C4 ?? 40 5E 8B + E5 5D C3 + } + + $sectionxxxx_pattern = { + 83 EC ?? 53 55 8B C2 89 4C 24 ?? 56 57 8B C8 89 44 24 ?? 33 D2 E8 ?? ?? ?? ?? 85 C0 + 74 ?? 0F B7 48 ?? 8B FA 83 C1 ?? 03 C8 0F B7 40 ?? 89 44 24 ?? 85 C0 74 ?? BE ?? ?? + ?? ?? 2B F1 80 39 ?? 8D 59 ?? 6A ?? 5D 75 ?? 85 ED 74 ?? 0F BE 2C 1E 0F BE 03 43 3B + E8 74 ?? 83 C1 ?? 83 EE ?? 47 3B 7C 24 ?? 72 ?? 8B CA 85 C9 74 ?? 8B 51 ?? 8B 5C 24 + ?? 8B FB 03 54 24 ?? 8B F2 8B 4A ?? A5 83 C1 ?? 03 CA 89 4B ?? A5 A5 8B 43 ?? 8D 72 + ?? 89 43 ?? 8B 43 ?? 89 43 ?? B8 ?? ?? ?? ?? 89 73 ?? 66 39 01 74 ?? 8B 7A ?? 8B 2A + 03 7A ?? 74 ?? 33 DB 43 2B DE 33 D2 8D 0C 33 8B C5 F7 F1 30 16 46 4F 75 ?? B2 ?? 5F + 5E 5D 0F B6 C2 5B 83 C4 ?? C3 + } + + $crypt_gen_pattern = { + 55 8B EC 53 57 8B 7D ?? 8D 45 ?? 68 ?? ?? ?? ?? 6A ?? 33 DB 53 53 50 89 1F FF 15 ?? + ?? ?? ?? 85 C0 75 ?? 6A ?? 58 EB ?? 56 FF 75 ?? 8B 75 ?? 56 FF 75 ?? FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 6A ?? 
58 EB ?? 53 FF 75 ?? FF 15 ?? ?? ?? ?? 89 37 33 C0 5E 5F 5B 5D
+ C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and ($entry_point at pe.entry_point) and $shutdown_pattern and $sectionxxxx_pattern and $crypt_gen_pattern
+
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Plague17.yara b/yara/ransomware/Win32.Ransomware.Plague17.yara
new file mode 100644
index 0000000..28be72d
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Plague17.yara
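Review bot: `$sectionxxxx_pattern` is the only string in the Petya rule whose name does not say what routine it was lifted from, while its siblings are self-describing (`$entry_point`, `$shutdown_pattern`, `$crypt_gen_pattern`), and nothing in the file explains it. A one-line comment above the string naming the function it came from — something like `// matches the routine that <DESCRIBE ROUTINE> in the reference sample` with the placeholder filled in by whoever extracted it — is what a maintainer will need when these wildcarded bytes have to be re-verified against a new build. Anchoring `$entry_point at pe.entry_point` is the right choice here, and keeping the cheap `uint16(0) == 0x5A4D` test first lets non-MZ files short-circuit before the pe module parses anything.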
@@ -0,0 +1,263 @@ +rule Win32_Ransomware_Plague17 : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PLAGUE17" + description = "Yara rule that detects Plague17 ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Plague17" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 89 E5 57 56 8D 85 ?? ?? ?? ?? 53 81 EC ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 31 C0 66 89 + 85 ?? ?? ?? ?? 8B 45 ?? 89 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 50 ?? 8B + 00 66 83 7C 50 ?? ?? 74 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? BA ?? ?? ?? + ?? 2B 51 ?? 39 D0 0F 87 ?? ?? ?? ?? 8B 4D ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 45 ?? 8B 7D ?? 83 EC ?? 8B 00 8B 57 ?? 8D 8D ?? ?? ?? ?? 8D 14 50 C6 44 + 24 ?? ?? 89 04 24 89 8D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 54 24 ?? E8 ?? ?? ?? ?? 83 + EC ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 39 D0 0F + 87 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 44 24 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 83 EC ?? 8D 8D ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 83 EC ?? 39 F8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 7D ?? 8D + } + + $find_files_p2 = { + 9D ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 89 D9 8B 00 C6 44 24 ?? ?? 8B 57 ?? 89 B5 ?? ?? ?? + ?? 89 04 24 8D 14 50 89 54 24 ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 EC ?? 89 1C 24 + E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 39 F0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 89 5C 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 83 F8 ?? 89 C6 0F 84 ?? + ?? ?? ?? 8D BD ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 85 C0 74 + ?? C7 44 24 ?? ?? ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? F6 85 ?? ?? + ?? ?? ?? 89 7C 24 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 0F 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? 
?? ?? + ?? 8D 8D ?? ?? ?? ?? 83 EC ?? 39 C8 74 ?? 89 04 24 E8 ?? ?? ?? ?? EB ?? C7 44 24 ?? + ?? ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 85 C0 75 ?? 89 5C 24 ?? 89 34 24 FF 15 ?? ?? ?? + ?? 83 EC ?? 85 C0 75 ?? 89 34 24 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 9D ?? ?? ?? + ?? 83 EC ?? 39 D8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C2 ?? ?? 8D 76 + ?? 8D BC 27 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 85 C0 74 + } + + $find_files_p3 = { + 8B 45 ?? F6 85 ?? ?? ?? ?? ?? 89 7C 24 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 75 + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 EC ?? 39 D0 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? EB ?? 89 + C3 8B 85 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 39 F0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8D B5 ?? ?? ?? ?? 39 F0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? + ?? EB ?? 89 C3 8B 85 ?? ?? ?? ?? 39 F0 75 ?? EB ?? EB ?? EB ?? 89 C3 EB ?? C7 04 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + } + + $encrypt_files_p1 = { + 55 89 E5 57 56 53 81 EC ?? ?? ?? ?? 8B 45 ?? 89 8D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 00 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 83 + F8 ?? 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 89 C6 8D 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? + 89 34 24 89 44 24 ?? FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 8B 95 ?? ?? ?? ?? + 89 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 89 34 24 05 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 89 44 24 ?? 83 D2 ?? A1 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 54 24 ?? 89 85 + ?? ?? ?? ?? FF D0 31 C0 83 EC ?? 83 BD ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 AB 7C ?? 0F + 8E ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? C7 44 24 ?? 
?? ?? ?? ?? C7 44 24 + ?? ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 74 24 ?? 89 04 24 FF 15 ?? ?? ?? ?? + 83 EC ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 85 C0 0F + 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 35 ?? ?? ?? ?? 0B 85 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? + 80 7D ?? ?? 0F 85 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C3 8D 85 ?? ?? + ?? ?? 89 D9 89 04 24 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? + ?? ?? 83 EC ?? 8B B5 ?? ?? ?? ?? 89 D9 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 1E 0F A4 C2 ?? C1 E0 ?? 89 95 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D + } + + $encrypt_files_p2 = { + 85 ?? ?? ?? ?? 89 04 24 8B 0E E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 89 04 24 8B + 85 ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 + ?? 8B 0E E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 89 04 24 89 54 + 24 ?? 8B 0E 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 83 EC ?? 8B 85 ?? ?? + ?? ?? 85 FF 0F 84 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 8D BD ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 89 44 24 ?? 8B 85 + ?? ?? ?? ?? 89 54 24 ?? 89 04 24 FF 95 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? C7 04 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 89 + 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? + 1B 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 0F AC D0 ?? C1 EA ?? 89 D3 09 + C3 0F 84 ?? ?? ?? ?? 83 C0 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 D2 ?? 89 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 90 8D B4 26 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 74 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 
89 04 24 FF 95 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 8B 9D ?? ?? ?? ?? 83 EC ?? 8B 95 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 5C + } + + $encrypt_files_p3 = { + 24 ?? 89 0C 24 8B 0A E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 8B + 9D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 89 44 24 ?? 89 54 24 ?? 89 1C 24 + FF 95 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 EC ?? 89 9D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 89 4C 24 ?? FF 15 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 83 EC ?? 8B 95 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 81 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? 83 95 ?? ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 5C + 24 ?? 89 54 24 ?? 89 04 24 FF 95 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 83 + EC ?? 81 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 D9 83 95 ?? ?? ?? ?? ?? 8B 02 89 04 24 E8 ?? + ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 EC ?? 8B 95 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D + ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 0B 89 85 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 04 24 8B 0B E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 83 EC ?? 89 04 24 8B 85 ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? 8B + 85 ?? ?? ?? ?? 89 44 24 ?? 8B 0B E8 ?? ?? ?? ?? 8B 0B 83 EC ?? E8 ?? ?? ?? ?? 8B 9D + ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? 89 1C 24 FF 15 ?? ?? ?? ?? 8B + } + + $encrypt_files_p4 = { + 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 89 1C + 24 89 44 24 ?? 89 54 24 ?? FF 95 ?? ?? ?? ?? 83 EC ?? 83 85 ?? ?? ?? ?? ?? 8B 9D ?? + ?? ?? ?? 83 95 ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 31 CB 31 D0 89 DA 09 C2 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 1B 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? + 8B 85 ?? 
?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 74 24 ?? 89 4C 24 ?? 8B 8D ?? ?? ?? ?? + 89 C3 89 44 24 ?? 89 0C 24 FF 95 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 8B 85 ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? 8B 95 ?? ?? ?? ?? 89 14 24 8B 08 E8 ?? ?? + ?? ?? 83 EC ?? 8B 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 7C 24 ?? 8B BD ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 54 24 ?? 89 3C 24 FF 95 ?? ?? ?? ?? 83 EC ?? 8B + 95 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 89 5C 24 ?? 8B 1D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 89 74 24 ?? 89 54 24 ?? 89 3C 24 89 9D ?? ?? ?? ?? FF D3 8B 95 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 83 EC ?? B9 ?? ?? ?? ?? C7 85 + } + + $encrypt_files_p5 = { + 89 DF C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F AC D0 ?? C1 EA + ?? 01 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 11 95 ?? ?? ?? ?? 31 C0 C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? F3 AB C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? C7 44 24 ?? ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 89 54 24 ?? E8 ?? ?? ?? ?? 8B BD ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 5C 24 ?? C7 04 24 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 89 7C 24 ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 31 C0 F3 AB 8B BD ?? ?? ?? ?? 89 74 + 24 ?? 8D B5 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 74 24 ?? + 89 3C 24 FF 95 ?? ?? ?? ?? 83 EC ?? 89 3C 24 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 + EC ?? 8B 18 85 DB 74 ?? 89 D9 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? + ?? 8D 65 ?? 31 C0 5B 5E 5F 5D C2 ?? ?? 8D BD ?? ?? ?? ?? 31 C0 B9 ?? ?? ?? ?? 8B B5 + ?? ?? ?? ?? 31 D2 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? F3 AB 8B BD ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 89 F9 C1 F9 ?? 83 E1 ?? 89 C8 01 F0 11 FA 0F AC D0 ?? C1 FA ?? 
83 + } + + $encrypt_files_p6 = { + C0 ?? 83 D2 ?? 0F A4 C2 ?? C1 E0 ?? 89 95 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 FA 09 F2 + 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 F7 C6 00 ?? 83 C0 ?? 39 C2 75 ?? 89 BD + ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C3 8B 85 ?? ?? ?? ?? 89 D9 89 04 + 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 89 18 A1 ?? ?? ?? ?? 89 44 24 ?? 8D 85 + ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 89 + 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 75 ?? 83 C0 + ?? 83 EC ?? 8B 56 ?? 39 D0 0F 87 ?? ?? ?? ?? 8B 7D ?? 29 C2 8D B5 ?? ?? ?? ?? 8D 9D + ?? ?? ?? ?? 8B 0F C6 44 24 ?? ?? 89 9D ?? ?? ?? ?? 8D 0C 41 8D 04 51 89 0C 24 89 F1 + 89 44 24 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 89 34 24 8D 48 ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 39 D8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? + 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 8B 47 ?? 89 34 24 89 44 24 ?? E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 0F C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 90 89 34 24 8B + 0F 83 C6 ?? E8 ?? ?? ?? ?? 83 EC ?? 39 DE 75 ?? 8B BD ?? ?? ?? ?? 8B B5 + } + + $encrypt_files_p7 = { + 8B 0F E8 ?? ?? ?? ?? 8B 07 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 + 04 24 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 EC ?? 8B 85 ?? ?? ?? ?? + 8B 9D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 0F 89 95 ?? ?? ?? ?? 89 95 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 04 24 8B 0F E8 ?? ?? ?? ?? 8B 0F 83 EC ?? E8 ?? + ?? ?? ?? 8B 0F 89 F7 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 95 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 89 34 24 8D B5 ?? ?? ?? ?? 
89 44 24 ?? 8B 85 ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? 89 44 24 ?? FF 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 + EC ?? 89 3C 24 C7 44 24 ?? ?? ?? ?? ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 + ?? FF 15 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 83 EC ?? 8B 85 ?? ?? ?? ?? 85 FF 0F 85 ?? ?? + ?? ?? 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 3D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 0F 87 ?? ?? ?? ?? 3D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 3D + ?? ?? ?? ?? 0F 97 C0 0F B6 C0 89 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 65 ?? B8 ?? ?? ?? + ?? 5B 5E 5F 5D C2 ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 FF 15 ?? ?? ?? ?? 83 EC ?? 8D 65 + ?? B8 ?? ?? ?? ?? 5B 5E 5F 5D C2 ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 FF 15 + } + + $encrypt_files_p8 = { + 83 EC ?? 8D 65 ?? 31 C0 5B 5E 5F 5D C2 ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 + 04 24 ?? ?? ?? ?? 89 C6 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 04 24 C1 F8 ?? 89 F1 89 + 44 24 ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 EC ?? 89 B5 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 89 C3 A1 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 89 + 04 24 89 54 24 ?? 89 74 24 ?? 89 7C 24 ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B BD ?? + ?? ?? ?? 89 95 ?? ?? ?? ?? 89 54 24 ?? 89 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 + 7C 24 ?? 89 44 24 ?? 89 34 24 FF 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 89 5C 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 83 C3 ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 89 44 24 ?? FF + 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 EC ?? 39 C3 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 76 ?? 81 BD ?? ?? + ?? ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? E9 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 89 54 24 ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 89 C6 C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 89 34 24 E8 ?? + ?? ?? ?? 89 C3 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? 
?? 89 1C 24 E8 ?? ?? ?? ?? EB + } + + $remote_connection_p1 = { + 55 57 56 53 81 EC ?? ?? ?? ?? 8B 1A 39 18 0F 84 ?? ?? ?? ?? 89 54 24 ?? 89 C6 8D 5C + 24 ?? F6 05 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 DF 8B 56 ?? 89 54 24 + ?? 8B 56 ?? 89 54 24 ?? 8B 56 ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 + 3C 24 E8 ?? ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 01 C7 89 F8 29 D8 BA ?? ?? ?? ?? 89 D5 + 29 C5 F6 05 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B 06 89 44 24 ?? 8B 46 ?? 89 44 24 ?? + C7 44 24 ?? ?? ?? ?? ?? 89 6C 24 ?? 89 3C 24 E8 ?? ?? ?? ?? 89 5C 24 ?? 8B 7C 24 ?? + 8B 07 89 04 24 E8 ?? ?? ?? ?? FF 47 ?? 8B 46 ?? 01 47 ?? 8B 6E ?? 85 ED 0F 84 ?? ?? + ?? ?? 89 6C 24 ?? 8D 44 24 ?? 89 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8D B6 ?? ?? ?? ?? 8D BC 27 ?? ?? ?? ?? 85 C0 74 ?? C6 03 ?? A8 ?? 0F 85 ?? + ?? ?? ?? 8B 7D ?? 8B 75 ?? 89 2C 24 E8 ?? ?? ?? ?? 89 7C 24 ?? 89 74 24 ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B 74 24 ?? 29 F0 89 44 24 ?? 8D 04 33 89 + 04 24 E8 ?? ?? ?? ?? 89 DF 8B 17 83 C7 ?? 8D 82 ?? ?? ?? ?? F7 D2 21 D0 25 ?? ?? ?? + ?? 74 ?? A9 ?? ?? ?? ?? 75 ?? C1 E8 ?? 83 C7 ?? 88 C1 00 C1 83 DF ?? 29 DF 8B 75 + } + + $remote_connection_p2 = { + 89 34 24 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 29 F9 39 C1 0F 8D ?? ?? ?? ?? 8D 04 3B 83 F9 + ?? 0F 83 ?? ?? ?? ?? 85 C9 74 ?? 8A 16 88 10 F6 C1 ?? 0F 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? B8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? 01 D8 89 04 24 E8 ?? ?? ?? ?? + 89 5C 24 ?? 8B 44 24 ?? 8B 00 89 04 24 E8 ?? ?? ?? ?? 8B 6D ?? 85 ED 74 ?? 8D 44 24 + ?? 89 44 24 ?? 89 2C 24 E8 ?? ?? ?? ?? 85 C0 75 ?? FF 44 24 ?? 8B 44 24 ?? 83 F8 ?? + 0F 82 ?? ?? ?? ?? C7 44 03 ?? ?? ?? ?? ?? 8D 48 ?? C1 E9 ?? 89 DF B8 ?? ?? ?? ?? F3 + AB E9 ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D C3 90 8D 74 26 ?? + 8D 40 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 10 89 54 24 ?? 8B 50 ?? 89 54 24 ?? 8B 40 ?? 89 + 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 
89 + DA 8B 0A 83 C2 ?? 8D 81 ?? ?? ?? ?? F7 D1 21 C8 25 ?? ?? ?? ?? 74 ?? A9 + } + + $remote_connection_p3 = { + 75 ?? C1 E8 ?? 83 C2 ?? 88 C1 00 C1 83 DA ?? 29 DA 8D 3C 13 B8 ?? ?? ?? ?? 29 D0 E9 + ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? 8D BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 29 F8 89 44 24 ?? 89 + 74 24 ?? 01 DF 89 3C 24 E8 ?? ?? ?? ?? 89 D8 8B 08 83 C0 ?? 8D 91 ?? ?? ?? ?? F7 D1 + 21 CA 81 E2 ?? ?? ?? ?? 74 ?? F7 C2 ?? ?? ?? ?? 75 ?? C1 EA ?? 83 C0 ?? 88 D1 00 D1 + 83 D8 ?? 29 D8 BA ?? ?? ?? ?? 29 C2 E9 ?? ?? ?? ?? 8D 74 26 ?? 8D BC 27 ?? ?? ?? ?? + 8B 16 89 10 8B 54 0E ?? 89 54 08 ?? 8D 78 ?? 83 E7 ?? 29 F8 29 C6 01 C1 C1 E9 ?? F3 + A5 E9 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 8D BC 27 ?? ?? ?? ?? 89 54 24 ?? 8D 46 ?? 89 + 04 24 E8 ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 6C 24 ?? 89 3C 24 E8 ?? + ?? ?? ?? 89 3C 24 E8 ?? ?? ?? ?? 01 C7 89 F8 29 D8 8B 54 24 ?? 29 C2 89 D5 E9 ?? ?? + ?? ?? 8D B4 26 ?? ?? ?? ?? 8D BC 27 ?? ?? ?? ?? 8B 44 24 ?? 66 C7 44 03 ?? ?? ?? E9 + ?? ?? ?? ?? 66 8B 54 0E ?? 66 89 54 08 ?? E9 ?? ?? ?? ?? 90 8B 54 24 ?? 8B 44 24 ?? + E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.PrincessLocker.yara b/yara/ransomware/Win32.Ransomware.PrincessLocker.yara new file mode 100644 index 0000000..e95ec59 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.PrincessLocker.yara 
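Review bot: Nothing in the Plague17 rule says how the `_p1`..`_p8` strings relate to each other, yet several parts begin with a lone byte followed by wildcards (`$find_files_p2` opens with `9D ?? ?? ?? ??`, `$encrypt_files_p2` and `_p4` with `85 ?? ?? ?? ??`, `$remote_connection_p3` with `75 ??`), which looks like one long byte sequence split at arbitrary boundaries rather than at instruction starts. A header comment above `strings:` such as `// *_pN strings are presumably consecutive fragments of a single routine, split to stay under YARA's string-length limit — confirm and keep the split points if re-extracting` would record that intent. Note that `all of ($encrypt_files_p*)` only requires every fragment to appear somewhere in the file, not adjacently, so if adjacency matters for precision that is currently unenforced; the same observation applies to the `_p*` groups in the Pay2Key rule earlier in this patch.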
@@ -0,0 +1,92 @@ +rule Win32_Ransomware_PrincessLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PRINCESSLOCKER" + description = "Yara rule that detects PrincessLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "PrincessLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 6A ?? 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? 83 7D ?? ?? 0F 43 45 + ?? 50 53 FF D7 6A ?? FF B5 ?? ?? ?? ?? 8B F0 FF 15 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? FF D6 85 C0 75 ?? 83 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 6A ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 84 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 50 53 FF D7 68 ?? ?? ?? + ?? 8D 4D ?? 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 89 9D ?? ?? ?? ?? 85 DB 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? A1 ?? ?? + ?? ?? 8B 30 89 B5 ?? ?? ?? ?? 3B F0 0F 84 ?? ?? ?? ?? 33 C9 C6 45 ?? ?? 6A ?? 51 8D + 46 ?? 66 89 8D ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? 
?? + ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 83 BD ?? ?? ?? ?? ?? 72 ?? FF B5 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 7D ?? ?? + 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 50 FF 75 ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 83 EC ?? C6 45 ?? ?? 8B CC + 33 C0 6A ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 50 66 89 01 8D 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? + C3 C7 45 ?? ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 68 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 + 45 ?? ?? 83 BD ?? ?? ?? ?? ?? 72 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? + 68 ?? ?? ?? ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D BD ?? ?? + ?? ?? 6A ?? 6A ?? 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 83 BD + ?? ?? ?? ?? ?? 6A ?? 0F 43 BD ?? ?? ?? ?? 6A ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 + 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? + ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 8B F8 83 FF + ?? 0F 84 ?? ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? + ?? ?? 50 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 85 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 48 39 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? + 0F B6 C9 0F 46 C8 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? 0F B6 C1 6A ?? 50 6A ?? FF + B5 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 FF B5 + ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 57 FF 15 + } + + $remote_connection_1 = { + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? C6 85 ?? ?? 
?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 84 DB 0F 85 ?? ?? ?? + ?? 6A ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 88 5D ?? C7 45 ?? ?? + ?? ?? ?? 66 C7 45 ?? ?? ?? 88 5D ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? 89 45 ?? E8 ?? ?? ?? ?? 8B F0 8D 55 ?? C6 45 ?? ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B D0 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 56 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 + } + + $remote_connection_2 = { + BA ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 66 C7 45 ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8D 55 ?? C6 45 + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 BA ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B F0 8D 55 ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 + 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 8B D0 C6 45 ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 53 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? + ?? 51 8B D0 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B D0 C6 45 ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 50 E8 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_files and $remote_connection_1 and $remote_connection_2 +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Prometey.yara b/yara/ransomware/Win32.Ransomware.Prometey.yara new file mode 100644 index 0000000..41cfd86 --- /dev/null 
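Review bot: `$remote_connection_1` and `$remote_connection_2` in the PrincessLocker rule break the `_pN` naming used for multi-part strings in the Pay2Key and Plague17 rules added by this same patch, and the condition then has to list them individually. Renaming them `$remote_connection_p1` and `$remote_connection_p2` and ending the condition with `and all of ($remote_connection_p*)` makes the rule consistent with its siblings and means a future `_p3` is picked up without touching the condition. Behaviour is unchanged since both strings are still required.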
+++ b/yara/ransomware/Win32.Ransomware.Prometey.yara 
@@ -0,0 +1,156 @@ +rule Win32_Ransomware_Prometey : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PROMETEY" + description = "Yara rule that detects Prometey ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Prometey" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 55 8D AC 24 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 85 ?? ?? ?? ?? 53 56 57 50 8D 45 ?? 64 A3 + ?? ?? ?? ?? 6A ?? 5E 8D 85 ?? ?? ?? ?? 89 75 ?? 50 BA ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? + ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 5B 8D 4D ?? 88 5D ?? E8 ?? ?? + ?? ?? 39 9D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 03 + C1 39 9D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 51 50 51 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 95 ?? ?? ?? ?? 8D 4D ?? E8 ?? + ?? ?? ?? 59 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 39 9D ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 03 C1 39 9D ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 0F 43 8D ?? ?? ?? ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 + ?? ?? ?? ?? 
83 BD ?? ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 33 DB 53 53 53 53 50 88 5D + } + + $remote_connection_p2 = { + FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 53 56 53 53 6A ?? 68 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B D8 85 DB 74 ?? 6A ?? 68 ?? ?? ?? ?? + 33 C0 50 50 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? + 33 C0 50 50 50 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 + E8 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? + 8D 4D ?? E8 ?? ?? ?? ?? 56 FF D7 53 FF D7 FF 75 ?? FF D7 80 7D ?? ?? 74 ?? 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 59 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 8D + ?? ?? ?? ?? 33 CD E8 ?? ?? ?? ?? 81 C5 ?? ?? ?? ?? C9 C3 8B 85 ?? ?? ?? ?? 85 C0 0F + 84 ?? ?? ?? ?? 3D ?? ?? ?? ?? 73 ?? 8D 95 ?? ?? ?? ?? C6 84 05 ?? ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? E9 ?? ?? ?? ?? E8 + } + + $find_files_p1 = { + 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 5D ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? + ?? BA ?? ?? ?? ?? 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 65 ?? ?? 8D 4D ?? 8B D3 C7 04 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? + 51 0F 43 45 ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? + ?? 33 C0 8D 7D ?? AB AB AB 33 C0 89 45 ?? 89 45 ?? 89 45 ?? C6 45 ?? ?? F6 85 ?? ?? + ?? ?? ?? 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8B 95 ?? ?? ?? ?? 8D + 8D ?? 
?? ?? ?? 68 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 59 8B D0 C6 45 ?? ?? 8B 4A + ?? 8B 7A ?? 2B CF 39 4E ?? 76 ?? 8B 46 ?? 2B 46 ?? 3B C7 72 ?? 83 7A ?? ?? 72 ?? 8B + 12 57 52 51 8B CE E8 ?? ?? ?? ?? EB ?? 56 8B CA E8 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? FF B5 ?? ?? ?? ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 8B 45 ?? 0F 43 4D ?? 8D 04 41 8D 4D ?? 0F 43 4D + ?? 51 50 51 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 83 7D ?? ?? 8D 7D + ?? 8B 9D ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 83 7D ?? ?? 8B 45 ?? 0F 43 7D ?? 89 8D ?? + ?? ?? ?? 3B D8 77 ?? 85 DB 75 ?? 8B F3 EB ?? 0F BE 09 2B C3 40 89 8D ?? ?? ?? ?? 03 + } + + $find_files_p2 = { + C7 89 85 ?? ?? ?? ?? 2B C7 50 51 57 EB ?? 53 FF B5 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 74 ?? 8B 85 ?? ?? ?? ?? 46 2B C6 50 FF B5 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + 8B F0 83 C4 ?? 85 F6 75 ?? 83 CE ?? 33 DB 56 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8D 45 ?? 89 5D ?? 50 8D 4D ?? 89 5D + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 7D ?? 83 7D ?? ?? 8B 55 ?? 0F 43 7D ?? 85 D2 74 ?? + 83 C9 ?? 8D 42 ?? 3B C1 0F 42 C8 03 CF EB ?? 2B F7 EB ?? 3B CF 74 ?? 49 80 39 ?? 75 + ?? 2B CF EB ?? 83 C9 ?? 83 F9 ?? 0F 84 ?? ?? ?? ?? 8D 79 ?? 89 5D ?? C7 45 ?? ?? ?? + ?? ?? 88 5D ?? 3B D7 0F 82 ?? ?? ?? ?? 2B D7 8D 45 ?? 83 C9 ?? 83 FA ?? 0F 42 CA 83 + 7D ?? ?? 51 0F 43 45 ?? 8D 4D ?? 03 C7 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC + 8D 45 ?? 50 89 59 ?? 89 59 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 59 59 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 51 51 8D 45 ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 53 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B 78 ?? 03 38 3B FB 7D ?? 81 FE ?? ?? ?? ?? 76 ?? 
8D + } + + $find_files_p3 = { + 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 3B FB 7D ?? 81 FE ?? ?? ?? ?? + 76 ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 83 7D ?? ?? 8B 45 ?? 0F 43 4D + ?? 8D 04 41 50 51 8D 45 ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? C6 45 + ?? ?? 56 BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? + ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 4D ?? C6 45 ?? ?? E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 ?? 8B C8 E8 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? 83 7D ?? ?? 51 0F 43 45 ?? 51 50 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 56 BA ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? C7 04 24 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 56 8B C8 C6 45 ?? ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 85 + } + + $find_files_p4 = { + 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B C8 C6 45 ?? ?? E8 ?? ?? ?? ?? 50 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B D0 C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? F6 85 ?? 
?? ?? ?? ?? 74 ?? 8B 45 + ?? 8D 4D ?? 51 3B 45 ?? 74 ?? 8B C8 E8 ?? ?? ?? ?? 83 45 ?? ?? EB ?? 50 8D 4D ?? E8 + ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B 9D ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 FF 15 ?? + ?? ?? ?? 8B 7D ?? 8B 75 ?? 6A ?? 5B 3B F7 74 ?? 56 E8 ?? ?? ?? ?? 03 F3 59 3B F7 75 + ?? 8B 7D ?? 8B 75 ?? 85 F6 74 ?? 3B F7 74 ?? 8B CE E8 ?? ?? ?? ?? 03 F3 3B F7 75 ?? + 8B 75 ?? 8B 45 ?? 2B C6 99 F7 FB 6B C0 ?? 50 56 E8 ?? ?? ?? ?? 59 59 8D 4D ?? E8 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $encrypt_files = { + 8B FF 55 8B EC 57 FF 75 ?? E8 ?? ?? ?? ?? 59 8B 4D ?? 8B F8 8B 49 ?? 90 F6 C1 ?? 75 + ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? 8B 45 ?? 6A ?? 59 83 C0 ?? F0 09 08 83 C8 ?? E9 + ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? 90 C1 E8 ?? A8 ?? 74 ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? + ?? EB ?? 8B 45 ?? 8B 40 ?? 90 A8 ?? 74 ?? FF 75 ?? E8 ?? ?? ?? ?? 59 8B 4D ?? 83 61 + ?? ?? 84 C0 8B 45 ?? 74 ?? 8B 48 ?? 89 08 8B 45 ?? 6A ?? 59 83 C0 ?? F0 21 08 8B 45 + ?? 53 6A ?? 5B 83 C0 ?? F0 09 18 8B 45 ?? 6A ?? 59 83 C0 ?? F0 21 08 8B 45 ?? 83 60 + ?? ?? 8B 45 ?? 8B 40 ?? 90 A9 ?? ?? ?? ?? 75 ?? 56 8B 75 ?? 6A ?? E8 ?? ?? ?? ?? 59 + 3B F0 74 ?? 8B 75 ?? 53 E8 ?? ?? ?? ?? 59 3B F0 75 ?? 57 E8 ?? ?? ?? ?? 59 85 C0 75 + ?? FF 75 ?? E8 ?? ?? ?? ?? 59 5E FF 75 ?? 8B 5D ?? 53 E8 ?? ?? ?? ?? 59 59 84 C0 75 + ?? 8B 45 ?? 6A ?? 59 83 C0 ?? F0 09 08 83 C8 ?? EB ?? 0F B6 C3 5B 5F 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.RagnarLocker.yara b/yara/ransomware/Win32.Ransomware.RagnarLocker.yara new file mode 100644 index 0000000..e8bade7 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.RagnarLocker.yara 
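Review bot: The `meta:` block has no hash, reference URL, date or upstream version field, so nothing in the file ties this rule to the ReversingLabs revision it was copied from or to a sample it was validated against; the RagnarLocker, Ragnarok, Ransoc, RansomPlus and Ransomexx rules in this patch have the same gap. Since the commit message defers to LICENSE-YARA-RULES for attribution, adding `reference = "<upstream rule URL>"` and `date = "<import date>"` under `tc_detection_factor` would make later re-syncs and the license provenance checkable. Each file is also committed without a trailing newline (`\ No newline at end of file`), which YARA linters flag; one more byte per file fixes it.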
@@ -0,0 +1,108 @@ +rule Win32_Ransomware_RagnarLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RAGNARLOCKER" + description = "Yara rule that detects RagnarLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "RagnarLocker" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 33 C0 B9 ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 56 8B 75 ?? 57 + 8D BD ?? ?? ?? ?? F3 AB 8B 3D ?? ?? ?? ?? 39 45 ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D + 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 75 + ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF D3 + } + + $find_files_p2 = { + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 83 FB ?? 75 ?? C7 45 ?? ?? ?? ?? ?? 33 F6 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? FF 74 B5 ?? 8D 85 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? + ?? 46 83 FE ?? 7C ?? 33 C0 85 C0 0F 85 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 FF 75 ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 + FF D6 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF D6 6A ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF D6 6A ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 
85 C0 0F 85 ?? ?? + ?? ?? 8B 45 ?? 8B 1D ?? ?? ?? ?? 8B 75 ?? 50 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 56 FF D3 + } + + $find_files_p3 = { + 33 F6 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 90 FF 74 B5 ?? + 53 FF D7 85 C0 74 ?? 46 83 FE ?? 72 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8B 45 ?? 8B 75 ?? 8D 8D ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? E9 + ?? ?? ?? ?? 5F 5E 32 C0 5B 8B E5 5D C3 FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E B0 ?? 5B 8B + E5 5D C3 + } + + $encrypt_files_p1 = { + 56 8B 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 83 C4 ?? 68 ?? ?? ?? ?? 50 FF D7 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D7 56 8B 35 ?? ?? + ?? ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF D6 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 68 ?? ?? ?? ?? FF D6 FF 75 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8B F0 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? + ?? ?? 8B F8 C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? 56 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF 75 ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + } + + $encrypt_files_p2 = { + 8D 45 ?? 50 57 68 ?? ?? ?? ?? 56 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? + 57 50 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? 8B 35 ?? ?? ?? + ?? 8D 4D ?? 6A ?? 51 FF 75 ?? FF 75 ?? 50 FF D6 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 + C4 ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 50 8D 85 ?? ?? ?? ?? + 50 FF 75 ?? FF D6 8B 45 ?? 50 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF D0 FF 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? 
?? ?? BF ?? ?? + ?? ?? 89 45 ?? 8D 57 ?? 8B CF D3 E8 A8 ?? 0F 84 ?? ?? ?? ?? 8D 47 ?? C7 45 ?? ?? ?? + ?? ?? 66 89 45 ?? 33 F6 33 C0 50 50 50 50 50 68 ?? ?? ?? ?? 50 66 89 45 ?? 8D 45 ?? + 50 FF 15 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 66 8B 85 ?? ?? ?? ?? 66 3B 45 ?? 75 ?? 66 8B 85 ?? ?? ?? ?? 66 3B 45 ?? B8 ?? ?? + ?? ?? 0F 44 F0 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? BA ?? + ?? ?? ?? 83 EF ?? 8B 45 ?? 0F 89 ?? ?? ?? ?? 0F 57 C0 C7 85 + } + + $encrypt_files_p3 = { + 0F 29 85 ?? ?? ?? ?? 0F 29 85 ?? ?? ?? ?? 0F 29 85 ?? ?? ?? ?? 0F 29 85 ?? ?? ?? ?? + 0F 29 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 6A ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 + C0 74 ?? FF 75 ?? 8B 35 ?? ?? ?? ?? FF D6 FF 75 ?? FF D6 6A ?? FF 15 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
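Review bot: The condition wraps each single term in its own parentheses, `( all of ($find_files_p*) ) and ( all of ($encrypt_files_p*) )`, which adds four lines without changing precedence; the Prometey and Ragnarok rules do the same while Ransoc and RansomPlus use a flat chain. Collapsing it to `uint16(0) == 0x5A4D and all of ($find_files_p*) and all of ($encrypt_files_p*)` keeps the whole rule set to one condition style. If the parenthesised form is kept because it mirrors the upstream ReversingLabs layout, a one-line comment saying so would prevent the next reviewer from normalising it.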
diff --git a/yara/ransomware/Win32.Ransomware.Ragnarok.yara b/yara/ransomware/Win32.Ransomware.Ragnarok.yara
new file mode 100644
index 0000000..dafbdd3
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Ragnarok.yara
@@ -0,0 +1,110 @@ +rule Win32_Ransomware_Ragnarok : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RAGNAROK" + description = "Yara rule that detects Ragnarok ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ragnarok" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 57 8B 7D ?? 2B CA 8B C7 41 + F7 D0 89 4D ?? 3B C8 76 ?? 6A ?? 58 5F 8B E5 5D C3 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 + ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 + 75 ?? FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B + 5D ?? 8B CB E8 ?? ?? ?? ?? 33 FF 89 45 ?? 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 75 ?? 59 + EB ?? 8B 43 ?? 89 30 8B F7 83 43 ?? ?? 57 E8 ?? ?? ?? ?? 59 8B C6 5E 5B EB ?? 33 FF + 57 57 57 57 57 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 + C5 89 45 ?? 8B 4D ?? 8B 55 ?? 53 57 8B 7D ?? 89 95 ?? ?? ?? ?? 3B CF 74 ?? 8A 01 3C + ?? 74 ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 57 E8 ?? ?? ?? ?? 59 59 8B C8 3B CF 75 ?? 8B 95 + ?? ?? ?? ?? 8A 01 88 85 ?? ?? ?? ?? 3C ?? 75 ?? 8D 47 ?? 3B C8 74 ?? 52 33 DB 53 53 + 57 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 33 DB 3C ?? 74 ?? 3C ?? + 74 ?? 3C ?? 8A C3 75 ?? B0 ?? 2B CF 0F B6 C0 41 89 9D ?? ?? ?? ?? F7 D8 89 9D ?? ?? + ?? ?? 56 1B C0 89 9D ?? ?? ?? ?? 23 C1 89 9D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 57 E8 + } + + $find_files_p2 = { + 83 C4 ?? 8D 8D ?? ?? ?? ?? F7 D8 1B C0 53 53 53 51 F7 D0 23 85 ?? ?? ?? ?? 53 50 FF + 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? FF B5 ?? ?? ?? ?? 53 53 57 E8 ?? ?? ?? ?? 83 C4 + ?? 8B D8 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? + 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? ?? + ?? 
?? 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? F7 D8 1B C0 F7 D0 23 85 ?? ?? ?? ?? 80 + 38 ?? 75 ?? 8A 48 ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 38 58 ?? 74 ?? FF B5 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 85 C0 75 ?? 38 9D ?? + ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? + ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? + 2B C2 C1 F8 ?? 3B C8 74 ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? + 83 C4 ?? EB ?? 38 9D ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 59 8B D8 56 FF 15 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 5E 74 ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 59 8B C3 8B 4D ?? 5F 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 8B 4D ?? 56 57 89 + 85 ?? ?? ?? ?? 33 FF 33 C0 89 8D ?? ?? ?? ?? 6A ?? 51 89 85 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8D 70 ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 8A 0E + 3A 08 75 ?? 84 C9 74 ?? 8A 4E ?? 3A 48 ?? 75 ?? 83 C6 ?? 83 C0 ?? 84 C9 75 ?? 33 C0 + EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 53 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 + 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 F6 8B 40 ?? 8B F8 E8 ?? ?? ?? ?? + 33 D2 B9 ?? ?? ?? ?? F7 F1 8A 04 3A 88 04 1E 46 83 FE ?? 7C ?? FF B5 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 33 C9 23 F9 89 8D ?? ?? ?? ?? 3D ?? ?? ?? ?? + 0F 87 ?? ?? ?? ?? 48 83 E0 ?? 83 C0 ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? FF B5 ?? ?? ?? ?? 8B F0 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF + } + + $encrypt_files_p2 = { + 0F 84 ?? ?? ?? ?? 57 FF B5 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? + ?? 83 C4 ?? 33 FF 3B B5 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 33 C0 3B 85 ?? ?? ?? ?? 0F 85 + ?? ?? ?? ?? 53 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? 
?? ?? FF B5 ?? ?? ?? + ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 56 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 53 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 85 ?? ?? ?? + ?? 57 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 3D ?? ?? ?? ?? 75 ?? 57 6A ?? + 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 57 FF B5 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? + ?? 83 C4 ?? 3B 85 ?? ?? ?? ?? 75 ?? 57 E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 33 FF 56 E8 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? 5B 85 C0 74 ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 FF 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 5F 33 CD + 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $disable_fw_and_delete_shadow_volumes = { + 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 74 ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A + ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 50 6A ?? FF D7 E9 ?? ?? + ?? ?? 6A ?? FF 35 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? + 50 FF 35 ?? ?? ?? ?? FF D3 6A ?? FF 35 ?? ?? ?? ?? 8B F0 E8 ?? ?? ?? ?? 8B 48 ?? 51 + FF 35 ?? ?? ?? ?? FF D3 8B F8 8D 85 ?? ?? ?? ?? 50 FF D6 8D 45 ?? 50 8D 85 ?? ?? ?? + ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 40 ?? 50 6A ?? FF 95 ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A + ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 35 ?? + ?? ?? ?? 8B 40 ?? 50 6A ?? FF D6 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 50 6A ?? + FF D6 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 50 6A ?? 
FF D6 + } + + condition: + uint16(0) == 0x5A4D and + ( + $disable_fw_and_delete_shadow_volumes + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Ransoc.yara b/yara/ransomware/Win32.Ransomware.Ransoc.yara new file mode 100644 index 0000000..d139125 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Ransoc.yara 
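Review bot: `$disable_fw_and_delete_shadow_volumes` is the only string in this rule whose name asserts a behaviour, but the opcode pattern itself gives a maintainer no way to confirm that claim or to re-derive it when a new build shifts the code; the same applies to `$scan_for_services` in the Ransoc rule. A short comment above the string, `// <routine description>: derived from sample <sha256 placeholder>, see <upstream reference>`, would let the next person regenerate the bytes instead of guessing. Noting which fixed opcodes anchor the match (for example the `FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 40 ?? 50` sequence that recurs throughout the string) would also document why the pattern is expected to survive relinking, since every `??` run here is a displacement or immediate.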
@@ -0,0 +1,114 @@ +rule Win32_Ransomware_Ransoc : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RANSOC" + description = "Yara rule that detects Ransoc ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ransoc" + tc_detection_factor = 5 + + strings: + + $scan_for_services = { + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 66 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 66 39 2D ?? ?? ?? ?? 73 ?? 66 01 1D ?? ?? ?? ?? 03 F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 66 89 + 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 39 2D ?? ?? ?? ?? 73 ?? 66 01 1D ?? ?? ?? ?? 03 F3 + E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 75 ?? BA ?? ?? ?? ?? 66 89 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 39 2D ?? ?? ?? ?? 73 + ?? 66 01 1D ?? ?? ?? ?? 03 F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 66 A3 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 66 39 2D ?? ?? ?? ?? 73 ?? 66 01 1D ?? ?? ?? ?? 03 F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 66 + 89 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 39 2D ?? ?? ?? ?? 73 ?? 66 01 1D ?? ?? ?? ?? 03 + F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 ?? BA ?? ?? ?? ?? 66 89 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 FF 66 39 2D ?? ?? + ?? ?? 73 ?? A1 ?? ?? ?? ?? 50 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 66 01 1D ?? ?? ?? ?? 8B + FB 03 F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 75 ?? BA ?? ?? ?? ?? 66 89 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 39 2D ?? ?? + ?? ?? 73 ?? 85 FF 75 ?? A1 ?? ?? ?? ?? 50 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 66 + 01 1D ?? ?? ?? ?? 03 F3 E8 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 
85 C0 75 ?? BA ?? ?? ?? ?? 66 89 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? + EB ?? 85 FF 74 ?? 8D 44 24 ?? 50 E8 + } + + $remote_connection = { + 8B 44 24 ?? 83 EC ?? 53 8B 5C 24 ?? 56 8B 74 24 ?? 50 56 E8 ?? ?? ?? ?? 8B D8 83 C4 + ?? 83 FB ?? 75 ?? 5E B8 ?? ?? ?? ?? 5B 83 C4 ?? C3 8B 4C 24 ?? 55 8B 6C 24 ?? 57 55 + 56 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 56 FF 15 ?? ?? ?? ?? 50 56 53 E8 + ?? ?? ?? ?? 56 8B F8 E8 ?? ?? ?? ?? 83 C4 ?? 83 FF ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 8D + 47 ?? 5F 5D 5E 5B 83 C4 ?? C3 8B 44 24 ?? 85 C0 74 ?? 85 ED 74 ?? 55 50 53 E8 ?? ?? + ?? ?? 83 C4 ?? 83 F8 ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 5F 5D 5E B8 ?? ?? ?? ?? 5B 83 C4 + ?? C3 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 83 C4 ?? 8D 49 ?? 8B 74 24 ?? + 8B C6 2B 44 24 ?? 75 ?? 8D 4C 24 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 74 24 ?? 83 C4 ?? 2B + 74 24 ?? 6A ?? 56 8D 54 24 ?? 56 52 E8 ?? ?? ?? ?? 83 C4 ?? 50 53 FF D5 8B F8 85 FF + 78 ?? 2B C6 01 44 24 ?? EB ?? 29 74 24 ?? 83 FF ?? 74 ?? 85 FF 75 ?? 53 FF 15 ?? ?? + ?? ?? 85 FF 79 ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 5F 5D 5E B8 ?? ?? ?? ?? 5B + 83 C4 ?? C3 8D 54 24 ?? 6A ?? 52 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 68 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8B F0 85 F6 75 ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 5F 5D + 8D 46 ?? 5E 5B 83 C4 ?? C3 8B 54 24 ?? 83 C2 ?? 6A ?? 52 E8 ?? ?? ?? ?? 8B 4C 24 ?? + 8B 54 24 ?? 8B F8 8B 44 24 ?? 2B F0 83 C6 ?? 2B CE 51 03 F0 56 52 E8 ?? ?? ?? ?? 8D + 44 24 ?? 50 E8 + } + + $encrypt_files = { + 81 EC ?? ?? ?? ?? 53 55 56 8B 35 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? FF D6 68 ?? ?? ?? ?? + 8B F8 FF D6 8B 8C 24 ?? ?? ?? ?? 8B E8 8B 84 24 ?? ?? ?? ?? 50 51 57 8D 94 24 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 50 + E8 ?? ?? ?? ?? 8B BC 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 83 C4 ?? 89 4C 24 ?? BB ?? + ?? ?? ?? 85 FF 0F 84 ?? ?? ?? ?? EB ?? 8D 49 ?? 55 68 ?? ?? ?? ?? 83 FB ?? 7E ?? 8D + 94 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 74 24 ?? 8D BC 24 ?? ?? ?? ?? 52 F3 A5 E8 ?? ?? + ?? ?? 
8B BC 24 ?? ?? ?? ?? 88 9C 2C ?? ?? ?? ?? 8D 75 ?? EB ?? 8D 84 24 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 88 9C 2C ?? ?? ?? ?? 8D 75 ?? 83 C4 ?? 6A ?? 8D 4C 24 ?? 6A ?? 51 + E8 ?? ?? ?? ?? 6A ?? 8D 94 24 ?? ?? ?? ?? 52 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 44 24 ?? B9 ?? ?? ?? ?? 80 30 ?? 40 49 75 ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 6A ?? + 8D 54 24 ?? 52 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 56 8D 8C 24 ?? ?? ?? ?? 51 8D + 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 4C 24 ?? 51 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 44 24 ?? B9 ?? ?? ?? ?? 8B FF 80 30 ?? 40 49 75 ?? 8D 54 24 ?? 52 + E8 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 6A ?? 8D + 54 24 ?? 52 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 8D 54 24 + ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B F7 83 FF ?? 72 ?? BE ?? ?? ?? ?? 8B 4C 24 ?? 56 8D + 44 24 ?? 50 51 E8 ?? ?? ?? ?? 01 74 24 ?? 2B FE 83 C4 ?? 43 89 BC 24 ?? ?? ?? ?? 85 + FF 0F 85 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C3 + } + + $find_files = { + 83 EC ?? 53 55 56 57 33 DB 68 ?? ?? ?? ?? 6A ?? 89 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? + ?? 8B E8 8D 44 24 ?? 50 89 6C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? 55 51 E8 ?? ?? ?? ?? + 8B 74 24 ?? 6A ?? 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 55 68 ?? ?? ?? + ?? 89 5C 24 ?? 89 5C 24 ?? E8 ?? ?? ?? ?? 8B F8 57 8D 54 24 ?? 52 8D 44 24 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 89 44 24 ?? 3B C3 75 ?? 8B 4C 24 ?? 51 8D 54 24 ?? 52 E8 ?? ?? + ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 8B 44 24 ?? 50 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 4C 24 ?? + 51 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 54 24 ?? 52 56 E8 ?? ?? ?? + ?? 83 C4 ?? 33 FF 39 5C 24 ?? 76 ?? 8D 64 24 ?? 8B 44 24 ?? 8B 0C B8 51 56 E8 ?? ?? + ?? ?? 47 83 C4 ?? 3B 7C 24 ?? 72 ?? 39 5C 24 ?? 75 ?? 8B 44 24 ?? 3B C3 74 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8B 54 24 ?? 52 56 E8 ?? ?? ?? + ?? 8B 44 24 ?? 83 C4 ?? 
89 5C 24 ?? 3B C3 0F 86 ?? ?? ?? ?? EB ?? 8D 9B ?? ?? ?? ?? + 8B 44 24 ?? 8B 4C 24 ?? 8B 1C 88 53 55 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 57 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 8B E8 E8 ?? ?? ?? ?? 6A ?? 56 89 44 24 ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 53 56 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 56 E8 ?? ?? ?? ?? 33 C0 8D 54 24 ?? 55 52 C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 84 + 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 + 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 50 56 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 44 24 ?? 50 56 + E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? + ?? 8B 5C 24 ?? E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B D3 52 E8 ?? ?? + ?? ?? 8B 4C 24 ?? 8B 44 24 ?? 8B 6C 24 ?? 41 83 C4 ?? 89 4C 24 ?? 3B C8 0F 82 ?? ?? + ?? ?? 33 DB 33 F6 3B C3 76 ?? 8B 44 24 ?? 8B 0C B0 51 E8 ?? ?? ?? ?? 46 83 C4 ?? 3B + 74 24 ?? 72 ?? 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? + 3B C3 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 44 24 ?? 5F 5E 5D 3B C3 5B 74 ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 83 C4 ?? C3 + } + + condition: + uint16(0) == 0x5A4D and $scan_for_services and $find_files and $encrypt_files and $remote_connection +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.RansomPlus.yara b/yara/ransomware/Win32.Ransomware.RansomPlus.yara new file mode 100644 index 0000000..919f9e4 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.RansomPlus.yara 
@@ -0,0 +1,95 @@ +rule Win32_Ransomware_RansomPlus : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RANSOMPLUS" + description = "Yara rule that detects RansomPlus ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "RansomPlus" + tc_detection_factor = 5 + + strings: + + $find_files_1_0 = { + 55 8B EC 83 E4 ?? 83 EC ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 50 E8 ?? ?? ?? ?? 83 EC ?? + 8B CC 6A ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? C6 01 ?? E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B CC 6A ?? 68 ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? + ?? ?? ?? C6 01 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CC 6A ?? 68 ?? ?? ?? ?? C7 41 ?? + ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C6 01 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CC 6A ?? + 68 ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C6 01 ?? E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + $find_files_1_1 = { + 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 72 ?? 8B 00 8D 8D ?? ?? ?? ?? 51 50 FF 15 ?? + ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 F9 ?? 72 ?? 8B 95 ?? ?? ?? ?? + 41 81 F9 ?? ?? ?? ?? 72 ?? F6 C2 ?? 74 ?? E8 ?? ?? ?? ?? 8B 42 ?? 3B C2 72 ?? E8 ?? + ?? ?? ?? 2B D0 83 FA ?? 73 ?? E8 ?? ?? ?? ?? 83 FA ?? 76 ?? E8 ?? ?? ?? ?? 8B D0 52 + E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C6 85 ?? ?? ?? ?? ?? 83 FB ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 32 DB E9 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? C6 45 ?? ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 + } + + $find_files_1_2 = { + 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? 
?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? + 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 0F 84 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 75 ?? 33 C9 EB + ?? 8D 8D ?? ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 51 8D 85 ?? ?? ?? ?? 50 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 55 ?? 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 EC ?? + 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? 72 ?? 8B 01 EB ?? 8B C1 + 6A ?? C6 00 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 + 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 75 ?? 33 C9 EB ?? 8D 8D + ?? ?? ?? ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 51 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 83 FE ?? 0F 43 C2 0F 43 CA 89 85 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 03 C1 83 FE ?? 8B F8 0F 43 DA 33 C9 2B FB 33 F6 3B D8 0F 47 F9 85 + FF 74 ?? 0F BE 04 33 50 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 C4 ?? 88 04 31 46 3B F7 + 75 ?? 33 C0 89 85 ?? ?? ?? ?? 8B 94 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 80 3A ?? 75 ?? 33 C9 EB ?? 8B CA 8D + 71 ?? 8A 01 41 84 C0 75 ?? 2B CE 51 52 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? + 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 F9 ?? 0F + 43 C2 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 C2 03 85 ?? ?? ?? ?? 83 F9 ?? 8B F8 + 0F 43 DA 33 F6 2B FB 3B D8 0F 47 FE 85 FF 74 + } + + $encrypt_files = { + 8A 01 41 84 C0 75 ?? 2B CA C6 85 ?? ?? ?? ?? ?? 33 C0 88 84 05 ?? ?? ?? ?? 40 3D ?? + ?? ?? ?? 72 ?? 33 F6 8B C6 33 D2 F7 F1 8A 04 3A 02 C1 30 84 35 ?? ?? ?? ?? 
46 81 FE + ?? ?? ?? ?? 72 ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 55 ?? 8B F8 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 0F 43 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B + D8 85 FF 74 ?? 85 DB 74 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 57 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 8B F0 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 53 56 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 57 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? + 83 7D ?? ?? 8D 45 ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? 83 F8 + ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B + 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? + E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 83 F8 ?? 72 ?? 8B 4D ?? 40 3D + ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B C1 72 ?? E8 ?? ?? ?? ?? + 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 ?? ?? ?? ?? 8B C8 51 E8 ?? ?? + ?? ?? 83 C4 ?? 8B 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 F8 + ?? 72 ?? 8B 4D ?? 40 3D ?? ?? ?? ?? 72 ?? F6 C1 ?? 74 ?? E8 ?? ?? ?? ?? 8B 41 ?? 3B + C1 72 ?? E8 ?? ?? ?? ?? 2B C8 83 F9 ?? 73 ?? E8 ?? ?? ?? ?? 83 F9 ?? 76 ?? E8 ?? ?? + ?? ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B + 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $find_files_1_0 and $find_files_1_1 and $find_files_1_2 and $encrypt_files +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Ransomexx.yara b/yara/ransomware/Win32.Ransomware.Ransomexx.yara new file mode 100644 index 0000000..0d19b74 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Ransomexx.yara 
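Review bot: The string identifiers `$find_files_1_0`, `$find_files_1_1` and `$find_files_1_2` break the `_p1`/`_p2` part-numbering used by every other rule in this patch, and the condition spells them out one by one instead of using the set syntax. Renaming them to `$find_files_p1`..`$find_files_p3` and writing `uint16(0) == 0x5A4D and all of ($find_files_p*) and $encrypt_files` keeps the naming uniform and means a part added later cannot be left out of the condition. If the upstream ReversingLabs rule uses these names deliberately, a one-line comment saying so would stop the next reviewer from normalising them.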
@@ -0,0 +1,147 @@ +rule Win32_Ransomware_Ransomexx : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RANSOMEXX" + description = "Yara rule that detects Ransomexx ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ransomexx" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B 7D ?? 85 FF 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B F4 B3 ?? 85 F6 74 ?? C6 46 ?? ?? B0 ?? 66 C7 06 ?? ?? 88 5E ?? 88 + 46 ?? 8B C7 8D 50 ?? 90 8A 08 40 84 C9 75 ?? 2B C2 8B D0 8B C6 8D 78 ?? 8A 08 40 84 + C9 75 ?? 2B C7 8D 84 10 ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? + 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 7D ?? 68 ?? ?? ?? ?? 57 50 FF 15 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 8B 75 ?? 56 FF 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 56 FF 15 ?? ?? ?? + ?? 8B F0 89 75 ?? 83 FE ?? 75 ?? FF 15 ?? ?? ?? ?? 8D A5 ?? ?? ?? ?? 5F 5E 5B 8B E5 + 5D C3 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C4 89 45 ?? 85 C0 74 ?? C6 40 ?? ?? 88 18 88 + 58 ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 49 ?? 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 + ?? 3A 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F + 84 ?? ?? ?? ?? 8B 4D ?? 8D 85 ?? ?? ?? ?? 8A 10 3A 11 75 ?? 84 D2 74 ?? 8A 50 ?? 3A + } + + $find_files_p2 = { + 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? + ?? ?? ?? 8B C7 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 8B D0 8D 85 ?? ?? ?? ?? 8D 70 ?? + 8D 64 24 ?? 8A 08 40 84 C9 75 ?? 8B 1D ?? ?? ?? ?? 2B C6 8D 94 10 ?? ?? ?? ?? 52 6A + ?? FF D3 50 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 56 FF + 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? + ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 6A ?? 56 FF 15 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 FF 15 ?? ?? 
?? ?? 85 + C0 75 ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 56 6A ?? + FF D3 50 FF 15 ?? ?? ?? ?? 8B 75 ?? 8D 8D ?? ?? ?? ?? 51 56 FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8D A5 ?? ?? ?? ?? 5F 5E + 5B 8B E5 5D C3 + } + + $find_files_p3 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 56 57 8B 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B C7 + 8D 50 ?? 90 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 8D B4 00 ?? ?? ?? ?? 8D 86 + ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? + ?? ?? 56 57 53 FF 15 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? + 51 53 FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 75 ?? 8B 3D ?? ?? ?? ?? FF D7 83 F8 ?? + 0F 84 ?? ?? ?? ?? FF D7 E9 ?? ?? ?? ?? 8D A4 24 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF D7 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 50 FF D7 85 C0 0F 84 ?? ?? ?? ?? F6 44 24 ?? ?? 0F 85 ?? ?? ?? ?? 8B + 4D ?? 56 51 53 FF 15 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 56 8D 94 24 + ?? ?? ?? ?? 52 53 FF 15 ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 + 74 ?? 66 83 38 ?? 74 ?? 68 ?? ?? ?? ?? 50 FF D7 85 C0 75 ?? FF 05 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8D 7C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 39 05 ?? ?? ?? ?? 0F 84 + ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 54 24 ?? 52 FF D7 85 C0 74 ?? 8D 44 + } + + $find_files_p4 = { + 24 ?? 50 8D 4C 24 ?? 51 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 0F B7 44 24 ?? 8B 0D ?? + ?? ?? ?? 3B C1 74 ?? 49 3B C1 74 ?? 8D 54 24 ?? 52 8D 44 24 ?? 50 FF D7 85 C0 74 ?? + 8D 4C 24 ?? 51 8D 54 24 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 0F B7 44 24 ?? 8B + 0D ?? ?? ?? ?? 3B C1 74 ?? 49 3B C1 74 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? 8B 44 24 ?? 
0B 44 24 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 6A ?? 6A ?? 50 51 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? + 80 3B ?? 75 ?? 80 7B ?? ?? 75 ?? 8B 15 ?? ?? ?? ?? 8D 3C 85 ?? ?? ?? ?? 8B 04 17 53 + 50 FF 15 ?? ?? ?? ?? EB ?? 8B 0D ?? ?? ?? ?? 8D 3C 85 ?? ?? ?? ?? 8B 14 0F 68 ?? ?? + ?? ?? 52 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 0C 07 68 ?? ?? ?? ?? 53 51 FF 15 ?? ?? + ?? ?? 8B 15 ?? ?? ?? ?? 8B 04 17 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8B 54 24 ?? 8D 4C 24 ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 + ?? 50 FF 15 ?? ?? ?? ?? 53 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 5F 5E 33 C0 + 5B 8B E5 5D C2 + } + + $enum_network_resources = { + 55 8B EC 8B 4D ?? 83 EC ?? 8D 45 ?? 50 51 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 56 68 ?? ?? ?? ?? 6A ?? C7 45 ?? ?? ?? ?? ?? + FF D3 50 FF 15 ?? ?? ?? ?? 8B F0 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 57 90 8B 4D ?? 8D + 55 ?? 52 56 8D 45 ?? 50 51 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? 33 FF 39 7D ?? 76 ?? 83 C6 ?? 8D 64 24 ?? F6 46 ?? ?? 74 ?? F6 46 ?? ?? 74 ?? + 8B 06 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 8D 94 00 ?? ?? ?? ?? 52 + 6A ?? FF D3 50 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 04 8D ?? ?? ?? ?? 85 C0 74 ?? + 8B 16 0F B7 0A 66 89 08 83 C2 ?? 83 C0 ?? 66 85 C9 75 ?? FF 05 ?? ?? ?? ?? 8B 56 ?? + 83 E2 ?? 80 FA ?? 75 ?? 8D 46 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 47 83 C6 ?? 3B 7D ?? 72 + ?? 8B 75 ?? E9 ?? ?? ?? ?? 56 6A ?? FF D3 50 FF 15 ?? ?? ?? ?? 5F 8B 4D ?? 51 FF 15 + ?? ?? ?? ?? 5E 5B 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 83 EC ?? 53 56 57 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 89 45 ?? 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? B8 ?? ?? ?? ?? 89 4D ?? E8 ?? ?? ?? + ?? 8B F4 85 F6 0F 84 ?? ?? ?? ?? 8B D6 81 EA ?? ?? ?? ?? 83 C2 ?? 89 55 ?? 8B D6 81 + EA ?? ?? ?? ?? 83 C2 ?? 89 55 ?? 8B D6 8B CE 8B FE 81 EA ?? ?? ?? ?? 33 C0 81 E9 ?? + ?? ?? ?? 
81 EF ?? ?? ?? ?? 83 C2 ?? C6 46 ?? ?? 89 55 ?? 8B 5D ?? 8A D0 80 E2 ?? 02 + 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 01 ?? ?? ?? ?? 8D 50 ?? 80 E2 ?? 02 90 ?? ?? + ?? ?? 32 90 ?? ?? ?? ?? 88 94 07 ?? ?? ?? ?? 8D 50 ?? 80 E2 ?? 02 90 ?? ?? ?? ?? 32 + 90 ?? ?? ?? ?? 88 94 03 ?? ?? ?? ?? 8B 5D ?? 8D 50 ?? 80 E2 ?? 02 90 ?? ?? ?? ?? 32 + 90 ?? ?? ?? ?? 88 94 03 ?? ?? ?? ?? 8B 5D ?? 8D 50 ?? 80 E2 ?? 02 90 ?? ?? ?? ?? 32 + 90 ?? ?? ?? ?? 88 94 03 ?? ?? ?? ?? 8D 50 ?? 80 E2 ?? 02 90 ?? ?? ?? ?? 83 C0 ?? 32 + 90 ?? ?? ?? ?? 88 54 06 ?? 83 F8 ?? 0F 8C ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 4D ?? 50 51 + FF 15 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 55 ?? 52 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? C7 45 + ?? ?? ?? ?? ?? FF D6 85 C0 75 ?? 8B 3D ?? ?? ?? ?? 8D 49 ?? 68 ?? ?? ?? ?? FF D7 8D + 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF D6 85 C0 74 ?? 50 FF 15 ?? ?? ?? + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B FC 85 FF 0F 84 ?? ?? ?? ?? 8B D7 81 EA ?? ?? ?? + ?? 83 C2 ?? 89 55 ?? 8B D7 81 EA ?? ?? ?? ?? 83 C2 ?? 89 55 ?? 8B D7 8B CF 8B F7 81 + } + + $encrypt_files_p2 = { + EA ?? ?? ?? ?? 33 C0 81 E9 ?? ?? ?? ?? 81 EE ?? ?? ?? ?? 83 C2 ?? C6 47 ?? ?? 89 55 + ?? 8B 5D ?? 8A D0 80 E2 ?? 02 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 08 ?? ?? ?? ?? + 8D 50 ?? 80 E2 ?? 02 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 30 ?? ?? ?? ?? 8D 50 ?? + 80 E2 ?? 02 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 18 ?? ?? ?? ?? 8B 5D ?? 8D 50 ?? + 80 E2 ?? 02 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 18 ?? ?? ?? ?? 8B 5D ?? 8D 50 ?? + 80 E2 ?? 02 90 ?? ?? ?? ?? 32 90 ?? ?? ?? ?? 88 94 18 ?? ?? ?? ?? 8D 50 ?? 80 E2 ?? + 02 90 ?? ?? ?? ?? 83 C0 ?? 32 90 ?? ?? ?? ?? 88 54 07 ?? 83 F8 ?? 0F 8C ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B D8 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B C8 2B 4D ?? + B8 ?? ?? ?? ?? F7 E1 8B CA C1 E9 ?? B8 ?? ?? ?? ?? F7 E1 C1 EA ?? 8B C2 C1 E0 ?? 2B + C2 03 C0 03 C0 2B C8 8B F2 B8 ?? ?? ?? ?? F7 E6 A1 ?? ?? ?? ?? 51 C1 EA ?? 
8B CA C1 + E1 ?? 2B CA 03 C9 03 C9 2B F1 56 52 8B 15 ?? ?? ?? ?? 52 50 53 57 E8 ?? ?? ?? ?? 83 + C4 ?? 85 DB 0F 84 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B D8 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B C8 2B + 4D ?? B8 ?? ?? ?? ?? F7 E1 8B CA C1 E9 ?? B8 ?? ?? ?? ?? F7 E1 C1 EA ?? 8B C2 C1 E0 + ?? 2B C2 03 C0 03 C0 2B C8 8B F2 B8 ?? ?? ?? ?? F7 E6 A1 ?? ?? ?? ?? 51 C1 EA ?? 8B + CA C1 E1 ?? 2B CA 03 C9 03 C9 2B F1 56 52 8B 15 ?? ?? ?? ?? 52 50 53 57 E8 ?? ?? ?? + ?? 83 C4 ?? 85 DB 0F 85 ?? ?? ?? ?? 8D 65 ?? 5F 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_network_resources + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Redeemer.yara b/yara/ransomware/Win32.Ransomware.Redeemer.yara new file mode 100644 index 0000000..18e3c7c --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Redeemer.yara 
@@ -0,0 +1,105 @@ +rule Win32_Ransomware_Redeemer : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REDEEMER" + description = "Yara rule that detects Redeemer ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Redeemer" + tc_detection_factor = 5 + + strings: + + $find_files = { + 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? + 8B BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C6 ?? 89 B5 ?? ?? + ?? ?? 89 B5 ?? ?? ?? ?? 3B F7 0F 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 8B 3D ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 89 A5 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC ?? + C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 84 C0 0F 85 ?? ?? ?? ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 89 A5 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ?? ?? ?? ?? C6 45 + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 75 ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B CC 89 A5 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 8B CC 50 E8 ?? ?? + ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 C0 75 ?? 83 EC ?? 8D 85 ?? ?? ?? ?? 8B + CC 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 6A ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 + } + + $encrypt_files_p1 = { + 80 FB ?? 0F 85 ?? ?? ?? ?? 83 EC ?? 8D 55 ?? 8B CC 89 A5 ?? ?? ?? ?? 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? + C7 41 ?? ?? ?? ?? ?? 83 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 33 D2 + 6A ?? 66 89 10 8D 45 ?? 52 50 E8 ?? 
?? ?? ?? B9 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? 8B CC C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? C7 41 ?? ?? ?? ?? ?? 83 + 79 ?? ?? C7 41 ?? ?? ?? ?? ?? 72 ?? 8B 01 EB ?? 8B C1 33 D2 6A ?? 66 89 10 8D 45 ?? + 52 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 8D 45 ?? 3B C6 + 74 ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 33 C0 C7 45 ?? + ?? ?? ?? ?? 56 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? C6 45 + } + + $encrypt_files_p2 = { + 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 35 ?? ?? ?? ?? 33 C0 83 7D ?? ?? 66 89 85 ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? + 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF D6 85 C0 0F 85 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 72 ?? 8B 00 50 FF D6 8B 85 ?? ?? ?? + ?? 83 F8 ?? 72 ?? 40 8D 8D ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 45 ?? 83 C4 ?? 83 F8 ?? 72 ?? 40 8D 4D ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 33 + C0 C7 45 ?? ?? ?? ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 ?? E8 ?? ?? ?? ?? 8D + 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E + 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 E8 + } + + $modify_processes_p1 = { + 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? 
E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 + } + + $modify_processes_p2 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 F9 6A ?? 8D 8D ?? ?? ?? ?? 6A ?? 8D 04 52 8D 04 C1 + 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 0F + 43 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D B5 + ?? ?? ?? ?? 0F 43 95 ?? ?? ?? ?? 0F 43 B5 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 C8 ?? + 50 56 FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? ?? ?? F7 F9 6A ?? 8D 8D ?? ?? ?? + ?? 6A ?? 8D 04 52 8D 04 C1 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 85 ?? ?? + ?? ?? 8B CC 89 A5 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC FF 37 E8 + ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? C6 45 ?? ?? 8D 85 ?? ?? + ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 8B 4D ?? 64 89 + 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 FF 77 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($modify_processes_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.RegretLocker.yara b/yara/ransomware/Win32.Ransomware.RegretLocker.yara new file mode 100644 index 0000000..4c8909f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.RegretLocker.yara 
@@ -0,0 +1,206 @@ +rule Win32_Ransomware_RegretLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REGRETLOCKER" + description = "Yara rule that detects RegretLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "RegretLocker" + tc_detection_factor = 5 + + strings: + + $remote_connection_p1 = { + 55 8B EC 8B 41 ?? 8B 55 ?? 3B C2 72 ?? 2B C2 56 8B 75 ?? 3B C6 0F 42 F0 83 79 ?? ?? + 72 ?? 8B 09 56 03 CA 51 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 5E 5D C2 ?? ?? E8 ?? + ?? ?? ?? CC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 83 65 ?? ?? 8D 45 ?? 53 + 56 57 50 E8 ?? ?? ?? ?? 83 65 ?? ?? 50 E8 ?? ?? ?? ?? 83 4D ?? ?? 8A D8 59 59 8D 4D + ?? E8 ?? ?? ?? ?? 84 DB 0F 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? + C7 45 ?? ?? ?? ?? ?? 8B CC 6A ?? 83 61 ?? ?? C7 41 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 88 + 19 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 59 59 8B 8D ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 6A ?? 5B 3B CB C6 45 ?? ?? 0F 43 C2 80 78 ?? + ?? 75 ?? 3B CB 8D 85 ?? ?? ?? ?? 0F 43 C2 80 78 ?? ?? 75 ?? 3B CB 8D 85 ?? ?? ?? ?? + 0F 43 C2 80 78 ?? ?? 75 ?? 3B CB 8D 85 ?? ?? ?? ?? 0F 43 C2 80 78 ?? ?? 75 ?? 3B CB + 8D 85 ?? ?? ?? ?? 0F 43 C2 80 78 ?? ?? 75 ?? 83 BD ?? ?? ?? ?? ?? 0F 84 + } + + $remote_connection_p2 = { + 8D 45 ?? 50 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B C8 C7 04 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 84 C0 75 ?? 8B BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 3B FB 8D B5 ?? ?? ?? ?? 8B 9D + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 0F 43 C3 83 FF ?? 0F 43 F3 0F 43 D3 33 C9 8A 40 ?? 3A + 46 ?? 0F BE 42 ?? 0F 94 C1 3B C8 75 ?? 83 FF ?? 8D 85 ?? ?? ?? ?? 0F 43 C3 80 78 ?? + ?? 75 ?? 83 FF ?? 8D 85 ?? ?? ?? ?? 0F 43 C3 80 78 ?? ?? 74 ?? 32 DB EB ?? B3 ?? F6 + 45 ?? ?? 74 ?? 8D 4D ?? E8 ?? ?? ?? ?? 84 DB 74 ?? 6A ?? 
68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 6A ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 5F 6A ?? 33 DB 89 BD + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 89 65 ?? 53 89 59 ?? 89 79 ?? 68 ?? ?? ?? ?? + 88 19 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 8D 85 ?? ?? ?? ?? 50 89 59 ?? 89 59 + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B B5 ?? ?? ?? ?? C6 45 ?? ?? 83 FE ?? 77 ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 84 C0 74 ?? 6A ?? 5E 83 EC ?? 8B CC 89 65 ?? 53 89 59 ?? 89 79 ?? 68 ?? ?? + ?? ?? 88 19 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 8D 85 ?? ?? ?? ?? 50 89 59 ?? + 89 59 ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 + } + + $remote_connection_p3 = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 83 EE ?? 75 ?? 8B B5 ?? ?? ?? ?? 8D 46 ?? 83 F8 ?? 77 ?? 68 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 59 59 89 5D ?? 89 7D ?? 88 9D ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 89 + 5D ?? 89 5D ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? C6 45 ?? ?? 50 E8 ?? ?? ?? ?? 59 8B + F0 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 89 5D ?? 89 7D ?? 88 5D ?? E8 ?? ?? ?? + ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 56 83 C1 ?? + E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 59 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 + } + + $remote_connection_p4 = { + 89 5D ?? 89 7D ?? 88 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D + ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? 50 83 C1 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 51 51 8B CC 89 65 ?? 8D 45 ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 
50 8D 45 ?? 89 4D ?? 50 E8 ?? ?? ?? ?? 83 EC ?? C6 45 ?? ?? 8B CC 6A + ?? 89 59 ?? C7 41 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 88 19 E8 ?? ?? ?? ?? 8D 45 ?? C6 45 + ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D + ?? E8 ?? ?? ?? ?? 8B 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 0F 43 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 74 ?? 50 53 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 85 ?? ?? ?? ?? 8B 75 ?? 0F 43 85 ?? ?? + ?? ?? 6A ?? 6A ?? 56 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 74 ?? 40 8D 8D ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 8B 75 ?? 56 E8 ?? ?? ?? ?? 59 53 FF 75 ?? 8D 8D ?? ?? ?? ?? A3 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 4D ?? A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 88 1C 01 E8 ?? ?? + ?? ?? EB ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 59 8B 75 ?? + 8D 4D ?? C6 45 ?? ?? FF 76 ?? E8 ?? ?? ?? ?? 8B 45 ?? C6 45 ?? ?? 89 70 ?? 8B 45 ?? + 89 30 8B 45 ?? 89 70 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 58 50 68 ?? ?? ?? ?? 83 EC ?? 89 + } + + $remote_connection_p5 = { + 5D ?? 8B CC FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B F8 6A ?? 58 + FF 35 ?? ?? ?? ?? 85 FF 0F 44 F8 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 59 6A ?? 5E 6A ?? 68 + ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 89 5D ?? 89 75 ?? 88 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? + C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? 50 83 C1 ?? E8 + ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? 8D 4D ?? 89 5D ?? 89 75 ?? 88 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 + 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 85 ?? ?? ?? ?? 50 83 C1 ?? E8 ?? ?? + ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 59 8B F0 6A ?? + 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 89 5D ?? C7 45 ?? ?? ?? ?? ?? 88 5D ?? E8 ?? ?? + ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 8B 4D ?? 56 83 C1 + ?? 
E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 45 + ?? 50 E8 ?? ?? ?? ?? 59 8B F0 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 89 5D ?? C7 + 45 ?? ?? ?? ?? ?? 88 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D + ?? E8 ?? ?? ?? ?? 8B 4D ?? 56 83 C1 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D + ?? C6 45 ?? ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 45 ?? 57 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8B F0 6A ?? 58 6A ?? 5F 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? 88 45 ?? 89 5D ?? 89 7D ?? + 88 5D ?? E8 ?? ?? ?? ?? 8D 45 ?? C6 45 ?? ?? 50 8D 45 ?? 50 8D 4D ?? E8 ?? ?? ?? ?? + 8B 4D ?? 56 83 C1 ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 + ?? ?? ?? ?? 51 51 8B CC 89 65 ?? 8D 45 ?? 89 4D ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 + EC ?? C6 45 ?? ?? 8B CC 6A ?? 89 59 ?? 89 79 ?? 68 ?? ?? ?? ?? 88 19 E8 + } + + $encrypt_files_p1 = { + 8B FB 89 5D ?? 89 7D ?? 89 5D ?? 8B 85 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? C6 45 ?? ?? 89 + 45 ?? 3B F0 74 ?? 56 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 3B DF 74 ?? + 8B 08 89 0F 8B 48 ?? 89 4F ?? 83 20 ?? 83 60 ?? ?? 83 C7 ?? 89 7D ?? EB ?? 50 57 8D + 4D ?? E8 ?? ?? ?? ?? 8B 5D ?? 8B 7D ?? 83 7D ?? ?? C6 45 ?? ?? 0F 85 ?? ?? ?? ?? 6A + ?? 58 03 F0 3B 75 ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 8B B5 ?? ?? ?? ?? + C6 45 ?? ?? 8B 06 89 45 ?? EB ?? 8D 48 ?? 8D 41 ?? 50 51 68 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? C6 45 ?? ?? 3B DF 74 ?? 8B 08 89 0F 8B 48 ?? 89 4F ?? 83 20 ?? 83 60 ?? + ?? 83 C7 ?? 89 7D ?? EB ?? 50 57 8D 4D ?? E8 ?? ?? ?? ?? 8B 5D ?? 8B 7D ?? 83 7D ?? + ?? C6 45 ?? ?? 0F 85 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 3B C6 75 ?? 8B 75 + ?? EB ?? 83 7E ?? ?? 74 ?? 8B CE E8 ?? ?? ?? ?? 83 C6 ?? 3B F7 75 ?? 0F 57 C0 68 ?? + ?? ?? ?? 66 0F 13 45 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 6A ?? 59 99 + F7 F9 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 C4 ?? 8B 1D ?? ?? ?? ?? 8B + 75 ?? 8B 7D ?? 89 45 ?? 3B D8 74 ?? 83 EC ?? 8B CC 53 83 61 ?? ?? 83 61 ?? ?? E8 ?? + ?? ?? 
?? E8 ?? ?? ?? ?? 83 C4 ?? 03 F8 83 D6 ?? 6A ?? 58 03 D8 3B 5D ?? 75 ?? 0F AC + F7 ?? C1 EE ?? 56 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 ?? 8B 35 + ?? ?? ?? ?? EB ?? 83 7E ?? ?? 8B C6 72 ?? 8B 06 6A ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? + ?? 83 C4 ?? 6A ?? 58 03 F0 3B F7 75 ?? 68 ?? ?? ?? ?? E8 + } + + $encrypt_files_p2 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 53 56 8B 75 ?? 8D 8D ?? ?? ?? ?? 57 + 56 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 33 DB 50 8D 45 ?? 89 5D ?? 50 E8 ?? ?? ?? ?? 59 + 59 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8B CC 6A ?? 89 59 ?? C7 41 + ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 88 19 E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? 8A D8 E8 ?? ?? ?? ?? 84 DB 74 ?? 33 DB E9 ?? + ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? ?? 59 59 85 + C0 0F 84 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 68 ?? ?? ?? ?? 0F 43 45 ?? 50 E8 ?? ?? ?? + ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? 83 EC ?? 33 DB 8B CC 89 5D ?? 56 E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 89 45 ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 3B C1 0F 42 C8 3B C7 89 + 4D ?? 0F 42 F8 89 7D ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 39 9D ?? ?? ?? ?? 75 ?? 83 EC ?? 8B CC 56 E8 ?? ?? ?? + ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 83 7E ?? ?? C6 45 ?? ?? 72 ?? 8B 36 E8 + ?? ?? ?? ?? FF 30 E8 ?? ?? ?? ?? 56 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D + ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 77 ?? 56 E8 ?? ?? ?? ?? 56 89 45 ?? E8 ?? ?? ?? + ?? 8B 4D ?? 56 53 51 89 45 ?? E8 ?? ?? ?? ?? 56 53 FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? + 83 C4 ?? 89 5D ?? 8B D3 85 C0 0F 84 ?? ?? ?? ?? 8B C8 2B CA 39 4D ?? 8B C1 8B F1 0F + 46 45 ?? 3B F9 89 45 ?? 0F 46 F7 8B 7D ?? 2B CE 89 75 ?? 39 4D ?? 0F 46 4D ?? 89 4D + ?? 85 FF 75 ?? 53 56 FF 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 0C 3E 8B + } + + $encrypt_files_p3 = { + C4 89 4D ?? 89 08 8D 8D ?? ?? ?? ?? 89 58 ?? 89 58 ?? 89 58 ?? 89 58 ?? 89 58 ?? 
E8 + ?? ?? ?? ?? 53 FF 75 ?? 8D 8D ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 FF 75 + ?? 8D 8D ?? ?? ?? ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 EC ?? 8B D4 8B D8 + 33 C0 03 CF 89 0A 8D 8D ?? ?? ?? ?? 89 42 ?? 89 42 ?? 89 42 ?? 89 42 ?? 89 42 ?? E8 + ?? ?? ?? ?? 6A ?? FF 75 ?? 8D 8D ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B 7D ?? 2B 75 ?? 03 + 7D ?? 56 57 E8 ?? ?? ?? ?? 59 59 6A ?? 56 57 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 + ?? FF 75 ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? 2B 45 ?? 01 45 ?? 53 E8 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 83 C4 ?? 8B 40 ?? 8B 84 05 ?? ?? ?? ?? C1 E8 ?? A8 ?? 74 ?? 83 EC ?? + 8B CC FF 75 ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 83 7E ?? ?? + C6 45 ?? ?? 72 ?? 8B 36 E8 ?? ?? ?? ?? FF 30 E8 ?? ?? ?? ?? 56 50 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8B 7D ?? + 89 55 ?? 6A ?? 5B 3B D0 0F 82 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? + E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 59 59 FF 75 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 EC + ?? C6 45 ?? ?? 8B CC 6A ?? 89 59 ?? C7 41 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 88 19 E8 ?? + ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 78 ?? ?? 8B 48 ?? C6 45 ?? ?? 72 ?? + 8B 00 51 50 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ?? + 8D 45 ?? 0F 43 45 ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 45 ?? 8B CC 50 89 59 ?? + 89 59 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? B3 ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? FF 75 ?? 56 E8 ?? ?? ?? ?? 59 59 8A D8 8D 4D ?? E8 + ?? ?? ?? ?? 8B 4D ?? 8A C3 5F 5E 64 89 0D ?? ?? ?? ?? 5B C9 C3 + } + + $find_files = { + 8B FF 55 8B EC 51 8B 4D ?? 8D 51 ?? 8A 01 41 84 C0 75 ?? 2B CA 83 C8 ?? 57 8B 7D ?? + 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 53 56 8D 5F ?? 03 D9 6A ?? 53 E8 ?? ?? + ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? + FF 75 ?? 2B DF 8D 04 3E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8B 4D ?? + 56 E8 ?? ?? 
?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5B 5F 8B E5 5D C3 33 C0 50 + 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 + 89 45 ?? 8B 4D ?? 53 8B 5D ?? 56 8B 75 ?? 57 89 B5 ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 + ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 53 E8 ?? ?? ?? ?? 59 59 8B C8 3B CB 75 ?? 8A 11 80 FA + ?? 75 ?? 8D 43 ?? 3B C8 74 ?? 56 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 FF + 80 FA ?? 74 ?? 80 FA ?? 74 ?? 80 FA ?? 74 ?? 8B C7 EB ?? 33 C0 40 0F B6 C0 2B CB 41 + F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? + ?? ?? ?? 83 FE ?? 75 ?? 50 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 + FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? + 2B 08 C1 F9 ?? 89 8D ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 + 74 ?? 80 F9 ?? 75 ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? + ?? 85 C0 8B 85 ?? ?? ?? ?? 75 ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B + C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 + ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.RetMyData.yara b/yara/ransomware/Win32.Ransomware.RetMyData.yara new file mode 100644 index 0000000..d4c8d23 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.RetMyData.yara 
@@ -0,0 +1,79 @@
+rule Win32_Ransomware_RetMyData : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "RETMYDATA"
+ description = "Yara rule that detects RetMyData ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "RetMyData"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ 55 89 E5 57 56 53 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 29 C4 8D 9D ?? ?? ?? ?? 8B 04 04
+ C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 89 44 24 ?? 89 C7 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ??
+ 89 1C 24 89 44 24 ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 40 51 51 0F 84 ?? ?? ?? ?? 8D
+ B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 85
+ C0 74 ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 85 C0 74 ?? F6 85 ?? ?? ??
+ ?? ?? 89 74 24 ?? 89 7C 24 ?? 74 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ??
+ 89 D8 E8 ?? ?? ?? ?? EB ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? BA ?? ??
+ ?? ?? 89 D8 E8 ?? ?? ?? ?? 85 C0 75 ?? 89 D8 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 44
+ 24 ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 52 52 0F 85 ?? ?? ?? ?? 8B 85
+ ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 50 8D 65 ?? 5B 5E 5F 5D C3 55 BA ?? ?? ?? ?? 89
+ E5 53 51 89 C3 E8 ?? ?? ?? ?? 48 74 ?? 5A 89 D8 5B 5D E9 ?? ?? ?? ?? 58 5B 5D C3
+ }
+
+ $enum_resources = {
+ 55 89 E5 57 56 53 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 29 C4 8D 95 ?? ?? ?? ?? C7 85 ??
+ ?? ?? ?? ?? ?? ?? ?? 8B 04 04 C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? C7 44 24 ?? ?? ??
+ ?? ?? C7 04 24 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ??
+ 83 EC ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 31 F6 89
+ 44 24 ?? 8D 85 ?? ?? ?? ?? 89 5C 24 ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ??
+ ?? ?? ?? 83 EC ?? 3B B5 ?? ?? ?? ?? 7D ?? 83 7B ?? ?? 75 ?? 8B 43 ?? C7 44 24 ?? ??
+ ?? ?? ?? 89 3C 24 89 44 24 ?? E8 ?? ?? ?? ?? 89 F8 E8 ?? ?? ?? ?? 
89 D8 46 83 C3 ??
+ E8 ?? ?? ?? ?? EB ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 50 8D 65 ?? 5B 5E 5F
+ 5D C3
+ }
+
+ $encrypt_files = {
+ 55 89 E5 57 56 53 89 C3 81 EC ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ??
+ ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85
+ C0 89 C2 A3 ?? ?? ?? ?? 75 ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 31
+ C0 89 D7 F3 AB 85 DB 75 ?? A1 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ??
+ ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 89 5C 24 ?? 8D 9D ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 89 3C
+ 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 1C
+ 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 34
+ 24 E8 ?? ?? ?? ?? 89 74 24 ?? 89 3C 24 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? C7 44
+ 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ??
+ ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 34 24 E8 ?? ?? ?? ?? 83 EC
+ ?? 83 F8 ?? 89 C3 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 89 7C 24 ?? 89 34 24 EB ?? 8D
+ BD ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 7C 24 ?? C7 44 24 ?? ?? ??
+ ?? ?? 89 1C 24 89 44 24 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 EC ?? 85 C0 75 ?? 89
+ 1C 24 E8 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8
+ ?? ?? ?? ?? EB ?? F7 D8 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ??
+ 89 1C 24 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 83 EC ?? BA ?? ?? ?? ?? C7 04 24 ?? ?? ??
+ ?? B8 ?? ?? ?? ?? 89 F1 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89
+ 74 24 ?? 89 1C 24 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 83 EC ??
+ FF 8D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 65 ?? 5B 5E 5F 5D C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $enum_resources
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Reveton.yara b/yara/ransomware/Win32.Ransomware.Reveton.yara
new file mode 100644
index 0000000..e256854
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Reveton.yara
@@ -0,0 +1,118 @@ +rule Win32_Ransomware_Reveton : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REVETON" + description = "Yara rule that detects Reveton ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Reveton" + tc_detection_factor = 5 + + strings: + $http_connection_1 = { + C6 45 ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? + ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B C3 E8 ?? ?? ?? ?? 50 8B 45 + ?? 50 E8 ?? ?? ?? ?? 8B D8 85 DB 74 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 C0 + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 06 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 45 ?? 50 68 + ?? ?? ?? ?? 8B 45 ?? 50 53 E8 ?? ?? ?? ?? 8B 55 ?? 8B 06 8B 4D ?? E8 ?? ?? ?? ?? 83 + 7D ?? ?? 75 ?? 53 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 ?? E8 + ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8B 45 ?? 50 E8 + } + + $raw_socket_connection_1_1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 4D + ?? 89 55 ?? 8B F0 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 DB 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 8B F8 85 FF 0F 8E ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B CF E8 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + } + + $raw_socket_connection_1_2 = { + C6 85 ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 80 BD ?? ?? ?? + ?? ?? 74 ?? 33 C0 EB ?? B0 ?? 84 C0 75 ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? + ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? FE C8 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 66 C7 85 ?? ?? ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? FE C8 74 ?? 2C ?? 74 + ?? E9 ?? ?? 
?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? + ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8A 95 + ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? E8 + } + + $raw_socket_connection_1_3 = { + 66 89 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 0F B6 BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B CF + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 + C0 75 ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 40 ?? 8B 00 8B 00 + 89 85 ?? ?? ?? ?? 8A 94 3D ?? ?? ?? ?? 8A 84 3D ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 89 85 + ?? ?? ?? ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 + ?? ?? ?? ?? E8 + } + + $raw_socket_connection_1_4 = { + 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 8B + 00 50 E8 ?? ?? ?? ?? 40 75 ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? 8B 45 ?? 8B 00 + 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 8B 00 50 E8 + } + + $raw_socket_connection_1_5 = { + C6 85 ?? ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? + ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 66 + 8B 85 ?? ?? ?? ?? 8B D0 66 81 E2 ?? ?? 88 95 ?? ?? ?? ?? 0F B7 C0 C1 E8 ?? 88 85 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 56 E8 ?? ?? + ?? ?? 40 74 ?? B3 ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 + 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? 
?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? + ?? ?? ?? C3 + } + + $file_search_1_1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 89 55 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 89 C3 85 DB 74 + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 FF D3 85 C0 74 ?? 8B 45 ?? 50 8D + 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 80 38 ?? 75 ?? + 8B 45 ?? 80 78 ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? E8 + } + + $file_search_1_2 = { + 8B F0 80 3E ?? 0F 84 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F0 80 3E ?? 0F 84 ?? ?? + ?? ?? EB ?? 8B 75 ?? 83 C6 ?? 8B DE 2B 5D ?? 8D 43 ?? 50 8B 45 ?? 50 8D 85 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F8 8B C7 2B C6 8B D0 + 03 D3 42 81 FA ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 40 50 56 8D 85 ?? ?? ?? ?? 03 C3 50 E8 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 + } + + $file_search_1_3 = { + 8B F0 83 FE ?? 74 ?? 56 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 53 ?? + 03 C2 40 3D ?? ?? ?? ?? 7F ?? C6 84 1D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B C3 48 50 8D + 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 03 C3 40 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 40 03 D8 8B F7 80 3E ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 8D 85 ?? ?? ?? + ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5B 8B E5 5D C3 + } + + $raw_socket_connection_2 = { + 55 8B EC 83 C4 ?? 53 56 8B F2 89 45 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 83 FB ?? 74 ?? 8D 45 ?? + 33 C9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 8B C6 86 E0 66 89 45 ?? 8B 45 + ?? E8 ?? ?? ?? ?? 89 45 ?? 6A ?? 8D 45 ?? 50 53 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B C3 E8 + ?? ?? ?? ?? 83 CB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 
+ C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($http_connection_1 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3 and $raw_socket_connection_1_1 and
+ $raw_socket_connection_1_2 and $raw_socket_connection_1_3 and $raw_socket_connection_1_4 and $raw_socket_connection_1_5) or
+ ($raw_socket_connection_2 and $file_search_1_1 and $file_search_1_2 and $file_search_1_3))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Revil.yara b/yara/ransomware/Win32.Ransomware.Revil.yara
new file mode 100644
index 0000000..b9b78f2
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Revil.yara
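Review bot: The condition spells out every string by hand and repeats `$file_search_1_1 and $file_search_1_2 and $file_search_1_3` in both alternatives; the equivalent `all of ($file_search_1_*) and (($http_connection_1 and all of ($raw_socket_connection_1_*)) or $raw_socket_connection_2)` is shorter and still holds if a `$raw_socket_connection_1_6` fragment is added upstream. The `author`/`source` fields say ReversingLabs and the commit message points at LICENSE-YARA-RULES, so this looks like a vendored copy; if that is the case the better fix is to leave the rule text byte-for-byte as shipped and record the upstream revision it was taken from in the vendoring commit, so later refreshes are overwrites rather than merges.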
@@ -0,0 +1,101 @@ +rule Win32_Ransomware_Revil : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REVIL" + description = "Yara rule that detects Revil ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Revil" + tc_detection_factor = 5 + + strings: + + $search_files = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 8B 75 ?? 33 C0 57 8B 7D ?? 8B D8 50 56 89 45 ?? 89 + 5D ?? 89 45 ?? 89 45 ?? FF 57 ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 56 50 E8 ?? + ?? ?? ?? 53 56 FF 77 ?? FF 57 ?? 83 C4 ?? 01 47 ?? 11 57 ?? E9 ?? ?? ?? ?? 8B 45 ?? + 0B 45 ?? 74 ?? FF 33 56 E8 ?? ?? ?? ?? 8B F3 8B 5B ?? 89 5D ?? FF 36 E8 ?? ?? ?? ?? + 56 E8 ?? ?? ?? ?? 8B 45 ?? 83 C4 ?? 8B 4D ?? 83 C0 ?? 89 45 ?? 83 D1 ?? 0B C1 89 4D + ?? 75 ?? 21 45 ?? 8B 75 ?? 33 C0 40 85 C0 0F 84 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? 56 89 45 ?? E8 ?? ?? ?? ?? 59 59 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? + ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? F7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 8D 04 46 50 E8 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 59 59 + 74 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 57 ?? 83 C4 ?? 85 + C0 74 ?? 8D 45 ?? 56 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 77 ?? FF 57 ?? 83 + C4 ?? 01 47 ?? 11 57 ?? EB ?? 8B 85 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 50 89 45 ?? 8D 85 + ?? ?? ?? ?? 53 50 56 FF 57 ?? 83 C4 ?? 85 C0 74 ?? FF 75 ?? 8D 85 ?? ?? ?? ?? 53 50 + 56 FF 77 ?? FF 57 ?? 83 C4 ?? 01 47 ?? 11 57 ?? 83 3F ?? 75 ?? 8D 85 ?? ?? ?? ?? 50 + FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 5D + ?? 83 3F ?? 0F 84 ?? ?? ?? ?? EB ?? 8B F3 8B 5B ?? FF 36 E8 ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 59 59 85 DB 75 ?? 
5F 5E 5B 8B E5 5D C3 + } + + $remote_connection = { + 55 8B EC 81 EC ?? ?? ?? ?? 56 57 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 33 C0 66 89 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 56 56 56 56 50 FF 15 ?? ?? ?? ?? 8B F8 33 C0 89 7D ?? 85 FF 0F 84 ?? ?? + ?? ?? 66 89 45 ?? 33 C9 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 56 56 FF 75 ?? 41 89 75 ?? + 89 75 ?? 89 75 ?? 89 75 ?? 89 4D ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 75 ?? 89 + 4D ?? 89 75 ?? 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 57 FF 15 ?? ?? ?? ?? 33 C0 E9 + ?? ?? ?? ?? 8B 4D ?? 33 D2 8B 45 ?? 53 56 66 89 14 41 FF 75 ?? FF 75 ?? 57 FF 15 ?? + ?? ?? ?? 8B D8 89 5D ?? 85 DB 75 ?? 57 EB ?? 8B 45 ?? 66 39 30 75 ?? 6A ?? 59 66 89 + 08 8D 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 + C0 83 7D ?? ?? B9 ?? ?? ?? ?? 66 89 45 ?? 0F 44 C1 0D ?? ?? ?? ?? 50 56 56 56 FF 75 + ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 8B D8 85 DB 75 ?? 57 FF 15 ?? ?? ?? ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B FE 50 6A ?? 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 66 89 45 ?? 56 FF 75 ?? 8D 85 + ?? ?? ?? ?? FF 75 ?? FF 75 ?? 6A ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? ?? + ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 6A ?? 53 FF 15 ?? ?? + ?? ?? 85 C0 6A ?? 58 0F 45 F8 85 FF 75 ?? 8B 45 ?? 56 53 89 30 FF 15 ?? ?? ?? ?? 8B + 7D ?? 85 C0 74 ?? 56 8D 45 ?? 89 75 ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 56 68 ?? + ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 4D ?? F7 D8 1B C0 23 45 ?? 89 01 3D ?? ?? ?? ?? 75 + ?? FF 75 ?? 53 E8 ?? ?? ?? ?? 59 59 8B F0 57 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? + ?? ?? 53 FF 15 ?? ?? ?? ?? 8B C6 5B 5F 5E 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 51 83 7D ?? ?? 53 56 57 BB ?? ?? ?? ?? 7F ?? 7C ?? 39 5D ?? 73 ?? 8B 5D ?? + 8B 7D ?? 8D 83 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 59 59 EB ?? E8 ?? ?? ?? ?? 83 F8 ?? + 75 ?? 6A ?? E8 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? 50 57 E8 ?? 
?? ?? ?? 83 C4 ?? 8B F0 85 + F6 74 ?? 89 9E ?? ?? ?? ?? 8B 5D ?? C7 45 ?? ?? ?? ?? ?? EB ?? 33 C0 EB ?? E8 ?? ?? + ?? ?? 8B 55 ?? 8B CA 4A 89 55 ?? 85 C9 74 ?? 83 F8 ?? 75 ?? 53 FF 15 ?? ?? ?? ?? 83 + F8 ?? 74 ?? A8 ?? 74 ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? FF 75 ?? FF 75 ?? 53 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 56 E8 ?? + ?? ?? ?? 8B C6 59 5F 5E 5B 8B E5 5D C3 56 57 E8 ?? ?? ?? ?? 59 33 C0 EB + } + + $enum_resources = { + 55 8B EC 83 EC ?? 8D 45 ?? 50 FF 75 ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 33 C0 E9 ?? ?? ?? ?? 83 4D ?? ?? B8 ?? ?? ?? ?? 57 50 89 45 ?? E8 ?? ?? ?? ?? 8B + F8 59 85 FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 33 C0 EB ?? 53 56 8D 45 ?? 50 57 8D 45 + ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 75 ?? 33 DB 39 5D ?? 76 ?? 8D 77 ?? + 83 7E ?? ?? 75 ?? FF 75 ?? FF 36 E8 ?? ?? ?? ?? 59 59 F6 46 ?? ?? 74 ?? 8D 46 ?? 50 + FF 75 ?? E8 ?? ?? ?? ?? 59 59 43 83 C6 ?? 3B 5D ?? 72 ?? 8B 45 ?? 3D ?? ?? ?? ?? 75 + ?? 57 E8 ?? ?? ?? ?? 59 FF 75 ?? FF 15 ?? ?? ?? ?? F7 D8 5E 1B C0 40 5B 5F 8B E5 5D + C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_resources + ) and + ( + $search_files + ) and + ( + $encrypt_files + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Rokku.yara b/yara/ransomware/Win32.Ransomware.Rokku.yara new file mode 100644 index 0000000..ed0306c --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Rokku.yara 
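Review bot: The meta block carries no `date`, `version` or reference sample hash, so a reader cannot tell which upstream revision of the Revil rule this is or which samples it was validated against; if the file is kept verbatim from ReversingLabs, record the upstream commit or release next to LICENSE-YARA-RULES rather than editing meta here. `sharing = "TLP:WHITE"` is the pre-TLP-2.0 label; anything downstream that filters on `TLP:CLEAR` should treat the two as equivalent. The condition `( $enum_resources ) and ( $search_files ) and ( $encrypt_files ) and ( $remote_connection )` is just `all of them`, though again that is only worth changing if these rules are maintained locally.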
@@ -0,0 +1,147 @@ +rule Win32_Ransomware_Rokku : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ROKKU" + description = "Yara rule that detects Rokku ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Rokku" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 55 8B E9 C7 44 24 ?? ?? ?? ?? ?? 33 DB 89 6C 24 ?? + 56 0F 57 C0 66 C7 44 24 ?? ?? ?? 57 66 0F 13 44 24 ?? B2 ?? 88 5C 24 ?? 8B CB 8A C1 + 02 C2 30 44 0C ?? 41 83 F9 ?? 73 ?? 8A 54 24 ?? EB ?? 8B CD 88 5C 24 ?? E8 ?? ?? ?? + ?? 8D 54 24 ?? 8B C8 E8 ?? ?? ?? ?? 85 C0 75 ?? 40 E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 51 BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B D6 E8 ?? ?? ?? ?? 59 56 BE + ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8D 4C 24 ?? 6A + ?? 8B D5 E8 ?? ?? ?? ?? 59 59 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B C1 8B 94 24 ?? ?? ?? ?? 0B C2 0F 84 ?? + ?? ?? ?? 6A ?? 5D 3B D3 77 ?? 81 F9 ?? ?? ?? ?? 76 ?? 2B CD 1B D3 52 51 55 8D 4C 24 + ?? E8 ?? ?? ?? ?? 83 C4 ?? 3B C5 0F 85 ?? ?? ?? ?? 8B CD 8B C3 8A 90 ?? ?? ?? ?? 49 + 8A B0 ?? ?? ?? ?? 3A D6 75 ?? 40 85 C9 75 ?? 8B CB EB ?? 0F B6 C6 0F B6 CA 2B C8 85 + C9 0F 84 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 8B D6 50 B9 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 88 19 41 83 E8 ?? 75 ?? + 8B 6C 24 ?? 8B 7C 24 ?? 8B 84 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 2B C7 1B CD 3B EB + } + + $encrypt_files_p2 = { + 7C ?? 7F ?? 81 FF ?? ?? ?? ?? 72 ?? 8B AC 24 ?? ?? ?? ?? 0F 57 C0 8B BC 24 ?? ?? ?? + ?? 8B 4C 24 ?? 55 57 66 0F 13 44 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 59 59 8B 4C 24 ?? + 3B CB 77 ?? 3B C3 77 ?? 8B F3 EB ?? 3B CB 77 ?? 72 ?? 3D ?? ?? ?? ?? 72 ?? B8 ?? ?? + ?? ?? 55 57 50 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 85 F6 0F 88 ?? ?? ?? ?? 
74 + ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 56 50 8B D0 E8 ?? ?? ?? ?? 55 57 56 BA ?? ?? ?? ?? + 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 88 ?? ?? ?? ?? 99 03 F8 13 EA E9 ?? ?? + ?? ?? 6A ?? 58 89 1D ?? ?? ?? ?? 83 E8 ?? 75 ?? 8B C7 89 1D ?? ?? ?? ?? 0B C5 BE ?? + ?? ?? ?? 74 ?? 51 8D 54 24 ?? E8 ?? ?? ?? ?? 59 B9 ?? ?? ?? ?? 3B F1 74 ?? 56 51 BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 55 57 BD ?? ?? ?? ?? 8B D1 55 8D 4C 24 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 0F 88 ?? ?? ?? ?? EB ?? BD ?? ?? ?? ?? 6A ?? 59 8B C1 BA ?? + ?? ?? ?? C6 02 ?? 42 83 E8 ?? 75 ?? B8 ?? ?? ?? ?? C6 00 ?? 40 83 E9 ?? 75 ?? 6A ?? + 58 B9 ?? ?? ?? ?? C6 01 ?? 41 83 E8 ?? 75 ?? C6 06 ?? 46 83 ED ?? 75 ?? 6A ?? 8D 44 + 24 ?? 59 C6 00 ?? 40 83 E9 ?? 75 ?? B1 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? 8B C3 30 4C 04 ?? 40 83 F8 ?? 73 ?? 8A 4C 24 ?? EB ?? 8B 4C 24 ?? 8D 54 24 ?? + 88 5C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? 8B F0 E8 ?? ?? ?? ?? 8B 4C 24 ?? 8B D6 E8 ?? + ?? ?? ?? 56 E8 ?? ?? ?? ?? 59 33 DB 43 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B C3 EB ?? 8D 4C + 24 ?? E8 ?? ?? ?? ?? 33 C0 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_files_p3 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 55 56 57 6A ?? 5E 56 BF ?? ?? ?? ?? 57 FF 15 + ?? ?? ?? ?? 51 BB ?? ?? ?? ?? BD ?? ?? ?? ?? 8B D3 8B CD E8 ?? ?? ?? ?? 59 56 57 FF + 15 ?? ?? ?? ?? 51 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B C6 C6 07 ?? 47 + 83 E8 ?? 75 ?? BF ?? ?? ?? ?? BA ?? ?? ?? ?? 53 8B CF E8 ?? ?? ?? ?? 59 6A ?? 58 C6 + 03 ?? 43 83 E8 ?? 75 ?? B9 ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 3B E9 74 ?? 55 51 8B D6 + E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B C1 74 ?? 50 51 8B D6 E8 ?? + ?? ?? ?? 83 C4 ?? 6A ?? 5B 53 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8D 44 24 ?? B9 ?? ?? + ?? ?? 50 51 8B D3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 83 C4 ?? 3B C8 74 ?? + 51 50 6A ?? 5A 8B C8 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 3B C1 74 + ?? 50 51 8B D6 E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3B C1 74 ?? 50 + 51 6A ?? 
5A E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 6A ?? 5B 3B C1 74 + ?? 50 51 8B D3 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 3B C1 74 ?? 50 + 51 6A ?? 5A E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 8B D7 50 8D 4C 24 ?? E8 ?? ?? ?? ?? + 59 BA ?? ?? ?? ?? 8D 4C 24 ?? 6A ?? 52 E8 ?? ?? ?? ?? 59 59 83 64 24 ?? ?? 83 EB ?? + 75 ?? 21 9C 24 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 59 C6 00 ?? 40 83 E9 ?? 75 ?? 8B C6 C6 + 45 ?? ?? 45 83 E8 ?? 75 ?? C6 07 ?? 47 83 EE ?? 75 ?? 33 C0 5F 40 5E 5D 5B 8B E5 5D + C3 + } + + $find_files_p1 = { + 55 8B EC 83 EC ?? 53 56 6A ?? 59 E8 ?? ?? ?? ?? 8B F0 66 C7 45 ?? ?? ?? 33 DB 89 35 + ?? ?? ?? ?? B1 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B C3 C7 45 ?? ?? ?? ?? + ?? 66 C7 45 ?? ?? ?? 02 C8 30 4C 05 ?? 40 83 F8 ?? 73 ?? 8A 4D ?? EB ?? 8D 45 ?? 88 + 5D ?? 50 8D 55 ?? 8B CE E8 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? B0 ?? 59 B1 ?? 88 5D ?? + 32 C1 88 4D ?? 88 45 ?? 8B CB 0F 11 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + 66 C7 45 ?? ?? ?? 88 5D ?? 8A 45 ?? 30 44 0D ?? 41 83 F9 ?? 72 ?? 8B 0D ?? ?? ?? ?? + 8D 45 ?? 50 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 B1 ?? 88 5D ?? B0 ?? 88 4D ?? 32 C1 + C7 45 ?? ?? ?? ?? ?? 88 45 ?? 8B C3 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 80 44 + 05 ?? ?? 40 83 F8 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? E8 ?? ?? ?? ?? 59 + 6A ?? 33 C9 C7 45 ?? ?? ?? ?? ?? 5B B0 ?? 88 5D ?? 32 C3 88 4D ?? 88 45 ?? 8B C1 C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 88 4D ?? 80 44 05 ?? ?? 40 83 F8 ?? 72 ?? 8B + 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? E8 ?? ?? ?? ?? 59 6A ?? 88 5D ?? B2 ?? 66 C7 45 + ?? ?? ?? 33 C9 66 C7 45 ?? ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 5B 8D + 04 0A 30 44 0D ?? 41 3B CB 73 ?? 8A 55 ?? EB ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 + ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 59 6A ?? 33 C9 C6 45 ?? ?? 58 34 ?? 88 4D ?? 88 45 + } + + $find_files_p2 = { + B2 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 8D 04 0A 30 44 0D + ?? 41 83 F9 ?? 73 ?? 8A 55 ?? EB ?? 8B 0D ?? ?? ?? ?? 
8D 45 ?? 50 8D 55 ?? C6 45 ?? + ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 80 F3 ?? C6 45 ?? ?? 88 5D ?? 8D 55 ?? + 33 DB C6 45 ?? ?? 50 88 5D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 59 59 6A ?? 58 34 ?? C6 45 ?? ?? 88 45 ?? B2 ?? 88 5D ?? 8B CB C7 45 ?? ?? ?? ?? + ?? 66 C7 45 ?? ?? ?? 88 5D ?? 8D 04 0A 30 44 0D ?? 41 83 F9 ?? 73 ?? 8A 55 ?? EB ?? + 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 66 C7 45 ?? ?? ?? + 8B C3 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 80 44 05 ?? ?? + 40 83 F8 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? E8 ?? ?? ?? ?? B0 ?? C6 45 + ?? ?? 34 ?? 88 5D ?? 59 88 45 ?? B1 ?? C7 45 ?? ?? ?? ?? ?? 8B C3 C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 88 5D ?? 30 4C 05 ?? 40 83 F8 ?? 73 ?? 8A + 4D ?? EB ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 0F 28 05 + ?? ?? ?? ?? 59 66 C7 45 ?? ?? ?? 8B CB 0F 11 45 ?? C7 45 ?? ?? ?? ?? ?? 88 5D ?? 8A + 45 ?? 30 44 0D ?? 41 83 F9 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? 88 5D ?? + E8 ?? ?? ?? ?? 59 5E 5B 8B E5 5D C3 + } + + $find_folders = { + 55 8B EC 83 EC ?? 53 56 6A ?? 59 E8 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 33 DB 8B F0 66 + C7 45 ?? ?? ?? 89 35 ?? ?? ?? ?? 8B CB 0F 11 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 66 C7 45 ?? ?? ?? 88 5D ?? 8A 45 ?? 30 44 0D ?? 41 83 F9 ?? 72 ?? 8D 45 ?? + 88 5D ?? 50 8D 55 ?? 8B CE E8 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? B0 ?? 59 B1 ?? 88 5D + ?? 32 C1 88 4D ?? 88 45 ?? 8B CB 0F 11 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? 66 C7 45 ?? ?? ?? 8A 45 ?? 30 44 0D ?? 41 83 F9 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 + ?? 50 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 B1 ?? 88 5D ?? B0 ?? 88 4D ?? 32 C1 C7 45 + ?? ?? ?? ?? ?? 88 45 ?? B2 ?? C7 45 ?? ?? ?? ?? ?? 8B CB 66 C7 45 ?? ?? ?? 88 5D ?? + 8D 04 0A 30 44 0D ?? 41 83 F9 ?? 73 ?? 8A 55 ?? EB ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 + 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 B1 ?? 88 5D ?? B0 ?? 88 4D ?? 32 C1 C7 45 ?? ?? + ?? ?? ?? 
88 45 ?? 8B C3 C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 88 5D ?? 80 44 05 ?? + ?? 40 83 F8 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? E8 ?? ?? ?? ?? 59 66 C7 + 45 ?? ?? ?? 8B C3 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 80 44 + 05 ?? ?? 40 83 F8 ?? 72 ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D 55 ?? E8 ?? ?? ?? ?? 59 + 66 C7 45 ?? ?? ?? B1 ?? C7 45 ?? ?? ?? ?? ?? 8B C3 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 66 C7 45 ?? ?? ?? 30 4C 05 ?? 40 83 F8 ?? 73 ?? 8A 4D ?? EB ?? 8B 0D ?? ?? + ?? ?? 8D 45 ?? 50 8D 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 66 C7 45 ?? ?? ?? B2 ?? C7 45 + ?? ?? ?? ?? ?? 8B CB C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? 8D + 04 0A 30 44 0D ?? 41 83 F9 ?? 73 ?? 8A 55 ?? EB ?? 8B 0D ?? ?? ?? ?? 8D 45 ?? 50 8D + 55 ?? 88 5D ?? E8 ?? ?? ?? ?? 59 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_folders and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Ryuk.yara b/yara/ransomware/Win32.Ransomware.Ryuk.yara new file mode 100644 index 0000000..3896056 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Ryuk.yara 
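Review bot: The condition's three parenthesised terms — `$find_folders`, `all of ($find_files_p*)`, `all of ($encrypt_files_p*)` — require every declared string, which is exactly `all of them`; the extra grouping adds nothing and the one-liner is easier to diff against upstream. Because all five wildcard-heavy fragments must match, the rule is precise but brittle, and anyone tempted to loosen it (e.g. `4 of them`) should re-validate against known samples first, since the fragment names suggest each one is a distinct code path. Also, the file lands with `\ No newline at end of file`, as do the other rules in this patch; harmless to yara but it makes the next upstream diff noisier.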
@@ -0,0 +1,199 @@ +rule Win32_Ransomware_Ryuk : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "RYUK" + description = "Yara rule that detects Ryuk ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ryuk" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? + 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 + FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? + ?? ?? ?? 33 C0 E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 D2 89 55 ?? 0F 57 C0 66 0F 13 + 45 ?? 83 7D ?? ?? 74 ?? 8D 45 ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8D 55 ?? 52 8B 45 + ?? 50 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 75 ?? 83 7D ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? 83 7D ?? ?? 77 ?? 81 7D + ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 6A ?? 6A ?? 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? + 6A ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 45 ?? + 89 55 ?? 83 7D ?? ?? 72 ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 76 ?? 6A ?? 6A ?? 8B 4D ?? 51 + 8B 55 ?? 52 E8 ?? ?? ?? ?? 6A ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 + 50 E8 ?? ?? ?? ?? 89 45 ?? 89 55 ?? 83 7D ?? ?? 77 ?? 72 ?? 81 7D ?? ?? ?? ?? ?? 77 + ?? 83 7D ?? ?? 77 ?? 72 ?? 83 7D ?? ?? 73 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 76 ?? 83 7D ?? ?? 77 ?? 72 + ?? 81 7D ?? ?? ?? ?? ?? 73 ?? 6A ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 6A + ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 89 45 ?? 89 + 55 ?? EB ?? 83 7D ?? ?? 77 ?? 72 ?? 81 7D ?? ?? ?? ?? ?? 73 ?? 6A ?? 6A ?? 8B 55 ?? + 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 
6A ?? 6A ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 52 50 E8 ?? ?? ?? ?? 89 45 ?? 89 55 ?? 83 7D ?? ?? 77 ?? 72 ?? 81 7D + } + + $encrypt_files_p2 = { + 77 ?? 83 7D ?? ?? 77 ?? 72 ?? 83 7D ?? ?? 77 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8B 4D ?? 89 8D ?? ?? ?? ?? 8B 55 ?? 89 95 ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 72 ?? + 83 7D ?? ?? 73 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D + ?? ?? 0F 84 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 77 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 0F + 86 ?? ?? ?? ?? 8B 4D ?? 81 E9 ?? ?? ?? ?? 89 4D ?? 6A ?? 6A ?? 8B 55 ?? 52 8B 45 ?? + 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? B8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 6A ?? 8D 95 ?? ?? ?? ?? 52 6A ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? + 89 45 ?? 83 7D ?? ?? 75 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? + 8B 55 ?? 83 C2 ?? 89 55 ?? 83 7D ?? ?? 0F 83 ?? ?? ?? ?? 83 7D ?? ?? 0F 84 ?? ?? ?? + ?? 8B 45 ?? 0F BE 8C 05 ?? ?? ?? ?? 83 F9 ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? 0F BE 84 15 + ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 4D ?? 0F BE 94 0D ?? ?? ?? ?? 83 FA ?? 0F + 85 ?? ?? ?? ?? 8B 45 ?? 0F BE 8C 05 ?? ?? ?? ?? 83 F9 ?? 0F 85 ?? ?? ?? ?? 8B 55 ?? + 0F BE 84 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 4D ?? 0F BE 94 0D ?? ?? ?? ?? + 83 FA ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 8D ?? + ?? ?? ?? 8B 15 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 66 A1 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 75 ?? 8B 45 ?? 89 45 ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8B 55 ?? 52 8B 45 ?? + 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? E9 + } + + $encrypt_files_p3 = { + 6A ?? 6A ?? 6A ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? + ?? 75 ?? B8 ?? ?? 
?? ?? E9 ?? ?? ?? ?? 8D 55 ?? 52 6A ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 7D + ?? ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 6A ?? 6A ?? 6A + ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 50 8B 45 ?? 50 FF 15 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B + 55 ?? 52 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? + 8D 45 ?? 50 6A ?? 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? + 51 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 6A ?? + 68 ?? ?? ?? ?? 8B 55 ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 6A ?? 68 + } + + $encrypt_files_p4 = { + 8B 4D ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 45 ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? EB ?? 8B 4D ?? 83 C1 ?? 89 4D ?? 8B 55 ?? 3B 55 ?? 0F 87 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 3B 45 ?? 75 ?? 8B 4D ?? 89 4D ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 69 55 ?? ?? ?? ?? ?? 52 8B 45 ?? 50 FF 15 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? + ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B + 4D ?? 51 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? + ?? ?? 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? + ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 6A ?? 6A ?? 8B 4D ?? 51 6A + ?? 8B 55 ?? 
52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? + 51 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 55 ?? 52 8D 45 ?? 50 8B 4D ?? + 51 6A ?? 8B 55 ?? 52 6A ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4D ?? 51 FF + 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 6A + ?? 69 45 ?? ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? + ?? ?? ?? ?? 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8B 45 ?? + 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 55 + ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 + } + + $encrypt_files_p5 = { + E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8A 0D ?? ?? ?? ?? 88 4D ?? 33 D2 89 55 + ?? 89 55 ?? 89 55 ?? 89 55 ?? 88 55 ?? 6A ?? 6A ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? + ?? 83 7D ?? ?? 77 ?? 81 7D ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 33 C9 89 8D ?? ?? ?? ?? 6A ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 + 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 89 95 ?? ?? ?? ?? 6A ?? 6A ?? 8D 85 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 ?? + ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? + ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? + 83 C4 ?? 8D 4D ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 8D 45 ?? 50 8D 4D ?? + 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8D 45 ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 50 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? + 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 8D 55 ?? 52 6A ?? 6A ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? + 89 85 ?? ?? ?? 
?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? + 50 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? + ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 55 ?? 52 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 8B 4D + ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B + } + + $encrypt_files_p6 = { + 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8B 55 ?? + 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D + ?? 51 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 77 ?? 81 7D ?? ?? + ?? ?? ?? 0F 86 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 D2 89 55 ?? 0F 57 C0 66 0F 13 45 + ?? 6A ?? 6A ?? 8B 45 ?? 50 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? + ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 6A ?? 8D 95 ?? ?? + ?? ?? 52 6A ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? + ?? B8 ?? ?? ?? ?? EB ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 55 ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 8D + ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? B8 + ?? ?? ?? ?? 8B E5 5D C3 + } + + $remote_connection = { + 55 8B EC 81 EC ?? ?? ?? ?? 8B 45 ?? C7 00 ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 51 6A ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? + 89 45 ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? + ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? 8D 4D ?? 51 8B 55 ?? 52 6A ?? 6A ?? 6A ?? E8 + ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 45 ?? EB ?? 8B 4D ?? 8B 51 ?? + 89 55 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? 
?? 8B 45 ?? 83 C0 ?? 89 45 ?? C7 45 ?? ?? ?? ?? + ?? 8B 4D ?? 8B 51 ?? 89 55 ?? EB ?? 8B 45 ?? 8B 48 ?? 89 4D ?? 83 7D ?? ?? 0F 84 ?? + ?? ?? ?? 8B 55 ?? 83 C2 ?? 89 55 ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 83 C1 ?? 51 E8 ?? + ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? B9 ?? + ?? ?? ?? 6B D1 ?? 8D 8C 15 ?? ?? ?? ?? 3B C1 74 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 0F 57 C0 66 0F 13 45 ?? C7 45 ?? ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 83 C8 ?? E9 ?? ?? + ?? ?? 8D 55 ?? 89 55 ?? 8D 45 ?? 50 8B 4D ?? 0F B6 51 ?? 52 E8 + } + + $find_files_p1 = { + 8B FF 55 8B EC 51 8B 4D ?? 53 57 33 DB 8D 51 ?? 66 8B 01 83 C1 ?? 66 3B C3 75 ?? 8B + 7D ?? 2B CA D1 F9 83 C8 ?? 41 2B C7 89 4D ?? 3B C8 76 ?? 6A ?? 58 EB ?? 56 8D 5F ?? + 03 D9 6A ?? 53 E8 ?? ?? ?? ?? 8B F0 59 59 85 FF 74 ?? 57 FF 75 ?? 53 56 E8 ?? ?? ?? + ?? 83 C4 ?? 85 C0 75 ?? FF 75 ?? 2B DF 8D 04 7E FF 75 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 8B 4D ?? 56 E8 ?? ?? ?? ?? 6A ?? 8B F0 E8 ?? ?? ?? ?? 59 8B C6 5E 5F + 5B 8B E5 5D C3 33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC 8B FF 55 8B EC 81 EC ?? ?? ?? + ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 55 ?? 8B 4D ?? 53 8B 5D ?? 56 57 6A ?? 5E 6A ?? + 89 95 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 5F EB ?? 0F B7 01 66 3B 85 ?? ?? ?? + ?? 74 ?? 66 3B C6 74 ?? 66 3B C7 74 ?? 83 E9 ?? 3B CB 75 ?? 0F B7 31 66 3B F7 75 ?? + 8D 43 ?? 3B C8 74 ?? 52 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 6A ?? + 8B C6 33 FF 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 6A ?? 5A 66 3B C2 74 ?? 8B C7 + } + + $find_files_p2 = { + EB ?? 33 C0 40 2B CB 0F B6 C0 D1 F9 41 F7 D8 68 ?? ?? ?? ?? 1B C0 23 C1 89 85 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 57 57 57 50 + 57 53 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 ?? 8B 85 ?? ?? ?? ?? 50 57 57 53 E8 ?? ?? + ?? ?? 83 C4 ?? 
8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D ?? 5F 5E 33 CD
+ 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 8D ?? ?? ?? ?? 6A ?? 8B 41 ?? 2B 01 C1 F8 ?? 89 85
+ ?? ?? ?? ?? 58 66 39 85 ?? ?? ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 66 39 85 ?? ??
+ ?? ?? 75 ?? 66 39 BD ?? ?? ?? ?? 74 ?? 51 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50
+ E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 8B 8D
+ ?? ?? ?? ?? 85 C0 6A ?? 58 75 ?? 8B C1 8B 8D ?? ?? ?? ?? 8B 10 8B 40 ?? 2B C2 C1 F8
+ ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ??
+ 83 C4 ?? E9
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ $remote_connection
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Sage.yara b/yara/ransomware/Win32.Ransomware.Sage.yara
new file mode 100644
index 0000000..a058f0c
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Sage.yara
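Review bot: `$find_files_p1` appears to straddle two functions: after the `5B 8B E5 5D C3` epilogue it continues through `33 C0 50 50 50 50 50 E8 ?? ?? ?? ?? CC`, which reads like a no-return call plus int3 padding, and then into a second `8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ??` prologue with what looks like a stack-cookie load. That only matches builds where the compiler placed these two routines back to back, so the rule is tighter to specific Ryuk builds than `description = "Yara rule that detects Ryuk ransomware."` implies, and a relinked sample or a different CRT will likely miss. Worth recording in whatever local notes accompany these vendored rules, e.g. `// find_files_p1 spans two adjacent functions; expect misses on rebuilt samples`, rather than editing the upstream file.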
@@ -0,0 +1,77 @@ +rule Win32_Ransomware_Sage : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SAGE" + description = "Yara rule that detects Sage ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sage" + tc_detection_factor = 5 + + strings: + + $remote_connection = { + 83 EC ?? 8B 44 24 ?? 53 55 56 57 8B 7C 24 ?? 8B 77 ?? 50 E8 ?? ?? ?? ?? 8B 4C 24 ?? + 8B D8 51 89 5C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 89 77 ?? FF 15 ?? ?? ?? ?? 8B E8 89 6C 24 ?? 85 ED 0F 84 + ?? ?? ?? ?? 8B 74 24 ?? 6A ?? 56 53 55 FF 15 ?? ?? ?? ?? 8B D8 89 5C 24 ?? 85 DB 0F + 84 ?? ?? ?? ?? 8B 4C 24 ?? 33 C0 BA ?? ?? ?? ?? 66 3B F2 0F 95 C0 48 25 ?? ?? ?? ?? + 50 6A ?? 6A ?? 6A ?? 51 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 1D ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 8B FF + 8D 54 24 ?? 52 56 FF D3 8D 44 24 ?? 50 8B 44 24 ?? 50 50 57 E8 ?? ?? ?? ?? 83 C4 ?? + 50 56 FF D5 85 C0 0F 84 ?? ?? ?? ?? 83 7C 24 ?? ?? 75 ?? 6A ?? 8D 4C 24 ?? 51 8D 54 + 24 ?? 52 6A ?? 68 ?? ?? ?? ?? 56 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 8B 5C 24 ?? 8B 6C 24 ?? 56 FF 15 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 8B 5C 24 ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? + 83 C4 ?? 8B 44 24 ?? 5F 5E 5D 5B 85 C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B 04 24 83 + C4 ?? C3 57 E8 ?? ?? ?? ?? 83 C4 + } + + $encrypt_files = { + 83 EC ?? 53 8B 1D ?? ?? ?? ?? 55 8B 6C 24 ?? 56 57 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 + ?? ?? ?? ?? 8D 7D ?? 57 FF D3 8B F0 83 FE ?? 74 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? + ?? 89 44 24 ?? 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? 8B + 4C 24 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 
51 FF D3 8B D8 83 FB ?? 75 ?? + 56 FF 15 ?? ?? ?? ?? 5F 5E 5D B8 ?? ?? ?? ?? 5B 83 C4 ?? C3 8B 54 24 ?? 6A ?? 52 57 + 56 53 E8 ?? ?? ?? ?? 83 C4 ?? 56 8B 35 ?? ?? ?? ?? 8B E8 FF D6 53 FF D6 85 ED 79 ?? + 8B 44 24 ?? 50 FF 15 ?? ?? ?? ?? 5F 5E 8B C5 5D 5B 83 C4 ?? C3 57 E8 ?? ?? ?? ?? 8B + F0 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 8B D8 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? + 6A ?? 53 51 EB ?? 8B 4C 24 ?? BA ?? ?? ?? ?? 3B 55 ?? 1B C0 83 C0 ?? 50 51 57 56 56 + E8 ?? ?? ?? ?? 83 C4 ?? 56 8B D8 FF 15 ?? ?? ?? ?? 85 DB 79 ?? 5F 5E 5D 8B C3 5B 83 + C4 ?? C3 57 E8 ?? ?? ?? ?? 8B F0 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8B + D8 53 57 FF 15 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 5F 5E 5D 33 + C0 5B 83 C4 ?? C3 + } + + $find_files = { + 53 55 8B 2D ?? ?? ?? ?? 56 57 33 FF 57 57 FF D5 8B F0 85 F6 74 ?? 85 FF 74 ?? 57 E8 + ?? ?? ?? ?? 83 C4 ?? 8D 44 36 ?? 50 6A ?? 8B DE E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 57 56 + FF D5 8B F0 3B DE 72 ?? 66 83 3F ?? 8B DF 0F 84 ?? ?? ?? ?? 8B 6C 24 ?? 53 8B FB FF + 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 8D 5C 43 ?? FF D6 85 C0 74 ?? 68 + ?? ?? ?? ?? 57 FF D6 85 C0 74 ?? 57 FF 15 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 D3 E2 F6 + C2 ?? 74 ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 6A ?? 89 06 8D 46 ?? + 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4E ?? 51 C7 46 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8D 56 ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 55 89 46 ?? E8 ?? ?? ?? + ?? 83 C4 ?? 66 83 3B ?? 0F 85 ?? ?? ?? ?? 5F 5E 5D 5B C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $encrypt_files + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Sanwai.yara b/yara/ransomware/Win32.Ransomware.Sanwai.yara new file mode 100644 index 0000000..9f8a55e --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sanwai.yara 
@@ -0,0 +1,71 @@ +rule Win32_Ransomware_Sanwai : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SANWAI" + description = "Yara rule that detects Sanwai ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sanwai" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? + 33 C5 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 55 ?? 8B D9 83 7B ?? ?? 8B F3 8B 45 ?? 8B 7D + ?? 89 45 ?? 72 ?? 8B 33 8D 4E ?? 66 8B 06 83 C6 ?? 66 85 C0 75 ?? 2B F1 D1 FE 0F 84 + ?? ?? ?? ?? 3B 73 ?? 0F 85 ?? ?? ?? ?? 88 45 ?? 8D 55 ?? FF 75 ?? 8D 4D ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? C7 45 ?? ?? ?? ?? + ?? 50 8B CB E8 ?? ?? ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55 ?? ?? ?? ?? 8B + C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 ?? FF 15 ?? + ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 7B ?? ?? 72 ?? 8B 1B 8B 75 ?? 57 56 53 E8 + ?? ?? ?? ?? 85 C0 75 ?? 8B 36 8B CF E8 ?? ?? ?? ?? 84 C0 74 ?? 57 56 E8 ?? ?? ?? ?? + 85 C0 75 ?? 8B CF E8 ?? ?? ?? ?? 84 C0 75 ?? 33 C0 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 + 5F 5E 5B 8B E5 5D C3 83 F8 ?? 75 ?? 8B 4D ?? D1 E9 F6 C1 ?? B9 ?? ?? ?? ?? 0F 45 C1 + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C3 B8 ?? ?? ?? ?? 8B 4D ?? 64 89 + 0D ?? ?? ?? ?? 59 5F 5E 5B 8B E5 5D C3 + } + + $import_key = { + 8D 44 24 ?? 50 6A ?? 6A ?? 6A ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 5E 85 + C0 75 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 32 C0 5F 8B 4C 24 ?? 33 CC E8 ?? ?? ?? ?? + 83 C4 ?? C3 8B 44 24 ?? FF 74 24 ?? 8B 08 8B 40 ?? 89 47 ?? 8D 44 24 ?? 50 57 6A ?? + 6A ?? 6A ?? FF 74 24 ?? 89 0F FF 15 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 6A ?? + FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? B0 ?? 5F 33 CC E8 ?? ?? ?? ?? 83 C4 ?? C3 + } + + $encrypt_files = { + 8B 01 3B 02 75 ?? 
83 C1 ?? 83 C2 ?? 83 EE ?? 73 ?? 8A 01 3A 02 75 ?? 83 FE ?? 74 ?? + 8A 41 ?? 3A 42 ?? 75 ?? 8A 41 ?? 3A 42 ?? 75 ?? 8A 41 ?? 3A 42 ?? 75 ?? 33 C0 EB ?? + 1B C0 83 C8 ?? 85 C0 75 ?? 8B 5D ?? 8B 7D ?? C6 85 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B + BD ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B CF E8 ?? ?? ?? ?? 51 C6 45 ?? ?? 8D 4D ?? 8B + 9D ?? ?? ?? ?? 51 83 CB ?? 8B C8 89 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 CB ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 83 CB ?? 83 7D ?? ?? 89 9D ?? ?? ?? ?? 0F 43 4D ?? 83 + 7D ?? ?? 89 9D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 8B 01 3B + 02 75 ?? 83 C1 ?? 83 C2 ?? 83 EE ?? 73 ?? 8A 01 3A 02 75 ?? 83 FE ?? 74 ?? 8A 41 ?? + 3A 42 ?? 75 ?? 8A 41 ?? 3A 42 ?? 75 ?? 8A 41 ?? 3A 42 ?? 75 ?? 33 C0 EB ?? 1B C0 83 + C8 ?? 85 C0 75 ?? 8B 5D ?? 8B 7D ?? C6 85 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 45 ?? 8B + CF 50 E8 ?? ?? ?? ?? 51 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 51 83 CB ?? 8B C8 89 9D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 7D ?? 8D 4D ?? 81 CB ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 8B 5D ?? + 83 FB ?? 0F 43 CF 83 7D ?? ?? 0F 85 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $import_key + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Sarbloh.yara b/yara/ransomware/Win32.Ransomware.Sarbloh.yara new file mode 100644 index 0000000..6207fa8 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sarbloh.yara 
@@ -0,0 +1,88 @@ +rule Win32_Ransomware_Sarbloh : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SARBLOH" + description = "Yara rule that detects Sarbloh ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sarbloh" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 8B 45 ?? C6 00 ?? 8B 45 ?? 40 89 45 ?? 39 75 ?? 72 ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? + ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 75 + ?? 81 FE ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8B D8 89 5D ?? 85 DB 0F 84 ?? ?? ?? ?? C1 E6 ?? 56 6A ?? 89 75 ?? FF 15 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 7D ?? 8D 85 ?? ?? ?? ?? + 6A ?? 6A ?? 50 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 8B + 8D ?? ?? ?? ?? 8B C1 8B 55 ?? 0B C2 89 4D ?? 89 55 ?? 0F 84 ?? ?? ?? ?? 0F 57 C0 66 + 0F 13 45 ?? 85 D2 0F 8C ?? ?? ?? ?? 7F ?? 85 C9 0F 84 ?? ?? ?? ?? 8B 45 ?? 89 45 ?? + 8B 45 ?? 89 45 ?? EB ?? 8B 75 ?? 8B 7D ?? 6A ?? 6A ?? 8D 45 ?? 50 8D 85 ?? ?? ?? ?? + 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 8B 45 ?? 8B 4D ?? 89 4D ?? 89 45 ?? + 85 C0 0F 8C ?? ?? ?? ?? 7F ?? 85 C9 0F 82 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 6A ?? 6A ?? 56 8B 75 ?? + 8D 45 ?? 56 50 6A ?? 6A ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 85 C0 0F + 85 ?? ?? ?? ?? 8B 75 ?? EB ?? 33 F6 8B 45 ?? 8B 4D ?? 89 75 ?? 89 4D ?? 89 45 ?? 85 + C0 0F 8C ?? ?? ?? ?? 7F ?? 85 C9 0F 82 ?? ?? ?? ?? 6A ?? 6A ?? 8D 45 ?? 50 8D 85 ?? + ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 33 FF 85 C0 0F 88 ?? ?? ?? ?? 85 F6 0F 84 + } + + $encrypt_files_p2 = { + 8B 75 ?? 8D 45 ?? 56 50 53 52 6A ?? 52 FF 75 ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 56 53 8D 45 ?? 50 6A ?? 6A ?? 6A ?? FF 75 ?? 
+ FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 85 C0 0F 88 ?? ?? ?? ?? 8B 4D ?? + 81 C7 ?? ?? ?? ?? 3B 7D ?? 72 ?? 8B 75 ?? 03 75 ?? 8B 45 ?? 83 D0 ?? 89 75 ?? 89 45 + ?? 3B 45 ?? 0F 8C ?? ?? ?? ?? 7F ?? 3B B5 ?? ?? ?? ?? 8B 75 ?? 0F 82 ?? ?? ?? ?? 8D + 45 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? F7 D8 6A ?? 1B DB 8D 45 + ?? 23 5D ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF 75 ?? 89 5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? + F7 D8 1B F6 23 75 ?? 56 6A ?? 89 75 ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 + 85 FF 0F 84 ?? ?? ?? ?? 8D 45 ?? 89 5D ?? 50 57 6A ?? 6A ?? 6A ?? FF 75 ?? FF 15 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 56 8D 45 ?? 89 5D ?? 50 57 6A ?? 6A ?? 6A ?? FF 75 + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 56 57 8D 45 ?? 50 6A ?? 6A + ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 85 C0 78 ?? 39 75 ?? 75 ?? + 8B 85 ?? ?? ?? ?? 6A ?? 6A ?? 89 85 ?? ?? ?? ?? 8B 45 ?? 6A ?? 89 85 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 8D 45 ?? 89 9D ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? FF 75 ?? 89 B5 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 85 C0 78 ?? 33 C0 B9 ?? ?? ?? ?? 83 + 7D ?? ?? 0F 44 C1 89 45 ?? 89 7D ?? 83 7D ?? ?? 74 ?? 8B 4D ?? 03 4D ?? 39 4D ?? 73 + ?? 90 8B 45 ?? C6 00 ?? 8B 45 ?? 40 89 45 ?? 39 4D ?? 72 ?? 57 6A ?? FF 15 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 8B 5D ?? 8B 7D ?? 8B 75 ?? EB + } + + $find_files_p1 = { + 55 8B EC 83 EC ?? 53 56 8B 75 ?? 57 8B F9 83 3E ?? 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 8D + 45 ?? 50 52 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 89 45 ?? 8D + 45 ?? 50 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 57 C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 0F 89 4D ?? 85 C0 78 ?? + 83 F9 ?? 74 ?? FF 75 ?? BB ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 50 + FF 15 ?? ?? ?? ?? 8B 55 ?? EB ?? FF 75 ?? C7 06 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 8B 17 33 DB 89 55 ?? C7 45 + ?? ?? ?? ?? ?? 
83 7D ?? ?? 74 ?? 8B 4D ?? 81 C1 ?? ?? ?? ?? 39 4D ?? 73 + } + + $find_files_p2 = { + 8B 45 ?? C6 00 ?? 8B 45 ?? 40 89 45 ?? 39 4D ?? 72 ?? 53 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 52 FF 15 ?? ?? ?? ?? 8B F8 33 DB + 89 5D ?? 81 FF ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 55 ?? 85 FF 78 ?? 8B 4D ?? 8B 35 ?? + ?? ?? ?? 2B CB 0F 84 ?? ?? ?? ?? 83 E9 ?? 0F 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B C1 + C1 E8 ?? F7 D0 A8 ?? 74 ?? F7 C1 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 FE ?? 74 ?? 83 FE + ?? 0F 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 C0 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Satan.yara b/yara/ransomware/Win32.Ransomware.Satan.yara new file mode 100644 index 0000000..35b2326 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Satan.yara 
@@ -0,0 +1,152 @@ +rule Win32_Ransomware_Satan : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SATAN" + description = "Yara rule that detects Satan ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Satan" + tc_detection_factor = 5 + + strings: + + $remote_connection = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 + C4 ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? FF B5 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 50 C7 45 ?? ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 6A ?? + 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 56 FF D3 8B 3D ?? ?? ?? ?? 6A ?? 56 FF D7 8D 45 ?? 50 + 8D 45 ?? 50 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 50 89 85 ?? ?? ?? + ?? FF D3 8B 9D ?? ?? ?? ?? 6A ?? 53 FF D7 68 ?? ?? ?? ?? 33 FF E8 ?? ?? ?? ?? 83 C4 + ?? 8B F0 57 68 ?? ?? ?? ?? 6A ?? 57 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 
39 7D ?? 76 ?? 68 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 53 FF 15 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 6A ?? 51 50 + 56 FF B5 ?? ?? ?? ?? 03 F8 FF 15 ?? ?? ?? ?? 39 7D ?? 77 ?? 8B 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 6A ?? 56 E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 83 C4 ?? 53 FF D6 FF B5 ?? + ?? ?? ?? FF D6 FF B5 ?? ?? ?? ?? FF D6 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 + 5D C3 + } + + $search_processes = { + 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 51 50 + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 0F 1F + 44 00 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 33 F6 8B 4C B5 ?? + 8D 85 ?? ?? ?? ?? 0F 1F 44 00 ?? 8A 11 3A 10 75 ?? 84 D2 74 ?? 8A 51 ?? 3A 50 ?? 75 + ?? 83 C1 ?? 83 C0 ?? 84 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? 85 C0 75 ?? FF B5 ?? ?? + ?? ?? 50 68 ?? ?? ?? ?? FF D7 6A ?? 50 FF D3 46 83 FE ?? 76 ?? 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B + E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? + ?? ?? 31 45 ?? 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 4D ?? 8B 4D + ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? 83 CB ?? 89 + 5D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 F6 89 75 ?? 89 75 ?? 56 68 ?? ?? + ?? ?? 6A ?? 56 6A ?? 6A ?? 51 8B 3D ?? ?? ?? ?? FF D7 89 45 ?? 3B C3 0F 84 ?? ?? ?? + ?? 56 68 ?? ?? ?? ?? 6A ?? 56 6A ?? 
6A ?? FF 75 ?? FF D7 8B D8 89 5D ?? 83 FB ?? 0F + 84 ?? ?? ?? ?? 8B 7D ?? 8B 07 85 C0 0F 84 ?? ?? ?? ?? 8D 4D ?? 51 56 56 68 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 50 FF + 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 68 ?? ?? ?? ?? + FF 75 ?? 68 ?? ?? ?? ?? FF 37 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 89 75 ?? 85 F6 0F 84 ?? ?? ?? ?? 32 C0 89 45 ?? 88 + 45 ?? 33 FF 89 7D ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 56 FF 75 + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 0F B6 C0 81 7D ?? ?? ?? ?? ?? + B9 ?? ?? ?? ?? 0F 42 C1 89 45 ?? 88 45 ?? 68 ?? ?? ?? ?? 8D 4D ?? 51 56 6A ?? 0F B6 + C0 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 85 FF 75 ?? 57 8D 45 ?? 50 68 ?? + ?? ?? ?? FF 35 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 56 53 FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 47 89 7D ?? 8B 45 ?? 84 C0 0F 84 ?? ?? ?? ?? 80 7D ?? ?? + 74 ?? 83 05 ?? ?? ?? ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8A 45 ?? + 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $search_files_in_specific_folders_p1 = { + 51 8D 85 ?? ?? ?? ?? 8B CE 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8B F0 F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 80 7D ?? ?? 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? + ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? + ?? 68 ?? 
?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 83 FF + } + + $search_files_in_specific_folders_p2 = { + 75 ?? FF 75 ?? 8D 55 ?? 8B CB 57 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 + F6 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 FF ?? 0F 85 ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 8B + CB 57 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 0F 85 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 33 C9 EB ?? 8D 8D ?? ?? ?? ?? 8D 51 ?? 8A 01 41 + 84 C0 75 ?? 2B CA 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 83 EC ?? 8D + 4D ?? E8 ?? ?? ?? ?? 6A ?? 40 8D 4D ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B F0 + 8D 45 ?? 3B C6 74 ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 + C4 ?? 56 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + EC ?? C6 45 ?? ?? 8D 4D ?? 54 E8 ?? ?? ?? ?? 83 EC ?? 8D 4D ?? 54 E8 ?? ?? ?? ?? 83 + EC ?? 8D 4D ?? 54 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 FF ?? 75 ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? 50 + 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 
51 8B C8 E8 ?? ?? ?? ?? 84 + C0 8D 8D ?? ?? ?? ?? 0F 94 C3 EB ?? 83 FF ?? 75 ?? 8B 8D ?? ?? ?? ?? 8D 45 ?? 50 8D + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? C6 45 ?? ?? 51 8B C8 E8 ?? ?? ?? ?? 8A D8 + } + + $search_files_in_specific_folders_p3 = { + 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 84 DB 8B 9D ?? ?? ?? ?? 74 ?? 8D 45 ?? + 8B CB 50 E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 + ?? 33 F6 8D 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF B5 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B 45 ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? + E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? C6 45 ?? ?? E8 ?? ?? + ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 F8 ?? 72 ?? 40 6A ?? 50 FF 75 ?? E8 ?? ?? + ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? C7 45 + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8B C6 8B 4D ?? 64 89 0D ?? ?? + ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_processes and + ( + all of ($search_files_in_specific_folders_p*) + ) and + $encrypt_files and + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Satana.yara b/yara/ransomware/Win32.Ransomware.Satana.yara new file mode 100644 index 0000000..0bfae30 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Satana.yara 
@@ -0,0 +1,123 @@ +rule Win32_Ransomware_Satana : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SATANA" + description = "Yara rule that detects Satana ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Satana" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? + ?? 83 EC ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 89 65 ?? C7 45 ?? ?? ?? ?? ?? 66 + 0F 57 C0 66 0F 13 45 ?? 68 ?? ?? ?? ?? 8B 75 ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 90 + 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B F8 89 + 7D ?? 83 FF ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 75 ?? 89 75 ?? + 8B 5D ?? 89 5D ?? 83 FE ?? 75 ?? 85 DB 0F 84 ?? ?? ?? ?? 8B CE 0B CB 0F 84 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 53 56 E8 ?? ?? ?? ?? 89 45 ?? 85 C0 74 ?? 33 C9 + 03 C6 13 CB 83 E8 ?? 89 45 ?? 83 D9 ?? 89 4D ?? 6A ?? 8B 55 ?? 52 6A ?? 6A ?? 6A ?? + 57 FF 15 ?? ?? ?? ?? 89 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 89 45 ?? 8B 4D ?? 89 4D ?? 6A ?? FF 15 ?? + ?? ?? ?? 83 C4 ?? 8B F0 66 0F 57 C0 66 0F 13 45 ?? 8B 5D ?? 8B 7D ?? 90 83 7D ?? ?? + 0F 8C ?? ?? ?? ?? 7F ?? 83 7D ?? ?? 0F 86 ?? ?? ?? ?? 8B D3 83 C2 ?? 8B 75 ?? 8B CE + 83 D1 ?? 8B 45 ?? 3B C8 7F ?? 7C ?? 3B 55 ?? 77 ?? BF ?? ?? ?? ?? 33 C0 8B 75 ?? 03 + } + + $encrypt_files_p2 = { + F3 8B DA 89 4D ?? EB ?? 8B 7D ?? 2B FB 1B C6 8B 55 ?? 8D 34 13 03 DF 11 45 ?? 89 5D + ?? 89 45 ?? 89 7D ?? 83 7D ?? ?? 7F ?? 7C ?? 83 7D ?? ?? 73 ?? 8B 4D ?? 89 4D ?? 83 + F9 ?? 7D ?? C6 04 31 ?? 41 EB ?? 29 7D ?? 19 45 ?? 33 C0 89 45 ?? 83 F8 ?? 7D ?? 8B + 0C 85 ?? ?? ?? ?? 31 0C 86 40 EB ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 + ?? 88 04 37 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 
01 + 0D ?? ?? ?? ?? 8B 55 ?? 11 15 ?? ?? ?? ?? 8B 45 ?? 50 8B 0D ?? ?? ?? ?? 51 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 7D ?? EB ?? 8B 55 ?? 52 8B 45 ?? 50 8B 4D ?? 51 FF + 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? FF 15 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B + 4D ?? 8D 95 ?? ?? ?? ?? 0F B7 01 66 89 02 83 C1 ?? 83 C2 ?? 66 85 C0 75 ?? 6A ?? 8D + 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 C4 ?? 83 C0 ?? 74 ?? 8B D0 8D B5 ?? ?? ?? ?? + 0F B7 0A 66 89 0E 83 C2 ?? 83 C6 ?? 66 85 C9 75 ?? 33 C9 66 89 08 8D 95 ?? ?? ?? ?? + 52 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? + ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF + 15 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? EB ?? B8 ?? ?? ?? ?? C3 8B 65 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + } + + $search_files_p1 = { + E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 33 D2 56 50 66 89 94 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 33 C9 56 52 + 66 89 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 56 50 89 + 74 24 ?? E8 ?? ?? ?? ?? 8B 7D ?? 83 C4 ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? 52 68 + ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8D 94 24 ?? ?? ?? ?? 8B C7 2B D7 8D 9B ?? ?? ?? ?? 0F B7 08 66 89 0C 02 83 C0 + ?? 66 3B CE 75 ?? 8D 84 24 ?? ?? ?? ?? 83 C0 ?? 8D A4 24 ?? ?? ?? ?? 66 8B 48 ?? 83 + C0 ?? 66 3B CE 75 ?? 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 89 08 66 8B 0D ?? ?? ?? ?? + 89 50 ?? 68 ?? ?? ?? ?? 66 89 48 ?? FF 15 ?? ?? ?? ?? 8D 54 24 ?? 52 8D 84 24 ?? ?? + ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 F8 ?? 75 ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B E5 + 5D C2 ?? ?? 8D A4 24 ?? ?? ?? ?? 8B 7D ?? 8B 35 ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 68 ?? 
+ ?? ?? ?? 51 FF D6 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 54 24 ?? 68 ?? ?? ?? ?? + 52 FF D6 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? F6 44 24 ?? ?? 0F 85 ?? ?? ?? ?? 8D 44 24 + ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 0F 84 ?? ?? ?? ?? 66 83 3D ?? ?? + ?? ?? ?? BF ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B C7 8D 50 ?? EB ?? 8D 9B ?? ?? ?? ?? 66 + 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 8B CB D1 F8 8D 71 ?? 66 8B 11 83 C1 ?? 66 85 D2 + } + + $search_files_p2 = { + 75 ?? 2B CE D1 F9 3B C1 75 ?? 53 57 FF 15 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 66 8B 0F + 83 C7 ?? 66 85 C9 75 ?? 66 39 0F 75 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 64 8B 15 ?? ?? ?? ?? 8B 32 8B 55 ?? 83 C4 ?? 8D 4C 24 ?? 51 52 68 ?? ?? ?? ?? 50 + 89 46 ?? FF 15 ?? ?? ?? ?? 8B 46 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 85 + C0 0F 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 F8 ?? 7D ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8B 4E ?? 6A ?? 6A ?? 51 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 15 ?? ?? ?? + ?? 89 04 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 6A ?? 51 FF 15 ?? ?? ?? + ?? E9 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF + D3 8B F8 6A ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8B 56 ?? 6A ?? 6A ?? 52 68 ?? ?? ?? ?? 6A ?? 6A ?? FF D3 8B 0D ?? ?? ?? ?? 89 + 04 8D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 04 95 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8D 4C 24 ?? 51 57 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 FF 15 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 48 50 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 FF D6 83 C4 ?? 85 + C0 0F 84 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 8D 9B ?? ?? ?? ?? 0F B7 8C 04 ?? ?? ?? ?? 66 89 8C 04 ?? ?? ?? ?? 83 + C0 ?? 66 85 C9 75 ?? 8D BC 24 ?? ?? ?? ?? 83 C7 ?? 66 8B 47 ?? 83 C7 ?? 66 85 C0 75 + ?? 6A ?? 8D 84 24 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 68 ?? ?? ?? ?? F3 A5 + FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 44 24 ?? 
8D 54 24 ?? 52 + 50 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 74 24 ?? 56 FF 15 + } + + $remote_connection = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8B 45 ?? 8B 0D ?? ?? ?? ?? 0F B6 15 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8B 3D ?? + ?? ?? ?? 8D 70 ?? 8B 00 56 68 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 52 0F B7 15 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 51 52 50 + 6A ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 FF D7 83 C4 ?? 80 3E ?? 74 ?? B9 ?? ?? ?? + ?? 8B C6 EB ?? 8D 49 ?? C6 00 ?? 40 49 75 ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 8D 50 ?? 8D 49 ?? 8A 08 40 84 C9 75 ?? 8D 8D ?? ?? ?? ?? 51 2B C2 + 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 FF D7 8D 85 ?? + ?? ?? ?? 83 C4 ?? 8D 50 ?? 8A 08 40 84 C9 75 ?? 6A ?? 2B C2 50 8D 85 ?? ?? ?? ?? 50 + 53 FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8D 9B ?? ?? ?? ?? C6 00 ?? 40 + 49 75 ?? 53 FF 15 ?? ?? ?? ?? 5F 5E B8 ?? ?? ?? ?? 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $remote_connection and + ( + all of ($search_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Saturn.yara b/yara/ransomware/Win32.Ransomware.Saturn.yara new file mode 100644 index 0000000..a2bdd95 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Saturn.yara 
@@ -0,0 +1,105 @@ +rule Win32_Ransomware_Saturn : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SATURN" + description = "Yara rule that detects Saturn ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Saturn" + tc_detection_factor = 5 + + strings: + + $find_files_1 = { + 6A ?? C6 45 ?? ?? 8D 4D ?? 8B 3B 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? 3B C8 74 ?? + 83 78 ?? ?? 8B C8 72 ?? 8B 08 FF 70 ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 + 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 + ?? ?? 8D 4D ?? 6A ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 + ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 68 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? 6A + } + + $find_files_2_p1 = { + 68 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? FF B5 + ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 8D 4D ?? 83 7D ?? ?? 8B 55 ?? 0F 43 4D ?? 50 51 E8 + ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 85 ?? ?? ?? ?? FF 75 + ?? 0F 43 85 ?? ?? ?? ?? 8D 4D ?? 83 7D ?? ?? 8B 55 ?? 0F 43 4D ?? 50 51 E8 ?? ?? ?? + ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? FF 75 ?? 0F 43 45 ?? 8D + 4D ?? 83 7D ?? ?? 8B 55 ?? 0F 43 4D ?? 50 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 + ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? FF 75 ?? 0F 43 45 ?? 8D 4D ?? 83 7D ?? ?? 8B 55 ?? + 0F 43 4D ?? 50 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 51 8D 85 ?? ?? + ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 51 8D 85 ?? ?? ?? ?? 
50 + 8D 4D ?? E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? + E8 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 51 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? ?? ?? 83 + } + + $find_files_2_p2 = { + F8 ?? 0F 85 ?? ?? ?? ?? 83 7D ?? ?? 8D 8D ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 51 50 FF + 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 5D ?? 8B F0 80 + BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 00 + ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B D0 + 8D 71 ?? 8A 01 41 84 C0 75 ?? 2B CE 8D 85 ?? ?? ?? ?? 51 50 8B CA E8 ?? ?? ?? ?? F6 + 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 84 DB 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 53 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 0F 84 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C6 E9 + } + + $encrypt_files_p1 = { + 6A ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D8 89 9D ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 6A ?? FF B5 + ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 8B 35 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF D6 8B D8 + 83 FB ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 57 + FF D6 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? + ?? ?? B9 ?? ?? ?? ?? 50 6A ?? 8D 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 
F3 + A5 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? + ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? E9 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 6A ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? 8B F0 FF 15 ?? + ?? ?? ?? 85 F6 0F 95 C3 E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 F6 89 B5 ?? ?? ?? ?? 56 53 FF + } + + $encrypt_files_p2 = { + 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 56 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF D7 85 C0 0F 84 ?? ?? ?? ?? 8D 56 ?? 8B 85 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 03 C8 8D 85 ?? ?? ?? ?? + 3B 8D ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 50 6A ?? 0F 44 F2 56 6A ?? + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 + ?? ?? ?? ?? 6A ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 53 FF D7 BA ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 53 FF D6 FF B5 + ?? ?? ?? ?? FF D6 B3 ?? 8B 85 ?? ?? ?? ?? 83 F8 ?? 72 ?? 8B 8D ?? ?? ?? ?? 40 3D ?? + ?? ?? ?? 72 ?? F6 C1 ?? 75 ?? 8B 41 ?? 3B C1 73 ?? 2B C8 83 F9 ?? 72 ?? 83 F9 ?? 77 + ?? 8B C8 51 E8 ?? ?? ?? ?? 83 C4 ?? 8A C3 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B + 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win32.Ransomware.Sepsis.yara b/yara/ransomware/Win32.Ransomware.Sepsis.yara new file mode 100644 index 0000000..2b9c7c3 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sepsis.yara 
@@ -0,0 +1,126 @@ +rule Win32_Ransomware_Sepsis : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SEPSIS" + description = "Yara rule that detects Sepsis ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sepsis" + tc_detection_factor = 5 + + strings: + + $search_files_1 = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 53 8B 5D ?? 8D 84 24 ?? ?? ?? ?? 56 57 8B 3D ?? + ?? ?? ?? 68 ?? ?? ?? ?? 53 50 FF D7 8D 44 24 ?? 50 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8D 4C 24 ?? 89 44 24 ?? 51 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 + } + + $search_files_2 = { + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 74 ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 74 ?? F6 44 24 ?? ?? 8D 44 24 ?? 50 53 8D 84 24 ?? ?? + ?? ?? 50 74 ?? FF D7 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? EB ?? FF D7 8D 44 24 ?? + 50 FF 15 ?? ?? ?? ?? 8B D0 8D 7A + } + + $search_files_3 = { + 66 8B 0A 83 C2 ?? 66 85 C9 75 ?? 2B D7 D1 FA 83 FA ?? 75 ?? 66 83 78 ?? ?? 74 ?? 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 15 + ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 
FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B 8B + E5 5D C2 + } + + $search_files_4 = { + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 + 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 + ?? 50 FF D6 85 C0 74 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 74 ?? F6 44 24 ?? + ?? 8D 44 24 ?? 50 53 8D 84 24 ?? ?? ?? ?? 50 74 ?? FF D7 8D 84 24 ?? ?? ?? ?? 50 E8 + ?? ?? ?? ?? EB ?? FF D7 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8B D0 8D 7A ?? 66 8B 0A 83 + C2 ?? 66 85 C9 75 ?? 2B D7 D1 FA 83 FA ?? 75 ?? 66 83 78 ?? ?? 74 ?? 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8D 44 24 ?? 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B 8B E5 5D C2 + } + + $encrypt_files_1 = { + BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 6A ?? FF D6 0F 10 05 ?? ?? ?? ?? 8B F8 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 50 0F 11 07 89 3D ?? ?? ?? ?? 0F 10 05 ?? ?? ?? ?? 0F 11 47 ?? 0F 10 05 ?? + ?? ?? ?? 0F 11 47 ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? 6A ?? 50 8D 85 ?? ?? ?? ?? 50 6A ?? 
6A ?? 8D + 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 FF E9 ?? ?? ?? ?? 8D 45 ?? 50 8D + 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? FF 15 ?? ?? + ?? ?? 85 C0 75 ?? 33 FF E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 45 ?? 50 + FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 FF E9 ?? ?? ?? ?? 8D 45 ?? 50 FF 75 ?? 6A ?? FF 75 + ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 33 FF EB ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B CF 8D 51 + } + + $encrypt_files_2 = { + 8A 01 41 84 C0 75 ?? 2B CA 8D 45 ?? 51 50 6A ?? 6A ?? 6A ?? 6A ?? FF 75 ?? 89 4D ?? + 89 4D ?? FF D3 85 C0 75 ?? 33 FF EB ?? FF 75 ?? FF D6 FF 75 ?? 8B F0 6A ?? 56 E8 ?? + ?? ?? ?? FF 75 ?? 57 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? FF 75 ?? 50 56 6A ?? 6A ?? + 6A ?? FF 75 ?? FF D3 8B F8 F7 DF 1B FF 23 FE 8B 35 ?? ?? ?? ?? 8B D7 8D 4A ?? 66 90 + 8A 02 42 84 C0 75 ?? 2B D1 8B CF E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8D 50 ?? 8A 08 40 84 + C9 75 ?? 2B C2 57 A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 81 3D ?? ?? ?? ?? ?? ?? + ?? ?? 0F 82 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_3 = { + 55 8B EC 83 EC ?? 57 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8B C1 68 ?? ?? ?? ?? 50 + 89 45 ?? FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 75 ?? 0B C0 5F 8B E5 5D C3 53 6A ?? 57 FF + 15 ?? ?? ?? ?? 8B D8 83 FB ?? 75 ?? FF 75 ?? 57 FF 15 ?? ?? ?? ?? 8B D8 56 B8 ?? ?? + ?? ?? 6A ?? 3B D8 0F 47 D8 53 6A ?? 6A ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? + 75 ?? 5E 5B 0B C0 5F 8B E5 5D C3 6A ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 56 8B + 35 ?? ?? ?? ?? 89 45 ?? FF D6 57 FF D6 E8 ?? ?? ?? ?? 0F 10 05 ?? ?? ?? ?? 0F 11 05 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B F8 BE ?? ?? ?? ?? 0F 10 05 ?? ?? ?? ?? 0F 11 + 05 ?? ?? ?? ?? 85 DB 74 + } + + $encrypt_files_4 = { + 8A 0C 06 8D 40 ?? 30 48 ?? 83 EA ?? 75 ?? 8B CF E8 ?? ?? ?? ?? 8B F7 83 C7 ?? 83 EB + ?? 75 ?? 8B 45 ?? 0F 10 06 50 0F 11 05 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 83 C4 ?? 8B F2 + } + + $encrypt_files_5 = { + 66 8B 02 83 C2 ?? 
66 85 C0 75 ?? BB ?? ?? ?? ?? 2B D6 8D 7B ?? 66 8B 47 ?? 83 C7 ?? + 66 85 C0 75 ?? 8B CA C1 E9 ?? F3 A5 8B CA 83 E1 ?? 83 C3 ?? F3 A4 66 8B 43 ?? 83 C3 + ?? 66 85 C0 75 ?? 8B FB B9 ?? ?? ?? ?? 8B 5D ?? BE ?? ?? ?? ?? 68 ?? ?? ?? ?? F3 A5 + 53 FF 15 ?? ?? ?? ?? 6A ?? 8B F0 6A ?? 56 FF 15 ?? ?? ?? ?? 56 FF 35 ?? ?? ?? ?? 6A + ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 5E 5B 33 C0 5F 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($search_files_*) + ) and + ( + all of ($encrypt_files_*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Serpent.yara b/yara/ransomware/Win32.Ransomware.Serpent.yara new file mode 100644 index 0000000..ee4f591 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Serpent.yara 
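Review bot: `$search_files_2` and `$search_files_3` look redundant under `all of ($search_files_*)`: `$search_files_4` appears to be the same byte sequence as `$search_files_2` (with two additional repeats of the `68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ??` block) immediately followed by the bytes of `$search_files_3`, so any file matching `$search_files_4` already matches the other two and the condition reduces to `$search_files_1 and $search_files_4`. If `_4` is meant as a variant of the `_2`/`_3` pair rather than a stricter superset, the condition should say so, e.g. `$search_files_1 and (($search_files_2 and $search_files_3) or $search_files_4)`; otherwise dropping `_2` and `_3` avoids scanning three large wildcard patterns for one result. Since the file is vendored from ReversingLabs, this may be better raised upstream than patched locally.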
@@ -0,0 +1,122 @@ +rule Win32_Ransomware_Serpent : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SERPENT" + description = "Yara rule that detects Serpent ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Serpent" + tc_detection_factor = 5 + + strings: + + $do_dll_stuff_and_create_thread = { + 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 68 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 89 D2 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 89 FF 90 90 6A ?? 53 E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? BB ?? ?? ?? ?? 4B 75 ?? BA + ?? ?? ?? ?? 66 0F 6E D2 89 FF 89 C9 31 D2 66 0F 7E D2 89 15 ?? ?? ?? ?? 81 3D ?? ?? + ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? BB ?? ?? ?? ?? 4B 75 ?? BB ?? ?? ?? ?? 89 C9 4B + 75 ?? 89 C9 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? BB ?? ?? ?? ?? 4B + 75 ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 79 ?? E8 ?? + ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 79 ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 4B + 75 ?? 89 FF 90 BB ?? ?? ?? ?? 89 C9 4B 75 ?? 90 90 BB ?? ?? ?? ?? 4B 75 ?? BB ?? ?? + ?? ?? 4B 75 ?? BB ?? ?? ?? ?? 4B 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 90 BB ?? ?? ?? ?? 89 D2 4B 75 ?? 6A ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? BA ?? + ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 90 89 C9 BB ?? ?? ?? ?? 89 FF 4B 75 ?? 68 ?? ?? ?? ?? + 6A ?? 56 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 89 D2 4B 75 ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 33 + C0 A3 ?? ?? ?? ?? 64 8B 35 ?? ?? ?? ?? 89 35 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? + 90 89 F6 90 BB ?? ?? ?? ?? 89 DB 4B 75 ?? 89 D2 89 C0 BB ?? ?? ?? ?? 89 D2 4B 75 ?? 
+ C7 05 ?? ?? ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 89 FF 4B 75 ?? 89 C0 0F 31 90 89 C7 0F + 31 90 89 C0 29 F8 89 D2 89 DB 77 ?? 90 90 89 C9 89 F6 8B 3D ?? ?? ?? ?? 90 90 89 C9 + 89 F6 90 03 3D ?? ?? ?? ?? 90 90 89 C9 89 F6 FF D7 89 F6 90 90 BB ?? ?? ?? ?? 4B 75 + ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? C3 + } + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 33 C0 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 89 85 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 + ?? 8B 58 ?? 83 7B ?? ?? 75 ?? 8D 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 8D 55 ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 73 ?? 6A ?? 8D 45 ?? 50 8B 43 ?? 50 E8 ?? ?? ?? ?? + 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? + 50 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 43 ?? 89 85 ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C6 85 ?? + ?? ?? ?? ?? 8B 45 ?? 89 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? C6 85 + ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 95 ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 8D ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 EB ?? 8B 43 ?? 89 + 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8B 45 ?? 89 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? + 89 B5 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 95 ?? ?? ?? ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8B D8 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $remote_connection = { + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 FF 05 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 0F 85 ?? + ?? ?? ?? 8D 83 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 8B 83 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? + ?? ?? 8D 55 ?? 
33 C0 8A 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 51 ?? 68 ?? ?? ?? ?? 66 8B 83 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? + ?? ?? 8D 55 ?? 33 C0 8A 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 51 ?? 8D 45 ?? 8D 93 ?? ?? ?? + ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 55 ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 51 ?? 8D 45 ?? 8D 93 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 83 ?? ?? ?? + ?? 8B 08 FF 51 ?? 8D 55 ?? 0F B7 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 51 ?? 8D 55 ?? 0F B7 + 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 + ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 51 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 6A ?? + 6A ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 81 FE ?? ?? ?? ?? 76 ?? E8 ?? ?? ?? ?? 66 89 B3 ?? + ?? ?? ?? 66 C7 45 ?? ?? ?? 66 C7 45 ?? ?? ?? 6A ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 0F B7 C6 50 E8 ?? ?? ?? ?? 66 81 BB ?? ?? ?? ?? ?? ?? 75 ?? 8D 4D ?? 66 BA + ?? ?? 8B C3 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? 50 0F B7 83 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? FF 0D ?? ?? ?? + ?? 83 3D ?? ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 + } + + $remote_ftp_connection = { + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? 8B 45 ?? 66 + 8B 80 ?? ?? ?? ?? 66 3D ?? ?? 7E ?? 66 3D ?? ?? 7D ?? 8B 45 ?? 66 83 B8 ?? ?? ?? ?? + ?? 74 ?? 8B 5D ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8B 4D ?? B2 ?? A1 ?? + ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 66 81 B8 ?? ?? ?? ?? ?? ?? 75 ?? B9 + ?? ?? ?? ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 88 ?? ?? ?? ?? 8D 45 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? 
?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? 8B 45 ?? 66 8B 80 + ?? ?? ?? ?? 66 3D ?? ?? 7E ?? 66 3D ?? ?? 7D ?? 8B 45 ?? 66 83 B8 ?? ?? ?? ?? ?? 74 + ?? 8B 5D ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8B 4D ?? B2 ?? A1 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 B8 ?? ?? ?? ?? ?? 74 ?? 8B 45 ?? 83 B8 + ?? ?? ?? ?? ?? 75 ?? 8B 45 ?? 66 83 B8 ?? ?? ?? ?? ?? 74 ?? 8D 55 ?? 8B 5D ?? 8B 83 + ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8B 45 ?? 83 B8 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 + ?? 8A 80 ?? ?? ?? ?? 2C ?? 72 ?? 74 ?? FE C8 74 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B + 45 ?? FF B0 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 45 ?? FF B0 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? EB ?? 8B 45 ?? 8B 88 + ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 + FF 53 ?? EB ?? 8B 45 ?? 8B 88 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B + 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? 8B 45 ?? 83 B8 ?? ?? ?? ?? ?? 74 ?? 8B 45 ?? + 80 B8 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 88 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 88 ?? ?? ?? + ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? + 8B 45 ?? 66 8B 80 ?? ?? ?? ?? 66 3D ?? ?? 7E ?? 66 3D ?? ?? 7D ?? 8B 45 ?? 66 83 B8 + ?? ?? ?? ?? ?? 74 ?? 8B 5D ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8B 4D ?? + B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 66 81 B8 ?? ?? ?? ?? ?? + ?? 75 ?? B9 ?? ?? ?? ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 88 ?? ?? ?? ?? 8D + 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 4D ?? 8B 45 ?? 8B 18 FF 53 ?? 8B 45 + ?? 66 8B 80 ?? ?? ?? ?? 66 3D ?? ?? 7E ?? 66 3D ?? ?? 7D ?? 8B 45 ?? 66 83 B8 ?? ?? + ?? ?? ?? 74 ?? 8B 5D ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? FF 93 ?? ?? ?? ?? 8B 4D ?? B2 ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 66 83 B8 ?? ?? ?? ?? ?? 74 ?? + 8B 5D ?? 8B 55 ?? 8B 83 ?? ?? ?? ?? 
FF 93 + } + + condition: + uint16(0) == 0x5A4D and $do_dll_stuff_and_create_thread and $find_files and $remote_connection and $remote_ftp_connection +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara b/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara new file mode 100644 index 0000000..0f07553 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara 
@@ -0,0 +1,148 @@ +rule Win32_Ransomware_SevenSevenSeven : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SEVENSEVENSEVEN" + description = "Yara rule that detects SevenSevenSeven ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "SevenSevenSeven" + tc_detection_factor = 5 + + strings: + + $file_search_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? + ?? 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 45 ?? 53 56 57 89 65 ?? BE ?? ?? ?? ?? 89 75 + ?? 33 DB 89 5D ?? 88 5D ?? 89 75 ?? 89 5D ?? 88 5D ?? 89 75 ?? 88 5D ?? 68 ?? ?? ?? + ?? 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 53 50 8D 4D ?? E8 + ?? ?? ?? ?? BF ?? ?? ?? ?? 39 BD ?? ?? ?? ?? 72 ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? + ?? 83 C4 ?? 39 7D ?? 8B 45 ?? 73 ?? 8D 45 ?? 8D 8D ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? EB ?? BE ?? ?? ?? ?? 90 6A ?? 53 8D + 4D ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8B 45 ?? 50 8D 8D ?? ?? ?? + ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 50 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? + 53 50 8D 4D ?? E8 ?? ?? ?? ?? 39 BD ?? ?? ?? ?? 72 ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 89 B5 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? 39 BD ?? ?? ?? + ?? 72 ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 B5 ?? ?? ?? ?? 89 9D ?? ?? + ?? ?? 88 9D ?? ?? ?? ?? 39 7D ?? 8B 75 ?? 73 ?? 8D 75 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? + ?? ?? ?? 85 C0 74 ?? B8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 + } + + $file_search_p2 = { + 74 ?? B8 ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? F7 D8 1B C0 F7 D8 3B + C3 0F 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? ?? 74 + ?? 8B 45 ?? 3A C3 0F 84 ?? ?? ?? ?? 50 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 3B + F3 0F 84 ?? ?? ?? ?? 39 7D ?? 72 ?? 8B 45 ?? 
50 E8 ?? ?? ?? ?? 83 C4 ?? 39 7D ?? 72 + ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 89 5D ?? 88 5D ?? 39 7D + ?? 0F 82 ?? ?? ?? ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B C6 E9 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 38 1E 74 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 89 5D ?? + 39 7D ?? 8B 45 ?? 73 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? EB + ?? B8 ?? ?? ?? ?? C3 + } + + $encrypt_file_1 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 55 8B AC 24 ?? ?? ?? ?? 56 55 89 84 24 ?? ?? ?? ?? + 33 F6 FF 15 ?? ?? ?? ?? 33 C9 85 C0 76 ?? 8D 9B ?? ?? ?? ?? 80 3C 29 ?? 75 ?? 46 41 + 3B C8 72 ?? 83 FE ?? 75 ?? 5E 33 C0 5D 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? + ?? ?? ?? C3 57 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 8B + F8 83 FF ?? 75 ?? 5F 5E 33 C0 5D 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? + ?? C3 53 6A ?? 57 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 73 ?? 57 FF 15 ?? ?? ?? ?? 5B 5F + 5E 33 C0 5D 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 53 6A ?? FF 15 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 57 8B F0 FF 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 53 56 + 57 FF 15 ?? ?? ?? ?? 33 C0 85 DB 76 ?? 8D 49 ?? 80 34 30 ?? 40 3B C3 72 ?? 6A ?? 6A + ?? 6A ?? 57 FF 15 ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 51 53 56 57 FF 15 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 0F B7 44 24 ?? 0F B7 4C 24 ?? 0F B7 + 54 24 ?? 68 ?? ?? ?? ?? 50 0F B7 44 24 ?? 51 0F B7 4C 24 ?? 52 0F B7 54 24 ?? 50 51 + 52 55 8D 44 24 ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 51 68 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 52 55 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B + 8C 24 ?? ?? ?? ?? 5B 5F 5E B8 ?? ?? ?? ?? 5D E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_2 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 55 8B AC 24 ?? ?? ?? ?? 56 55 89 84 24 ?? 
?? ?? ?? + 33 F6 FF 15 ?? ?? ?? ?? 33 C9 85 C0 76 ?? 8D 9B ?? ?? ?? ?? 80 3C 29 ?? 75 ?? 46 41 + 3B C8 72 ?? 83 FE ?? 74 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 55 FF 15 ?? + ?? ?? ?? 8B F0 83 FE ?? 75 ?? 5E 33 C0 5D 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 + ?? ?? ?? ?? C3 53 6A ?? 56 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 73 ?? 56 FF 15 ?? ?? ?? + ?? 5B 5E 33 C0 5D 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 57 8D 83 + ?? ?? ?? ?? 50 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 56 8B F8 FF 15 ?? ?? ?? ?? + 6A ?? 8D 4C 24 ?? 51 53 57 56 FF 15 ?? ?? ?? ?? 8B CB C1 E9 ?? 41 74 ?? 8D 47 ?? B2 + ?? 80 70 ?? ?? 80 70 ?? ?? 80 30 ?? 80 70 ?? ?? 80 70 ?? ?? 80 70 ?? ?? 80 70 ?? ?? + 30 50 ?? 83 C0 ?? 49 75 ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 54 24 ?? + 52 53 57 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? + 0F B7 4C 24 ?? 0F B7 54 24 ?? 0F B7 44 24 ?? 68 ?? ?? ?? ?? 51 0F B7 4C 24 ?? 52 0F + B7 54 24 ?? 50 0F B7 44 24 ?? 51 52 50 55 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 FF 15 ?? ?? + ?? ?? 8D 54 24 ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 55 FF 15 + ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5B 5E B8 ?? ?? ?? ?? 5D E8 + ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $remote_server_1 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 56 57 68 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8D 8C 24 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 33 FF 57 6A ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 89 44 24 ?? 33 DB + BD ?? ?? ?? ?? 8B 44 24 ?? BA ?? ?? ?? ?? 8B CB D3 E2 85 D0 0F 84 ?? ?? ?? ?? 8A CB + 8D 54 24 ?? 80 C1 ?? 52 88 4C 24 ?? 66 C7 44 24 ?? ?? ?? FF D6 83 F8 ?? 74 ?? 8D 44 + 24 ?? 50 FF D6 83 F8 ?? 75 ?? 8D 44 24 ?? 89 6C 24 ?? 89 7C 24 ?? C6 44 24 ?? ?? 8D + 50 ?? 8A 08 40 84 C9 75 ?? 
2B C2 50 8D 4C 24 ?? 51 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 54 + 24 ?? 6A ?? 52 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 83 F8 ?? 72 ?? 8B 44 24 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 89 6C 24 ?? 89 7C 24 ?? C6 44 24 ?? ?? 43 83 FB ?? 0F 8C ?? ?? + ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? + ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5D 33 C0 5B E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C2 + } + + $remote_server_2 = { + 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 57 33 FF 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 89 84 + 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 66 83 7C 24 ?? ?? + 0F 85 ?? ?? ?? ?? 66 83 7C 24 ?? ?? 0F 87 ?? ?? ?? ?? 53 55 56 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? + 8D 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 57 6A ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 89 44 24 ?? 33 DB BD ?? ?? + ?? ?? 8B CB B8 ?? ?? ?? ?? D3 E0 8B 4C 24 ?? 85 C1 0F 84 ?? ?? ?? ?? 8A D3 8D 44 24 + ?? 80 C2 ?? 50 88 54 24 ?? 66 C7 44 24 ?? ?? ?? FF D6 83 F8 ?? 74 ?? 8D 4C 24 ?? 51 + FF D6 83 F8 ?? 75 ?? 8D 44 24 ?? 89 6C 24 ?? 89 7C 24 ?? C6 44 24 ?? ?? 8D 50 ?? 8A + 08 40 84 C9 75 ?? 2B C2 50 8D 54 24 ?? 52 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 6A + ?? 50 E8 ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 83 F8 ?? 72 ?? 8B 4C 24 ?? 51 E8 ?? ?? ?? + ?? 83 C4 ?? 89 6C 24 ?? 89 7C 24 ?? C6 44 24 ?? ?? 43 83 FB ?? 0F 8C ?? ?? ?? ?? E8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B + 8C 24 ?? ?? ?? ?? 5E 5D 5B 33 C0 5F E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C2 ?? ?? 57 FF + 15 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($file_search_p*) + ) + and + ( + ( + ( + $encrypt_file_1 + ) and + ( + $remote_server_1 + ) + ) + or + ( + ( + $encrypt_file_2 + ) and + ( + $remote_server_2 + ) + ) + ) +} \ No newline at end of file 
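Review bot: `$remote_server_2` appears to run three bytes past the function's return: it ends `81 C4 ?? ?? ?? ?? C2 ?? ?? 57 FF 15`, where `C2 ?? ??` is `ret imm16` and `57 FF 15` is the start of whatever the linker placed next, whereas `$remote_server_1` stops at `C2`. That ties the match to function ordering in the binary rather than to the function itself; ending the pattern at `... 81 C4 ?? ?? ?? ?? C2` as `$remote_server_1` does would be more robust. As a style point, the condition's triple nesting `( ( ( $encrypt_file_1 ) and ( $remote_server_1 ) ) or ( ( $encrypt_file_2 ) and ( $remote_server_2 ) ) )` reads more easily as `($encrypt_file_1 and $remote_server_1) or ($encrypt_file_2 and $remote_server_2)`. Since the file is vendored from ReversingLabs, both points may belong upstream.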
diff --git a/yara/ransomware/Win32.Ransomware.ShadowCryptor.yara b/yara/ransomware/Win32.Ransomware.ShadowCryptor.yara new file mode 100644 index 0000000..5b5a4c0 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.ShadowCryptor.yara 
@@ -0,0 +1,89 @@ +rule Win32_Ransomware_ShadowCryptor : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SHADOWCRYPTOR" + description = "Yara rule that detects ShadowCryptor ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ShadowCryptor" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 8D 45 ?? 83 7D ?? ?? 0F 57 C0 66 0F 13 85 ?? ?? ?? ?? 0F 43 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B + BD ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? EB ?? + 8D A4 24 ?? ?? ?? ?? 90 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D3 85 C0 0F 84 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF D3 85 C0 0F 84 ?? ?? ?? ?? 33 C0 83 7D + ?? ?? 66 89 85 ?? ?? ?? ?? 8D 45 ?? 0F 43 45 ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 85 + ?? ?? ?? ?? 83 F8 ?? 74 ?? A8 ?? 74 ?? 50 8D 85 ?? ?? ?? ?? 50 51 8B 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? EB ?? 51 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 51 8B 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 83 C7 ?? 83 D6 ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 + 7D ?? ?? 72 ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B D6 8B C7 8B 4D ?? 64 89 0D ?? ?? + ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C2 + } + + $encrypt_files = { + 55 8B EC 83 E4 ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 83 EC ?? A1 ?? ?? ?? ?? + 33 C4 89 44 24 ?? 53 56 57 A1 ?? ?? ?? ?? 33 C4 50 8D 44 24 ?? 64 A3 ?? ?? ?? ?? 
8B + F1 8D 46 ?? 50 8D 4E ?? E8 ?? ?? ?? ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? + ?? ?? ?? 66 89 44 24 ?? 89 44 24 ?? 39 46 ?? 0F 84 ?? ?? ?? ?? 8D A4 24 ?? ?? ?? ?? + 80 7E ?? ?? 0F 85 ?? ?? ?? ?? 51 8D 44 24 ?? 50 8D 44 24 ?? 50 8D 4E ?? E8 ?? ?? ?? + ?? 8B C8 E8 ?? ?? ?? ?? 8B D0 8B 02 85 C0 74 ?? 8B 00 8B 48 ?? 8B 40 ?? 49 23 4A ?? + 8B 04 88 8D 4C 24 ?? 3B C8 74 ?? 6A ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 46 ?? 8B 4E ?? 48 + 03 C8 8B 46 ?? 48 23 C8 8B 46 ?? 8B 3C 88 83 7F ?? ?? 72 ?? FF 37 E8 ?? ?? ?? ?? 83 + C4 ?? 33 C0 C7 47 ?? ?? ?? ?? ?? C7 47 ?? ?? ?? ?? ?? 66 89 07 FF 4E ?? 75 ?? 89 46 + ?? 83 EC ?? 8B CC 6A ?? 89 41 ?? 33 C0 C7 41 ?? ?? ?? ?? ?? 50 66 89 01 8D 44 24 ?? + 50 E8 ?? ?? ?? ?? 51 8B CE E8 ?? ?? ?? ?? 8B C8 0B CA 74 ?? 01 46 ?? 11 56 ?? 83 7C + 24 ?? ?? 8D 54 24 ?? 0F 43 54 24 ?? 83 EC ?? 8B FC 33 C0 C7 47 ?? ?? ?? ?? ?? C7 47 + ?? ?? ?? ?? ?? 66 89 07 66 39 02 74 ?? 8B C2 8D 48 ?? 89 4C 24 ?? 66 8B 08 83 C0 ?? + 66 85 C9 75 ?? 2B 44 24 ?? D1 F8 50 52 8B CF E8 ?? ?? ?? ?? 8B 4E ?? 83 79 ?? ?? 8D + 41 ?? 72 ?? 8B 00 8B 91 ?? ?? ?? ?? 81 C1 ?? ?? ?? ?? 83 79 ?? ?? 72 ?? 8B 09 50 E8 + ?? ?? ?? ?? 83 C4 ?? 83 7E ?? ?? 0F 85 ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? FF 74 24 ?? + E8 ?? ?? ?? ?? 83 C4 ?? 8B 4C 24 ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4C 24 ?? 33 + CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $terminate_antivirus_processes_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B D9 C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 33 C0 C7 43 ?? ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 66 89 03 89 + 45 ?? 50 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + } + + $terminate_antivirus_processes_p2 = { + 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D 49 ?? 33 F6 8B BC B5 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 57 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 39 43 ?? 
74 ?? 6A ?? 68 ?? + ?? ?? ?? 8B CB E8 ?? ?? ?? ?? 66 83 3F ?? 75 ?? 33 C0 EB ?? 8B C7 8D 50 ?? 8D 49 ?? + 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 50 57 8B CB E8 ?? ?? ?? ?? 46 83 FE ?? + 72 ?? 8B B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 56 FF + 15 ?? ?? ?? ?? 8B C3 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? + ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($terminate_antivirus_processes_p*) + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Sherminator.yara b/yara/ransomware/Win32.Ransomware.Sherminator.yara new file mode 100644 index 0000000..a13a068 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sherminator.yara 
@@ -0,0 +1,157 @@ +rule Win32_Ransomware_Sherminator : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SHERMINATOR" + description = "Yara rule that detects Sherminator ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sherminator" + tc_detection_factor = 5 + + strings: + + $enum_resources_p1 = { + 55 89 E5 57 53 83 EC ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 + ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 89 45 ?? 83 7D ?? + ?? 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? C7 44 24 ?? + ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 89 54 + 24 ?? 8B 55 ?? 89 54 24 ?? 8D 55 ?? 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 89 + 45 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 89 + } + + $enum_resources_p2 = { + 45 ?? 8B 45 ?? C1 E0 ?? 89 C2 8B 45 ?? 01 D0 8B 40 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 + ?? C1 E0 ?? 89 C2 8B 45 ?? 01 D0 8B 40 ?? 89 04 24 E8 ?? ?? ?? ?? 83 C0 ?? 8B 15 ?? + ?? ?? ?? 8B 0D ?? ?? ?? ?? C1 E1 ?? 8D 1C 0A C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? + ?? ?? ?? 89 03 A1 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? C1 E2 ?? 01 D0 8B 00 85 C0 0F 84 ?? + ?? ?? ?? 8B 45 ?? C1 E0 ?? 89 C2 8B 45 ?? 01 D0 8B 50 ?? A1 ?? ?? ?? ?? 8B 0D ?? ?? + ?? ?? C1 E1 ?? 01 C8 8B 00 89 54 24 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? C1 E2 ?? 01 D0 8B 10 89 D0 B9 ?? ?? ?? ?? 89 C3 B8 ?? ?? ?? ?? 89 DF F2 + AE 89 C8 F7 D0 83 E8 ?? 01 D0 66 C7 00 ?? ?? A1 ?? ?? ?? ?? 83 C0 ?? A3 ?? ?? ?? ?? + 8B 45 ?? C1 E0 ?? 89 C2 8B 45 ?? 01 D0 8B 40 ?? 83 E0 ?? 85 C0 74 ?? 8B 45 ?? C1 E0 + ?? 89 C2 8B 45 ?? 01 D0 89 04 24 E8 ?? ?? ?? ?? EB ?? 
90 83 45 ?? ?? 8B 45 ?? 39 45 + ?? 0F 82 ?? ?? ?? ?? 81 7D ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? + ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? 90 90 8D 65 ?? 5B 5F 5D C3 + } + + $encrypt_files_p1 = { + 55 89 E5 57 83 EC ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 C0 ?? C7 44 24 ?? ?? ?? ?? + ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? + ?? A1 ?? ?? ?? ?? FF D0 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 + ?? B9 ?? ?? ?? ?? 89 C2 B8 ?? ?? ?? ?? 89 D7 F2 AE 89 C8 F7 D0 8D 50 ?? 8B 45 ?? 01 + D0 66 C7 00 ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? + 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 89 45 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 + 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 89 55 + ?? 83 7D ?? ?? 7F ?? 83 7D ?? ?? 78 ?? 83 7D ?? ?? 77 ?? C7 44 24 ?? ?? ?? ?? ?? 8B + 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 44 24 + ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? + 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 C7 45 ?? ?? ?? ?? ?? DF 6D ?? + DD 5D ?? DD 45 ?? DD 05 ?? ?? ?? ?? DF E9 DD D8 76 ?? 8B 45 ?? 89 45 ?? EB ?? C7 45 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 + 7D ?? ?? 75 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC + } + + $encrypt_files_p2 = { + 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF + D0 C7 45 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 15 ?? + ?? ?? ?? A1 ?? ?? ?? ?? 8D 4D ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 54 24 ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 75 ?? C7 04 24 ?? + ?? ?? ?? A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? + ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? + ?? ?? 8B 45 ?? 
89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 C7 04 24 ?? ?? ?? ?? A1 + ?? ?? ?? ?? FF D0 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 + 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 85 C0 75 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 + 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B + 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 + ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? + ?? ?? 89 45 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 + 7D ?? ?? 74 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 + 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 44 24 ?? 8B 45 + } + + $encrypt_files_p3 = { + 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC + ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? + A1 ?? ?? ?? ?? FF D0 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? 39 55 ?? 7F ?? 39 55 ?? 7C ?? 39 + 45 ?? 77 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? + 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 89 54 24 ?? 8D 55 ?? 89 54 24 ?? 8B 55 ?? + 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 8B 55 ?? 89 54 24 ?? C7 44 24 ?? ?? ?? ?? ?? 89 + 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 8B 55 ?? 89 54 24 ?? 89 44 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? BA ?? ?? ?? ?? 29 45 ?? + 19 55 ?? 83 7D ?? ?? 0F 8F ?? ?? ?? ?? 83 7D ?? ?? 78 ?? 83 7D ?? ?? 0F 87 ?? ?? ?? + ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 + 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? + ?? 
FF D0 83 EC ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 + } + + $find_files_p1 = { + 55 89 E5 57 53 81 EC ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 83 C0 ?? C7 44 24 + ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 75 ?? 8B 45 ?? 89 04 24 + E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 44 + 24 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? B9 ?? ?? ?? ?? 89 C2 B8 ?? ?? ?? ?? + 89 D7 F2 AE 89 C8 F7 D0 8D 50 ?? 8B 45 ?? 01 D0 C7 00 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 89 45 ?? 83 7D ?? ?? 0F + 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 85 C0 0F 84 ?? ?? ?? ?? 0F B6 95 ?? ?? ?? + ?? 0F B6 05 ?? ?? ?? ?? 0F B6 D2 0F B6 C0 29 C2 89 D0 85 C0 0F 84 ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? + 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 + E0 ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 89 C3 8D 85 ?? ?? ?? + ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? 01 D8 83 C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 + } + + $find_files_p2 = { + E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? + 89 04 24 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 E8 + ?? ?? ?? ?? 8B 45 ?? B9 ?? ?? ?? ?? 89 C2 B8 ?? ?? ?? ?? 89 D7 F2 AE 89 C8 F7 D0 8D + 50 ?? 8B 45 ?? 01 D0 66 C7 00 ?? ?? A1 ?? ?? ?? ?? 8B 55 ?? 89 54 24 ?? 89 44 24 ?? + C7 04 24 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? 
?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 + } + + $find_files_p3 = { + 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 + 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 89 04 + 24 E8 ?? ?? ?? ?? 89 C3 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 04 24 E8 ?? ?? ?? ?? 01 D8 83 + C0 ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 8B + 45 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 83 C0 ?? 89 44 + 24 ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 55 ?? 89 54 24 ?? 89 44 24 + ?? C7 04 24 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 EB ?? 90 EB ?? 90 EB ?? 90 EB ?? 90 EB + ?? 90 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? + 85 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 89 04 24 A1 ?? ?? ?? ?? FF D0 83 EC ?? 8B 45 ?? 89 + 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 04 24 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? FF D0 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($enum_resources_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Sifrelendi.yara b/yara/ransomware/Win32.Ransomware.Sifrelendi.yara new file mode 100644 index 0000000..ce49bd2 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sifrelendi.yara 
@@ -0,0 +1,67 @@ +rule Win32_Ransomware_Sifrelendi : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SIFRELENDI" + description = "Yara rule that detects Sifrelendi ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sifrelendi" + tc_detection_factor = 5 + + strings: + + $search_files = { + E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 7E ?? 8D 85 ?? ?? ?? + ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5A 59 59 64 89 10 68 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? + ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 F6 85 ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 + ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? E8 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 EB + ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 8B E5 5D + C3 + } + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 89 4D ?? 89 55 ?? 
89 45 ?? 8B 45 ?? E8 ?? + ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 + FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 89 45 ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 33 C9 B2 ?? A1 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B F8 8B 0D ?? ?? ?? ?? 8B 55 ?? 8B C7 E8 ?? ?? ?? ?? 33 C9 B2 + ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 8B 0D ?? ?? ?? ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? + ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B 45 + ?? 8B 10 FF 12 50 8B CB 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? 8B C6 8B 10 FF 52 ?? 6A ?? 6A + ?? 8B C3 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 12 50 8B 4D ?? 8B D3 8B C7 E8 ?? ?? ?? ?? 8B + C7 8B 10 FF 52 ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8D 45 + ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5F 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $search_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Sifreli.yara b/yara/ransomware/Win32.Ransomware.Sifreli.yara new file mode 100644 index 0000000..f4e7764 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Sifreli.yara 
@@ -0,0 +1,119 @@ +rule Win32_Ransomware_Sifreli : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SIFRELI" + description = "Yara rule that detects Sifreli ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sifreli" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 83 EC ?? 53 56 57 8B 7D ?? 8B C7 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? + 2B C2 D1 F8 8D 44 00 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? + 6A ?? 50 FF D6 8B D8 89 5D ?? 85 DB 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 53 FF 15 ?? + ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 51 FF D6 8B F8 85 FF 0F 84 ?? ?? ?? + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? E8 ?? ?? ?? ?? 3D ?? ?? + ?? ?? 1B C0 40 A3 ?? ?? ?? ?? EB ?? A1 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 57 50 53 FF 15 + ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 90 F6 07 ?? 74 + ?? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 47 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 + 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 33 DB EB ?? + 1B C0 83 D8 ?? 85 C0 74 ?? B9 ?? ?? ?? ?? 8D 47 ?? 8D 49 ?? 66 8B 10 66 3B 11 75 ?? + 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 + EB ?? 1B C0 83 D8 ?? 85 C0 74 ?? 8B 55 ?? 8B 4D ?? 52 8D 47 ?? 50 8B 07 50 53 68 ?? + ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 55 ?? 57 52 FF 15 ?? ?? ?? ?? 85 + C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 5D ?? EB ?? C7 45 ?? ?? ?? ?? + ?? 8B 0D ?? ?? ?? ?? 57 6A ?? 51 FF 15 ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 8B 15 + ?? ?? ?? ?? 53 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5B 8B E5 5D C3 5F 5E B8 ?? + ?? ?? ?? 5B 8B E5 5D C3 + } + + $remote_connection_p1 = { + 55 8B EC 83 EC ?? 53 33 DB 8D 45 ?? 89 5D ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8B 45 ?? 8B 4D ?? 56 57 50 51 E8 ?? ?? ?? ?? 
8B F8 83 C4 ?? 85 FF 74 ?? 8B 55 ?? 8B + 4D ?? 52 57 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 83 C4 ?? 85 F6 74 ?? 8B 45 ?? 6A + ?? 50 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B D6 E8 ?? ?? ?? ?? 85 C0 74 ?? + C7 45 ?? ?? ?? ?? ?? 56 FF D3 8D 4D ?? 51 8D 55 ?? 52 6A ?? 57 C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 57 8B F0 FF D3 85 F6 74 ?? 8B 45 ?? 50 FF D3 + 8B 5D ?? 83 7D ?? ?? 8B 35 ?? ?? ?? ?? 74 ?? 8B 4D ?? 8B 15 ?? ?? ?? ?? 51 6A ?? 52 + FF D6 8B 45 ?? 85 C0 74 ?? 50 A1 ?? ?? ?? ?? 6A ?? 50 FF D6 5F 5E 8B C3 5B 8B E5 5D + C3 8B C3 5B 8B E5 5D C3 + } + + $remote_connection_p2 = { + 55 8B EC 83 EC ?? 56 57 68 ?? ?? ?? ?? 33 FF 57 57 57 57 FF 15 ?? ?? ?? ?? 8B F0 85 + F6 74 ?? 8B 3D ?? ?? ?? ?? B8 ?? ?? ?? ?? 6A ?? 89 45 ?? 89 45 ?? 8D 45 ?? 50 6A ?? + 56 C7 45 ?? ?? ?? ?? ?? FF D7 6A ?? 8D 4D ?? 51 6A ?? 56 FF D7 6A ?? 8D 55 ?? 52 6A + ?? 56 FF D7 8B 45 ?? 8B 4D ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 50 51 56 FF 15 ?? ?? ?? + ?? 8B F8 85 FF 75 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 8B E5 5D C3 + } + + $remote_connection_p3 = { + 55 8B EC 83 EC ?? 53 56 8B F0 33 C0 89 06 57 89 46 ?? 89 46 ?? 6A ?? 50 89 46 ?? 8D + 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 6A ?? BF ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 89 7D ?? 89 7D ?? 89 7D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 8B 4D ?? 8B 1D ?? ?? ?? ?? 8D 4C 09 ?? 33 C0 85 C9 74 ?? 8B 15 ?? ?? ?? ?? + 51 50 52 FF D3 89 06 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 51 52 50 E8 ?? ?? ?? + ?? 8B 06 8B 55 ?? 33 C9 66 89 0C 50 8B 4D ?? 83 C4 ?? 85 C9 74 ?? 8B 45 ?? 66 83 38 + ?? 75 ?? 83 45 ?? ?? 2B CF 89 4D ?? 85 C9 75 ?? 8B 55 ?? 8D 7C 0A ?? 8D 54 3F ?? 33 + C0 85 D2 74 ?? 52 50 A1 ?? ?? ?? ?? 50 FF D3 8B 4D ?? 89 46 ?? 85 C0 74 ?? 51 8B 4D + ?? 51 83 C0 ?? 50 E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8B 4E ?? 52 8B 55 ?? 50 8D 44 51 + ?? 50 E8 ?? ?? ?? ?? 8B 46 ?? B9 ?? ?? ?? ?? 66 89 08 33 D2 66 89 14 78 66 8B 45 ?? + 83 C4 ?? 83 7D ?? ?? 66 89 46 ?? 75 ?? 83 4E ?? ?? 5F 5E B8 ?? ?? ?? ?? 
5B 8B E5 5D + C3 8B 36 85 F6 74 ?? 8B 0D ?? ?? ?? ?? 56 6A ?? 51 FF 15 ?? ?? ?? ?? 5F 5E 33 C0 5B + 8B E5 5D C3 + } + + $encrypt_files_1 = { + 8B C3 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 57 8B F8 8D 4C 3F ?? 33 + C0 85 C9 74 ?? 51 50 A1 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 8B F0 8B CB + 2B F3 8D 9B ?? ?? ?? ?? 0F B7 11 66 89 14 0E 83 C1 ?? 66 85 D2 75 ?? B9 ?? ?? ?? ?? + 8D 34 3F 2B F1 03 F0 EB ?? 8D 49 ?? 0F B7 11 66 89 14 0E 83 C1 ?? 66 85 D2 75 ?? 5E + 5F C3 + } + + $encrypt_files_2 = { + 83 E8 ?? 53 56 57 8B DA 74 ?? 48 74 ?? 5F 5E 33 C0 5B C3 53 51 33 F6 E8 ?? ?? ?? ?? + 83 C4 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 8B F0 33 FF 85 F6 74 ?? 56 53 FF 15 ?? ?? ?? ?? + 85 C0 74 ?? BF ?? ?? ?? ?? A1 ?? ?? ?? ?? 56 6A ?? 50 FF 15 ?? ?? ?? ?? 8B F7 5F 8B + C6 5E 5B C3 53 51 33 F6 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 8B F0 33 + FF 85 F6 74 ?? 56 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? BF ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? + 56 6A ?? 51 FF 15 ?? ?? ?? ?? 8B F7 5F 8B C6 5E 5B C3 ?? ?? 55 8B EC 8B 4D ?? 8B 41 + ?? 83 F8 ?? 0F 8F ?? ?? ?? ?? F7 45 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 40 53 89 41 ?? + 8B 45 ?? 83 E8 ?? 56 57 74 ?? 48 0F 85 ?? ?? ?? ?? 8B 7D ?? 33 F6 8D 9B ?? ?? ?? ?? + 8B 86 ?? ?? ?? ?? 50 57 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 83 C6 ?? 83 + FE ?? 72 ?? 8B 5D ?? E8 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 8B 4D ?? 51 56 E8 ?? ?? ?? ?? + 83 C4 ?? EB ?? 8B 41 ?? 83 E8 ?? 74 ?? 48 75 ?? 8B 75 ?? E8 ?? ?? ?? ?? EB ?? 8B 75 + ?? 8B C6 E8 ?? ?? ?? ?? F7 D8 1B C0 F7 D8 85 C0 74 ?? 8B 5D ?? 8B FE E8 ?? ?? ?? ?? + 8B F0 85 F6 74 ?? 8B 7D ?? 8B 47 ?? 8B 0F 8B D6 E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 47 ?? + 85 C0 74 ?? 50 FF 15 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? 8B 45 ?? FF 48 ?? 5F 5E 5B B8 + ?? ?? ?? ?? 5D C3 + } + + $encrypt_files_3 = { + 8B C6 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 83 C0 ?? 85 C0 7E ?? EB + ?? 8D 49 ?? 66 83 3C 46 ?? 74 ?? 48 85 C0 7F ?? 33 C0 C3 8D 44 46 ?? 85 C0 74 ?? 83 + C0 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 
85 C0 75 ?? B8 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Sigrun.yara b/yara/ransomware/Win32.Ransomware.Sigrun.yara
new file mode 100644
index 0000000..664c2d8
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Sigrun.yara
@@ -0,0 +1,111 @@ +rule Win32_Ransomware_Sigrun : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SIGRUN" + description = "Yara rule that detects Sigrun ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Sigrun" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 83 E4 ?? 81 EC ?? ?? ?? ?? 83 7D ?? ?? 53 56 57 8B DA C7 44 24 ?? ?? ?? ?? + ?? 8B F1 75 ?? 8D 54 24 ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? 89 7C 24 ?? 85 C0 75 ?? 85 FF + 75 ?? 5F 5E 5B 8B E5 5D C3 C7 44 24 ?? ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? + A1 ?? ?? ?? ?? 89 44 24 ?? A1 ?? ?? ?? ?? 89 44 24 ?? 0F B7 06 66 89 44 24 ?? 83 F8 + ?? 0F 84 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 56 + FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 8D 04 46 89 44 24 ?? FF D7 8D + 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 D2 89 44 24 ?? 66 89 11 83 F8 ?? 75 + ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? + ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 8D 44 24 ?? 50 56 FF D7 F6 44 24 ?? ?? 74 ?? 83 7C 24 ?? ?? 74 ?? BA ?? ?? ?? ?? + 8B CE E8 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? 56 FF D7 6A ?? 8B D3 8B CE E8 ?? ?? + ?? ?? EB ?? 68 ?? ?? ?? ?? 56 FF D7 6A ?? 8B D3 8B CE E8 ?? ?? ?? ?? EB ?? 53 8D 54 + 24 ?? 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 8B 44 24 ?? 33 C9 66 89 08 8D 44 24 ?? 50 FF 74 + 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 5E + 33 C0 5B 8B E5 5D C3 + } + + $encrypt_files_1 = { + 55 8B EC 83 EC ?? 53 57 68 ?? ?? ?? ?? 8B FA 8B D9 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 5F 33 C0 5B 8B E5 5D C3 + 56 8D 45 ?? 33 F6 50 56 56 57 53 FF 75 ?? FF 15 ?? ?? ?? ?? 
85 C0 74 ?? 56 8D 45 ?? + C7 45 ?? ?? ?? ?? ?? 50 8D 45 ?? 50 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 68 ?? + ?? ?? ?? 50 FF 75 ?? C7 00 ?? ?? ?? ?? 56 6A ?? 56 FF 75 ?? FF 15 ?? ?? ?? ?? 8B F0 + FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 6A ?? FF 75 ?? FF 15 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B C6 5E 5F 5B 8B E5 5D C3 + } + + $encrypt_files_2 = { + 55 8B EC 53 56 57 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B DA 8B F9 FF 15 ?? ?? + ?? ?? 57 8B F0 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 C4 ?? 8B CF E8 ?? ?? ?? ?? 85 + C0 74 ?? 68 ?? ?? ?? ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 5D C3 8B CF E8 ?? + ?? ?? ?? 85 C0 75 ?? 83 7B ?? ?? 72 ?? 8B 55 ?? 8B CF E8 ?? ?? ?? ?? 85 C0 74 ?? 56 + 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 5F 5E B8 ?? ?? ?? ?? + 5B 5D C3 + } + + $encrypt_files_3 = { + 55 8B EC 83 EC ?? 56 57 E8 ?? ?? ?? ?? 85 C0 75 ?? 83 C8 ?? 5F 5E 8B E5 5D C3 8D 45 + ?? 50 8D 45 ?? 50 8D 55 ?? 8D 4D ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 8D 4D ?? 8B D7 E8 + ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 85 C0 74 ?? 8B 4D ?? 85 C9 74 ?? 8B 45 ?? 85 C0 74 ?? + C6 04 08 ?? 8B 4D ?? 68 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 + ?? FF D6 8B CF E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 05 ?? ?? ?? ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 75 ?? FF D6 68 ?? ?? ?? ?? 6A ?? + 57 FF D6 5F 33 C0 5E 8B E5 5D C3 + } + + $enum_resources_1 = { + 55 8B EC 83 E4 ?? 83 EC ?? 53 56 57 8B 3D ?? ?? ?? ?? 8B F1 6A ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? 89 54 24 ?? 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? FF D7 8B 1D ?? ?? + ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 85 F6 0F 85 ?? ?? + ?? ?? 8D 44 24 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF D3 85 C0 0F 85 ?? ?? ?? ?? 8D 44 24 + ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 74 24 ?? 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF + 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 49 ?? 
33 DB 39 5C 24 ?? 0F 86 + ?? ?? ?? ?? 8B 74 24 ?? 83 C6 ?? 83 7E ?? ?? 75 ?? 8B 06 6A ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 89 44 24 ?? FF D7 8B F8 85 FF 74 ?? FF 74 24 ?? 68 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 8B 55 ?? 83 C4 ?? 8B CF 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? + 6A ?? 57 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? F6 46 ?? ?? 74 ?? FF 75 ?? 8B 54 24 ?? + 8D 4E ?? E8 ?? ?? ?? ?? 83 C4 ?? 43 83 C6 ?? 3B 5C 24 ?? 72 ?? 8D 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 50 FF 74 24 ?? 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 74 24 ?? FF + } + + $enum_resources_2 = { + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 74 24 ?? FF 74 24 ?? FF + 15 ?? ?? ?? ?? 8D 44 24 ?? 50 56 6A ?? 6A ?? 6A ?? FF D3 8B F0 85 F6 0F 85 ?? ?? ?? + ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 74 24 ?? + C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 9B ?? ?? ?? ?? + 33 DB 39 5C 24 ?? 0F 86 ?? ?? ?? ?? 83 C6 ?? 90 83 7E ?? ?? 75 ?? 8B 06 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 89 44 24 ?? FF D7 8B F8 85 FF 74 ?? FF 74 24 ?? 68 ?? + ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B 55 ?? 83 C4 ?? 8B CF 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? 6A ?? 57 FF 15 ?? ?? ?? ?? F6 46 ?? ?? 74 ?? FF 75 ?? 8B 54 24 ?? 8D + 4E ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 3D ?? ?? ?? ?? 43 83 C6 ?? 3B 5C 24 ?? 72 ?? 8B 74 + 24 ?? 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 56 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? + 50 FF 74 24 ?? FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 74 24 + ?? FF 15 ?? ?? ?? ?? 8B F0 68 ?? ?? ?? ?? 6A ?? FF 74 24 ?? FF 15 ?? ?? ?? ?? 5F 8B + C6 5E 5B 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($enum_resources_*) + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Skystars.yara b/yara/ransomware/Win32.Ransomware.Skystars.yara new file mode 100644 index 0000000..5a59499 --- /dev/null 
+++ b/yara/ransomware/Win32.Ransomware.Skystars.yara 
@@ -0,0 +1,97 @@ +rule Win32_Ransomware_Skystars : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SKYSTARS" + description = "Yara rule that detects Skystars ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Skystars" + tc_detection_factor = 5 + + strings: + + $search_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 50 + 6A ?? 6A ?? FF 75 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB + 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? + 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B8 ?? + ?? ?? ?? EB ?? B8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8B 5D + ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? + 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? + 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 5D ?? FF 33 + } + + $search_files_p2 = { + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? + ?? ?? FF 75 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? + 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 + ?? 58 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? + ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 
B8 ?? ?? ?? + ?? EB ?? B8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8B 5D ?? FF + 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D + ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? + 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 + ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? E9 ?? ?? ?? ?? FF 75 ?? B8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + $encrypt_files = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 5D ?? 8B 03 + 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 + ?? ?? ?? ?? 6A ?? 8B 5D ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 5D ?? FF + 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? FF 75 ?? 68 ?? ?? + ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? + ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? + 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? + 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 + 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? + ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 + ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + $main_routine = { + 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? 
E8 + ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 53 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? + ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D + ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 45 ?? 50 + E8 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? 89 45 + ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? + ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? + 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $main_routine + ) and + ( + all of ($search_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Spora.yara b/yara/ransomware/Win32.Ransomware.Spora.yara new file mode 100644 index 0000000..fe813e0 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Spora.yara 
@@ -0,0 +1,124 @@ +rule Win32_Ransomware_Spora : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SPORA" + description = "Yara rule that detects Spora ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Spora" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 55 8D 6C 24 ?? 81 EC ?? ?? ?? ?? 57 FF 75 ?? 33 FF 89 7D ?? FF 15 ?? ?? ?? ?? 83 F8 + ?? 0F 84 ?? ?? ?? ?? A8 ?? 74 ?? 83 E0 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 53 56 57 BE + ?? ?? ?? ?? 56 6A ?? 57 6A ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B D8 83 FB + ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 53 89 7D ?? FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 0F + 82 ?? ?? ?? ?? 6A ?? 57 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? + ?? 57 8D 45 ?? 50 56 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 39 75 + ?? 0F 85 ?? ?? ?? ?? 57 8D 45 ?? 50 6A ?? 8D 45 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 0F + 84 ?? ?? ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 56 8D 45 ?? 50 57 FF 15 ?? ?? ?? ?? 3B + 45 ?? 0F 84 ?? ?? ?? ?? 39 7D ?? 74 ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 45 ?? B9 ?? ?? + ?? ?? 3B C1 72 ?? 89 4D ?? EB ?? 83 E0 ?? 89 45 ?? 57 FF 75 ?? 57 6A ?? 57 53 FF 15 + ?? ?? ?? ?? 89 45 ?? 3B C7 0F 84 ?? ?? ?? ?? FF 75 ?? 57 57 6A ?? 50 FF 15 ?? ?? ?? + ?? 89 45 ?? 3B C7 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 57 6A ?? 57 FF + 75 ?? 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 45 ?? 50 8D 45 ?? 50 57 6A ?? 57 + FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF 75 ?? 8D 45 ?? 50 FF 75 ?? 57 57 + 57 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 45 ?? 50 57 FF 15 ?? ?? ?? ?? 6A ?? + 57 57 53 89 45 ?? FF 15 ?? ?? ?? ?? 57 8D 45 ?? 50 56 8B 35 ?? ?? ?? ?? 8D 45 ?? 50 + 53 FF D6 57 8D 45 ?? 50 6A ?? 8D 45 ?? 50 53 FF D6 C7 45 ?? ?? ?? ?? ?? FF 75 ?? FF + 15 ?? ?? ?? ?? FF 75 ?? 
FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? EB ?? C7 45 ?? + ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 5E 5B 8B 45 ?? 5F 83 C5 ?? C9 C2 + } + + $create_key_file = { + 55 8D 6C 24 ?? 81 EC ?? ?? ?? ?? 56 8D 45 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? 33 F6 89 75 ?? C7 45 ?? ?? ?? ?? ?? 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F + 84 ?? ?? ?? ?? 57 8D 45 ?? 50 8D 45 ?? 50 56 6A ?? 56 FF 75 ?? BF ?? ?? ?? ?? 89 7D + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 57 8B 3D ?? ?? ?? ?? 8D 45 ?? 50 8D 45 + ?? 50 56 6A ?? 56 FF 35 ?? ?? ?? ?? FF D7 FF 75 ?? FF 15 ?? ?? ?? ?? 83 E0 ?? 83 C0 + ?? 50 89 45 ?? 8D 45 ?? 50 FF 75 ?? 56 56 56 FF 75 ?? FF D7 85 C0 0F 84 ?? ?? ?? ?? + 53 8B 1D ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D3 8B F8 3B FE 0F 84 ?? ?? ?? ?? 56 6A + ?? 57 56 FF 15 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8D 04 47 50 + FF 15 ?? ?? ?? ?? 83 C4 ?? 56 6A ?? 6A ?? 56 56 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? + 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 56 8D 4D ?? 51 FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? + ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 3B 45 ?? 0F 85 ?? ?? ?? ?? 56 8D 45 ?? 50 68 + ?? ?? ?? ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 81 7D ?? + ?? ?? ?? ?? 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? C7 45 ?? ?? ?? ?? ?? 57 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF D3 8B D8 3B DE 74 ?? 89 75 ?? 8B 45 + ?? 56 FF 74 85 ?? 53 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF 75 ?? 68 ?? ?? ?? ?? 53 FF + 15 ?? ?? ?? ?? 8D 04 43 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 56 53 57 FF 15 ?? ?? ?? ?? FF + 45 ?? 83 7D ?? ?? 72 ?? 53 FF 15 ?? ?? ?? ?? EB ?? FF 75 ?? FF 15 ?? ?? ?? ?? 57 FF + 15 ?? ?? ?? ?? 5B FF 75 ?? FF 15 ?? ?? ?? ?? 5F 8B 45 ?? 5E 83 C5 ?? C9 C2 + } + + $create_key = { + 55 8D 6C 24 ?? 81 EC ?? ?? ?? ?? 56 8D 45 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 53 57 8D 45 ?? 50 8D 45 ?? 50 + 33 DB 53 6A ?? 53 FF 75 ?? BE ?? ?? ?? ?? 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 
56 8B 35 ?? ?? ?? ?? 8D 45 ?? 50 8D 45 ?? 50 53 6A ?? 53 FF 35 ?? ?? ?? ?? + FF D6 FF 75 ?? FF 15 ?? ?? ?? ?? 83 E0 ?? 83 C0 ?? 50 89 45 ?? 8D 45 ?? 50 FF 75 ?? + 53 53 53 FF 75 ?? FF D6 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 4D ?? 8B 35 ?? ?? ?? ?? + 03 C8 51 6A ?? FF D6 8B F8 89 7D ?? 3B FB 0F 84 ?? ?? ?? ?? FF 75 ?? FF 75 ?? 57 FF + 15 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? 50 8B 45 ?? 03 C7 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 83 + C4 ?? 8D 45 ?? 50 8B 45 ?? 53 6A ?? 03 C8 51 57 8B 3D ?? ?? ?? ?? FF D7 85 C0 74 ?? + FF 75 ?? 6A ?? FF D6 8B F0 3B F3 74 ?? 8B 4D ?? 8D 45 ?? 50 8B 45 ?? 56 6A ?? 03 C8 + 51 FF 75 ?? FF D7 33 FF 38 1E 74 ?? 8B C6 80 38 ?? 75 ?? 40 40 8A 08 88 0C 37 47 40 + 38 18 75 ?? 88 1C 37 EB ?? 8B 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? EB ?? 8B 75 ?? FF 75 + ?? FF 15 ?? ?? ?? ?? 5F 5B EB ?? 8B 75 ?? 8B C6 5E 83 C5 ?? C9 C2 + } + + $create_lst_file = { + 55 8D 6C 24 ?? 81 EC ?? ?? ?? ?? 53 56 68 ?? ?? ?? ?? 33 F6 6A ?? 89 75 ?? FF 15 ?? + ?? ?? ?? 8B D8 3B DE 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 57 8B 45 ?? 8B 38 8D 45 + ?? 50 53 83 C7 ?? FF 15 ?? ?? ?? ?? 03 C0 50 53 FF 75 ?? FF 17 8B 45 ?? 8B 08 8D 55 + ?? 52 6A ?? 68 ?? ?? ?? ?? 50 FF 51 ?? 53 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 8B 08 + 8D 55 ?? 52 6A ?? 68 ?? ?? ?? ?? 50 FF 51 ?? 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 89 45 ?? 3B C6 0F 84 ?? ?? ?? ?? + 8B 3D ?? ?? ?? ?? 56 56 56 56 6A ?? 50 56 68 ?? ?? ?? ?? FF D7 89 45 ?? 3B C6 0F 84 + ?? ?? ?? ?? 83 C0 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 89 45 ?? 3B C6 0F 84 ?? ?? ?? ?? 56 + 56 FF 75 ?? 50 6A ?? FF 75 ?? 56 68 ?? ?? ?? ?? FF D7 8D 45 ?? 50 6A ?? 68 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 83 E0 ?? 83 + C0 ?? 89 45 ?? 8D 45 ?? 50 8D 45 ?? 50 56 6A ?? 56 FF 75 ?? BF ?? ?? ?? ?? 89 7D ?? + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 57 8D 45 ?? 50 8D 45 ?? 50 56 6A ?? 56 FF + 75 ?? FF 15 ?? ?? 
?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? 50 FF 75 ?? 56 56
+ 56 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 56 6A ?? 53 56 FF 15 ?? ?? ??
+ ?? FF 75 ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8D 04 43 50 FF 15 ?? ?? ?? ?? 83 C4
+ ?? 57 53 FF 15 ?? ?? ?? ?? 56 6A ?? 6A ?? 56 56 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ??
+ 89 45 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 56 8D 4D ?? 51 FF 75 ?? FF 75 ?? 50 FF 15 ?? ??
+ ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 3B 45 ?? 0F 85 ?? ?? ?? ?? 56 8D 45 ?? 50 57
+ 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 39 7D ?? 75 ?? FF 75 ?? C7 45 ??
+ ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 75 ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 3B FE 74 ?? 56 6A ?? 57 56 FF 15 ?? ?? ?? ?? 85 C0
+ 74 ?? FF 75 ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8D 04 47 50 FF 15 ?? ?? ?? ?? 83
+ C4 ?? 56 57 53 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? EB ?? FF 75 ?? FF 15 ?? ?? ??
+ ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ??
+ 5F 8B 45 ?? 8B 08 50 FF 51 ?? 53 FF 15 ?? ?? ?? ?? 8B 45 ?? 5E 5B 83 C5 ?? C9 C2
+ }
+
+ $enumerate_resources = {
+ 55 8B EC 83 EC ?? 8D 45 ?? 50 FF 75 ?? 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 85 C0 0F 85
+ ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 56 57 BE ?? ?? ?? ?? 56 6A ?? FF D3 8B F8 89 7D ??
+ 85 FF [2-8] 83 4D ?? ?? 8D 45 ?? 50 57 8D 45 ?? 50 FF 75 ?? 89 75 ?? E8
+ ?? ?? ?? ?? 85 C0 75 ?? 39 45 ?? 74 ?? 8D 77 ?? F6 46 ?? ?? 74 ?? 8D 46 ?? 50 [0-3]
+ E8 ?? ?? ?? ?? EB ?? 83 7E ?? ?? 75 ?? FF 36 FF 15 ?? ?? ?? ?? 8D 44 00 ?? 50 6A
+ ?? FF D3 8B F8 85 FF 74 ?? FF 36 57 FF 15 ?? ?? ?? ?? [0-5] 57 E8 ?? ?? ??
+ ?? 57 FF 15 ?? ?? ?? ?? 83 C6 ?? FF 4D ?? 75 ?? 8B 7D ?? 57 FF 15 ?? ?? ?? ?? FF 75
+ ?? E8 ?? ?? ?? ?? 5F 5E 5B C9 C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($create_key_file and $create_lst_file and $enumerate_resources and $encrypt_files) or
+ ($create_key and $enumerate_resources and $encrypt_files))
+}
\ No newline at end of file
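Review bot: The two alternative branches of the condition — `$create_key_file and $create_lst_file and $enumerate_resources and $encrypt_files` versus `$create_key and $enumerate_resources and $encrypt_files` — are undocumented, so a maintainer cannot tell which sample lineage each branch was cut from or why `$create_key` alone is accepted in place of the two file-dropping routines. Add a comment above `condition:` along the lines of `// branch 1: builds that write the key and .LST files to disk; branch 2: builds that keep the key in memory — inferred from string names, confirm against reference samples`, keeping the hedge until someone re-checks the samples. The `meta` block also carries no sample hash or date, so there is nothing in this repository to regression-test the rule against when it is next edited; a `hash = "<sha256>"` entry per branch would close that gap. The file is also committed without a trailing newline.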
diff --git a/yara/ransomware/Win32.Ransomware.TBLocker.yara b/yara/ransomware/Win32.Ransomware.TBLocker.yara
new file mode 100644
index 0000000..3293f86
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.TBLocker.yara
@@ -0,0 +1,85 @@ +rule Win32_Ransomware_TBLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TBLOCKER" + description = "Yara rule that detects TBLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TBLocker" + tc_detection_factor = 5 + + strings: + + $main_ransomware_function_p1 = { + 00 02 16 28 ?? ?? ?? ?? 00 02 17 28 ?? ?? ?? ?? 00 02 16 28 ?? ?? ?? ?? 00 02 16 28 ?? ?? ?? ?? 00 02 + 16 28 ?? ?? ?? ?? 00 02 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? + ?? 16 FE ?? 0A 06 2C ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 72 ?? ?? ?? ?? + 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 16 15 28 ?? ?? ?? ?? 26 00 00 28 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 16 FE ?? 0B 07 39 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 + ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE ?? 0C 08 2C ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? + ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 00 00 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? + ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 00 00 DE ?? 25 + 28 ?? ?? ?? ?? 0D 00 28 ?? ?? ?? ?? DE ?? 00 02 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 17 28 ?? ?? ?? ?? + 00 02 18 28 ?? ?? ?? ?? 00 02 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? + 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 02 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 59 + } + + $main_ransomware_function_p2 = { + 28 ?? ?? ?? ?? B7 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? + ?? 5B 28 ?? ?? ?? ?? B7 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? + ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? 
?? 5B 02 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6C 23 + ?? ?? ?? ?? ?? ?? ?? ?? 5B 59 28 ?? ?? ?? ?? B7 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? + ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 23 ?? ?? ?? ?? ?? ?? ?? ?? 5A 28 ?? ?? ?? ?? B7 73 ?? ?? ?? ?? 6F + ?? ?? ?? ?? 00 02 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6C 23 ?? ?? + ?? ?? ?? ?? ?? ?? 5B 02 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 59 28 ?? ?? ?? + ?? B7 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 1F ?? DA 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? + 00 02 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? + ?? ?? 5B 02 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 59 28 ?? ?? ?? ?? B7 28 ?? + ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6C 23 ?? ?? ?? ?? ?? ?? ?? ?? 5B 23 ?? ?? ?? ?? ?? + ?? ?? ?? 5A 28 ?? ?? ?? ?? B7 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 02 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F + } + + $search_files = { + 00 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 0A 38 ?? ?? ?? ?? 06 6F ?? ?? ?? + ?? 0B 07 07 6F ?? ?? ?? ?? 17 DA 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? ?? ?? ?? 16 FE + ?? 0C 08 2C ?? 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE ?? 0D 09 2C ?? 00 02 07 07 72 ?? + ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 07 28 ?? ?? ?? ?? 00 DE ?? 25 28 ?? ?? ?? + ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 16 14 28 ?? ?? ?? ?? 26 28 ?? ?? ?? ?? DE ?? 00 00 00 00 00 00 06 6F + ?? ?? ?? ?? 13 ?? 11 ?? 3A ?? ?? ?? ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? 00 DC DE ?? 25 28 ?? ?? ?? ?? + 13 ?? 00 28 ?? ?? ?? ?? DE ?? 00 03 28 ?? ?? ?? ?? 13 ?? 16 13 ?? 38 ?? ?? ?? ?? 11 ?? 11 ?? 9A 13 ?? + 00 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 11 ?? 6F ?? + ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 17 DA 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 28 ?? + ?? ?? ?? 16 FE ?? 13 ?? 11 ?? 2C ?? 11 ?? 72 ?? ?? ?? ?? 
28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE ?? 13 ??
+ 11 ?? 2C ?? 00 02 11 ?? 11 ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 11 ??
+ 28 ?? ?? ?? ?? 00 DE ?? 25 28 ?? ?? ?? ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 16 14 28 ?? ?? ?? ?? 26 28 ??
+ ?? ?? ?? DE ?? 00 00 00 00 00 00 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 3A ?? ?? ?? ?? DE ?? 11 ?? 2C ?? 11
+ ?? 6F ?? ?? ?? ?? 00 DC DE ?? 25 28 ?? ?? ?? ?? 13 ?? 00 28 ?? ?? ?? ?? DE ?? 00 00 11 ?? 17 D6 13 ??
+ 11 ?? 11 ?? 8E 69 FE ?? 13 ?? 11 ?? 3A ?? ?? ?? ?? 2A
+ }
+
+ $encrypt_files = {
+ 00 00 03 19 17 73 ?? ?? ?? ?? 0A 04 18 18 73 ?? ?? ?? ?? 0B 73 ?? ?? ?? ?? 0C 08 28 ?? ?? ?? ?? 05 6F
+ ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 08 28 ?? ?? ?? ?? 05 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 00 08 6F ?? ?? ?? ??
+ 0D 07 09 17 73 ?? ?? ?? ?? 13 ?? 06 6F ?? ?? ?? ?? 17 6A DA B7 17 D6 8D ?? ?? ?? ?? 13 ?? 06 11 ?? 16
+ 11 ?? 8E 69 6F ?? ?? ?? ?? 26 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 00 07
+ 6F ?? ?? ?? ?? 00 06 6F ?? ?? ?? ?? 00 DE ?? 25 28 ?? ?? ?? ?? 13 ?? 00 28 ?? ?? ?? ?? DE ?? 00 2A
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ all of ($main_ransomware_function_p*)
+ ) and
+ $search_files and
+ $encrypt_files
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.TargetCompany.yara b/yara/ransomware/Win32.Ransomware.TargetCompany.yara
new file mode 100644
index 0000000..f53d9b9
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.TargetCompany.yara
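Review bot: The byte patterns in this rule are CIL, not native x86 — `00 02 16 28 ?? ?? ?? ??` is nop/ldarg.0/ldc.i4.0/call, `6F` callvirt, `72` ldstr, `DE` leave, `2A` ret, `FE ??` the two-byte compare opcodes — yet the only structural gate is `uint16(0) == 0x5A4D`, and neither the `meta` block nor a comment records that the target is a .NET assembly. Add `// .NET assembly: these are CIL method bodies, not x86 — do not try to align them against native code` above `strings:` so the next editor does not "fix" the wildcards as if they covered x86 displacements. If the rule set is compiled with the `pe` module available, gating the condition on a .NET check (`pe.is_dotnet()` in newer YARA releases) would also stop these long wildcard patterns being searched across every native PE. The `Win32_` prefix in the rule name is consequently a little misleading, but renaming a vendored rule should be weighed against keeping it diff-able with upstream.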
@@ -0,0 +1,141 @@ +rule Win32_Ransomware_TargetCompany : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TARGETCOMPANY" + description = "Yara rule that detects TargetCompany ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TargetCompany" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 59 53 68 ?? ?? ?? ?? 6A ?? 53 6A + ?? 68 ?? ?? ?? ?? 56 FF D7 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 56 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 + BD ?? ?? ?? ?? ?? 75 ?? BF ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 56 8D 75 ?? E8 ?? ?? ?? + ?? 50 89 5D ?? E8 ?? ?? ?? ?? 53 6A ?? E8 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 + E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 56 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 59 53 68 + ?? ?? ?? ?? 6A ?? 53 6A ?? 68 ?? ?? ?? ?? 56 FF D7 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? 6A ?? 5F 53 57 56 FF B5 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 57 52 50 + 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 25 ?? ?? ?? ?? 33 FF 3B F3 89 85 + ?? ?? ?? ?? 7F ?? 7C ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 77 ?? 33 FF 47 EB ?? B9 ?? ?? + ?? ?? 3B C1 73 ?? 53 51 56 FF B5 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 50 + } + + $encrypt_files_p2 = { + 56 FF B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 89 95 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 3B FB 8B 3D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? + 89 9D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 89 85 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 59 89 85 ?? ?? ?? ?? 3B C3 0F 84 ?? ?? ?? ?? 53 8D 8D ?? ?? ?? ?? 51 FF B5 ?? + ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 
8D 45 ?? 50 FF B5 ?? ?? ?? ?? 8D 4D + ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 53 53 FF B5 ?? + ?? ?? ?? FF D7 53 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? FF D6 E9 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 89 85 ?? ?? ?? ?? 3B C3 0F 84 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B C3 0F 86 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 53 53 FF B5 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF D7 53 8D 85 ?? ?? ?? ?? 50 FF B5 ?? + ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 FF B5 ?? + ?? ?? ?? 8D 4D ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 + FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF D7 53 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF D6 8B 85 ?? ?? ?? ?? 01 85 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 11 85 ?? ?? ?? ?? FF 8D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 6A ?? 53 53 33 C0 50 FF B5 ?? ?? ?? ?? FF D7 8B + BD ?? ?? ?? ?? 53 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 45 ?? 50 57 FF D6 53 8D 85 ?? ?? ?? + ?? 50 6A ?? 8D 45 ?? 50 57 FF D6 53 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 57 FF + D6 57 FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + } + + $remote_connection_p1 = { + 55 8B EC 83 EC ?? 53 56 33 F6 57 8D 5D ?? 89 75 ?? E8 ?? ?? ?? ?? 89 75 ?? 56 56 56 + FF 75 ?? 56 FF 15 ?? ?? ?? ?? 8B D8 89 5D ?? 3B DE 0F 84 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 FF 6A ?? 8D + 45 ?? 50 FF 74 BD ?? 53 FF 15 ?? ?? ?? ?? 47 83 FF ?? 72 ?? 56 56 6A ?? 56 56 FF 75 + ?? FF 75 ?? 53 FF 15 ?? ?? ?? ?? 89 45 ?? 3B C6 0F 84 ?? ?? ?? ?? 33 C9 80 7D ?? ?? + B8 ?? ?? ?? ?? 0F 95 C1 56 49 23 C8 03 C8 81 C9 ?? ?? ?? ?? 51 56 56 56 FF 75 ?? 89 + 4D ?? 68 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B D8 3B DE 0F 84 ?? ?? ?? ?? 6A ?? + 5F 8D 45 ?? 50 8D 45 ?? 50 6A ?? 53 89 7D ?? 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? + 81 4D ?? ?? ?? ?? ?? 57 8D 45 ?? 50 6A ?? 53 FF 15 ?? ?? ?? 
?? FF 75 ?? 8B 45 ?? FF + 75 ?? F7 D8 1B C0 50 FF 75 ?? 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 FF 56 56 8D 45 ?? + 50 53 89 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 45 ?? 03 C7 50 FF 75 ?? E8 ?? ?? ?? + ?? 59 59 8D 4D ?? 51 FF 75 ?? 89 45 ?? 03 C7 50 53 FF 15 ?? ?? ?? ?? 03 7D ?? 39 75 + ?? 75 ?? 53 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? + 39 75 ?? 75 ?? 33 C0 40 39 45 ?? 74 ?? 89 45 ?? E9 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? + ?? FF 75 ?? E8 ?? ?? ?? ?? 8B 45 ?? 59 59 5F 5E 5B C9 C3 + } + + $remote_connection_p2 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 8D 9D ?? ?? ?? ?? + 8B F9 E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 45 + ?? 50 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 85 F6 75 + ?? B8 ?? ?? ?? ?? 50 8D 45 ?? 50 57 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 8B F8 85 F6 74 ?? 56 E8 ?? ?? ?? ?? 59 85 FF 74 ?? 57 E8 ?? ?? ?? ?? 59 FF B5 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B 4D ?? 5F 5E 33 + CD 5B E8 ?? ?? ?? ?? C9 C3 + } + + $generate_key = { + 0F 31 0F AF C8 0F AF CE 0F AF 8D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 53 33 FF 47 57 53 53 + 8D 85 ?? ?? ?? ?? 50 89 8D ?? ?? ?? ?? FF D6 3B C3 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? + ?? ?? 75 ?? 6A ?? 57 53 53 8D 85 ?? ?? ?? ?? 50 FF D6 3B C3 74 ?? 8D 85 ?? ?? ?? ?? + 50 6A ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 59 53 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B C7 + B9 ?? ?? ?? ?? 8B 11 8B F2 C1 EE ?? 33 F2 69 F6 ?? ?? ?? ?? 03 F0 89 71 ?? 83 C1 ?? + 40 81 F9 ?? ?? ?? ?? 7C ?? 57 A3 ?? ?? ?? ?? FF 15 + } + + $find_files_p1 = { + 8D 85 ?? ?? ?? ?? 53 53 50 53 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? + 83 F8 ?? 0F 84 ?? ?? ?? 
?? 8B 1D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 50 FF D6 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF + D6 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 ?? F6 85 ?? ?? ?? ?? ?? 74 ?? 33 F6 0F B7 + C6 FF 34 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? 46 66 83 FE ?? 72 ?? 6A ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? F6 85 ?? ?? ?? ?? + ?? 0F 84 ?? ?? ?? ?? 83 A5 ?? ?? ?? ?? ?? 0F B7 B5 ?? ?? ?? ?? 8D 34 B5 + } + + $find_files_p2 = { + FF 36 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 50 FF D3 FF 36 89 85 ?? ?? + ?? ?? FF D3 8B 8D ?? ?? ?? ?? 3B C8 0F 84 ?? ?? ?? ?? FF 85 ?? ?? ?? ?? 66 83 BD ?? + ?? ?? ?? ?? 72 ?? C6 85 ?? ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? FF 34 85 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? FE 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? + ?? 72 ?? 6A ?? E8 ?? ?? ?? ?? 8B F0 59 85 F6 74 ?? 6A ?? 59 FF B5 ?? ?? ?? ?? 33 C0 + 8B FE F3 AB 66 8B 85 ?? ?? ?? ?? 66 89 46 ?? FF D3 8D 44 00 ?? 50 E8 ?? ?? ?? ?? 59 + FF B5 ?? ?? ?? ?? 89 46 ?? 50 FF 15 ?? ?? ?? ?? 56 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BF ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 83 C4 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 EB ?? 56 FF 15 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 8B + 4D ?? 5F 5E 33 CD 33 C0 5B E8 ?? ?? ?? ?? 
C9 C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($find_files_p*)
+ ) and
+ (
+ $generate_key
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.TechandStrat.yara b/yara/ransomware/Win32.Ransomware.TechandStrat.yara
new file mode 100644
index 0000000..2feac5c
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.TechandStrat.yara
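Review bot: `$generate_key` anchors on behaviour that deserves a comment for whoever triages a hit: it opens with `0F 31` (rdtsc) folded through three `0F AF` imuls, and the tail `8B 11 8B F2 C1 EE ?? 33 F2 69 F6 ?? ?? ?? ?? 03 F0 89 71 ?? 83 C1 ?? 40 81 F9 ?? ?? ?? ??` reads like a PRNG state-initialisation loop (previous word xor its shift, times an immediate, plus the index) — consistent with an MT19937-style `init_genrand`, although that should be confirmed in a disassembler. A timestamp-seeded generator feeding the file key is exactly what an incident responder wants to know before ruling out recovery, so add above the string something like `// rdtsc-seeded PRNG state init feeding the encryption key — seed is a timestamp; algorithm identification unconfirmed`. Keep the hedge in the comment until the loop has been verified against a sample, since the rule text alone only proves the rdtsc/imul prefix.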
@@ -0,0 +1,106 @@ +rule Win32_Ransomware_TechandStrat : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TECHANDSTRAT" + description = "Yara rule that detects TechandStrat ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TechandStrat" + tc_detection_factor = 5 + + strings: + + $enum_shares_p1 = { + 55 8B EC 83 EC ?? 53 56 57 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 FF 75 ?? C7 45 ?? ?? ?? + ?? ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? 6A ?? FF + 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8D 45 ?? 50 53 8D 45 ?? 50 FF + 75 ?? FF 15 ?? ?? ?? ?? 85 C0 75 + } + + $enum_shares_p2 = { + 8D 46 ?? B9 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? EB ?? FF 36 E8 ?? ?? ?? ?? 47 83 C6 ?? 3B + 7D ?? 72 ?? 8D 45 ?? 50 53 8D 45 ?? 50 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 53 6A + ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5F 5E 5B 8B E5 + 5D C2 + } + + $find_files = { + 8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 4D ?? 53 8B 5D ?? + 56 8B 75 ?? 57 89 B5 ?? ?? ?? ?? EB ?? 8A 01 3C ?? 74 ?? 3C ?? 74 ?? 3C ?? 74 ?? 51 + 53 E8 ?? ?? ?? ?? 59 59 8B C8 3B CB 75 ?? 8A 11 80 FA ?? 75 ?? 8D 43 ?? 3B C8 74 ?? + 56 33 FF 57 57 53 E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 33 FF 80 FA ?? 74 ?? 80 FA ?? 74 ?? + 80 FA ?? 74 ?? 8B C7 EB ?? 33 C0 40 0F B6 C0 2B CB 41 F7 D8 68 ?? ?? ?? ?? 1B C0 23 + C1 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? + ?? 57 57 57 50 57 53 FF 15 ?? ?? ?? ?? 8B F0 8B 85 ?? ?? ?? ?? 83 FE ?? 75 ?? 50 57 + 57 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B F8 83 FE ?? 74 ?? 56 FF 15 ?? ?? ?? ?? 8B C7 8B 4D + ?? 5F 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 8B 48 ?? 2B 08 C1 F9 ?? 89 8D ?? ?? ?? + ?? 80 BD ?? ?? ?? ?? ?? 75 ?? 8A 8D ?? ?? ?? ?? 84 C9 74 ?? 80 F9 ?? 75 ?? 80 BD ?? + ?? ?? ?? ?? 74 ?? 50 FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 53 50 E8 ?? ?? ?? ?? 
83 C4 + ?? 85 C0 75 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 8B 85 ?? ?? ?? ?? 75 + ?? 8B 10 8B 40 ?? 8B 8D ?? ?? ?? ?? 2B C2 C1 F8 ?? 3B C8 0F 84 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 2B C1 6A ?? 50 8D 04 8A 50 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8B FF 56 57 + 8B F9 8B 37 EB ?? FF 36 E8 ?? ?? ?? ?? 59 83 C6 ?? 3B 77 ?? 75 ?? FF 37 E8 ?? ?? ?? + ?? 59 5F 5E C3 + } + + $encrypt_files_p1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8B 75 ?? 8D 44 24 ?? 57 50 C6 44 + 24 ?? ?? FF 36 FF 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 4C 24 ?? 83 C4 ?? 8B + 44 24 ?? 81 E9 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 D8 ?? 6A ?? 6A ?? 50 51 FF 36 FF D7 + 6A ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 36 FF 15 ?? ?? ?? ?? + 81 BC 24 ?? ?? ?? ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 4C 24 ?? 33 + D2 69 C0 ?? ?? ?? ?? 89 4C 24 ?? 8B 4C 24 ?? 89 8C 24 ?? ?? ?? ?? 83 C9 ?? 51 40 C7 + 44 24 ?? ?? ?? ?? ?? F7 F1 8D 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 50 + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 89 54 24 ?? 89 94 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 94 24 ?? + ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F 10 84 24 ?? ?? ?? ?? 6A ?? 6A ?? 0F + 11 84 24 ?? ?? ?? ?? 0F 57 C0 66 0F 13 44 24 ?? 8B 44 24 ?? 50 89 44 24 ?? 8B 44 24 + ?? 50 FF 36 89 44 24 ?? FF D7 6A ?? 8D 44 24 ?? 0F 57 C0 50 68 ?? ?? ?? ?? 8D 84 24 + ?? ?? ?? ?? 66 0F 13 44 24 ?? 50 FF 36 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 85 + C0 0F 84 + } + + $encrypt_files_p2 = { + 6A ?? 6A ?? FF 74 24 ?? 0F 11 84 24 ?? ?? ?? ?? FF 74 24 ?? FF 36 FF 15 ?? ?? ?? ?? + 6A ?? 8D 44 24 ?? 50 FF 74 24 ?? 8D 84 24 ?? ?? ?? ?? 50 FF 36 FF 15 ?? ?? ?? ?? 8B + 84 24 ?? ?? ?? ?? 8B C8 85 C0 B8 ?? ?? ?? ?? 6A ?? 0F 44 C8 69 44 24 ?? ?? ?? ?? ?? + 33 D2 6A ?? 40 89 44 24 ?? F7 F1 8B 4C 24 ?? 33 C0 83 C2 ?? 13 C0 01 54 24 ?? 13 C8 + 8B 44 24 ?? 
89 4C 24 ?? 0F A4 C1 ?? C1 E0 ?? 51 50 FF 36 89 4C 24 ?? 89 44 24 ?? FF
+ 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 36 FF
+ 15 ?? ?? ?? ?? 8B 44 24 ?? 89 44 24 ?? 85 C0 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84
+ 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 ?? C7 84 24 ?? ?? ??
+ ?? ?? ?? ?? ?? 6A ?? 6A ?? FF D7 8B 35 ?? ?? ?? ?? 50 FF D6 6A ?? 6A ?? 89 44 24 ??
+ FF D7 50 FF D6 6A ?? 6A ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ??
+ ?? FF D7 50 FF D6 6A ?? 6A ?? 89 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ??
+ ?? ?? FF D7 50 FF D6
+ }
+
+ $encrypt_files_p3 = {
+ 6A ?? 6A ?? 66 0F 13 44 24 ?? FF 74 24 ?? FF 74 24 ?? FF 36 FF 15 ?? ?? ?? ?? 6A ??
+ 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 36 FF 15 ?? ?? ?? ?? C6 44
+ 24 ?? ?? FF 36 FF 15 ?? ?? ?? ?? 80 7C 24 ?? ?? 74 ?? 68 ?? ?? ?? ?? 6A ?? 83 C6 ??
+ 56 FF 15 ?? ?? ?? ?? 56 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D
+ 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ??
+ 8B 75 ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($enum_shares_p*)
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.TeleCrypt.yara b/yara/ransomware/Win32.Ransomware.TeleCrypt.yara
new file mode 100644
index 0000000..a32a571
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.TeleCrypt.yara
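Review bot: `$find_files` runs across at least one function boundary: after the epilogue `8B E5 5D C3` the pattern continues with `8B 48 ?? 2B 08 C1 F9 ??` (possibly an out-of-line block of the same routine), and later `E9 ?? ?? ?? ?? 8B FF 56 57 8B F9 8B 37` is the hotpatch prologue of a second function that ends with its own `59 5F 5E C3`. A single hex string spanning functions is sensitive to link order and to anything the compiler places between them, which makes it more brittle than the `_p1/_p2/_p3` split the same rule already uses for `$enum_shares` and `$encrypt_files`; splitting it at the `8B FF` boundary into `$find_files_p1`/`$find_files_p2` and changing the condition to `all of ($find_files_p*)` keeps the coverage and drops the ordering assumption. The leading `8B FF 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ??` is also the standard MSVC hotpatch plus /GS-cookie prologue, so a comment such as `// head of pattern is generic MSVC prologue — specificity comes from the path-walking logic below` would stop a future editor from tightening wildcards there expecting it to matter.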
@@ -0,0 +1,109 @@ +rule Win32_Ransomware_TeleCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TELECRYPT" + description = "Yara rule that detects TeleCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TeleCrypt" + tc_detection_factor = 5 + + strings: + $encrypt_file = { + 57 E8 ?? ?? ?? ?? 89 03 EB ?? 6A ?? E8 ?? ?? ?? ?? 89 03 66 83 BB ?? ?? ?? ?? ?? 0F + 85 ?? ?? ?? ?? 8B 03 50 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 66 81 7B ?? ?? ?? 75 ?? E8 ?? + ?? ?? ?? 66 89 83 ?? ?? ?? ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 89 83 ?? ?? ?? ?? E9 + ?? ?? ?? ?? 0F B7 05 ?? ?? ?? ?? 66 89 83 ?? ?? ?? ?? E9 ?? ?? ?? ?? C7 43 ?? ?? ?? + ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 6A ?? 6A ?? 50 8D 43 ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 75 + ?? 66 C7 43 ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 E9 ?? ?? ?? ?? 89 03 66 81 7B ?? ?? ?? 0F + 85 ?? ?? ?? ?? 66 C7 43 ?? ?? ?? 6A ?? 8B 03 50 E8 ?? ?? ?? ?? 8B F8 83 FF ?? 75 ?? + 8B C3 E8 ?? ?? ?? ?? 8B F0 E9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 85 FF 7D ?? 33 FF 6A ?? + 6A ?? 57 8B 03 50 E8 ?? ?? ?? ?? 40 74 ?? 6A ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 83 + ?? ?? ?? ?? 50 8B 03 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B C3 E8 ?? ?? ?? ?? 8B F0 E9 ?? + ?? ?? ?? F6 43 ?? ?? 74 ?? 83 3C 24 ?? 76 ?? 8B 14 24 4A 85 D2 72 ?? 42 33 FF 8D 83 + ?? ?? ?? ?? 80 38 ?? 75 ?? 6A ?? 6A ?? 8B C7 2B 44 24 ?? 50 8B 03 50 E8 ?? ?? ?? ?? + 40 74 ?? 8B 03 50 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B C3 E8 ?? ?? ?? ?? 8B F0 EB ?? 47 40 + 4A 75 ?? 66 83 BB ?? ?? ?? ?? ?? 75 ?? 0F B7 05 ?? ?? ?? ?? 66 89 83 ?? ?? ?? ?? 66 + 81 7B ?? ?? ?? 74 ?? 8B 03 50 E8 + } + + $server_communication = { + 6A ?? 8D 45 ?? 50 8B 45 ?? 8B 80 ?? ?? ?? ?? 33 C9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A + ?? 8D 45 ?? 50 FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? + ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? + 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8B 80 ?? ?? ?? ?? + 33 C9 E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? B2 ?? A1 ?? + ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 33 DB 8B CB B8 ?? ?? ?? + ?? D3 E0 85 F0 74 ?? 8D 45 ?? 8B D3 66 83 C2 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? ?? ?? 8B 08 FF 51 ?? 43 83 FB ?? 75 ?? A1 ?? ?? + ?? ?? 8B 10 FF 52 ?? 8B F0 4E 85 F6 7C ?? 46 33 DB 8D 4D ?? 8B D3 A1 ?? ?? ?? ?? 8B + 38 FF 57 ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 43 4E 75 ?? A1 ?? ?? ?? ?? 8B 10 + FF 52 ?? 8B F0 4E 85 F6 7C ?? 46 33 DB 6A ?? 6A ?? 8D 4D ?? 8B D3 A1 ?? ?? ?? ?? 8B + 38 FF 57 ?? 8B 45 ?? 8B 0D ?? ?? ?? ?? 33 D2 E8 ?? ?? ?? ?? 43 4E 75 ?? 8D 55 ?? B8 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? + ?? ?? 8B 08 FF 91 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 8B 45 ?? 8B 80 ?? ?? ?? ?? 33 C9 BA + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 55 + ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 75 ?? 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 + } + + $server_communication_1 = { + 55 8B EC 33 C9 51 51 51 51 51 53 8B D8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 6A + ?? 8D 45 ?? 50 33 C9 BA ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8D 45 ?? + 50 8D 55 ?? 8B 83 ?? ?? ?? ?? 8B 08 FF 91 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? E8 ?? ?? ?? + ?? 8B 4D ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 33 C9 8B 83 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 33 D2 8B 83 ?? ?? ?? ?? 8B 08 FF 91 ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $exec_payload = { + 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8B 4D ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? + E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? + ?? 
33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 6A ?? 6A ?? 8D 55 ?? 33 C0 E8 ?? ?? ?? ?? + 8B 45 ?? E8 ?? ?? ?? ?? 50 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? C3 + } + + $copy_payload = { + 55 8B EC 6A ?? 6A ?? 6A ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? B8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? B2 ?? E8 ?? + ?? ?? ?? 84 C0 75 ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? 6A ?? 8D 55 ?? B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 + 8D 55 ?? 33 C0 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 5A 59 + 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + $generate_strings_to_encrypt = { + 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? + E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 50 8D + 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? + ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? + ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? + ?? 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 + ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 50 + 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? + ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? + ?? ?? 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B + 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? + 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 + ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 0F B6 05 ?? 
?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9
+ ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ??
+ ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 B9 ?? ?? ?? ?? BA ?? ?? ?? ??
+ 8B 45 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($generate_strings_to_encrypt and $encrypt_file and $server_communication and $exec_payload) or
+ ($encrypt_file and $server_communication_1 and $copy_payload))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Termite.yara b/yara/ransomware/Win32.Ransomware.Termite.yara
new file mode 100644
index 0000000..c28389b
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Termite.yara
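Review bot: `$copy_payload` and `$exec_payload` are almost entirely wildcarded Delphi RTL scaffolding — `33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20` and `33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ??` are the compiler's try/finally frame entry and exit, and nearly every remaining instruction is `E8 ?? ?? ?? ??` or `8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ??`, so on their own they are likely to match benign Delphi code as well. The second condition branch `($encrypt_file and $server_communication_1 and $copy_payload)` draws a third of its evidence from `$copy_payload`; `$encrypt_file` does carry distinctive logic, but a comment above `condition:` stating why that branch was accepted with the weaker string, plus a sample hash in `meta`, would let a maintainer re-validate it rather than trust it. Consider also `// same call sequence repeated ~10 times: matches an unrolled loop of identical RTL calls, not a specific string table` above `$generate_strings_to_encrypt`, since its length suggests more specificity than it actually has.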
@@ -0,0 +1,151 @@ +rule Win32_Ransomware_Termite : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TERMITE" + description = "Yara rule that detects Termite ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Termite" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + 8B 5D ?? 8B 03 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? B8 + ?? ?? ?? ?? 0F 95 C0 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D + ?? ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 5D ?? 8B 1B 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? + 58 8B 5D ?? 89 03 68 ?? ?? ?? ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 89 45 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? FF 75 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D + ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 5D ?? 8B 03 85 + C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 + 45 ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? + B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B + 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 + } + + $find_files_p2 = { + 83 C4 ?? 83 F8 ?? B8 ?? ?? ?? ?? 0F 94 C0 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? + ?? ?? 83 C4 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 + ?? ?? ?? 
?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? + ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 + C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 + 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 + ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 + C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 + F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F + 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? + ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 + ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B8 ?? ?? ?? ?? EB ?? + B8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 + } + + $find_files_p3 = { + 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 + ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 81 7D ?? ?? ?? ?? ?? 0F 8D ?? ?? ?? ?? FF 75 ?? 8B 5D + ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 + ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D ?? 85 + DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 + 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 + ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? + BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 50 68 ?? ?? ?? ?? 6A ?? + 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 
89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? A1 ?? ?? ?? ?? 50 + FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? B8 ?? ?? ?? ?? 0F 95 C0 89 45 ?? 8B 5D ?? + 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 5D + ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 + ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 + ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? FF 35 ?? ?? ?? ?? 68 + } + + $find_files_p4 = { + FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? + 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? B8 + ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? FF 75 ?? FF 75 ?? B9 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 + C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? + 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? + ?? FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? + ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? + ?? 50 6A ?? 6A ?? 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 + } + + $find_files_p5 = { + 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? E9 ?? ?? ?? ?? 
68 ?? ?? + ?? ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8D 85 ?? ?? ?? + ?? 50 6A ?? 68 ?? ?? ?? ?? FF 75 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? + 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 + E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? + 83 F8 ?? 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 89 45 ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? B8 ?? ?? + ?? ?? 0F 95 C0 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? + 0F 84 ?? ?? ?? ?? FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 + 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ?? E9 + ?? ?? ?? ?? FF 75 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 + DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B E5 5D C2 + } + + $encrypt_files_p1 = { + B8 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 89 45 ?? 8B 5D ?? 85 DB 74 ?? 53 + E8 ?? ?? ?? ?? 83 C4 ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? + B8 ?? ?? ?? ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 A3 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? + 58 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? + 83 C4 ?? 58 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? + ?? ?? ?? 83 C4 ?? 58 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? + 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 + C0 75 ?? B8 ?? 
?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 + 45 ?? 8B 45 ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 A3 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 1D + } + + $encrypt_files_p2 = { + 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? + ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 + ?? 58 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? + 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 1D + ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 8B 45 ?? 50 8B 1D ?? ?? ?? ?? 85 DB 74 ?? 53 E8 ?? ?? + ?? ?? 83 C4 ?? 58 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B8 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Teslacrypt.yara b/yara/ransomware/Win32.Ransomware.Teslacrypt.yara new file mode 100644 index 0000000..f34919d --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Teslacrypt.yara 
@@ -0,0 +1,665 @@ +rule Win32_Ransomware_Teslacrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TESLACRYPT" + description = "Yara rule that detects Teslacrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Teslacrypt" + + strings: + $file_search_0_3_1_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 55 56 8B B4 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 6A ?? 50 66 C7 84 24 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? + 51 FF 15 ?? ?? ?? ?? 8B E8 83 FD ?? 0F 84 B5 01 00 00 53 8B 1D ?? ?? ?? ?? 57 8B BC 24 ?? ?? ?? ?? 8D A4 24 ?? ?? ?? ?? + 83 3D ?? ?? ?? ?? ?? 0F 85 89 01 00 00 F6 44 24 ?? ?? 0F 84 D2 00 00 00 8D 4C 24 ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 + 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 + 29 01 00 00 8D 4C 24 ?? B8 ?? ?? ?? ?? 8D 49 ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 + C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 EA 00 00 00 56 8D 94 24 ?? ?? ?? ?? 68 + } + + $file_search_0_3_1_2 = { + 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 57 50 E8 7E FE FF FF 83 C4 ?? E9 93 00 00 00 56 8D 8C 24 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 44 24 ?? + 50 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? + 85 FF 74 25 85 C0 75 35 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 23 8D 8C 24 ?? ?? ?? 
?? 51 E8 ?? ?? ?? ?? EB + 11 85 C0 74 10 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 55 FF D3 85 C0 74 0D 83 3D ?? ?? ?? ?? ?? + 0F 84 6A FE FF FF 55 FF 15 ?? ?? ?? ?? 5F 5B 8B 8C 24 ?? ?? ?? ?? 5E 5D 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $file_search_0_3_3_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 55 56 8B B4 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 + 24 ?? ?? ?? ?? 6A ?? 50 66 C7 84 24 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? + 51 FF 15 ?? ?? ?? ?? 8B E8 83 FD ?? 0F 84 57 02 00 00 53 8B 1D ?? ?? ?? ?? 57 8B BC 24 ?? ?? ?? ?? 8D A4 24 ?? ?? ?? ?? + 83 3D ?? ?? ?? ?? ?? 0F 85 2B 02 00 00 F6 44 24 ?? ?? 0F 84 74 01 00 00 8D 4C 24 ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 + 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 + CB 01 00 00 8D 4C 24 ?? B8 ?? ?? ?? ?? 8D 49 ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 + C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 8C 01 00 00 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 52 E8 ?? ?? ?? ?? 8B C6 83 C4 ?? 8D 50 ?? 8B FF 66 8B 08 83 C0 ?? 66 85 C9 75 F5 2B C2 D1 F8 83 F8 ?? 76 1A 68 ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 + } + + $file_search_0_3_3_2 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 + ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 E8 00 00 00 8D 8C 24 ?? ?? ?? ?? B8 ?? + ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB + 05 1B C0 83 D8 ?? 85 C0 0F 84 A9 00 00 00 8D 84 24 ?? ?? ?? ?? 
57 50 E8 DC FD FF FF 83 C4 ?? E9 93 00 00 00 56 8D 8C 24 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 44 + 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 85 FF 74 25 85 C0 75 35 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 23 8D 8C 24 ?? ?? ?? ?? 51 E8 ?? ?? ?? + ?? EB 11 85 C0 74 10 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 55 FF D3 85 C0 74 0D 83 3D ?? ?? ?? + ?? ?? 0F 84 C8 FD FF FF 55 FF 15 ?? ?? ?? ?? 5F 5B 8B 8C 24 ?? ?? ?? ?? 5E 5D 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $file_search_0_3_4a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 55 56 8B B4 24 ?? ?? ?? ?? 57 33 FF 68 ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 57 50 66 89 BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 57 51 66 89 BC + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B E8 83 FD ?? 0F + 84 99 02 00 00 8B BC 24 ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 0F 85 76 02 00 00 F6 44 24 ?? ?? 0F 84 6B + 01 00 00 8D 44 24 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 38 02 00 00 8D 4C 24 ?? 51 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 1E 02 00 00 56 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? + 83 C4 ?? 83 F8 ?? 76 1A 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 8D + 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 + 0F 84 AF 01 00 00 8D 8C 24 ?? ?? ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 92 01 00 00 8D 94 24 ?? ?? + ?? ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 
85 C0 0F 84 75 01 00 00 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 + } + + $file_search_0_3_4a_2 = { + 83 C4 ?? 85 C0 0F 84 58 01 00 00 8D 8C 24 ?? ?? ?? ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 3B 01 + 00 00 8D 94 24 ?? ?? ?? ?? 57 52 E8 10 FE FF FF 8D 84 24 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? E9 E7 00 00 00 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? + ?? ?? 52 E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 FF 74 79 8D 54 + 24 ?? 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 7F 00 00 00 8D 44 24 ?? 50 E8 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 63 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 + C4 ?? 85 C0 75 47 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 83 F8 ?? 75 35 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? EB 23 8D + 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 10 8D 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 + ?? 50 55 FF D3 85 C0 74 0D 83 3D ?? ?? ?? ?? ?? 0F 84 7D FD FF FF 55 FF 15 ?? ?? ?? ?? 5B 8B 8C 24 ?? ?? ?? ?? 5F 5E 5D + 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $file_search_0_3_5a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 55 8B AC 24 ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 8D + 84 24 ?? ?? ?? ?? 6A ?? 50 66 C7 84 24 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A + ?? 51 66 C7 84 24 ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 55 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 + C4 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? + 52 FF 15 ?? ?? ?? ?? 83 F8 ?? 89 44 24 ?? 0F 84 91 03 00 00 8B 9C 24 ?? ?? ?? ?? F6 44 24 ?? ?? 
0F 84 73 02 00 00 8D 4C + 24 ?? B8 ?? ?? ?? ?? 90 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 + 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 23 03 00 00 8D 4C 24 ?? B8 ?? ?? ?? ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 1E + 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 E3 + 02 00 00 55 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B C5 83 C4 ?? 8D 50 ?? 8B FF 66 8B 08 83 C0 ?? 66 85 + C9 75 F5 2B C2 D1 F8 83 F8 ?? 76 1A 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 + 24 ?? 52 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 + 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 + C0 0F 84 3F 02 00 00 8D 8C 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? + 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 00 02 00 00 8D 8C 24 ?? ?? ?? ?? B8 + } + + $file_search_0_3_5a_2 = { + 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 + 1B C0 83 D8 ?? 85 C0 0F 84 C1 01 00 00 8D 8C 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B + 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 82 01 00 00 8D 8C 24 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 + 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 0F 84 43 01 00 00 8D 8C 24 ?? ?? ?? ?? 53 51 E8 0F FD FF FF 8D 94 24 ?? ?? ?? ?? + 52 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ED 00 00 00 55 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
52 E8 + ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 51 8D 94 + 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 DB 8D 44 24 ?? 0F 84 79 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 ?? + 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 78 00 00 00 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 59 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? + 85 C0 75 3A 8D 7C 24 ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 2C 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 1E 68 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 74 0C 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7C 24 ?? 8D 4C 24 ?? 51 57 FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 7D FC FF FF 57 FF 15 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5D 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_0_2_6a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 33 C0 56 8B B4 24 ?? ?? ?? ?? 57 33 FF 68 ?? ?? + ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 88 84 + 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 57 50 89 74 24 ?? C6 84 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 66 89 BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A + ?? 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? 6A ?? 57 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 74 1A 57 56 + FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 89 7C 24 ?? 75 21 56 FF 15 ?? ?? ?? ?? 5F 83 C8 ?? 5E 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? + ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 81 FF ?? ?? ?? ?? 77 D7 53 55 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 94 24 ?? ?? + ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? 8B D7 83 E2 ?? BB ?? ?? ?? ?? 
2B DA 89 8C 24 + } + + $encrypt_file_0_2_6a_2 = { + 8B 8C 24 ?? ?? ?? ?? 03 FB 57 89 84 24 ?? ?? ?? ?? 89 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B E8 83 C4 ?? 85 ED 74 3C + 8B 4C 24 ?? 6A ?? 8D 44 24 ?? 50 51 55 56 FF 15 ?? ?? ?? ?? 85 C0 74 24 8B 44 24 ?? 3B 44 24 ?? 75 1A 53 8D 14 28 53 52 + E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 75 0F 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 D5 00 00 00 8D 44 24 ?? 50 + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? ?? ?? 52 57 53 55 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? + 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 6A ?? 8D 8C 24 ?? ?? ?? ?? 51 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 54 24 ?? 52 6A ?? + 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 51 57 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 74 24 ?? 8D + 94 24 ?? ?? ?? ?? 52 56 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 85 C0 74 0F 56 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 05 + ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 55 11 05 ?? ?? ?? ?? 01 3D ?? ?? ?? ?? 11 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? + 83 C4 ?? B8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5D 5B 5F 5E 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_0_3_1 = { + 53 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 89 94 24 + ?? ?? ?? ?? 8B D5 83 E2 ?? BF ?? ?? ?? ?? 2B FA 89 8C 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8D 1C 2F 53 89 84 24 ?? ?? ?? + ?? 89 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 89 44 24 ?? 74 38 6A ?? 8D 4C 24 ?? 51 55 50 56 FF 15 ?? ?? ?? ?? + 85 C0 74 24 3B 6C 24 ?? 75 1E 57 57 8B 7C 24 ?? 8D 14 2F 52 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B E8 83 C4 ?? 85 ED 75 0F + 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 0F 01 00 00 8D 44 24 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 24 ?? ?? + ?? ?? 52 53 55 57 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 + 6A ?? 8D 8C 24 ?? ?? ?? ?? 51 56 FF D7 6A ?? 8D 54 24 ?? 52 6A ?? 8D 44 24 ?? 50 56 FF D7 6A ?? 8D 4C 24 ?? 
51 53 55 56 + FF D7 56 FF 15 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 33 F6 8D 9B ?? ?? ?? ?? 8B 44 24 ?? 6A ?? 8D 94 24 ?? ?? ?? ?? 52 50 FF 15 + ?? ?? ?? ?? 85 C0 75 27 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 0E 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A ?? FF D7 83 + C6 ?? 83 FE ?? 7C C0 A1 ?? ?? ?? ?? 33 F6 3B C6 74 13 8B 54 24 ?? 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 05 ?? + ?? ?? ?? ?? 8B 44 24 ?? 50 11 35 ?? ?? ?? ?? 01 1D ?? ?? ?? ?? 11 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 83 C4 + ?? B8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5B 5D 5F 5E 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_0_3_3_1 = { + 55 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 89 94 24 + ?? ?? ?? ?? 8B D3 83 E2 ?? BD ?? ?? ?? ?? 2B EA 89 84 24 ?? ?? ?? ?? 8D 04 2B 89 8C 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? + 50 89 8C 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 0A 01 00 00 6A ?? 8D 44 24 ?? 50 53 57 56 + FF 15 ?? ?? ?? ?? 85 C0 75 18 56 FF 15 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 C8 ?? E9 98 01 00 00 3B 5C 24 ?? 75 1E + 55 8D 0C 1F 55 51 E8 ?? ?? ?? ?? 8B 6C 24 ?? 55 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 75 18 57 E8 ?? ?? ?? ?? 83 C4 ?? 56 + FF 15 ?? ?? ?? ?? 83 C8 ?? E9 5C 01 00 00 8D 54 24 ?? 52 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 8C 24 ?? ?? ?? + ?? 51 55 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A ?? 8D 54 24 ?? 52 6A + ?? 8D 84 24 ?? ?? ?? ?? 50 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 39 6A ?? 8D 4C 24 ?? 51 6A ?? 8D 54 24 ?? 52 56 C7 + 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 1C 8B 4C 24 ?? 6A ?? 8D 44 24 ?? 50 51 53 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 75 + 1E 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 AB 00 00 00 56 FF 15 ?? ?? ?? ?? 56 FF + } + + $encrypt_file_0_3_3_2 = { + 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 33 F6 8D 49 ?? 8B 44 24 ?? 6A ?? 8D 94 24 ?? ?? ?? ?? 52 50 FF 15 ?? ?? ?? ?? 
85 C0 75 + 2A FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 0E 8D 8C 24 ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D5 83 C6 ?? 83 FE + ?? 7C BD A1 ?? ?? ?? ?? 33 F6 3B C6 74 13 8B 54 24 ?? 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 05 ?? ?? ?? ?? ?? + 8B 44 24 ?? 57 11 35 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 11 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? + ?? ?? 8B 8C 24 ?? ?? ?? ?? 5D 5B 5F 5E 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_0_3_4a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 33 C0 56 8B B4 24 ?? ?? ?? ?? 57 33 FF 68 ?? ?? + ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 88 84 + 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? 57 50 89 74 24 ?? C6 84 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 66 89 BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A + ?? 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? 6A ?? 57 57 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 75 19 5F 0B C0 + 5E 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 53 57 56 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 74 08 81 FB + ?? ?? ?? ?? 76 22 56 FF 15 ?? ?? ?? ?? 5B 5F 83 C8 ?? 5E 8B 8C 24 ?? ?? ?? ?? 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + 55 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 6A ?? 8D 8C 24 ?? ?? ?? ?? 51 8D 94 24 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8B + C3 83 E0 ?? BD ?? ?? ?? ?? 2B E8 8D 04 2B 50 89 44 24 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 0F 84 0A 01 00 00 6A ?? 8D + 4C 24 ?? 51 53 57 56 FF 15 ?? ?? ?? ?? 85 C0 75 18 56 FF 15 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 C8 ?? E9 99 01 00 + } + + $encrypt_file_0_3_4a_2 = { + 00 3B 5C 24 ?? 75 1E 55 8D 14 1F 55 52 E8 ?? ?? ?? ?? 8B 6C 24 ?? 55 E8 ?? ?? ?? ?? 8B D8 83 C4 ?? 85 DB 75 18 57 E8 ?? + ?? ?? 
?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 5D 01 00 00 8D 44 24 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? + 51 8D 94 24 ?? ?? ?? ?? 52 55 53 57 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A + ?? 8D 44 24 ?? 50 6A ?? 8D 8C 24 ?? ?? ?? ?? 51 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 39 6A ?? 8D 54 24 ?? 52 6A ?? + 8D 44 24 ?? 50 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 1C 8B 54 24 ?? 6A ?? 8D 4C 24 ?? 51 52 53 56 C7 44 24 ?? ?? ?? + ?? ?? FF D5 85 C0 75 1E 57 E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 AC 00 00 00 56 FF + 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 33 F6 8D 64 24 ?? 8B 4C 24 ?? 6A ?? 8D 84 24 ?? ?? ?? ?? 50 51 FF + 15 ?? ?? ?? ?? 85 C0 75 2A FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 0E 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? + ?? FF D5 83 C6 ?? 83 FE ?? 7C BD A1 ?? ?? ?? ?? 33 F6 3B C6 74 13 8B 4C 24 ?? 51 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 83 05 ?? ?? ?? ?? ?? 8B 54 24 ?? 57 11 35 ?? ?? ?? ?? 01 15 ?? ?? ?? ?? 11 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? + ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5D 5B 5F 5E 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $encrypt_file_0_3_5a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 33 C0 55 56 57 33 FF 68 ?? ?? ?? ?? 89 84 24 + ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? + 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 8D 84 24 ?? + ?? ?? ?? 8B F1 57 50 89 74 24 ?? C6 84 24 ?? ?? ?? ?? ?? 89 7C 24 ?? 66 89 BC 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A + ?? 56 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? 6A ?? 57 57 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 D2 00 00 + 00 57 56 FF 15 ?? ?? ?? ?? 
8B E8 83 FD ?? 0F 84 B8 00 00 00 3B EF 0F 84 B0 00 00 00 81 FD ?? ?? ?? ?? 0F 87 A4 00 00 00 + 8D 4F ?? 8D 94 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 89 8C 24 ?? + ?? ?? ?? 89 84 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 8B CD 83 E1 ?? BB ?? ?? ?? ?? 2B D9 89 84 24 ?? ?? ?? ?? 8D 04 2B 50 + 89 94 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 85 FF 74 3B 6A ?? 8D 54 24 ?? 52 55 57 56 FF 15 ?? ?? ?? + ?? 85 C0 75 18 56 FF 15 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? 83 C8 ?? E9 98 01 00 00 3B 6C 24 ?? 74 18 57 E8 + } + + $encrypt_file_0_3_5a_2 = { + 83 C4 ?? 56 FF 15 ?? ?? ?? ?? 83 C8 ?? E9 7A 01 00 00 53 8D 04 2F 53 50 E8 ?? ?? ?? ?? 8B 6C 24 ?? 83 C4 ?? 55 E8 ?? + ?? ?? ?? 8B D8 83 C4 ?? 85 DB 74 C7 8D 4C 24 ?? 51 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 54 24 ?? 52 8D 84 24 ?? ?? ?? ?? 50 + 55 57 8B CB E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 51 6A ?? + 8D 94 24 ?? ?? ?? ?? 52 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 75 0F 57 E8 ?? ?? ?? ?? 83 C4 ?? 53 E9 5E FF FF FF 6A ?? + 8D 44 24 ?? 50 6A ?? 8D 4C 24 ?? 51 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 D4 8B 44 24 ?? 6A ?? 8D 54 24 ?? 52 50 53 + 56 C7 44 24 ?? ?? ?? ?? ?? FF D5 85 C0 74 B8 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 33 F6 EB 09 8D + A4 24 ?? ?? ?? ?? 8B FF 8B 54 24 ?? 6A ?? 8D 8C 24 ?? ?? ?? ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 75 2A FF 15 ?? ?? ?? ?? 3D + ?? ?? ?? ?? 75 0E 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF D5 83 C6 ?? 83 FE ?? 7C BD A1 ?? ?? ?? ?? + 33 F6 3B C6 74 13 8B 4C 24 ?? 51 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 05 ?? ?? ?? ?? ?? 8B 54 24 ?? 57 11 35 ?? + ?? ?? ?? 01 15 ?? ?? ?? ?? 11 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? 8B 8C 24 + ?? ?? ?? ?? 5F 5E 5D 5B 33 CC E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C3 + } + + $server_communication_0_2_6a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? 
?? ?? ?? 8B 84 24 ?? ?? ?? ?? 8B 00 53 33 DB 39 1D ?? ?? + ?? ?? A3 ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 55 56 57 68 ?? ?? ?? ?? 8D 44 24 ?? 53 50 88 5C 24 ?? + E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 53 51 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 53 89 44 24 ?? 89 44 + 24 ?? 89 44 24 ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? + ?? 51 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 52 + 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 51 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 50 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8D 44 24 ?? 83 C4 ?? 8D 70 ?? 8A 08 83 C0 ?? 3A CB 75 + F7 8D 54 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 51 2B C6 50 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 04 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 83 + C4 ?? 53 53 53 53 52 FF 15 ?? ?? ?? ?? 8B F8 A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 8B 14 85 ?? ?? ?? ?? 51 53 52 FF 15 + } + + $server_communication_0_2_6a_2 = { + A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 53 53 6A ?? 53 53 68 ?? ?? ?? ?? 51 57 FF 15 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? + 53 53 53 8D 54 24 ?? 52 8B E8 68 ?? ?? ?? ?? 55 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B F0 8D 84 24 ?? ?? ?? ?? 53 50 88 9C + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 53 53 56 89 5C 24 ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? 8D 4C 24 ?? 51 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 56 FF 15 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 C7 05 ?? ?? ?? ?? ?? + ?? ?? ?? 89 5C 24 ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? + ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 54 24 ?? 52 68 ?? ?? ?? ?? 6A ?? 68 ?? 
?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 56 8B 35 ?? ?? ?? ?? FF D6 + } + + $server_communication_0_3_1_1 = { + 8B 0D ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? + ?? ?? 51 8B 0D ?? ?? ?? ?? 51 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? + ?? 53 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 51 52 68 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8D 44 24 ?? 83 C4 ?? 8D 48 ?? + 8A 10 83 C0 ?? 3A D3 75 F7 55 56 57 2B C1 8D 54 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 51 50 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 8D 4C + 24 ?? 51 8D 94 04 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 + ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 83 C4 ?? 53 53 53 53 52 FF 15 ?? ?? ?? ?? 8B F8 A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 8B 14 + 85 ?? ?? ?? ?? 51 53 52 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 83 F8 ?? 53 53 6A ?? 53 53 73 23 8B 04 85 ?? ?? ?? ?? 6A ?? 50 + 57 FF 15 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 53 53 53 8D 4C 24 ?? 8B F0 51 EB 24 8B 14 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 57 FF + 15 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 53 53 8B F0 53 8D 44 24 ?? 50 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C + } + + $server_communication_0_3_1_2 = { + 24 ?? ?? ?? ?? 53 51 8B E8 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 53 53 55 89 5C 24 ?? FF 15 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 54 24 ?? 52 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8D 8C + 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 33 C0 68 ?? ?? ?? ?? 8D 54 24 ?? 68 ?? + ?? ?? ?? 52 C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 89 5C 24 ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? + ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 50 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? 
?? ?? + E8 ?? ?? ?? ?? 8B 4C 24 ?? 51 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 55 FF D3 + } + + $server_communication_0_3_3_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D 50 ?? 8A 08 83 C0 ?? 84 C9 75 + F7 2B C2 75 0D 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 55 56 57 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 C6 44 24 ?? ?? E8 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 33 C0 + 83 C4 ?? 50 50 50 50 52 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F8 89 7C 24 ?? 33 F6 + EB 04 8B 7C 24 ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 E8 ?? + ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 56 51 + 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 + 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 51 + 52 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? + ?? 8D 44 24 ?? 83 C4 ?? 8D 48 ?? 8A 10 83 C0 ?? 84 D2 75 F7 2B C1 8D 54 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 51 50 8D 54 24 + } + + $server_communication_0_3_3_2 = { + 52 E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 04 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 4C 24 + ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 FE ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 7D 23 8B 14 B5 ?? ?? ?? ?? 6A ?? 52 + 57 FF D3 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B F8 6A ?? 8D 44 24 ?? 50 EB 3C 8B 0C B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 57 FF + D3 8B 14 B5 ?? ?? ?? ?? 52 8B F8 8B 04 B5 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 8D 4C 24 ?? 51 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 6A ?? 52 8B E8 C6 84 24 ?? ?? ?? 
+ ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 55 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 + C0 75 32 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 55 FF 15 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 55 8B 2D ?? ?? ?? ?? FF D5 + } + + $server_communication_0_3_4a_1 = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 C6 44 24 ?? + ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 83 C4 ?? 85 C0 75 0D 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 55 56 57 6A ?? 8D 54 24 ?? 6A ?? 52 E8 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F8 89 7C 24 ?? 33 F6 EB + 04 8B 7C 24 ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? 6A ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? + ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 51 8B 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D + ?? ?? ?? ?? 56 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 50 + A1 ?? ?? ?? ?? 51 52 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 + ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 52 8D 84 24 ?? ?? ?? ?? 50 8D 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 + ?? 50 8D 54 24 ?? 52 E8 ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 94 04 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 68 + } + + $server_communication_0_3_4a_2 = { + 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 83 FE ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 7D 23 8B 14 B5 ?? + ?? ?? ?? 6A ?? 52 57 FF D3 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 8B F8 6A ?? 8D 44 24 ?? 50 EB 3C 8B 0C B5 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 
51 57 FF D3 8B 14 B5 ?? ?? ?? ?? 52 8B F8 8B 04 B5 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? 8D 4C 24 ?? 51 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 6A ?? 52 8B E8 + C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 55 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 75 32 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 51 55 FF 15 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 18 55 8B 2D ?? ?? ?? ?? FF D5 57 FF D5 83 C6 ?? 83 FE ?? 0F 8C CE + FD FF FF 8B 44 24 ?? 50 FF 15 + } + + $server_communication_0_3_5a_1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 57 68 ?? ?? ?? ?? 8D 44 + 24 ?? 6A ?? 50 C6 44 24 ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 C6 84 24 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 83 C4 ?? 8D 50 ?? 8B FF 8A 08 83 C0 ?? 84 C9 75 F7 2B C2 75 05 E8 ?? ?? ?? ?? 33 C0 50 50 50 50 + 68 ?? ?? ?? ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? FF 15 ?? ?? ?? ?? 89 44 24 ?? 33 DB 68 ?? ?? ?? ?? 8D 54 24 ?? 6A ?? + 52 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 + C4 ?? 51 8B 0D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 53 51 8B 0D ?? ?? ?? ?? 51 8B 0D ?? + ?? ?? ?? 51 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? + ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 52 8B 15 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 51 52 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 50 68 ?? ?? ?? ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 44 24 ?? + 83 C4 ?? 8D 70 ?? 8B FF 8A 08 83 C0 ?? 84 C9 75 F7 8D 94 24 ?? ?? ?? ?? 2B C6 52 8D 7C 24 ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? + 8D 8C 04 ?? ?? ?? ?? 8B F7 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 B8 ?? 
?? ?? ?? E8 + } + + $server_communication_0_3_5a_2 = { + 8B 14 9D ?? ?? ?? ?? 8B 44 24 ?? 83 C4 ?? 83 FB ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 7D 20 6A ?? 52 50 FF 15 ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 4C 24 ?? 8B F0 51 EB 39 68 ?? ?? ?? ?? 52 50 FF 15 ?? ?? ?? ?? 8B 0C 9D ?? + ?? ?? ?? 8B 14 9D ?? ?? ?? ?? 51 6A ?? 52 8B F0 FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 44 24 ?? 50 + 68 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 6A ?? 51 8B F8 C6 84 24 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 32 8D 54 + 24 ?? 52 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? + ?? 83 C4 ?? 85 C0 75 18 57 8B 3D ?? ?? ?? ?? FF D7 56 FF D7 83 C3 ?? 83 FB ?? 0F 8C CD FD FF FF 8B 54 24 ?? 52 FF 15 + } + + $server_communication_2_0_4e = { + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 83 3D ?? ?? + ?? ?? ?? 53 56 57 75 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? A1 ?? + ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 44 24 ?? B8 ?? ?? ?? + ?? 8D 50 ?? 33 DB 8A 08 40 3A CB 75 ?? 2B C2 75 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 8C 24 ?? ?? ?? ?? 53 51 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 53 53 53 53 68 + ?? ?? ?? ?? FF 15 + } + + $search_and_encrypt_2_0_4e_1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 8B 5D ?? 56 + 57 33 C0 68 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 66 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 33 D2 68 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 66 89 95 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 53 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? + ?? 50 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B F0 89 B5 ?? ?? ?? ?? 83 FE ?? 0F 84 + } + + $search_and_encrypt_2_0_4e_2 = { + 0F 84 ?? 
?? ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? B8 ?? ?? + ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? + 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? + ?? ?? ?? 53 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 + } + + $search_and_encrypt_2_0_4e_3 = { + 8B C3 83 C4 ?? 8D 50 ?? 90 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 83 F8 ?? 76 + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D + ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? + ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 + } + + $search_and_encrypt_2_0_4e_4 = { + 8D 8D ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? + 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 + 0F 84 ?? ?? ?? ?? 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? + 52 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 53 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 + C4 ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D + 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 + } + + $search_and_encrypt_2_0_4e_5 = { + 8D 85 ?? ?? ?? ?? 83 C4 ?? 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 8D 95 ?? + ?? ?? ?? D1 F8 52 8D 78 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 57 56 E8 ?? ?? ?? ?? 8B 3D + ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D7 83 C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 56 FF D7 83 + C4 ?? 85 C0 75 ?? 68 ?? ?? ?? ?? 56 FF D7 83 C4 ?? 85 C0 75 ?? 8B C6 E8 ?? ?? ?? ?? + 83 F8 ?? 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 56 E8 ?? 
?? ?? ?? 8B B5 ?? ?? ?? ?? + 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 56 FF 15 + } + + $server_communication_4_0_1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C4 89 84 24 + } + + $server_communication_4_0_2 = { + 8A 08 40 3A CB 75 ?? 2B ?? 50 8D ?? ?? ?? ?? ?? ?? [0-2] E8 ?? ?? ?? ?? 83 C4 04 8D + ?? 24 ?? ?? ?? ?? ?? (8B ??|8D ?? 24 ?? ?? ?? ??) ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 C4 08 8D ?? 01 [0-7] 8A 08 40 3A CB + 75 ?? 2B ?? 8B C8 8D 51 ?? 83 E2 ?? B8 ?? ?? ?? ?? 2B C2 50 50 8D 7C 01 ?? 8D 84 0C + ?? ?? ?? ?? 50 E8 + } + + $server_communication_4_0_3 = { + 83 C4 ?? 8D 8C 24 ?? ?? ?? ?? 51 8D 94 24 ?? ?? ?? ?? 52 8D 84 24 ?? ?? ?? ?? ?? [1-2] + 8D ?? 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? [0-3] 51 E8 ?? ?? ?? ?? + 8B 15 ?? ?? ?? ?? 83 C4 ?? 8B ?? 8B 42 ?? ?? 50 8D 8C 24 ?? ?? ?? ?? 51 BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? ?? E8 ?? ?? ?? ?? 8B 54 24 ?? 83 C4 ?? 52 E8 ?? ?? ?? ?? 83 C4 + ?? 33 ?? 89 ?? 24 ?? 6A ?? 8D 44 24 ?? 53 50 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? B8 + ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 53 51 C7 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 89 84 24 ?? + ?? ?? ?? 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 94 24 ?? ?? ?? + ?? 53 52 88 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B ?? ?? ?? 8B ?? 83 C4 ?? 8D 50 + } + + $file_search_4_0_1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 56 57 33 C0 68 + ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 66 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 68 ?? + ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 66 89 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 6A ?? 51 E8 + } + + $file_search_4_0_2 = { + 74 ?? FF 15 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? 52 EB ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? + ?? ?? A1 ?? ?? ?? ?? 8B 48 ?? 51 8D 95 ?? ?? ?? ?? 52 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 C4 ?? 68 ?? ?? ?? 
?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D0 8B F0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 8B BD ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 56 FF D0 83 FF ?? 0F 85 ?? ?? ?? ?? 83 3D ?? ?? ?? + ?? ?? 74 ?? 8B 0D ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8B 51 ?? 8D 85 ?? ?? ?? ?? 50 52 + 8D 85 ?? ?? ?? ?? 50 EB ?? 8B 15 ?? ?? ?? ?? 8B 42 ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? + ?? ?? 50 8D 8D + } + + $file_search_4_0_3 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 6A ?? FF D0 85 C0 0F 84 ?? ?? ?? ?? E8 ?? ?? + ?? ?? B8 ?? ?? ?? ?? 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 4D ?? 5F 33 + CD 33 C0 5E E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $file_search_4_1b_1 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 6A ?? 51 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 08 83 C4 ?? 68 ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 52 51 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 + } + + $file_search_4_1b_2 = { + E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 8B F0 FF 15 ?? ?? ?? ?? 56 8B F8 FF 15 ?? ?? ?? ?? 83 FF ?? + 0F 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 48 ?? 8D 95 ?? ?? ?? ?? 52 + 51 8D 95 ?? ?? ?? ?? 52 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B 3D ?? ?? + ?? ?? 8B 1D + } + + $file_search_4_1b_3 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? 51 8D 55 ?? 52 6A ?? 6A ?? 6A ?? 6A ?? B8 ?? ?? ?? + ?? 6A ?? 66 89 45 ?? 89 45 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? C7 45 ?? ?? ?? ?? ?? + FF D3 85 C0 74 ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 + } + + $server_communication_4_1b_1 = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 + } + + $server_communication_4_1b_2 = { + E8 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 42 ?? 83 C4 ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 89 44 24 ?? 
3B C3 75 ?? ?? ?? B8 ?? ?? ?? ?? ?? 8B E5 5D C2 ?? ?? 68 ?? ?? ?? ?? 8D + ?? 24 ?? ?? ?? ?? 53 51 E8 ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F B6 ?? ?? ?? ?? ?? 0F + B6 ?? ?? ?? ?? ?? 83 C4 0C + } + + $server_communication_4_1b_3 = { + 8A 08 ?? ?? ?? 75 ?? 2B C6 50 57 8D ?? 24 ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 + 8B CF 51 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 C4 ?? 8D 78 ?? 8A 08 40 + 3A CB 75 ?? 2B C7 8B C8 8D 51 ?? 83 E2 ?? B8 ?? ?? ?? ?? 2B C2 50 50 8D 7C 01 ?? 8D + 84 0C ?? ?? ?? ?? 50 E8 + } + + $server_communication_4_1b_4 = { + FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 3B C3 76 ?? 8B 94 24 + ?? ?? ?? ?? 50 52 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8B + 84 24 ?? ?? ?? ?? 3B C3 76 ?? 8B 8C 24 ?? ?? ?? ?? 50 51 8D 94 24 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4C 24 ?? 53 53 6A ?? 53 53 6A ?? 8D 84 24 ?? + ?? ?? ?? 50 51 FF 15 ?? ?? ?? ?? 8B F0 89 74 24 ?? 3B F3 0F 84 ?? ?? ?? ?? 6A ?? 8D + 54 24 ?? 52 6A ?? 56 C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 48 + ?? 8B 40 ?? 53 68 ?? ?? ?? ?? 51 53 53 8D 94 24 ?? ?? ?? ?? 52 50 56 FF 15 + } + + $server_communication_4_1b_5 = { + FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8D 44 24 ?? 50 68 ?? ?? ?? ?? 8D 8C + 24 ?? ?? ?? ?? 51 56 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 8B 15 ?? ?? ?? ?? 88 9C 04 ?? ?? + ?? ?? 88 9C 04 ?? ?? ?? ?? 8B 42 ?? 50 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 56 8B 35 ?? ?? ?? ?? FF D6 8B 4C 24 ?? 51 FF D6 8B 7C 24 ?? 47 89 7C + 24 ?? 83 FF ?? 0F 8C ?? ?? ?? ?? 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 6A ?? FF 15 + } + + $file_search_4_2_1 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? FF 30 FF 15 ?? ?? ?? ?? 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? + FF 70 ?? 
8D 85 ?? ?? ?? ?? 50 FF D3 83 C4 ?? 8D 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A + ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 FF 15 ?? ?? ?? ?? 56 8B F8 FF 15 + } + + $file_search_4_2_2 = { + FF D3 8B 35 ?? ?? ?? ?? 83 C4 ?? 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 6A ?? 8D 85 ?? + ?? ?? ?? 50 68 ?? ?? ?? ?? FF D6 6A ?? 8D 85 ?? ?? ?? ?? 50 FF D7 6A ?? 8D 45 ?? 6A + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? + 66 89 45 ?? 89 45 ?? 8D 45 ?? 50 8D 45 ?? 50 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 51 + 6A ?? FF D3 + } + + $server_communication_4_2_1 = { + FF 15 ?? ?? ?? ?? 8B F0 0F 57 C0 8D 84 24 ?? ?? ?? ?? 66 0F 7F 84 24 ?? ?? ?? ?? 50 + 8D 84 24 ?? ?? ?? ?? 8B D6 50 68 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 8B CE E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 56 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 56 FF 15 + } + + $server_communication_4_2_2 = { + FF D7 8B 0D ?? ?? ?? ?? 8B D0 8B 49 ?? E8 ?? ?? ?? ?? 83 C4 ?? C7 44 24 ?? ?? ?? ?? + ?? 8D 84 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 50 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? ?? ?? ?? + 50 FF D7 + } + + $server_communication_4_2_3 = { + 6A ?? 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 6A ?? 56 FF 54 24 ?? 8B 0D ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 8D 41 ?? 50 6A ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 71 + ?? 56 FF 54 24 + } + + $server_communication_4_2_4 = { + FF 54 24 ?? 8B 44 24 ?? 66 C7 84 04 ?? ?? ?? ?? ?? ?? A1 ?? ?? ?? ?? FF 70 ?? 8D 84 + 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 57 8B 7C 24 ?? FF D7 56 FF + D7 + } + + $server_communication_4_2_5 = { + 57 8B 7C 24 ?? FF D7 56 FF D7 FF 74 24 ?? FF D7 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 6A ?? FF 15 + } + + $server_communication_3_1 = { + 8A 08 40 3A CB 75 ?? 2B C7 50 8D 94 24 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 8D + 44 24 ?? 50 8D 8C 24 ?? ?? ?? ?? 51 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? + ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? 
?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 83 C4 ?? 8D ?? ?? EB + } + + $server_communication_3_2 = { + 68 ?? ?? ?? ?? 88 9C 04 ?? ?? ?? ?? 51 88 9C 04 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 + ?? 85 C0 75 ?? 57 8B 3D ?? ?? ?? ?? FF D7 56 FF D7 8B 7C 24 ?? 83 C7 ?? 89 7C 24 ?? + 81 FF ?? ?? ?? ?? 0F 8C ?? ?? ?? ?? 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 39 1D ?? ?? ?? + ?? 75 ?? 8B 44 24 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? FF 15 + } + + $file_search_3_1 = { + 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? [0-1] 56 57 33 C0 + 68 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 66 89 85 ?? ?? ?? ?? E8 + } + + $file_search_3_1_1 = { + FF 15 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 EB ?? + FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 FF 15 ?? ?? ?? ?? 56 8B F8 FF 15 + } + + $file_search_3_1_2 = { + 8B 35 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? + ?? 50 68 ?? ?? ?? ?? FF D6 6A ?? 8D 8D ?? ?? ?? ?? 51 FF D7 6A ?? 8D 95 ?? ?? ?? ?? + 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 6A ?? 6A + ?? 6A ?? 6A ?? B8 ?? ?? ?? ?? 6A ?? 66 89 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D + 85 ?? ?? ?? ?? 50 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF D3 85 C0 74 ?? E8 + } + $file_search_3_2_1 = { + 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 50 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B F0 FF 15 ?? ?? ?? ?? 56 8B F8 FF 15 ?? + ?? ?? ?? 83 FF ?? 0F 85 + } + + $file_search_3_2_2 = { + 8B 35 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 68 ?? ?? ?? + ?? FF D6 6A ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? + 51 8D 95 ?? ?? ?? ?? 
52 6A ?? 6A ?? 6A ?? 6A ?? B8 ?? ?? ?? ?? 6A ?? 66 89 85 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? FF D7 85 C0 74 ?? E8 + } + + $search_and_encrypt_3_1 = { + 8B C3 83 C4 ?? 8D 50 ?? [1-3] 66 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B C2 D1 F8 83 F8 ?? 76 + ?? 68 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D ?? + ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? + ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB + } + + $search_and_encrypt_3_2 = { + 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? B8 ?? ?? ?? ?? 66 8B 10 66 + 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 + 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? B8 ?? ?? + ?? ?? 90 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 + ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 + } + + $search_and_encrypt_3_3 = { + 1B C0 83 D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B ?? ?? ?? 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 8D ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 7D ?? ?? 0F 85 ?? ?? ?? ?? 53 + 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D ?? ?? + ?? ?? ?? 68 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? + ?? ?? 68 ?? ?? ?? ?? ?? E8 + } + + $search_and_encrypt_3_4 = { + E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 57 56 E8 ?? ?? ?? ?? 83 C4 ?? B8 ?? ?? ?? ?? 8B CE E8 + ?? ?? ?? ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 8B C6 E8 ?? + ?? ?? ?? 83 F8 ?? 75 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 
56 E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_2_6a_1 and $encrypt_file_0_2_6a_2 and $server_communication_0_2_6a_1 and $server_communication_0_2_6a_2) or
+ ($file_search_0_3_1_1 and $file_search_0_3_1_2 and $encrypt_file_0_3_1 and $server_communication_0_3_1_1 and $server_communication_0_3_1_2) or
+ ($file_search_0_3_3_1 and $file_search_0_3_3_2 and $encrypt_file_0_3_3_1 and $encrypt_file_0_3_3_2 and $server_communication_0_3_3_1 and $server_communication_0_3_3_2) or
+ ($file_search_0_3_4a_1 and $file_search_0_3_4a_2 and $encrypt_file_0_3_4a_1 and $encrypt_file_0_3_4a_2 and $server_communication_0_3_4a_1 and $server_communication_0_3_4a_2) or
+ ($file_search_0_3_5a_1 and $file_search_0_3_5a_2 and $encrypt_file_0_3_5a_1 and $encrypt_file_0_3_5a_2 and $server_communication_0_3_5a_1 and $server_communication_0_3_5a_2) or
+ ($server_communication_2_0_4e and $search_and_encrypt_2_0_4e_1 and $search_and_encrypt_2_0_4e_2 and $search_and_encrypt_2_0_4e_3 and
+ $search_and_encrypt_2_0_4e_4 and $search_and_encrypt_2_0_4e_5) or
+ ($server_communication_4_0_1 and $server_communication_4_0_2 and $server_communication_4_0_3 and $file_search_4_0_1 and $file_search_4_0_2 and
+ $file_search_4_0_3) or
+ ($file_search_4_1b_1 and $file_search_4_1b_2 and $file_search_4_1b_3 and $server_communication_4_1b_1 and $server_communication_4_1b_2 and
+ $server_communication_4_1b_3 and $server_communication_4_1b_4 and $server_communication_4_1b_5) or
+ ($file_search_4_2_1 and $file_search_4_2_2 and $server_communication_4_1b_1 and $server_communication_4_2_1 and $server_communication_4_2_2 and
+ $server_communication_4_2_3 and $server_communication_4_2_4 and $server_communication_4_2_5) or
+ ($server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_1_1 and $file_search_3_1_2 and $search_and_encrypt_3_1 and $search_and_encrypt_3_2 and 
$search_and_encrypt_3_3 and $search_and_encrypt_3_4) or
+ ($server_communication_4_0_1 and $server_communication_3_1 and $server_communication_3_2 and $file_search_3_1 and $file_search_3_2_1 and $file_search_3_2_2 and $search_and_encrypt_3_1 and $search_and_encrypt_3_2 and $search_and_encrypt_3_3 and $search_and_encrypt_3_4))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Teslarvng.yara b/yara/ransomware/Win32.Ransomware.Teslarvng.yara
new file mode 100644
index 0000000..fcb220e
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Teslarvng.yara
@@ -0,0 +1,137 @@ +rule Win32_Ransomware_Teslarvng : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TESLARVNG" + description = "Yara rule that detects Teslarvng ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Teslarvng" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 53 8B DC 83 EC ?? 83 E4 ?? 83 C4 ?? 55 8B 6B ?? 89 6C 24 ?? 8B EC 6A ?? 68 ?? ?? ?? + ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? A8 ?? 00 00 A1 ?? ?? ?? ?? ?? ?? ?? ?? EC 56 57 50 + 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? C9 89 4D ?? 89 4D ?? 8B 73 ?? 8B 43 ?? 89 75 + ?? 89 45 ?? 3B F0 0F 84 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 06 8D 04 40 C1 E0 ?? 89 45 + ?? 8B 04 02 8B 40 ?? 8B 30 3B F0 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? ?? ?? ?? ?? 3D ?? + ?? ?? ?? 10 89 ?? ?? ?? ?? E3 ?? 00 0F 43 05 ?? ?? ?? ?? 89 45 ?? C6 45 ?? ?? 33 C0 + 83 C9 ?? 66 89 45 ?? 89 4D ?? 8D 4D ?? 8B 47 ?? 40 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? 50 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7F ?? ?? 8B + C7 72 ?? 8B 07 FF 77 ?? 8D 4D ?? 50 E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 33 C9 68 ?? ?? ?? ?? 0F 10 00 0F 11 85 + ?? ?? ?? ?? F3 0F 7E 40 ?? 83 4D ?? ?? 66 0F D6 45 ?? 66 89 08 8D 8D ?? ?? ?? ?? C7 + 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 8D 85 ?? + ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 6A ?? 0F 43 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 F8 ?? 74 ?? 6A ?? 8D 4D ?? 51 + } + + $encrypt_files_p2 = { + FF 75 ?? FF 75 ?? 50 FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? + ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 65 ?? ?? C6 45 ?? ?? 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 65 ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? 
?? ?? 8B 4D ?? + 8B 41 ?? 89 45 ?? 83 78 ?? ?? 8B 48 ?? 89 4D ?? 72 ?? 8B 00 89 45 ?? C6 45 ?? ?? 33 + C0 83 4D ?? ?? 8D 4D ?? 66 89 45 ?? 8B 47 ?? 40 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 50 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7F ?? ?? 8B 47 + ?? 72 ?? 8B 3F 50 57 8D 4D ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 55 ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? + 8D 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 6A ?? 0F 43 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A + ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 74 ?? 6A ?? 8D 45 + ?? 50 FF 75 ?? FF 75 ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? + ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 65 ?? ?? C6 45 ?? ?? 8D 4D ?? E8 + ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B 45 ?? 8B 36 8B 4D ?? 8B 04 02 3B 70 ?? 0F 85 ?? ?? + ?? ?? 8B 75 ?? 83 C6 ?? 89 75 ?? 3B 75 ?? 0F 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D + 4B ?? E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? + ?? ?? 8B E5 5D 8B E3 5B C2 + } + + $find_files = { + FF D6 83 F8 ?? 0F 85 ?? ?? ?? ?? 8D 43 ?? 50 BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 C4 ?? C6 45 ?? ?? 83 78 ?? ?? 72 ?? 8B 00 B2 ?? 8B C8 E8 ?? ?? ?? ?? C6 + 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 + ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 0F 1F 40 ?? 8D 85 ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? 33 C9 8B 85 ?? ?? ?? ?? 03 8D ?? ?? ?? ?? 83 D0 ?? 50 51 FF B5 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? F6 85 ?? ?? ?? ?? ?? 0F 84 ?? + ?? ?? ?? BA ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B C8 90 66 8B 31 66 3B 32 75 ?? 66 85 F6 + 74 ?? 66 8B 71 ?? 66 3B 72 ?? 75 ?? 83 C1 ?? 83 C2 ?? 66 85 F6 75 ?? 33 C9 EB ?? 1B + C9 83 C9 ?? 85 C9 74 ?? B9 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B + 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 
83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 C8 ?? + 85 C0 74 ?? 8B 45 ?? 8D 8D ?? ?? ?? ?? 51 3B 45 ?? 74 ?? 8B C8 E8 ?? ?? ?? ?? 83 45 + ?? ?? EB ?? 50 8D 4D ?? E8 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 50 8D 4D ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 8B F0 C6 45 ?? ?? FF B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? 85 F6 0F 85 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? FF D6 83 F8 ?? 0F + 84 ?? ?? ?? ?? FF D6 8B D0 + } + + $enum_shares_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? ?? ?? ?? ?? 45 FC 00 00 00 00 8D + 75 ?? 83 7D ?? ?? 6A ?? 0F 43 75 ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 B8 ?? ?? ?? + ?? 56 66 89 45 ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 45 ?? FF 15 ?? ?? ?? ?? 66 89 + 45 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? 57 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? 8D + 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 45 ?? 89 7D ?? 50 + 8D 45 ?? C7 45 ?? ?? ?? ?? ?? 50 6A ?? 6A ?? 89 7D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 8E ?? ?? ?? ?? 83 7D ?? ?? 0F 87 ?? ?? ?? ?? + 83 7D ?? ?? 0F 86 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 8B 75 ?? 0F + 43 4D ?? 03 F1 C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? 0F 43 + 4D ?? 33 C0 66 89 45 ?? 8B C6 2B C1 89 4D ?? 50 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? FF 75 ?? 8D 4D ?? 56 FF 75 ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? 83 7D ?? + ?? 8D 45 ?? 6A ?? 0F 43 45 ?? 51 8D 4D ?? 51 6A ?? 8D 4D ?? 51 6A ?? 50 FF 15 ?? ?? + ?? ?? 85 C0 74 ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 0F 57 C0 C7 45 ?? ?? ?? ?? ?? 66 + } + + $enum_shares_p2 = { + 0F D6 45 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? + ?? 33 F6 8B 55 ?? 85 D2 0F 84 ?? ?? ?? ?? 33 FF 8B 4D ?? 8B 44 39 ?? 85 C0 74 ?? 3D + ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 
8B 14 39 33 C0 66 89 45 ?? 8B C2 C7 45 ?? ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 48 ?? C7 45 ?? ?? ?? ?? ?? 89 4D ?? 66 + 8B 08 83 C0 ?? 66 85 C9 75 ?? 2B 45 ?? 8D 4D ?? D1 F8 50 52 E8 ?? ?? ?? ?? C6 45 ?? + ?? 8B 45 ?? 3B 45 ?? 74 ?? 0F 10 45 ?? C7 40 ?? ?? ?? ?? ?? 0F 11 00 F3 0F 7E 45 ?? + 66 0F D6 40 ?? 33 C0 83 45 ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 89 45 + ?? EB ?? 8D 4D ?? 51 50 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? + 8B 55 ?? 46 83 C7 ?? 3B F2 0F 82 ?? ?? ?? ?? 8B 45 ?? 8B 75 ?? 3B 45 ?? 0F 84 ?? ?? + ?? ?? FF 76 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 46 ?? 83 7D ?? ?? + 8B 7D ?? 89 45 ?? 8D 45 ?? 0F 43 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 89 45 ?? 83 FF ?? 73 ?? 0F 10 00 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 11 + 85 ?? ?? ?? ?? EB ?? 8B F7 8D 8D ?? ?? ?? ?? B8 ?? ?? ?? ?? 83 CE ?? 3B F0 0F 47 F0 + } + + $enum_shares_p3 = { + 8D 46 ?? 50 E8 ?? ?? ?? ?? 8D 0C 7D ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 51 FF 75 ?? 50 E8 + ?? ?? ?? ?? 83 C4 ?? 89 B5 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? C6 45 ?? ?? 8B 45 ?? 8B 7D + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? + 3B F8 0F 84 ?? ?? ?? ?? 2B C7 C1 F8 ?? 69 F0 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 89 85 ?? + ?? ?? ?? 8D 0C 76 89 45 ?? 8D 04 C8 89 45 ?? 8D 85 ?? ?? ?? ?? 89 45 ?? C6 45 ?? ?? + 0F 57 C0 8B B5 ?? ?? ?? ?? 66 0F D6 45 ?? C7 45 ?? ?? ?? ?? ?? 89 75 ?? 89 75 ?? 89 + 45 ?? C6 45 ?? ?? 66 90 57 8B CE E8 ?? ?? ?? ?? 83 C6 ?? 83 C7 ?? 89 75 ?? 3B 7D ?? + 75 ?? 89 75 ?? C6 45 ?? ?? 89 75 ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D + 85 ?? ?? ?? ?? 8B 4D ?? 50 8D 45 ?? 50 E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 75 ?? FF 76 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 85 C0 0F 85 ?? ?? ?? ?? C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? ?? EB ?? + 8B 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? 8B 06 F0 FF 08 C6 45 ?? ?? 8D 4D ?? E8 ?? ?? ?? + ?? EB ?? 57 FF 15 ?? ?? 
?? ?? 8B 75
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ all of ($enum_shares_p*)
+ ) and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Thanatos.yara b/yara/ransomware/Win32.Ransomware.Thanatos.yara
new file mode 100644
index 0000000..29434b9
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Thanatos.yara
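Review bot: The `meta` block of Win32_Ransomware_Teslarvng records no sample reference and no date, so when this rule fires on a production fleet or needs re-validation after a false positive there is nothing in the file to test it against; the fields it does carry are vendor boilerplate. Adding `date = "<YYYY-MM-DD placeholder>"` and `reference = "<sample sha256 placeholder>"` beside `tc_detection_factor` would make the rule maintainable in this repository. The condition also wraps each single term in its own parenthesised block; `uint16(0) == 0x5A4D and all of ($enum_shares_p*) and $find_files and all of ($encrypt_files_p*)` matches identically and reads in one line. `sharing = "TLP:WHITE"` is the pre-2022 label, which TLP 2.0 renamed to TLP:CLEAR, worth normalising if the metadata is meant to be current. Finally the file is committed without a trailing newline (`\ No newline at end of file`), which will add noise to every later diff that touches its last line.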
@@ -0,0 +1,85 @@ +rule Win32_Ransomware_Thanatos : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "THANATOS" + description = "Yara rule that detects Thanatos ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Thanatos" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 45 ?? 53 56 57 50 89 85 + ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 8D ?? ?? ?? ?? 51 FF D6 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? EB ?? 8D 49 ?? 6A ?? E8 ?? ?? ?? ?? 8B D8 83 C4 ?? C6 03 ?? FF + 15 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 99 B9 ?? ?? + ?? ?? F7 F9 52 53 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 4F 75 ?? 8B 95 ?? ?? ?? + ?? 52 8D 85 ?? ?? ?? ?? 50 C6 43 ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? + ?? ?? 51 FF D6 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF D6 F6 85 ?? ?? ?? ?? ?? + 74 ?? 8B 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF D7 85 C0 0F 84 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 FF D7 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 8D 50 ?? 8A 08 40 84 C9 75 ?? 2B C2 + 50 8D 8D ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D BD + ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8B F8 72 ?? 8B + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 83 FF ?? 74 ?? 53 8D 9D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 52 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 5F 5E 33 CD 5B E8 ?? ?? ?? + ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 83 EC ?? 53 56 57 68 ?? ?? ?? ?? 33 DB 6A ?? 
53 8B F0 53 8D 45 ?? 33 FF 50 + 89 7D ?? 89 5D ?? 89 5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 + ?? 8D 4D ?? 51 53 53 68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B + C6 8D 50 ?? 8A 08 40 84 C9 75 ?? 53 2B C2 50 8B 45 ?? 56 50 FF 15 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8D 4D ?? 51 6A ?? 52 68 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 50 8D 4D ?? 51 53 53 6A ?? 53 8B + 1D ?? ?? ?? ?? 52 89 45 ?? FF D3 85 C0 74 ?? 8B 45 ?? 8B 3D ?? ?? ?? ?? 50 6A ?? FF + D7 50 FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 8B 4D ?? 8B 55 ?? 8B 02 51 50 56 E8 ?? ?? + ?? ?? 8B 4D ?? 8B 45 ?? 83 C4 ?? 51 8D 55 ?? 52 56 6A ?? 6A ?? 6A ?? 50 FF D3 85 C0 + 74 ?? 8B 5D ?? 8B 0B 51 6A ?? FF D7 50 FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 89 10 89 + 33 C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 7D ?? 33 DB 8B 55 ?? 52 FF + 15 ?? ?? ?? ?? 8B 45 ?? 53 50 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 5B 8B E5 5D C2 + } + + $encrypt_files_p2 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 45 ?? 33 F6 56 68 ?? ?? ?? ?? + 6A ?? 56 6A ?? 68 ?? ?? ?? ?? 53 89 85 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 B5 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 8B F8 83 FF ?? 0F 84 ?? ?? ?? ?? 56 57 FF 15 ?? ?? ?? ?? 8B F0 + 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 56 50 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 50 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 E8 + ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 6A ?? 52 E8 ?? + ?? ?? ?? 83 C4 ?? 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? 8D B5 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 C4 ?? 39 70 ?? 72 ?? 8B + 00 50 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 39 B5 ?? ?? ?? ?? + 72 ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 
C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 95 ?? ?? + ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 8B 95 ?? ?? ?? ?? 6A ?? 8D + 8D ?? ?? ?? ?? 51 8B 8D ?? ?? ?? ?? 52 51 50 FF 15 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? + 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 8B 4D ?? 33 CD E8 ?? ?? + ?? ?? 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.TorrentLocker.yara b/yara/ransomware/Win32.Ransomware.TorrentLocker.yara new file mode 100644 index 0000000..7a15de0 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.TorrentLocker.yara 
@@ -0,0 +1,98 @@ +rule Win32_Ransomware_TorrentLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "TORRENTLOCKER" + description = "Yara rule that detects TorrentLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "TorrentLocker" + tc_detection_factor = 5 + + strings: + $tlocker_ep = { + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 05 E8 ?? ?? ?? ?? 33 C0 C3 + } + + $tlocker_contact_server_1 = { + 55 8B EC 83 EC ?? 8D 45 ?? 50 8D 4D ?? 51 B8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 21 83 7D + ?? ?? 8B 45 ?? 75 05 8B 10 89 55 ?? 85 C0 74 0F 50 A1 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 53 56 57 8D 9B ?? ?? ?? ?? + 8B 4D ?? 8D 55 ?? 52 6A ?? BB ?? ?? ?? ?? 89 4D ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 89 75 ?? 85 F6 0F 84 2C 01 00 00 8B BE + ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 85 DB 0F 84 EB 00 00 00 6A ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 89 00 00 00 8D 45 ?? 50 8D + 4D ?? 51 6A ?? 56 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 16 81 4D ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 6A ?? 56 FF + 15 ?? ?? ?? ?? 8B 45 ?? 57 50 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 38 6A ?? 8D 4D ?? 51 8D 55 ?? 52 68 ?? ?? ?? ?? + 56 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 10 81 7D ?? ?? ?? ?? ?? 75 07 C7 45 ?? ?? ?? ?? + ?? 8B 3D ?? ?? ?? ?? 56 FF D7 EB 06 8B 3D ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 6A ?? 53 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 53 8B F0 FF D7 85 F6 74 06 8B 55 ?? 52 FF D7 8B 75 ?? 8B 0D ?? ?? ?? ?? 33 C0 83 7D ?? ?? 56 + 0F 94 C0 6A ?? 51 8B F8 FF 15 ?? ?? ?? ?? 85 FF 75 10 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E9 9E FE FF FF 5F 5E 5B 8B E5 5D + C3 + } + + $tlocker_contact_server_2_1 = { + 55 8B EC 83 EC ?? 8D 45 ?? 50 8D 4D ?? 51 B8 ?? ?? 
?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 21 83 7D + ?? ?? 8B 45 ?? 75 05 8B 10 89 55 ?? 85 C0 74 0F 50 A1 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 53 56 57 8D 9B ?? ?? ?? ?? + 8B 4D ?? 8D 55 ?? 52 6A ?? BF ?? ?? ?? ?? 89 4D ?? E8 ?? ?? ?? ?? 8B F0 83 C4 ?? 89 75 ?? 85 F6 0F 84 E5 01 00 00 BF ?? + ?? ?? ?? 39 3D ?? ?? ?? ?? 74 11 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 3D ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B + 9E ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 85 FF 0F 84 EB 00 00 00 6A ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 89 00 00 00 8D 45 ?? 50 + 8D 4D ?? 51 6A ?? 56 C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 16 81 4D ?? ?? ?? ?? ?? 6A ?? 8D 55 ?? 52 6A ?? 56 + FF 15 ?? ?? ?? ?? 8B 45 ?? 53 50 6A ?? 6A ?? 56 FF 15 ?? ?? ?? ?? 85 C0 74 38 6A ?? 8D 4D ?? 51 8D 55 ?? 52 68 ?? ?? ?? + ?? 56 C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 10 81 7D ?? ?? ?? ?? ?? 75 07 C7 45 ?? ?? ?? + ?? ?? 56 8B 35 ?? ?? ?? ?? FF D6 EB 06 8B 35 ?? ?? ?? ?? 8D 45 ?? 50 8D 4D ?? 51 6A ?? 57 C7 45 ?? ?? ?? ?? ?? C7 45 ?? + } + + $tlocker_contact_server_2_2 = { + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 57 8B D8 FF D6 85 DB 74 06 8B 55 ?? 52 FF D6 8B 75 ?? 33 C0 83 7D ?? ?? 0F 94 C0 8B F8 85 + FF 74 18 8B 0D ?? ?? ?? ?? 89 0D ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? EB 5E 8B 15 ?? ?? ?? ?? 3B 15 ?? ?? ?? ?? 75 + 34 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 8B D1 41 89 0D ?? ?? ?? ?? 85 D2 7E 71 8B 0D ?? ?? ?? ?? 3B C1 73 08 8B C8 89 0D + ?? ?? ?? ?? 2B C1 3D ?? ?? ?? ?? 72 1C A1 ?? ?? ?? ?? 40 83 F8 ?? 7E 05 A1 ?? ?? ?? ?? 8B C8 A3 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 81 3D ?? ?? ?? ?? ?? ?? ?? ?? 75 0B 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 56 6A ?? 50 FF 15 ?? ?? ?? ?? 85 + FF 75 17 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? E9 E5 FD FF FF A3 ?? ?? ?? ?? EB BF 5F 5E 5B 8B E5 5D C3 + } + + $tlocker_get_server_data = { + 55 8B EC 83 EC ?? 
56 57 33 FF 57 57 8D 45 ?? 50 53 33 F6 FF 15 ?? ?? ?? ?? 85 C0 74 77 8D 49 ?? 8B 4D ?? 03 CF 85 F6 75 + 73 33 C0 85 C9 74 0F 8B 15 ?? ?? ?? ?? 51 50 52 FF 15 ?? ?? ?? ?? 33 C9 85 C0 0F 95 C1 8B F0 8B C1 85 C0 74 33 8B 55 ?? + 8D 4D ?? 51 52 8D 04 37 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 1C 8B 45 ?? 85 C0 74 ?? 6A ?? 6A ?? 8D 4D ?? 51 53 03 F8 FF 15 + ?? ?? ?? ?? 85 C0 75 A0 85 F6 74 10 8B 0D ?? ?? ?? ?? 56 6A ?? 51 FF 15 ?? ?? ?? ?? 5F 33 C0 5E 8B E5 5D C3 + } + + $tlocker_remove_shadow_copies = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? A1 ?? ?? ?? ?? 53 57 6A ?? 33 FF 57 50 FF 15 ?? ?? ?? ?? 8B D8 + 3B DF 0F 84 DC 00 00 00 56 8D B5 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 0A C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 73 5E B8 ?? ?? ?? ?? 8B D3 2B D0 0F B7 08 66 89 0C + 02 83 C0 ?? 66 3B CF 75 F1 6A ?? 8D 95 ?? ?? ?? ?? 57 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? + 51 8D 95 ?? ?? ?? ?? 52 57 68 ?? ?? ?? ?? 57 57 57 53 57 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 0F FF + 15 ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? 8B F8 83 BD ?? ?? ?? ?? ?? 74 0B 8B B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 + 6A ?? 50 FF 15 ?? ?? ?? ?? 5E 8B C7 5F 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 8B 4D ?? 5F 33 CD B8 ?? ?? ?? ?? 5B + E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $tlocker_find_files = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 8B 0D ?? ?? ?? ?? 8B 45 ?? 53 56 57 68 ?? ?? ?? ?? 33 F6 56 51 + 89 85 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 AD 01 00 00 53 56 56 6A ?? 56 FF 15 ?? ?? ?? ?? + 85 C0 0F 88 89 01 00 00 68 ?? ?? ?? ?? 53 53 FF 15 ?? ?? ?? ?? 8B C3 8D 50 ?? 8D 9B ?? ?? ?? ?? 66 8B 08 83 C0 ?? 66 85 + C9 75 F5 2B C2 D1 F8 8B F8 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 85 C0 0F 84 4D 01 00 00 8D 95 ?? ?? ?? ?? 52 50 FF 15 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 85 C0 0F 84 15 01 00 00 F6 85 ?? ?? ?? ?? ?? 0F 84 EC 00 00 00 B9 ?? ?? 
?? ?? 8D 85 ?? ?? ?? ?? + 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 + 83 D8 ?? 85 C0 0F 84 AE 00 00 00 B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 1E 66 85 D2 74 15 66 8B 50 ?? 66 + 3B 51 ?? 75 0F 83 C0 ?? 83 C1 ?? 66 85 D2 75 DE 33 C0 EB 05 1B C0 83 D8 ?? 85 C0 74 74 8D 85 ?? ?? ?? ?? 8D 50 ?? 8B FF + 66 8B 08 83 C0 ?? 66 85 C9 75 F5 2B C2 D1 F8 03 C7 8D 44 00 ?? 85 C0 74 6C 50 A1 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? + 8B F0 85 F6 74 57 53 8D 4F ?? 51 56 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 56 56 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 50 56 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 0A C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 52 FF + 15 ?? ?? ?? ?? 85 C0 0F 85 EB FE FF FF 8B 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 50 6A ?? 51 FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? 8B 15 ?? ?? ?? ?? 53 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 4D ?? 5F 8B C6 5E 33 CD 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + (($tlocker_ep and $tlocker_get_server_data and $tlocker_remove_shadow_copies and $tlocker_find_files) and + ($tlocker_contact_server_1 or ($tlocker_contact_server_2_1 and $tlocker_contact_server_2_2))) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.VHDLocker.yara b/yara/ransomware/Win32.Ransomware.VHDLocker.yara new file mode 100644 index 0000000..1647f14 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.VHDLocker.yara 
@@ -0,0 +1,152 @@ +rule Win32_Ransomware_VHDLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "VHDLOCKER" + description = "Yara rule that detects VHDLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "VHDLocker" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 + ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B 45 ?? 6A ?? 68 + ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? 8B 45 ?? 8B 4D ?? 50 51 E8 ?? ?? + ?? ?? 83 C4 ?? 0B C2 74 ?? 53 FF 15 ?? ?? ?? ?? B0 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 33 DB 8D 95 ?? ?? ?? ?? 53 52 C6 85 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 53 50 88 9D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 9D ?? ?? + ?? ?? 89 9D ?? ?? ?? ?? 33 F6 8B FF 6A ?? 53 E8 ?? ?? ?? ?? 88 44 35 ?? 46 83 FE ?? + 7C ?? 8D 4D ?? 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D + B5 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 88 9D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8B CE 89 5D ?? E8 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 8B F4 89 A5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 6A ?? 50 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 72 ?? 8B 8D + } + + $encrypt_files_p2 = { + 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B BD ?? ?? ?? ?? 53 53 33 C9 51 33 C0 50 57 FF 15 ?? ?? + ?? ?? 85 C0 75 ?? 57 FF 15 ?? ?? ?? ?? 32 C0 E9 ?? ?? ?? ?? 53 8D 95 ?? ?? ?? ?? 52 + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 57 89 9D ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 9D ?? + ?? ?? ?? 89 9D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 8B 35 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 3B C3 0F 84 ?? ?? ?? ?? 6A ?? 
F7 D8 99 53 52 50 57 FF 15 ?? + ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 8D ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? 52 8D 95 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 8D 8D ?? ?? ?? ?? 51 50 8D 95 ?? ?? ?? + ?? 52 57 FF D6 85 C0 0F 84 ?? ?? ?? ?? 39 9D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 81 BD ?? + ?? ?? ?? ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 39 9D ?? ?? ?? ?? 77 ?? 81 BD ?? ?? ?? ?? ?? + ?? ?? ?? 0F 82 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 11 9D ?? ?? ?? ?? + 83 FA ?? 0F 84 ?? ?? ?? ?? 53 53 33 C9 51 33 C0 50 52 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B C3 8D 50 ?? 66 8B 08 83 C0 ?? 66 85 C9 + } + + $encrypt_files_p3 = { + 75 ?? 2B C2 6A ?? D1 F8 8D 8D ?? ?? ?? ?? 51 8D 14 00 A1 ?? ?? ?? ?? 52 53 50 FF D6 + 8B 15 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 6A ?? 68 ?? ?? ?? ?? 52 FF D6 8B 15 ?? + ?? ?? ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 8D 4D ?? 51 52 FF D6 8B 0D ?? ?? ?? ?? 6A + ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? 51 FF D6 8B 0D ?? ?? ?? ?? 6A ?? 8D 95 + ?? ?? ?? ?? 52 6A ?? 8D 85 ?? ?? ?? ?? 50 51 FF D6 EB ?? 8B 9D ?? ?? ?? ?? 6A ?? 33 + C9 51 51 B8 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 DB EB ?? 83 85 ?? ?? + ?? ?? ?? 11 9D ?? ?? ?? ?? 53 8D 95 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + 50 57 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B 4D ?? 8B 55 + ?? 8B B5 ?? ?? ?? ?? 51 52 8D BD ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 8D 85 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B D6 52 FF 15 ?? ?? ?? ?? 33 C9 + 51 51 33 C0 51 50 A1 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 51 FF 15 ?? + ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 53 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 94 C0 8B 4D ?? 64 + 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C5 89 45 ?? 53 56 68 ?? ?? ?? ?? 33 F6 + 8D 8D ?? ?? ?? ?? 
33 C0 56 51 66 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 57 8D 95 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? + 52 FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 83 FB ?? 0F 84 ?? ?? ?? ?? EB ?? 8D 9B + ?? ?? ?? ?? 8A 85 ?? ?? ?? ?? A8 ?? 0F 85 ?? ?? ?? ?? A8 ?? 0F 84 ?? ?? ?? ?? 57 8D + 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? + ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? E9 + ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? + 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 + } + + $find_files_p2 = { + D8 ?? 3B C6 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 66 8B 10 66 3B 11 75 + ?? 66 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 + C0 EB ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 BB ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? E9 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 90 + 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 + ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 8B FF 66 8B 10 66 3B 11 75 ?? 66 3B D6 74 ?? 66 8B 50 ?? 66 3B 51 + ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 3B D6 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 3B C6 0F 84 ?? + ?? ?? ?? 57 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? + ?? ?? 52 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 8B D1 83 C4 ?? 0B D0 89 B5 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 74 ?? 50 51 8D + 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 C4 ?? 3A C1 75 ?? 01 0D ?? ?? ?? + ?? 11 35 ?? 
?? ?? ?? EB ?? 01 0D ?? ?? ?? ?? 11 35 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 + 53 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 4D ?? 5E 33 CD + B0 ?? 5B E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $get_logical_drives_list_p1 = { + 8D 85 ?? ?? ?? ?? 50 57 89 BD ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D + 95 ?? ?? ?? ?? 68 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 57 68 ?? ?? ?? ?? 6A ?? 57 + 57 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? + ?? ?? 83 EC ?? 8B F4 89 7E ?? C7 46 ?? ?? ?? ?? ?? BF ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 + A5 ?? ?? ?? ?? C6 06 ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 + FF 89 7D ?? 83 78 ?? ?? 72 ?? 8B 00 8D 50 ?? 8D A4 24 ?? ?? ?? ?? 8A 08 40 84 C9 75 + ?? 57 8D 8D ?? ?? ?? ?? 2B C2 51 50 83 EC ?? 8B F4 89 7E ?? C7 46 ?? ?? ?? ?? ?? BF + ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 A5 ?? ?? ?? ?? C6 06 ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? + ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? 83 C4 ?? 39 70 ?? 72 ?? 8B 00 50 53 FF 15 ?? ?? ?? + ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? + ?? ?? 39 B5 ?? ?? ?? ?? 72 ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 53 FF 15 + ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 + D2 74 ?? 66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB + } + + $get_logical_drives_list_p2 = { + 1B C0 83 D8 ?? 85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BE ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 89 B5 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CE D3 E2 85 95 ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 8D 4E ?? 66 89 8D ?? ?? ?? ?? 33 C9 6A ?? 51 8D 95 ?? ?? ?? ?? 52 C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? 66 89 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 FF + 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 + ?? 
?? ?? ?? 8D 8D ?? ?? ?? ?? 51 BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 6A ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? + 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? + ?? 83 EC ?? B8 ?? ?? ?? ?? 8B CC 89 A5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 83 C4 ?? BF ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 39 78 ?? 72 ?? 8B 00 8D + 50 ?? 8A 08 40 84 C9 75 ?? 6A ?? 8D 8D ?? ?? ?? ?? 51 2B C2 50 83 EC ?? B8 ?? ?? ?? + ?? 8B CC 89 A5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? + 39 78 ?? 72 ?? 8B 00 50 53 FF 15 ?? ?? ?? ?? 39 BD ?? ?? ?? ?? 72 ?? 8B 95 ?? ?? ?? + ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? BE ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 39 BD ?? ?? ?? ?? 72 ?? 8B 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 53 89 B5 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C6 85 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 46 89 B5 ?? ?? ?? ?? 83 + FE ?? 0F 8C ?? ?? ?? ?? EB ?? 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? B0 ?? 8B + 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($get_logical_drives_list_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.VegaLocker.yara b/yara/ransomware/Win32.Ransomware.VegaLocker.yara new file mode 100644 index 0000000..83a8658 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.VegaLocker.yara 
@@ -0,0 +1,100 @@ +rule Win32_Ransomware_VegaLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "VEGALOCKER" + description = "Yara rule that detects VegaLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "VegaLocker" + tc_detection_factor = 5 + + strings: + + $find_files = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 89 55 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 45 ?? 83 7D ?? ?? 74 ?? 68 ?? ?? ?? ?? 8B 45 ?? 50 E8 ?? ?? ?? + ?? 89 C3 85 DB 74 ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 FF D3 85 C0 74 + ?? 8B 45 ?? 50 8D 85 ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 + ?? 80 38 ?? 75 ?? 8B 45 ?? 80 78 ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 83 C0 ?? E8 ?? ?? + ?? ?? 8B F0 80 3E ?? 0F 84 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F0 80 3E ?? 0F 84 + ?? ?? ?? ?? EB ?? 8B 75 ?? 83 C6 ?? 8B DE 2B 5D ?? 8D 43 ?? 50 8B 45 ?? 50 8D 85 ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 46 ?? E8 ?? ?? ?? ?? 8B F8 8B C7 2B C6 + 03 C3 40 3D ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? 8B C7 2B C6 40 50 56 8D 85 ?? ?? ?? ?? 03 + C3 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 89 45 + ?? 83 7D ?? ?? 74 ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? + 8D 53 ?? 03 C2 40 3D ?? ?? ?? ?? 7F ?? C6 84 1D ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B C3 + 48 50 8D 85 ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 03 C3 40 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 E8 ?? ?? ?? ?? 40 03 D8 8B F7 80 3E ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? 50 8D 85 + ?? ?? ?? ?? 50 8B 45 ?? 50 E8 ?? ?? ?? ?? 8B 45 ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 53 56 57 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D + ?? ?? ?? ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 55 ?? 89 45 ?? 8D 45 ?? E8 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 
64 + FF 30 64 89 20 C6 85 ?? ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 + ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 E9 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 33 C0 55 68 + ?? ?? ?? ?? 64 FF 30 64 89 20 6A ?? 8B 4D ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 + 45 ?? 8B 45 ?? 8B 10 FF 12 89 85 ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? + ?? 8B 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? + 33 D2 8B 45 ?? 8B 08 FF 51 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B + 45 ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? C6 + 85 ?? ?? ?? ?? ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 + 64 89 10 EB ?? E9 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 + } + + $encrypt_files_p2 = { + 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 6A ?? 8B 4D ?? B2 ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8B 10 FF 12 89 85 ?? ?? ?? ?? 89 95 + ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 83 BD ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? EB ?? + 0F 8E ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 76 ?? EB + ?? 7E ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? 8B 85 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? + ?? 8D 45 ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8B D0 8D 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 83 FB ?? 7F ?? + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? + ?? 8D 45 ?? E8 ?? ?? ?? ?? 43 83 FB ?? 75 ?? 8B 85 ?? ?? ?? ?? 8B D0 8D 45 ?? E8 ?? + ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B D0 8B 8D ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 83 + BD ?? ?? ?? ?? ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 8D 45 ?? BA + } + + $encrypt_files_p3 = { + E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + EB ?? 8D 45 ?? E8 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 33 D2 8B 45 ?? 8B + 08 FF 51 ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? 8D 45 ?? + E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B D0 B9 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 59 55 E8 ?? ?? + ?? ?? 59 EB ?? 55 E8 ?? ?? ?? ?? 59 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D0 B9 ?? ?? ?? + ?? 8B 45 ?? E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 59 C6 85 ?? ?? ?? ?? ?? 8B 45 ?? E8 ?? + ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 50 8B 45 ?? E8 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Velso.yara b/yara/ransomware/Win32.Ransomware.Velso.yara new file mode 100644 index 0000000..c578499 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Velso.yara 
@@ -0,0 +1,230 @@ +rule Win32_Ransomware_Velso : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "VELSO" + description = "Yara rule that detects Velso ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Velso" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 89 E5 81 EC ?? ?? ?? ?? 8D 45 ?? 89 A5 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 75 ?? C6 85 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? 89 04 24 E8 ?? ?? ?? ?? 0F B6 85 ?? ?? ?? ?? C9 C3 C7 04 24 ?? ?? ?? ?? 8B 4D ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? C7 04 24 ?? ?? ?? + ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? + ?? ?? ?? 83 EC ?? 85 C0 74 ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 EC ?? + 85 C0 74 ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 84 ?? ?? + ?? ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 84 ?? ?? ?? ?? + C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 0F 84 ?? ?? ?? ?? C7 04 + 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? ?? 85 C0 51 0F 84 ?? ?? ?? ?? C7 04 24 ?? ?? ?? + ?? 8B 4D ?? E8 ?? ?? ?? ?? 85 C0 52 0F 84 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? + E8 ?? ?? ?? ?? 85 C0 51 0F 84 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 8B 4D ?? E8 ?? ?? ?? + ?? 85 C0 52 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? + ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 04 24 8B 4D ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 39 D0 74 ?? 89 + 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? + 89 04 24 C7 85 ?? ?? ?? ?? ?? 
?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 44 24 + } + + $find_files_p2 = { + 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 52 52 8D 95 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? + EB ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 52 52 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 51 51 74 ?? + 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 85 C0 52 52 74 ?? + F6 85 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 4D ?? 89 85 ?? ?? ?? ?? + 8B 45 ?? 8B 51 ?? 8D 8D ?? ?? ?? ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 51 51 89 44 24 ?? 8B 45 ?? 89 44 24 + ?? 8D 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? + ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 39 D0 74 ?? 89 04 + 24 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 39 D0 0F 84 ?? ?? ?? ?? 89 04 + 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? + 8D 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 89 + 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? EB + ?? 83 C5 ?? 83 BD ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 0F 87 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? FF 24 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 + } + + $enum_resources_p1 = { + 55 89 E5 81 EC ?? ?? ?? ?? 8D 45 ?? 89 65 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 45 ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 44 24 ?? 8B 45 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 
83 EC ?? 85 C0 74 ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 + ?? C9 C2 ?? ?? 8B 45 ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 83 EC ?? 85 C0 89 85 ?? ?? ?? ?? 74 ?? 90 8D B4 26 ?? ?? ?? ?? 8B 45 ?? C7 + 44 24 ?? ?? ?? ?? ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 55 ?? + 89 54 24 ?? 8B 85 ?? ?? ?? ?? 8D 55 ?? 89 54 24 ?? 89 44 24 ?? 8B 45 ?? 89 04 24 C7 + 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 74 ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 + 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 EC ?? 89 04 24 E8 ?? ?? ?? ?? 83 EC ?? + 85 C0 0F 94 C0 0F B6 C0 89 45 ?? E9 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B + } + + $enum_resources_p2 = { + 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 45 ?? EB ?? 8B 45 ?? 8B 40 ?? 89 85 + ?? ?? ?? ?? 83 E0 ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 85 ?? ?? ?? ?? ?? 83 45 ?? ?? 8B + 85 ?? ?? ?? ?? 39 45 ?? 0F 86 ?? ?? ?? ?? 8B 45 ?? F6 40 ?? ?? 74 ?? 8D 45 ?? 8B 4D + ?? 89 45 ?? 8B 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 83 EC ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? + 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 83 EC ?? 39 D0 0F 84 + ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 8D 45 ?? 8B + 4D ?? 89 45 ?? 8B 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? + ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 EC ?? 8B 40 ?? 89 C2 89 85 ?? ?? ?? ?? 8D 45 + ?? 85 D2 89 45 ?? B8 ?? ?? ?? ?? 74 ?? 89 14 24 E8 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 89 + 44 24 ?? 8B 85 ?? ?? ?? ?? 8D 4D ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 45 ?? 83 EC ?? 89 44 24 ?? 8B 45 ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D + 55 ?? 39 D0 0F 84 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 + } + + $encrypt_files_p1 = { + 55 89 E5 81 EC ?? ?? ?? ?? 8D 45 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? 
?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 89 A5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? + C6 45 ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 + 45 ?? ?? C7 45 ?? ?? ?? ?? ?? 03 48 ?? 89 85 ?? ?? ?? ?? A1 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 01 C7 04 24 ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 83 EC ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 4D ?? 83 EC ?? 89 85 ?? ?? ?? ?? 8B 45 ?? 8B 51 ?? 8D + 8D ?? ?? ?? ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 EC ?? 83 F8 ?? 0F 86 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 83 EC ?? 8D 8D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 85 C0 8D 8D ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 03 48 ?? C7 04 24 ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 EC ?? 39 D0 + 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B + } + + $encrypt_files_p2 = { + 40 ?? 89 44 24 ?? 8B 45 ?? 8B 00 89 44 24 ?? 8D 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? + ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 + ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 
C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? A1 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 89 94 05 ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C9 C3 03 48 ?? 8B 41 ?? 83 C8 ?? 89 04 24 C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 03 48 ?? 8B 41 ?? 83 C8 ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 83 EC ?? E9 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C5 ?? 83 BD ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 77 ?? 8B 85 + ?? ?? ?? ?? FF 24 85 ?? ?? ?? ?? 0F 0B 8B 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 39 D0 74 + ?? 89 04 24 E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 15 ?? ?? + ?? ?? 8B 40 ?? 89 94 05 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 + } + + $encrypt_files_p3 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? + ?? ?? 8B 15 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 40 ?? 89 94 05 ?? ?? ?? ?? C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 + 04 24 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D B4 26 ?? ?? ?? ?? 55 89 E5 81 + EC ?? ?? ?? ?? 8D 45 ?? 89 65 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8D 45 ?? 8B 4D ?? 89 45 ?? 8B + 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8D 45 ?? 83 EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? 
E8 ?? + ?? ?? ?? 8D 4D ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? + 8B 45 ?? 8D 55 ?? 83 EC ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 39 + } + + $encrypt_files_p4 = { + D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 55 ?? 85 D2 75 ?? C6 45 ?? ?? 8D 45 ?? 89 04 24 + E8 ?? ?? ?? ?? 0F B6 45 ?? C9 C3 8D 45 ?? 8B 4D ?? 89 45 ?? 8B 45 ?? 8B 51 ?? 8D 4D + ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 83 + EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 + 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8D 55 ?? 83 + EC ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 4D ?? 39 C8 74 ?? 89 04 24 E8 + ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 8B 4D ?? 89 45 ?? 8B 45 ?? 8B + 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 45 ?? 83 EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? + 8D 4D ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? + 8D 55 ?? 83 EC ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? 39 D0 74 ?? + 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 8B 4D ?? 89 45 + } + + $encrypt_files_p5 = { + 8B 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 45 ?? 83 EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 8D 4D ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 + ?? 8B 45 ?? 8D 55 ?? 83 EC ?? 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 8D 55 ?? + 39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 45 ?? 8B 4D + ?? 89 45 ?? 8B 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 83 EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? + ?? ?? 89 45 ?? 8B 45 ?? 8D 55 ?? 83 EC ?? 
39 D0 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 + ?? 8D 4D ?? 39 C8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D + 45 ?? 8B 4D ?? 89 45 ?? 8B 45 ?? 8B 51 ?? 8D 4D ?? 8B 00 01 C2 89 04 24 89 54 24 ?? + C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 83 EC ?? 89 44 24 ?? 8D 45 ?? 89 04 24 + C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D ?? C7 04 24 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 8D 4D ?? 83 EC ?? 39 C8 74 ?? 89 04 24 E8 ?? ?? + ?? ?? 8B 45 ?? 8D 4D ?? 39 C8 74 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 0F 84 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + } + + $encrypt_files_p6 = { + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 8B 00 + 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? 83 F8 ?? 89 85 ?? ?? ?? ?? 0F + 84 ?? ?? ?? ?? 8D 4D ?? 89 04 24 89 4C 24 ?? E8 ?? ?? ?? ?? 8B 45 ?? 83 EC ?? 3D ?? + ?? ?? ?? 77 ?? 83 E0 ?? 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 83 EC ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 + ?? 89 04 24 E8 ?? ?? ?? ?? 8D 55 ?? C7 44 24 ?? ?? ?? ?? ?? 89 C1 89 54 24 ?? 8B 45 + ?? 89 44 24 ?? 89 8D ?? ?? ?? ?? 89 4C 24 ?? 8B 95 ?? ?? ?? ?? 89 14 24 C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 83 EC ?? 3B 55 ?? 89 95 ?? ?? ?? ?? 0F 85 ?? ?? ?? + ?? 8B 45 ?? 8B 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C1 E8 ?? 89 8D ?? ?? ?? ?? 85 C0 + 89 85 ?? ?? ?? ?? 74 ?? 8B 45 ?? 89 44 24 ?? 8B 85 ?? ?? ?? ?? 89 44 24 ?? 89 85 ?? + ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 45 ?? ?? 83 85 ?? ?? ?? ?? + ?? 8B 55 ?? 39 95 ?? ?? ?? ?? 75 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 + } + + $encrypt_files_p7 = { + C7 44 24 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 8D 4D ?? 83 EC ?? C7 44 24 ?? ?? ?? ?? ?? 89 4C 24 ?? 8B 8D ?? ?? ?? ?? 89 4C 24 + ?? 8B 95 ?? ?? ?? ?? 89 54 24 ?? 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 8B 8D ?? + ?? ?? ?? 83 EC ?? 
3B 4D ?? 74 ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 51 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 95 ?? ?? + ?? ?? 89 14 24 E8 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 89 0C 24 E8 ?? ?? ?? ?? C6 45 ?? + ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 04 24 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 52 + 8B 85 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 45 ?? 89 44 24 + ?? 8D 45 ?? 89 04 24 E8 ?? ?? ?? ?? 8B 45 ?? 89 44 24 ?? 8B 45 ?? 8B 00 89 04 24 C7 + 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 50 8D 4D ?? 8B 45 ?? 39 C8 74 ?? 89 04 24 E8 ?? + ?? ?? ?? C6 45 ?? ?? E9 ?? ?? ?? ?? 89 45 ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($enum_resources_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.WannaCry.yara b/yara/ransomware/Win32.Ransomware.WannaCry.yara new file mode 100644 index 0000000..5b50309 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.WannaCry.yara 
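Review bot: The `condition:` of `Win32_Ransomware_Velso` lists `all of ($encrypt_files_p*)` twice as two separate `and` clauses; the duplicate does not change what matches but reads as a copy-paste slip and makes the rule evaluate the same string group a second time. Dropping the trailing `and ( all of ($encrypt_files_p*) )` leaves `uint16(0) == 0x5A4D and all of ($enum_resources_p*) and all of ($find_files_p*) and all of ($encrypt_files_p*)`, which is the whole intended condition. Separately, `sharing = "TLP:WHITE"` is the pre-TLP-2.0 label (renamed TLP:CLEAR); keeping it as upstream metadata is fine, but worth knowing if these rules are redistributed with a sharing policy attached.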
@@ -0,0 +1,135 @@ +import "pe" + +rule Win32_Ransomware_WannaCry : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WANNACRY" + description = "Yara rule that detects WannaCry ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "WannaCry" + tc_detection_factor = 5 + + strings: + $main_1 = { + A0 ?? ?? ?? ?? 56 57 6A ?? 88 85 ?? ?? ?? ?? 59 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB + AA 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? 6A ?? 50 FF D6 59 85 C0 59 74 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF D6 59 88 + 18 59 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 53 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F 5E 85 + C0 74 ?? 8D 45 ?? 8D 8D ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 89 5D + } + + $main_2 = { + 68 ?? ?? ?? ?? 33 DB 50 53 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF 15 + ?? ?? ?? ?? 83 38 ?? 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 00 FF 70 ?? E8 ?? ?? + ?? ?? 59 85 C0 59 75 ?? 53 E8 ?? ?? ?? ?? 85 C0 59 74 ?? BE ?? ?? ?? ?? 53 8D 85 ?? + ?? ?? ?? 56 50 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? E8 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF D6 59 85 C0 + 59 74 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF D6 59 88 18 59 8D 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 53 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 53 68 ?? ?? ?? ?? E8 + } + + $main_3 = { + 83 EC ?? 56 57 B9 ?? ?? ?? ?? BE ?? ?? ?? ?? 8D 7C 24 ?? 33 C0 F3 A5 A4 89 44 24 ?? + 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 89 44 24 ?? 66 89 44 24 ?? 50 50 50 6A ?? 50 88 + 44 24 ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 8D 4C 24 ?? 8B F0 6A ?? 51 56 + FF 15 ?? ?? ?? ?? 8B F8 56 8B 35 ?? ?? ?? ?? 85 FF 75 ?? FF D6 6A ?? 
FF D6 E8 + } + + $start_service_3 = { + 83 EC ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 + 38 ?? 7D ?? E8 ?? ?? ?? ?? 83 C4 ?? C3 57 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? + ?? 8B F8 85 FF 74 ?? 53 56 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B 1D + ?? ?? ?? ?? 8B F0 85 F6 74 ?? 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF D3 57 FF D3 5E + 5B 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 5F 83 C4 ?? C3 + } + + $main_4 = { + 83 EC ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B F8 85 FF 74 ?? 53 56 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B F0 85 F6 74 ?? + 6A ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 56 FF D3 57 FF D3 5E 5B 8D 44 24 ?? C7 44 24 ?? ?? + ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 33 C0 5F 83 C4 ?? C2 + } + + $main_5 = { + 68 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 + FF D6 59 85 C0 59 74 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF D6 59 88 18 59 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 53 53 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F 5E 85 C0 74 ?? 8D 45 ?? 8D + 8D ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 89 5D ?? E8 ?? ?? ?? ?? 3B C3 74 ?? FF 75 ?? 50 E8 + ?? ?? ?? ?? 59 3B C3 59 74 ?? 68 ?? ?? ?? ?? 50 E8 + } + + $main_6 = { + FF 74 24 ?? FF 74 24 ?? FF 74 24 ?? FF 74 24 ?? E8 ?? ?? ?? ?? C2 + } + + $set_reg_key_6 = { + 68 ?? ?? ?? ?? F3 AB 66 AB AA 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 50 FF 15 ?? ?? ?? + ?? 8B 2D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 83 C4 ?? 33 FF 89 7C 24 ?? 85 FF 75 ?? 8D 4C + 24 ?? 8D 54 24 ?? 51 52 68 ?? ?? ?? ?? EB ?? 8D 44 24 ?? 8D 4C 24 ?? 50 51 68 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B 44 24 ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 85 + C9 74 ?? 8D 94 24 ?? ?? ?? ?? 52 68 ?? ?? ?? ?? FF D5 8D BC 24 ?? ?? ?? ?? 83 C9 ?? 
+ 33 C0 F2 AE F7 D1 8D 84 24 ?? ?? ?? ?? 51 8B 4C 24 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? + 51 FF D3 8B 7C 24 ?? 8B F0 F7 DE 1B F6 46 EB ?? 8D 54 24 ?? 8D 8C 24 ?? ?? ?? ?? 52 + 51 6A ?? 6A ?? 68 ?? ?? ?? ?? 50 C7 44 24 ?? ?? ?? ?? ?? FF 15 + } + + $download_tor_6 = { + 81 EC ?? ?? ?? ?? 53 55 56 57 E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? A0 ?? ?? ?? ?? + B9 ?? ?? ?? ?? 88 44 24 ?? 33 C0 8D 7C 24 ?? 8B 35 ?? ?? ?? ?? F3 AB 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? 66 AB 68 ?? ?? ?? ?? 8D 4C 24 ?? 33 ED 68 ?? ?? ?? ?? 51 89 2D ?? ?? + ?? ?? 89 2D ?? ?? ?? ?? AA FF D6 8B 1D ?? ?? ?? ?? 83 C4 ?? 8D 54 24 ?? 52 FF D3 83 + F8 ?? 0F 85 ?? ?? ?? ?? 55 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 84 + C0 75 ?? 5F 5E 5D 5B 81 C4 ?? ?? ?? ?? C3 A0 ?? ?? ?? ?? B9 ?? ?? ?? ?? 88 84 24 ?? + ?? ?? ?? 33 C0 8D BC 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? F3 AB 66 AB 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 51 AA FF D6 83 C4 ?? 8D 94 24 ?? ?? ?? + ?? 52 FF D3 83 F8 ?? 75 ?? 5F 5E 5D 32 C0 5B 81 C4 ?? ?? ?? ?? C3 + } + + $main_7 = { + 68 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 + FF D6 59 85 C0 59 74 ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 FF D6 59 88 18 59 8D 85 ?? ?? ?? + ?? 50 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 59 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 53 53 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F 5E 85 C0 74 ?? 8D 45 ?? 8D + 8D ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 53 8F 45 ?? E8 ?? ?? ?? ?? 39 44 24 ?? 74 ?? 89 44 + 24 ?? 83 EC ?? 2B C3 58 74 ?? FF 75 ?? 50 E8 ?? ?? ?? ?? 59 89 44 24 ?? 83 EC ?? 2B + C3 58 59 74 ?? 68 ?? ?? ?? ?? 50 E8 + } + + $main_8 = { + 68 ?? ?? ?? ?? F3 AB 66 AB AA 8D 44 24 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? + ?? 8D 4C 24 ?? 6A ?? 51 FF D6 83 C4 ?? 85 C0 74 ?? 8D 54 24 ?? 6A ?? 52 FF D6 83 C4 + ?? C6 00 ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F + 5E 85 C0 74 ?? 8D 4C 24 ?? C7 44 24 ?? 
?? ?? ?? ?? 51 68 ?? ?? ?? ?? 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 54 24 ?? 52 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 50 E8 + } + + $entrypoint_all = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? + ?? 83 EC ?? 53 56 57 89 65 ?? 33 DB 89 5D ?? 6A ?? FF 15 ?? ?? ?? ?? 59 83 0D ?? ?? + ?? ?? ?? 83 0D ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 08 FF 15 ?? ?? + ?? ?? 8B 0D ?? ?? ?? ?? 89 08 A1 ?? ?? ?? ?? 8B 00 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 39 + 1D ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 59 E8 ?? ?? ?? ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 FF 35 ?? ?? ?? + ?? 8D 45 ?? 50 8D 45 ?? 50 8D 45 ?? 50 FF 15 + } + + condition: + uint16(0) == 0x5A4D and + ($entrypoint_all at pe.entry_point) and + ($main_1 or $main_2 or ($main_3 and $start_service_3) or $main_4 or $main_5 or ($main_6 and ($set_reg_key_6 or $download_tor_6)) or $main_7 or $main_8) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.WaspLocker.yara b/yara/ransomware/Win32.Ransomware.WaspLocker.yara new file mode 100644 index 0000000..a6be1dd --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.WaspLocker.yara 
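Review bot: The condition pairs each `$main_N` with helper strings sharing its numeric suffix (`$start_service_3`, `$set_reg_key_6`, `$download_tor_6`), but nothing in the rule says that the suffix encodes a variant, or that the 14-byte `$main_6` is only trusted when one of its helpers co-occurs; a one-line comment above `strings:` would keep that pairing maintainable, e.g. `// _N suffix groups a $main_N variant with the helper strings that must co-occur with it`. Note also that `$entrypoint_all at pe.entry_point` is required by every branch, so the rule stays silent on any sample whose headers the `pe` module cannot parse even though the `uint16(0) == 0x5A4D` check passes; that strictness appears intended, and if so it is worth stating in `description`.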
@@ -0,0 +1,76 @@ +rule Win32_Ransomware_WaspLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WASPLOCKER" + description = "Yara rule that detects WaspLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "WaspLocker" + tc_detection_factor = 5 + + strings: + + $find_files = { + 50 50 8D 8D ?? ?? ?? ?? 51 8D 8D ?? ?? ?? ?? 51 50 50 50 56 FF 15 ?? ?? ?? ?? 85 C0 + 75 ?? 57 53 E8 ?? ?? ?? ?? 8D 4E ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + A8 ?? 75 ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? A8 ?? 0F 85 ?? ?? + ?? ?? 8D 85 ?? ?? ?? ?? 50 57 FF 15 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 3B 85 ?? ?? ?? ?? 76 ?? 8D 85 ?? ?? ?? ?? + 50 E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 59 03 C2 B9 ?? ?? ?? ?? 3B C1 + 7D ?? 8D 85 ?? ?? ?? ?? 2B CA 50 51 FF B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 + 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 74 ?? 83 F8 ?? 75 ?? EB ?? 85 DB 0F 84 + ?? ?? ?? ?? C7 43 ?? ?? ?? ?? ?? 85 FF 75 ?? 33 C0 EB ?? 57 E8 ?? ?? ?? ?? 59 50 57 + 8D 4B ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 4E ?? E8 ?? ?? ?? ?? 33 C0 40 E8 ?? ?? ?? + ?? C2 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC 6A ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 + F6 89 75 ?? 33 FF 89 7D ?? 21 75 ?? 21 75 ?? 39 3D ?? ?? ?? ?? 75 ?? 8D 45 ?? 50 E8 + ?? ?? ?? ?? 8B F8 89 7D ?? 85 FF 74 ?? FF 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B F0 89 75 ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C6 E8 ?? ?? ?? ?? C2 + } + + $drop_aux_files = { + A1 ?? ?? ?? ?? 89 01 A1 ?? ?? ?? ?? 68 ?? ?? ?? ?? 89 41 ?? 66 A1 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 6A ?? 66 89 41 ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 74 ?? 56 6A ?? FF 15 ?? ?? + ?? ?? 89 85 ?? ?? ?? ?? 85 C0 74 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 50 FF 15 + ?? ?? ?? ?? 8B F8 85 FF 74 ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 ?? 
?? ?? ?? 8B + F0 83 C4 ?? 85 F6 74 ?? 56 FF B5 ?? ?? ?? ?? 6A ?? 57 E8 ?? ?? ?? ?? 6A ?? 6A ?? 56 + E8 ?? ?? ?? ?? 83 C4 ?? 56 E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 + ?? ?? ?? ?? BA ?? ?? ?? ?? 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? + ?? ?? 56 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 6A ?? 56 FF 15 ?? ?? + ?? ?? 50 89 85 ?? ?? ?? ?? E8 + } + + $drop_ransom_notes = { + 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 84 C0 + 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E8 + ?? ?? ?? ?? 8B C8 85 C9 0F 84 ?? ?? ?? ?? 8B 01 8B 40 ?? FF D0 83 C0 ?? 89 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 8B C8 85 C9 0F 84 ?? ?? ?? ?? 8B 01 8B 40 ?? FF D0 83 C0 ?? 89 85 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 84 C0 75 ?? B9 ?? ?? ?? ?? 8D + 51 ?? 90 8A 01 41 84 C0 75 ?? 2B CA 51 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? C6 45 ?? ?? E8 ?? ?? ?? ?? 8B C8 85 C9 0F 84 ?? ?? ?? ?? 8B 01 8B 40 ?? FF D0 83 + C0 ?? 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? + 84 C0 75 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + $drop_aux_files + ) and + ( + $drop_ransom_notes + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Wastedlocker.yara b/yara/ransomware/Win32.Ransomware.Wastedlocker.yara new file mode 100644 index 0000000..10f0c91 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Wastedlocker.yara 
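Review bot: The condition wraps each of the three strings in its own parenthesised clause, `($find_files) and ($drop_aux_files) and ($drop_ransom_notes)`, which is exactly what `all of them` expresses since those are the only strings the rule declares; `uint16(0) == 0x5A4D and all of them` is equivalent and reads more clearly. The parenthesised form looks carried over from the sibling rules that use `all of ($prefix_p*)` groups, where the parentheses do separate distinct groups. This is style only; matching behaviour is unchanged.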
@@ -0,0 +1,86 @@ +rule Win32_Ransomware_WastedLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WASTEDLOCKER" + description = "Yara rule that detects WastedLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "WastedLocker" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 55 8B EC 83 EC ?? 83 65 ?? ?? 57 68 ?? ?? ?? ?? 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 8B F8 85 FF 0F 84 ?? ?? ?? ?? 8B 4D ?? 8B 45 ?? 53 8B 5D ?? 8D 04 41 89 45 ?? + C7 00 ?? ?? ?? ?? 8B 43 ?? 57 51 89 45 ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 89 45 ?? 0F 84 + ?? ?? ?? ?? 56 8D 47 ?? 66 83 38 ?? 75 ?? 0F B7 4F ?? 66 85 C9 0F 84 ?? ?? ?? ?? 66 + 83 F9 ?? 75 ?? 66 83 7F ?? ?? 0F 84 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 8B F0 + 8D 14 0E B8 ?? ?? ?? ?? 3B D0 89 55 ?? 0F 83 ?? ?? ?? ?? F6 07 ?? 0F 85 ?? ?? ?? ?? + 8B 45 ?? 85 C0 74 ?? 83 7F ?? ?? 75 ?? 39 47 ?? 0F 82 ?? ?? ?? ?? 8D 44 36 ?? 50 8D + 47 ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 83 C4 ?? 85 C9 74 ?? 8B 45 ?? 83 C0 ?? 50 + E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 4D ?? 85 C9 74 ?? 8B 45 ?? 83 C0 ?? 50 E8 + ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 03 C6 8D 44 00 ?? 83 C0 ?? 50 6A ?? FF + 35 ?? ?? ?? ?? 89 45 ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? FF 75 ?? 6A + ?? 56 E8 ?? ?? ?? ?? 8B 45 ?? 8D 44 00 ?? 50 FF 75 ?? 8D 46 ?? 50 89 76 ?? 89 36 E8 + ?? ?? ?? ?? 8B 45 ?? 89 46 ?? 8B 45 ?? 89 46 ?? 8B 07 89 46 ?? 8B 47 ?? 89 46 ?? 8B + } + + $find_files_p2 = { + 47 ?? 89 46 ?? 8B 47 ?? 89 46 ?? 8B 47 ?? 83 C4 ?? 89 46 ?? 83 3B ?? 74 ?? 53 FF 15 + ?? ?? ?? ?? 8D 43 ?? 8B 48 ?? 89 06 89 4E ?? 89 31 89 70 ?? FF 43 ?? 83 7B ?? ?? 74 + ?? 8B 43 ?? 83 F8 ?? 75 ?? FF 73 ?? FF 15 ?? ?? ?? ?? 83 3B ?? 0F 84 ?? ?? ?? ?? 53 + FF 15 ?? ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? EB ?? F6 45 ?? ?? 74 ?? 8D 4C 0E ?? 3B + C8 73 ?? 8D 04 36 50 8D 47 ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 
8B 4D ?? 8B 45 ?? 8D 04 41 + 66 83 60 ?? ?? 83 C4 ?? 83 7D ?? ?? 66 C7 00 ?? ?? 74 ?? 83 C1 ?? 51 8B 4D ?? E8 ?? + ?? ?? ?? 85 C0 75 ?? 8B 4D ?? FF 75 ?? 8B 45 ?? 53 FF 75 ?? 8D 44 06 ?? FF 75 ?? 50 + 51 E8 ?? ?? ?? ?? 89 45 ?? EB ?? C7 45 ?? ?? ?? ?? ?? 83 7D ?? ?? 74 ?? F6 45 ?? ?? + 74 ?? 83 65 ?? ?? 83 7D ?? ?? 75 ?? 57 FF 75 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 43 + ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? FF 75 ?? FF 15 ?? ?? ?? ?? 5E 57 6A ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 5B EB + ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 5F C9 C2 + } + + $encrypt_files_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 FF 75 ?? 8B 3D ?? ?? ?? ?? FF 75 ?? FF D7 85 C0 + 0F 84 ?? ?? ?? ?? FF 75 ?? 8D 75 ?? E8 ?? ?? ?? ?? 83 F8 ?? 89 45 ?? 75 ?? FF 75 ?? + FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 74 ?? F6 C3 ?? 74 ?? 83 E0 ?? 50 FF 75 ?? FF 15 ?? + ?? ?? ?? 85 C0 75 ?? 33 DB 85 DB 89 5D ?? 0F 84 ?? ?? ?? ?? FF 75 ?? 8D 75 ?? E8 ?? + ?? ?? ?? 89 45 ?? EB ?? 83 65 ?? ?? 33 C9 39 4D ?? 0F 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 39 4D ?? 74 ?? 8B 45 ?? 8B 10 8B 40 ?? C1 65 ?? ?? 89 55 ?? 89 45 + ?? EB ?? C7 45 ?? ?? ?? ?? ?? 89 4D ?? 89 4D ?? 8B 45 ?? 89 45 ?? 89 4D ?? 89 4D ?? + 8B 5D ?? 33 F6 8B 45 ?? 85 C0 89 45 ?? 74 ?? 3B D8 73 ?? 89 5D ?? 2B 45 ?? 89 45 ?? + 75 ?? 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? 8B 7D ?? 8D 45 ?? 50 57 8D 47 ?? 50 FF 75 + ?? 8B 45 ?? 03 C6 50 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 03 75 ?? 85 C0 89 45 ?? 0F + } + + $encrypt_files_p2 = { + 85 ?? ?? ?? ?? 2B 5D ?? 75 ?? EB ?? 8B 7D ?? 8B 45 ?? 0B 45 ?? 0F 84 ?? ?? ?? ?? 33 + C0 3B 45 ?? 77 ?? 72 ?? 3B 5D ?? 73 ?? 8B C3 EB ?? 8B 45 ?? 29 45 ?? 8B 4D ?? 83 5D + ?? ?? 0B 4D ?? 75 ?? 8B 4D ?? 89 4D ?? 03 F0 2B D8 0F 85 ?? ?? ?? ?? 8B 45 ?? 8B 4D + ?? 0F AC C8 ?? C1 E9 ?? 85 C0 74 ?? B9 ?? ?? ?? ?? F7 E1 29 45 ?? 19 55 ?? 01 45 ?? + 11 55 ?? 83 7D ?? ?? 75 ?? 8D 75 ?? E8 ?? ?? ?? ?? 85 C0 89 45 ?? 0F 84 ?? ?? ?? ?? + 8B 7D ?? 8D 47 ?? 50 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
33 F6 39 75 ?? 74 ?? 83 7D ?? + ?? 74 ?? 8B 4D ?? 8B 45 ?? 8B D1 0B D0 74 ?? 0F AC C1 ?? C1 E8 ?? 83 4F ?? ?? 89 4F + ?? 89 75 ?? 39 75 ?? 74 ?? FF 75 ?? FF 15 ?? ?? ?? ?? FF 75 ?? FF 15 ?? ?? ?? ?? 39 + 75 ?? 74 ?? FF 75 ?? FF 75 ?? FF 15 ?? ?? ?? ?? EB ?? 8B 45 ?? 89 45 ?? 85 DB 0F 85 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 01 75 ?? 83 55 ?? ?? E9 ?? ?? ?? ?? FF 75 ?? FF 75 ?? FF + D7 EB ?? FF 15 ?? ?? ?? ?? 89 45 ?? 8B 45 ?? 5F 5E 5B C9 C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.WinWord64.yara b/yara/ransomware/Win32.Ransomware.WinWord64.yara new file mode 100644 index 0000000..f332568 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.WinWord64.yara 
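Review bot: The new file is added as `Win32.Ransomware.Wastedlocker.yara` while the rule inside it is `Win32_Ransomware_WastedLocker` with `malware = "WASTEDLOCKER"`, and every sibling in this commit uses CamelCase matching its rule name (`Win32.Ransomware.WaspLocker.yara`, `Win32.Ransomware.WinWord64.yara`). Renaming it to `Win32.Ransomware.WastedLocker.yara` keeps file name and rule name in step, which matters if anything — a loader, a glob, or a case-sensitive checkout — ever keys on the file name; the rule body itself needs no change.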
@@ -0,0 +1,215 @@
+rule Win32_Ransomware_WinWord64 : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "WINWORD64"
+ description = "Yara rule that detects WinWord64 ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "WinWord64"
+ tc_detection_factor = 5
+
+ strings:
+
+ $remote_connection_p1 = {
+ 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ??
+ 33 C5 89 45 ?? 53 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 89 8D ?? ?? ?? ?? A1 ?? ?? ??
+ ?? 33 DB 83 3D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 0F 43 0D ?? ?? ?? ??
+ 03 C1 89 9D ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 43 0D ?? ?? ?? ?? 51
+ 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 53 89 5D ?? 8D 85 ?? ?? ?? ?? 83 BD ?? ??
+ ?? ?? ?? 53 0F 43 85 ?? ?? ?? ?? 6A ?? 50 FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ??
+ 85 DB 0F 84 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? A1 ?? ?? ?? ?? 0F 43 0D
+ ?? ?? ?? ?? 03 C1 83 3D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F 43 0D ?? ?? ?? ?? 51 50 51
+ 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 45 ?? 6A ?? 0F 43 45 ?? 68 ?? ?? ?? ?? 50 53
+ FF 15 ?? ?? ?? ?? 8B 55 ?? 8B D8 89 9D ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 8D 14 55
+ ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ??
+ 76 ?? FF 15 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? C7
+ 45 ?? ?? ?? ?? ?? 66 89 45 ?? 85 DB 0F 84 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? B9 ?? ??
+ ?? ?? A1 ?? ?? ?? ?? 0F 43 0D ?? ?? ?? ?? 03 C1 83 3D ?? ?? ?? ?? ?? B9
+ }
+
+ $remote_connection_p2 = {
+ 0F 43 0D ?? ?? ?? ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D BD ??
+ ?? ?? ?? 83 BD ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? A1 ?? ?? ?? ?? 0F 43 BD ?? ?? ?? ?? 83
+ 3D ?? ?? ?? ?? ?? 0F 43 0D ?? ?? ?? ?? 03 C1 83 3D ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? 0F
+ 43 0D ?? ?? ?? ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 7D ?? ??
8D 85 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 50 57 53 FF 15 ?? ?? ?? + ?? 8B 55 ?? 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? + 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 + E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 45 ?? ?? ?? ?? ?? 88 45 ?? 8B 95 ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? + ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 ?? + FF 15 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4D ?? E8 ?? ?? + ?? ?? C6 45 ?? ?? 8D 4D ?? 83 7D ?? ?? 8B 45 ?? 0F 43 4D ?? 03 C1 83 7D ?? ?? 8D 4D + ?? 0F 43 4D ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8D 85 ?? ?? ?? + ?? 83 BD ?? ?? ?? ?? ?? 8D 4D ?? 68 ?? ?? ?? ?? 0F 43 85 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? C6 45 ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? B9 ?? ?? + ?? ?? 83 3D ?? ?? ?? ?? ?? 8B 75 ?? 8B C6 0F 43 0D ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 8B + } + + $remote_connection_p3 = { + 55 ?? 2B C2 57 51 3B F8 77 ?? 8D 04 3A 83 FE ?? 89 45 ?? 8D 45 ?? 0F 43 45 ?? 8D 34 + 10 56 E8 ?? ?? ?? ?? 83 C4 ?? C6 04 37 ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 + ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 8B 75 ?? 8B C6 + 8B BD ?? ?? ?? ?? 0F 43 CF 8B 55 ?? 2B C2 8B 9D ?? ?? ?? ?? 53 51 3B D8 77 ?? 8D 04 + 1A 83 FE ?? 89 45 ?? 8D 45 ?? 0F 43 45 ?? 8D 34 10 56 E8 ?? ?? ?? ?? 83 C4 ?? C6 04 + 1E ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? FF B5 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 8B BD + ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? B9 ?? ?? ?? ?? 83 3D ?? ?? + ?? ?? ?? 8B 75 ?? 8B C6 0F 43 0D ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 55 ?? 2B C2 53 51 + 3B D8 77 ?? 8D 04 1A 83 FE ?? 89 45 ?? 8D 45 ?? 0F 43 45 ?? 8D 34 10 56 E8 ?? ?? ?? + ?? 83 C4 ?? C6 04 33 ?? EB ?? C6 85 ?? ?? ?? ?? ?? 8D 4D ?? 
FF B5 ?? ?? ?? ?? 53 E8 + ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 8B 45 ?? 0F 43 + D3 8B 75 ?? 2B C6 8B 8D ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D 04 0E 89 45 ?? + 8D 45 ?? 0F 43 45 ?? 03 F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? C6 04 06 ?? + EB ?? C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 8B 9D ?? ?? + ?? ?? 83 3D ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 0F 43 15 ?? ?? ?? ?? 8B + } + + $remote_connection_p4 = { + 45 ?? 8B 75 ?? 2B C6 89 8D ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D 04 0E 89 45 + ?? 8D 45 ?? 0F 43 45 ?? 03 F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? C6 04 30 + ?? EB ?? C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 45 ?? ?? 8B D0 83 78 ?? ?? 72 ?? 8B 10 + 8B 48 ?? 8B 45 ?? 8B 75 ?? 2B C6 89 8D ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D + 04 0E 89 45 ?? 8D 45 ?? 0F 43 45 ?? 03 F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 + ?? C6 04 30 ?? EB ?? C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? + ?? C6 45 ?? ?? 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 42 8B C1 81 FA ?? + ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 ?? FF 15 ?? ?? ?? ?? 52 + 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? E8 ?? ?? ?? ?? C6 45 ?? ?? BA ?? ?? ?? ?? 83 3D + ?? ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 0F 43 15 ?? ?? ?? ?? 8B 45 ?? 8B 75 ?? 2B C6 89 8D + ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D 04 0E 89 45 ?? 8D 45 ?? 0F 43 45 ?? 03 + F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? C6 04 30 ?? EB ?? C6 85 ?? ?? ?? ?? + ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 83 7D ?? ?? 8D 55 ?? 8B 4D ?? 0F 43 + 55 ?? 8B 45 ?? 8B 75 ?? 2B C6 89 8D ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D 04 + 0E 89 45 ?? 8D 45 ?? 0F 43 45 ?? 03 F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? + C6 04 30 ?? EB ?? C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? + 83 3D ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 0D ?? ?? 
?? ?? 0F 43 15 ?? ?? ?? ?? 8B 45 ?? + 8B 75 ?? 2B C6 89 8D ?? ?? ?? ?? 51 52 3B C8 77 ?? 83 7D ?? ?? 8D 04 31 89 45 ?? 8D + } + + $remote_connection_p5 = { + 45 ?? 0F 43 45 ?? 03 F0 56 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C4 ?? C6 04 30 ?? EB + ?? C6 85 ?? ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 51 8D 4D ?? E8 ?? ?? ?? ?? 8B B5 ?? ?? ?? + ?? 85 F6 74 ?? 8B 45 ?? 8D 4D ?? 83 7D ?? ?? 6A ?? 0F 43 4D ?? 50 50 51 6A ?? FF B5 + ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 8D ?? + ?? ?? ?? 51 68 ?? ?? ?? ?? 50 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 F6 8B 35 ?? + ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? 50 FF D6 8B 85 ?? ?? ?? ?? 85 C0 74 ?? 50 FF D6 8B + 85 ?? ?? ?? ?? 85 C0 74 ?? 50 FF D6 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA + ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 52 51 + E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? + C6 45 ?? ?? 83 F8 ?? 72 ?? 8D 48 ?? 8B C3 81 F9 ?? ?? ?? ?? 72 ?? 8B 5B ?? 83 C1 ?? + 2B C3 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 51 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 85 ?? ?? + ?? ?? 83 F8 ?? 72 ?? 8D 48 ?? 8B C7 81 F9 ?? ?? ?? ?? 72 ?? 8B 7F ?? 83 C1 ?? 2B C7 + } + + $remote_connection_p6 = { + 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? ?? ?? 51 57 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 83 FA ?? + 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 + F8 ?? 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 + ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? + 0F 87 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 4D ?? + 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 + 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 95 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? 
+ ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? + ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 ?? FF 15 ?? ?? ?? ?? 52 + 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 4D ?? 33 CD + E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $encrypt_files_p1 = { + FF 15 ?? ?? ?? ?? 83 7D ?? ?? 8D 55 ?? 8B 4D ?? 0F 43 55 ?? 03 CA 89 85 ?? ?? ?? ?? + 83 7D ?? ?? 8D 45 ?? 51 0F 43 45 ?? 51 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 + 7F ?? ?? 72 ?? 8B 3F 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? + ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 + ?? FF 15 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 83 7D ?? ?? 8D 4D ?? 66 89 85 ?? ?? ?? ?? 0F 43 4D ?? 8B 45 ?? 03 C1 C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? 83 7D ?? ?? 8D 4D ?? 0F 43 4D ?? 51 50 51 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 8B F0 83 7E ?? ?? 72 ?? 8B 36 8B 95 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? + ?? ?? 8D 14 55 ?? ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 + C0 ?? 83 F8 ?? 76 ?? FF 15 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 50 6A ?? 68 ?? ?? ?? ?? 57 8B 3D ?? ?? + ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? FF D7 89 85 ?? ?? ?? ?? 83 + F8 ?? 0F 84 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 FF + D7 89 85 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 33 C9 BA + } + + $encrypt_files_p2 = { + 8D 40 ?? F7 E2 0F 90 C1 F7 D9 0B C8 51 E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? BA ?? ?? + ?? ?? 8B 0D ?? ?? ?? ?? 0F 43 15 ?? ?? ?? ?? 03 CA 89 85 ?? ?? ?? ?? 83 3D ?? ?? ?? + ?? ?? B8 ?? ?? ?? ?? 8B B5 ?? ?? ?? ?? 0F 43 05 ?? ?? ?? ?? 51 50 8B CE E8 ?? ?? ?? + ?? A1 ?? ?? ?? ?? 83 C4 ?? 33 C9 68 ?? ?? ?? ?? 6A ?? 56 66 89 0C 46 8D 85 ?? ?? ?? + ?? 51 50 FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A ?? FF B5 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 
C6 85 ?? ?? ?? ?? ?? 8B 55 ?? 83 FA ?? 72 ?? 8B 4D ?? 42 + 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 0F 87 ?? ?? + ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C6 45 ?? ?? 83 FA ?? 72 ?? 8B 4D ?? 42 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 + C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 77 ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8B 55 ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? 83 FA ?? 0F 82 ?? ?? ?? ?? 8B 4D ?? 42 + 8B C1 81 FA ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? + 0F 86 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? + 8D 45 ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? FF B5 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF B5 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? + 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 33 FF 33 F6 57 FF B5 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 57 89 85 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 + } + + $encrypt_files_p3 = { + 8B 85 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 03 F8 8D 85 ?? ?? ?? ?? 3B + BD ?? ?? ?? ?? 50 8D 85 ?? ?? ?? ?? 0F 44 F1 50 6A ?? 56 6A ?? FF B5 ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 6A ?? 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 50 + FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 74 + ?? 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? + ?? 6A ?? 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + B9 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 6A ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF + B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF B5 ?? ?? ?? + ?? 8B 35 ?? ?? ?? ?? FF D6 FF B5 ?? 
?? ?? ?? FF D6 C6 85 ?? ?? ?? ?? ?? E9 ?? ?? ?? + ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 8A 85 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 59 + 5F 5E 8B 4D ?? 33 CD E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + $find_files = { + 55 8B EC 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? ?? ?? ?? + 33 C5 89 45 ?? 56 57 50 8D 45 ?? 64 A3 ?? ?? ?? ?? 8B F9 89 BD ?? ?? ?? ?? 33 C0 89 + 85 ?? ?? ?? ?? 38 47 ?? 0F 85 ?? ?? ?? ?? 8B 07 8B 08 8D 85 ?? ?? ?? ?? 50 8D 49 ?? + E8 ?? ?? ?? ?? 83 38 ?? 0F 85 ?? ?? ?? ?? 83 7F ?? ?? 74 ?? 8B 07 8B 08 8D 85 ?? ?? + ?? ?? 50 8D 49 ?? E8 ?? ?? ?? ?? 83 38 ?? 0F 84 ?? ?? ?? ?? 8B 07 8D 8D ?? ?? ?? ?? + 8B 30 8D 46 ?? 50 E8 ?? ?? ?? ?? 8D 46 ?? C7 45 ?? ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? ?? + ?? 8B 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 FA ?? 72 ?? 8B 8D ?? ?? ?? ?? 8D 14 55 ?? + ?? ?? ?? 8B C1 81 FA ?? ?? ?? ?? 72 ?? 8B 49 ?? 83 C2 ?? 2B C1 83 C0 ?? 83 F8 ?? 76 + ?? FF 15 ?? ?? ?? ?? 52 51 E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 07 8B + 30 8B 46 ?? 8B 00 85 C0 74 ?? 8D 8D ?? ?? ?? ?? 51 50 8D 85 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 83 C4 ?? 66 83 38 ?? 75 ?? 8B 46 ?? FF 30 FF 15 ?? ?? ?? ?? 8B 46 ?? 83 C4 + ?? C7 00 ?? ?? ?? ?? EB ?? FF B5 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? 8D + 4E ?? 50 E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D + 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? C6 45 ?? ?? 50 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? C6 45 ?? ?? 81 7F ?? ?? ?? ?? ?? 8B 37 8B 36 75 ?? 68 ?? ?? ?? ?? FF 15 + ?? ?? ?? ?? 8B 46 ?? 89 85 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? C6 45 ?? ?? 6A ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F8 83 C4 ?? 8D 85 ?? ?? ?? ?? 8D 4F ?? 
50 E8
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ all of ($encrypt_files_p*)
+ ) and
+ (
+ all of ($remote_connection_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.WsIR.yara b/yara/ransomware/Win32.Ransomware.WsIR.yara
new file mode 100644
index 0000000..1208d4e
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.WsIR.yara
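Review bot: The new rule file ends without a terminating newline (`\ No newline at end of file` right after the closing `}` of this hunk), and the WsIR, Xorist and Zeoticus files added in the following hunks end the same way. A trailing newline after the final `}` keeps later diffs to these rules from rewriting the last line and avoids the warnings that linters and some YARA tooling emit for a missing end-of-file newline. No change to the rule body itself is needed.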
@@ -0,0 +1,73 @@
+rule Win32_Ransomware_WsIR : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "WSIR"
+ description = "Yara rule that detects WsIR ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "WsIR"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 81 EC ?? ?? ?? ?? 53
+ 55 8B E9 8D 4C 24 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8B 4C 24 ?? C7 84 24 ?? ?? ?? ?? ??
+ ?? ?? ?? 8B 41 ?? 85 C0 74 ?? 8D 54 24 ?? 6A ?? 52 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 00
+ 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 4C 24 ?? 85 C0 0F 95 C3 E8 ?? ?? ?? ??
+ 84 DB 74 ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 4C 24 ?? E8
+ ?? ?? ?? ?? 8B 4C 24 ?? 8D 44 24 ?? 50 51 FF 15 ?? ?? ?? ?? 83 F8 ?? 89 44 24 ?? 75
+ ?? 8D 4C 24 ?? 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 56 8B B4 24 ?? ??
+ ?? ?? 57 8B 3D ?? ?? ?? ?? BB ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? 8D 54 24 ?? 68 ?? ??
+ ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 E8 ?? ??
+ ?? ?? 83 C4 ?? 85 C0 74 ?? 8B 45 ?? 8D 54 24 ?? 52 6A ?? 8D 8C 24 ?? ?? ?? ?? 68 ??
+ ?? ?? ?? 50 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ??
+ ?? ?? ?? ?? 89 4C 24 ?? 89 5C 24 ?? FF D7 8B 54 24 ?? 8D 4C 24 ?? 51 52 FF 15 ?? ??
+ ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 56 6A ?? 68
+ ?? ?? ?? ?? 51 FF D7 8D 4C 24 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F
+ 5E 8B 8C 24 ?? ?? ?? ?? 5D 5B 64 89 0D ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C2
+ }
+
+ $encrypt_files = {
+ FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ?? ??
+ ?? FF 75 ?? 8B 5D ?? FF 33 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 89 45 ?? 68 ?? ??
+ ?? ?? 6A ?? 8B 45 ?? 85 C0 75 ?? B8 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A ?? 8B 45 ?? 85
+ C0 75 ?? B8 ?? ?? ?? ??
50 68 ?? ?? ?? ?? BB ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B
+ 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ??
+ 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 6A ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4
+ ?? 89 45 ?? 8B 45 ?? 50 8B 5D ?? 85 DB 74 ?? 53 E8 ?? ?? ?? ?? 83 C4 ?? 58 89 45 ??
+ E9
+ }
+
+ $exec_proc = {
+ 52 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 1D ?? ??
+ ?? ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 FF D3 8D 4C 24 ?? 8D 54 24 ?? 51 52 68 ?? ?? ??
+ ?? 8B CF E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8D 44 24 ?? 68 ?? ?? ?? ?? 50 E8 ??
+ ?? ?? ?? 8B F0 83 C4 ?? 85 F6 75 ?? 8D 4C 24 ?? 68 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B
+ F0 83 C4 ?? 85 F6 75 ?? 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8D 74 04 ?? EB ?? 8D 57 ??
+ 8D 4C 24 ?? 52 E8 ?? ?? ?? ?? 8B 44 24 ?? 8B 48 ?? 85 C9 0F 85 ?? ?? ?? ?? 8D 4C 24
+ ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 EB ?? C6 06 ?? 68 ?? ?? ??
+ ?? 56 FF D3 8B 44 24 ?? 50 56 FF D3 8D 4C 24 ?? 55 51 FF 15 ?? ?? ?? ?? 8B F0 33 D2
+ 83 FE ?? 0F 9F C2 8D 4C 24 ?? 8B F2 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 5D 8B C6 5B 8B 8C 24 ?? ?? ?? ?? 5F 5E 64 89 0D ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? C2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ $exec_proc
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Xorist.yara b/yara/ransomware/Win32.Ransomware.Xorist.yara
new file mode 100644
index 0000000..e08c79d
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Xorist.yara
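Review bot: The condition at the end of this hunk lists every declared string by hand, `( $find_files ) and ( $encrypt_files ) and ( $exec_proc )`, each wrapped in parentheses that group nothing since only `and` is involved. `uint16(0) == 0x5A4D and all of them` expresses the same requirement in one line and stays correct if a fourth string is added to the rule later. This is a style point only; the match semantics are unchanged.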
@@ -0,0 +1,150 @@
+rule Win32_Ransomware_Xorist : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "XORIST"
+ description = "Yara rule that detects Xorist ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Xorist"
+ tc_detection_factor = 5
+
+ strings:
+
+ $search_and_encrypt_v1_p1 = {
+ 55 8B EC 81 EC ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 0F
+ 84 ?? ?? ?? ?? 48 89 45 ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ??
+ ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50
+ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ??
+ 2D ?? ?? ?? ?? 50 C6 80 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 80 ?? ?? ?? ?? ?? ?? ?? ?? C6 80 ?? ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 58 C7 80 ?? ?? ?? ?? ?? ?? ?? ?? C6 80 ?? ?? ?? ?? ?? E9 ?? ?? ??
+ ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ??
+ ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ??
+ 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 2D ?? ?? ?? ?? C6 80 ?? ?? ?? ?? ?? A0 ?? ?? ?? ?? 3C ?? 75 ??
+ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 53 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80
+ }
+
+ $search_and_encrypt_v1_p2 = {
+ 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 74 ??
+ E9 ?? ?? ?? ?? EB ?? 8B 3D ?? ?? ?? ?? 8B 0F 83 C7 ?? 51 57 68 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? 8B D8 57 E8 ?? ?? ?? ?? 03 F8 47 59 83 FB ?? 74 ?? 49 75 ?? E9 ?? ?? ?? ?? 68
+ ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ??
+ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 80 3D ?? ?? ?? ??
?? 75 ?? 68 ?? ?? ?? + ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 00 ?? EB ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 85 C0 0F 84 ?? ?? ?? ?? 48 A3 ?? ?? ?? ?? 6A ?? FF + } + + $search_and_encrypt_v1_p3 = { + 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 F8 ?? 7D ?? FF 35 ?? ?? ?? ?? E8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A + ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 3D ?? ?? ?? ?? ?? 75 ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8A 10 B9 + ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? AC 32 C2 D0 C2 AA E2 ?? A1 ?? ?? ?? ?? 80 + 3D ?? ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? ?? EB ?? 80 3D ?? ?? ?? ?? ?? 75 ?? E8 ?? ?? ?? + ?? EB ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? + ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D + 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? + ?? ?? C9 C3 + } + + $extract_rsrc_v1 = { + 55 8B EC 83 C4 ?? B9 ?? ?? ?? ?? BF ?? ?? ?? ?? 51 57 0F 31 5F 59 25 ?? ?? ?? ?? C1 + E8 ?? 83 C0 ?? AA E2 ?? 33 C0 AA 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 6A ?? 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 ?? C9 C3 89 45 ?? 50 6A ?? E8 ?? + ?? ?? ?? 0B C0 75 ?? C9 C3 89 45 ?? FF 75 ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 ?? C9 C3 + 89 45 ?? 50 E8 ?? ?? ?? ?? 0B C0 75 ?? C9 C3 89 45 ?? 8B D8 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 74 ?? 89 45 ?? 6A ?? 6A + ?? 
6A ?? FF 75 ?? E8 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 53 FF 75 ?? E8 ?? ?? ?? + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? FF 75 ?? E8 + ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? FF 75 ?? E8 ?? ?? ?? ?? + C9 C3 + } + + $search_and_encrypt_v2_p1 = { + 55 8B EC 81 EC ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 0F + 84 ?? ?? ?? ?? 48 89 45 ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? + ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 2D ?? ?? ?? ?? 50 C6 80 ?? ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 80 ?? ?? ?? ?? ?? ?? ?? ?? C6 80 ?? ?? ?? ?? + ?? E8 ?? ?? ?? ?? 58 C7 80 ?? ?? ?? ?? ?? ?? ?? ?? C6 80 ?? ?? ?? ?? ?? E9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? + ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? + 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 2D ?? ?? ?? ?? C6 80 ?? ?? ?? ?? ?? A0 ?? ?? ?? ?? 3C + ?? 75 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 53 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 80 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 + ?? 74 ?? E9 ?? ?? ?? ?? EB ?? 8B 3D ?? ?? ?? ?? 8B 0F 83 C7 ?? 51 57 68 + } + + $search_and_encrypt_v2_p2 = { + E8 ?? ?? ?? ?? 8B D8 57 E8 ?? ?? ?? ?? 03 F8 47 59 83 FB ?? 74 ?? 49 75 ?? E9 ?? ?? + ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? + FF 35 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 80 3D ?? ?? ?? ?? ?? 75 ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 00 ?? 6A + ?? 6A ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 85 C0 0F + 84 ?? ?? ?? ?? 48 A3 ?? ?? ?? ?? 6A ?? 
FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? + ?? 83 F8 ?? 7D ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? + ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? EB ?? 68 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8A 10 B9 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? AC 32 C2 + D0 C2 AA E2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 6A ?? FF 35 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF + 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? + ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? + ?? FF 75 ?? E8 ?? ?? ?? ?? C9 C3 + } + + $extract_rsrc_v2 = { + 55 8B EC 83 C4 ?? 53 6A ?? 6A ?? 6A ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? 89 + 45 ?? 50 6A ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? 89 45 ?? FF 75 ?? 6A ?? E8 + ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? 89 45 ?? 50 E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? + ?? ?? ?? 89 45 ?? 8B F8 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 ?? 8B 45 ?? 83 + E8 ?? 50 57 E8 ?? ?? ?? ?? 8B 1F 83 C7 ?? 53 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 0B C0 75 ?? E9 ?? ?? ?? ?? A3 ?? ?? ?? ?? 53 57 FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 + FB 8B 1F 83 C7 ?? 53 6A ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? + ?? A3 ?? ?? ?? ?? 53 57 FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 FB 8B 1F 83 C7 ?? 53 6A + ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0B C0 75 ?? E9 ?? ?? ?? ?? A3 ?? ?? ?? ?? 53 57 + FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 03 FB 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 + ?? 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 ?? 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C7 ?? 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 ?? 6A ?? 57 68 ?? ?? 
??
+ ?? E8 ?? ?? ?? ?? 83 C7 ?? 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 ?? 6A ?? 57
+ 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7 ?? 6A ?? 57 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C7
+ ?? FF 75 ?? E8 ?? ?? ?? ?? 5B C9 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ $extract_rsrc_v1
+ ) and
+ (
+ all of ($search_and_encrypt_v1_p*)
+ )
+ ) or
+ (
+ (
+ $extract_rsrc_v2
+ ) and
+ (
+ all of ($search_and_encrypt_v2_p*)
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Zeoticus.yara b/yara/ransomware/Win32.Ransomware.Zeoticus.yara
new file mode 100644
index 0000000..2dd4aae
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Zeoticus.yara
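Review bot: The condition closing this hunk reads `uint16(0) == 0x5A4D and ( …v1… ) or ( …v2… )`; YARA gives `and` higher precedence than `or`, so the MZ-header check is applied only to the v1 alternative and the v2 branch (`$extract_rsrc_v2` plus `all of ($search_and_encrypt_v2_p*)`) can match a file regardless of its first two bytes. Every other rule in this series applies `uint16(0) == 0x5A4D` to all of its branches, so this reads as an unintended grouping rather than a deliberate choice, and it also costs the scanner the early exit on non-PE input. Wrapping the two alternatives in a single group restores the intended shape: `uint16(0) == 0x5A4D and ( ( $extract_rsrc_v1 and all of ($search_and_encrypt_v1_p*) ) or ( $extract_rsrc_v2 and all of ($search_and_encrypt_v2_p*) ) )`.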
@@ -0,0 +1,90 @@
+rule Win32_Ransomware_Zeoticus : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "ZEOTICUS"
+ description = "Yara rule that detects Zeoticus ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Zeoticus"
+ tc_detection_factor = 5
+
+ strings:
+
+ $enum_shares_p1 = {
+ 53 55 8B 2D ?? ?? ?? ?? 8B C1 56 57 8B 3D ?? ?? ?? ?? 89 44 24 ?? C7 44 24 ?? ?? ??
+ ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8D 4C 24 ?? 51 8D 4C 24 ?? 51
+ 8D 4C 24 ?? 51 6A ?? 8D 4C 24 ?? 51 6A ?? 50 FF 15 ?? ?? ?? ?? 89 44 24 ?? 85 C0 74
+ ?? 3D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 83 7C 24 ?? ?? 8B 5C 24 ?? 89 5C 24 ?? C7 44 24
+ ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 33 F6 39 73 ?? 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF
+ 33 FF D5 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 33 FF D5 85 C0 0F 84 ?? ?? ?? ??
+ 68 ?? ?? ?? ?? FF 33 FF D5 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 33 FF D5 85 C0
+ 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 33 FF D5 85 C0 0F 84 ?? ?? ?? ?? FF 33 8D 44 24
+ ?? FF 74 24 ?? 68 ?? ?? ?? ?? 50 FF D7 A1 ?? ?? ?? ?? 83 C4 ?? 85 C0 75 ?? 68 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 ?? 89 04 8D ?? ?? ?? ?? 8D 4C 24 ?? 51
+ }
+
+ $enum_shares_p2 = {
+ 50 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8D 04 85 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 56 FF 34
+ 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 56 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 89 04 8D ??
+ ?? ?? ?? 41 FF 05 ?? ?? ?? ?? 89 0D ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 FF 85 C0 7E ?? 8D
+ 5F ?? 8D 44 24 ?? 50 FF 34 BD ?? ?? ?? ?? FF D5 85 C0 0F 44 F3 47 3B 3D ?? ?? ?? ??
+ 7C ?? 8B 5C 24 ?? 85 F6 0F 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0D ?? ??
+ ?? ?? 8B 3D ?? ?? ?? ?? 89 04 8D ?? ?? ?? ?? 8D 4C 24 ?? 51 68 ?? ?? ?? ?? 50 FF D7
+ A1 ?? ?? ?? ?? 83 C4 ?? 8D 04 85 ?? ?? ?? ?? 50 A1 ?? ?? ?? ?? 6A ?? FF 34 85 ?? ??
+ ?? ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ??
89 04 8D ?? ?? + ?? ?? 41 FF 05 ?? ?? ?? ?? 89 0D ?? ?? ?? ?? EB ?? 8B 3D ?? ?? ?? ?? 8B 74 24 ?? 83 + C3 ?? 46 89 5C 24 ?? 89 74 24 ?? 3B 74 24 ?? 0F 82 ?? ?? ?? ?? 8B 5C 24 ?? 53 FF 15 + ?? ?? ?? ?? 81 7C 24 ?? ?? ?? ?? ?? 8B 44 24 ?? 0F 84 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 + ?? ?? ?? ?? C3 + } + + $encrypt_files = { + 68 ?? ?? ?? ?? 6A ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? A3 ?? ?? + ?? ?? FF D0 68 ?? ?? ?? ?? 6A ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F0 E8 ?? ?? ?? ?? + 83 C4 ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 FF D0 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 FF D7 83 + C4 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 + ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D + 04 45 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 68 ?? ?? ?? ?? 6A ?? + FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 83 FB ?? 75 ?? E8 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? EB ?? 83 FB ?? 75 ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? + 56 6A ?? FF 35 ?? ?? ?? ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D6 E8 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 EC ?? FF B4 24 ?? ?? ?? ?? 51 E8 ?? ?? ?? + ?? 83 C4 ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 + } + + $find_files = { + 81 EC ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 53 68 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 68 + ?? ?? ?? ?? 8D 44 24 ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 24 ?? 68 ?? ?? ?? ?? + 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 8D 51 ?? 66 8B 01 + 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 66 83 7C 24 ?? ?? 56 8D 71 ?? 0F 85 ?? ?? ?? ?? + 55 8B 2D ?? ?? ?? ?? 57 8B 3D ?? ?? ?? ?? 66 90 66 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? + 66 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? 66 83 7C 24 ?? ?? 0F 85 ?? ?? ?? ?? 66 83 7C 74 + ?? ?? 0F 85 ?? ?? ?? ?? 
33 C0 66 89 44 74 ?? 8D 84 24 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50
+ 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 66 89 4C 74 ?? 85 C0 74 ?? 33 F6 90
+ FF 34 B5 ?? ?? ?? ?? FF D7 83 F8 ?? 74 ?? 46 83 FE ?? 72 ?? 8D 44 24 ?? 50 FF 34 B5
+ ?? ?? ?? ?? FF D5 68 ?? ?? ?? ?? 8D 44 24 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8D
+ 4C 24 ?? 8D 51 ?? 66 90 66 8B 01 83 C1 ?? 66 85 C0 75 ?? 2B CA D1 F9 66 83 7C 24 ??
+ ?? 8D 71 ?? 0F 84 ?? ?? ?? ?? 5F 5D 53 FF 15 ?? ?? ?? ?? 5E 5B 81 C4 ?? ?? ?? ?? C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ $find_files
+ ) and
+ (
+ $encrypt_files
+ ) and
+ (
+ all of ($enum_shares_p*)
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win32.Ransomware.Zeppelin.yara b/yara/ransomware/Win32.Ransomware.Zeppelin.yara
new file mode 100644
index 0000000..e88d1a2
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Zeppelin.yara
@@ -0,0 +1,109 @@ +rule Win32_Ransomware_Zeppelin : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ZEPPELIN" + description = "Yara rule that detects Zeppelin ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Zeppelin" + tc_detection_factor = 5 + + strings: + + $search_files_p1 = { + 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? + ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 8D 45 ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8D 45 ?? 50 8B 45 ?? E8 ?? + ?? ?? ?? 8B D8 8B 45 ?? E8 ?? ?? ?? ?? 2B D8 43 53 8B 45 ?? E8 ?? ?? ?? ?? 8B D0 42 + 8B 45 ?? 59 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? FF 30 FF 75 ?? 68 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? 83 F8 + ?? 7C ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 + ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + C3 + } + + $search_files_p2 = { + 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 8D 8D ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? + ?? 64 FF 30 64 89 20 F6 85 ?? ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 45 ?? 50 + 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 8D + ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 59 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? + 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? + ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 5B 8B E5 5D C3 + } + + $kill_processes = { + 55 8B EC 33 C9 51 51 51 51 51 51 51 51 53 56 57 84 D2 74 ?? 83 C4 ?? E8 ?? ?? ?? ?? + 88 55 ?? 89 45 ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 55 68 ?? ?? ?? ?? + 64 FF 32 64 89 22 8D 55 ?? A1 ?? ?? ?? ?? 8B 00 E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8B D8 8B 45 ?? 89 58 ?? 8B C3 B2 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 40 ?? + C6 40 ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 85 C0 74 ?? 83 E8 ?? 8B 00 8B F0 85 F6 + 7E ?? BB ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? 0F B6 54 1A ?? E8 ?? ?? ?? ?? 8B 45 ?? 50 8D + 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 58 E8 ?? ?? ?? ?? 75 ?? 8D 55 ?? 8B 45 + ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 8B 40 ?? 8B 08 FF 51 ?? 8D 45 ?? E8 ?? ?? ?? ?? + EB ?? 8D 45 ?? 8B 55 ?? 0F B6 54 1A ?? E8 ?? ?? ?? ?? 8B 55 ?? 8D 45 ?? E8 ?? ?? ?? + ?? 43 4E 75 ?? 33 C0 5A 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? B1 ?? 33 + D2 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? + 8B 45 ?? 80 7D ?? ?? 74 ?? E8 ?? ?? ?? ?? 64 8F 05 ?? ?? ?? ?? 83 C4 ?? 8B 45 ?? 5F + 5E 5B 8B E5 5D C3 + } + + $enum_shares = { + 55 8B EC B9 ?? ?? ?? ?? 6A ?? 6A ?? 49 75 ?? 51 53 56 57 89 45 ?? 8B 45 ?? E8 ?? ?? + ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 + 89 20 B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 4D ?? 33 + D2 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 89 45 ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? B2 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B + 45 ?? E8 ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? 8D 55 ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 10 FF 52 ?? 48 85 + C0 0F 8C ?? ?? ?? ?? 40 89 45 ?? 
C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 8B 55 ?? 8B 45 ?? 8B + 18 FF 53 ?? 8B 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 74 ?? 33 C0 55 68 ?? ?? ?? ?? 64 + FF 30 64 89 20 FF 75 ?? 68 ?? ?? ?? ?? 8D 4D ?? 33 D2 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 + ?? 8D 55 ?? E8 ?? ?? ?? ?? FF 75 ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 55 ?? + 8D 45 ?? E8 ?? ?? ?? ?? 8B 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 + 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 84 C0 75 ?? FF 45 ?? + FF 4D ?? 0F 85 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A + 59 59 64 89 10 EB ?? E9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? + ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB + ?? 5F 5E 5B 8B E5 5D C3 + } + + $encrypt_files = { + 55 8B EC 83 C4 ?? 53 56 33 DB 89 5D ?? 84 D2 74 ?? 83 C4 ?? E8 ?? ?? ?? ?? 8B D9 88 + 55 ?? 8B F0 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 33 D2 8B C6 E8 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 88 5E ?? 88 5E ?? 56 6A ?? 8D 46 ?? 50 B9 ?? ?? ?? ?? 33 D2 33 C0 E8 ?? + ?? ?? ?? 8B D8 89 5E ?? 85 DB 75 ?? E8 ?? ?? ?? ?? 8D 55 ?? E8 ?? ?? ?? ?? 8B 45 ?? + 89 45 ?? C6 45 ?? ?? 8D 45 ?? 50 6A ?? 8B 0D ?? ?? ?? ?? B2 ?? A1 ?? ?? ?? ?? E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? + ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $kill_processes + ) and + ( + $enum_shares + ) and + ( + all of ($search_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara b/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara new file mode 100644 index 0000000..ddd72b0 --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara 
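Review bot: The meta block carries nothing that ties the rule to the sample it was built from — no reference hash, no date and no rule version next to `tc_detection_factor = 5` — so a later edit to one of these byte patterns cannot be regression-tested against a known-good match; the same gap is in the ZeroCrypt, Zhen and Zoldon hunks below. Adding `hash = "<sha256-of-reference-sample>"` and `date = "<yyyy-mm-dd>"` (placeholders) to each meta block would close it. On style, the condition wraps every single string in its own parentheses, `( $kill_processes )`, which adds nothing; `$kill_processes and $enum_shares and all of ($search_files_p*) and $encrypt_files` is equivalent and shorter. Every rule file in this commit is also written without a trailing newline (`\ No newline at end of file`), which is worth fixing once across the set.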
@@ -0,0 +1,94 @@ +rule Win32_Ransomware_ZeroCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ZEROCRYPT" + description = "Yara rule that detects ZeroCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "ZeroCrypt" + tc_detection_factor = 5 + + strings: + + $encrypt_file_1 = { + 55 8B EC 83 E4 ?? 6A ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 81 EC ?? ?? ?? ?? A1 ?? + ?? ?? ?? 33 C4 89 84 24 ?? ?? ?? ?? 53 56 57 A1 ?? ?? ?? ?? 33 C4 50 8D 84 24 ?? ?? + ?? ?? 64 A3 ?? ?? ?? ?? 8B F2 8B F9 68 ?? ?? ?? ?? 8B D7 8D 4C 24 ?? E8 ?? ?? ?? ?? + 83 C4 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 8B D0 56 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 83 C4 ?? C6 84 24 ?? ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? FF 74 24 ?? E8 ?? ?? ?? ?? + 83 C4 ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? 83 7E ?? ?? C7 44 24 ?? ?? ?? ?? ?? 66 89 44 + 24 ?? 72 ?? 8B 16 EB ?? 8B D6 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? + ?? ?? 33 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 + 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? + C6 84 24 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8B D6 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B F0 C6 84 24 ?? ?? ?? ?? ?? 8B + D7 68 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 84 24 ?? ?? ?? ?? ?? 8B D0 + 56 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? C6 84 24 ?? ?? ?? ?? ?? 8B D0 68 ?? ?? ?? ?? + 8D 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 8B F0 C6 84 24 ?? ?? ?? ?? ?? 8D 84 24 ?? ?? ?? + ?? 3B C6 74 ?? 83 BC 24 ?? ?? ?? ?? ?? 72 ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 33 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 56 8D 8C 24 ?? ?? ?? ?? C7 84 24 ?? ?? + ?? ?? ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 83 + 7C 24 ?? ?? 72 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? + C7 44 24 ?? ?? 
?? ?? ?? 66 89 44 24 ?? C6 84 24 ?? ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? + FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? + ?? ?? 66 89 44 24 ?? C6 84 24 ?? ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? FF 74 24 ?? E8 ?? + ?? ?? ?? 83 C4 ?? 33 C0 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 66 89 44 24 + } + + $encrypt_file_2 = { + C6 84 24 ?? ?? ?? ?? ?? 83 7C 24 ?? ?? 72 ?? FF 74 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? + 33 C0 C7 44 24 ?? ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 66 89 44 + 24 ?? 8D B4 24 ?? ?? ?? ?? 0F 43 BC 24 ?? ?? ?? ?? 8D 44 24 ?? 83 BC 24 ?? ?? ?? ?? + ?? 50 0F 43 B4 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? + ?? ?? ?? 57 56 8B 00 FF D0 85 C0 68 ?? ?? ?? ?? 0F 95 C3 E8 ?? ?? ?? ?? 83 C4 ?? 85 + C0 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 84 DB 0F 84 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? + 8D 44 24 ?? 8D B4 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 0F 43 B4 24 ?? ?? ?? ?? 50 + E8 ?? ?? ?? ?? 56 8B 00 FF D0 85 C0 0F 84 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8D 44 24 ?? 6A + ?? 50 E8 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 + 84 24 ?? ?? ?? ?? ?? 8D 4C 24 ?? 6A ?? 83 EC ?? E8 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 4C + 24 ?? E8 ?? ?? ?? ?? 6A ?? 83 EC ?? 8D 8C 24 ?? ?? ?? ?? 8B 58 ?? 03 18 E8 ?? ?? ?? + ?? 6A ?? 8D 84 24 ?? ?? ?? ?? 6A ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C7 44 24 ?? ?? ?? ?? + ?? 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 33 C9 8B 00 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 + 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? + ?? ?? ?? 66 89 8C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 89 84 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? + ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 51 8B F8 8D 4C 24 ?? 57 BE ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 4C 24 ?? 8B 41 ?? F6 84 04 ?? ?? ?? ?? ?? 74 ?? 8D 4C 24 ?? BA ?? ?? ?? ?? + 03 C8 8B F3 33 C0 39 41 ?? 0F 44 C2 83 E0 ?? 89 41 ?? 85 41 ?? 74 ?? 6A ?? E8 ?? ?? + ?? ?? 
56 57 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? 83 EC ?? 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 6A ?? 56 57 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? F3 0F 6F 00 F3 0F 7F 07 E8 ?? ?? ?? ?? F3 0F 6F + } + + $encrypt_file_3 = { + 00 F3 0F 7F 47 ?? F3 0F 6F 40 ?? F3 0F 7F 47 ?? F3 0F 6F 40 ?? 8D 84 24 ?? ?? ?? ?? + 50 51 F3 0F 7F 47 ?? 57 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 83 C4 + ?? 85 F6 74 ?? 6A ?? 83 EC ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A ?? FF B4 24 ?? + ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 85 C0 75 ?? 8B 44 24 ?? 8D 4C 24 ?? 8B 40 ?? 03 C8 8B 41 ?? 83 C8 ?? 83 79 ?? ?? 75 + ?? 83 C8 ?? 83 E0 ?? 89 41 ?? 85 41 ?? 74 ?? 6A ?? E8 ?? ?? ?? ?? 85 F6 74 ?? 56 E8 + ?? ?? ?? ?? 83 C4 ?? 57 E8 ?? ?? ?? ?? 83 C4 ?? B3 ?? C6 84 24 ?? ?? ?? ?? ?? 8D 8C + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 89 44 24 ?? C6 84 24 ?? + ?? ?? ?? ?? 50 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? EB ?? 32 DB + C6 84 24 ?? ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 72 ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 83 C4 ?? 33 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? + ?? 66 89 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 72 ?? FF + B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 + 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? + ?? 83 BC 24 ?? ?? ?? ?? ?? 72 ?? FF B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 33 C0 + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 84 24 ?? ?? ?? ?? 8A C3 C7 84 24 ?? ?? ?? ?? + ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 64 89 0D ?? ?? ?? ?? 59 5F 5E 5B 8B 8C 24 ?? ?? ?? + ?? 33 CC E8 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $encrypt_file_1 and $encrypt_file_2 and $encrypt_file_3 +} \ No newline at end of file 
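Review bot: The condition spells out `$encrypt_file_1 and $encrypt_file_2 and $encrypt_file_3` while the neighbouring rules express the same requirement with a wildcard set (`all of ($search_files_p*)` in Zeppelin, `all of ($find_files_p*)` in Zhen and Zoldon); `uint16(0) == 0x5A4D and all of ($encrypt_file_*)` keeps the commit consistent and needs no edit when a further part is added. Separately, `$encrypt_file_3` opens with a lone `00` followed by `F3 0F 7F 47`, and that `00` is the ModRM byte of the `F3 0F 6F` that ends `$encrypt_file_2` — the split between the two fragments falls inside an instruction. That is harmless for matching, since each string is searched independently, but a one-line comment above the strings such as `// _1.._3 are consecutive fragments of one function; the cut points fall mid-instruction, so do not "repair" the leading bytes` would stop a maintainer from trimming them. The same mid-instruction cut appears between `$scan_network_p1`/`$scan_network_p2` (`50 FF` | `15 ?? ?? ?? ??`) in the Zhen hunk and `$find_files_p1`/`$find_files_p2` (`8B` | `8D ?? ?? ?? ??`) in the Zoldon hunk.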
diff --git a/yara/ransomware/Win32.Ransomware.Zhen.yara b/yara/ransomware/Win32.Ransomware.Zhen.yara
new file mode 100644
index 0000000..6b46316
--- /dev/null
+++ b/yara/ransomware/Win32.Ransomware.Zhen.yara
@@ -0,0 +1,176 @@ +rule Win32_Ransomware_Zhen : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ZHEN" + description = "Yara rule that detects Zhen ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Zhen" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 8B 4D ?? B8 ?? ?? ?? ?? 2B 41 ?? C1 E0 ?? 8B 4D ?? 8B 49 ?? 03 C8 FF 15 + ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? 51 6A ?? FF 15 ?? ?? + ?? ?? 8D 55 ?? 8B 4D ?? 83 C1 ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? + ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D + 4D ?? 51 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 ?? 52 + E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 8B 4D + } + + $find_files_p2 = { + 8B 11 8B 45 ?? 50 FF 92 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 68 + ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 85 + ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 55 + ?? 52 E8 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 45 ?? 50 E8 + ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 + ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB + ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 11 89 95 ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? 
?? ?? ?? 8B C4 8B 4D ?? 89 08 8B 55 ?? 89 50 ?? 8B 4D ?? 89 48 ?? 8B 55 + ?? 89 50 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C4 8B 4D ?? 89 08 8B 55 ?? 89 50 ?? 8B + 4D ?? 89 48 ?? 8B 55 ?? 89 50 ?? 8B 85 ?? ?? ?? ?? 8B 08 8B 95 ?? ?? ?? ?? 52 FF 91 + ?? ?? ?? ?? DB E2 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 68 ?? ?? ?? ?? 68 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? EB ?? 8D + 4D ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? + ?? C3 C3 8B 45 ?? 8B 08 8B 55 ?? 52 FF 51 ?? 8B 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? + 5F 5E 5B 8B E5 5D C2 + } + + $encrypt_files_p1 = { + 55 8B EC 83 EC ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 53 56 57 89 65 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 08 8B 55 ?? 52 FF 51 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 + ?? ?? ?? ?? ?? 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 66 89 45 ?? 8D 4D ?? FF 15 ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 8B 4D ?? 8B 11 52 66 8B 45 ?? 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? + C7 45 ?? ?? ?? ?? ?? 6A ?? 66 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 83 E8 ?? 50 6A ?? 6A ?? + 8D 55 ?? 52 6A ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 66 + 8B 45 ?? 50 8D 4D ?? 51 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 8B + 55 ?? 52 FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 50 8D 4D ?? 51 8B 55 ?? 8B + 02 8B 4D ?? 51 FF 50 ?? 89 45 ?? 83 7D ?? ?? 7D ?? 6A ?? 68 ?? ?? ?? ?? 8B 55 ?? 52 + 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? EB ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 4D ?? 51 FF 15 ?? ?? ?? ?? 66 89 45 + ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 55 ?? 8B 02 50 66 8B 4D ?? 51 + } + + $encrypt_files_p2 = { + 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 
C7 45 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 4D ?? FF 15 ?? + ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 8B 11 8B 45 ?? 50 FF 52 ?? 89 45 ?? 83 7D + ?? ?? 7D ?? 6A ?? 68 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? + EB ?? C7 45 ?? ?? ?? ?? ?? 66 8B 45 ?? 50 8D 4D ?? 51 68 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 8D 4D ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 8B 55 ?? 52 8D 45 ?? 50 68 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 8B 4D ?? 51 FF 15 ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? E9 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 6A ?? FF 15 + ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 8B 55 ?? 52 FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? 8B 45 ?? 8B 08 51 8D 55 ?? 52 FF 15 ?? ?? ?? ?? 50 8B 45 ?? 8B 08 51 8D 55 ?? 52 + FF 15 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 45 ?? 50 8B 4D ?? 51 FF 15 + ?? ?? ?? ?? 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? 51 8D 55 ?? 52 6A ?? + FF 15 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? FF 15 ?? ?? ?? ?? + 68 ?? ?? ?? ?? EB ?? 8D 45 ?? 50 8D 4D ?? 51 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 4D + ?? FF 15 ?? ?? ?? ?? C3 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? FF 15 + ?? ?? ?? ?? C3 8B 4D ?? 8B 11 8B 45 ?? 50 FF 52 ?? 8B 4D ?? 66 8B 55 ?? 66 89 11 8B + 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 + } + + $scan_network_p1 = { + 55 8B EC 83 EC ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 53 56 57 89 65 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 + 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 08 8B 55 ?? 52 FF 51 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? + ?? ?? ?? ?? 6A ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? 8B 08 8B 55 ?? 52 + FF 91 ?? ?? ?? ?? 50 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 4D ?? 51 8B + 95 ?? ?? ?? ?? 8B 02 8B 8D ?? ?? ?? ?? 51 FF 90 ?? ?? ?? ?? DB E2 89 85 ?? ?? ?? ?? + 83 BD ?? ?? ?? ?? ?? 7D ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8B 85 + ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? 
?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8D 4D ?? FF + 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8D + 4D ?? 51 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 8D + 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 8D + 4D ?? 51 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? ?? 8B 45 ?? + 8B 08 8B 55 ?? 52 FF 91 ?? ?? ?? ?? 50 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? + ?? 8D 4D ?? 51 8B 95 ?? ?? ?? ?? 8B 02 8B 8D ?? ?? ?? ?? 51 FF 90 ?? ?? ?? ?? DB E2 + 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 8B 95 ?? + ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 95 ?? ?? + ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 6A ?? 6A ?? 8D 4D ?? 51 8B 55 ?? 52 8D 45 ?? 50 FF + } + + $scan_network_p2 = { + 15 ?? ?? ?? ?? 8D 4D ?? 51 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 95 + ?? ?? ?? ?? 52 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 8D 4D ?? FF + 15 ?? ?? ?? ?? 8D 4D ?? 51 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? + ?? ?? ?? 8B 45 ?? B9 ?? ?? ?? ?? 2B 48 ?? 8B 55 ?? 8B 42 ?? 8B 0C 88 51 FF 15 ?? ?? + ?? ?? DD 9D ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? 2B 42 ?? 8B 4D ?? 8B 51 ?? 8B 04 82 + 50 FF 15 ?? ?? ?? ?? DC AD ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B 4D ?? BA ?? ?? ?? ?? 2B + 51 ?? 8B 45 ?? 8B 48 ?? 8B 14 91 52 FF 15 ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B 45 ?? B9 + ?? ?? ?? ?? 2B 48 ?? 8B 55 ?? 8B 42 ?? 8B 0C 88 51 FF 15 ?? ?? ?? ?? DC AD ?? ?? ?? + ?? DC 0D ?? ?? ?? ?? DC 85 ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? 2B + 42 ?? 8B 4D ?? 8B 51 ?? 8B 04 82 50 FF 15 ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B 4D ?? BA + ?? ?? ?? ?? 2B 51 ?? 8B 45 ?? 8B 48 ?? 8B 14 91 52 FF 15 ?? ?? ?? ?? DC AD ?? ?? ?? + ?? DC 0D ?? ?? ?? ?? DC 0D ?? ?? ?? ?? 
DC 85 ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B 45 ?? + 33 C9 2B 48 ?? 8B 55 ?? 8B 42 ?? 8B 0C 88 51 FF 15 ?? ?? ?? ?? DD 9D ?? ?? ?? ?? 8B + 55 ?? 33 C0 2B 42 ?? 8B 4D ?? 8B 51 ?? 8B 04 82 50 FF 15 ?? ?? ?? ?? DC AD ?? ?? ?? + ?? DC 0D ?? ?? ?? ?? DC 0D ?? ?? ?? ?? DC 0D ?? ?? ?? ?? DC 85 ?? ?? ?? ?? DD 5D ?? + C7 45 ?? ?? ?? ?? ?? DD 45 ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 89 41 ?? C7 45 ?? ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 + } + + $scan_network_p3 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? + ?? 52 8D 85 ?? ?? ?? ?? 50 8D 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E9 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 8B 02 89 85 ?? ?? ?? ?? 8B 4D ?? 8B 11 8B 45 ?? 50 FF 92 ?? ?? ?? + ?? 50 8D 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 FF 15 + ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 8B 11 8B 85 ?? ?? ?? ?? 50 FF 52 ?? DB E2 89 85 ?? + ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 6A ?? 68 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8B 95 + ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? 8B 45 ?? 89 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8D 55 ?? 52 + FF 15 ?? ?? ?? ?? 50 8B 85 ?? ?? ?? ?? 8B 08 8B 95 ?? ?? ?? ?? 52 FF 51 ?? DB E2 89 + 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 6A ?? 68 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 + } + + $scan_network_p4 = { + 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? C7 45 ?? ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 + 8D 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? + ?? C7 45 ?? ?? ?? ?? ?? 
8B 4D ?? 8B 11 8B 45 ?? 50 FF 92 ?? ?? ?? ?? 50 8D 4D ?? 51 + FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A ?? 8B 95 ?? ?? ?? ?? 8B 02 8B 8D ?? ?? ?? ?? + 51 FF 50 ?? DB E2 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 7D ?? 6A ?? 68 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8D 4D ?? FF 15 ?? ?? ?? ?? 9B 68 ?? ?? ?? ?? EB ?? 8D + 4D ?? FF 15 ?? ?? ?? ?? 8D 4D ?? 51 8D 55 ?? 52 8D 45 ?? 50 6A ?? FF 15 ?? ?? ?? ?? + 83 C4 ?? 8D 4D ?? 51 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? C3 8D 85 ?? ?? ?? + ?? 50 8D 8D ?? ?? ?? ?? 51 6A ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 4D ?? FF 15 ?? ?? ?? + ?? 8D 55 ?? 52 6A ?? FF 15 ?? ?? ?? ?? 8D 45 ?? 50 6A ?? FF 15 ?? ?? ?? ?? C3 8B 4D + ?? 8B 11 8B 45 ?? 50 FF 52 ?? 8B 4D ?? 66 8B 55 ?? 66 89 11 8B 45 ?? 8B 4D ?? 64 89 + 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($scan_network_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win32.Ransomware.Zoldon.yara b/yara/ransomware/Win32.Ransomware.Zoldon.yara new file mode 100644 index 0000000..574cc7f --- /dev/null +++ b/yara/ransomware/Win32.Ransomware.Zoldon.yara 
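Review bot: `$encrypt_files_p1` and `$scan_network_p1` are byte-identical for their first three and a half lines and only diverge right after the `C7 45 ?? ?? ?? ?? ??` that follows the first `FF 15 ?? ?? ?? ??` call (a second `C7 45` in one, `8B 45 ?? 8B 08` in the other); the shared run (`55 8B EC 83 EC ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ...`) looks like the compiler's generic SEH frame setup rather than anything specific to this family. Nothing is wrong for matching, since YARA selects its search atoms from the whole string rather than its prefix, but it means neither p1 string is specific on its own and anyone shortening the strings must keep their tails. A comment above the strings section such as `// encrypt_files_p1 and scan_network_p1 share a generic SEH prologue; the family-specific bytes start after the first FF 15 call` would make that explicit.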
@@ -0,0 +1,107 @@ +rule Win32_Ransomware_Zoldon : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ZOLDON" + description = "Yara rule that detects Zoldon ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Zoldon" + tc_detection_factor = 5 + + strings: + + $main_encrypt_function_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? + ?? 89 8D ?? ?? ?? ?? 89 4D ?? 89 8D ?? ?? ?? ?? 89 4D ?? 89 4D ?? 89 55 ?? 89 45 ?? + 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 + 64 89 20 E8 ?? ?? ?? ?? DD 5D ?? 9B 8B 45 ?? 89 45 ?? 8B 45 ?? 89 45 ?? FF 75 ?? FF + 75 ?? 8D 55 ?? A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? B2 ?? + A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 ?? B1 ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 3C ?? 0F 85 ?? ?? ?? ?? B0 ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 84 C0 0F 85 ?? ?? ?? ?? 8B 4D ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? C6 + 80 ?? ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 66 C7 45 + } + + $main_encrypt_function_p2 = { + 8D 85 ?? ?? ?? ?? 66 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8D 45 ?? B9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 66 83 7D + ?? ?? 74 ?? 8D 85 ?? ?? ?? ?? 66 8B 55 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? + ?? ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 66 FF 45 ?? 66 83 7D + ?? ?? 75 ?? 8B 4D ?? BA ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? + 8D 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8B 95 ?? ?? ?? ?? 33 C9 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 + ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? 
?? E8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 + 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? + E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $write_zoldon_regkey = { + 55 8B EC 83 C4 ?? 53 56 33 DB 89 5D ?? 88 4D ?? 8B DA 8B F0 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 8D 45 ?? 8B D3 E8 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D8 84 DB + 75 ?? 8D 45 ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 89 45 ?? 80 7D ?? + ?? 74 ?? 83 7D ?? ?? 75 ?? 8D 45 ?? 50 8B 46 ?? 50 6A ?? 8B 45 ?? E8 ?? ?? ?? ?? 50 + 8B D3 8B C6 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D0 8B C6 E8 ?? ?? ?? ?? 88 45 ?? EB + ?? 8D 45 ?? 50 8D 45 ?? 50 6A ?? 8B 46 ?? 50 6A ?? 6A ?? 6A ?? 8B 45 ?? E8 ?? ?? ?? + ?? 50 8B D3 8B C6 E8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D0 8B C6 E8 ?? ?? ?? ?? 88 45 + ?? 80 7D ?? ?? 74 ?? 83 7E ?? ?? 0F 95 C0 84 D8 74 ?? FF 76 ?? 68 ?? ?? ?? ?? FF 75 + ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B C6 E8 ?? ?? ?? ?? 33 + C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 + } + + $find_files_p1 = { + 55 8B EC 81 C4 ?? ?? ?? ?? 33 C9 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 89 8D ?? ?? ?? + ?? 89 8D ?? ?? ?? ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 4D ?? 89 55 ?? + 89 45 ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? + 64 FF 30 64 89 20 8D 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 85 ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 + C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 F6 85 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 8B 45 + ?? 80 B8 ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? B8 ?? 
?? ?? ?? E8 + ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 + 74 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? + ?? ?? ?? 64 FF 30 64 89 20 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 + 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 8B + } + + $find_files_p2 = { + 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? E9 + ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? + ?? ?? ?? 8B 55 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? E9 ?? ?? + ?? ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D + 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? + ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 74 ?? 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? + 74 ?? 8D 45 ?? 8B 55 ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D + 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 ?? E8 ?? + ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8D 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 8B 55 ?? E8 ?? + ?? ?? ?? 8B 95 ?? ?? ?? ?? 8B 45 ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 85 C0 0F 84 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? E8 + ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 85 ?? + ?? ?? ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 8D 45 ?? BA ?? ?? ?? ?? E8 ?? ?? ?? ?? C3 E9 ?? ?? ?? ?? EB ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $write_zoldon_regkey + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($main_encrypt_function_p*) + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win64.Ransomware.Ako.yara b/yara/ransomware/Win64.Ransomware.Ako.yara
new file mode 100644
index 0000000..722da36
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.Ako.yara
@@ -0,0 +1,173 @@ +rule Win64_Ransomware_Ako : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "AKO" + description = "Yara rule that detects Ako ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Ako" + tc_detection_factor = 5 + + strings: + + $encrypt_files_win64_p1 = { + 44 89 4C 24 ?? 4C 89 44 24 ?? 48 89 54 24 ?? 48 89 4C 24 ?? 56 57 48 81 EC ?? ?? ?? + ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 84 24 ?? ?? ?? ?? + 48 83 BC 24 ?? ?? ?? ?? ?? 74 ?? 48 83 BC 24 ?? ?? ?? ?? ?? 75 ?? 32 C0 E9 ?? ?? ?? + ?? 41 B9 ?? ?? ?? ?? 45 33 C0 48 8B 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 90 89 44 24 ?? 81 7C 24 ?? ?? ?? ?? ?? 73 ?? 32 C0 E9 ?? ?? ?? ?? C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 48 8B F8 33 C0 B9 ?? ?? ?? ?? F3 AA + 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 85 C0 75 ?? 32 + C0 E9 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 8B 44 24 + ?? 45 33 C0 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 45 33 C0 BA ?? ?? ?? ?? + 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 84 + 24 ?? ?? ?? ?? 48 8B F8 33 C0 B9 ?? ?? ?? ?? F3 AA C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + 48 8D 84 24 ?? ?? ?? ?? 48 8B F8 33 C0 B9 ?? ?? ?? ?? F3 AA 48 C7 44 24 ?? ?? ?? ?? + ?? EB ?? 48 8B 44 24 ?? 48 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 8B 84 24 ?? ?? ?? ?? 48 + 39 44 24 ?? 0F 8D ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? + 4C 8D 84 24 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 90 85 C0 75 ?? C6 44 24 ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 0F B6 44 24 ?? E9 ?? ?? ?? ?? 33 D2 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 8C 24 ?? ?? ?? ?? 41 + B8 ?? ?? ?? ?? 
48 8B D0 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 85 C0 75 ?? C6 + } + + $encrypt_files_win64_p2 = { + 44 24 ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 90 0F B6 44 24 ?? E9 ?? ?? ?? ?? 45 33 C9 4C 8D 84 24 ?? ?? ?? ?? 48 8B 94 + 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 85 C0 75 ?? C6 44 24 ?? + ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 90 0F B6 44 24 ?? E9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 8B 44 24 ?? 05 ?? ?? + ?? ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 39 44 24 ?? 0F 83 ?? ?? ?? ?? 48 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 90 8B 4C 24 ?? 48 03 C1 48 89 44 24 ?? 33 D2 48 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B F8 48 8B 44 24 ?? 48 8B F0 B9 ?? ?? ?? ?? F3 A4 48 + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 8B 4C 24 ?? 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? + ?? 4C 8B C8 45 33 C0 48 8B 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 90 0F B6 C0 85 C0 75 ?? C6 44 24 ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 0F B6 44 24 ?? E9 ?? ?? ?? ?? 48 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 90 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 4C 24 ?? 44 8B 44 24 ?? + 48 8B D0 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 85 C0 75 ?? C6 44 24 ?? ?? 48 + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 0F + B6 44 24 ?? E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? ?? 75 ?? EB ?? E9 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 44 24 ?? 48 8B F8 33 C0 B9 ?? ?? ?? ?? F3 AA + } + + $encrypt_files_win64_p3 = { + 48 8B 44 24 ?? 48 89 84 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 44 24 ?? 48 8B + F8 33 C0 B9 ?? ?? ?? ?? F3 AA 48 8B 44 24 ?? 48 89 84 24 ?? ?? ?? ?? 41 B9 ?? ?? ?? + ?? 4C 8D 84 24 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 90 85 C0 0F 84 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 83 C0 ?? 48 8B C8 E8 + ?? ?? ?? ?? 90 48 89 44 24 ?? 48 8B 8C 24 ?? ?? ?? 
?? 48 83 C1 ?? E8 ?? ?? ?? ?? 90 + 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 4C 24 ?? 48 8B 4C 24 ?? 44 8B C1 48 8B D0 48 8B 8C + 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 85 C0 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 48 89 44 24 + ?? 48 8B 8C 24 ?? ?? ?? ?? 48 83 C1 ?? E8 ?? ?? ?? ?? 90 48 8B 4C 24 ?? 48 3B C8 0F + 85 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 8B + 84 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 4C 24 ?? 41 + B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 90 + 85 C0 74 ?? 8B 44 24 ?? 48 83 F8 ?? 75 ?? C6 44 24 ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 0F B6 44 24 ?? EB ?? C6 44 + 24 ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 90 0F B6 44 24 ?? 48 8B 8C 24 ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 90 48 81 C4 + ?? ?? ?? ?? 5F 5E C3 + } + + $encrypt_network_shares_win64_p1 = { + 48 89 54 24 ?? 48 89 4C 24 ?? 48 81 EC ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 8B + 05 ?? ?? ?? ?? 48 33 C4 48 89 84 24 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B 84 24 ?? ?? ?? ?? 48 05 ?? ?? ?? ?? 48 8B C8 E8 + ?? ?? ?? ?? 90 0F B6 C0 85 C0 0F 85 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 90 0F B6 C0 85 C0 0F 85 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 + 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 90 0F B6 C0 85 C0 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 83 + C0 ?? 48 8D 94 24 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 90 48 8D 15 ?? ?? ?? ?? 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 90 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
90 4C + 8D 05 ?? ?? ?? ?? 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B D0 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8D 84 24 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8D 05 ?? ?? ?? ?? 48 8B D0 48 8D 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B + } + + $encrypt_network_shares_win64_p2 = { + 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 4C 8D 05 ?? ?? ?? ?? 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 90 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 90 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 94 24 ?? ?? ?? + ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D 8C + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8D 05 ?? ?? ?? ?? 48 8B D0 48 8D 8C 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 90 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 90 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 94 24 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 0F B6 C0 85 C0 0F 85 ?? ?? ?? + ?? 48 C7 44 24 ?? ?? ?? ?? ?? EB ?? 48 8B 44 24 ?? 48 FF C0 48 89 44 24 ?? 48 8D 8C + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 39 44 24 ?? 73 ?? 
48 83 7C 24 ?? ?? 76 ?? 33 D2 + 48 8B 44 24 ?? B9 ?? ?? ?? ?? 48 F7 F1 48 8B C2 48 85 C0 75 ?? 41 B9 ?? ?? ?? ?? 4C + } + + $encrypt_network_shares_win64_p3 = { + 8D 05 ?? ?? ?? ?? 48 8B 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B 44 + 24 ?? 48 FF C0 48 89 44 24 ?? EB ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? + ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 54 24 ?? 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 90 48 8D 15 ?? ?? ?? ?? + 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 90 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 4C 8B C0 48 8D 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 90 48 8B C8 E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 90 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? + E8 ?? ?? ?? ?? 90 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8B C0 48 8D 94 24 ?? + ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B C8 E8 ?? ?? ?? ?? 90 4C 8B + C0 48 8D 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 90 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 90 C6 44 24 ?? ?? 48 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 90 0F B6 44 24 ?? EB ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 90 32 C0 48 8B 8C 24 ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 90 48 81 C4 ?? ?? ?? ?? C3 + } + + $find_files_win64 = { + 48 89 5C 24 ?? 55 56 57 41 56 41 57 48 81 EC ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 33 + C4 48 89 84 24 ?? ?? ?? ?? 4D 8B F0 49 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 8B E9 48 3B D1 + 74 ?? 0F B7 02 66 83 E8 ?? 66 83 F8 ?? 77 ?? 0F B7 C0 49 0F A3 C0 72 ?? 48 83 EA ?? + 48 3B D5 75 ?? 0F B7 0A 66 83 F9 ?? 75 ?? 48 8D 45 ?? 48 3B D0 74 ?? 
4D 8B CE 45 33 + C0 33 D2 48 8B CD E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 66 83 E9 ?? 33 FF 66 83 F9 ?? 77 ?? + 0F B7 C1 49 0F A3 C0 B0 ?? 72 ?? 40 8A C7 48 2B D5 48 8D 4C 24 ?? 48 D1 FA 41 B8 ?? + ?? ?? ?? 48 FF C2 F6 D8 4D 1B FF 4C 23 FA 33 D2 E8 ?? ?? ?? ?? 45 33 C9 89 7C 24 ?? + 4C 8D 44 24 ?? 48 89 7C 24 ?? 33 D2 48 8B CD FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? + 75 ?? 4D 8B CE 45 33 C0 33 D2 48 8B CD E8 ?? ?? ?? ?? 8B F8 48 83 FB ?? 74 ?? 48 8B + CB FF 15 ?? ?? ?? ?? 8B C7 48 8B 8C 24 ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 9C + 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 41 5F 41 5E 5F 5E 5D C3 49 8B 76 ?? 49 2B 36 48 + C1 FE ?? 66 83 7C 24 ?? ?? 75 ?? 66 39 7C 24 ?? 74 ?? 66 83 7C 24 ?? ?? 75 ?? 66 39 + 7C 24 ?? 74 ?? 4D 8B CE 48 8D 4C 24 ?? 4D 8B C7 48 8B D5 E8 ?? ?? ?? ?? 85 C0 75 ?? + 48 8D 54 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 75 ?? 49 8B 06 49 8B 56 ?? 48 2B D0 + 48 C1 FA ?? 48 3B F2 0F 84 ?? ?? ?? ?? 48 2B D6 48 8D 0C F0 4C 8D 0D ?? ?? ?? ?? 41 + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files_win64 + ) and + ( + all of ($encrypt_files_win64_p*) + ) and + ( + all of ($encrypt_network_shares_win64_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Albabat.yara b/yara/ransomware/Win64.Ransomware.Albabat.yara new file mode 100644 index 0000000..2c41b36 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Albabat.yara 
@@ -0,0 +1,139 @@ +rule Win64_Ransomware_Albabat : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ALBABAT" + description = "Yara rule that detects Albabat ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Albabat" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 48 8D 05 ?? ?? ?? ?? 48 89 83 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? C7 83 ?? + ?? ?? ?? ?? ?? ?? ?? 66 C7 83 ?? ?? 00 00 ?? ?? C7 83 ?? ?? ?? ?? ?? ?? ?? ?? 0F 57 + F6 0F 11 B3 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? C6 83 ?? ?? ?? ?? ?? 4C 8D + 83 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 D7 48 85 C0 74 ?? 0F B6 05 ?? ?? ?? ?? 48 8B 0D + ?? ?? ?? ?? 48 85 C9 75 ?? FF 15 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 C1 48 + 89 05 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 31 D2 FF 15 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? + ?? 48 89 C6 48 89 38 4C 8D 35 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 89 BB ?? ?? ?? ?? 48 C7 + 83 ?? ?? ?? ?? ?? ?? ?? ?? 0F 11 B3 ?? ?? ?? ?? 48 89 F9 E8 ?? ?? ?? ?? 48 89 C6 48 + 89 D7 48 85 C0 74 ?? 48 85 FF 0F 85 ?? ?? ?? ?? 48 89 7C 24 ?? 48 8D 8B ?? ?? ?? ?? + 48 8D 93 ?? ?? ?? ?? 4C 8D 83 ?? ?? ?? ?? 49 89 F1 E8 ?? ?? ?? ?? 48 83 BB ?? ?? ?? + ?? ?? 0F 84 ?? ?? ?? ?? 48 8B BB ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? + ?? 48 85 C9 75 ?? FF 15 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 C1 48 89 05 ?? + ?? ?? ?? 41 B8 ?? ?? ?? ?? 31 D2 FF 15 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 + } + + $encrypt_files_p2 = { + C6 48 89 38 4C 8D 35 ?? ?? ?? ?? 48 83 BB ?? ?? ?? ?? ?? 74 ?? 4C 8B 83 ?? ?? ?? ?? + 48 8B 0D ?? ?? ?? ?? 31 D2 FF 15 ?? ?? ?? ?? 48 8B 8B ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 48 85 F6 0F 84 ?? ?? ?? ?? 48 89 B3 ?? ?? ?? ?? 4C 89 B3 ?? ?? ?? ?? 4C 8D B3 ?? ?? + ?? ?? 4C 89 B3 ?? ?? ?? ?? 4C 8D 3D ?? ?? ?? ?? 4C 89 BB ?? ?? ?? ?? 48 8D 05 ?? ?? + ?? ?? 48 89 83 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 83 ?? ?? 
?? ?? ?? + ?? ?? ?? 48 8D BB ?? ?? ?? ?? 48 89 BB ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? + 48 8D 8B ?? ?? ?? ?? 48 8D 93 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B B3 ?? ?? ?? ?? 48 8B + 93 ?? ?? ?? ?? 4C 8B A3 ?? ?? ?? ?? 48 89 F1 E8 ?? ?? ?? ?? 4D 85 E4 74 ?? 48 8B 0D + ?? ?? ?? ?? 31 D2 49 89 F0 FF 15 ?? ?? ?? ?? 4C 89 B3 ?? ?? ?? ?? 4C 89 BB ?? ?? ?? + ?? 48 8D 05 ?? ?? ?? ?? 48 89 83 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D + 35 ?? ?? ?? ?? 48 89 B3 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? 4C 8D B3 ?? ?? + ?? ?? 4C 89 B3 ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 83 ?? ?? ?? ?? ?? + ?? ?? ?? 48 8D 8B ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 48 8B 05 ?? ?? + ?? ?? 48 83 F8 ?? 0F 85 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 65 48 8B + 14 25 ?? ?? ?? ?? 48 8B 0C CA 48 8D 89 ?? ?? ?? ?? 48 39 C8 75 ?? 8B 05 ?? ?? ?? ?? + FF C0 75 ?? 48 8D 0D ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 + } + + $drop_ransom_note = { + 48 8D 05 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 + 89 B4 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? 48 + C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 83 BC 24 ?? ?? ?? ?? ?? 74 ?? 4C 8B 84 24 ?? ?? ?? ?? 48 8B 0D ?? ?? + ?? ?? 31 D2 FF 15 ?? ?? ?? ?? 48 8D B4 24 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 89 + F1 E8 ?? ?? ?? ?? 48 85 C0 4C 8B 74 24 ?? 74 ?? 48 89 C5 4C 8B 6C 24 ?? E9 ?? ?? ?? + ?? 4D 8D 0C D1 49 83 C1 ?? 48 C1 E2 ?? 48 F7 DA 4F 8D 14 C2 49 83 C2 ?? 49 C1 E0 ?? + 49 F7 D8 45 31 DB 4C 39 DA 0F 84 ?? ?? ?? ?? 4D 39 D8 0F 84 ?? ?? ?? ?? 4B 8B 34 19 + 4F 8B 34 1A 4C 39 F6 0F 82 ?? ?? ?? ?? 49 83 C3 ?? 4C 39 F6 76 ?? E9 ?? ?? ?? ?? 48 + 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 BC 24 + ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 4C + 8B 84 24 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 
48 8D 8C 24 ?? + ?? ?? ?? 48 89 DA E8 ?? ?? ?? ?? 4C 8B B4 24 ?? ?? ?? ?? 4C 8B 84 24 ?? ?? ?? ?? 48 + C7 44 24 ?? ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 4C 89 F2 E8 ?? + ?? ?? ?? 48 83 BC 24 ?? ?? ?? ?? ?? 74 ?? 48 8B 0D ?? ?? ?? ?? 31 D2 4D 89 F0 FF 15 + ?? ?? ?? ?? 48 85 ED 74 ?? 48 8B 0D ?? ?? ?? ?? 31 D2 49 89 D8 FF 15 ?? ?? ?? ?? 48 + 8D 9C 24 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? + ?? 41 B8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 0F 10 00 0F 11 84 24 ?? ?? ?? ?? 48 8B + 8C 24 ?? ?? ?? ?? 48 85 C9 74 + } + + $change_desktop_wallpaper = { + 4C 8D 0D ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 DA E8 ?? ?? ?? ?? 48 83 BC 24 ?? + ?? ?? ?? ?? 74 ?? 48 8B 0D ?? ?? ?? ?? 31 D2 49 89 D8 FF 15 ?? ?? ?? ?? 4D 85 F6 74 + ?? 48 8B 0D ?? ?? ?? ?? 31 D2 49 89 F0 FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D + 8C 24 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 25 ?? ?? ?? ?? 48 85 C0 4C + 8B 74 24 ?? 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 41 B8 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 80 BC 24 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8B B4 24 ?? ?? + ?? ?? 4C 8B AC 24 ?? ?? ?? ?? 4C 8B 84 24 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 4C + 8D 0D ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 F2 E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? + ?? ?? 4C 8B 84 24 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 48 8D + 8C 24 ?? ?? ?? ?? 48 89 DA E8 ?? ?? ?? ?? 48 83 BC 24 ?? ?? ?? ?? ?? 74 ?? 48 8B 0D + ?? ?? ?? ?? 31 D2 49 89 D8 FF 15 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 4C 8B B4 24 ?? + ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 DA 4D 89 F0 E8 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? + ?? ?? 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 89 C1 83 E1 ?? 83 F9 ?? 0F 85 ?? ?? + ?? ?? 48 8D 58 ?? 4C 8B 70 ?? 48 8B 68 ?? 4C 89 F1 FF 55 + } + + $find_files_p1 = { + 4C 8D 0D ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 DA E8 ?? ?? ?? ?? 48 83 BC 24 ?? + ?? ?? ?? ?? 74 ?? 48 8B 0D ?? ?? ?? ?? 31 D2 49 89 D8 FF 15 ?? ?? ?? ?? 4D 85 FF 74 + ?? 48 8B 0D ?? ?? ?? 
?? 31 D2 49 89 F0 FF 15 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? + ?? ?? ?? 66 0F EF C0 F3 0F 7F 84 24 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 8D 94 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 C5 4C 8B 6C 24 ?? 4C 8B + 74 24 ?? E9 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 31 D2 49 89 F0 E8 ?? ?? ?? ?? 48 8B + 84 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 29 E8 48 39 F0 72 ?? 48 8B 8C 24 ?? ?? + ?? ?? 48 01 E9 31 D2 49 89 F0 E8 ?? ?? ?? ?? 48 01 F5 48 89 AC 24 ?? ?? ?? ?? E9 ?? + ?? ?? ?? 48 C1 ED ?? 74 ?? 41 BD ?? ?? ?? ?? E9 ?? ?? ?? ?? 49 83 FF ?? 72 ?? 48 85 + DB 74 ?? 48 8B 84 24 ?? ?? ?? ?? EB ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 EA 49 89 F0 E8 + ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? EB ?? 4C 89 FB 4C 89 F0 4D 85 FF 74 ?? 49 89 DC + 48 8B 44 D8 ?? 48 85 C0 74 ?? 48 0F BD C0 48 83 F0 ?? EB ?? 45 31 E4 EB ?? B8 ?? ?? + ?? ?? 49 C1 E4 ?? 49 83 CC ?? 49 29 C4 49 C1 EC ?? 48 8B B4 24 ?? ?? ?? ?? BA ?? ?? + ?? ?? 48 89 F1 45 31 C0 E8 ?? ?? ?? ?? 48 89 F1 E8 ?? ?? ?? ?? 49 89 C7 49 83 FC + } + + $find_files_p2 = { + 73 ?? 48 8B 0D ?? ?? ?? ?? 31 D2 4D 89 F8 FF 15 ?? ?? ?? ?? 41 BD ?? ?? ?? ?? E9 ?? + ?? ?? ?? BA ?? ?? ?? ?? 4C 89 E1 E8 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 8D 68 + ?? 49 8D 5C 24 ?? 48 8B 8C 24 ?? ?? ?? ?? 48 89 EA 48 89 44 24 ?? E8 ?? ?? ?? ?? 48 + 8B 44 24 ?? F3 41 0F 6F 07 41 0F 10 4F ?? 0F 11 48 ?? F3 0F 7F 40 ?? 49 8D 4C 24 ?? + 48 39 D9 0F 83 ?? ?? ?? ?? 4D 89 E5 4C 8D 60 ?? 49 8D 4D ?? 43 C6 44 2C ?? ?? 48 39 + CB 0F 82 ?? ?? ?? ?? 43 0F 11 74 2C ?? 43 0F 11 7C 2C ?? 48 C7 44 24 ?? ?? ?? ?? ?? + 4C 89 E1 48 89 DA 48 8B B4 24 ?? ?? ?? ?? 49 89 F0 49 89 E9 E8 ?? ?? ?? ?? 48 89 5C + 24 ?? BA ?? ?? ?? ?? 48 89 E9 49 89 F0 4D 89 E1 E8 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? + 31 D2 4D 89 F8 FF 15 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 89 E9 E8 ?? + ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 89 C3 48 8D B4 24 ?? ?? ?? ?? 48 89 C1 48 8B + 54 24 ?? 
4D 89 E8 E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $drop_ransom_note + ) and + ( + $change_desktop_wallpaper + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.AntiWar.yara b/yara/ransomware/Win64.Ransomware.AntiWar.yara new file mode 100644 index 0000000..0829bb2 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.AntiWar.yara 
@@ -0,0 +1,146 @@ +rule Win64_Ransomware_AntiWar : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ANTIWAR" + description = "Yara rule that detects AntiWar ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "AntiWar" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 49 8B D7 49 8B CD FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? + 48 8D 95 ?? ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? 4C 8B F0 48 89 44 24 ?? 48 83 F8 ?? + 0F 84 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? 41 8B DC 48 8D 3D ?? ?? ?? ?? 66 90 48 8B 0F + E8 ?? ?? ?? ?? 48 8B D0 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? + ?? FF C3 48 83 C7 ?? 83 FB ?? 72 ?? 49 8B D7 49 8B CD FF 15 ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? + F6 85 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 66 0F 6F 35 ?? ?? 03 00 66 0F 6F 3D ?? ?? 03 + 00 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 C7 85 ?? ?? 00 00 ?? ?? 8B 05 ?? ?? ?? ?? 4C 8D + 3C C5 ?? ?? ?? ?? 41 BC ?? ?? ?? ?? 65 48 8B 04 25 ?? ?? ?? ?? 4A 8B 0C 38 41 8B 04 + 0C 39 05 ?? ?? ?? ?? 7E ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? + 75 ?? C6 05 ?? ?? ?? ?? ?? 0F 11 35 ?? ?? ?? ?? 0F 11 3D ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 89 05 ?? ?? ?? ?? 0F B7 85 ?? ?? ?? ?? 66 89 05 ?? ?? 04 00 48 8D 0D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 74 ?? 45 33 + C9 41 BA ?? ?? ?? ?? 4C 8D 35 ?? ?? ?? ?? 4D 2B D6 49 BB ?? ?? ?? ?? ?? ?? ?? ?? 66 + 66 0F 1F 84 00 ?? ?? 00 00 4B 8D 14 31 41 0F B6 C9 80 E1 ?? C0 E1 ?? 49 8B C3 48 D3 + } + + $find_files_p2 = { + E8 30 02 4C 8D 42 ?? 41 8D 0C 12 80 E1 ?? C0 E1 ?? 49 8B D3 48 D3 EA 41 30 10 49 83 + C1 ?? 49 83 F9 ?? 72 ?? 4C 8B 74 24 ?? C6 05 ?? ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 8B D0 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? 
?? + 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 E8 ?? 48 63 C8 78 ?? 0F 1F 40 ?? 66 83 BC + 4D ?? ?? 00 00 ?? 74 ?? FF C8 48 83 E9 ?? 79 ?? EB ?? B3 ?? 48 98 4C 8D B5 ?? ?? ?? + ?? 4D 8D 34 46 48 8D 3D ?? ?? ?? ?? BE ?? ?? ?? ?? 45 33 ED 48 8B 0F E8 ?? ?? ?? ?? + 48 8B D0 49 8B CE FF 15 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DD 48 8D 7F ?? 48 83 EE + ?? 75 ?? 4C 8B 6C 24 ?? 4C 8B 74 24 ?? 84 DB 0F 84 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? + 45 33 C0 49 8B D5 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 33 FF + 90 89 BD ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? 33 D2 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8B D8 48 85 C0 0F 84 ?? ?? ?? ?? 66 0F 1F 84 00 ?? ?? 00 00 83 3D ?? ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 85 C9 0F 84 ?? ?? ?? ?? 83 79 ?? ?? 0F 8C + ?? ?? ?? ?? 66 0F 6F 35 ?? ?? 03 00 66 0F 6F 3D ?? ?? 03 00 66 C7 85 ?? ?? 00 00 ?? + ?? 65 48 8B 04 25 ?? ?? ?? ?? 4A 8B 0C 38 41 8B 04 0C 39 05 ?? ?? ?? ?? 7E ?? 48 8D + 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? C6 05 ?? ?? ?? ?? ?? 0F 11 + 35 ?? ?? ?? ?? 0F 11 3D ?? ?? ?? ?? 0F B7 85 ?? ?? ?? ?? 66 89 05 ?? ?? 04 00 48 8D + } + + $find_files_p3 = { + 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? + ?? 74 ?? 48 8B C7 41 BA ?? ?? ?? ?? 4C 8D 35 ?? ?? ?? ?? 4D 2B D6 49 BB ?? ?? ?? ?? + ?? ?? ?? ?? 90 4E 8D 0C 30 0F B6 C8 80 E1 ?? C0 E1 ?? 4D 8B C3 49 D3 E8 45 30 01 43 + 8D 0C 11 80 E1 ?? C0 E1 ?? 49 8B D3 48 D3 EA 41 30 51 ?? 48 83 C0 ?? 48 83 F8 ?? 72 + ?? 4C 8B 74 24 ?? C6 05 ?? ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? C7 44 24 + ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 44 24 ?? 48 89 7D ?? 48 C7 45 ?? ?? ?? ?? ?? BA + ?? ?? ?? ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? + ?? ?? ?? 48 89 85 ?? ?? ?? ?? 89 BD ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 48 C7 85 ?? ?? + ?? ?? ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? + ?? ?? ?? 66 89 BD ?? ?? 00 00 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 90 48 8D 15 ?? 
?? ?? ?? + 48 8D 4D ?? E8 ?? ?? ?? ?? 48 8B D6 48 85 DB 48 0F 45 D3 48 8D 4D ?? E8 ?? ?? ?? ?? + 48 8B 3D ?? ?? ?? ?? 48 8B 5F ?? 48 3B 5F ?? 74 ?? 0F 1F 84 00 ?? ?? ?? ?? 48 8B 0B + } + + $find_files_p4 = { + 48 8B 01 48 8D 54 24 ?? FF 50 ?? 48 83 C3 ?? 48 3B 5F ?? 75 ?? 48 8D 05 ?? ?? ?? ?? + 48 89 44 24 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 83 FA ?? + 72 ?? 48 FF C2 48 8B 8D ?? ?? ?? ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? + 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 FF + 48 89 BD ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 40 88 BD ?? ?? ?? ?? 48 8D 4D + ?? E8 ?? ?? ?? ?? EB ?? 48 8B CB E8 ?? ?? ?? ?? 48 8B CB E8 ?? ?? ?? ?? 4C 8D 85 ?? + ?? ?? ?? 33 D2 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B D8 48 85 C0 0F 85 ?? ?? ?? + ?? 45 33 C0 49 8B D5 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 45 + 33 E4 4C 8B 7C 24 ?? 48 8D 95 ?? ?? ?? ?? 49 8B CE FF 15 ?? ?? ?? ?? 85 C0 + } + + $enum_shares = { + 48 83 EC ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 44 24 ?? 33 D2 C7 44 24 ?? ?? ?? ?? + ?? 48 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 4C 8B C9 48 89 44 24 ?? 8D 4A ?? 44 8D 42 + ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 4C 24 ?? 48 89 7C 24 ?? E8 ?? ?? ?? ?? + 48 8B F8 48 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 4C 8B C0 48 8D 54 + 24 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 48 89 5C 24 ?? 33 DB 39 5C 24 ?? 76 ?? 0F 1F 84 00 + ?? ?? ?? ?? 48 8D 0C 5B 48 C1 E1 ?? 48 03 CF F6 41 ?? ?? 74 ?? E8 ?? ?? ?? ?? EB ?? + 48 8B 49 ?? E8 ?? ?? ?? ?? FF C3 3B 5C 24 ?? 72 ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 4C + 8B C7 48 8D 54 24 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 5C 24 ?? 48 8B CF E8 ?? ?? ?? + ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 7C 24 ?? 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? + ?? 48 83 C4 ?? C3 + } + + $encrypt_files_p1 = { + 48 89 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 45 33 C9 45 33 C0 BA + ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B F0 48 8B 8D ?? ?? ?? ?? E8 + ?? 
?? ?? ?? 49 83 FE ?? 0F 84 ?? ?? ?? ?? 41 BD ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 49 + 8B CE FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8B F8 48 85 C0 0F 84 ?? ?? + ?? ?? 4C 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 80 + A5 ?? ?? ?? ?? ?? 0F B6 8D ?? ?? ?? ?? 80 E1 ?? 80 C9 ?? 88 8D ?? ?? ?? ?? 4C 8D 85 + ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? + ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 45 8B C1 48 8D + 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? + ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 85 ?? + ?? ?? ?? 33 D2 44 8D 42 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 44 8D 42 ?? 48 + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 44 8D 42 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 8B DE 45 33 C9 45 33 C0 48 8B D6 49 8B CE FF 15 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? + ?? 48 81 F9 ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 F7 E9 48 + } + + $encrypt_files_p2 = { + 8B FA 48 C1 FF ?? 48 8B C7 48 C1 E8 ?? 48 03 F8 48 85 FF 0F 8E ?? ?? ?? ?? 48 89 74 + 24 ?? 4C 8D 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 49 8B D7 49 8B CE FF 15 ?? ?? ?? ?? 8B + 85 ?? ?? ?? ?? 89 44 24 ?? 4D 8B CF 4D 8B C7 48 8D 95 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? + ?? 45 33 C9 45 33 C0 48 8B D3 49 8B CE FF 15 ?? ?? ?? ?? 48 89 74 24 ?? 4C 8D 8D ?? + ?? ?? ?? 41 B8 ?? ?? ?? ?? 49 8B D7 49 8B CE FF 15 ?? ?? ?? ?? 48 81 C3 ?? ?? ?? ?? + 45 33 C9 45 33 C0 48 8B D3 49 8B CE FF 15 ?? ?? ?? ?? 48 83 EF ?? 0F 85 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 83 78 ?? ?? 0F 8C ?? + ?? ?? ?? 41 8B C6 48 8D 1C C5 ?? ?? ?? ?? 65 48 8B 04 25 ?? ?? ?? ?? 48 8B 0C 18 8B + 04 0F 39 05 ?? ?? ?? ?? 7E ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? + ?? 75 ?? 66 C7 05 ?? ?? 05 00 ?? ?? C6 05 ?? ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 
E8 ?? + ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? ?? 74 ?? 80 35 ?? ?? + ?? ?? ?? 80 35 ?? ?? ?? ?? ?? C6 05 ?? ?? ?? ?? ?? 65 48 8B 04 25 ?? ?? ?? ?? 48 8B + 0C 18 8B 04 0F 39 05 ?? ?? ?? ?? 7E ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 3D ?? + ?? ?? ?? ?? 75 ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 80 3D + } + + condition: + uint16(0) == 0x5A4D and + ( + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $enum_shares + ) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.AwesomeScott.yara b/yara/ransomware/Win64.Ransomware.AwesomeScott.yara new file mode 100644 index 0000000..8650643 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.AwesomeScott.yara 
@@ -0,0 +1,101 @@
+rule Win64_Ransomware_AwesomeScott : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "AWESOMESCOTT"
+ description = "Yara rule that detects AwesomeScott ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "AwesomeScott"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_p1 = {
+ 48 8B C4 48 89 58 ?? 48 89 68 ?? 48 89 70 ?? 57 41 54 41 55 41 56 41 57 48 83 EC ??
+ 45 33 FF 4C 8B F2 49 8B D8 4C 89 78 ?? C7 40 ?? ?? ?? ?? ?? C7 40 ?? ?? ?? ?? ?? 4C
+ 89 78 ?? 4C 89 78 ?? 4C 89 78 ?? 4C 89 78 ?? B8 ?? ?? ?? ?? 48 8B F1 45 33 C9 44 8B
+ C0 8B D0 49 8B CE 45 32 ED 48 83 CD ?? 49 8B FF FF 15 ?? ?? ?? ?? 4C 8B E0 48 3B C5
+ 75 ?? FF 15 ?? ?? ?? ?? 8B D8 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 48 ?? E8 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 48 ?? 48 8D 15 ?? ?? ?? ?? E8 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 83 C0 ?? 44 8B C3 48 8B C8 E8 ?? ??
+ ?? ?? E9 ?? ?? ?? ?? 45 33 C9 4C 89 7C 24 ?? 48 8B CB 41 8D 51 ?? 45 8D 41 ?? C7 44
+ 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B E8 48 83 F8 ?? 75
+ ?? FF 15 ?? ?? ?? ?? 8B D8 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 48 ?? E8 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 48 ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ??
+ ?? ?? E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 83 C0 ?? 44 8B C3 48 8B C8 E8 ?? ?? ??
+ ?? E9 ?? ?? ?? ?? BB ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 4C 24 ?? 33 D2 44 8B CB
+ }
+
+ $encrypt_files_p2 = {
+ 44 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ??
+ 4C 8D 05 ?? ?? ?? ?? 48 8D 4C 24 ?? 44 8B CB 33 D2 C7 44 24 ?? ?? ?? ?? ?? FF 15 ??
+ ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 4C
+ 24 ?? 48 8D 44 24 ?? 45 33 C9 45 33 C0 BA ?? ?? ?? ?? 48 89 44 24 ?? FF 15 ?? ?? ??
+ ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ??
E9 ?? ?? ?? ?? 48 8D 0D ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8D 15 ?? ?? ?? ?? 44 8B C0 45 33 C9 FF 15 + ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 8B + 44 24 ?? 48 8B 4C 24 ?? 48 8D 44 24 ?? 41 B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 44 24 + ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? E9 ?? ?? ?? + ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B F8 48 85 C0 75 ?? 41 B8 ?? ?? ?? ?? 48 8D 15 + ?? ?? ?? ?? E9 ?? ?? ?? ?? 32 DB 90 4C 8D 4C 24 ?? 41 B8 ?? ?? ?? ?? 48 8B D7 49 8B + CC 4C 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 81 7C 24 ?? ?? ?? ?? ?? + 48 8B 4C 24 ?? B8 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 0F B6 DB 0F 42 D8 48 8D 44 24 + ?? 45 33 C9 48 89 44 24 ?? 44 0F B6 C3 33 D2 48 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 + } + + $encrypt_files_p3 = { + 74 ?? 44 8B 44 24 ?? 4C 8D 4C 24 ?? 48 8B D7 48 8B CD 4C 89 7C 24 ?? FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 84 DB 0F 84 ?? ?? ?? ?? 41 B5 ?? EB ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? ?? 48 8D + 15 ?? ?? ?? ?? 44 8B C0 48 8B CE E8 ?? ?? ?? ?? 4D 85 E4 74 ?? 49 8B CC FF 15 ?? ?? + ?? ?? 48 85 ED 74 ?? 48 8B CD FF 15 ?? ?? ?? ?? 48 85 FF 74 ?? 48 8B CF E8 ?? ?? ?? + ?? 48 8B 4C 24 ?? 48 85 C9 74 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B + D8 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 48 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C + 8D 05 ?? ?? ?? ?? 48 8D 48 ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 + 8D 15 ?? ?? ?? ?? 48 83 C0 ?? 44 8B C3 48 8B C8 E8 ?? ?? ?? ?? 4C 89 7C 24 ?? 48 8B + 4C 24 ?? 48 85 C9 74 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 8B D8 E8 ?? + ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 48 ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8D 05 ?? + ?? ?? ?? 48 8D 48 ?? 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? 48 83 C0 ?? 44 8B C3 48 8B C8 E8 ?? ?? ?? ?? 48 8B 4C 24 + } + + $find_files = { + E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 
33 F6 33 D2 41 B8 ?? ?? ?? ?? 66 89 B4 24 ?? + ?? 00 00 E8 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 8B D7 FF 15 + ?? ?? ?? ?? 48 8D 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 + F8 ?? 0F 84 ?? ?? ?? ?? 0F 1F 40 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? 41 B8 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? 41 + B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? F6 44 24 ?? ?? 74 ?? 4C 8D 44 + 24 ?? 48 8D 8C 24 ?? ?? ?? ?? 48 8B D7 FF 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? + ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D + 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? + ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 + 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C + 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? + FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 + ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? + ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? + 85 C0 0F 85 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 8B 44 24 ?? A8 ?? 0F 85 ?? ?? ?? ?? A8 ?? 0F 85 ?? ?? ?? ?? 48 8D + 8C 24 ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? 66 89 B4 24 ?? ?? 00 00 E8 ?? ?? ?? ?? 48 + 8D 8C 24 ?? ?? ?? ?? 33 D2 41 B8 ?? ?? ?? ?? 66 89 B4 24 ?? ?? 00 00 E8 ?? ?? ?? ?? + 4C 8D 44 24 ?? 48 8D 8C 24 ?? ?? ?? ?? 48 8B D7 FF 15 ?? ?? ?? ?? 4C 8D 84 24 ?? ?? + ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? 
?? ?? ?? 39 74 24 ?? 76
+ ?? 4C 8D 0D ?? ?? ?? ?? 4C 8D 84 24 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8D 4C 24
+ ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??
+ 48 8B CB FF 15
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and $find_files and (all of ($encrypt_files_p*))
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win64.Ransomware.BlackBasta.yara b/yara/ransomware/Win64.Ransomware.BlackBasta.yara
new file mode 100644
index 0000000..820a559
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.BlackBasta.yara
@@ -0,0 +1,293 @@
+rule Win64_Ransomware_BlackBasta : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "BLACKBASTA"
+ description = "Yara rule that detects BlackBasta ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "BlackBasta"
+ tc_detection_factor = 5
+
+ strings:
+
+ $find_files = {
+ 48 8B 44 24 ?? 83 A0 ?? ?? ?? ?? ?? 44 8B C9 EB ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 44 38
+ 75 ?? 74 ?? 48 8B 44 24 ?? 83 A0 ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? EB ?? 44 38 75 ??
+ 74 ?? 48 8B 44 24 ?? 83 A0 ?? ?? ?? ?? ?? 45 8B CE 4C 8D 44 24 ?? 48 8B CF 48 8D 54
+ 24 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 4C 8D 45 ?? 85 C0 44 89 74 24 ?? 4C 89 74 24 ??
+ 49 0F 45 CE 45 33 C9 33 D2 FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 75 ?? 4D 8B CC 45
+ 33 C0 33 D2 48 8B CF E8 ?? ?? ?? ?? 8B D8 44 38 74 24 ?? 74 ?? 48 8B 4C 24 ?? E8 ??
+ ?? ?? ?? 8B C3 E9 ?? ?? ?? ?? 49 8B 74 24 ?? 49 2B 34 24 48 C1 FE ?? 33 D2 4C 89 75
+ ?? 48 8D 4D ?? 4C 89 75 ?? 4C 89 75 ?? 4C 89 75 ?? 4C 89 75 ?? 44 88 75 ?? E8 ?? ??
+ ?? ?? 48 8B 45 ?? B9 ?? ?? ?? ?? 39 48 ?? 75 ?? 44 38 75 ?? 74 ?? 48 8B 45 ?? 83 A0
+ ?? ?? ?? ?? ?? 44 8B C9 EB ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 44 38 75 ?? 74 ?? 48 8B 45
+ ?? 83 A0 ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? EB ?? 44 38 75 ?? 74 ?? 48 8B 45 ?? 83 A0
+ ?? ?? ?? ?? ?? 45 8B CE 4C 8D 44 24 ?? 48 8D 55 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 4C 8B
+ 75 ?? 33 D2 85 C0 49 8B CE 48 0F 45 CA 80 39 ?? 75 ?? 8A 41 ?? 84 C0 75 ?? 38 55 ??
+ 74 ?? 49 8B CE E8 ?? ?? ?? ?? EB ?? 3C ?? 75 ?? 38 51 ?? 74 ?? 4D 8B CC 4D 8B C5 48
+ 8B D7 E8 ?? ?? ?? ?? 44 8B E8 85 C0 75 ?? 38 45 ?? 74 ?? 49 8B CE E8 ?? ?? ?? ?? 4C
+ 8B 6C 24 ?? 48 8D 55 ?? 48 8B CB FF 15 ?? ?? ?? ?? 45 33 F6 85 C0 0F 85 ?? ?? ?? ??
+ 49 8B 04 24 49 8B 54 24 ?? 48 2B D0 48 C1 FA ?? 48 3B F2 74 ?? 48 2B D6 48 8D 0C F0
+ 4C 8D 0D ?? ?? ?? ?? 45 8D 46 ?? E8 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 44 38 74
+ 24 ?? 74 ??
48 8B 4C 24 + } + + $find_system_volumes_v1_p1 = { + 48 89 4C 24 ?? 55 53 56 57 41 56 41 57 48 8D AC 24 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? + 48 8B F1 45 33 FF 44 89 7C 24 ?? 4C 89 39 4C 89 79 ?? 4C 89 79 ?? C7 44 24 ?? ?? ?? + ?? ?? BA ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 4C 8B F0 0F 1F 00 4C 8D 8D ?? + ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 44 89 7C 24 ?? 4C 89 7C 24 ?? 48 8D 85 ?? ?? ?? ?? 48 89 44 24 + ?? 4C 89 7C 24 ?? 45 33 C9 45 33 C0 33 D2 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? F7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 8D 14 00 48 8D BD ?? ?? ?? ?? 48 03 FA 4C 89 7C 24 ?? 4C 89 + 7C 24 ?? 4C 89 7C 24 ?? 4C 89 7C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? C6 44 24 ?? ?? 48 + 8D 9D ?? ?? ?? ?? 48 D1 FA 48 83 FA ?? 72 ?? 45 33 C0 48 8D 4C 24 ?? E8 + } + + $find_system_volumes_v1_p2 = { + 4C 89 7C 24 ?? 48 8D 44 24 ?? 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 3B C7 74 + ?? 66 66 66 0F 1F 84 00 ?? ?? 00 00 44 0F B6 0B 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 3B + CA 73 ?? 48 8D 41 ?? 48 89 44 24 ?? 48 8D 44 24 ?? 48 83 FA ?? 48 0F 43 44 24 ?? 44 + 88 0C 08 C6 44 08 ?? ?? EB ?? 45 33 C0 41 8D 50 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 + 83 C3 ?? 48 3B DF 75 ?? 4C 89 BD ?? ?? ?? ?? 48 8B 46 ?? 48 3B 46 ?? 74 ?? 4C 89 38 + 4C 89 78 ?? 4C 89 78 ?? 41 B8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B C8 E8 ?? ?? ?? ?? 4C + 89 7C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? C6 44 24 ?? ?? 48 83 46 ?? ?? EB ?? 4C 8D 44 + 24 ?? 48 8B D0 48 8B CE E8 ?? ?? ?? ?? 90 48 8B 54 24 ?? 48 83 FA ?? 72 ?? 48 FF C2 + 48 8B 4C 24 ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 + 48 83 C0 ?? 48 83 F8 ?? 77 ?? E8 ?? ?? ?? ?? 4C 89 7C 24 ?? 48 C7 44 24 ?? ?? ?? ?? + ?? C6 44 24 ?? ?? 41 B8 ?? ?? ?? ?? 48 8D 54 24 ?? 49 8B CE FF 15 ?? ?? ?? ?? 85 C0 + 0F 85 ?? ?? ?? ?? 49 8B CE FF 15 ?? ?? ?? ?? 48 8B C6 48 81 C4 + } + + $set_default_icon_p1 = { + 48 89 5C 24 ?? 
48 89 4C 24 ?? 55 56 57 41 54 41 55 41 56 41 57 48 81 EC ?? ?? ?? ?? + 48 8B F1 45 33 ED 44 89 6C 24 ?? 4C 8B 35 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? + ?? ?? 4C 8B F8 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 8B C8 49 2B CE 49 3B CF 0F 82 ?? ?? + ?? ?? 4C 8D 25 ?? ?? ?? ?? 48 83 3D ?? ?? ?? ?? ?? 4C 0F 43 25 ?? ?? ?? ?? 4C 89 6C + 24 ?? 4C 89 6C 24 ?? 4C 89 6C 24 ?? 4B 8D 2C 37 BB ?? ?? ?? ?? 48 8D 7C 24 ?? 48 3B + EB 0F 86 ?? ?? ?? ?? 48 8B DD 48 83 CB ?? 48 3B D8 76 ?? 48 8B D8 48 B8 ?? ?? ?? ?? + ?? ?? ?? ?? 48 8D 0C 00 EB ?? B8 ?? ?? ?? ?? 48 3B D8 48 0F 42 D8 48 8D 4B ?? 48 B8 + ?? ?? ?? ?? ?? ?? ?? ?? 48 3B C8 0F 87 ?? ?? ?? ?? 48 03 C9 48 81 F9 ?? ?? ?? ?? 72 + ?? 48 8D 41 ?? 48 3B C1 0F 86 ?? ?? ?? ?? 48 8B C8 E8 ?? ?? ?? ?? 48 85 C0 0F 84 ?? + ?? ?? ?? 48 8D 78 ?? 48 83 E7 ?? 48 89 47 ?? EB ?? 48 85 C9 74 ?? E8 ?? ?? ?? ?? 48 + 8B F8 EB ?? 49 8B FD 48 89 7C 24 ?? 48 89 6C 24 ?? 48 89 5C 24 ?? 4B 8D 1C 36 4C 8B + } + + $set_default_icon_p2 = { + C3 49 8B D4 48 8B CF E8 ?? ?? ?? ?? 48 8D 0C 3B 4F 8D 04 3F 48 8D 15 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 66 44 89 2C 6F BB ?? ?? ?? ?? 89 5C 24 ?? 48 8D 54 24 ?? 48 83 7C 24 ?? + ?? 48 0F 43 54 24 ?? 48 8D 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 84 24 ?? ?? ?? ?? + 48 89 44 24 ?? 4C 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 44 89 6C 24 ?? 45 33 C9 45 33 + C0 48 C7 C1 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 48 8B CE 48 83 7E ?? ?? 72 ?? + 48 8B 0E 8B 46 ?? 03 C0 89 44 24 ?? 48 89 4C 24 ?? 44 8B CB 45 33 C0 48 8D 15 ?? ?? + ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 45 33 C9 45 33 C0 33 D2 B9 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 45 33 C9 45 33 C0 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? EB ?? 4C 89 6C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 4C 24 + ?? 45 33 C9 44 8B C0 33 D2 B9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 E3 ?? 89 5C 24 ?? 48 + 8B 54 24 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B C1 48 81 + FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 77 ?? 
+ E8 ?? ?? ?? ?? 4C 89 6C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 66 44 89 6C 24 ?? 48 8B CE + E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 41 5F 41 5E 41 5D 41 5C + 5F 5E 5D C3 + } + + $cmd_prompt = { + 48 89 5C 24 ?? 48 89 7C 24 ?? 55 48 8B EC 48 83 EC ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 + 48 89 45 ?? 48 8B D9 4C 8D 05 ?? ?? ?? ?? 33 FF 48 8D 4D ?? 33 D2 48 89 7D ?? E8 ?? + ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 48 85 DB 75 ?? 48 8B 4D ?? 48 85 C9 0F 84 ?? ?? + ?? ?? 33 D2 E8 ?? ?? ?? ?? 48 8B 4D ?? 8B D8 E8 ?? ?? ?? ?? 85 DB 40 0F 94 C7 E9 ?? + ?? ?? ?? 48 8B 45 ?? 48 8D 0D ?? ?? ?? ?? 48 89 45 ?? 48 89 4D ?? 48 89 5D ?? 48 89 + 7D ?? 48 85 C0 74 ?? E8 ?? ?? ?? ?? 8B 18 E8 ?? ?? ?? ?? 45 33 C9 4C 8D 45 ?? 33 C9 + 89 38 48 8B 55 ?? E8 ?? ?? ?? ?? 48 8B F8 83 F8 ?? 74 ?? E8 ?? ?? ?? ?? 89 18 EB ?? + E8 ?? ?? ?? ?? 83 38 ?? 74 ?? E8 ?? ?? ?? ?? 83 38 ?? 74 ?? 48 8B 4D ?? E8 ?? ?? ?? + ?? 83 CF ?? EB ?? E8 ?? ?? ?? ?? 89 18 48 8D 15 ?? ?? ?? ?? 45 33 C9 4C 8D 45 ?? 48 + 89 55 ?? 33 C9 E8 ?? ?? ?? ?? 48 8B F8 48 8B 4D ?? E8 ?? ?? ?? ?? 8B C7 48 8B 4D ?? + 48 33 CC E8 ?? ?? ?? ?? 4C 8D 5C 24 ?? 49 8B 5B ?? 49 8B 7B ?? 49 8B E3 5D C3 + } + + $exclude_from_encryption = { + 66 89 75 ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D + 4D ?? E8 ?? ?? ?? ?? 90 45 33 C0 48 8D 55 ?? 48 8B CB E8 ?? ?? ?? ?? 48 8B F8 48 8B + 55 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4D ?? 48 8B C1 48 81 FA ?? ?? + ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? 66 89 75 ?? 48 83 FF ?? 0F 85 + ?? ?? ?? ?? 48 89 75 ?? 48 89 75 ?? 48 89 75 ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? + 66 89 75 ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D + 4D ?? E8 ?? ?? ?? ?? 90 45 33 C0 48 8D 55 ?? 48 8B CB E8 ?? ?? ?? ?? 48 8B F8 48 8B + 55 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4D ?? 48 8B C1 48 81 FA ?? ?? + ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 
48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? 66 89 75 ?? 48 83 FF ?? 0F 85 + ?? ?? ?? ?? 48 89 75 ?? 48 89 75 ?? 48 89 75 ?? 48 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? + 66 89 75 ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8B C0 48 8D 15 ?? ?? ?? ?? 48 8D + 4D ?? E8 ?? ?? ?? ?? 90 45 33 C0 48 8D 55 ?? 48 8B CB E8 ?? ?? ?? ?? 48 8B F8 48 8B + 55 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4D ?? 48 8B C1 48 81 FA ?? ?? + ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 + } + + $encrypt_files_v1 = { + 41 83 CC ?? 44 89 64 24 ?? 48 8D 8C 24 ?? ?? ?? ?? 48 83 FF ?? 48 0F 43 8C 24 ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 8B F8 41 83 E4 ?? 44 89 64 24 ?? 48 8B 94 24 ?? ?? ?? ?? 48 + 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 89 94 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? + ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 89 94 24 ?? ?? ?? ?? 48 8B 49 + ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 9C 24 ?? + ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 66 89 9C 24 ?? ?? 00 00 40 F6 C7 ?? 74 + ?? 49 8B CF E8 ?? ?? ?? ?? 90 48 BE ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 3D ?? ?? ?? ?? 4C + 8D 35 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? E9 ?? ?? ?? ?? 49 8B CF E8 ?? ?? ?? ?? C6 84 + 24 ?? ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8B F0 48 + 89 9C 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 4C 8B 70 ?? 48 + 83 78 ?? ?? 72 ?? 48 8B 30 48 8D 8C 24 ?? ?? ?? ?? 49 83 FE ?? 73 ?? 41 B8 ?? ?? ?? + ?? 48 8B D6 E8 ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? + ?? EB ?? 4C 89 AC 24 ?? ?? ?? ?? 49 8B FE 48 83 CF ?? 48 89 BC 24 ?? ?? ?? ?? 49 3B + FD 49 0F 47 FD 48 8D 57 ?? E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 4E 8D 04 75 ?? ?? + ?? ?? 48 8B D6 48 8B C8 E8 ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? 48 89 BC 24 + } + + $find_system_volumes_v2 = { + BA ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8B F8 0F 1F 44 00 ?? 4C 8D 8D ?? + ?? ?? ?? 41 B8 ?? ?? ?? ?? 
48 8D 95 ?? ?? ?? ?? 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 89 74 24 ?? 48 89 74 24 ?? 48 8D 85 ?? ?? ?? ?? 48 89 44 24 ?? + 48 89 74 24 ?? 45 33 C9 45 33 C0 33 D2 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 + 0F 84 ?? ?? ?? ?? F7 85 ?? ?? ?? ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 4C 8D 04 00 48 8D 85 ?? ?? ?? ?? 49 03 C0 48 89 74 24 ?? 48 89 74 + 24 ?? 48 89 74 24 ?? 48 89 74 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 66 89 74 24 ?? 48 8D + 8D ?? ?? ?? ?? 48 3B C8 74 ?? 49 D1 F8 48 8D 95 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? + ?? ?? 90 48 8B 43 ?? 48 3B 43 ?? 74 ?? 48 89 30 48 89 70 ?? 48 89 70 ?? 41 B8 ?? ?? + ?? ?? 48 8D 54 24 ?? 48 8B C8 E8 ?? ?? ?? ?? 48 89 74 24 ?? 48 C7 44 24 ?? ?? ?? ?? + ?? 66 89 74 24 ?? 48 83 43 ?? ?? EB ?? 4C 8D 44 24 ?? 48 8B D0 48 8B CB E8 ?? ?? ?? + ?? 90 48 8B 54 24 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B + C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 + ?? 77 ?? E8 ?? ?? ?? ?? 48 89 74 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 66 89 74 24 ?? 41 + B8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 + 8B CF FF 15 ?? ?? ?? ?? 48 8B C3 48 8B 9C 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5F 5E + 5D C3 + } + + $drop_ransom_note = { + 48 83 3D ?? ?? ?? ?? ?? 48 0F 43 15 ?? ?? ?? ?? 4C 8B 05 ?? ?? ?? ?? 48 8D 4D ?? E8 + ?? ?? ?? ?? 48 8B D8 4C 89 75 ?? 4C 89 75 ?? 4C 89 75 ?? 45 8D 46 ?? 48 8B D0 48 8D + 4D ?? E8 ?? ?? ?? ?? 4C 89 73 ?? 48 C7 43 ?? ?? ?? ?? ?? 66 44 89 33 BE ?? ?? ?? ?? + 89 75 ?? 83 E6 ?? 89 75 ?? 48 8B 55 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 + 8B 4D ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 + C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 75 ?? 48 C7 45 ?? ?? ?? ?? + ?? 66 44 89 75 ?? 48 8D 4D ?? 48 83 7D ?? ?? 48 0F 43 4D ?? 4C 89 74 24 ?? C7 44 24 + ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 45 33 C9 45 33 C0 BA ?? ?? ?? ?? FF 15 ?? ?? + ?? ?? 
48 8B D8 48 83 F8 ?? 74 ?? 4C 89 74 24 ?? 45 33 C9 41 B8 ?? ?? ?? ?? 48 8D 15 + ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 83 E6 ?? 89 75 ?? + 48 8B 55 ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 4D ?? 48 8B C1 48 81 FA + ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 75 ?? 48 C7 45 ?? ?? ?? ?? ?? 66 44 89 75 ?? 48 8B 57 + ?? 48 83 FA ?? 72 ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 0F 48 81 FA ?? ?? ?? ?? 72 ?? 48 + 83 C2 ?? 4C 8B 41 ?? 49 2B C8 48 8D 41 ?? 48 83 F8 ?? 77 ?? 49 8B C8 E8 ?? ?? ?? ?? + 4C 89 77 ?? 48 C7 47 ?? ?? ?? ?? ?? 66 44 89 37 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? + 49 8B 73 ?? 49 8B 7B + } + + $encrypt_files_v2_p1 = { + BA ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 75 ?? 48 8D 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 90 48 8D 05 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 + 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 85 C9 0F 84 ?? ?? ?? ?? 49 8B FA 49 8B D1 4D 85 D2 + 74 ?? 4C 8B C1 4D 2B C1 0F B7 02 66 41 39 04 10 75 ?? 48 83 C2 ?? 48 83 EF ?? 75 ?? + 49 2B CB 48 D1 F9 E9 ?? ?? ?? ?? 48 83 C1 ?? E9 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 + 8B CB FF 15 ?? ?? ?? ?? 85 C0 75 ?? 48 8B CB FF 15 ?? ?? ?? ?? 90 48 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 90 48 8D 05 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 8B BD ?? ?? ?? ?? B2 ?? 48 8D 4C 24 ?? E8 ?? + ?? ?? ?? B2 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 0B 00 F3 0F 7F 45 ?? + 48 89 75 ?? 48 89 75 ?? 48 8D 45 ?? 48 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 ?? + C6 45 ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 45 ?? 48 C7 45 ?? ?? ?? ?? ?? C6 45 + ?? ?? 48 8D 45 ?? 83 E0 ?? 48 8D 44 05 ?? 48 89 45 ?? 89 75 ?? C7 45 ?? ?? ?? ?? ?? + 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 05 ?? + ?? ?? ?? 48 89 44 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 + 44 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 05 ?? 
?? ?? ?? 48 89 44 24 ?? 48 + 8D 05 ?? ?? ?? ?? 48 89 45 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 + C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C + 8B E8 48 89 44 24 ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? + ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B F8 48 89 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 49 + } + + $encrypt_files_v2_p2 = { + 8B D5 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8B D7 48 8D 0D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 4C 8B CF 41 B8 ?? ?? ?? ?? 49 8B D5 + 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 49 8B D5 48 8B 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 83 C1 ?? 41 B8 ?? ?? ?? ?? 48 8B D7 E8 ?? ?? ?? ?? + BF ?? ?? ?? ?? 4C 3B FF 0F 8D ?? ?? ?? ?? F2 0F 10 35 ?? ?? ?? ?? 48 8B FE 49 8B C7 + 48 2B C7 48 99 83 E2 ?? 48 03 C2 48 C1 F8 ?? 4C 8B F0 F2 0F 59 35 ?? ?? ?? ?? 0F 57 + C0 F2 48 0F 2A C0 F2 0F 59 F0 F2 48 0F 2C CE 48 85 C9 0F 85 ?? ?? ?? ?? 4D 85 FF 0F + 8E ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 ?? 48 8D 54 24 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? + 90 48 8D 35 ?? ?? ?? ?? 48 89 75 ?? 4C 8D 35 ?? ?? ?? ?? 4C 89 75 ?? 48 8D 05 ?? ?? + ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 + ?? 4D 8B CF 45 33 C0 48 8B D3 48 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 49 + 81 FF ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? F2 0F 10 35 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 + ?? 48 8D 54 24 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 90 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 + 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 ?? 4C 8B CF 45 33 C0 48 8B D3 49 8B CE + E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 99 48 F7 F9 4C 8B E8 48 85 C0 75 ?? 48 8D 45 ?? 48 + } + + $encrypt_files_v2_p3 = { + 89 44 24 ?? 48 8D 54 24 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 90 48 8D 35 ?? ?? ?? ?? 48 89 + 75 ?? 4C 8D 35 ?? ?? ?? ?? 4C 89 75 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? + ?? ?? ?? 
48 89 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 ?? 4D 8B CF 45 33 C0 48 8B D3
+ 48 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 8B 6C 24 ?? E9 ?? ?? ?? ?? 4D 85 F6 0F 8E ??
+ ?? ?? ?? 4D 8B FD 49 C1 E7 ?? 4C 8B A5 ?? ?? ?? ?? 90 48 8D 45 ?? 48 89 44 24 ?? 48
+ 8D 54 24 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 90 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05
+ ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89
+ 85 ?? ?? ?? ?? 48 8D 45 ?? 48 89 44 24 ?? 41 B9 ?? ?? ?? ?? 4C 8B C7 48 8B D3 49 8B
+ CC E8 ?? ?? ?? ?? 49 03 F5 49 03 FF 49 3B F6 7C ?? 4C 8B A5 ?? ?? ?? ?? 4C 8B 6C 24
+ ?? 48 8D 35 ?? ?? ?? ?? 4C 8D 35 ?? ?? ?? ?? 4C 8D 8D ?? ?? ?? ?? 4C 8B C3 48 8B 95
+ ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 4D 8B C4
+ 48 8D 95 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B 95 ?? ?? ?? ?? 48
+ 85 D2 74 ?? 48 8B FA 33 C0 B9 ?? ?? ?? ?? F3 AA 48 8B CA E8 ?? ?? ?? ?? 90 4D 85 ED
+ 74 ?? 49 8B FD 33 C0 B9 ?? ?? ?? ?? F3 AA 49 8B CD E8 ?? ?? ?? ?? 90 48 89 74 24 ??
+ 4C 89 74 24
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ (
+ (
+ $find_files
+ ) and
+ (
+ all of ($find_system_volumes_v1_p*)
+ ) and
+ (
+ all of ($set_default_icon_p*)
+ ) and
+ (
+ $cmd_prompt
+ ) and
+ (
+ $exclude_from_encryption
+ ) and
+ (
+ $encrypt_files_v1
+ )
+ ) or
+ (
+ (
+ $find_files
+ ) and
+ (
+ $cmd_prompt
+ ) and
+ (
+ $find_system_volumes_v2
+ ) and
+ (
+ $drop_ransom_note
+ ) and
+ (
+ all of ($encrypt_files_v2_p*)
+ )
+ )
+ )
+}
\ No newline at end of file
diff --git a/yara/ransomware/Win64.Ransomware.Cactus.yara b/yara/ransomware/Win64.Ransomware.Cactus.yara
new file mode 100644
index 0000000..1bd6c34
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.Cactus.yara
@@ -0,0 +1,190 @@
+rule Win64_Ransomware_Cactus : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "CACTUS"
+ description = "Yara rule that detects Cactus ransomware."
+
+ tc_detection_type = "Ransomware"
+ tc_detection_name = "Cactus"
+ tc_detection_factor = 5
+
+ strings:
+
+ $encrypt_files_p1 = {
+ 55 41 57 41 56 41 55 41 54 56 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 29 C4 48 8D AC 24
+ ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? C7 85 ??
+ ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8
+ ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ??
+ ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ??
+ ?? ?? ?? 48 98 48 89 C1 E8 ?? ?? ?? ?? 48 89 45 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48
+ 89 85 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C1 4C 8D 4D
+ ?? 4C 8D 45 ?? 48 8B 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48
+ 89 54 24 ?? 48 8B 95 ?? ?? ?? ?? 48 89 54 24 ?? 48 89 CA 48 89 C1 E8 ?? ?? ?? ?? 48
+ 8D 45 ?? 48 8B 95 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45
+ ?? 48 8B 95 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48
+ 89 C1 E8 ?? ?? ?? ?? 48 89 C3 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DA
+ 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA
+ ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 C2
+ 48 8D 85 ?? ?? ?? ?? 41 89 D8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 41 B8 ??
+ ?? ?? ?? BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 8B 45 ?? 4C 63 C0 48 8B 45 ?? 48 8D
+ }
+
+ $encrypt_files_p2 = {
+ 95 ?? ?? ?? ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 8B 85 ??
+ ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8D 85 ?? ??
?? + ?? 48 83 C0 ?? BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 95 + ?? ?? ?? ?? 48 8D 4A ?? 41 B8 ?? ?? ?? ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? + ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? + ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 ?? + ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 29 + C2 48 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 98 48 39 85 ?? ?? ?? ?? 0F 8D ?? ?? ?? + ?? 48 89 E0 48 89 C6 48 8B 85 ?? ?? ?? ?? 48 8D 50 ?? 48 85 C0 48 0F 48 C2 48 C1 F8 + ?? 48 C1 E0 ?? 48 89 85 ?? ?? ?? ?? 48 8B 9D ?? ?? ?? ?? 48 8D 43 ?? 48 89 85 ?? ?? + ?? ?? 48 89 D8 49 89 C4 41 BD ?? ?? ?? ?? 48 89 D8 49 89 C6 41 BF ?? ?? ?? ?? 48 89 + D8 48 83 C0 ?? 48 C1 E8 ?? 48 C1 E0 ?? E8 ?? ?? ?? ?? 48 29 C4 48 8D 44 24 ?? 48 83 + C0 ?? 48 89 85 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 8D 85 ?? ?? + ?? ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 41 89 D9 4C 8B 85 ?? ?? ?? ?? 48 89 E9 48 8D + 55 ?? 48 8B 85 ?? ?? ?? ?? 44 89 4C 24 ?? 4D 89 C1 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? + 48 8B 85 ?? ?? ?? ?? F7 D8 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 63 D0 48 8D 85 ?? + ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 8B 45 ?? 4C 63 C0 48 8D 45 ?? 48 + 8D 95 ?? ?? ?? ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 2B 85 + ?? ?? ?? ?? 48 89 C2 48 8D 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 + } + + $encrypt_files_p3 = { + 48 89 DA 48 8B 85 ?? ?? ?? ?? 48 01 D0 48 89 85 ?? ?? ?? ?? 90 48 89 F4 E9 ?? ?? ?? + ?? 8B 85 ?? ?? ?? ?? 48 63 C8 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 49 89 C8 48 + 89 C1 E8 ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? 48 89 E9 48 8D 55 ?? 48 8B 85 ?? ?? ?? ?? + C7 44 24 ?? ?? ?? ?? ?? 4D 89 C1 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + F7 D8 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 63 D0 48 8D 85 ?? ?? ?? ?? 41 B8 ?? ?? + ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 8B 45 ?? 4C 63 C0 48 8D 45 ?? 48 8D 95 ?? ?? ?? ?? 
48 + 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 05 ?? ?? ?? ?? 48 89 85 ?? + ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 83 F0 ?? 84 + C0 0F 85 ?? ?? ?? ?? 8B 45 ?? 48 98 48 8D 55 ?? 48 01 C2 48 89 E9 48 8B 85 ?? ?? ?? + ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 8B 45 ?? 4C 63 C0 48 8D 45 ?? 48 8D 95 ?? ?? ?? + ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 8B 45 ?? 4C 63 C0 48 8B 45 ?? 48 8D 95 ?? ?? + ?? ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? + 48 8D 95 ?? ?? ?? ?? 48 8D 4A ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 83 + C0 ?? BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? + ?? 48 8D 4A ?? 41 B8 ?? ?? ?? ?? 48 89 C2 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 + } + + $encrypt_files_p4 = { + C1 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 + E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 41 B8 + ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 89 + C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 84 DB 74 ?? 48 8D 45 ?? 48 89 C1 E8 + ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? + 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DA 48 89 C1 48 8B 05 ?? ?? ?? ?? + FF D0 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D + 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 F4 48 89 C3 EB ?? 48 89 C3 48 8D + 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? + ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? + ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 90 48 8D A5 ?? ?? + ?? ?? 5B 5E 41 5C 41 5D 41 5E 41 5F 5D C3 + } + + $find_files_p1 = { + 55 56 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 29 C4 48 8D AC 24 ?? ?? ?? ?? 48 89 8D ?? + ?? ?? ?? 48 8D 45 ?? BB ?? ?? ?? ?? 48 89 C6 EB ?? 48 89 F1 E8 ?? ?? ?? ?? 
48 83 EB + ?? 48 83 C6 ?? 48 85 DB 79 ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 85 C0 + 0F 95 C0 84 C0 74 ?? 48 8B 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? + ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? + ?? ?? ?? E9 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 0F 8E ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? + 84 C0 74 ?? 48 8D 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 + ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? + ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? + ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + E9 ?? ?? ?? ?? 0F B6 05 ?? ?? ?? ?? 84 C0 74 ?? 48 8D 45 ?? 8B 95 ?? ?? ?? ?? 48 63 + D2 48 C1 E2 ?? 48 01 C2 48 8D 85 ?? ?? ?? ?? 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 + E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 + } + + $find_files_p2 = { + 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 8B 95 ?? ?? ?? ?? 48 63 D2 48 C1 E2 ?? 48 01 C2 48 + 8D 85 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D + 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? + 83 85 ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 3B 85 ?? ?? ?? ?? 0F 8C ?? ?? ?? ?? C6 05 ?? + ?? ?? ?? ?? 48 8D 5D ?? 48 81 C3 ?? ?? ?? ?? 48 8D 45 ?? 48 39 C3 74 ?? 48 83 EB ?? + 48 89 D9 E8 ?? ?? ?? ?? EB ?? 90 E9 ?? ?? ?? ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 + C1 E8 ?? ?? ?? ?? 48 89 DE EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? + ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DE EB ?? 48 89 + C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DE EB ?? 48 89 C3 48 8D 85 ?? + ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DE EB ?? 48 89 C6 48 8D 5D ?? 48 81 C3 ?? ?? + ?? ?? 48 8D 45 ?? 48 39 C3 74 ?? 48 83 EB ?? 48 89 D9 E8 ?? ?? ?? ?? 
EB ?? 90 48 89 + F0 48 89 C1 E8 ?? ?? ?? ?? 90 48 81 C4 ?? ?? ?? ?? 5B 5E 5D C3 + } + + $check_processes = { + 55 53 48 83 EC ?? 48 8D 6C 24 ?? 48 89 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? + ?? EB ?? 8B 45 ?? 48 98 48 8D 14 C5 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 8B 1C 02 48 + 8B 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 DA 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 85 + C0 0F 95 C0 84 C0 74 ?? B8 ?? ?? ?? ?? EB ?? 83 45 ?? ?? 8B 45 ?? 3B 45 ?? 7C ?? B8 + ?? ?? ?? ?? 48 83 C4 ?? 5B 5D C3 + } + + $kill_file_processes_p1 = { + 55 56 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? C6 85 ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 66 0F EF C0 + 0F 11 45 ?? F3 0F 6F 4D ?? 0F 11 8D ?? ?? ?? ?? F3 0F 6F 55 ?? 0F 11 95 ?? ?? ?? ?? + F3 0F 6F 5D ?? 0F 11 9D ?? ?? ?? ?? F3 0F 6F 65 ?? 0F 11 A5 ?? ?? ?? ?? 0F B7 45 ?? + 66 89 85 ?? ?? 00 00 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 49 89 D0 BA ?? ?? ?? + ?? 48 89 C1 E8 ?? ?? ?? ?? 85 C0 0F 94 C0 84 C0 0F 84 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? + 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 41 B9 + ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 85 C0 0F 94 C0 + 84 C0 0F 84 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 4C + 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 89 4C 24 ?? 41 B9 ?? + ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 75 ?? + 8B 85 ?? ?? ?? ?? 85 C0 75 ?? 8B 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 C0 48 69 F0 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF + D0 49 89 F0 BA ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 89 85 ?? ?? ?? ?? + 48 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? + E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 4C 8B 8D ?? ?? + ?? ?? 
4C 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 89 4C 24 + } + + $kill_file_processes_p2 = { + 89 C1 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? 8B 85 ?? ?? ?? ?? + 85 C0 75 ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 8B 95 ?? ?? ?? ?? 49 89 D0 BA ?? ?? ?? ?? + 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 8B 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? BB ?? ?? + ?? ?? E9 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 + 89 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 + 98 48 69 D0 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 01 D0 8B 00 39 85 ?? ?? ?? ?? 75 ?? + 48 8B 05 ?? ?? ?? ?? FF D0 48 8B 95 ?? ?? ?? ?? 49 89 D0 BA ?? ?? ?? ?? 48 89 C1 48 + 8B 05 ?? ?? ?? ?? FF D0 8B 85 ?? ?? ?? ?? 89 C1 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? E9 ?? + ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 98 48 69 D0 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 01 D0 + 8B 00 41 89 C0 BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 89 85 ?? + ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 8D 55 ?? 48 8B 85 ?? ?? ?? ?? + 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? + ?? ?? ?? FF D0 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 + 8D 55 ?? 48 8D 45 ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 + E8 ?? ?? ?? ?? 48 8D 45 ?? 49 C7 C0 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? + ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 83 C0 ?? 48 63 C8 48 8D 45 ?? 48 8D 55 + ?? 49 C7 C1 ?? ?? ?? ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 55 ?? 48 8D 85 ?? ?? + ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $check_processes + ) and + ( + all of ($kill_file_processes_p*) + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win64.Ransomware.Curator.yara b/yara/ransomware/Win64.Ransomware.Curator.yara
new file mode 100644
index 0000000..aa39e95
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.Curator.yara
@@ -0,0 +1,94 @@ +rule Win64_Ransomware_Curator : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CURATOR" + description = "Yara rule that detects Curator ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Curator" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 44 8B CB C7 44 24 ?? ?? ?? ?? ?? 45 33 C0 48 8D 8D ?? ?? ?? ?? 33 D2 FF 15 ?? ?? ?? + ?? 48 8B BD ?? ?? ?? ?? 4C 8D 35 ?? ?? ?? ?? 48 85 FF 0F 84 ?? ?? ?? ?? 48 8B 0D ?? + ?? ?? ?? 41 8B DC 48 81 C1 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 7E ?? 45 33 F6 48 8B + 05 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? BA ?? ?? ?? ?? 41 0F BE 8C 06 ?? ?? ?? ?? 45 0F + BE 8C 06 ?? ?? ?? ?? 89 4C 24 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 48 8D 8D + ?? ?? ?? ?? 44 8D 42 ?? E8 ?? ?? ?? ?? 8B CB 4D 8D 76 ?? FF C3 41 83 C4 ?? 88 84 0D + ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 81 C1 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 44 3B E0 7C + ?? 4C 8D 35 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 45 33 E4 48 89 44 24 ?? 48 8D 95 ?? ?? + ?? ?? 45 33 C9 44 89 64 24 ?? 44 8B C3 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 48 8B 1D ?? ?? ?? ?? 48 8D 4C 24 ?? 48 8B 15 ?? ?? ?? ?? 4C 8B C3 E8 ?? ?? ?? + ?? 48 8B 8D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 45 8D 44 24 ?? + 48 89 44 24 ?? 45 33 C9 48 8D 44 24 ?? 89 9D ?? ?? ?? ?? 33 D2 48 89 44 24 ?? FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 41 8B DC 44 39 A5 ?? ?? ?? ?? 76 ?? 8B C3 4C 8D 05 ?? ?? ?? + ?? BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 44 0F B6 4C 04 ?? E8 ?? ?? ?? ?? 48 8D 95 ?? + ?? ?? ?? 49 8B CE FF 15 ?? ?? ?? ?? FF C3 3B 9D ?? ?? ?? ?? 72 ?? 48 8B 8D ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? 33 D2 48 8B CF FF 15 ?? ?? ?? ?? B9 + } + + $encrypt_files_p2 = { + 48 8B C4 48 89 58 ?? 48 89 70 ?? 48 89 78 ?? 55 41 54 41 55 41 56 41 57 48 8D A8 ?? + ?? ?? ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 2B E0 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 + 85 ?? ?? ?? ?? 
45 33 E4 C7 44 24 ?? ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 44 89 25 ?? ?? ?? + ?? 48 8D 95 ?? ?? ?? ?? 44 89 25 ?? ?? ?? ?? 33 C9 44 89 25 ?? ?? ?? ?? 45 8B FC 4C + 89 25 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 63 C8 + 48 8D 85 ?? ?? ?? ?? 48 8D 04 48 48 83 C0 ?? 66 83 38 ?? 75 ?? 66 44 89 20 4C 8D 05 + ?? ?? ?? ?? 48 83 C0 ?? 4C 89 64 24 ?? 48 89 05 ?? ?? ?? ?? 45 33 C9 48 8D 05 ?? ?? + ?? ?? 44 89 64 24 ?? 33 D2 48 89 05 ?? ?? ?? ?? 33 C9 FF 15 ?? ?? ?? ?? 33 D2 33 C9 + 44 8D 42 ?? FF 15 ?? ?? ?? ?? 48 8B F0 48 85 C0 74 ?? 48 8B 1D ?? ?? ?? ?? 48 81 C3 + ?? ?? ?? ?? EB ?? 48 8B CB FF 15 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8B D3 48 8B CE 44 + 8B F0 FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 ?? 4C 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? + 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 41 8D 46 + } + + $find_files = { + 48 89 5C 24 ?? 48 89 7C 24 ?? 55 48 8D AC 24 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 8B + 05 ?? ?? ?? ?? 48 33 C4 48 89 85 ?? ?? ?? ?? 48 8B F9 4C 8D 05 ?? ?? ?? ?? 4C 8B C9 + BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8D 8D ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? + 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 44 24 ?? 4C 8B CF 4C 8D 05 ?? ?? ?? ?? 48 89 44 24 + ?? BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? F6 44 24 ?? ?? 48 8D 8D ?? + ?? ?? ?? 74 ?? 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? EB ?? FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? + ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B 7B ?? 49 8B E3 + 5D C3 + } + + $remote_connection = { + 44 0F B7 45 ?? 33 DB 48 8B 55 ?? 45 33 C9 48 89 5C 24 ?? 48 8B CE 89 5C 24 ?? C7 44 + 24 ?? ?? ?? ?? ?? 48 89 5C 24 ?? FF 15 ?? ?? ?? ?? 4C 8B F0 48 85 C0 0F 84 ?? ?? 
?? + ?? 80 7D ?? ?? B9 ?? ?? ?? ?? 4C 8B 45 ?? B8 ?? ?? ?? ?? 48 8B 55 ?? 0F 44 C8 48 89 + 5C 24 ?? 45 33 C9 89 4C 24 ?? 89 4D ?? 49 8B CE 48 89 5C 24 ?? 48 89 5C 24 ?? FF 15 + ?? ?? ?? ?? 48 8B D8 48 85 C0 0F 84 ?? ?? ?? ?? 83 65 ?? ?? 4C 8D 4D ?? 4C 8D 45 ?? + C7 45 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 81 4D ?? + ?? ?? ?? ?? 4C 8D 45 ?? 41 B9 ?? ?? ?? ?? 48 8B CB 41 8D 51 ?? FF 15 ?? ?? ?? ?? 4C + 8B 4D ?? 48 8B C7 48 F7 D8 48 8B D7 8B 45 ?? 48 8B CB 45 1B C0 89 44 24 ?? FF 15 ?? + ?? ?? ?? 85 C0 74 ?? 33 FF 83 65 ?? ?? 48 8D 55 ?? 45 33 C9 45 33 C0 48 8B CB FF 15 + ?? ?? ?? ?? 85 C0 74 ?? 8B 55 ?? 49 8B CF 03 D7 E8 ?? ?? ?? ?? 44 8B 45 ?? 4C 8D 4D + ?? 8B D7 48 8B CB 48 03 D0 4C 8B F8 FF 15 ?? ?? ?? ?? 8B 45 ?? 03 F8 EB ?? 8B 45 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $remote_connection + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.DST.yara b/yara/ransomware/Win64.Ransomware.DST.yara new file mode 100644 index 0000000..850090d --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.DST.yara 
@@ -0,0 +1,170 @@ +rule Win64_Ransomware_DST : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DST" + description = "Yara rule that detects DST ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "DST" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 4C 8D A4 24 ?? ?? ?? ?? 4D 3B 66 ?? 0F 86 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 89 AC + 24 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? + ?? 48 89 BC 24 ?? ?? ?? ?? 44 0F 11 BC 24 ?? ?? ?? ?? 48 85 DB 0F 84 ?? ?? ?? ?? 48 + 89 9C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? 48 89 4C 24 ?? + 31 C9 31 FF E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 85 DB + 0F 85 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 44 0F 11 BC 24 ?? ?? ?? ?? 48 8D 0D ?? ?? + ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? + ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 0F 1F 00 + E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 31 C0 48 8B 9C 24 ?? ?? ?? ?? 48 8B 8C 24 ?? + ?? ?? ?? 48 8D 3D ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BF ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 85 DB 0F 85 + ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 44 0F 11 BC 24 ?? ?? ?? ?? 48 8D 0D + } + + $encrypt_files_p2 = { + 48 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 8C 24 + ?? ?? ?? ?? 48 89 4C 24 ?? 48 8D 44 24 ?? E8 ?? ?? ?? ?? 90 85 C0 0F 85 ?? ?? ?? ?? + 48 8D 05 ?? ?? ?? ?? BB ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? + BB ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? + ?? 48 85 DB 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? BB ?? ?? ?? ?? 48 89 D9 E8 ?? + ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? 48 85 C9 0F 85 ?? ?? ?? ?? + 48 89 5C 24 ?? 
48 89 84 24 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B 51 ?? 48 8B 84 24 ?? ?? + ?? ?? FF D2 48 8B 0D ?? ?? ?? ?? 83 B9 ?? ?? ?? ?? ?? 75 ?? 48 89 C2 48 C1 E0 ?? 48 + 8D 70 ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 D1 48 F7 EE 48 8D 14 CA 48 8D 52 ?? 48 + } + + $encrypt_files_p3 = { + C1 FA ?? 48 C1 FE ?? 48 29 F2 EB ?? 48 8D 70 ?? 48 89 C1 48 B8 ?? ?? ?? ?? ?? ?? ?? + ?? 48 F7 EE 48 8D 14 0A 48 8D 52 ?? 48 D1 FA 48 C1 FE ?? 48 29 F2 48 C1 E2 ?? 48 8D + 4A ?? 48 89 4C 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 CB E8 ?? ?? ?? ?? 48 89 C3 48 8B 4C + 24 ?? 48 89 CF 48 8B 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 + 8C 24 ?? ?? ?? ?? 48 85 DB 0F 85 ?? ?? ?? ?? 31 C0 48 8B 9C 24 ?? ?? ?? ?? 48 8B 4C + 24 ?? 48 8D 3D ?? ?? ?? ?? BE ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 D9 48 89 C3 48 8B 84 + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 85 + DB 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? BB ?? ?? ?? ?? 48 89 D9 31 FF 48 8B 74 + 24 ?? 4C 8B 84 24 ?? ?? ?? ?? 4C 8D 0D ?? ?? ?? ?? 4C 8B 94 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 66 0F 1F 44 00 ?? 48 85 DB 0F + 85 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 C3 48 8D 0D ?? ?? ?? ?? 48 8B BC 24 ?? + ?? ?? ?? 31 F6 45 31 C0 4D 89 C1 48 8D 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 9C 24 ?? + ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 84 24 + ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 85 C0 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? + ?? 31 DB 31 C9 E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 85 + DB 74 ?? 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC + 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 48 8B 94 24 ?? ?? ?? ?? 48 8B 72 ?? 48 8B 42 + ?? 48 8B 56 ?? 31 DB 31 C9 48 89 CF FF D2 48 8B 15 ?? ?? ?? ?? 48 89 CF 48 89 D9 48 + } + + $encrypt_files_p4 = { + 89 C3 48 89 D0 E8 ?? ?? ?? ?? 48 89 D9 48 89 C3 48 8B 84 24 ?? ?? ?? ?? 0F 1F 40 ?? + E8 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 
90 E8 ?? ?? ?? ?? 48 + 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? + ?? ?? C3 90 0F 1F 40 ?? E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? + ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? + ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 + E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? + ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? + ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 + 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? + C3 90 66 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC + 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 + 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? + ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 + ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 + 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? + ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 90 66 90 + E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? + ?? 48 81 C4 ?? ?? ?? ?? C3 48 89 44 24 ?? 48 89 5C 24 ?? 48 89 4C 24 ?? 48 89 7C 24 + ?? E8 + } + + $find_files_p1 = { + 4C 8D A4 24 ?? ?? ?? ?? 4D 3B 66 ?? 0F 86 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 89 AC + 24 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? + ?? 48 89 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 DB 7E ?? 48 89 5C 24 ?? 31 C9 EB ?? + 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 48 8B 9C 24 ?? ?? ?? ?? 48 8D 43 ?? + 48 89 4C 24 ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 10 48 89 54 24 ?? 48 8B 58 ?? 48 89 5C + 24 ?? 48 8B 72 ?? 48 89 D8 FF D6 48 89 84 24 ?? 
?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 + 8B 8C 24 ?? ?? ?? ?? 48 8D 3D ?? ?? ?? ?? BE ?? ?? ?? ?? 49 89 C0 49 89 D9 31 C0 48 + 8B 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 5C 24 ?? 48 8B 4C 24 ?? 48 + 8B 51 ?? 48 8B 44 24 ?? FF D2 48 89 84 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8D + 4B ?? 66 90 E9 ?? ?? ?? ?? 48 29 CB 48 89 DA 48 F7 DB 48 C1 FB ?? 48 21 D9 48 01 C1 + 48 89 8C 24 ?? ?? ?? ?? 48 89 94 24 ?? ?? ?? ?? EB ?? 31 D2 31 C9 48 89 C8 48 89 D3 + E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? + 48 8B 3D ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 66 90 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8D BC + 24 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? 0F 1F 84 00 ?? ?? ?? ?? 48 89 6C 24 ?? 48 8D 6C + } + + $find_files_p2 = { + 24 ?? E8 ?? ?? ?? ?? 48 8B 6D ?? 48 8D 84 24 ?? ?? ?? ?? 31 C9 0F 1F 00 E9 ?? ?? ?? + ?? 48 8B 4C 24 ?? 48 8B 49 ?? 48 8B 44 24 ?? FF D1 84 C0 74 ?? 48 8B 44 24 ?? 48 8B + 5C 24 ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 FF C1 48 8B 54 24 + ?? 0F 1F 00 48 39 CA 0F 8F ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 FF C9 48 85 C9 0F 8C ?? ?? + ?? ?? 0F B6 14 08 66 90 80 FA ?? 0F 84 ?? ?? ?? ?? 80 FA ?? 0F 84 ?? ?? ?? ?? 80 FA + ?? 75 ?? E9 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8D 42 ?? 48 89 4C 24 ?? 48 89 84 + 24 ?? ?? ?? ?? 48 8B 10 48 89 54 24 ?? 48 8B 70 ?? 48 89 74 24 ?? 48 8B 5C 24 ?? 48 + 8B 44 24 ?? E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8B 44 + 24 ?? 48 8B 5C 24 ?? E8 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? + 48 89 DF 48 89 D3 48 89 C2 48 89 C8 48 89 D1 E8 ?? ?? ?? ?? 0F 1F 84 00 ?? ?? ?? ?? + 48 85 C0 0F 8D ?? ?? ?? ?? 48 8B 4C 24 ?? 48 FF C1 48 83 F9 ?? 0F 8C ?? ?? ?? ?? 48 + 8B 4C 24 ?? 48 89 8C 24 ?? ?? ?? ?? 48 8B 54 24 ?? 48 89 94 24 ?? ?? ?? ?? 48 8B 84 + 24 ?? ?? ?? ?? 48 8D 9C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 89 44 24 ?? + 48 89 5C 24 ?? 48 89 4C 24 ?? 66 90 E8 + } + + $kill_procs_p1 = { + 4C 8D A4 24 ?? ?? ?? ?? 4D 3B 66 ?? 0F 86 ?? ?? ?? ?? 
48 81 EC ?? ?? ?? ?? 48 89 AC + 24 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 90 E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 + 89 5C 24 ?? 31 C9 66 90 EB ?? 48 8B 54 24 ?? 48 8D 4A ?? 48 8B 84 24 ?? ?? ?? ?? 48 + 8B 5C 24 ?? 0F 1F 84 00 ?? ?? ?? ?? 48 39 CB 0F 8E ?? ?? ?? ?? 48 89 4C 24 ?? 48 C1 + E1 ?? 48 8B 1C 08 48 89 5C 24 ?? 48 8B 4C 08 ?? 48 89 4C 24 ?? 48 8B 73 ?? 48 89 C8 + FF D6 48 89 1D ?? ?? ?? ?? 83 3D ?? ?? ?? ?? ?? 75 ?? 48 89 05 ?? ?? ?? ?? EB ?? 48 + 8D 3D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B 49 ?? 48 8B 44 24 ?? FF D1 48 + 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 8B + 3D ?? ?? ?? ?? 48 89 C3 48 8D 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 + 89 08 48 8D BC 24 ?? ?? ?? ?? 48 8D 35 ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 48 A5 48 8D BC + 24 ?? ?? ?? ?? 48 8D 7F ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? E8 ?? ?? ?? ?? 48 8B 6D ?? + 48 8D 05 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + EB ?? 48 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? C3 48 8D 84 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? 66 0F 1F 84 00 ?? ?? 00 00 48 85 C9 0F 84 ?? ?? ?? + ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 12 48 89 54 24 ?? 48 8B 01 48 89 44 24 ?? 48 8B 59 + ?? 48 89 5C 24 ?? 48 8D 8C 24 ?? ?? ?? ?? 31 F6 EB ?? 48 8B 94 24 ?? ?? ?? ?? 48 83 + } + + $kill_procs_p2 = { + C2 ?? 48 8B 44 24 ?? 48 8B 5C 24 ?? 48 89 CE 48 89 D1 48 89 74 24 ?? 48 89 8C 24 ?? + ?? ?? ?? 48 8B 11 48 89 54 24 ?? 48 8B 79 ?? 48 89 7C 24 ?? E8 ?? ?? ?? ?? 48 8B 4C + 24 ?? 48 8B 7C 24 ?? 90 E8 ?? ?? ?? ?? 48 85 C0 0F 8C ?? ?? ?? ?? 48 8B 44 24 ?? BB + ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 C7 48 89 DE 31 C0 48 8D 1D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 44 0F 11 39 48 8D 94 24 ?? ?? ?? ?? 44 0F + 11 3A 48 8D 15 ?? ?? ?? ?? 48 89 94 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? + ?? 48 89 84 24 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? BB ?? ?? ?? + ?? BF ?? ?? ?? ?? 48 89 FE E8 ?? ?? ?? ?? 
48 89 44 24 ?? 44 0F 11 BC 24 ?? ?? ?? ?? + 48 8D 0D ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 1D ?? ?? + ?? ?? BF ?? ?? ?? ?? 48 89 FE 48 8D 05 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 8B 44 24 ?? 90 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 FF C1 48 83 F9 ?? 0F 8C ?? + ?? ?? ?? E9 ?? ?? ?? ?? 0F 1F 40 ?? E8 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($kill_procs_p*) + ) and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.HermeticRansom.yara b/yara/ransomware/Win64.Ransomware.HermeticRansom.yara new file mode 100644 index 0000000..d6d7290 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.HermeticRansom.yara 
@@ -0,0 +1,105 @@ +rule Win64_Ransomware_HermeticRansom : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HERMETICRANSOM" + description = "Yara rule that detects HermeticRansom ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HermeticRansom" + tc_detection_factor = 5 + + strings: + + $drop_ransom_note = { + 65 48 8B 0C 25 ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 48 3B 41 ?? + 0F 86 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 89 AC 24 ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 0F 10 04 24 0F 11 44 24 ?? 0F 10 44 24 ?? 0F 11 44 24 ?? 0F 10 44 + 24 ?? 0F 11 04 24 E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 8D BC 24 ?? ?? ?? + ?? 48 8D 35 ?? ?? ?? ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? E8 ?? ?? ?? ?? 48 8B 6D ?? 48 + 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? + ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8B 0D ?? + ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 C7 04 24 ?? ?? ?? ?? 48 + 8D 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B 4C 24 ?? 48 89 8C 24 ?? ?? + ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 14 24 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 + 8B 44 24 ?? 48 8B 4C 24 ?? 48 8D 94 24 ?? ?? ?? ?? 48 89 14 24 48 89 4C 24 ?? 48 89 + 44 24 ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? + ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 C7 04 24 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 4C 24 + ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 + 8B 44 24 ?? 48 8B 4C 24 ?? 48 89 0C 24 48 89 44 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 4C + 24 ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 44 24 ?? C7 04 24 ?? ?? ?? ?? 48 8D 15 ?? 
?? ?? + ?? 48 89 54 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 + } + + $encrypt_files_p1 = { + E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 84 24 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 89 8C 24 ?? + ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 14 24 + 48 89 74 24 ?? 48 89 5C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 89 54 24 ?? 48 C7 44 24 ?? ?? + ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? 48 89 5C 24 ?? 48 89 54 24 ?? E8 + ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 8B 9C 24 ?? ?? ?? ?? 48 + 85 DB 0F 85 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 4C 24 ?? 48 89 94 24 ?? ?? ?? ?? 48 8D + 05 ?? ?? ?? ?? 48 89 04 24 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 04 24 48 8B 44 24 ?? 48 89 C1 48 C1 F8 ?? 48 + C1 E8 ?? 48 01 C8 48 C1 F8 ?? 48 89 84 24 ?? ?? ?? ?? 48 C1 E0 ?? 48 29 C1 48 89 4C + 24 ?? 48 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 89 04 24 0F 57 C0 0F + 11 44 24 ?? E8 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 83 F8 ?? 7E ?? B8 ?? ?? ?? ?? + 48 89 84 24 ?? ?? ?? ?? 31 C9 EB ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? + 48 39 C1 0F 8D ?? ?? ?? ?? 48 89 CA 48 C1 E1 ?? 48 FF C2 48 89 D3 48 C1 E2 ?? 48 39 + D1 0F 87 ?? ?? ?? ?? 48 8B 74 24 ?? 48 39 F2 0F 87 ?? ?? ?? ?? 48 89 9C 24 ?? ?? ?? + ?? 48 8B 05 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? 48 8B 3D ?? ?? ?? ?? 48 89 3C 24 48 89 + } + + $encrypt_files_p2 = { + 5C 24 ?? 48 89 44 24 ?? 48 29 CE 48 89 F3 48 F7 DE 48 C1 FE ?? 48 21 CE 48 8B BC 24 + ?? ?? ?? ?? 48 01 FE 48 89 74 24 ?? 48 29 CA 48 89 54 24 ?? 48 89 5C 24 ?? E8 ?? ?? + ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 8B 54 24 ?? 48 8B 5C 24 ?? 48 85 DB 0F 85 ?? + ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 89 1C 24 48 89 44 24 ?? 48 89 4C 24 ?? 48 89 54 + 24 ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 83 F8 ?? 0F 8D ?? ?? ?? ?? 48 C1 E0 ?? 48 8B + 4C 24 ?? 48 39 C8 0F 87 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? 48 8B + 35 ?? ?? ?? ?? 
48 89 14 24 48 89 5C 24 ?? 48 89 74 24 ?? 48 8B 54 24 ?? 48 29 C2 48 + 89 D3 48 F7 DA 48 C1 FA ?? 48 21 C2 48 8B B4 24 ?? ?? ?? ?? 48 01 F2 48 89 54 24 ?? + 48 29 C1 48 89 4C 24 ?? 48 89 5C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? + 48 8B 54 24 ?? 48 8B 5C 24 ?? 48 85 DB 74 ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 8C 24 ?? + ?? ?? ?? 48 89 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? 48 + 81 C4 ?? ?? ?? ?? C3 48 8B 9C 24 ?? ?? ?? ?? 48 89 1C 24 48 89 44 24 ?? 48 89 4C 24 + ?? 48 89 54 24 ?? E8 ?? ?? ?? ?? 48 8B 84 24 + } + + $find_files = { + 65 48 8B 0C 25 ?? ?? ?? ?? 48 8B 89 ?? ?? ?? ?? 48 3B 61 ?? 0F 86 ?? ?? ?? ?? 48 83 + EC ?? 48 89 6C 24 ?? 48 8D 6C 24 ?? 48 C7 04 24 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? + 48 89 44 24 ?? 48 8B 8C 24 ?? ?? ?? ?? 48 89 4C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 89 54 + 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? 48 89 54 + 24 ?? 48 89 5C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 89 54 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? + E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B 4C 24 ?? 48 89 4C 24 ?? 48 8B 94 + 24 ?? ?? ?? ?? 48 89 14 24 48 8B 9C 24 ?? ?? ?? ?? 48 89 5C 24 ?? 48 89 44 24 ?? 48 + 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 85 C0 0F 84 ?? ?? ?? ?? 48 8B 84 24 ?? + ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? 48 89 04 24 48 89 4C 24 ?? 48 C7 44 24 ?? ?? ?? ?? + ?? C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 85 C9 75 + ?? 48 89 44 24 ?? 48 89 04 24 E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 85 C0 74 ?? 48 8B 44 + 24 ?? 48 89 04 24 E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 48 8B 6C 24 ?? 48 83 C4 ?? + C3 48 8B 44 24 ?? 48 89 04 24 E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 48 8B 6C 24 ?? + 48 83 C4 ?? C3 48 89 04 24 E8 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? ?? 48 8B 6C 24 ?? 48 + 83 C4 ?? C3 48 8B 44 24 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win64.Ransomware.HotCoffee.yara b/yara/ransomware/Win64.Ransomware.HotCoffee.yara
new file mode 100644
index 0000000..7b08d5f
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.HotCoffee.yara
@@ -0,0 +1,111 @@ +rule Win64_Ransomware_HotCoffee : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HOTCOFFEE" + description = "Yara rule that detects HotCoffee ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "HotCoffee" + tc_detection_factor = 5 + + strings: + + $find_files = { + 48 85 C9 74 ?? B8 ?? ?? ?? ?? 48 2B C1 48 85 C9 48 0F 44 C6 BA ?? ?? ?? ?? 48 2B D0 + 48 8D 8D ?? ?? ?? ?? 48 8D 0C 41 74 ?? 48 05 ?? ?? ?? ?? 48 03 C2 4C 8D 0D ?? ?? ?? + ?? 4C 2B C9 0F 1F 44 00 ?? 48 85 C0 74 ?? 45 0F B7 04 09 66 45 85 C0 74 ?? 66 44 89 + 01 48 83 C1 ?? 48 FF C8 48 83 EA ?? 75 ?? 48 8D 41 ?? 48 85 D2 48 0F 45 C1 66 89 30 + 48 8D 95 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 48 0F 43 95 ?? ?? ?? ?? 48 8D 44 24 ?? + 48 89 44 24 ?? 41 B8 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 4C 8B 44 24 ?? BA ?? + ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 44 24 ?? 48 8B 4C 24 ?? 48 3B + C8 74 ?? FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 66 39 30 74 ?? 48 83 + C0 ?? 48 83 E9 ?? 75 ?? 48 85 C9 74 ?? B8 ?? ?? ?? ?? 48 2B C1 48 85 C9 48 0F 44 C6 + BA ?? ?? ?? ?? 48 2B D0 48 8D 8D ?? ?? ?? ?? 48 8D 0C 41 74 ?? 48 05 ?? ?? ?? ?? 48 + 03 C2 4C 8D 0D ?? ?? ?? ?? 4C 2B C9 48 85 C0 74 ?? 45 0F B7 04 09 66 45 85 C0 74 ?? + 66 44 89 01 48 83 C1 ?? 48 FF C8 48 83 EA ?? 75 ?? 48 8D 41 ?? 48 85 D2 48 0F 45 C1 + 66 89 30 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B E0 48 89 + 44 24 ?? 48 83 F8 ?? 75 ?? 48 8B 95 ?? ?? ?? ?? 48 83 FA ?? 72 ?? 48 FF C2 48 8B 8D + ?? ?? ?? ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 + 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 + } + + $encrypt_files_p1 = { + B9 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 90 66 83 38 ?? 74 ?? 48 83 C0 ?? 48 83 E9 ?? 75 + ?? 48 85 C9 74 ?? 41 B8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 4C 2B C1 BA ?? ?? ?? ?? 
48 + 85 C9 4C 0F 44 C3 4A 8D 04 40 49 2B D0 74 ?? 49 8D 88 ?? ?? ?? ?? 48 03 CA 4C 8D 0D + ?? ?? ?? ?? 4C 2B C8 66 90 48 85 C9 74 ?? 45 0F B7 04 01 66 45 85 C0 74 ?? 66 44 89 + 00 48 FF C9 48 83 C0 ?? 48 83 EA ?? 75 ?? 48 85 D2 48 8D 48 ?? 48 0F 45 C8 66 89 19 + 48 89 5C 24 ?? 45 33 C9 C7 44 24 ?? ?? ?? ?? ?? 44 8B C7 8B D7 C7 44 24 ?? ?? ?? ?? + ?? 49 8B CC FF 15 ?? ?? ?? ?? 45 33 C9 48 89 5C 24 ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D + 8D ?? ?? ?? ?? 44 8B C7 C7 44 24 ?? ?? ?? ?? ?? 48 8B F0 41 8D 51 ?? FF 15 ?? ?? ?? + ?? 41 B9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 33 D2 48 8D 0D ?? + ?? ?? ?? 4C 8B F0 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 41 B9 ?? + ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 33 D2 48 8D 0D ?? ?? ?? ?? FF + 15 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 45 33 C9 48 89 44 24 ?? 45 + } + + $encrypt_files_p2 = { + 33 C0 BA ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B + 15 ?? ?? ?? ?? 45 33 C9 48 8B 8D ?? ?? ?? ?? 44 8B C0 FF 15 ?? ?? ?? ?? 4C 8B 85 ?? + ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 44 8B CF BA ?? ?? ?? ?? 48 89 44 + 24 ?? FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 32 DB 41 BD ?? ?? ?? ?? 48 + 8B F8 66 66 66 0F 1F 84 00 ?? ?? 00 00 4C 8D 8D ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? + ?? 41 B8 ?? ?? ?? ?? 48 8B D7 48 8B CE FF 15 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? + ?? 48 8D 85 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 44 24 ?? + 0F B6 DB 41 0F 42 DD 48 89 7C 24 ?? 44 0F B6 C3 45 33 C9 33 D2 FF 15 ?? ?? ?? ?? 44 + 8B 85 ?? ?? ?? ?? 4C 8D 8D ?? ?? ?? ?? 48 8B D7 48 C7 44 24 ?? ?? ?? ?? ?? 49 8B CE + FF 15 ?? ?? ?? ?? 84 DB 0F 84 ?? ?? ?? ?? 4C 8B 6C 24 ?? 48 85 F6 74 ?? 48 8B CE FF + 15 ?? ?? ?? ?? 4D 85 F6 + } + + $drop_ransom_note = { + 48 85 C9 74 ?? B8 ?? ?? ?? ?? 48 2B C1 48 85 C9 49 0F 44 C6 BA ?? ?? ?? ?? 48 2B D0 + 48 8D 8D ?? ?? ?? ?? 48 8D 0C 41 74 ?? 48 05 ?? ?? ?? ?? 48 03 C2 4C 8D 0D ?? ?? ?? + ?? 
4C 2B C9 66 90 48 85 C0 74 ?? 46 0F B7 04 09 66 45 85 C0 74 ?? 66 44 89 01 48 83 + C1 ?? 48 FF C8 48 83 EA ?? 75 ?? 48 8D 41 ?? 48 85 D2 48 0F 45 C1 66 44 89 30 4C 89 + 74 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 45 33 C9 45 33 C0 BA ?? ?? + ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 49 C7 C0 ?? ?? ?? ?? 49 FF C0 + 46 38 34 06 75 ?? 4C 89 74 24 ?? 4C 8D 8D ?? ?? ?? ?? 48 8B D6 48 8B CB FF 15 ?? ?? + ?? ?? 48 85 DB 74 ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CE E8 ?? ?? ?? ?? 90 48 8B 95 + ?? ?? ?? ?? 48 83 FA ?? 72 ?? 48 FF C2 48 8B 4D ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 + ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 33 F6 48 89 B5 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 40 88 75 ?? 48 + 8B 95 ?? ?? ?? ?? 48 83 FA ?? 0F 82 ?? ?? ?? ?? 48 8D 14 55 ?? ?? ?? ?? 48 8B 8D ?? + ?? ?? ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? 48 83 C2 ?? 48 8B 49 ?? 48 + 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 86 ?? ?? ?? ?? FF 15 + } + + $enum_drives = { + 48 89 5D ?? 48 C7 45 ?? ?? ?? ?? ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 8B F8 0F A3 DF 0F + 83 ?? ?? ?? ?? 8D 4B ?? 48 C7 45 ?? ?? ?? ?? ?? 88 4D ?? 48 C7 45 ?? ?? ?? ?? ?? 66 + C7 45 ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 3B 05 ?? ?? ?? ?? 74 ?? 48 8D 55 ?? 48 8B C8 + E8 ?? ?? ?? ?? 48 83 05 ?? ?? ?? ?? ?? EB ?? 4C 8D 45 ?? 48 8B D0 48 8D 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 90 48 8B 45 ?? 48 83 F8 ?? 72 ?? 48 8D 50 ?? 48 8B 4D ?? 48 8B C1 + 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? + 77 ?? E8 ?? ?? ?? ?? FF C3 83 FB ?? 0F 8C ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? + E8 ?? ?? ?? ?? 90 33 C0 48 8B 4D ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 5C 24 ?? 49 8B 5B + ?? 49 8B 7B ?? 49 8B E3 5D C3 FF 15 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_drives + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file 
diff --git a/yara/ransomware/Win64.Ransomware.Nokoyawa.yara b/yara/ransomware/Win64.Ransomware.Nokoyawa.yara
new file mode 100644
index 0000000..693b7ac
--- /dev/null
+++ b/yara/ransomware/Win64.Ransomware.Nokoyawa.yara
@@ -0,0 +1,104 @@ +rule Win64_Ransomware_Nokoyawa : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "NOKOYAWA" + description = "Yara rule that detects Nokoyawa ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Nokoyawa" + tc_detection_factor = 5 + + strings: + + $enum_shares = { + 48 89 4C 24 ?? 48 81 EC ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? + 48 8D 44 24 ?? 48 89 44 24 ?? 4C 8B 8C 24 ?? ?? ?? ?? 45 33 C0 33 D2 B9 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 7C 24 ?? ?? 74 ?? 33 C0 E9 ?? ?? ?? ?? 8B 44 24 ?? + 8B D0 B9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 89 44 24 ?? 48 83 7C 24 ?? ?? 75 ?? 33 C0 + E9 ?? ?? ?? ?? 8B 44 24 ?? 44 8B C0 33 D2 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 4C 8D 4C 24 + ?? 4C 8B 44 24 ?? 48 8D 54 24 ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 89 44 24 ?? 83 7C + 24 ?? ?? 0F 85 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 8B 44 24 ?? FF C0 89 44 24 + ?? 8B 44 24 ?? 39 44 24 ?? 73 ?? 48 8B 44 24 ?? 83 78 ?? ?? 75 ?? 8B 44 24 ?? 48 6B + C0 ?? 48 8B 4C 24 ?? 48 8B 54 01 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? + ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 44 24 ?? 48 6B C0 + ?? 48 8B 4C 24 ?? 8B 44 01 ?? 83 E0 ?? 83 F8 ?? 75 ?? 8B 44 24 ?? 48 6B C0 ?? 48 8B + 4C 24 ?? 48 03 C8 48 8B C1 48 8B C8 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? EB ?? 81 7C 24 ?? + ?? ?? ?? ?? 74 ?? EB ?? 81 7C 24 ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 8B 4C 24 ?? FF + 15 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 + } + + $find_files_p1 = { + FF 15 ?? ?? ?? ?? 48 89 44 24 ?? 48 83 7C 24 ?? ?? 0F 84 ?? ?? ?? ?? 8B 44 24 ?? 83 + E0 ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 + C0 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 85 C0 0F 84 + ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 98 48 8B D0 48 8D 4C 24 ?? E8 ?? ?? ?? + ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 
48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 98 48 8B D0 48 + 8D 4C 24 ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? + ?? ?? 48 98 48 8B D0 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 48 8D 4C 24 + ?? E8 ?? ?? ?? ?? 48 98 48 8B D0 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? + 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 98 48 8B D0 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 3D ?? ?? + ?? ?? 74 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 98 48 8B D0 48 8D 4C 24 ?? E8 ?? ?? ?? + ?? 3D ?? ?? ?? ?? 75 ?? E9 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF C8 48 98 48 8B 8C 24 ?? + ?? ?? ?? 0F B7 04 41 83 F8 ?? 75 ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF C8 48 + } + + $find_files_p2 = { + 98 48 8B 8C 24 ?? ?? ?? ?? 0F B7 04 41 83 F8 ?? 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C + 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF C8 48 98 48 8B 8C 24 ?? ?? ?? ?? + 0F B7 04 41 83 F8 ?? 75 ?? 48 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF C8 48 98 48 8B + 8C 24 ?? ?? ?? ?? 0F B7 04 41 83 F8 ?? 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 4C + 24 ?? E8 ?? ?? ?? ?? 48 8B D0 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 15 ?? ?? + ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 85 C0 75 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 + ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? + E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? + ?? 85 C0 75 ?? EB ?? 48 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B 4C + 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 
48 + 81 C4 + } + + $encrypt_files = { + 48 89 4C 24 ?? 48 83 EC ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 + 24 ?? ?? ?? ?? ?? 45 33 C9 45 33 C0 BA ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? 48 89 44 24 ?? 48 83 7C 24 ?? ?? 0F 84 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 89 44 24 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 44 24 ?? B9 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 89 44 24 ?? BA ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 54 24 + ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 4C 8B 44 24 ?? 48 8B 15 ?? ?? ?? ?? 48 8B 4C 24 ?? + E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 44 24 ?? 41 B8 ?? ?? ?? ?? 33 D2 + 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 C7 40 ?? ?? ?? ?? ?? 48 8B 44 24 ?? + 48 8B 4C 24 ?? 48 89 48 ?? 48 8B 44 24 ?? C7 40 ?? ?? ?? ?? ?? 48 8B 44 24 ?? 48 C7 + 40 ?? ?? ?? ?? ?? 48 8B 44 24 ?? C7 40 ?? ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? + 48 89 48 ?? 48 8B 44 24 ?? 48 8B 4C 24 ?? 48 89 48 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8B 4C 24 ?? 48 89 41 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 89 41 ?? + 48 8B 44 24 ?? C7 40 ?? ?? ?? ?? ?? 48 8B 44 24 ?? 48 83 C0 ?? 48 8B 94 24 ?? ?? ?? + ?? 48 8B C8 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 98 4C 8B C0 48 8D + 15 ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 48 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 83 C0 ?? + 48 8B D0 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 54 24 + ?? 48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 89 44 24 ?? 45 33 C9 41 B8 + ?? ?? ?? ?? 48 8B 44 24 ?? 48 8B 50 ?? 48 8B 44 24 ?? 48 8B 48 ?? FF 15 ?? ?? ?? ?? + 48 8D 05 ?? ?? ?? ?? F0 FF 00 48 83 C4 ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $enum_shares + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Pandora.yara b/yara/ransomware/Win64.Ransomware.Pandora.yara new file mode 100644 index 0000000..6fad093 --- /dev/null 
+++ b/yara/ransomware/Win64.Ransomware.Pandora.yara 
@@ -0,0 +1,95 @@ +rule Win64_Ransomware_Pandora : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "PANDORA" + description = "Yara rule that detects Pandora ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Pandora" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + 41 57 41 56 41 55 41 54 56 57 55 53 48 83 EC ?? 48 89 4C 24 ?? C7 44 24 ?? ?? ?? ?? + ?? 45 31 F6 41 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? + ?? 48 89 4C 24 ?? 45 31 C0 41 81 FA ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 0F + 4C CA 41 0F 94 C0 48 8B 8C 08 ?? ?? ?? ?? 48 01 F1 31 D2 31 DB 41 81 FA ?? ?? ?? ?? + 0F 9C C2 0F 95 C3 41 BD ?? ?? ?? ?? 49 29 D5 41 81 FA ?? ?? ?? ?? BF ?? ?? ?? ?? BA + ?? ?? ?? ?? 48 0F 4C FA 4C 8D 4C 9B ?? 41 BB ?? ?? ?? ?? BA ?? ?? ?? ?? 4C 0F 44 DA + 49 83 C8 ?? 31 DB 31 D2 41 81 FA ?? ?? ?? ?? 0F 9C C3 4C 8D 64 1B ?? 0F 94 C2 48 83 + F2 ?? 31 DB 41 81 FA ?? ?? ?? ?? 0F 94 C3 48 8D 1C DB 48 83 C3 ?? EB ?? 0F 1F 40 ?? + 4A 8B AC C0 ?? ?? ?? ?? 48 01 F5 FF E5 FF E1 4A 8B AC E0 ?? ?? ?? ?? 48 01 F5 FF E5 + 48 8B AC D8 ?? ?? ?? ?? 48 01 F5 FF E5 0F 1F 80 ?? ?? ?? ?? 48 8B AC F8 ?? ?? ?? ?? + 48 01 F5 FF E5 4A 8B AC E8 ?? ?? ?? ?? 48 01 F5 FF E5 4A 8B AC D8 ?? ?? ?? ?? 48 01 + } + + $find_files_p2 = { + F5 FF E5 66 0F 1F 84 00 ?? ?? 00 00 48 8B AC D0 ?? ?? ?? ?? 48 01 F5 FF E5 4A 8B AC + C8 ?? ?? ?? ?? 48 01 F5 FF E5 44 89 74 24 ?? 48 63 4C 24 ?? 48 8B 54 24 ?? 48 8B 8C + CA ?? ?? ?? ?? 48 89 4C 24 ?? 48 8B 4C 24 ?? 8B 54 24 ?? BD ?? ?? ?? ?? 01 EA 44 8B + 54 24 ?? BD ?? ?? ?? ?? 41 01 EA 66 83 39 ?? 44 0F 45 D2 E9 ?? ?? ?? ?? 45 31 FF EB + ?? 66 2E 0F 1F 84 00 ?? ?? 00 00 90 41 BF ?? ?? ?? ?? 44 8B 54 24 ?? 41 81 C2 ?? ?? + ?? ?? E9 ?? ?? ?? ?? 66 0F 1F 84 00 ?? ?? 00 00 44 8B 74 24 ?? 41 83 C6 ?? 48 8B 54 + 24 ?? 48 8B 05 ?? ?? ?? ?? 48 8B 80 ?? ?? ?? ?? B9 ?? ?? ?? ?? 
48 01 C8 48 8B 4C 24 + ?? FF D0 8B 4C 24 ?? BA ?? ?? ?? ?? 01 D1 44 8B 54 24 ?? BA ?? ?? ?? ?? 41 01 D2 85 + C0 44 0F 44 D1 E9 ?? ?? ?? ?? 44 89 F8 48 83 C4 ?? 5B 5D 5F 5E 41 5C 41 5D 41 5E 41 + 5F C3 + } + + $generate_key = { + 41 57 41 56 41 55 41 54 56 57 55 53 48 81 EC ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 + 8D B4 24 ?? ?? ?? ?? 48 89 74 24 ?? 48 8B 44 24 ?? 48 8B 05 ?? ?? ?? ?? 48 C7 C5 ?? + ?? ?? ?? 48 8B 80 ?? ?? ?? ?? 48 01 E8 41 BC ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 4C 01 + E1 BA ?? ?? ?? ?? 48 03 15 ?? ?? ?? ?? FF D0 48 8B 05 ?? ?? ?? ?? 48 8B 4C 24 ?? 0F + B7 90 ?? ?? ?? ?? 66 89 51 ?? 48 8B 80 ?? ?? ?? ?? 48 89 01 48 8B 05 ?? ?? ?? ?? 48 + 8B 80 ?? ?? ?? ?? 48 01 E8 48 8B 0D ?? ?? ?? ?? 4C 01 E1 FF D0 48 8B 05 ?? ?? ?? ?? + 48 8B 80 ?? ?? ?? ?? 48 01 E8 48 8B 0D ?? ?? ?? ?? 4C 01 E1 FF D0 48 8B 05 ?? ?? ?? + ?? 48 8B 80 ?? ?? ?? ?? 48 01 E8 48 89 F1 FF D0 48 98 4C 8B 05 ?? ?? ?? ?? 4D 01 E0 + 48 8B 0D ?? ?? ?? ?? 48 8B 99 ?? ?? ?? ?? 48 01 EB 48 8B 0D ?? ?? ?? ?? 4C 01 E1 48 + 89 44 24 ?? 48 8D 15 ?? ?? ?? ?? 49 89 F1 FF D3 89 84 24 ?? ?? ?? ?? B9 ?? ?? ?? ?? + 45 31 ED 41 BE ?? ?? ?? ?? 41 BF ?? ?? ?? ?? BB ?? ?? ?? ?? EB ?? 81 F9 ?? ?? ?? ?? + BA ?? ?? ?? ?? BF ?? ?? ?? ?? 48 0F 44 D7 48 8B 04 10 4C 01 F0 FF E0 + } + + $drop_ransom_note = { + 48 8B 05 ?? ?? ?? ?? 48 8B 80 ?? ?? ?? ?? BD ?? ?? ?? ?? 48 01 E8 48 8B 0D ?? ?? ?? + ?? BE ?? ?? ?? ?? 48 01 F1 48 8B 15 ?? ?? ?? ?? BF ?? ?? ?? ?? 48 01 FA FF D0 48 8B + 0D ?? ?? ?? ?? 48 01 F1 48 8B 05 ?? ?? ?? ?? 48 8B 90 ?? ?? ?? ?? 48 01 EA FF D2 48 + 8B 15 ?? ?? ?? ?? 48 01 F2 48 8B 8C 24 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8B B6 ?? + ?? ?? ?? 48 01 EE 48 C7 44 24 ?? ?? ?? ?? ?? 41 89 C0 4C 8D 4C 24 ?? FF D6 BE ?? ?? + ?? ?? 48 8B 8C 24 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8B 90 ?? ?? ?? ?? 41 BE ?? ?? + ?? ?? 48 01 EA FF D2 BF ?? ?? ?? ?? 8B 4C 24 ?? B8 ?? ?? ?? ?? 01 C1 E9 ?? ?? ?? ?? + 81 F9 ?? ?? ?? ?? BA ?? ?? ?? ?? BD ?? ?? ?? ?? 48 0F 44 D5 48 8B 04 10 4C 01 E0 FF + E0 8B 44 24 ?? 83 C0 ?? 89 44 24 ?? 
8B 4C 24 ?? B8 ?? ?? ?? ?? 01 C1 E9 ?? ?? ?? ?? + 81 F9 ?? ?? ?? ?? BA ?? ?? ?? ?? BD ?? ?? ?? ?? 48 0F 44 D5 48 8B 04 10 4C 01 E0 FF + E0 8B 4C 24 ?? B8 ?? ?? ?? ?? 01 C1 E9 ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? BA ?? ?? ?? ?? + BD ?? ?? ?? ?? 48 0F 44 D5 48 8B 04 10 4C 01 E0 FF E0 8B 4C 24 ?? B8 ?? ?? ?? ?? 01 + C1 C7 44 24 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? BA ?? ?? ?? ?? BD ?? ?? + ?? ?? 48 0F 44 D5 48 8B 04 10 4C 01 E0 FF E0 48 8B 05 ?? ?? ?? ?? 48 8B 88 ?? ?? ?? + ?? 48 8B 05 ?? ?? ?? ?? 48 8B 80 ?? ?? ?? ?? 4C 01 F0 C7 44 24 ?? ?? ?? ?? ?? 48 8D + 54 24 ?? 4C 8D 84 24 ?? ?? ?? ?? 4C 8D 4C 24 ?? FF D0 BF ?? ?? ?? ?? 8B 54 24 ?? B9 + ?? ?? ?? ?? 01 CA 8B 4C 24 ?? BD ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? + 48 8B 84 24 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 48 8B 84 24 ?? ?? ?? ?? 31 C0 48 81 + C4 ?? ?? ?? ?? 5B 5D 5F 5E 41 5C 41 5D 41 5E 41 5F C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $generate_key + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.RedRoman.yara b/yara/ransomware/Win64.Ransomware.RedRoman.yara new file mode 100644 index 0000000..40fbde2 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.RedRoman.yara 
@@ -0,0 +1,82 @@ +rule Win64_Ransomware_RedRoman : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "REDROMAN" + description = "Yara rule that detects RedRoman ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "RedRoman" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? + ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? + ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 48 89 44 24 ?? 4C 8D 8C 24 ?? ?? ?? ?? 41 B8 ?? ?? + ?? ?? BA ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 48 C7 84 + 24 ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 85 C0 75 ?? 33 D2 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? + ?? ?? ?? B8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 8D 84 24 ?? ?? + ?? ?? 48 89 44 24 ?? 41 B9 ?? ?? ?? ?? 45 33 C0 BA ?? ?? ?? ?? 48 8B 8C 24 ?? ?? ?? + ?? FF 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 6B C9 ?? 48 89 84 0C ?? ?? ?? ?? 48 C7 84 24 + ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 85 C0 75 ?? B8 ?? ?? ?? ?? 48 6B C0 ?? 48 83 BC 04 ?? + ?? ?? ?? ?? 74 ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 84 24 ?? ?? ?? ?? 48 89 84 + 24 ?? ?? ?? ?? EB ?? 33 D2 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? + E9 ?? ?? ?? ?? 33 D2 48 8B 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? + ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 8B 49 ?? 48 89 01 48 8B 44 24 ?? 48 8B + 40 ?? 48 83 38 ?? 75 ?? 48 8D 15 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? B8 ?? ?? + ?? ?? 48 6B C0 ?? 48 83 BC 04 ?? ?? ?? ?? ?? 74 ?? B8 ?? ?? ?? ?? 48 6B C0 ?? 48 8B + 8C 04 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B8 + } + + $encrypt_files_p2 = { + 4C 8D 05 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 48 8B 4D ?? 48 8B 55 ?? E8 ?? ?? ?? ?? 48 89 + 55 ?? 48 89 45 ?? EB ?? 31 C0 41 89 C0 48 8B 4D ?? 48 8B 55 ?? E8 ?? ?? ?? ?? 48 89 + 45 ?? EB ?? 48 8B 45 ?? 
48 83 F8 ?? 74 ?? 48 8B 55 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? EB ?? EB ?? 48 81 C4 ?? ?? ?? ?? 5D C3 48 8D 4D ?? E8 ?? ?? ?? ?? EB ?? 48 8B + 85 ?? ?? ?? ?? 48 85 C0 74 ?? EB ?? EB ?? 0F 0B 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? + ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? + ?? ?? C6 85 ?? ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? + ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? + 48 89 85 ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? + 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 85 + C0 74 ?? EB ?? EB ?? 0F 0B 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? + 48 8B 85 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 89 8D + } + + $find_files = { + 48 8D 9C 24 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 D9 31 D2 E8 ?? ?? ?? ?? 48 8B 0F 48 + 89 DA E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 4C 8D B4 24 ?? ?? ?? ?? 48 8D 9C 24 ?? + ?? ?? ?? 66 83 BC 24 ?? ?? 00 00 ?? 74 ?? EB ?? 0F 1F 84 00 ?? ?? ?? ?? 48 8B 0F 48 + 89 DA E8 ?? ?? ?? ?? 85 C0 74 ?? 66 83 BC 24 ?? ?? 00 00 ?? 75 ?? 0F B7 84 24 ?? ?? + ?? ?? 66 85 C0 74 ?? 66 83 F8 ?? 75 ?? 66 83 BC 24 ?? ?? 00 00 ?? 74 ?? 48 8B 47 ?? + F0 48 83 00 ?? 0F 8E ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 41 + B8 ?? ?? ?? ?? 4C 89 F1 E8 ?? ?? ?? ?? 48 C7 06 ?? ?? ?? ?? 48 8D 4E ?? 48 8D 94 24 + ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 83 F8 ?? 75 ?? 48 + C7 06 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 48 C7 06 ?? ?? ?? ?? C6 46 ?? ?? 89 46 ?? 48 + 89 F0 0F 28 B5 ?? ?? ?? ?? 
0F 28 BD ?? ?? ?? ?? 44 0F 28 85 ?? ?? ?? ?? 44 0F 28 8D + ?? ?? ?? ?? 44 0F 28 95 ?? ?? ?? ?? 44 0F 28 9D ?? ?? ?? ?? 44 0F 28 A5 ?? ?? ?? ?? + 44 0F 28 AD ?? ?? ?? ?? 44 0F 28 B5 ?? ?? ?? ?? 44 0F 28 BD ?? ?? ?? ?? 48 8D A5 ?? + ?? ?? ?? 5B 5F 5E 41 5E 5D C3 0F 0B + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Rook.yara b/yara/ransomware/Win64.Ransomware.Rook.yara new file mode 100644 index 0000000..58d53ec --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Rook.yara 
@@ -0,0 +1,122 @@ +rule Win64_Ransomware_Rook : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ROOK" + description = "Yara rule that detects Rook ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Rook" + tc_detection_factor = 5 + + strings: + + $find_files = { + 48 2B D6 48 8D 4C 24 ?? 48 FF C2 41 B8 ?? ?? ?? ?? F6 D8 4D 1B FF 4C 23 FA 33 D2 E8 + ?? ?? ?? ?? 45 33 C9 89 7C 24 ?? 4C 8D 44 24 ?? 48 89 7C 24 ?? 33 D2 48 8B CE FF 15 + ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 75 ?? 4D 8B CE 45 33 C0 33 D2 48 8B CE E8 ?? ?? ?? + ?? 8B F8 48 83 FB ?? 74 ?? 48 8B CB FF 15 ?? ?? ?? ?? 8B C7 48 8B 8C 24 ?? ?? ?? ?? + 48 33 CC E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 41 5F 41 5E 5F + 5E 5D C3 49 8B 6E ?? 49 2B 2E 48 C1 FD ?? 80 7C 24 ?? ?? 75 ?? 8A 44 24 ?? 84 C0 74 + ?? 3C ?? 75 ?? 40 38 7C 24 ?? 74 ?? 4D 8B CE 48 8D 4C 24 ?? 4D 8B C7 48 8B D6 E8 ?? + ?? ?? ?? 85 C0 75 ?? 48 8D 54 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 75 ?? 49 8B 06 + 49 8B 56 ?? 48 2B D0 48 C1 FA ?? 48 3B EA 0F 84 ?? ?? ?? ?? 48 2B D5 48 8D 0C E8 4C + 8D 0D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 + } + + $encrypt_files_p1 = { + 40 55 53 56 48 8D AC 24 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? F2 0F 10 05 ?? ?? ?? ?? 0F + B6 05 ?? ?? ?? ?? F2 0F 11 44 24 ?? 88 44 24 ?? E8 ?? ?? ?? ?? 33 D2 48 8D 0D ?? ?? + ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 CE ?? 48 8D 4C 24 ?? 89 35 ?? ?? ?? ?? + FF 15 ?? ?? ?? ?? 48 63 C8 4C 8D 4C 24 ?? 48 89 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 4C 24 + ?? FF 15 ?? ?? ?? ?? 48 63 C8 4C 8D 4C 24 ?? 48 89 4C 24 ?? E8 ?? ?? ?? ?? 0F 57 C0 + 0F 57 C9 F3 0F 7F 05 ?? ?? ?? ?? F3 0F 7F 0D ?? ?? ?? ?? F3 0F 7F 05 ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 85 C0 48 89 05 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 0F 44 0D ?? ?? ?? + ?? 48 89 0D ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF C0 48 8D 15 ?? ?? + ?? ?? 4C 63 C0 48 8D 0D ?? ?? ?? ?? 
E8 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? 48 89 05 ?? ?? ?? ?? 33 DB 48 8B 05 ?? ?? ?? ?? 45 33 C9 48 89 05 ?? ?? ?? + ?? 45 33 C0 48 8D 85 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 44 24 ?? 48 C7 + } + + $encrypt_files_p2 = { + C1 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 44 24 ?? 48 89 5C 24 ?? C7 44 24 ?? ?? ?? + ?? ?? 89 5C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 + 8D 85 ?? ?? ?? ?? 4C 89 A4 24 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 44 24 ?? 4C 8D + 25 ?? ?? ?? ?? 4C 89 AC 24 ?? ?? ?? ?? 45 33 C9 45 33 C0 4C 89 64 24 ?? 4C 89 BC 24 + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8D 2D ?? ?? ?? ?? 83 + F8 ?? 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 54 24 ?? 48 89 5C 24 ?? + E8 ?? ?? ?? ?? 85 C0 78 ?? 4C 63 C8 4C 8D 85 ?? ?? ?? ?? 48 8D 44 24 ?? 4D 2B C1 48 + 89 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 4C 89 64 24 ?? E8 ?? ?? ?? ?? + 49 8B CD FF 15 ?? ?? ?? ?? 44 8B C0 89 05 ?? ?? ?? ?? B8 ?? ?? ?? ?? 41 F7 E8 C1 FA + ?? 8B CA C1 E9 ?? 03 D1 69 CA ?? ?? ?? ?? 44 3B C1 74 ?? FF C2 4C 8D 3D ?? ?? ?? ?? + 85 D2 0F 8E ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? 49 8B DD 4C 89 B4 24 ?? ?? ?? ?? 49 + } + + $encrypt_files_p3 = { + 8B FF 44 8B F2 0F 1F 00 48 8B 0D ?? ?? ?? ?? 8B 91 ?? ?? ?? ?? 85 D2 74 ?? 83 FA ?? + 75 ?? 48 89 7C 24 ?? 4C 8D 05 ?? ?? ?? ?? 48 89 5C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 C7 + 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? EB ?? 48 89 7C 24 ?? 4C 8D 05 ?? ?? ?? ?? 48 89 + 5C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 81 C7 ?? + ?? ?? ?? 48 81 C3 ?? ?? ?? ?? 49 83 EE ?? 75 ?? 4C 8B B4 24 ?? ?? ?? ?? 33 DB 48 8B + BC 24 ?? ?? ?? ?? 66 0F 1F 44 00 ?? 48 FF C6 41 80 3C 34 ?? 75 ?? 48 8B 8D ?? ?? ?? + ?? 48 8D 15 ?? ?? ?? ?? 89 74 24 ?? 41 B9 ?? ?? ?? ?? 45 33 C0 4C 89 64 24 ?? FF 15 + ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? C7 44 24 ?? + ?? ?? ?? ?? 45 33 C0 4C 89 7C 24 ?? FF 15 ?? ?? ?? ?? EB ?? 48 8B 8D ?? ?? ?? ?? 
48 + 8D 85 ?? ?? ?? ?? 48 89 44 24 ?? 4C 8D 3D ?? ?? ?? ?? 45 33 C9 4C 89 7C 24 ?? 45 33 + C0 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 49 8B CC FF + 15 ?? ?? ?? ?? 49 8B D4 48 8D 0D ?? ?? ?? ?? FF C0 4C 63 C0 E8 ?? ?? ?? ?? 48 8B 05 + ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 05 ?? ?? + ?? ?? 4C 8B BC 24 ?? ?? ?? ?? 4C 8B A4 24 ?? ?? ?? ?? 48 85 C0 74 ?? 48 8B 0D ?? ?? + ?? ?? FF 50 ?? 48 8B 05 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 33 D2 44 8D 42 ?? FF D0 48 + 8B 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 48 63 85 ?? ?? ?? ?? 48 3D ?? + ?? ?? ?? 73 ?? 0F 1F 00 48 63 85 ?? ?? ?? ?? 42 C6 04 28 ?? FF 85 ?? ?? ?? ?? 48 63 + 85 ?? ?? ?? ?? 48 3D ?? ?? ?? ?? 72 ?? 4C 8B AC 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? + 5E 5B 5D C3 + } + + $enum_procs = { + 40 56 48 81 EC ?? ?? ?? ?? 33 D2 8D 4A ?? FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? C7 44 24 + ?? ?? ?? ?? ?? 48 8B C8 48 8B F0 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 89 9C + 24 ?? ?? ?? ?? 48 89 AC 24 ?? ?? ?? ?? 48 8D 2D ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? + 0F 1F 40 ?? 0F 1F 84 00 ?? ?? ?? ?? 33 DB 48 8B FD 66 66 66 0F 1F 84 00 ?? ?? 00 00 + 48 8B 0F 48 8D 54 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? FF C3 48 83 C7 ?? 83 FB ?? 72 + ?? EB ?? 44 8B 44 24 ?? 33 D2 8D 4A ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 85 C0 74 ?? BA + ?? ?? ?? ?? 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 48 + 8B CE FF 15 ?? ?? ?? ?? 85 C0 75 ?? 48 8B BC 24 ?? ?? ?? ?? 48 8B AC 24 ?? ?? ?? ?? + 48 8B 9C 24 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5E C3 + } + + $enum_shares = { + 48 83 EC ?? 33 D2 C7 44 24 ?? ?? ?? ?? ?? 48 8D 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? 4C + 8B C9 48 89 44 24 ?? 8D 4A ?? 44 8D 42 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? + 48 89 5C 24 ?? 8B 5C 24 ?? 48 89 7C 24 ?? 66 66 0F 1F 84 00 ?? ?? 00 00 48 8B 0D ?? + ?? ?? ?? 4C 8D 43 ?? BA ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 ?? 48 8B + 4C 24 ?? 4C 8D 4C 24 ?? 
4C 8B C0 48 8D 54 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 66 0F + 1F 44 00 ?? 33 DB 39 5C 24 ?? 76 ?? 0F 1F 84 00 ?? ?? ?? ?? 48 8D 0C 5B 48 C1 E1 ?? + 48 03 CF F6 41 ?? ?? 74 ?? E8 ?? ?? ?? ?? EB ?? 48 8B 49 ?? E8 ?? ?? ?? ?? FF C3 3B + 5C 24 ?? 72 ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 4C 8B C7 48 8D 54 24 ?? FF 15 ?? ?? ?? + ?? 85 C0 74 ?? 48 8B 0D ?? ?? ?? ?? 4C 8B C7 33 D2 FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? + FF 15 ?? ?? ?? ?? 48 8B 7C 24 ?? 48 8B 5C 24 ?? 48 83 C4 ?? C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enum_shares + ) and + ( + $enum_procs + ) and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.SeedLocker.yara b/yara/ransomware/Win64.Ransomware.SeedLocker.yara new file mode 100644 index 0000000..d66286a --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.SeedLocker.yara 
@@ -0,0 +1,91 @@ +rule Win64_Ransomware_SeedLocker : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SEEDLOCKER" + description = "Yara rule that detects SeedLocker ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "SeedLocker" + tc_detection_factor = 5 + + strings: + + $search_files = { + 48 89 5C 24 ?? 48 89 7C 24 ?? 55 48 8D AC 24 ?? ?? ?? ?? 48 81 EC ?? ?? ?? ?? 48 8B + 05 ?? ?? ?? ?? 48 33 C4 48 89 85 ?? ?? ?? ?? 48 8B F9 4C 8D 05 ?? ?? ?? ?? 4C 8B C9 + BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8D 8D ?? ?? + ?? ?? FF 15 ?? ?? ?? ?? 48 8B D8 48 83 F8 ?? 0F 84 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? + 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 4C 24 ?? FF + 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8D 44 24 ?? 4C 8B CF 4C 8D 05 ?? ?? ?? ?? 48 89 44 24 + ?? BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? F6 44 24 ?? ?? 48 8D 8D ?? + ?? ?? ?? 74 ?? 48 8D 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? + ?? ?? EB ?? FF 15 ?? ?? ?? ?? 48 8D 54 24 ?? 48 8B CB FF 15 ?? ?? ?? ?? 85 C0 0F 85 + ?? ?? ?? ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? + ?? 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B 7B ?? 49 8B E3 + 5D C3 + } + + $encrypt_files_p1 = { + FF 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 63 C8 48 8D 85 ?? ?? ?? + ?? 48 8D 04 48 48 83 C0 ?? 66 83 38 ?? 75 ?? 45 33 FF 4C 8D 05 ?? ?? ?? ?? 66 44 89 + 38 45 33 C9 48 83 C0 ?? 4C 89 7C 24 ?? 48 89 05 ?? ?? ?? ?? 33 D2 48 8D 05 ?? ?? ?? + ?? 44 89 7C 24 ?? 33 C9 48 89 05 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 D2 45 8D 47 ?? 33 + C9 FF 15 ?? ?? ?? ?? 48 8B F0 48 85 C0 74 ?? 48 8B 1D ?? ?? ?? ?? 48 81 C3 ?? ?? ?? + ?? EB ?? 48 8B CB FF 15 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8B D3 48 8B CE 44 8B F0 FF + 15 ?? ?? ?? ?? 48 8B F8 48 85 C0 74 ?? 4C 8D 85 ?? ?? ?? ?? 
BA ?? ?? ?? ?? 48 8B C8 + FF 15 ?? ?? ?? ?? 48 8B CF FF 15 ?? ?? ?? ?? 41 8D 46 ?? 48 63 C8 48 8D 1C 4B 66 44 + 39 3B 75 ?? 48 8B CE FF 15 ?? ?? ?? ?? 33 D2 8D 4A ?? FF 15 ?? ?? ?? ?? 48 8B F8 48 + 83 F8 ?? 0F 84 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? EB ?? 48 8B 1D ?? ?? ?? ?? 48 81 + C3 ?? ?? ?? ?? EB ?? 48 8B CB FF 15 ?? ?? ?? ?? 48 8B D3 48 8D 4C 24 ?? 44 8B F0 FF + 15 ?? ?? ?? ?? 85 C0 75 ?? 44 8B 44 24 ?? 8D 48 ?? 33 D2 FF 15 ?? ?? ?? ?? 48 8B F0 + 48 83 F8 ?? 74 ?? 33 D2 48 8B C8 FF 15 ?? ?? ?? ?? 48 8B CE FF 15 ?? ?? ?? ?? 41 8D + 46 ?? 48 63 C8 48 8D 1C 4B 66 44 39 3B 75 ?? 48 8D 54 24 ?? 48 8B CF FF 15 ?? ?? ?? + ?? 85 C0 75 ?? 48 8B CF FF 15 ?? ?? ?? ?? 33 D2 48 8D 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 48 8D 35 ?? ?? ?? ?? 48 + } + + $encrypt_files_p2 = { + 8D 8D ?? ?? ?? ?? 48 89 B5 ?? ?? ?? ?? 44 8D 42 ?? E8 ?? ?? ?? ?? 4C 8B 05 ?? ?? ?? + ?? 48 8D 8D ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 4C 89 BD + ?? ?? ?? ?? 44 8B CB C7 44 24 ?? ?? ?? ?? ?? 45 33 C0 48 8D 8D ?? ?? ?? ?? 33 D2 FF + 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 48 8D 44 24 ?? 45 + 33 C9 45 33 C0 48 89 44 24 ?? 8D 53 ?? 33 C9 FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? + 48 8D 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? EB ?? FF 15 ?? ?? ?? + ?? 3D ?? ?? ?? ?? 75 ?? 44 8B CB C7 44 24 ?? ?? ?? ?? ?? 45 33 C0 48 8D 8D ?? ?? ?? + ?? 33 D2 FF 15 ?? ?? ?? ?? 48 8B BD ?? ?? ?? ?? 48 85 FF 0F 84 ?? ?? ?? ?? 48 8B 0D + ?? ?? ?? ?? 41 8B DF 48 81 C1 ?? ?? ?? ?? 45 8B F7 FF 15 ?? ?? ?? ?? 85 C0 7E ?? 49 + 8B F7 48 8B 05 ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? BA ?? ?? ?? ?? 0F BE 8C 06 ?? ?? ?? + ?? 44 0F BE 8C 06 ?? ?? ?? ?? 89 4C 24 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 D2 + 48 8D 8D ?? ?? ?? ?? 44 8D 42 ?? E8 ?? ?? ?? ?? 8B CB 48 8D 76 ?? FF C3 41 83 C6 ?? + 88 84 0D ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 81 C1 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 44 + } + + $encrypt_files_p3 = { + 3B F0 7C ?? 
48 8D 35 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 45 33 C9 48 89 44 24 ?? 48 8D + 95 ?? ?? ?? ?? 44 8B C3 44 89 7C 24 ?? 48 8B CF FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? + ?? ?? 48 8B 1D ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 4C 8B C3 E8 ?? + ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 45 33 C9 C7 44 24 ?? ?? ?? ?? ?? + 48 89 44 24 ?? 33 D2 48 8D 85 ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 48 89 44 24 ?? 45 8D 41 + ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 41 8B DF 44 39 BD ?? ?? ?? ?? 76 ?? 8B C3 4C 8D 05 + ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 44 0F B6 8C 05 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF C3 3B 9D ?? ?? + ?? ?? 72 ?? 48 8B 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 D2 48 8B CF FF 15 ?? ?? ?? ?? + 48 8B 05 ?? ?? ?? ?? 4C 8D 8D ?? ?? ?? ?? 48 83 C0 ?? 4C 8D 05 ?? ?? ?? ?? BA ?? ?? + ?? ?? 48 89 44 24 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 66 0F 6F 05 ?? ?? 06 00 48 + 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 66 44 89 BD ?? ?? 00 00 F3 0F 7F 85 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8D 8D ?? ?? ?? ?? 48 89 B5 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 48 8B 8D ?? ?? ?? ?? + 48 33 CC E8 ?? ?? ?? ?? 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B 73 ?? 49 8B 7B ?? + 49 8B E3 41 5F 41 5E 5D C3 + } + + condition: + uint16(0) == 0x5A4D and $search_files and (all of ($encrypt_files_p*)) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Seth.yara b/yara/ransomware/Win64.Ransomware.Seth.yara new file mode 100644 index 0000000..8277d6e --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Seth.yara 
@@ -0,0 +1,122 @@ +rule Win64_Ransomware_Seth : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SETH" + description = "Yara rule that detects Seth ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Seth" + tc_detection_factor = 5 + + strings: + + $encrypt_files_p1 = { + 55 53 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? 48 8D 85 ?? + ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? BA ?? ?? + ?? ?? 48 8B 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? + BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 + 89 C1 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C1 48 8B 95 ?? + ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 41 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? + 48 05 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 84 C0 74 ?? 48 8D 15 ?? ?? ?? ?? 48 8B 0D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C1 48 8B 85 ?? ?? ?? ?? 48 89 C2 E8 ?? ?? ?? ?? 48 + 8B 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? BA + ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 89 + C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 48 + 8D 15 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C1 48 8B 85 + } + + $encrypt_files_p2 = { + 48 89 C2 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 C1 8B 85 + ?? ?? ?? ?? 89 C2 E8 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 8B 85 + ?? ?? ?? ?? 48 98 48 89 C1 E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 48 + 63 C8 48 8B 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 + 8B 95 ?? ?? ?? ?? 48 8D 45 ?? 41 B8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 8B 85 ?? ?? + ?? ?? 48 63 C8 48 8B 95 ?? ?? ?? ?? 48 8D 45 ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 + 8D 85 ?? ?? ?? 
?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 83 + BD ?? ?? ?? ?? ?? 74 ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 + 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? + ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? + 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? + ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 89 D8 48 89 C1 E8 ?? ?? ?? ?? 90 48 81 C4 ?? ?? ?? + ?? 5B 5D C3 + } + + $remote_connection_p1 = { + 55 48 81 EC ?? ?? ?? ?? 48 8D AC 24 ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? 48 8B 05 ?? ?? + ?? ?? FF D0 89 C1 E8 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 85 ?? ?? + ?? ?? 41 89 D0 48 89 C2 48 8D 0D ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 8B 05 ?? + ?? ?? ?? FF D0 89 C1 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 C1 BA ?? ?? ?? ?? 89 C8 F7 EA + C1 FA ?? 89 C8 C1 F8 ?? 29 C2 89 D0 69 C0 ?? ?? ?? ?? 29 C1 89 C8 8D 88 ?? ?? ?? ?? + 48 8D 95 ?? ?? ?? ?? 48 8D 45 ?? 41 89 C9 49 89 D0 48 8D 15 ?? ?? ?? ?? 48 89 C1 48 + 8B 05 ?? ?? ?? ?? FF D0 C7 44 24 ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? + BA ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 89 85 ?? ?? ?? ?? + 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? + ?? ?? C7 44 24 ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? + ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? + 0F 84 ?? ?? ?? ?? 48 8D 45 ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C1 48 + 8B 05 ?? ?? ?? ?? FF D0 48 89 85 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 84 ?? ?? ?? + ?? 48 8D 85 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB + ?? 8B 8D ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? + 48 C7 44 24 ?? ?? ?? ?? ?? 4D 89 C1 41 89 C8 48 89 C1 48 8B 05 ?? ?? ?? ?? 
FF D0 B8 + ?? ?? ?? ?? 44 8D 40 ?? 48 8D 8D ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? + ?? 49 89 C9 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 85 C0 74 ?? 8B 85 ?? ?? ?? ?? 85 C0 + } + + $remote_connection_p2 = { + 74 ?? B8 ?? ?? ?? ?? EB ?? B8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? + ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 55 ?? 48 8D 85 ?? ?? ?? ?? 49 89 D0 48 + 8D 15 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 85 ?? ?? ?? ?? 48 89 C1 + 48 8B 05 ?? ?? ?? ?? FF D0 B9 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 45 ?? 48 + 89 C1 E8 ?? ?? ?? ?? 84 C0 74 ?? C6 85 ?? ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C1 + 48 8B 05 ?? ?? ?? ?? FF D0 48 8B 85 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 + 48 8B 85 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 B9 ?? ?? ?? ?? 48 8B 05 ?? + ?? ?? ?? FF D0 0F B6 85 ?? ?? ?? ?? 83 F0 ?? 84 C0 0F 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? + 89 C1 BA ?? ?? ?? ?? 89 C8 F7 EA C1 FA ?? 89 C8 C1 F8 ?? 29 C2 89 D0 69 C0 ?? ?? ?? + ?? 29 C1 89 C8 8D 88 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 45 ?? 41 89 C9 49 89 D0 + 48 8D 15 ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 45 ?? 48 C7 44 24 ?? + ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 49 89 C0 48 8B 95 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 85 C0 0F 94 C0 84 C0 74 ?? 48 8D 55 ?? 48 8D 85 ?? ?? ?? ?? 49 89 D0 48 8D 15 + ?? ?? ?? ?? 48 89 C1 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 85 ?? ?? ?? ?? 48 89 C1 48 8B + 05 ?? ?? ?? ?? FF D0 B9 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? FF D0 48 8D 45 ?? 48 89 C1 + E8 ?? ?? ?? ?? 90 48 81 C4 ?? ?? ?? ?? 5D C3 + } + + $find_files = { + 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 83 F8 ?? 0F 95 C0 84 C0 74 ?? BB ?? + ?? ?? ?? E9 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 8D 95 ?? ?? ?? + ?? 49 89 C8 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C2 48 8B 0D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? + 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 
48 89 C1 E8 ?? ?? + ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 + ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 48 + 8D 95 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 8B 10 48 83 EA ?? 48 8B 12 + 48 01 D0 48 89 C1 E8 ?? ?? ?? ?? 48 85 C0 0F 95 C0 84 C0 0F 85 ?? ?? ?? ?? 48 8B 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 48 8D 85 ?? ?? ?? + ?? 48 89 C1 E8 ?? ?? ?? ?? 83 FB ?? 74 ?? BB ?? ?? ?? ?? EB ?? 90 BB ?? ?? ?? ?? 48 + 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? 83 FB ?? 74 ?? BB ?? ?? ?? ?? EB ?? 90 BB + ?? ?? ?? ?? 48 8D 45 ?? 48 89 C1 E8 ?? ?? ?? ?? 83 FB ?? 74 ?? E9 ?? ?? ?? ?? 90 E9 + ?? ?? ?? ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 + 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C1 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? + ?? 48 89 C1 E8 ?? ?? ?? ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_p*) + ) and + ( + all of ($remote_connection_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Solaso.yara b/yara/ransomware/Win64.Ransomware.Solaso.yara new file mode 100644 index 0000000..389d2ca --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Solaso.yara 
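Review bot: Every rule file added in this commit ends without a trailing newline (`\ No newline at end of file` follows the closing `}` of `Win64_Ransomware_Seth` here) and carries stray blank lines inside `meta:` (one after `meta:` and one after `author = "ReversingLabs"`), which is the pattern in all the sibling files too. These rules are vendored verbatim from ReversingLabs, so rather than hand-editing each one I would record the upstream repository and revision they were taken from in LICENSE-YARA-RULES or a README beside the `yara/` tree, so they can be diffed and refreshed later; if you do normalize formatting, do it uniformly across all files. Nothing in the rule itself pins the upstream version: the `meta` block has `author`, `source`, `status`, `sharing` and the `tc_detection_*` fields but no `reference`, `date` or `version`, so a reader cannot tell which ReversingLabs release this text corresponds to.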
@@ -0,0 +1,171 @@ +rule Win64_Ransomware_Solaso : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "SOLASO" + description = "Yara rule that detects Solaso ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Solaso" + tc_detection_factor = 5 + + strings: + + $find_files_p1 = { + C6 85 ?? ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 45 ?? 4C 89 AD ?? ?? ?? ?? 48 8D 85 + ?? ?? ?? ?? 48 89 45 ?? B1 ?? E8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? + ?? E8 ?? ?? ?? ?? 90 4C 8D 05 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 90 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 4C 8D + 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B BD + ?? ?? ?? ?? 4C 8B BD ?? ?? ?? ?? 49 3B FF 0F 84 ?? ?? ?? ?? 66 0F 1F 44 00 ?? 48 8D + 95 ?? ?? ?? ?? 48 8B CF E8 ?? ?? ?? ?? 90 48 8D 95 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? + ?? 48 0F 43 95 ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? + 48 8B C8 E8 ?? ?? ?? ?? 4C 89 AD ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 85 + ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 48 0F 43 95 ?? ?? ?? ?? + 4C 8B 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B CF 48 83 7F ?? ?? 72 + ?? 48 8B 0F BA ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? + 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 44 24 ?? 4C 89 AD ?? + ?? ?? ?? 4C 89 AD ?? ?? ?? ?? 48 8B B5 ?? ?? ?? ?? 4C 8D B5 ?? ?? ?? ?? 48 83 BD ?? + ?? ?? ?? ?? 4C 0F 43 B5 ?? ?? ?? ?? 48 83 FE ?? 73 ?? 41 0F 10 06 0F 11 85 ?? ?? ?? + ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 + } + + $find_files_p2 = { + 8B DE 48 83 CB ?? 48 3B D8 48 0F 47 D8 48 8D 4B ?? 48 81 F9 ?? ?? ?? ?? 72 ?? 48 8D + 41 ?? 48 3B C1 0F 86 ?? ?? ?? ?? 0F AE E8 48 8B C8 E8 ?? ?? ?? ?? 
48 8B C8 48 85 C0 + 0F 84 ?? ?? ?? ?? 48 83 C0 ?? 48 83 E0 ?? 48 89 48 ?? EB ?? 48 85 C9 74 ?? 0F AE E8 + E8 ?? ?? ?? ?? EB ?? 49 8B C5 48 89 85 ?? ?? ?? ?? 4C 8D 46 ?? 49 8B D6 48 8B C8 E8 + ?? ?? ?? ?? 48 89 9D ?? ?? ?? ?? 48 89 B5 ?? ?? ?? ?? 4C 89 6D ?? 4C 89 6D ?? 48 8B + B5 ?? ?? ?? ?? 4C 8D B5 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 4C 0F 43 B5 ?? ?? ?? ?? + 48 83 FE ?? 73 ?? 41 0F 10 06 0F 11 45 ?? 48 C7 45 ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 + B8 ?? ?? ?? ?? ?? ?? ?? ?? 48 89 45 ?? 48 8B DE 48 83 CB ?? 48 89 5D ?? 48 3B D8 48 + 0F 47 D8 48 8D 4B ?? 48 81 F9 ?? ?? ?? ?? 72 ?? 48 8D 41 ?? 48 3B C1 0F 86 ?? ?? ?? + ?? 0F AE E8 48 8B C8 E8 ?? ?? ?? ?? 48 8B C8 48 85 C0 0F 84 ?? ?? ?? ?? 48 83 C0 ?? + 48 83 E0 ?? 48 89 48 ?? EB ?? 48 85 C9 74 ?? 0F AE E8 E8 ?? ?? ?? ?? EB ?? 49 8B C5 + 48 89 45 ?? 4C 8D 46 ?? 49 8B D6 48 8B C8 E8 ?? ?? ?? ?? 48 89 5D ?? 48 89 75 ?? 4C + 8D 85 ?? ?? ?? ?? 48 8D 55 ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 8D + } + + $encrypt_files_p1 = { + 48 63 53 ?? 48 89 B5 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C6 45 ?? ?? 45 33 + C0 48 8D 4D ?? E8 ?? ?? ?? ?? 90 48 8D 55 ?? 48 83 BD ?? ?? ?? ?? ?? 48 0F 43 55 ?? + 4C 63 43 ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 89 4B ?? 48 85 C9 0F 84 + ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 3B CA 77 ?? 48 89 8D ?? ?? ?? ?? 48 8D 45 ?? 48 + 83 BD ?? ?? ?? ?? ?? 48 0F 43 45 ?? C6 04 01 ?? EB ?? 48 8B F1 48 2B F2 4C 8B 85 ?? + ?? ?? ?? 49 8B C0 48 2B C2 48 3B F0 77 ?? 48 89 8D ?? ?? ?? ?? 48 8D 7D ?? 49 83 F8 + ?? 48 0F 43 7D ?? 48 03 FA 4C 8B C6 33 D2 48 8B CF E8 ?? ?? ?? ?? C6 04 37 ?? EB ?? + 0F AE E8 C6 44 24 ?? ?? 4C 8B CE 48 8B D6 48 8D 4D ?? E8 ?? ?? ?? ?? 33 F6 8B 43 ?? + 99 41 F7 FD B9 ?? ?? ?? ?? 85 C0 0F 45 C8 89 4B ?? 83 F9 ?? 0F 8C ?? ?? ?? ?? 4C 63 + C9 4C 8D 45 ?? 48 8D 54 24 ?? E8 ?? ?? ?? ?? 48 8B F8 48 3B D8 74 ?? 48 8B 0B 48 85 + } + + $encrypt_files_p2 = { + C9 74 ?? 48 8B 53 ?? E8 ?? ?? ?? ?? 48 8B 0B 48 8B 53 ?? 48 2B D1 48 83 E2 ?? 48 81 + FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 
4C 8B 41 ?? 49 2B C8 48 8D 41 ?? 48 83 F8 ?? 0F 87 + ?? ?? ?? ?? 49 8B C8 E8 ?? ?? ?? ?? 48 89 33 48 89 73 ?? 48 89 73 ?? 48 8B 07 48 89 + 03 48 8B 47 ?? 48 89 43 ?? 48 8B 47 ?? 48 89 43 ?? 48 89 37 48 89 77 ?? 48 89 77 ?? + 48 8B 4C 24 ?? 48 85 C9 74 ?? 48 8B 54 24 ?? E8 ?? ?? ?? ?? 48 8B 54 24 ?? 48 8B 4C + 24 ?? 48 2B D1 48 83 E2 ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 + ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 74 24 ?? + 0F 57 C0 F3 0F 7F 44 24 ?? EB ?? 48 8B 0B 48 8D 45 ?? 48 3B C8 74 ?? 48 8D 55 ?? 48 + 83 BD ?? ?? ?? ?? ?? 48 0F 43 55 ?? 4C 8B 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B CB E8 + ?? ?? ?? ?? 45 33 C0 48 8D 15 ?? ?? ?? ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 83 7B ?? ?? 74 + ?? 33 FF 0F 1F 40 ?? 66 0F 1F 84 00 ?? ?? 00 00 4C 8B 03 4C 03 C7 49 8B D0 49 83 78 + ?? ?? 72 ?? 49 8B 10 4D 8B 40 ?? 48 8D 4D ?? E8 ?? ?? ?? ?? 48 63 CE 48 C1 E1 ?? 48 + } + + $encrypt_files_p3 = { + 03 0B 45 33 C0 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 0B 48 03 CF 48 C7 41 ?? ?? + ?? ?? ?? 48 83 79 ?? ?? 72 ?? 48 8B 09 C6 01 ?? FF C6 48 83 C7 ?? 3B 73 ?? 75 ?? 48 + 8D 55 ?? 48 83 BD ?? ?? ?? ?? ?? 48 0F 43 55 ?? 4C 8B 85 ?? ?? ?? ?? 48 8D 8D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 90 48 8B 95 ?? ?? ?? ?? 48 83 FA ?? 72 ?? 48 FF C2 48 8B 4D ?? + 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? 48 + 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 63 48 ?? 33 F6 F6 44 0C + ?? ?? 75 ?? E9 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 83 FA ?? 72 ?? 48 FF C2 48 8B 4D + ?? 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 83 C0 ?? + 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8D 3D ?? ?? ?? ?? 48 8D 4C 24 ?? E8 + ?? ?? ?? ?? BB ?? ?? ?? ?? 48 85 C0 75 ?? 48 8B 44 24 ?? 48 63 48 ?? 48 8D 44 24 ?? + 48 03 C8 41 8B D4 48 83 79 ?? ?? 0F 45 D3 0B 51 ?? 45 33 C0 E8 ?? ?? ?? ?? 48 8D 8D + ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 85 C0 75 ?? 48 8B 85 ?? ?? ?? ?? 48 63 48 ?? 48 8D 85 + ?? ?? ?? ?? 
48 03 C8 48 83 79 ?? ?? 44 0F 45 E3 44 0B 61 ?? 45 33 C0 41 8B D4 E8 ?? + ?? ?? ?? 90 48 8B 85 ?? ?? ?? ?? 48 63 48 ?? 48 89 BC 0D ?? ?? ?? ?? 48 8B 85 ?? ?? + ?? ?? 48 63 48 ?? 8D 91 ?? ?? ?? ?? 89 94 0D ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 63 48 ?? 48 8D 05 ?? ?? ?? ?? 48 89 84 0D ?? ?? ?? + ?? 48 8B 85 ?? ?? ?? ?? 48 63 48 ?? 8D 51 ?? 89 94 0D ?? ?? ?? ?? 48 8D 1D ?? ?? ?? + ?? 48 89 9D ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 90 48 8B 44 24 ?? 48 63 + } + + $encrypt_files_p4 = { + 48 ?? 48 8D 05 ?? ?? ?? ?? 48 89 44 0C ?? 48 8B 44 24 ?? 48 63 48 ?? 8D 91 ?? ?? ?? + ?? 89 54 0C ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 44 24 ?? 48 63 48 ?? 48 8D 05 ?? + ?? ?? ?? 48 89 44 0C ?? 48 8B 44 24 ?? 48 63 48 ?? 8D 51 ?? 89 54 0C ?? 48 89 5D ?? + 48 8D 4D ?? E8 ?? ?? ?? ?? 90 49 8B 57 ?? 48 83 FA ?? 72 ?? 49 8B 0F 48 FF C2 48 81 + FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 4C 8B 41 ?? 49 2B C8 48 8D 41 ?? 48 83 F8 ?? 0F 87 + ?? ?? ?? ?? 49 8B C8 E8 ?? ?? ?? ?? 49 89 77 ?? 49 C7 47 ?? ?? ?? ?? ?? 41 C6 07 ?? + 49 8B 56 ?? 48 83 FA ?? 72 ?? 48 FF C2 49 8B 0E 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 + ?? 4C 8B 41 ?? 49 2B C8 48 8D 41 ?? 48 83 F8 ?? 77 ?? 49 8B C8 E8 ?? ?? ?? ?? 49 89 + 76 ?? 49 C7 46 ?? ?? ?? ?? ?? 41 C6 06 ?? 48 8B 8D ?? ?? ?? ?? 48 33 CC E8 ?? ?? ?? + ?? 48 8B 9C 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 41 5F 41 5E 41 5D 41 5C 5F 5E 5D C3 + E8 + } + + $encrypt_files_p5 = { + 48 8B C4 48 89 58 ?? 48 89 70 ?? 48 89 78 ?? 4C 89 40 ?? 55 41 54 41 55 41 56 41 57 + 48 8D 68 ?? 48 81 EC ?? ?? ?? ?? 45 8B E1 49 8B D8 44 8B 4D ?? 48 8B FA 44 8B 45 ?? + 48 8B F1 41 8B D4 48 8D 4D ?? E8 ?? ?? ?? ?? 0F 10 00 F2 0F 10 48 ?? 0F 11 45 ?? 66 + 0F 73 D8 ?? 66 49 0F 7E C7 F2 0F 11 4D ?? 49 C1 EF ?? F2 0F 11 4D ?? 4C 89 7D ?? 41 + 83 FF ?? 75 ?? E8 ?? ?? ?? ?? 33 F6 89 30 83 0F ?? E8 ?? ?? ?? ?? 8B 00 E9 ?? ?? ?? + ?? E8 ?? ?? ?? ?? 89 07 83 F8 ?? 75 ?? E8 ?? ?? ?? ?? 33 F6 89 30 83 0F ?? E8 ?? ?? + ?? ?? C7 00 ?? ?? ?? ?? EB ?? 8B 4D ?? 4C 8D 4D ?? 
4C 8B 75 ?? 41 8B C4 48 8B 55 ?? + 45 8B C7 C1 E8 ?? 49 C1 EE ?? F7 D0 44 0B 75 ?? 83 E0 ?? C7 06 ?? ?? ?? ?? 33 F6 48 + 89 74 24 ?? 44 89 74 24 ?? 89 4C 24 ?? 48 8B CB 48 C1 EA ?? C7 45 ?? ?? ?? ?? ?? 48 + 89 75 ?? 89 45 ?? 4C 89 75 ?? FF 15 ?? ?? ?? ?? 8B 5D ?? B9 ?? ?? ?? ?? 4C 8B E8 48 + 83 F8 ?? 75 ?? 8B C3 23 C1 3B C1 75 ?? 41 F6 C4 ?? 74 ?? 8B 4D ?? 4C 8D 4D ?? 48 89 + 74 24 ?? 0F BA F3 ?? 89 5D ?? 45 8B C7 48 8B 55 ?? 44 89 74 24 ?? 89 4C 24 ?? 48 8B + } + + $encrypt_files_p6 = { + 4D ?? 48 C1 EA ?? FF 15 ?? ?? ?? ?? 4C 8B E8 48 83 F8 ?? 75 ?? 48 63 0F 4C 8D 3D ?? + ?? ?? ?? 48 8B C1 83 E1 ?? 48 C1 F8 ?? 48 8D 0C C9 49 8B 04 C7 80 64 C8 ?? ?? FF 15 + ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 49 8B CD FF 15 ?? ?? ?? ?? 85 C0 75 + ?? FF 15 ?? ?? ?? ?? 8B C8 8B D8 E8 ?? ?? ?? ?? 48 63 17 4C 8D 3D ?? ?? ?? ?? 48 8B + CA 83 E2 ?? 48 C1 F9 ?? 48 8D 14 D2 49 8B 0C CF 80 64 D1 ?? ?? 49 8B CD FF 15 ?? ?? + ?? ?? 85 DB 0F 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 00 ?? ?? ?? ?? E9 ?? ?? ?? ?? 44 8A + 75 ?? 83 F8 ?? 75 ?? 41 80 CE ?? EB ?? 83 F8 ?? 75 ?? 41 80 CE ?? 8B 0F 49 8B D5 E8 + ?? ?? ?? ?? 48 63 0F 4C 8D 3D ?? ?? ?? ?? 48 8B C1 41 80 CE ?? 48 C1 F8 ?? 83 E1 ?? + 44 88 75 ?? 49 8B 04 C7 48 8D 0C C9 44 88 74 C8 ?? 48 63 0F 48 8B C1 83 E1 ?? 48 C1 + F8 ?? 48 8D 0C C9 49 8B 04 C7 40 88 74 C8 ?? 41 F6 C4 ?? 74 ?? 8B 0F E8 ?? ?? ?? ?? + 89 45 ?? 85 C0 74 ?? 8B 0F E8 ?? ?? ?? ?? 8B 45 ?? E9 ?? ?? ?? ?? 0F 10 45 ?? 4C 8D + 4D ?? 8B 0F F2 0F 10 4D ?? 48 8D 55 ?? 45 8B C4 0F 29 45 ?? 40 88 75 ?? F2 0F 11 4D + ?? E8 ?? ?? ?? ?? 48 63 0F 89 45 ?? 85 C0 75 ?? 48 8B C1 48 C1 F9 ?? 83 E0 ?? 49 8B + } + + $encrypt_files_p7 = { + 0C CF 48 8D 14 C0 8A 45 ?? 88 44 D1 ?? 48 63 0F 48 8B C1 83 E1 ?? 48 C1 F8 ?? 48 8D + 14 C9 49 8B 0C C7 41 8B C4 C1 E8 ?? 24 ?? 80 64 D1 ?? ?? 08 44 D1 ?? 41 F6 C6 ?? 75 + ?? 41 F6 C4 ?? 74 ?? 48 63 0F 48 8B C1 83 E1 ?? 48 C1 F8 ?? 48 8D 0C C9 49 8B 04 C7 + 80 4C C8 ?? ?? B9 ?? ?? ?? ?? 8B C3 23 C1 3B C1 0F 85 ?? ?? ?? ?? 41 F6 C4 ?? 0F 84 + ?? ?? ?? ?? 
49 8B CD FF 15 ?? ?? ?? ?? 48 8B 4D ?? 4C 8D 4D ?? 44 8B 45 ?? 0F BA F3 + ?? 48 89 74 24 ?? 89 4C 24 ?? 8B 4D ?? 89 4C 24 ?? 48 8B 4D ?? 89 5D ?? 48 8B 55 ?? + 48 C1 EA ?? FF 15 ?? ?? ?? ?? 48 8B D0 48 83 F8 ?? 75 ?? FF 15 ?? ?? ?? ?? 8B C8 E8 + ?? ?? ?? ?? 48 63 0F 48 8B C1 83 E1 ?? 48 C1 F8 ?? 48 8D 0C C9 49 8B 04 C7 80 64 C8 + ?? ?? 8B 0F E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 63 0F 48 8B C1 48 C1 F8 ?? 83 E1 ?? 49 + 8B 04 C7 48 8D 0C C9 48 89 54 C8 ?? 33 C0 4C 8D 9C 24 ?? ?? ?? ?? 49 8B 5B ?? 49 8B + 73 ?? 49 8B 7B ?? 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + all of ($encrypt_files_p*) + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Vovalex.yara b/yara/ransomware/Win64.Ransomware.Vovalex.yara new file mode 100644 index 0000000..b2b313f --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Vovalex.yara 
@@ -0,0 +1,81 @@ +rule Win64_Ransomware_Vovalex : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "VOVALEX" + description = "Yara rule that detects Vovalex ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Vovalex" + tc_detection_factor = 5 + + strings: + + $encrypt_files = { + 48 8D 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B BD ?? ?? ?? ?? + 48 89 BD ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 + 89 85 ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 83 BD ?? ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 48 + 8B 9D ?? ?? ?? ?? 48 8B 53 ?? 48 8B 03 48 89 85 ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 + 8D 8D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 83 F8 ?? 75 ?? 48 8B B5 ?? + ?? ?? ?? 48 8B 56 ?? 48 8B 06 48 89 85 ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 8D 95 ?? + ?? ?? ?? 8B 8D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 8B 9D ?? ?? ?? + ?? 48 8B 53 ?? 48 8B 03 48 89 85 ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? + ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 3D ?? ?? ?? ?? 0F 87 ?? ?? ?? ?? 48 83 + EC ?? 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 9D ?? ?? ?? ?? 48 89 9D ?? ?? + ?? ?? 48 8D B5 ?? ?? ?? ?? 56 48 89 85 ?? ?? ?? ?? 48 89 9D ?? ?? ?? ?? 48 8D 15 ?? + ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? + 48 89 8D ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 9D ?? ?? ?? ?? + 48 89 9D ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 0D + ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 85 ?? ?? ?? ?? 48 89 95 ?? + ?? ?? ?? 4C 8D 8D ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8B 1D ?? + ?? ?? ?? 48 89 9D ?? ?? ?? ?? 4C 8D 85 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 89 8D ?? + ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 89 95 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? B9 ?? ?? ?? + ?? 48 83 EC ?? E8 ?? ?? 
?? ?? 48 83 C4 + } + + $find_files_p1 = { + 48 89 C6 48 8D 0D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 C1 48 83 + EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 06 48 89 56 ?? 48 8D 0D ?? ?? ?? ?? 48 83 EC + ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 C1 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 + 46 ?? 48 89 56 ?? 48 8D 0D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 + C1 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 46 ?? 48 89 56 ?? 48 8D 0D ?? ?? ?? + ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 C1 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 + C4 ?? 48 89 46 ?? 48 89 56 ?? 48 8D 0D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 + C4 ?? 48 89 C1 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 46 ?? 48 89 56 ?? 48 8D + 0D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 89 C1 48 83 EC ?? E8 ?? ?? + ?? ?? 48 83 C4 ?? 48 89 46 ?? 48 89 56 ?? 48 89 B5 ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? B8 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 89 95 ?? ?? + ?? ?? BA ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 48 + } + + $find_files_p2 = { + 89 C3 48 8B 95 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 03 48 89 53 ?? 48 8D 15 ?? ?? + ?? ?? BF ?? ?? ?? ?? 48 89 7B ?? 48 89 53 ?? 48 8D 0D ?? ?? ?? ?? B8 ?? ?? ?? ?? 48 + 89 43 ?? 48 89 4B ?? 48 89 9D ?? ?? ?? ?? 48 C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 45 31 C0 + 4C 89 85 ?? ?? ?? ?? 4C 8D A5 ?? ?? ?? ?? 49 C7 04 24 ?? ?? ?? ?? 49 8B 14 24 48 89 + 95 ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? 4C 8D AD ?? ?? ?? ?? 49 B9 ?? ?? ?? ?? ?? ?? ?? + ?? 4D 89 4D ?? 49 8B 4D ?? 48 89 8D ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? 4C 8D B5 ?? ?? + ?? ?? 4D 89 06 49 8B 16 48 8D 8D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? + 45 31 C0 41 3B C0 7E ?? 41 BF ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? 4C 8D 8D ?? ?? ?? ?? + 4D 69 D7 ?? ?? ?? ?? 4D 89 11 4C 89 D2 48 8D 8D ?? ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? + ?? 48 83 C4 ?? 45 31 C0 41 3B C0 79 ?? 4C 89 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 + C7 01 ?? ?? ?? ?? 
48 8B 01 48 89 85 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 8D 8D ?? ?? + ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? 48 83 C4 ?? 85 C0 7E ?? 48 8B 9D ?? ?? ?? ?? 48 B8 + ?? ?? ?? ?? ?? ?? ?? ?? 48 F7 EB + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($find_files_p*) + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara b/yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara new file mode 100644 index 0000000..c1c7ded --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara 
@@ -0,0 +1,91 @@ +rule Win64_Ransomware_WhiteBlackCrypt : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WHITEBLACKCRYPT" + description = "Yara rule that detects WhiteBlackCrypt ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "WhiteBlackCrypt" + tc_detection_factor = 5 + + strings: + + $find_files = { + 41 57 41 56 41 55 41 54 55 57 56 53 48 83 EC ?? 4C 8D 3D ?? ?? ?? ?? 45 31 F6 49 89 + CD E8 ?? ?? ?? ?? 48 85 C0 49 89 C4 0F 84 ?? ?? ?? ?? 4C 89 E1 E8 ?? ?? ?? ?? 48 85 + C0 0F 84 ?? ?? ?? ?? 48 8D 68 ?? 4C 89 FA 48 89 E9 E8 ?? ?? ?? ?? 85 C0 74 ?? 48 8D + 15 ?? ?? ?? ?? 48 89 E9 E8 ?? ?? ?? ?? 85 C0 74 ?? 44 89 F0 48 83 C9 ?? 48 89 EF F2 + AE 4C 89 EF 48 89 CB 48 83 C9 ?? F2 AE 48 F7 D3 48 F7 D1 01 D9 48 63 D9 48 89 D9 E8 + ?? ?? ?? ?? 48 89 D9 4C 89 EA 48 89 C6 48 89 C7 44 89 F0 F3 AA 48 89 F1 E8 ?? ?? ?? + ?? 48 8D 15 ?? ?? ?? ?? 48 89 F1 E8 ?? ?? ?? ?? 48 89 EA 48 89 F1 E8 ?? ?? ?? ?? 48 + 89 F1 E8 ?? ?? ?? ?? 48 89 F1 85 C0 74 ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 48 89 + F1 E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 4C 89 E1 48 83 C4 ?? 5B 5E 5F 5D 41 5C 41 5D 41 5E + 41 5F E9 ?? ?? ?? ?? 48 83 C4 ?? 5B 5E 5F 5D 41 5C 41 5D 41 5E 41 5F C3 + } + + $encrypt_files = { + 41 55 41 54 55 57 56 53 48 83 EC ?? 48 8D 15 ?? ?? ?? ?? 31 F6 4C 8D 2D ?? ?? ?? ?? + 48 89 CD E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 89 C3 E8 ?? ?? ?? ?? 48 89 C7 49 89 D9 41 + B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 F9 E8 ?? ?? ?? ?? 85 C0 49 89 C4 74 ?? 81 FE ?? + ?? ?? ?? 7F ?? 45 89 E0 48 89 FA 4C 89 E9 E8 ?? ?? ?? ?? 45 31 C0 89 F2 48 89 D9 E8 + ?? ?? ?? ?? 44 01 E6 4D 63 C4 48 89 F9 49 89 D9 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 45 31 + C0 89 F2 48 89 D9 E8 ?? ?? ?? ?? EB ?? 48 89 F9 48 89 EF E8 ?? ?? ?? ?? 48 89 D9 E8 + ?? ?? ?? ?? 31 C0 48 83 C9 ?? F2 AE 48 89 CE 48 F7 D6 48 89 F1 48 83 C1 ?? E8 ?? ?? + ?? ?? 48 89 EA 48 89 C1 E8 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 
48 89 C1 E8 ?? ?? ?? ?? + 48 89 E9 48 89 C2 48 83 C4 ?? 5B 5E 5F 5D 41 5C 41 5D E9 + } + + $register_service_p1 = { + 57 56 53 48 81 EC ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 31 C0 41 B9 ?? ?? ?? ?? 48 8D 94 + 24 ?? ?? ?? ?? 48 89 CB B9 ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 89 D7 F3 AB 48 8D + 44 24 ?? 48 89 54 24 ?? 48 C7 C1 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 + C7 44 24 ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 80 BC 24 ?? ?? ?? ?? ?? 48 8B 35 ?? ?? ?? + ?? 0F 85 ?? ?? ?? ?? 48 8D 9C 24 ?? ?? ?? ?? 31 C9 41 B8 ?? ?? ?? ?? 48 89 DA FF 15 + ?? ?? ?? ?? 48 8D 44 24 ?? 45 31 C0 41 B9 ?? ?? ?? ?? 48 89 44 24 ?? 48 8D 15 ?? ?? + ?? ?? 48 C7 C1 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 48 8D 05 ?? ?? ?? ?? 48 8B + 4C 24 ?? 41 B9 ?? ?? ?? ?? 45 31 C0 C7 44 24 ?? ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 + 89 44 24 ?? FF 15 ?? ?? ?? ?? 48 8B 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? + 45 31 C0 48 89 D9 FF 15 ?? ?? ?? ?? 31 C0 E9 ?? ?? ?? ?? 31 C9 FF D6 48 85 C0 79 ?? + B9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 31 C9 BA ?? ?? + ?? ?? 48 C1 E0 ?? 48 89 9C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? + ?? 48 8D 35 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? + 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 89 B4 24 ?? ?? ?? ?? 48 8D + } + + $register_service_p2 = { + 8C 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 + 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? ?? + 41 B9 ?? ?? ?? ?? 48 89 F2 48 89 1D ?? ?? ?? ?? 4C 8D 05 ?? ?? ?? ?? 48 89 5C 24 ?? + 48 8B 35 ?? ?? ?? ?? B9 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? + ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? C7 + 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? FF D6 B9 ?? ?? ?? ?? 48 89 C3 FF 15 ?? + ?? ?? ?? BA ?? ?? ?? ?? 48 89 D9 49 89 C0 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D + 54 24 ?? 48 89 C1 FF 15 ?? ?? ?? ?? B9 ?? 
?? ?? ?? 48 8B 05 ?? ?? ?? ?? 41 B9 ?? ?? + ?? ?? 4C 8B 05 ?? ?? ?? ?? 48 89 5C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? 48 C7 44 24 ?? + ?? ?? ?? ?? 48 89 44 24 ?? 8B 44 24 ?? C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? + ?? 99 F7 F9 2D ?? ?? ?? ?? 89 44 24 ?? 8B 44 24 ?? 99 F7 F9 31 C9 48 8D 15 ?? ?? ?? + ?? 2D ?? ?? ?? ?? 89 44 24 ?? FF D6 BA ?? ?? ?? ?? 48 89 D9 FF 15 ?? ?? ?? ?? 48 89 + D9 FF 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8D 5C 24 ?? 45 31 C9 45 31 C0 31 D2 48 + 89 D9 FF D6 85 C0 74 ?? 48 89 D9 FF 15 ?? ?? ?? ?? 48 89 D9 FF 15 ?? ?? ?? ?? EB ?? + 8B 84 24 ?? ?? ?? ?? 48 81 C4 ?? ?? ?? ?? 5B 5E 5F C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($register_service_p*) + ) and + ( + $find_files + ) and + ( + $encrypt_files + ) +} \ No newline at end of file diff --git a/yara/ransomware/Win64.Ransomware.Wintenzz.yara b/yara/ransomware/Win64.Ransomware.Wintenzz.yara new file mode 100644 index 0000000..cca1486 --- /dev/null +++ b/yara/ransomware/Win64.Ransomware.Wintenzz.yara 
@@ -0,0 +1,83 @@ +rule Win64_Ransomware_Wintenzz : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "WINTENZZ" + description = "Yara rule that detects Wintenzz ransomware." + + tc_detection_type = "Ransomware" + tc_detection_name = "Wintenzz" + tc_detection_factor = 5 + + strings: + + $find_files = { + 48 8D 75 ?? 41 B8 ?? ?? ?? ?? 48 89 F1 31 D2 E8 ?? ?? ?? ?? 48 89 F9 48 89 F2 E8 ?? + ?? ?? ?? 48 83 F8 ?? 0F 84 ?? ?? ?? ?? 48 89 C6 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? + ?? ?? 0F 28 85 ?? ?? ?? ?? 0F 29 85 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? E8 ?? + ?? ?? ?? 48 85 C0 0F 84 ?? ?? ?? ?? 0F 28 05 ?? ?? ?? ?? 0F 11 00 0F 28 85 ?? ?? ?? + ?? 0F 11 40 ?? 48 8B 8D ?? ?? ?? ?? 48 89 48 ?? 49 89 77 ?? 49 89 47 ?? 41 C7 47 ?? + ?? ?? ?? ?? 49 8D 4F ?? 48 8D 55 ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 B6 ?? 31 C0 + 49 89 07 48 85 DB 75 ?? EB ?? E8 ?? ?? ?? ?? 48 C1 E0 ?? 49 89 47 ?? 49 C7 47 ?? ?? + ?? ?? ?? B8 ?? ?? ?? ?? 31 F6 49 89 07 48 85 DB 74 ?? 48 01 DB 74 ?? 41 B8 ?? ?? ?? + ?? 48 89 F9 48 89 DA E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 D2 74 ?? 41 B8 ?? ?? + ?? ?? 4C 89 F1 E8 ?? ?? ?? ?? 40 84 F6 75 ?? 48 8B 8D ?? ?? ?? ?? 48 85 C9 74 ?? 48 + 8B 95 ?? ?? ?? ?? 48 85 D2 74 ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 4C 89 F8 48 81 C4 + ?? ?? ?? ?? 5B 5F 5E 41 5E 41 5F 5D C3 BA + } + + $encrypt_files_p1 = { + 4C 89 75 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D + 05 ?? ?? ?? ?? 48 89 45 ?? 48 8D 05 ?? ?? ?? ?? 48 89 45 ?? 48 C7 45 ?? ?? ?? ?? ?? + 48 C7 45 ?? ?? ?? ?? ?? 48 89 7D ?? 48 C7 45 ?? ?? ?? ?? ?? 48 8D 4D ?? 48 8D 55 ?? + E8 ?? ?? ?? ?? 0F 10 45 ?? 0F 29 45 ?? 48 8B 45 ?? 48 89 45 ?? 48 8D 4D ?? 48 8D 55 + ?? E8 ?? ?? ?? ?? 48 85 DB 74 ?? BA ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 85 C0 75 + ?? BA ?? ?? ?? ?? 48 89 D9 E8 + } + + $encrypt_files_p2 = { + 86 97 ?? ?? ?? ?? C0 74 3C ?? ?? C1 E8 ?? 28 03 00 48 ?? 
C0 74 2F ?? ?? FA 03 75 ?? + 48 8D 0D ?? ?? ?? ?? 48 39 C8 0F 84 ?? ?? ?? ?? 0F B7 08 81 F1 ?? ?? ?? ?? 0F B6 40 + ?? 83 F0 ?? 66 09 C8 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8B 55 ?? E8 ?? ?? ?? ?? 48 85 + C0 74 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 85 C0 74 ?? 48 83 FA ?? 75 ?? 48 8D 0D ?? ?? ?? + ?? 48 39 C8 0F 84 ?? ?? ?? ?? 81 38 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8B + 55 ?? E8 ?? ?? ?? ?? 48 85 C0 74 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 85 C0 74 ?? 48 83 FA + ?? 75 ?? 48 8D 0D ?? ?? ?? ?? 48 39 C8 0F 84 ?? ?? ?? ?? 0F B7 08 81 F1 ?? ?? ?? ?? + 0F B6 40 ?? 83 F0 ?? 66 09 C8 0F 84 ?? ?? ?? ?? 48 8B 4D ?? 48 8B 55 ?? E8 ?? ?? ?? + ?? 48 85 C0 74 ?? 48 89 C1 E8 ?? ?? ?? ?? 48 85 C0 74 ?? 48 83 FA ?? 75 ?? 48 8D 0D + ?? ?? ?? ?? 48 39 C8 0F 84 ?? ?? ?? ?? 0F B7 08 81 F1 ?? ?? ?? ?? 0F B6 40 ?? 83 F0 + ?? 66 09 C8 0F 84 ?? ?? ?? ?? 48 8B 4D + } + + $drop_ransom_note = { + 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 D2 74 ?? 48 8B 8D ?? ?? + ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 D2 74 ?? 48 8B 8D + ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 D2 74 ?? 48 + 8B 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 D2 74 + ?? 48 8B 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? 48 85 + D2 74 ?? 48 8B 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? ?? ?? + 48 85 D2 74 ?? 48 8B 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 95 ?? ?? + ?? ?? 48 85 D2 74 ?? 48 8B 8D ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 84 F6 + 0F 85 ?? ?? ?? ?? 48 8B 55 ?? 48 85 D2 74 ?? 41 B8 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? + E8 ?? ?? ?? ?? 48 8B 55 ?? 48 85 D2 74 ?? 41 B8 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 8B 55 + } + + condition: + uint16(0) == 0x5A4D and + ( + $find_files + ) and + ( + all of ($encrypt_files_*) + ) and + ( + $drop_ransom_note + ) +} \ No newline at end of file 
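Review bot: The condition selects the encryption strings with `all of ($encrypt_files_*)`, whereas the other Win64 ransomware rules in this commit (Seth, Solaso, Vovalex) write `all of ($encrypt_files_p*)`; in this file the two forms are equivalent because the only strings with that prefix are `$encrypt_files_p1` and `$encrypt_files_p2`, so this is a style inconsistency, not a behavioural one. If these vendored files are going to be normalized at all, `all of ($encrypt_files_p*)` would match the siblings; otherwise leave the upstream text as-is. One thing worth a quick check against the upstream file: `$encrypt_files_p2` opens with `86 97 ?? ?? ?? ?? C0 74 3C ?? ?? C1 E8 ?? 28 03 00 48 ??`, which does not obviously start on an instruction boundary the way the `48 8D`/`4C 89` openings of the other patterns do; it is probably harmless since all strings must match, but confirming the leading bytes were copied intact costs little.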
diff --git a/yara/trojan/Linux.Trojan.AcidRain.yara b/yara/trojan/Linux.Trojan.AcidRain.yara new file mode 100644 index 0000000..50c4f78 --- /dev/null +++ b/yara/trojan/Linux.Trojan.AcidRain.yara 
@@ -0,0 +1,67 @@
+rule Linux_Trojan_AcidRain : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "ACIDRAIN"
+ description = "Yara rule that detects AcidRain trojan."
+
+ tc_detection_type = "Trojan"
+ tc_detection_name = "AcidRain"
+ tc_detection_factor = 5
+
+ strings:
+
+ $destroy_files_using_ioctls = {
+ 55 89 E5 57 BF ?? ?? ?? ?? 56 53 81 EC ?? ?? ?? ?? 89 7C 24 ?? 8B 45 ?? 89 04 24 E8
+ ?? ?? ?? ?? 85 C0 89 C3 78 ?? 8D 85 ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ??
+ 8B 85 ?? ?? ?? ?? 25 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 ?? 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D
+ C3 8D 45 ?? BE ?? ?? ?? ?? 89 44 24 ?? 89 74 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 4D ??
+ 8B 55 ?? C7 45 ?? ?? ?? ?? ?? 85 C9 89 55 ?? 74 ?? 8D 75 ?? 8D B6 ?? ?? ?? ?? 8D BF
+ ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 74 24 ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? B8 ?? ??
+ ?? ?? 89 74 24 ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 45 ?? 8B 55 ?? 01 D0 39 45
+ ?? 89 45 ?? 77 ?? 81 FA ?? ?? ?? ?? BF ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 45 ?? C7 45
+ ?? ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 75 ?? EB ?? 31 C9 89 4C 24 ?? 8B 45 ?? 89
+ 1C 24 89 44 24 ?? E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 7C 24 ?? 89 1C 24 89 44 24 ?? E8
+ ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 76 ?? B8 ?? ?? ?? ?? 89 74 24
+ ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 89 74 24 ?? 89 44 24 ?? 89 1C
+ 24 E8 ?? ?? ?? ?? 80 7D ?? ?? 75 ?? A1 ?? ?? ?? ?? 89 7D ?? 89 45 ?? 8B 45 ?? 89 45
+ ?? 8D 45 ?? 89 44 24 ?? B8 ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 55 ??
+ 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 77 ?? 8D 74 26 ?? 8D BC 27 ?? ?? ?? ?? 31 FF 89 1C
+ 24 E8 ?? ?? ?? ?? 31 C0 89 44 24 ?? 89 7C 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 75 ?? C7
+ 45 ?? ?? ?? ?? ?? 85 F6 74 ?? 8D 75 ?? 8D 76 ?? B9 ?? ?? ?? ?? 89 74 24 ?? 89 4C 24
+ ?? 89 1C 24 E8 ?? ?? ?? ?? 8B 55 ?? 8B 45 ?? 01 D0 39 45 ?? 89 45 ?? 77 ?? 89 1C 24
+ E8 ?? ?? ?? ?? 89 1C 24 E8 ?? ?? ?? ?? 81 C4 ?? ?? ?? ?? 5B 5E 5F 5D C3
+ }
+
+ $destroy_files_using_overwrite = {
+ 55 89 E5 83 EC ?? 89 5D ?? 8B 5D ?? 8D 45 ?? 89 75 ?? 89 7D ?? C7 45 ?? ?? ?? ?? ??
+ C7 45 ?? ?? ?? ?? ?? 89 44 24 ?? 89 1C 24 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 5D ?? 8B 75
+ ?? 8B 7D ?? 89 EC 5D C3
+ }
+
+ $redundant_reboot_attempts = {
+ C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ??
+ ?? ?? ?? E8 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 0F
+ 84 ?? ?? ?? ?? 8D B6 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 0F
+ 84 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 8D 76 ?? 0F 84 ?? ?? ?? ?? A1 ?? ?? ?? ?? 89 04
+ 24 E8 ?? ?? ?? ?? 31 D2 83 C4 ?? 89 D0 59 5B 5E 5F 5D 8D 61 ?? C3
+ }
+
+ condition:
+ uint32(0) == 0x464C457F and
+ (
+ $destroy_files_using_ioctls
+ ) and
+ (
+ $destroy_files_using_overwrite
+ ) and
+ (
+ $redundant_reboot_attempts
+ )
+}
\ No newline at end of file
diff --git a/yara/trojan/Linux.Trojan.BiBiWiper.yara b/yara/trojan/Linux.Trojan.BiBiWiper.yara
new file mode 100644
index 0000000..6119204
--- /dev/null
+++ b/yara/trojan/Linux.Trojan.BiBiWiper.yara
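Review bot: The description "Yara rule that detects AcidRain trojan." overstates the rule's scope: all three byte patterns are x86-32 code (the `55 89 E5` prologue and `5B 5E 5F 5D C3` epilogue), while the condition only checks the ELF magic (`uint32(0) == 0x464C457F`), so a build of the same family for another architecture would not be matched; `description = "Yara rule that detects the x86 build of AcidRain trojan."` states what the rule actually covers. The same applies to Linux.Trojan.BiBiWiper and Win32.Trojan.BiBiWiper in this commit, whose patterns are x86-64 (REX-prefixed `48 89 …`, `41 B8 …`) — if the repository keeps separate Win32 and Win64 rule files, the Win32 name on BiBiWiper is misleading and worth noting in its description. Every rule file added here also ends without a trailing newline (`\ No newline at end of file` after the closing `}`), which yara accepts but which should be fixed if any tooling concatenates these files into one ruleset.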
@@ -0,0 +1,76 @@ +rule Linux_Trojan_BiBiWiper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BIBIWIPER" + description = "Yara rule that detects BiBiWiper trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "BiBiWiper" + tc_detection_factor = 5 + + strings: + + $destroy_files_p1 = { + 55 48 89 E5 53 48 81 EC ?? ?? ?? ?? 48 89 BD ?? ?? ?? ?? 48 89 B5 ?? ?? ?? ?? 48 89 + 95 ?? ?? ?? ?? 48 89 8D ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? 44 89 8D ?? ?? ?? ?? 48 8B + 05 ?? ?? ?? ?? 48 83 C0 ?? 48 89 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 BA ?? ?? ?? + ?? ?? ?? ?? ?? 48 89 C8 48 F7 EA 48 89 D0 48 C1 F8 ?? 48 89 CA 48 C1 FA ?? 48 29 D0 + 48 69 D0 ?? ?? ?? ?? 48 89 C8 48 29 D0 48 85 C0 0F 94 C0 84 C0 74 ?? E8 ?? ?? ?? ?? + 48 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 89 + D6 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? + ?? 48 8D 85 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 CE 48 89 C7 + E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 48 89 + CE 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? + ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D + 8D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? + 48 8D 8D ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 CE 48 89 C7 E8 ?? ?? + ?? ?? 48 8D 95 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 D6 48 89 C7 E8 ?? ?? ?? ?? 48 + 89 C3 48 8D 8D ?? ?? ?? ?? 48 8D 45 ?? BA ?? ?? ?? ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? + ?? 48 8D 45 ?? 48 89 DE 48 89 C7 E8 ?? ?? ?? ?? 48 8D 45 ?? 48 89 C7 E8 + } + + $destroy_files_p2 = { + 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? + ?? ?? 48 8B 85 ?? ?? ?? ?? 48 C1 E0 ?? 48 89 45 ?? 48 8B B5 ?? ?? ?? ?? 48 8B 85 ?? + ?? ?? 
?? BA ?? ?? ?? ?? 48 F7 F6 48 8B 55 ?? 48 29 D0 48 89 45 ?? 83 BD ?? ?? ?? ?? + ?? 7E ?? 8B 85 ?? ?? ?? ?? 83 E8 ?? 48 98 48 0F AF 45 ?? BA ?? ?? ?? ?? 48 F7 B5 ?? + ?? ?? ?? 48 89 D0 48 89 C1 48 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 89 CE 48 89 C7 E8 + ?? ?? ?? ?? EB ?? 48 8B 85 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? 48 89 C7 E8 ?? + ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 45 ?? 48 39 + 85 ?? ?? ?? ?? 73 ?? BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 55 ?? 48 8B 85 ?? ?? ?? ?? + 48 29 D0 48 89 45 ?? 48 8B 45 ?? 48 89 45 ?? 48 8D 55 ?? 48 8D 45 ?? 48 89 D6 48 89 + C7 E8 ?? ?? ?? ?? 48 8B 00 48 89 45 ?? 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 + ?? 48 8B 45 ?? 89 C2 48 8D 85 ?? ?? ?? ?? 89 D6 48 89 C7 E8 ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? E9 ?? ?? ?? ?? 48 8B 5D ?? 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 + } + + $destroy_files_p3 = { + 89 C7 48 8B 85 ?? ?? ?? ?? 48 89 C1 BA ?? ?? ?? ?? 48 89 DE E8 ?? ?? ?? ?? 48 8B 85 + ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 45 ?? 48 8B 55 ?? 48 8B 45 ?? 48 01 C2 48 + 8B 45 ?? 48 01 D0 48 39 85 ?? ?? ?? ?? 73 ?? 48 8B 55 ?? 48 8B 85 ?? ?? ?? ?? 48 29 + D0 48 8B 55 ?? 48 29 D0 48 89 45 ?? 48 83 7D ?? ?? 7E ?? 48 8B 4D ?? 48 8B 85 ?? ?? + ?? ?? BA ?? ?? ?? ?? 48 89 CE 48 89 C7 E8 ?? ?? ?? ?? 83 45 ?? ?? 8B 45 ?? 48 98 48 + 39 85 ?? ?? ?? ?? 0F 8F ?? ?? ?? ?? EB ?? 90 48 8B 45 ?? 48 89 C7 E8 ?? ?? ?? ?? 48 + 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? BB ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 + C7 E8 ?? ?? ?? ?? 83 FB ?? E9 ?? ?? ?? ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 + ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? 48 89 + C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 D8 48 89 C7 E8 ?? ?? ?? ?? 48 + 89 C3 48 8D 45 ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 + C7 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? + 48 89 C3 48 8D 85 ?? ?? ?? ?? 48 89 C7 E8 ?? ?? ?? ?? EB ?? 48 89 C3 48 8D 85 ?? ?? 
+ ?? ?? 48 89 C7 E8 ?? ?? ?? ?? 48 89 D8 48 89 C7 E8 ?? ?? ?? ?? 48 8B 5D ?? C9 C3 + } + + condition: + uint32(0) == 0x464C457F and + ( + all of ($destroy_files_p*) + ) +} \ No newline at end of file diff --git a/yara/trojan/Win32.Trojan.BiBiWiper.yara b/yara/trojan/Win32.Trojan.BiBiWiper.yara new file mode 100644 index 0000000..5df18d2 --- /dev/null +++ b/yara/trojan/Win32.Trojan.BiBiWiper.yara 
@@ -0,0 +1,102 @@ +rule Win32_Trojan_BiBiWiper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "BIBIWIPER" + description = "Yara rule that detects BiBiWiper trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "BiBiWiper" + tc_detection_factor = 5 + + strings: + + $delete_shadow_copies_p1 = { + 48 89 5C 24 ?? 55 48 8D 6C 24 ?? 48 81 EC ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 33 C4 + 48 89 45 ?? 33 DB 48 C7 44 24 ?? ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 89 5C 24 ?? 48 + 8D 4C 24 ?? 48 89 5C 24 ?? 44 8D 43 ?? E8 ?? ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 + ?? 48 8B 54 24 ?? 48 0F 43 4C 24 ?? 48 03 D1 48 8D 4C 24 ?? 48 83 7C 24 ?? ?? 48 0F + 43 4C 24 ?? E8 ?? ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 ?? 48 8D 55 ?? 48 0F 43 4C + 24 ?? 48 2B D1 0F B6 01 88 04 0A 48 8D 49 ?? 84 C0 75 ?? 0F 57 C0 C7 44 24 ?? ?? ?? + ?? ?? 48 8D 45 ?? 45 33 C9 48 89 44 24 ?? 48 8D 55 ?? 48 8D 44 24 ?? 45 33 C0 48 89 + 44 24 ?? 33 C9 48 89 5C 24 ?? 48 89 5C 24 ?? 0F 11 45 ?? C7 44 24 ?? ?? ?? ?? ?? 89 + 5C 24 ?? 0F 11 44 24 ?? 66 89 5D ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? + FF 15 ?? ?? ?? ?? 48 8B 54 24 ?? 48 83 FA ?? 72 ?? 48 8B 4C 24 ?? 48 FF C2 48 8B C1 + 48 81 FA ?? ?? ?? ?? 72 ?? 48 8B 49 ?? 48 83 C2 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? + 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 5C 24 ?? 48 8D 15 ?? ?? ?? + ?? 48 89 5C 24 ?? 48 8D 4C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 7C + 24 ?? ?? 48 8D 4C 24 ?? 48 8B 54 24 ?? 48 0F 43 4C 24 ?? 48 03 D1 48 8D 4C 24 ?? 48 + 83 7C 24 ?? ?? 48 0F 43 4C 24 ?? E8 ?? ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 ?? 48 + 8D 55 ?? 48 0F 43 4C 24 ?? 48 2B D1 0F B6 01 88 04 0A 48 8D 49 ?? 84 C0 75 ?? 0F 57 + C0 C7 44 24 ?? ?? ?? ?? ?? 48 8D 45 ?? 45 33 C9 48 89 44 24 ?? 48 8D 55 ?? 48 8D 44 + 24 ?? 45 33 C0 48 89 44 24 ?? 33 C9 48 89 5C 24 ?? 48 89 5C 24 ?? 0F 11 45 ?? C7 44 + 24 ?? ?? ?? ?? ?? 
89 5C 24 ?? 0F 11 44 24 ?? 66 89 5D ?? 0F 11 45 ?? 0F 11 45 ?? 0F + } + + $delete_shadow_copies_p2 = { + 11 45 ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 48 8B 54 24 ?? 48 83 FA ?? 72 ?? 48 8B 4C 24 + ?? 48 FF C2 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 8B 49 ?? 48 83 C2 ?? 48 2B C1 48 + 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 B8 ?? ?? ?? ?? 48 89 5C 24 + ?? 48 8D 15 ?? ?? ?? ?? 48 89 5C 24 ?? 48 8D 4C 24 ?? 48 C7 44 24 ?? ?? ?? ?? ?? E8 + ?? ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 ?? 48 8B 54 24 ?? 48 0F 43 4C 24 ?? 48 03 + D1 48 8D 4C 24 ?? 48 83 7C 24 ?? ?? 48 0F 43 4C 24 ?? E8 ?? ?? ?? ?? 48 83 7C 24 ?? + ?? 48 8D 4C 24 ?? 48 8D 55 ?? 48 0F 43 4C 24 ?? 48 2B D1 90 0F B6 01 88 04 0A 48 8D + 49 ?? 84 C0 75 ?? 0F 57 C0 C7 44 24 ?? ?? ?? ?? ?? 48 8D 45 ?? 45 33 C9 48 89 44 24 + ?? 48 8D 55 ?? 48 8D 44 24 ?? 45 33 C0 48 89 44 24 ?? 33 C9 48 89 5C 24 ?? 48 89 5C + 24 ?? 0F 11 45 ?? C7 44 24 ?? ?? ?? ?? ?? 89 5C 24 ?? 0F 11 44 24 ?? 66 89 5D ?? 0F + 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 48 8B 54 24 ?? 48 83 + FA ?? 72 ?? 48 8B 4C 24 ?? 48 FF C2 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 8B 49 ?? + 48 83 C2 ?? 48 2B C1 48 83 C0 ?? 48 83 F8 ?? 0F 87 ?? ?? ?? ?? E8 ?? ?? ?? ?? 41 B8 + ?? ?? ?? ?? 48 89 5C 24 ?? 48 8D 15 ?? ?? ?? ?? 48 89 5C 24 ?? 48 8D 4C 24 ?? 48 C7 + 44 24 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 ?? 48 8B 54 24 ?? + 48 0F 43 4C 24 ?? 48 03 D1 48 8D 4C 24 ?? 48 83 7C 24 ?? ?? 48 0F 43 4C 24 ?? E8 ?? + ?? ?? ?? 48 83 7C 24 ?? ?? 48 8D 4C 24 ?? 48 8D 55 ?? 48 0F 43 4C 24 ?? 48 2B D1 90 + 0F B6 01 88 04 0A 48 8D 49 ?? 84 C0 75 ?? 0F 57 C0 C7 44 24 ?? ?? ?? ?? ?? 48 8D 45 + ?? 45 33 C9 48 89 44 24 ?? 48 8D 55 ?? 48 8D 44 24 ?? 45 33 C0 48 89 44 24 ?? 33 C9 + 48 89 5C 24 ?? 48 89 5C 24 ?? 0F 11 45 ?? C7 44 24 ?? ?? ?? ?? ?? 89 5C 24 + } + + $destroy_files_p1 = { + 48 89 5C 24 ?? 55 56 57 41 54 41 55 41 56 41 57 48 83 EC ?? 48 8B 05 ?? ?? ?? ?? 48 + 33 C4 48 89 44 24 ?? 4D 8B E9 4D 8B E0 4C 8B F9 48 63 BC 24 ?? ?? 
?? ?? 33 F6 89 74 + 24 ?? 48 8B 05 ?? ?? ?? ?? 48 FF C0 48 89 05 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? 48 B8 + ?? ?? ?? ?? ?? ?? ?? ?? 48 F7 E9 48 C1 FA ?? 48 8B C2 48 C1 E8 ?? 48 03 D0 48 69 C2 + ?? ?? ?? ?? 48 3B C8 75 ?? 4C 8B 05 ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8D 0D ?? ?? + ?? ?? E8 ?? ?? ?? ?? 48 8B 9C 24 ?? ?? ?? ?? 48 C1 E3 ?? 33 D2 49 8B C4 49 F7 F5 48 + 8B E8 48 2B EB 83 FF ?? 7E ?? 48 8D 47 ?? 48 0F AF C3 33 D2 49 F7 F4 EB ?? 48 8B D6 + 45 33 C0 49 8B CF E8 ?? ?? ?? ?? 49 8B CF E8 ?? ?? ?? ?? 48 63 C8 49 3B CC 0F 87 ?? + ?? ?? ?? 49 8B C4 48 2B C1 49 8B FC 48 2B F9 48 3B D8 48 0F 42 FB 48 8B CF E8 ?? ?? + ?? ?? 48 89 44 24 ?? 0F 57 C0 4C 63 F7 F3 0F 7F 44 24 ?? 48 89 74 24 ?? 85 FF 74 ?? + 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 4C 3B F0 0F 87 ?? ?? ?? ?? 49 81 FE ?? ?? ?? ?? 72 + } + + $destroy_files_p2 = { + 49 8D 4E ?? 49 3B CE 0F 86 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B C8 48 85 C0 0F 84 ?? ?? + ?? ?? 48 83 C0 ?? 48 83 E0 ?? 48 89 48 ?? EB ?? 49 8B CE E8 ?? ?? ?? ?? 48 89 44 24 + ?? 4A 8D 1C 30 48 89 5C 24 ?? 4D 8B C6 33 D2 48 8B C8 E8 ?? ?? ?? ?? 48 89 5C 24 ?? + C7 44 24 ?? ?? ?? ?? ?? 85 FF 7E ?? 48 8B DE 44 8B F7 66 0F 1F 44 00 ?? BA ?? ?? ?? + ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 88 04 0B 48 8D 5B ?? 49 83 EE ?? 75 ?? 4D 85 ED 7E + ?? 4D 8B CF 41 B8 ?? ?? ?? ?? 48 8B D7 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 49 8B CF E8 ?? + ?? ?? ?? 48 63 C8 48 8D 04 29 48 03 C7 49 3B C4 76 ?? 49 8B FC 48 2B F9 48 2B FD 48 + 85 FF 7E ?? 41 B8 ?? ?? ?? ?? 48 8B D5 49 8B CF E8 ?? ?? ?? ?? FF C6 48 63 C6 49 3B + C5 7C ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 90 48 8B 4C 24 ?? 48 85 C9 74 ?? 48 8B 54 24 + ?? 48 2B D1 48 8B C1 48 81 FA ?? ?? ?? ?? 72 ?? 48 83 C2 ?? 48 8B 49 ?? 48 2B C1 48 + 83 C0 ?? 48 83 F8 ?? 77 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? ?? 48 + 8B 9C 24 ?? ?? ?? ?? 48 83 C4 ?? 41 5F 41 5E 41 5D 41 5C 5F 5E 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + all of ($delete_shadow_copies_p*) + ) and + ( + all of ($destroy_files_p*) + ) +} \ No newline at end of file 
diff --git a/yara/trojan/Win32.Trojan.CaddyWiper.yara b/yara/trojan/Win32.Trojan.CaddyWiper.yara
new file mode 100644
index 0000000..cafca05
--- /dev/null
+++ b/yara/trojan/Win32.Trojan.CaddyWiper.yara
@@ -0,0 +1,95 @@ +rule Win32_Trojan_CaddyWiper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CADDYWIPER" + description = "Yara rule that detects CaddyWiper trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "CaddyWiper" + tc_detection_factor = 5 + + strings: + + $destroy_if_not_controller = { + 50 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 4D ?? 83 39 ?? 75 ?? EB ?? 8D 55 ?? 52 FF 55 ?? + C6 45 ?? 43 C6 45 ?? 3A C6 45 ?? 5C C6 45 ?? 55 C6 45 ?? 73 C6 45 ?? 65 C6 45 ?? 72 + C6 45 ?? 73 C6 45 ?? 00 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? C6 45 ?? ?? C6 45 ?? ?? + C6 45 ?? ?? C6 45 ?? ?? C7 45 ?? ?? ?? ?? ?? EB ?? 8B 4D ?? 83 C1 ?? 89 4D ?? 83 7D + ?? ?? 73 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8A 45 ?? 04 ?? 88 45 ?? EB ?? E8 ?? + ?? ?? ?? 8B E5 5D C3 + } + + $erase_drive_data = { + C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 8D 4D ?? 89 8D ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? + 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 89 45 ?? 83 + 7D ?? ?? 74 ?? 6A ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D ?? ?? ?? + ?? 51 68 ?? ?? ?? ?? 8B 55 ?? 52 FF 55 ?? 8B 45 ?? 50 FF 55 ?? 8A 4D ?? 88 4D ?? 8A + 55 ?? 80 EA ?? 88 55 ?? 8B 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 E9 ?? 89 8D ?? ?? ?? + ?? 85 C0 0F 85 ?? ?? ?? ?? 8B E5 5D C3 + } + + $erase_drives_recursively_1 = { + 55 8B EC 81 EC ?? ?? ?? ?? C7 85 ?? ?? ?? ?? FF FF FF FF C6 85 ?? ?? ?? ?? 2A C6 85 + ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 5C C6 85 ?? ?? ?? ?? 00 8D 85 ?? ?? ?? ?? 50 8B 4D + ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? + ?? ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? C7 85 ?? ?? ?? ?? 00 00 00 00 + C6 85 ?? ?? ?? ?? 46 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 64 + C6 85 ?? ?? ?? ?? 46 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 73 + C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 46 C6 85 ?? 
?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6C + C6 85 ?? ?? ?? ?? 65 C6 85 ?? ?? ?? ?? 41 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6B + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 65 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 72 + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 65 + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 33 + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 32 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 2E + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C + C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 6C C6 85 ?? ?? ?? ?? 00 C6 85 ?? ?? ?? ?? 00 + C6 85 ?? ?? ?? ?? 00 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 E8 + } + + $erase_drives_recursively_2_p1 = { + 8D 45 ?? 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 89 85 ?? ?? ?? ?? 8D 95 ?? + ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? + ?? ?? 75 ?? E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 83 E1 ?? 0F 84 ?? ?? ?? ?? 0F BE 95 ?? + ?? ?? ?? 83 FA ?? 75 ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 0F BE 8D ?? ?? ?? ?? 83 F9 + ?? 75 ?? E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 83 E2 ?? 75 ?? 8B 85 ?? ?? ?? ?? 83 E0 ?? + 74 ?? E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? + ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? + ?? ?? ?? 83 C4 ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 ?? 8D 95 ?? ?? ?? ?? 52 + E8 ?? ?? ?? ?? 83 C4 ?? E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 8D 95 ?? ?? + ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 8D 95 ?? + ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 + } + + $erase_drives_recursively_2_p2 = { + C0 75 ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 8D + ?? ?? ?? ?? 51 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 75 ?? E9 ?? + ?? ?? ?? 6A ?? 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? + ?? 
?? ?? 73 ?? E9 ?? ?? ?? ?? 81 BD ?? ?? ?? ?? ?? ?? ?? ?? 76 ?? C7 85 ?? ?? ?? ?? + ?? ?? ?? ?? C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 6A ?? FF 95 ?? ?? ?? + ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 + ?? 6A ?? 6A ?? 6A ?? 8B 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 6A ?? 8D 8D ?? ?? ?? ?? + 51 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 95 ?? ?? ?? ?? + 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 55 ?? 8D 8D ?? ?? ?? + ?? 51 8B 95 ?? ?? ?? ?? 52 FF 95 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? + ?? 50 FF 95 ?? ?? ?? ?? 8B E5 5D C3 + } + + condition: + uint16(0) == 0x5A4D and + ( + $destroy_if_not_controller + ) and + ( + $erase_drive_data + ) and + ( + all of ($erase_drives_recursively_*) + ) +} \ No newline at end of file diff --git a/yara/trojan/Win32.Trojan.Dridex.yara b/yara/trojan/Win32.Trojan.Dridex.yara new file mode 100644 index 0000000..be64558 --- /dev/null +++ b/yara/trojan/Win32.Trojan.Dridex.yara 
@@ -0,0 +1,80 @@
+rule Win32_Trojan_Dridex : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "DRIDEX"
+ description = "Yara rule that detects Dridex trojan."
+
+ tc_detection_type = "Trojan"
+ tc_detection_name = "Dridex"
+ tc_detection_factor = 5
+
+ strings:
+
+ $resolve_api_wrapper_1 = {
+ 56 57 8B FA 8B F1 8B CF E8 ?? ?? ?? ?? 85 C0 75 ?? 81 FE ?? ?? ?? ?? 75 ?? 33 C0 5F
+ 5E C3 8B CE E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 8B CE E8 ??
+ ?? ?? ?? 85 C0 74 ?? 8B D7 ?? ?? ?? ?? E9
+ }
+
+ $resolve_api_wrapper_2 = {
+ 57 53 8B FA 8B D9 8B CF E8 ?? ?? ?? ?? 85 C0 75 ?? 81 FB ?? ?? ?? ?? 74 ?? 8B CB E8
+ ?? ?? ?? ?? 85 C0 74 ?? 8B C8 8B D7 E8 ?? ?? ?? ?? 5B 5F C3 8B CB E8 ?? ?? ?? ?? 84
+ C0 74 ?? 8B CB E8 ?? ?? ?? ?? 85 C0 75 ?? 33 C0 EB
+ }
+
+ $resolve_api_wrapper_3 = {
+ 55 8B EC 57 8B 7D ?? 57 E8 ?? ?? ?? ?? 85 C0 75 ?? 56 8B 75 ?? 81 FE ?? ?? ?? ?? 74
+ ?? 56 E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 56 E8 ?? ?? ?? ??
+ 85 C0 75 ?? 5E 33 C0 5F 5D C2 ?? ?? 57 50 E8 ?? ?? ?? ?? 5E 5F 5D C2
+ }
+
+ $resolve_api_wrapper_4 = {
+ 55 8B EC FF 75 ?? E8 ?? ?? ?? ?? 85 C0 75 ?? 56 8B 75 ?? 81 FE ?? ?? ?? ?? 74 ?? 56
+ E8 ?? ?? ?? ?? 85 C0 75 ?? 8B CE E8 ?? ?? ?? ?? 84 C0 74 ?? 56 E8 ?? ?? ?? ?? 85 C0
+ 74 ?? 5E 89 45 ?? 5D E9
+ }
+
+ $find_first_file_snippet_1 = {
+ 53 56 8B F1 57 33 DB 32 C9 89 5E ?? 33 FF E8 ?? ?? ?? ?? 83 38 ?? 7C ?? [4-6] BA ??
+ ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 4E ?? 57 6A ?? 6A ?? 8D 56 ??
+ 52 53 51 FF D0
+ }
+
+ $find_first_file_snippet_2 = {
+ 57 53 55 8B E9 33 C9 C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ??
+ ?? 8B 18 E8 ?? ?? ?? ?? 8B C8 85 C9 74 ?? 33 D2 83 FB ?? 6A ?? 5B 8D 7D ?? 0F 4C DA
+ 8B C2 53 52 52 57 0F 9D C0 50 FF 75 ?? FF D1
+ }
+
+ $find_first_file_snippet_3 = {
+ 53 56 8B F1 33 DB 57 32 C9 89 5E ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B
+ 38 E8 ?? ?? ?? ?? 8B D0 85 D2 74 ?? 6A ?? 33 C0 83 FF ?? 59 0F 4C C8 8D 46 ?? 51 53
+ 53 50 33 C0 83 FF ?? 0F 9D C0 50 FF 76 ?? FF D2
+ }
+
+ $find_first_file_snippet_4 = {
+ 53 56 8B F1 57 33 DB 32 C9 89 5E ?? 33 FF E8 ?? ?? ?? ?? 83 38 ?? 7C ?? 8D 7B ?? 8D
+ 5F ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 8B 4E ?? 57 6A ?? 6A
+ ?? 8D 56 ?? 52 53 51 CC C3
+ }
+
+ $find_first_file_snippet_5 = {
+ 56 8B F1 32 C9 57 C7 46 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ??
+ 8B 38 E8 ?? ?? ?? ?? 8B D0 85 D2 74 ?? 33 C0 B9 ?? ?? ?? ?? 83 FF ?? 0F 4C C8 51 50
+ 50 8D 46 ?? 50 33 C0 83 FF ?? 0F 9D C0 50 FF 76 ?? FF D2
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (
+ any of ($resolve_api_wrapper_*) and
+ any of ($find_first_file_snippet_*)
+ )
+}
\ No newline at end of file
diff --git a/yara/trojan/Win32.Trojan.Emotet.yara b/yara/trojan/Win32.Trojan.Emotet.yara
new file mode 100644
index 0000000..341a2a9
--- /dev/null
+++ b/yara/trojan/Win32.Trojan.Emotet.yara
@@ -0,0 +1,182 @@ +rule Win32_Trojan_Emotet : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "EMOTET" + description = "Yara rule that detects Emotet trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "Emotet" + tc_detection_factor = 5 + + strings: + + $decrypt_resource_v1 = { + 55 8B EC 83 EC ?? 53 8B D9 8B C2 56 57 89 45 ?? 8B 3B 33 F8 8B C7 89 7D ?? 83 E0 ?? + 75 ?? 8D 77 ?? EB ?? 8B F7 2B F0 83 C6 ?? 8D 0C 36 E8 ?? ?? ?? ?? 8B D0 89 55 ?? 85 + D2 74 ?? 83 65 ?? ?? 8D 43 ?? 83 65 ?? ?? C1 EE ?? 8D 0C B0 8B F2 8B D9 2B D8 83 C3 + ?? C1 EB ?? 3B C1 0F 47 5D ?? 85 DB 74 ?? 8B 55 ?? 8B F8 8B 0F 8D 7F ?? 33 CA 0F B6 + C1 66 89 06 8B C1 C1 E8 ?? 8D 76 ?? 0F B6 C0 66 89 46 ?? C1 E9 ?? 0F B6 C1 66 89 46 + ?? C1 E9 ?? 0F B6 C1 66 89 46 ?? 8B 45 ?? 40 89 45 ?? 3B C3 72 ?? 8B 7D ?? 8B 55 ?? + 33 C0 66 89 04 7A 5F 5E 8B C2 5B 8B E5 5D C3 + } + + $generate_filename_v1 = { + 56 57 33 C0 BF ?? ?? ?? ?? 57 50 50 6A ?? 50 FF 15 ?? ?? ?? ?? BA ?? ?? ?? ?? B9 ?? + ?? ?? ?? E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 57 8B F0 56 68 ?? ?? ?? ?? 57 FF 15 ?? ?? ?? + ?? 83 C4 ?? 8B CE 5F 5E E9 + } + + $decrypt_resource_v2 = { + 55 8B EC 83 EC ?? 8B 41 ?? 8B 11 33 C2 53 56 8D 71 ?? 89 55 ?? 8D 58 ?? 89 45 ?? 83 + C6 ?? F6 C3 ?? 74 ?? 83 E3 ?? 83 C3 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? + 8B C8 E8 ?? ?? ?? ?? FF D0 8D 14 1B B9 ?? ?? ?? ?? 52 6A ?? 50 E8 ?? ?? ?? ?? BA ?? + ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? FF D0 89 45 ?? 85 C0 74 ?? C1 EB ?? 8B C8 57 33 C0 8D + 14 9E 33 DB 8B FA 2B FE 83 C7 ?? C1 EF ?? 3B F2 0F 47 F8 85 FF 74 ?? 8B 16 8D 49 ?? + 33 55 ?? 8D 76 ?? 0F B6 C2 43 66 89 41 ?? 8B C2 C1 E8 ?? 0F B6 C0 66 89 41 ?? C1 EA + ?? 0F B6 C2 66 89 41 ?? C1 EA ?? 0F B6 C2 66 89 41 ?? 3B DF 72 ?? 8B 45 ?? 33 D2 8B + 4D ?? 5F 66 89 14 41 8B C1 5E 5B 8B E5 5D C3 + } + + $generate_filename_v2 = { + 55 8B EC 81 EC ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 6A ?? 6A ?? 
51 6A ?? B9 ?? ?? ?? ?? + E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? FF D0 85 C0 0F 88 ?? ?? ?? ?? 56 + B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 8B F0 8D 85 ?? ?? ?? ?? 8D [1-5] 51 + 51 50 56 8D [1-5] 68 ?? ?? ?? ?? 51 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B + C8 E8 ?? ?? ?? ?? FF D0 83 C4 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 + E8 ?? ?? ?? ?? FF D0 56 6A ?? 50 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 + E8 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 5E 8B E5 5D C3 33 C0 8B E5 5D C3 + } + + $decrypt_resource_v3 = { + 56 8B F1 BA [6-9] B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF D0 56 6A ?? 50 68 ?? ?? ?? ?? + BA ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 FF D0 5E C3 + } + + $generate_filename_v3 = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8B F1 8B FA 6A ?? 8D 4D ?? E8 ?? ?? ?? ?? BB ?? + ?? ?? ?? 8D 8D ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 53 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 + C4 ?? 8D 85 ?? ?? ?? ?? BB ?? ?? ?? ?? 8B D3 56 50 BE ?? ?? ?? ?? [2-5] 8B CE E8 ?? + ?? ?? ?? 59 FF D0 57 8D 85 ?? ?? ?? ?? 8B D3 50 [2-5] 8B CE E8 ?? ?? ?? ?? 59 FF D0 + 8D 85 ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 89 45 ?? BA ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? B9 + ?? ?? ?? ?? 89 45 ?? B8 ?? ?? ?? ?? 66 89 45 ?? 8D 45 ?? 50 68 ?? ?? ?? ?? E8 ?? ?? + ?? ?? 59 FF D0 F7 D8 5F 1B C0 5E 40 5B 8B E5 5D C3 + } + + $decrypt_resource_v4 = { + 56 57 8B FA E8 ?? ?? ?? ?? 8B F0 A1 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? E8 ?? ?? + ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 56 FF D0 8B 0D ?? ?? ?? ?? + 89 44 B9 ?? A1 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? + 8B C8 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF D0 8B F8 A1 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? + ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 56 6A ?? 57 + FF D0 5F 5E C3 + } + + $generate_filename_snippet_v4 = { + A1 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? + ?? ?? ?? A3 ?? ?? ?? ?? 56 53 FF D0 A1 ?? ?? ?? ?? 85 C0 75 ?? B9 ?? ?? ?? ?? 
E8 ?? + ?? ?? ?? BA ?? ?? ?? ?? 8B C8 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 56 FF D0 5F 5E 33 C9 8D + 04 43 66 89 08 5D 5B 59 C3 + } + + $decrypt_resource_snippet_v5 = { + C1 EE ?? 33 C0 55 33 ED 8B D3 8D 0C B7 8B F1 2B F7 83 C6 ?? C1 EE ?? 3B F9 0F 47 F0 + 85 F6 74 ?? 8B 5C 24 ?? 8B 0F 8D 7F ?? 33 CB 0F B6 C1 66 89 02 8B C1 C1 E8 ?? 8D 52 + ?? 0F B6 C0 66 89 42 ?? C1 E9 ?? 0F B6 C1 C1 E9 ?? 45 66 89 42 ?? 0F B6 C1 66 89 42 + ?? 3B EE 72 ?? 8B 5C 24 ?? 8B 44 24 ?? 33 C9 5D 66 89 0C 43 5F 5E 8B C3 5B 83 C4 ?? + C3 + } + + $decrypt_resource_snippet_v6 = { + C1 EE ?? 33 C0 55 33 ED 8B D3 8D 0C B7 8B F1 2B F7 83 C6 ?? C1 EE ?? 3B F9 0F 47 F0 + 85 F6 74 ?? 8B 5C 24 ?? 8B 0F 8D 7F ?? 33 CB 88 0A 8B C1 C1 E8 ?? 8D 52 ?? C1 E9 ?? + 88 42 ?? 88 4A ?? C1 E9 ?? 45 88 4A ?? 3B EE 72 ?? 8B 5C 24 ?? 8B 44 24 ?? 5D C6 04 + 03 ?? 5F 5E 8B C3 5B 83 C4 ?? C3 + } + + $liblzf_decompression_1 = { + 83 EC ?? 8B 44 24 ?? 53 55 8D 2C 11 89 4C 24 ?? 8B 54 24 ?? 33 DB 03 C2 89 6C 24 ?? + 56 89 44 24 ?? 0F B6 41 ?? 8D 72 ?? 0F B6 11 C1 E2 ?? 0B D0 8D 45 ?? 89 44 24 ?? 57 + 8B F9 3B C8 0F 83 ?? ?? ?? ?? 0F B6 47 ?? C1 E2 ?? 0B D0 6B C2 ?? 8B CA C1 E9 ?? 33 + CA 89 54 24 ?? 8B 54 24 ?? C1 E9 ?? 2B C8 8B 44 24 ?? 81 E1 ?? ?? ?? ?? 8B 2C 88 8B + C7 2B 44 24 ?? 03 6C 24 ?? 89 04 8A 8B C7 8B 54 24 ?? 2B C5 48 89 44 24 ?? 3D ?? ?? + ?? ?? 0F 8D ?? ?? ?? ?? 3B EA 0F 86 ?? ?? ?? ?? 8A 45 ?? 3A 47 ?? 0F 85 ?? ?? ?? ?? + 0F B6 55 ?? 8D 4F ?? 0F B6 45 ?? 89 4C 24 ?? 0F B6 09 C1 E2 ?? 0B D0 C1 E1 ?? 0F B6 + 07 0B C8 3B D1 0F 85 ?? ?? ?? ?? 8B 44 24 ?? B9 ?? ?? ?? ?? 2B C7 3B C1 6A ?? 0F 47 + C1 89 44 24 ?? 8D 46 ?? 5A 3B 44 24 ?? 72 ?? 33 C9 8B C6 85 DB 0F 94 C1 2B C1 83 C0 + ?? 3B 44 24 ?? 0F 83 ?? ?? ?? ?? 8B C6 8D 4B ?? 2B C3 88 48 ?? 33 C0 85 DB 8B 5C 24 + ?? 0F 94 C0 2B F0 83 FB ?? 0F 86 ?? ?? ?? ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 0F 85 ?? ?? + ?? ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 0F 85 ?? ?? ?? ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 0F 85 + ?? ?? ?? ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 0F 85 ?? ?? ?? ?? 8A 45 ?? 6A ?? 
5A 3A 47 + } + + $liblzf_decompression_2 = { + 0F 85 ?? ?? ?? ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 0F 85 ?? ?? ?? ?? 8A 45 ?? 6A ?? 5A 3A + 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 + ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 + ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? + 6A ?? 5A 3A 47 ?? 75 ?? 8A 45 ?? 6A ?? 5A 3A 47 ?? 75 ?? 8D 0C 3A 2B EF 42 41 3B D3 + 73 ?? 8A 04 29 3A 01 74 ?? 8B 5C 24 ?? 83 EA ?? 83 FA ?? 73 ?? 8B CB 8A C2 C1 F9 ?? + C0 E0 ?? 02 C8 88 0E 46 EB ?? 8B C3 C1 F8 ?? 2C ?? 88 06 8D 42 ?? 88 46 ?? 83 C6 ?? + 8B 7C 24 ?? 8B 44 24 ?? 47 88 1E 03 FA 33 DB 83 C6 ?? 3B F8 72 ?? 8B 6C 24 ?? 8D 46 + ?? 3B 44 24 ?? 76 ?? 33 C0 EB ?? 3B 74 24 ?? 73 ?? 8A 07 43 88 06 46 8B 44 24 ?? 47 + 83 FB ?? 75 ?? C6 46 ?? ?? 33 DB 46 3B F8 73 ?? 8B 54 24 ?? E9 ?? ?? ?? ?? 8A 07 43 + 88 06 46 47 83 FB ?? 75 ?? C6 46 ?? ?? 33 DB 46 3B FD 72 ?? 8B CE 8D 53 ?? 2B CB 88 + 51 ?? 33 C9 85 DB 0F 94 C1 2B F1 2B 74 24 ?? 8B C6 5F 5E 5D 5B 83 C4 ?? C3 + } + + $decrypt_resource_snippet_v7 = { + C1 EE ?? 3B F9 0F 47 F0 85 F6 74 ?? 8B 5C 24 ?? 8B 0F 8D 7F ?? 33 CB 0F B6 C1 66 89 + 02 8B C1 C1 E8 ?? 8D 52 ?? 0F B6 C0 66 89 42 ?? C1 E9 ?? 0F B6 C1 C1 E9 ?? 45 66 89 + 42 ?? 0F B6 C1 66 89 42 ?? 3B EE 72 ?? 8B 5C 24 ?? 8B 44 24 ?? 33 C9 5D 66 89 0C 43 + 5F 5E 8B C3 5B 83 C4 ?? C3 + } + + $state_machine_snippet_v7 = { + 8D 84 24 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B + 94 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 8D 84 24 + ?? ?? ?? ?? 50 68 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B 54 24 ?? + 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF B4 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8D 94 + 24 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? FF 74 24 + ?? 8B F0 FF B4 24 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? F7 DE 8B 94 24 ?? ?? ?? ?? 1B F6 + 81 E6 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? E8 ?? ?? ?? 
?? FF B4 24 ?? ?? ?? ?? FF B4 24 ?? + ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B 4C 24 ?? E8 ?? ?? ?? ?? 83 C4 ?? E9 + } + + condition: + uint16(0) == 0x5A4D and + ( + $decrypt_resource_v1 and + $generate_filename_v1 + ) or + ( + $decrypt_resource_v2 and + $generate_filename_v2 + ) or + ( + $decrypt_resource_v3 and + $generate_filename_v3 + ) or + ( + $decrypt_resource_v4 and + $generate_filename_snippet_v4 + ) or + ( + $decrypt_resource_snippet_v5 and + all of ($liblzf_decompression_*) + ) or + ( + $decrypt_resource_snippet_v6 and + all of ($liblzf_decompression_*) + ) or + ( + $decrypt_resource_snippet_v7 and + $state_machine_snippet_v7 + ) +} \ No newline at end of file diff --git a/yara/trojan/Win32.Trojan.HermeticWiper.yara b/yara/trojan/Win32.Trojan.HermeticWiper.yara new file mode 100644 index 0000000..686f18f --- /dev/null +++ b/yara/trojan/Win32.Trojan.HermeticWiper.yara 
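Review bot: The condition is mis-grouped: it reads `uint16(0) == 0x5A4D and ( $decrypt_resource_v1 and $generate_filename_v1 ) or ( … ) or …`, and since `and` binds tighter than `or` in YARA, only the v1 alternative is gated by the MZ check while the other six alternatives fire regardless of the file header. Wrap the whole chain of alternatives: change the line after `condition:` to `uint16(0) == 0x5A4D and (` and add a matching `)` on its own line before the rule's closing `}`. Win32.Trojan.Dridex in the same commit already groups its condition this way, so this looks like an oversight rather than intent.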
@@ -0,0 +1,50 @@ +rule Win32_Trojan_HermeticWiper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "HERMETICWIPER" + description = "Yara rule that detects HermeticWiper trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "HermeticWiper" + tc_detection_factor = 5 + + strings: + $corrupt_physical_drive = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 51 68 ?? ?? ?? ?? 0F 57 C0 89 55 ?? 8D 85 ?? ?? + ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 F6 66 0F D6 45 ?? 33 FF 89 75 ?? 50 0F + 11 45 ?? 89 7D ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 8D 55 ?? 8D 8D ?? + ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ?? + BF ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8B F0 8D 45 ?? + 50 57 56 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? + 75 ?? 66 0F 1F 44 00 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 81 C7 ?? ?? + ?? ?? 33 F6 81 FF ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 + ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 6A ?? 6A ?? 68 ?? + ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 F6 0F 84 ?? ?? ?? + ?? 8B 06 C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? + 83 7E ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 55 ?? 8D 46 ?? 89 45 ?? 66 90 + 8B 00 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? + ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 45 ?? 6A ?? 6A ?? FF 70 ?? FF 70 + ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 57 53 FF + 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 81 FA ?? ?? ?? ?? 72 ?? 66 83 7F ?? + ?? 75 ?? 85 D2 0F B7 C2 B9 ?? ?? ?? ?? 0F 45 C8 66 89 4F ?? 8B 45 ?? FF 70 ?? FF 70 + ?? FF 75 ?? FF 75 ?? 57 53 FF 55 ?? 8B 55 ?? 8B 4D ?? 8B 45 ?? 41 05 ?? ?? ?? ?? 89 + 4D ?? 
89 45 ?? 3B 4E ?? 0F 82 ?? ?? ?? ?? 8B 7D ?? EB ?? FF 15 ?? ?? ?? ?? 33 FF 85 + DB 74 ?? 83 FB ?? 74 ?? 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 F6 74 ?? 56 6A ?? + FF D3 8B 35 ?? ?? ?? ?? 50 FF D6 EB ?? FF 15 ?? ?? ?? ?? 8B 7D ?? EB ?? 33 C0 5F 5E + 5B 8B E5 5D C2 ?? ?? 8B 35 ?? ?? ?? ?? 85 FF 74 ?? 57 6A ?? FF D3 50 FF D6 8B 45 ?? + 5F 5E 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $corrupt_physical_drive + ) +} \ No newline at end of file diff --git a/yara/trojan/Win32.Trojan.IsaacWiper.yara b/yara/trojan/Win32.Trojan.IsaacWiper.yara new file mode 100644 index 0000000..1e0376a --- /dev/null +++ b/yara/trojan/Win32.Trojan.IsaacWiper.yara 
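Review bot: The rule's meta records `author`/`source` as ReversingLabs but nothing that pins which upstream revision of the rule set these files were copied from, and the same is true of every other rule file in this commit (IsaacWiper, TrickBot, Vit, Awfull, Cmay, DeadCode, Elerad, Greenp, Mocket, Negt). Since these appear to be vendored third-party detections under a separate license, a line such as `reference = "<upstream repository and revision — placeholder>"` in each rule's meta (or a single note in LICENSE-YARA-RULES naming the snapshot) would let a maintainer re-sync or diff them later. As a style point, each new .yara file is written without a trailing newline (`\ No newline at end of file`), which will churn the last line on the next edit.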
@@ -0,0 +1,76 @@ +rule Win32_Trojan_IsaacWiper : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "ISAACWIPER" + description = "Yara rule that detects IsaacWiper trojan." + + tc_detection_type = "Trojan" + tc_detection_name = "IsaacWiper" + tc_detection_factor = 5 + + strings: + $enumerate_physical_drives = { + 55 8B EC 81 EC ?? ?? ?? ?? 53 56 33 F6 89 55 ?? 57 89 4D ?? B3 ?? C7 45 ?? ?? ?? ?? + ?? 89 75 ?? 84 DB 0F 84 ?? ?? ?? ?? 8B D6 8D 4D ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? + ?? ?? 6A ?? 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? E8 ?? ?? ?? ?? D1 E8 8D + 8D ?? ?? ?? ?? BF ?? ?? ?? ?? 89 45 ?? 2B F8 83 C4 ?? 66 83 7D ?? ?? 8D 0C 41 8D 45 + ?? 74 ?? 83 C0 ?? 66 83 38 ?? 75 ?? 8D 55 ?? 2B C2 D1 F8 8D 04 45 ?? ?? ?? ?? 50 8B + C2 8D 14 3F 50 E8 ?? ?? ?? ?? D1 E8 83 C4 ?? 3B C7 8D 48 ?? 0F 46 C1 8B 4D ?? 03 C8 + 89 4D ?? 83 F9 ?? 73 ?? 8B 3D ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 50 B3 ?? FF D7 83 F8 ?? 74 ?? 46 50 89 75 ?? FF 15 ?? ?? ?? ?? + E9 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 32 DB E9 ?? ?? ?? ?? 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 3D ?? ?? ?? ?? 0F 83 + ?? ?? ?? ?? 0F B7 85 ?? ?? ?? ?? 66 85 C0 0F 95 C1 66 85 C0 0F 84 ?? ?? ?? ?? 6A ?? + 68 ?? ?? ?? ?? BA ?? ?? ?? ?? 66 89 45 ?? 8D 4D ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? + ?? ?? ?? E8 ?? ?? ?? ?? D1 E8 8D 4D ?? BE ?? ?? ?? ?? 89 45 ?? 2B F0 83 C4 ?? 66 83 + 7D ?? ?? 8D 0C 41 8D 45 ?? 74 ?? 83 C0 ?? 66 83 38 ?? 75 ?? 8D 55 ?? 2B C2 D1 F8 8D + 04 45 ?? ?? ?? ?? 50 8B C2 8D 14 36 50 E8 ?? ?? ?? ?? D1 E8 83 C4 ?? 3B C6 8D 48 ?? + 0F 46 C1 8B 4D ?? 03 C8 89 4D ?? 83 F9 ?? 0F 83 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 6A ?? + 6A ?? 68 ?? ?? ?? ?? 8D 45 ?? 50 FF D7 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 + ?? C7 45 ?? ?? ?? ?? ?? 50 6A ?? 8D 45 ?? 50 6A ?? 6A ?? 68 ?? ?? ?? ?? 56 FF 15 ?? + ?? ?? ?? 
83 F8 ?? 0F 94 C3 75 ?? 33 C0 83 7D ?? ?? 0F 44 45 ?? 89 45 ?? 56 FF 15 ?? + ?? ?? ?? 84 DB EB ?? 84 C9 0F 84 ?? ?? ?? ?? 8B 5D ?? 8B D3 8B 4D ?? 6A ?? E8 ?? ?? + ?? ?? 8B 7D ?? 8A C8 83 C4 ?? 33 F6 84 C9 74 ?? 3B F3 74 ?? 6A ?? 8B D6 8B CF E8 ?? + ?? ?? ?? 8A C8 83 C4 ?? 46 83 C7 ?? 84 C9 75 ?? 46 84 C9 74 ?? 8B 5D ?? 3B F3 73 ?? + 6A ?? 8B D6 8B CF E8 ?? ?? ?? ?? 8A C8 83 C4 ?? 46 83 C7 ?? 84 C9 75 ?? 8A C1 5F 5E + 5B 8B E5 5D C3 + } + + $corrupt_drive_thread = { + 55 8B EC 83 E4 ?? B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 8B 5D ?? 56 57 85 DB 0F 84 ?? ?? + ?? ?? 83 7B ?? ?? 0F 85 ?? ?? ?? ?? 8B 43 ?? 8D 4C 24 ?? 03 C0 BA ?? ?? ?? ?? 50 53 + E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 ?? D1 E8 33 C9 66 89 4C 44 ?? 8D 44 24 ?? 50 + FF D7 8B 35 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 8D 44 24 ?? 50 FF D6 6A ?? 8D 44 24 ?? 50 + FF 15 ?? ?? ?? ?? 6A ?? 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 66 83 7C 24 ?? ?? 8D 44 24 + ?? 74 ?? 90 83 C0 ?? 66 83 38 ?? 75 ?? 8D 4C 24 ?? BA ?? ?? ?? ?? 2B C1 D1 F8 8D 04 + 45 ?? ?? ?? ?? 50 8B C1 8D 8C 24 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 8D 84 24 ?? + ?? ?? ?? 50 FF D7 50 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF D6 6A ?? 6A ?? 6A ?? + 6A ?? 6A ?? 68 ?? ?? ?? ?? 8D 84 24 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 89 74 24 + ?? 83 FE ?? 0F 84 ?? ?? ?? ?? 8B 7B ?? 8B 5B ?? C7 44 24 ?? ?? ?? ?? ?? 85 DB 75 ?? + 81 FF ?? ?? ?? ?? 0F 82 ?? ?? ?? ?? C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? ?? + ?? 89 84 24 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8B 8C 84 ?? ?? ?? ?? 8B D1 C1 EA ?? 33 D1 69 + CA ?? ?? ?? ?? 03 C8 89 8C 84 ?? ?? ?? ?? 40 3D ?? ?? ?? ?? 72 ?? BA ?? ?? ?? ?? 8D + B4 24 ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? 0F 1F 80 ?? ?? ?? ?? 81 FA ?? ?? ?? ?? 75 ?? + 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B 8C 94 ?? ?? ?? ?? 8B C1 + C1 E8 ?? 42 33 C8 89 94 24 ?? ?? ?? ?? 8B C1 25 ?? ?? ?? ?? C1 E0 ?? 33 C8 8B C1 25 + ?? ?? ?? ?? C1 E0 ?? 33 C8 8B C1 C1 E8 ?? 33 C1 89 06 83 C6 ?? 8D 84 24 ?? ?? ?? ?? + 3B F0 72 ?? 8B 74 24 ?? 8D 44 24 ?? 6A ?? 50 68 ?? ?? ?? ?? 
8D 84 24 ?? ?? ?? ?? 50 + 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 44 24 ?? 3D ?? ?? ?? ?? 75 ?? 2B F8 83 DB ?? E9 + ?? ?? ?? ?? 8B C7 0B C3 74 ?? 57 8D 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 ?? 8D 44 + 24 ?? 6A ?? 50 57 8D 84 24 ?? ?? ?? ?? 50 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? + 5F 5E 33 C0 5B 8B E5 5D C2 + } + + condition: + uint16(0) == 0x5A4D and + ( + $enumerate_physical_drives and $corrupt_drive_thread + ) +} \ No newline at end of file diff --git a/yara/trojan/Win32.Trojan.TrickBot.yara b/yara/trojan/Win32.Trojan.TrickBot.yara new file mode 100644 index 0000000..661eede --- /dev/null +++ b/yara/trojan/Win32.Trojan.TrickBot.yara 
@@ -0,0 +1,46 @@
+rule Win32_Trojan_TrickBot : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "TRICKBOT"
+ description = "Yara rule that detects TrickBot trojan."
+
+ tc_detection_type = "Trojan"
+ tc_detection_name = "TrickBot"
+ tc_detection_factor = 5
+
+ strings:
+
+ $entry_setup = {
+ 58 (68 | 8B) [6-8] 59 [1-3] E2 ?? 57 8B (C7 | EC) 8B (C7 | EC) 05 ?? ?? ?? ?? 68 [4-5]
+ 89 45 [1-2] 8B D7 [3-4] 8B C1 66 AD 85 C0 74 ?? 3B (C1 | C8) (72 | 77) ?? 2B C1 (C1 | D1)
+ [2-4] 8B CF 03 C8 81 C1 ?? ?? ?? ?? 8B 01 59 03 D0 52 EB ?? 89 45 ?? 8B C5 B9 ?? ??
+ ?? ?? C1 E1 ?? 2B C1 8B 00 89 45 ?? 6A ?? 8B D0 59 FF D2 89 68 ?? 6A ?? 8B D0 FF D2
+ }
+
+ $decrypt_function_snippet = {
+ 58 8B C8 75 ?? 58 2B F0 50 8B D8 49 75 ?? 59 58 59 5E 5F 5B C3
+ }
+
+ $decrypt_function_snippet_wrapper = {
+ 55 BD ?? ?? ?? ?? 50 51 52 6A ?? FF 45 ?? 8B 45 ?? 59 F7 E1 8D 8D ?? ?? ?? ?? 03 C8
+ 89 4D ?? 8F 41 ?? 8F 41 ?? 8F 41 ?? 8F 41 ?? 8F 01 89 79 ?? 89 71 ?? 8B D1 59 89 4A
+ ?? 55 2B C0 8B C8 8B 02 8B F8 58 41 41 41 41 50 2B C1 8B 00 3B C7 72 ?? 58 C1 E9 ??
+ 49 89 4A ?? E3 ?? FF 55 ?? 8B 55 ?? 8B 4A ?? FF 55 ?? 50 51 50 6A ?? 59 FF 55 ?? FF
+ D0
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ $entry_setup and
+ (
+ $decrypt_function_snippet or
+ $decrypt_function_snippet_wrapper
+ )
+}
\ No newline at end of file
diff --git a/yara/virus/Linux.Virus.Vit.yara b/yara/virus/Linux.Virus.Vit.yara
new file mode 100644
index 0000000..2588122
--- /dev/null
+++ b/yara/virus/Linux.Virus.Vit.yara
@@ -0,0 +1,36 @@
+import "elf"
+
+rule Linux_Virus_Vit : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "VIT"
+ description = "Yara rule that detects Vit virus."
+
+ tc_detection_type = "Virus"
+ tc_detection_name = "Vit"
+ tc_detection_factor = 5
+
+ strings:
+
+ $vit_entry_point = {
+ 55 89 E5 81 EC 40 31 00 00 57 56 50 53 51 52 C7 85 D8 CE FF FF 00 00 00 00 C7 85 D4
+ CE FF FF 00 00 00 00 C7 85 FC CF FF FF CA 08 00 00 C7 85 F8 CF FF FF B8 06 00 00 C7
+ 85 F4 CF FF FF AD 08 00 00 C7 85 F0 CF FF FF 50 06 00 00 6A 00 6A 00 8B 45 08 50 E8
+ 18 FA FF FF 89 C6 83 C4 0C 85 F6 0F 8C E6 01 00 00 6A 00 68 ?? ?? ?? ?? 56 E8 2E FA
+ FF FF 83 C4 0C 85 C0 0F 8C C4 01 00 00 8B 85 FC CF FF FF 50 8D 85 00 D0 FF FF 50 56
+ E8 2A FA FF FF 89 C2 8B 85 FC CF FF FF 83 C4 0C 39 C2 0F 85 9D 01 00 00 56 E8 E1 F9
+ FF FF BE FF FF FF FF 6A 00 6A 00 E9
+ }
+
+ $vit_str = "vi324.tmp"
+
+ condition:
+ uint32(0) == 0x464C457F and $vit_entry_point at elf.entry_point and $vit_str
+}
\ No newline at end of file
diff --git a/yara/virus/Win32.Virus.Awfull.yara b/yara/virus/Win32.Virus.Awfull.yara
new file mode 100644
index 0000000..e50db81
--- /dev/null
+++ b/yara/virus/Win32.Virus.Awfull.yara
@@ -0,0 +1,33 @@
+import "pe"
+
+rule Win32_Virus_Awfull : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "AWFULL"
+ description = "Yara rule that detects Awfull virus."
+
+ tc_detection_type = "Virus"
+ tc_detection_name = "Awfull"
+ tc_detection_factor = 5
+
+ strings:
+ $awfull_body = {
+ 60 E8 ?? 00 00 00 8B 64 24 08 EB ?? [0-256]
+ 33 D2 64 FF 32 64 89 22 33 C0 C7 00 00 00 00 00 33 D2 64 8F 02
+ 5A 64 (8B 0D | 67 8B 0E ) 14 00 [0-2] E3 03 FA
+ EB FD 61 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 0B ED 74 ??
+ [0-128] (BE | 8B 35) ?? ?? ?? ?? 03 F5 B9 ?? ?? ?? ??
+ 56 5F AC F6 D0 AA 49 E3 02 EB F7
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ ($awfull_body at pe.entry_point)
+}
\ No newline at end of file
diff --git a/yara/virus/Win32.Virus.Cmay.yara b/yara/virus/Win32.Virus.Cmay.yara
new file mode 100644
index 0000000..6743d5e
--- /dev/null
+++ b/yara/virus/Win32.Virus.Cmay.yara
@@ -0,0 +1,73 @@ +import "pe" + +rule Win32_Virus_Cmay : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "CMAY" + description = "Yara rule that detects Cmay virus." + + tc_detection_type = "Virus" + tc_detection_name = "Cmay" + tc_detection_factor = 5 + + strings: + $cmay_body_1 = { + 60 66 9C E8 00 00 00 00 5D 8B C5 81 ED ?? ?? ?? ?? 2D 08 00 00 00 2D + ?? ?? ?? ?? 89 85 ?? ?? ?? ?? E8 3A 02 00 00 0F 82 7C 03 00 00 8D B5 + ?? ?? ?? ?? 8D BD ?? ?? ?? ?? E8 4F 02 00 00 E8 05 00 00 00 E9 61 03 + 00 00 8D BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 03 6A 7F 57 FF 95 ?? ?? ?? + ?? 83 C7 7F 6A 7F 57 FF 95 ?? ?? ?? ?? 83 C7 7F 57 6A 7F FF 95 ?? ?? + ?? ?? 8D BD ?? ?? ?? ?? 80 BD ?? ?? ?? ?? 00 0F 84 20 03 00 00 FE 8D + ?? ?? ?? ?? 57 FF 95 ?? ?? ?? ?? 83 C7 7F 8D 9D ?? ?? ?? ?? 53 8D 9D + ?? ?? ?? ?? 53 FF 95 ?? ?? ?? ?? 83 F8 FF 74 CA 89 85 ?? ?? ?? ?? FF + 85 ?? ?? ?? ?? E8 C0 02 00 00 83 F8 FF 74 75 E8 70 02 00 00 85 C0 74 + 6C 8B 85 ?? ?? ?? ?? 8B 50 3C 3B 95 ?? ?? ?? ?? 73 5B 03 D0 8B 02 35 + 96 23 00 00 3D C6 66 00 00 75 4B 81 7A 4C 53 54 30 00 74 42 52 FF B5 + ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 5A FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? + E8 79 00 00 00 8F 85 ?? ?? ?? ?? 8F 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? + 05 7E 0E 80 BD ?? ?? ?? ?? 00 0F 85 40 FF FF FF C3 57 8D BD ?? ?? ?? + ?? B9 04 01 00 00 32 C0 F3 AA 5F FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? + FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? + ?? 8D 9D ?? ?? ?? ?? 53 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 85 C0 74 + 05 E9 2A FF FF FF E9 E9 FE FF FF 8B B5 ?? ?? ?? ?? 81 C6 ?? ?? ?? ?? + 8B 5A 3C E8 87 01 00 00 89 B5 ?? ?? ?? ?? E8 8B 01 00 00 33 DB 8B 95 + ?? ?? ?? ?? 8B 42 3C 03 D0 0F B7 42 06 48 6B C0 28 0F B7 5A 14 83 C3 + 18 03 DA 03 C3 8B 58 10 03 58 14 03 9D ?? ?? ?? ?? 53 8B 4A 28 89 8D + ?? ?? ?? ?? 8B 4A 34 89 8D ?? ?? ?? ?? 8B 48 0C 03 48 10 89 8D ?? ?? + ?? ?? 
89 4A 28 8B 70 10 81 C6 ?? ?? ?? ?? 8B 5A 3C E8 1D 01 00 00 89 + 70 10 89 70 08 03 70 0C 89 72 50 81 48 24 20 00 00 A0 C7 42 4C 53 54 + } + + $cmay_body_2 = { + 30 00 5B B9 ?? ?? ?? ?? FC 8B FB 8D B5 ?? ?? ?? ?? F3 A4 FF B5 ?? ?? + ?? ?? FF 95 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? FF B5 ?? + ?? ?? ?? FF 95 ?? ?? ?? ?? C3 50 51 B9 05 00 00 00 8B 44 24 2E 25 00 + 00 FF FF 66 81 38 4D 5A 74 09 2D 00 00 01 00 E2 F2 EB 06 89 85 ?? ?? + ?? ?? 59 58 74 01 F9 C3 56 8B 95 ?? ?? ?? ?? 8B 72 3C 03 F2 8B 76 78 + 03 F2 83 C6 1C AD 03 C2 89 85 ?? ?? ?? ?? AD 03 C2 89 85 ?? ?? ?? ?? + AD 03 C2 89 85 ?? ?? ?? ?? 5E 57 E8 16 00 00 00 5F 89 07 83 C7 04 80 + 3E 88 C7 85 ?? ?? ?? ?? 00 00 00 00 75 E5 C3 8B DE 80 3E 00 74 03 46 + EB F8 46 8B CE 2B CB 8B F3 8B BD ?? ?? ?? ?? 57 8B 3F 03 FA 51 F3 A6 + 74 0F 8B F3 59 5F 83 C7 04 FF 85 ?? ?? ?? ?? EB E7 59 5F 8B 85 ?? ?? + ?? ?? D1 E0 03 85 ?? ?? ?? ?? 33 DB 66 8B 18 C1 E3 02 03 9D ?? ?? ?? + ?? 8B 1B 03 DA 8B C3 C3 50 52 33 D2 8B C6 F7 F3 2B DA 03 F3 5A 58 C3 + 8B 85 ?? ?? ?? ?? 6A 00 50 6A 00 6A 04 6A 00 FF B5 ?? ?? ?? ?? FF 95 + ?? ?? ?? ?? 85 C0 74 1E 89 85 ?? ?? ?? ?? 6A 00 6A 00 6A 00 6A 02 FF + B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 85 C0 75 02 33 C0 89 85 ?? ?? ?? ?? + C3 33 C0 50 68 80 00 00 00 6A 03 50 40 50 68 00 00 00 C0 8D B5 ?? ?? + ?? ?? 56 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? C3 85 ED 0F 84 2A 04 00 + 00 33 C0 05 ?? ?? ?? ?? 05 ?? ?? ?? ?? FF E0 + } + + condition: + uint16(0) == 0x5A4D and + ($cmay_body_1 at pe.entry_point) and + $cmay_body_2 +} \ No newline at end of file diff --git a/yara/virus/Win32.Virus.DeadCode.yara b/yara/virus/Win32.Virus.DeadCode.yara new file mode 100644 index 0000000..991fd6a --- /dev/null +++ b/yara/virus/Win32.Virus.DeadCode.yara 
@@ -0,0 +1,76 @@ +import "pe" + +rule Win32_Virus_DeadCode : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "DEADCODE" + description = "Yara rule that detects DeadCode virus." + + tc_detection_type = "Virus" + tc_detection_name = "DeadCode" + tc_detection_factor = 5 + + strings: + $deadcode_ep_1 = { + 64 67 FF 36 30 00 58 8B 40 08 FF 70 48 5B FF 70 4C 5A 03 40 44 + FF E0 + } + + $deadcode_marker = { + DE C0 AD DE + } + + $deadcode_ep_2 = { + 2B C0 85 C0 74 0E 64 67 FF 36 00 00 64 67 89 26 00 00 89 00 E8 + ED FF FF FF 8B 74 24 0C 64 67 A1 30 00 8B 40 08 8B 58 48 8B 50 + 4C 03 40 44 89 86 B8 00 00 00 89 86 B0 00 00 00 89 9E A4 00 00 + 00 89 96 A8 00 00 00 2B C0 C3 + } + + $deadcode_ep_3 = { + B8 DE C0 AD DE 50 5A 64 67 A1 30 00 8B 40 08 8B 58 48 8B 50 4C + 03 40 44 FF D0 + } + + $deadcode_body_1 = { + 8B D0 8B EA 81 C5 ?? ?? ?? ?? 89 85 A4 00 00 00 89 9D C0 00 00 00 E8 56 01 00 00 89 + 45 00 8D 75 04 81 C2 ?? ?? ?? ?? 6A 19 FF 75 00 52 56 E8 CE 01 00 00 64 67 A1 30 00 + 8B 40 08 89 85 88 00 00 00 C7 85 D0 00 00 00 ?? ?? ?? ?? E8 09 00 00 00 8B 64 24 08 + E9 03 01 00 00 33 D2 64 FF 32 64 89 22 83 BD C0 00 00 00 00 75 2F 6A 04 68 00 10 00 + 00 68 40 01 00 00 6A 00 FF 55 08 50 8F 45 78 E8 2A 03 00 00 68 00 40 00 00 68 40 01 + 00 00 FF 75 78 FF 55 28 E9 C3 00 00 00 8B 85 A4 00 00 00 05 ?? ?? ?? ?? 8D B5 B4 00 + 00 00 56 6A 00 55 50 68 00 00 10 00 6A 00 FF 55 30 89 85 AC 00 00 00 6A 04 68 00 10 + 00 00 6A 54 6A 00 FF 55 08 89 85 A8 00 00 00 64 67 A1 30 00 8B 40 10 8B 40 3C 8B B5 + A8 00 00 00 8D 7E 10 56 57 6A 00 6A 00 6A 04 6A 01 6A 00 6A 00 50 6A 00 FF 55 50 85 + C0 74 5D FF 76 04 8F 85 B0 00 00 00 64 67 A1 30 00 8B 40 08 8B D8 03 5B 3C 8B 5B 28 + 03 D8 8B 8D A4 00 00 00 81 ?? ?? ?? ?? 8D 85 B4 00 00 00 50 6A ?? 
51 53 FF 36 FF 55 + 4C FF 76 04 FF 55 54 8D B5 AC 00 00 00 6A FF 6A 01 56 6A 02 FF 55 34 68 00 40 00 00 + 6A 54 FF B5 A8 00 00 00 FF 55 28 33 D2 64 8F 02 5A E8 DB 01 00 00 E8 F5 00 00 00 6A + 00 FF 55 3C 64 67 8B 36 00 00 AD 83 F8 FF 74 04 8B F0 EB F6 8B 7E 04 81 E7 00 00 FF + FF 66 81 3F 4D 5A 74 08 81 EF 00 00 01 00 EB F1 8B DF 03 5B 3C 66 81 3B 50 45 74 02 + EB E3 8B C7 C3 55 8B EC 8B 75 0C AC 84 C0 75 FB 2B 75 0C 8B CE 8B 5D 08 03 5B 3C 8B + 5B 78 03 5D 08 8B 53 20 03 55 08 2B C0 8B 32 03 75 08 8B 7D 0C 51 FC F3 A6 59 74 06 + } + + $deadcode_body_2 = { + 83 C2 04 40 EB EB 8B 73 24 03 75 08 2B D2 66 8B 14 46 8B 73 1C 03 75 08 8B 04 96 03 + 45 08 8B E5 5D C2 08 00 55 8B EC 8B 7D 08 8B 75 0C 8B 4D 14 51 56 57 56 FF 75 10 E8 + 91 FF FF FF 5F 5E 59 AB AC 84 C0 75 FB E2 E9 8B E5 5D C2 10 00 8B 6C 24 04 6A 04 68 + 00 10 00 00 68 40 01 00 00 6A 00 FF 55 08 85 C0 74 18 89 45 78 E8 63 01 00 00 68 00 + 40 00 00 68 40 01 00 00 FF 75 78 FF 55 28 6A 00 FF 55 40 C3 + } + + condition: + uint16(0) == 0x5A4D and + ((($deadcode_ep_1 at pe.entry_point) and ($deadcode_marker at 0x40)) or + (($deadcode_ep_2 at pe.entry_point) and ($deadcode_marker at 0x40)) or + (($deadcode_ep_3 at pe.entry_point) and ($deadcode_marker at 0x40)) or + ($deadcode_body_1 and $deadcode_body_2)) +} \ No newline at end of file diff --git a/yara/virus/Win32.Virus.Elerad.yara b/yara/virus/Win32.Virus.Elerad.yara new file mode 100644 index 0000000..3eeaf46 --- /dev/null +++ b/yara/virus/Win32.Virus.Elerad.yara 
@@ -0,0 +1,33 @@
+import "pe"
+
+rule Win32_Virus_Elerad : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "ELERAD"
+ description = "Yara rule that detects Elerad virus."
+
+ tc_detection_type = "Virus"
+ tc_detection_name = "Elerad"
+ tc_detection_factor = 5
+
+ strings:
+ $elerad_body = {
+ EB 77 60 E8 09 00 00 00 8B 64 24 08 E9 DD 01 00 00 33 D2 64 FF 32 64 89 22 50 8B D8 B9 FF 00 00 00 81 38 2E 65 78 65 74
+ 08 40 E2 F5 E9 BD 01 00 00 32 D2 38 50 04 0F 85 B2 01 00 00 33 D2 80 38 5C 74 07 3B C3 74 07 48 E2 F4 88 10 8B D0 58 BE
+ 00 00 E6 77 BF 23 C1 AB 00 EB 3E 60 E8 09 00 00 00 8B 64 24 08 E9 84 01 00 00 33 D2 64 FF 32 64 89 22 BE 00 00 E6 77 EB
+ 20 68 ?? ?? ?? ?? 60 8B 74 24 24 E8 09 00 00 00 8B 64 24 08 E9 5D 01 00 00 33 D2 64 FF 32 64 89 22 E8 00 00 00 00 5D 81
+ ED ?? ?? ?? ?? 81 FF 23 C1 AB 00 75 0C 89 95 22 12 40 00 89 85 1E 12 40 00 BA ?? ?? ?? ?? B9 09 02 00 00 8D 85 D0 10 40
+ 00 31 10 83 C0 04 E2 F9
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ ($elerad_body at pe.entry_point)
+}
\ No newline at end of file
diff --git a/yara/virus/Win32.Virus.Greenp.yara b/yara/virus/Win32.Virus.Greenp.yara
new file mode 100644
index 0000000..f3e1ee3
--- /dev/null
+++ b/yara/virus/Win32.Virus.Greenp.yara
@@ -0,0 +1,46 @@ +import "pe" + +rule Win32_Virus_Greenp : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "GREENP" + description = "Yara rule that detects Greenp virus." + + tc_detection_type = "Virus" + tc_detection_name = "Greenp" + tc_detection_factor = 5 + + strings: + $greenp_body_1 = { + 68 ?? ?? ?? ?? 60 FC E8 4E 05 00 00 E8 31 04 00 00 0F 82 93 00 00 00 80 BD ?? ?? ?? ?? 01 75 63 FF 95 ?? ?? ?? ?? 6A 01 + 50 FF 95 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 68 ?? ?? ?? ?? 6A 00 6A 00 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 EC 18 8B FC + 6A 00 6A 00 6A 00 57 FF 95 ?? ?? ?? ?? 85 C0 74 10 57 FF 95 ?? ?? ?? ?? 57 FF 95 ?? ?? ?? ?? EB DF 68 ?? ?? ?? ?? 6A 00 + FF 95 ?? ?? ?? ?? 83 C4 18 EB 27 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 85 C0 75 16 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? + ?? 85 C0 74 05 E8 81 00 00 00 61 58 FF E0 ?? E8 04 00 00 00 [4] 8B 3C 24 81 EC 00 01 00 00 8B F4 56 68 00 01 00 00 FF + 95 ?? ?? ?? ?? AC AA 81 C4 00 01 00 00 FF 95 ?? ?? ?? ?? 83 F8 03 75 2D 83 EC 10 8B F4 56 8D 46 04 50 8D 46 08 50 8D 46 + 0C 50 4F 57 FF 95 ?? ?? ?? ?? 8B 46 04 2B D2 F7 66 08 F7 66 0C 83 C4 10 3D 00 00 40 06 C3 [27] 81 EC ?? ?? ?? ?? 8B F4 + 68 ?? ?? ?? ?? 56 FF 95 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8A 17 88 14 06 40 47 80 FA 00 75 F4 68 ?? ?? ?? ?? 6A 00 FF 95 ?? + ?? ?? ?? 97 56 57 B9 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? E8 3A 02 00 00 5F B8 ?? ?? ?? ?? 99 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 + 8B 57 3C 03 D7 0F B7 5A 14 8D 5C 13 40 8B 72 28 03 72 34 89 B5 ?? ?? ?? ?? C7 42 10 80 67 D5 40 FF 73 10 01 43 10 8B 43 + 10 05 ?? ?? ?? ?? 89 43 08 58 03 43 0C 89 42 28 52 B8 ?? ?? ?? ?? 99 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 5A 01 43 10 01 42 + 50 81 42 50 ?? ?? ?? ?? 57 C6 85 ?? ?? ?? ?? 01 81 C7 ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? B9 ?? ?? ?? ?? FC F3 A4 C6 85 ?? ?? + ?? ?? 00 5F 5E 6A 00 6A 00 6A 02 6A 00 6A 00 68 00 00 00 C0 56 FF 95 ?? ?? ?? ?? 93 50 8B C4 6A 00 50 B8 ?? ?? ?? ?? 
99 + } + + $greenp_body_2 = { + 68 ?? ?? ?? ?? 59 F7 F1 40 F7 E1 50 57 53 FF 95 ?? ?? ?? ?? 58 57 FF 95 ?? ?? ?? ?? 53 FF 95 ?? ?? ?? ?? 6A 00 56 FF 95 + ?? ?? ?? ?? 50 50 8B FC 8D 57 04 2B C0 52 57 50 68 3F 00 0F 00 50 50 50 8D 85 ?? ?? ?? ?? 50 68 02 00 00 80 FF 95 ?? ?? + ?? ?? 85 C0 75 1E 6A 0C 56 6A 01 6A 00 8D 85 ?? ?? ?? ?? 50 FF 37 FF 95 ?? ?? ?? ?? FF 37 FF 95 ?? ?? ?? ?? 81 C4 ?? ?? + ?? ?? C3 + } + + condition: + uint16(0) == 0x5A4D and ($greenp_body_1 at pe.entry_point) and $greenp_body_2 +} \ No newline at end of file diff --git a/yara/virus/Win32.Virus.Mocket.yara b/yara/virus/Win32.Virus.Mocket.yara new file mode 100644 index 0000000..a6df691 --- /dev/null +++ b/yara/virus/Win32.Virus.Mocket.yara 
@@ -0,0 +1,58 @@ +import "pe" + +rule Win32_Virus_Mocket : tc_detection malicious +{ + meta: + + author = "ReversingLabs" + + source = "ReversingLabs" + status = "RELEASED" + sharing = "TLP:WHITE" + category = "MALWARE" + malware = "MOCKET" + description = "Yara rule that detects Mocket virus." + + tc_detection_type = "Virus" + tc_detection_name = "Mocket" + tc_detection_factor = 5 + + strings: + $mocket_body_1 = { + E8 00 00 00 00 5B 81 EB ?? ?? ?? ?? 8B 34 24 81 E6 00 00 FF FF E8 31 00 00 00 89 83 ?? ?? ?? ?? E8 4C 00 00 00 89 83 ?? + ?? ?? ?? E8 A2 00 00 00 E8 CD 00 00 00 E8 05 01 00 00 87 CB E3 0C B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? FF E0 C3 66 81 3E 4D 5A + 75 0E 8B 7E 3C 03 FE 66 81 3F 50 45 75 02 96 C3 81 EE 00 00 01 00 81 FE 00 00 00 70 73 DD 33 C0 C3 8B 70 3C 03 F0 8B 76 + 78 03 F0 56 8B 76 20 03 F0 8B C6 33 D2 33 C9 8A 8B ?? ?? ?? ?? 8D BB ?? ?? ?? ?? 8B 34 02 03 B3 ?? ?? ?? ?? 83 C2 04 F3 + A6 75 E2 5E 8B C6 83 EA 04 D1 EA 8B 40 24 03 83 ?? ?? ?? ?? 33 C9 66 8B 0C 02 8B C6 8B 40 1C 03 83 ?? ?? ?? ?? C1 E1 02 + 8B 04 01 03 83 ?? ?? ?? ?? C3 8D BB ?? ?? ?? ?? 8D B3 ?? ?? ?? ?? 57 8B 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? FF D0 89 06 + 83 C6 04 B9 FF FF FF FF 32 C0 F2 AE 80 3F 90 75 DD C3 8D BB ?? ?? ?? ?? 57 68 80 00 00 00 8B 83 ?? ?? ?? ?? FF D0 81 C7 + 80 00 00 00 57 68 80 00 00 00 8B 83 ?? ?? ?? ?? FF D0 81 C7 80 00 00 00 57 68 80 00 00 00 8B 83 ?? ?? ?? ?? FF D0 C3 33 + C9 B1 03 8D BB ?? ?? ?? ?? 57 8B 83 ?? ?? ?? ?? FF D0 E8 01 00 00 00 C3 C7 83 ?? ?? ?? ?? 00 00 00 00 8D 83 ?? ?? ?? ?? + } + + $mocket_body_2 = { + 50 8D 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? FF D0 40 0B C0 74 53 48 89 83 ?? ?? ?? ?? E8 48 00 00 00 FE 83 ?? ?? ?? ?? 80 + BB ?? ?? ?? ?? 0A 74 29 8D BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 32 C0 F3 AA 8D 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? 50 8B 83 ?? + ?? ?? ?? FF D0 0B C0 75 C3 8B 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? FF D0 C3 60 8D B3 ?? ?? ?? ?? 56 8B 83 ?? ?? ?? ?? FF + D0 89 83 ?? ?? ?? ?? 68 80 00 00 00 56 8B 83 ?? ?? ?? ?? 
FF D0 E8 B7 01 00 00 40 0B C0 0F 84 75 01 00 00 48 89 83 ?? ?? + ?? ?? 8B 8B ?? ?? ?? ?? E8 B4 01 00 00 0B C0 0F 84 4D 01 00 00 89 83 ?? ?? ?? ?? 8B 8B ?? ?? ?? ?? E8 B4 01 00 00 0B C0 + 0F 84 26 01 00 00 89 83 ?? ?? ?? ?? 8B 70 3C 03 F0 66 81 3E 50 45 0F 85 F7 00 00 00 81 7E 4C 4B 43 4F 4D 0F 84 EA 00 00 + 00 8B 4E 3C 51 8B 46 28 89 83 ?? ?? ?? ?? 8B 46 34 89 83 ?? ?? ?? ?? FF B3 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 FF B3 ?? + ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 59 8B 83 ?? ?? ?? ?? 05 ?? ?? ?? ?? E8 5C 01 00 00 89 83 ?? ?? ?? ?? 91 E8 21 01 00 00 + 40 0B C0 0F 84 B9 00 00 00 48 89 83 ?? ?? ?? ?? 8B 8B ?? ?? ?? ?? E8 1F 01 00 00 0B C0 0F 84 91 00 00 00 89 83 ?? ?? ?? + } + + $mocket_body_3 = { + ?? 8B 70 3C 03 F0 8B FE 83 C6 78 8B 57 74 C1 E2 03 03 F2 0F B7 47 06 48 6B C0 28 03 F0 8B 56 10 8B CA 03 56 14 52 8B C1 + 03 46 0C 89 47 28 8B 46 10 05 ?? ?? ?? ?? 8B 4F 3C E8 EA 00 00 00 89 46 10 89 46 08 8B 46 10 03 46 0C 89 47 50 81 4E 24 + 20 00 00 A0 C7 47 4C 4B 43 4F 4D 8D B3 ?? ?? ?? ?? 5A 87 FA 03 BB ?? ?? ?? ?? B9 ?? ?? ?? ?? F3 A4 EB 0B 8B 8B ?? ?? ?? + ?? E8 41 00 00 00 FF B3 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 FF B3 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 FF B3 ?? ?? ?? ?? + 8B 83 ?? ?? ?? ?? FF D0 FF B3 ?? ?? ?? ?? 8D 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? FF D0 61 C3 33 C0 50 50 51 FF B3 ?? ?? + ?? ?? 8B 83 ?? ?? ?? ?? FF D0 FF B3 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 C3 33 C0 50 50 6A 03 50 6A 01 68 00 00 00 C0 56 + 8B 83 ?? ?? ?? ?? FF D0 C3 6A 00 51 6A 00 6A 04 6A 00 8B 83 ?? ?? ?? ?? 50 8B 83 ?? ?? ?? ?? FF D0 C3 51 6A 00 6A 00 6A + 02 FF B3 ?? ?? ?? ?? 8B 83 ?? ?? ?? ?? FF D0 C3 33 D2 F7 F1 0B D2 74 01 40 F7 E1 C3 + } + + condition: + uint16(0) == 0x5A4D and ($mocket_body_1 at pe.entry_point) and $mocket_body_2 and $mocket_body_3 +} \ No newline at end of file diff --git a/yara/virus/Win32.Virus.Negt.yara b/yara/virus/Win32.Virus.Negt.yara new file mode 100644 index 0000000..f0dc8a9 --- /dev/null +++ b/yara/virus/Win32.Virus.Negt.yara 
@@ -0,0 +1,94 @@
+import "pe"
+
+rule Win32_Virus_Negt : tc_detection malicious
+{
+ meta:
+
+ author = "ReversingLabs"
+
+ source = "ReversingLabs"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ category = "MALWARE"
+ malware = "NEGT"
+ description = "Yara rule that detects Negt virus."
+
+ tc_detection_type = "Virus"
+ tc_detection_name = "Negt"
+ tc_detection_factor = 5
+
+ strings:
+ $negt_body_and_infector_1 = {
+ 6A 00 E8 99 08 00 00 A3 ?? ?? ?? ?? 68 04 01 00 00 68 ?? ?? ?? ?? 6A 00 E8 7D 08 00 00 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ??
+ ?? E8 48 08 00 00 BB 00 00 00 00 8D 05 ?? ?? ?? ?? FE 00 68 ?? ?? ?? ?? E8 2D 00 00 00 43 83 FB 18 7C E8 E8 92 08 00 00
+ 3C 9F 7F 17 6A 01 68 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 6A 00 6A 00 E8 7D 08 00 00 6A 00 E8 10 08 00 00 55 8B EC 81 C4 B8
+ FD FF FF FF 75 08 E8 35 08 00 00 0B C0 0F 84 C2 00 00 00 8D 85 C2 FE FF FF 50 68 ?? ?? ?? ?? E8 F2 07 00 00 89 85 BC FE
+ FF FF 83 BD BC FE FF FF FF 0F 84 9E 00 00 00 8D 9D EE FE FF FF 53 E8 21 08 00 00 8B F3 BB 00 00 00 00 F7 D3 68 ?? ?? ??
+ ?? 56 E8 01 08 00 00 23 D8 68 ?? ?? ?? ?? 56 E8 F4 07 00 00 23 D8 68 ?? ?? ?? ?? 56 E8 E7 07 00 00 23 D8 68 ?? ?? ?? ??
+ 56 E8 DA 07 00 00 23 D8 68 ?? ?? ?? ?? 56 E8 CD 07 00 00 23 D8 83 FB 00 74 28 FF 75 08 68 ?? ?? ?? ?? E8 BF 07 00 00 8D
+ 85 EE FE FF FF 50 68 ?? ?? ?? ?? E8 A2 07 00 00 68 ?? ?? ?? ?? E8 08 01 00 00 8D 85 C2 FE FF FF 50 FF B5 BC FE FF FF E8
+ 50 07 00 00 83 F8 00 0F 85 62 FF FF FF FF B5 BC FE FF FF E8 30 07 00 00 8D 85 C2 FE FF FF 50 68 ?? ?? ?? ?? E8 25 07 00
+ 00 89 85 BC FE FF FF 83 BD BC FE FF FF FF 0F 84 AF 00 00 00 8D BD C2 FE FF FF 8B 07 66 83 E0 10 0F 84 82 00 00 00 8D 9D
+ }
+
+ $negt_body_and_infector_2 = {
+ EE FE FF FF 53 E8 42 07 00 00 8B F3 BB 00 00 00 00 F7 D3 68 ?? ?? ?? ?? 56 E8 22 07 00 00 23 D8 68 ?? ?? ?? ?? 56 E8 15
+ 07 00 00 23 D8 68 ?? ?? ?? ?? 56 E8 08 07 00 00 23 D8 83 FB 00 74 41 FF 75 08 8D 85 B8 FD FF FF 50 E8 F8 06 00 00 8D 85
+ EE FE FF FF 50 8D 85 B8 FD FF FF 50 E8 D9 06 00 00 68 ?? ?? ?? ?? 8D 85 B8 FD FF FF 50 E8 C8 06 00 00 60 8D 85 B8 FD FF
+ FF 50 E8 63 FE FF FF 61 8D 85 C2 FE FF FF 50 FF B5 BC FE FF FF E8 72 06 00 00 83 F8 00 0F 85 51 FF FF FF FF B5 BC FE FF
+ FF E8 52 06 00 00 C9 C2 04 00 55 8B EC 81 C4 E4 E9 FF FF 51 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 68 00 00 00 C0 FF 75
+ 08 E8 1E 06 00 00 83 F8 FF 75 05 E9 AE 03 00 00 89 45 FC 6A 00 6A 00 6A 3C FF 75 FC E8 45 06 00 00 6A 00 8D 45 F0 50 6A
+ 04 8D 45 F4 50 FF 75 FC E8 25 06 00 00 6A 00 6A 00 FF 75 F4 FF 75 FC E8 22 06 00 00 6A 00 8D 45 F0 50 68 20 01 00 00 68
+ ?? ?? ?? ?? FF 75 FC E8 FE 05 00 00 8B 5D F4 83 EB 0B 6A 00 6A 00 53 FF 75 FC E8 F7 05 00 00 6A 00 8D 45 F0 50 6A 0B 68
+ ?? ?? ?? ?? FF 75 FC E8 D6 05 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 E5 05 00 00 0B C0 75 05 E9 12 03 00 00 81 3D ?? ??
+ ?? ?? 50 45 00 00 74 05 E9 01 03 00 00 0F B7 05 ?? ?? ?? ?? B9 28 00 00 00 F7 E1 03 45 F4 83 C0 18 0F B7 0D ?? ?? ?? ??
+ 03 C1 83 C0 28 3B 05 ?? ?? ?? ?? 76 05 E9 D4 02 00 00 A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 0F B7
+ }
+
+ $negt_body_and_infector_3 = {
+ 05 ?? ?? ?? ?? B9 28 00 00 00 F7 E1 83 C0 04 03 45 F4 83 C0 14 05 E0 00 00 00 89 45 EC C7 05 ?? ?? ?? ?? 2E 45 41 54 C7
+ 05 ?? ?? ?? ?? 55 02 00 00 FF 35 ?? ?? ?? ?? 8F 05 ?? ?? ?? ?? A1 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 99 F7 F1 40 F7 E1 A3 ??
+ ?? ?? ?? 8B 45 EC 83 E8 18 6A 00 6A 00 50 FF 75 FC E8 10 05 00 00 6A 00 8D 45 F0 50 6A 04 8D 45 E8 50 FF 75 FC E8 F0 04
+ 00 00 6A 00 8D 45 F0 50 6A 04 8D 45 E4 50 FF 75 FC E8 DC 04 00 00 8B 45 E8 03 45 E4 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00
+ 00 00 00 C7 05 ?? ?? ?? ?? 00 00 00 00 66 C7 05 ?? ?? ?? ?? 00 00 66 C7 05 ?? ?? ?? ?? 00 00 C7 05 ?? ?? ?? ?? 20 00 00
+ E0 6A 00 6A 00 FF 75 EC FF 75 FC E8 9E 04 00 00 6A 00 8D 45 F0 50 6A 28 68 ?? ?? ?? ?? FF 75 FC E8 8F 04 00 00 68 ?? ??
+ ?? ?? E8 61 04 00 00 68 ?? ?? ?? ?? E8 63 04 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 48 04 00 00 A3 ??
+ ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 33 04 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 1E 04 00 00
+ A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 09 04 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 F4 03
+ 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 DF 03 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8
+ CA 03 00 00 A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 B5 03 00 00 A3 ?? ?? ?? ?? 6A 02 6A 00 6A 00 FF 75 FC E8
+ BA 03 00 00 6A 00 8D 45 F0 50 FF 35 ?? ?? ?? ?? 8D 05 ?? ?? ?? ?? 50 FF 75 FC E8 A5 03 00 00 66 FF 05 ?? ?? ?? ?? A1 ??
+ ?? ?? ?? 8B 0D ?? ?? ?? ?? 99 F7 F1 40 F7 E1 03 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 6A 00
+ }
+
+ $negt_body_and_infector_4 = {
+ FF 75 F4 FF 75 FC E8 63 03 00 00 6A 00 8D 45 F0 50 68 F8 00 00 00 68 ?? ?? ?? ?? FF 75 FC E8 51 03 00 00 83 6D F4 0B 6A
+ 00 6A 00 FF 75 F4 FF 75 FC E8 38 03 00 00 6A 00 8D 45 F0 50 6A 0B 68 ?? ?? ?? ?? FF 75 FC E8 29 03 00 00 6A 00 6A 20 6A
+ 03 6A 00 6A 01 68 00 00 00 80 68 ?? ?? ?? ?? E8 C8 02 00 00 89 45 F8 6A 00 6A 00 6A 00 FF 75 F8 E8 F9 02 00 00 6A 00 8D
+ 45 F0 50 68 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 FF 75 F8 E8 D3 02 00 00 8B 75 F0 6A 02 6A 00 6A 00 FF 75 FC E8 CE 02 00 00
+ 6A 00 8D 45 F0 50 56 8D 85 ?? ?? ?? ?? 50 FF 75 FC E8 BE 02 00 00 FF 75 FC E8 62 02 00 00 FF 75 F8 E8 5A 02 00 00 59 C9
+ C2 04 00 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 68 00 01 00 00 FF B5 ?? ?? ?? ?? 6A 00
+ FF 95 ?? ?? ?? ?? 6A 00 6A 20 6A 03 6A 00 6A 01 68 00 00 00 80 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A
+ 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A 00 FF B5 ?? ?? ??
+ ?? FF 95 ?? ?? ?? ?? 2D ?? ?? ?? ?? 6A 00 6A 00 50 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 6A 00 8D 85 ?? ?? ?? ?? 50 68 00
+ 01 00 00 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 83 FB 00 74 1E 8D 85 ?? ?? ?? ?? 6A 00
+ 50 53 FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? EB B7 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? FF B5 ?? ?? ?? ??
+ FF 95 ?? ?? ?? ?? 6A 00 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 50 C3
+ }
+
+ $negt_infector = {
+ E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 68 00 01 00 00 FF B5 ?? ?? ?? ?? 6A 00 FF 95 ??
+ ?? ?? ?? 6A 00 6A 20 6A 03 6A 00 6A 01 68 00 00 00 80 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A 00 6A 20
+ 6A 02 6A 00 6A 03 68 00 00 00 C0 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A 00 FF B5 ?? ?? ?? ?? FF 95
+ ?? ?? ?? ?? 2D ?? ?? ?? ?? 6A 00 6A 00 50 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 6A 00 8D 85 ?? ?? ?? ?? 50 68 00 01 00 00
+ FF B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? 83 FB 00 74 1E 8D 85 ?? ?? ?? ?? 6A 00 50 53 FF
+ B5 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? EB B7 FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ?? FF B5 ?? ?? ?? ?? FF 95 ??
+ ?? ?? ?? 6A 00 8D 85 ?? ?? ?? ?? 50 FF 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 50 C3
+ }
+
+ condition:
+ uint16(0) == 0x5A4D and
+ (($negt_infector at pe.entry_point) or
+ (($negt_body_and_infector_1 at pe.entry_point) and $negt_body_and_infector_2 and
+ $negt_body_and_infector_3 and $negt_body_and_infector_4))
+}
\ No newline at end of file