win.akira

Akira


There is no description at this point.

References
2023-09-15 | CyberCX | Phill Moore, Zach Stanford, Suyash Tripathi, Yogesh Khatri
@online{moore:20230915:weaponising:debcaf2, author = {Phill Moore and Zach Stanford and Suyash Tripathi and Yogesh Khatri}, title = {{Weaponising VMs to bypass EDR – Akira ransomware}}, date = {2023-09-15}, organization = {CyberCX}, url = {https://cybercx.com.au/blog/akira-ransomware/}, language = {English}, urldate = {2023-09-15} } Weaponising VMs to bypass EDR – Akira ransomware
Akira
2023-08-23 | Stairwell | Silas Cutler
@online{cutler:20230823:akira:a29f423, author = {Silas Cutler}, title = {{Akira: Pulling on the chains of ransomware}}, date = {2023-08-23}, organization = {Stairwell}, url = {https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/}, language = {English}, urldate = {2023-08-25} } Akira: Pulling on the chains of ransomware
Akira
2023-07-26 | Arctic Wolf | Steven Campbell, Akshay Suthar, Connor Belfiore
@online{campbell:20230726:conti:8d7c03f, author = {Steven Campbell and Akshay Suthar and Connor Belfiore}, title = {{Conti and Akira: Chained Together}}, date = {2023-07-26}, organization = {Arctic Wolf}, url = {https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/}, language = {English}, urldate = {2023-07-27} } Conti and Akira: Chained Together
Akira Conti
2023-06-29 | Avast Decoded | Threat Research Team
@online{team:20230629:decrypted:9d80eb8, author = {Threat Research Team}, title = {{Decrypted: Akira Ransomware}}, date = {2023-06-29}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/}, language = {English}, urldate = {2023-07-02} } Decrypted: Akira Ransomware
Akira
2023-05-09 | Sophos | Paul Jaramillo
@online{jaramillo:20230509:akira:55a936a, author = {Paul Jaramillo}, title = {{Akira Ransomware is “bringin’ 1988 back”}}, date = {2023-05-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/}, language = {English}, urldate = {2023-05-11} } Akira Ransomware is “bringin’ 1988 back”
Akira
2023-04-28 | Twitter (@MalGamy12) | Gameel Ali
@online{ali:20230428:explaning:21f000e, author = {Gameel Ali}, title = {{Tweet explaining similarity between Conti and Akira code}}, date = {2023-04-28}, organization = {Twitter (@MalGamy12)}, url = {https://twitter.com/MalGamy12/status/1651972583615602694}, language = {English}, urldate = {2023-05-25} } Tweet explaining similarity between Conti and Akira code
Akira
Yara Rules
[TLP:WHITE] win_akira_auto (20230715 | Detects win.akira.)
rule win_akira_auto {
    // Auto-generated code-pattern rule for the win.akira family (see meta and the
    // DISCLAIMER below). It matches raw instruction byte sequences lifted from
    // memory dumps / unpacked files, so it is a static hunting and triage
    // signature: a hit indicates code overlap with the documented sample(s), not a
    // confirmed infection, and packed or substantially rebuilt variants may not
    // match. Assign confidence accordingly and corroborate with other telemetry.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.akira."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings. The
        // "????????" wildcards mask the 4-byte relative displacement after 0xe8
        // (call rel32) and 0xe9 (jmp rel32), which changes between builds and
        // would otherwise make the pattern brittle.
        //
        // NOTE(review): the hex is the authoritative part of each string. The
        // mnemonic column to its right appears misaligned with the bytes it
        // annotates -- the sequences carry x86-64 REX prefixes (0x41/0x44/0x48/
        // 0x49/0x4c/0x4d), yet many 0x48-prefixed encodings are annotated
        // "dec eax", which is how 0x48 decodes in 32-bit mode. Treat the
        // mnemonics as informational only and re-disassemble the bytes in
        // 64-bit mode before reasoning about what a sequence does.
        $sequence_0 = { 4d3bca 7223 49893b 41c7430802000000 41c6431001 e9???????? b8ffffffff }
            // n = 7, score = 100
            //   4d3bca               | mov                 dword ptr [esp + 0x20], ebp
            //   7223                 | inc                 ecx
            //   49893b               | sub                 dh, bh
            //   41c7430802000000     | imul                ebp, edi
            //   41c6431001           | inc                 eax
            //   e9????????           |                     
            //   b8ffffffff           | movsx               eax, dh

        $sequence_1 = { e8???????? 4c8bc0 488bd3 488d4c2440 e8???????? 488d154de80600 488d4c2440 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8bc0               | dec                 eax
            //   488bd3               | sub                 esp, ecx
            //   488d4c2440           | dec                 eax
            //   e8????????           |                     
            //   488d154de80600       | lea                 ebx, [esp + 0x50]
            //   488d4c2440           | dec                 eax

