win.afrodita

Afrodita


There is no description at this point.

References
2020-01-14Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200114:afrodita:8f0a6b2, author = {Albert Zsigovits}, title = {{Afrodita ransomware}}, date = {2020-01-14}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md}, language = {English}, urldate = {2020-01-14} } Afrodita ransomware
Afrodita
2020-01-09Dissecting MalwareMarius Genheimer
@online{genheimer:20200109:not:187b390, author = {Marius Genheimer}, title = {{Not so nice after all - Afrodita Ransomware}}, date = {2020-01-09}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html}, language = {English}, urldate = {2020-03-27} } Not so nice after all - Afrodita Ransomware
Afrodita
2019-12-03Twitter (@_CPResearch_)Check Point Research
@online{research:20191203:afrodita:8c3d9fc, author = {Check Point Research}, title = {{Tweet on Afrodita Ransomware}}, date = {2019-12-03}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1201957880909484033}, language = {English}, urldate = {2020-01-07} } Tweet on Afrodita Ransomware
Afrodita
Yara Rules
[TLP:WHITE] win_afrodita_auto (20220411 | Detects win.afrodita.)
rule win_afrodita_auto {

    /*
     * Auto-generated (yara-signator) code-sequence rule for win.afrodita.
     * It fires when at least 7 of the 10 $sequence_* byte patterns below are
     * found and the scanned object is smaller than 2334720 bytes (see
     * condition). The sequences were selected from disassembly of memory
     * dumps and unpacked files (see DISCLAIMER), so a packed sample on disk
     * may not match until it is unpacked or dumped.
     * Each "// n = X, score = Y" annotation is generator output: n is the
     * number of instructions in the sequence (matches the listed lines);
     * score is yara-signator's ranking value for the sequence (its exact
     * meaning is defined by the generator, not by this rule).
     * "??" bytes are YARA hex-string wildcards; in the "e8????????" entries
     * they mask the 4-byte relative displacement of a near call, which is
     * why the disassembly column for those lines is blank.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.afrodita."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb64d87 bb01000000 84c0 8bd3 68b8000000 0f45d1 899574ffffff }
            // n = 7, score = 300
            //   0fb64d87             | movzx               ecx, byte ptr [ebp - 0x79]
            //   bb01000000           | mov                 ebx, 1
            //   84c0                 | test                al, al
            //   8bd3                 | mov                 edx, ebx
            //   68b8000000           | push                0xb8
            //   0f45d1               | cmovne              edx, ecx
            //   899574ffffff         | mov                 dword ptr [ebp - 0x8c], edx

        $sequence_1 = { 6a00 50 51 8b4e30 e8???????? 8b4630 8b55c8 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8b4e30               | mov                 ecx, dword ptr [esi + 0x30]
            //   e8????????           |                     
            //   8b4630               | mov                 eax, dword ptr [esi + 0x30]
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]

        $sequence_2 = { 83e3fd e8???????? f6c301 7408 8d4d8c e8???????? 807d1b00 }
            // n = 7, score = 300
            //   83e3fd               | and                 ebx, 0xfffffffd
            //   e8????????           |                     
            //   f6c301               | test                bl, 1
            //   7408                 | je                  0xa
            //   8d4d8c               | lea                 ecx, dword ptr [ebp - 0x74]
            //   e8????????           |                     
            //   807d1b00             | cmp                 byte ptr [ebp + 0x1b], 0

        $sequence_3 = { ff524c 8b37 8bc8 8b10 ff5220 50 ff75c8 }
            // n = 7, score = 300
            //   ff524c               | call                dword ptr [edx + 0x4c]
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   8bc8                 | mov                 ecx, eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ff5220               | call                dword ptr [edx + 0x20]
            //   50                   | push                eax
            //   ff75c8               | push                dword ptr [ebp - 0x38]

        $sequence_4 = { 0f8425010000 8b4508 0fb77d0c 8b4d10 57 8b400c }
            // n = 6, score = 300
            //   0f8425010000         | je                  0x12b
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb77d0c             | movzx               edi, word ptr [ebp + 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   57                   | push                edi
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_5 = { c745fc04000000 395d10 0f8600010000 6690 6a02 8d8d70ffffff e8???????? }
            // n = 7, score = 300
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   395d10               | cmp                 dword ptr [ebp + 0x10], ebx
            //   0f8600010000         | jbe                 0x106
            //   6690                 | nop                 
            //   6a02                 | push                2
            //   8d8d70ffffff         | lea                 ecx, dword ptr [ebp - 0x90]
            //   e8????????           |                     

        $sequence_6 = { 8bda c1eb1f 03da 83fb01 766a 83c3fe 83fb01 }
            // n = 7, score = 300
            //   8bda                 | mov                 ebx, edx
            //   c1eb1f               | shr                 ebx, 0x1f
            //   03da                 | add                 ebx, edx
            //   83fb01               | cmp                 ebx, 1
            //   766a                 | jbe                 0x6c
            //   83c3fe               | add                 ebx, -2
            //   83fb01               | cmp                 ebx, 1

        $sequence_7 = { 66c1e108 660bc8 0fb7c9 8b4508 6a00 57 668908 }
            // n = 7, score = 300
            //   66c1e108             | shl                 cx, 8
            //   660bc8               | or                  cx, ax
            //   0fb7c9               | movzx               ecx, cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   57                   | push                edi
            //   668908               | mov                 word ptr [eax], cx

        $sequence_8 = { ff90a8000000 8bc8 8b857cffffff 898578ffffff 394754 }
            // n = 5, score = 300
            //   ff90a8000000         | call                dword ptr [eax + 0xa8]
            //   8bc8                 | mov                 ecx, eax
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   898578ffffff         | mov                 dword ptr [ebp - 0x88], eax
            //   394754               | cmp                 dword ptr [edi + 0x54], eax

        $sequence_9 = { 8bcf c7472000000000 ff5018 8b4f18 8b5d08 8b410c 394118 }
            // n = 7, score = 300
            //   8bcf                 | mov                 ecx, edi
            //   c7472000000000       | mov                 dword ptr [edi + 0x20], 0
            //   ff5018               | call                dword ptr [eax + 0x18]
            //   8b4f18               | mov                 ecx, dword ptr [edi + 0x18]
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   394118               | cmp                 dword ptr [ecx + 0x18], eax

    // Threshold match: 7 of the 10 sequences must be present, which tolerates
    // a few sequences being absent (e.g. a different build) while still
    // requiring substantial code overlap. The size bound limits false
    // positives on large files; note that `filesize` is defined for file
    // scans — check the YARA documentation for its value when scanning
    // process memory before relying on this rule there.
    condition:
        7 of them and filesize < 2334720
}