Malpedia identifier: win.7ev3n

7ev3n


The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n." Note that this description comes from a 2016 advisory (see References) and describes the variant current at that time; the artefacts it lists (the LocalAppData drop location, the .R5A extension, the function-key registry changes) should be validated against current samples before being relied on as detection or hunting indicators.

References
2016-07-06 — NJCCIC — NJCCIC
7ev3n
7ev3n
2016-05-06 — Malwarebytes — hasherezade
7ev3n ransomware turning ‘HONE$T’
7ev3n
Yara Rules
[TLP:WHITE] win_7ev3n_auto (20230808 | Detects win.7ev3n.)
rule win_7ev3n_auto {
    // Code-sequence rule: matches ten short x86 instruction-byte patterns taken
    // from the disassembly of the sampled 7ev3n build (see DISCLAIMER below).
    // Bytes written as ?? are wildcards for call/jmp targets and absolute data
    // references (signator_config = "callsandjumps;datarefs;binvalue"), i.e. the
    // bytes that are expected to differ between builds and load addresses.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.7ev3n."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0, $sequence_4 and $sequence_5 all end with the
        // same tail (lea ecx,[ebp-0x3230]; call ??; mov ecx,esi; sub ecx,reg) and
        // therefore most likely hit the same code region. They should not be
        // counted as three independent pieces of evidence towards the
        // "7 of them" threshold in the condition.
        $sequence_0 = { 8d8dd0cdffff e8???????? 8bce 2bcf 3bc1 0f8402b10000 }
            // n = 6, score = 100
            //   8d8dd0cdffff         | lea                 ecx, [ebp - 0x3230]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   2bcf                 | sub                 ecx, edi
            //   3bc1                 | cmp                 eax, ecx
            //   0f8402b10000         | je                  0xb108

        // NOTE(review): the stores [edx+0x10]=0 / [edx+0x14]=7 with edx=esp look
        // like an in-place initialisation of a compiler-library string object
        // (size 0, small reserve); if so this is runtime-library code rather than
        // 7ev3n-specific logic and may also appear in unrelated MSVC binaries.
        // Confirm before weighting this sequence highly.
        $sequence_1 = { 8bd4 89a50cf9ffff c7421407000000 c7421000000000 668902 66398560ffffff 7504 }
            // n = 7, score = 100
            //   8bd4                 | mov                 edx, esp
            //   89a50cf9ffff         | mov                 dword ptr [ebp - 0x6f4], esp
            //   c7421407000000       | mov                 dword ptr [edx + 0x14], 7
            //   c7421000000000       | mov                 dword ptr [edx + 0x10], 0
            //   668902               | mov                 word ptr [edx], ax
            //   66398560ffffff       | cmp                 word ptr [ebp - 0xa0], ax
            //   7504                 | jne                 6

        // The a0???????? wildcard is the absolute address of a global byte
        // (mov al, [imm32]) that is copied into the object at [ecx + 8].
        $sequence_2 = { 894104 a0???????? 884108 6a00 8d8504ffffff 50 }
            // n = 6, score = 100
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   a0????????           |                     
            //   884108               | mov                 byte ptr [ecx + 8], al
            //   6a00                 | push                0
            //   8d8504ffffff         | lea                 eax, [ebp - 0xfc]
            //   50                   | push                eax

        // NOTE(review): this pattern embeds the literal image address 0x45a5d0
        // (bytes d0a54500) rather than masking it, which ties the string to the
        // sampled build's image layout; a build with a different base or section
        // layout will not match this sequence.
        $sequence_3 = { c785e4fdffff00000000 6a00 c785e0fdffffd0a54500 ff15???????? 33c0 c705????????07000000 }
            // n = 6, score = 100
            //   c785e4fdffff00000000     | mov    dword ptr [ebp - 0x21c], 0
            //   6a00                 | push                0
            //   c785e0fdffffd0a54500     | mov    dword ptr [ebp - 0x220], 0x45a5d0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   c705????????07000000     |     