        $sequence_2 = { 488d8597010000 4c8bc7 0f1f840000000000 49ffc0 6642833c4000 75f5 488d9597010000 }
            // n = 7, score = 100
            //   488d8597010000       | dec                 eax
            //   4c8bc7               | mov                 eax, dword ptr [ebp - 8]
            //   0f1f840000000000     | dec                 eax
            //   49ffc0               | mov                 ebx, dword ptr [eax + 0x88]
            //   6642833c4000         | dec                 eax
            //   75f5                 | mov                 eax, dword ptr [ebp - 0x20]
            //   488d9597010000       | dec                 eax

        $sequence_3 = { 742c 4c8bc6 488d15fbf80400 488bcf e8???????? 488d55c0 48837dd810 }
            // n = 7, score = 100
            //   742c                 | dec                 eax
            //   4c8bc6               | mov                 edi, eax
            //   488d15fbf80400       | jmp                 0x3c2
            //   488bcf               | dec                 ecx
            //   e8????????           |                     
            //   488d55c0             | mov                 edi, ebp
            //   48837dd810           | dec                 eax

        $sequence_4 = { 488bd9 488bc2 488d0d45550400 0f57c0 488d5308 48890b 488d4808 }
            // n = 7, score = 100
            //   488bd9               | mov                 edi, dword ptr [edi + 8]
            //   488bc2               | dec                 eax
            //   488d0d45550400       | test                edi, edi
            //   0f57c0               | jne                 0x4f
            //   488d5308             | dec                 eax
            //   48890b               | mov                 edi, dword ptr [ebp - 0x79]
            //   488d4808             | dec                 eax

        $sequence_5 = { 488d542420 e8???????? 8bf8 85c0 750d f744243010000000 0f95c3 }
            // n = 7, score = 100
            //   488d542420           | test                edi, edi
            //   e8????????           |                     
            //   8bf8                 | jne                 0x649
            //   85c0                 | mov                 edx, dword ptr [esp + 0x3b8]
            //   750d                 | cmp                 edx, 0x3b9aca00
            //   f744243010000000     | dec                 eax
            //   0f95c3               | lea                 eax, [esp + 0x50]

        $sequence_6 = { 488b842430010000 668910 4c892b e8???????? eb7a 0f1f00 488d4b28 }
            // n = 7, score = 100
            //   488b842430010000     | add                 edx, ecx
            //   668910               | dec                 eax
            //   4c892b               | sar                 edx, 6
            //   e8????????           |                     
            //   eb7a                 | dec                 eax
            //   0f1f00               | mov                 eax, edx
            //   488d4b28             | dec                 eax

        $sequence_7 = { 0f57c0 0f118580110000 0f57c9 660f7f8d90110000 488d85d9010000 4c8bc7 660f1f440000 }
            // n = 7, score = 100
            //   0f57c0               | mov                 eax, edi
            //   0f118580110000       | nop                 dword ptr [eax + eax]
            //   0f57c9               | dec                 ecx
            //   660f7f8d90110000     | inc                 eax
            //   488d85d9010000       | movups              xmmword ptr [ebp + 0xfc0], xmm0
            //   4c8bc7               | xorps               xmm1, xmm1
            //   660f1f440000         | movdqa              xmmword ptr [ebp + 0xfd0], xmm1

        $sequence_8 = { 4688840da5000000 49ffc1 4983f90a 72a1 0f57c0 0f1185c00c0000 0f57c9 }
            // n = 7, score = 100
            //   4688840da5000000     | cmp                 ecx, dword ptr [eax]
            //   49ffc1               | jne                 0xd18
            //   4983f90a             | dec                 eax
            //   72a1                 | add                 eax, 2
            //   0f57c0               | dec                 ecx
            //   0f1185c00c0000       | sub                 edx, esp
            //   0f57c9               | jne                 0xcc9

        $sequence_9 = { 6666660f1f840000000000 420fb68c0d84000000 83e955 446bc11f b809040281 41f7e8 }
            // n = 6, score = 100
            //   6666660f1f840000000000     | dec    ecx
            //   420fb68c0d84000000     | inc    eax
            //   83e955               | inc                 dx
            //   446bc11f             | cmp                 dword ptr [eax + eax*2], 0
            //   b809040281           | movdqa              xmmword ptr [ebp + 0x1070], xmm1
            //   41f7e8               | dec                 eax

    condition:
        // Fire when at least 7 of the 10 sequences are present, which tolerates
        // some code churn between builds while keeping a single coincidental
        // sequence from triggering. The filesize cap (in bytes) restricts
        // scanning to binaries no larger than the generator's threshold --
        // presumably derived from the reference sample; confirm before relaxing
        // it, since larger packed or bundled variants would be excluded.
        7 of them and filesize < 1219584
}