        // Overlaps with $sequence_0 and $sequence_5 (shared tail, see above).
        $sequence_4 = { 8d85acefffff 50 8d8dd0cdffff e8???????? 8bce 2bcf }
            // n = 6, score = 100
            //   8d85acefffff         | lea                 eax, [ebp - 0x1054]
            //   50                   | push                eax
            //   8d8dd0cdffff         | lea                 ecx, [ebp - 0x3230]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   2bcf                 | sub                 ecx, edi

        // Overlaps with $sequence_0 and $sequence_4 (shared tail, see above);
        // differs only in the register subtracted (ebx instead of edi).
        $sequence_5 = { 6a00 8d85fcfeffff 50 8d8dd0cdffff e8???????? 8bce 2bcb }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   50                   | push                eax
            //   8d8dd0cdffff         | lea                 ecx, [ebp - 0x3230]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   2bcb                 | sub                 ecx, ebx

        // NOTE(review): $sequence_6 and $sequence_9 share the same loop body
        // (lea ecx,[edi+2]; nop; mov ax,[edi]; add edi,2; test ax,ax) and differ
        // only in the stack offset loaded into edi. The body appears to be an
        // inlined wide-string length scan, a generic construct that can occur in
        // unrelated code; specificity comes mainly from the stack offsets.
        $sequence_6 = { 8dbd38f1ffff 8d4f02 0f1f840000000000 668b07 83c702 6685c0 75f5 }
            // n = 7, score = 100
            //   8dbd38f1ffff         | lea                 edi, [ebp - 0xec8]
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   668b07               | mov                 ax, word ptr [edi]
            //   83c702               | add                 edi, 2
            //   6685c0               | test                ax, ax
            //   75f5                 | jne                 0xfffffff7

        // Function epilogue (pop edi/esi; mov esp,ebp; pop ebp; ret) is generic;
        // the distinguishing part is the table lookup at the literal image
        // address 0x459320 (bytes 20934500), which, like $sequence_3, is not
        // masked and so is layout-dependent.
        $sequence_7 = { 8b0c8d20934500 80643128fd 5f 5e 8be5 5d c3 }
            // n = 7, score = 100
            //   8b0c8d20934500       | mov                 ecx, dword ptr [ecx*4 + 0x459320]
            //   80643128fd           | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        // SSE movq / movzx copies of global data into a stack buffer; the ??
        // bytes are the absolute source addresses of that data.
        $sequence_8 = { f30f7e05???????? 660fd68564e6ffff 0fb705???????? 6689856ce6ffff f30f7e05???????? 660fd68558e6ffff 0fb705???????? }
            // n = 7, score = 100
            //   f30f7e05????????     |                     
            //   660fd68564e6ffff     | movq                qword ptr [ebp - 0x199c], xmm0
            //   0fb705????????       |                     
            //   6689856ce6ffff       | mov                 word ptr [ebp - 0x1994], ax
            //   f30f7e05????????     |                     
            //   660fd68558e6ffff     | movq                qword ptr [ebp - 0x19a8], xmm0
            //   0fb705????????       |                     

        // Same loop body as $sequence_6 (see note there), preceded by a
        // conditional jump and using a different stack buffer.
        $sequence_9 = { 0f84724c0000 8dbda0ddffff 8d4f02 0f1f840000000000 668b07 83c702 6685c0 }
            // n = 7, score = 100
            //   0f84724c0000         | je                  0x4c78
            //   8dbda0ddffff         | lea                 edi, [ebp - 0x2260]
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   668b07               | mov                 ax, word ptr [edi]
            //   83c702               | add                 edi, 2
            //   6685c0               | test                ax, ax

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object
        // must be smaller than 803840 bytes (785 KiB). Because the sequences
        // were selected from unpacked files and memory dumps (see DISCLAIMER),
        // expect matches on unpacked payloads / process memory rather than on a
        // packed dropper. Given the overlapping sequences noted above, the
        // effective number of independent code regions behind a match is lower
        // than the threshold suggests — assign confidence accordingly.
        7 of them and filesize < 803840
}