SYMBOLCOMMON_NAMEaka. SYNONYMS
win.akira (Back to overview)

Akira

VTCollection    

There is no description at this point.

References
2024-01-04Arctic WolfStefan Hostetler, Steven Campbell
Follow-On Extortion Campaign Targeting Victims of Akira and Royal Ransomware
Akira Royal Ransom
2023-12-20Sophos X-OpsMark Loman, Matt Wixey
CryptoGuard: An asymmetric approach to the ransomware battle
Akira LockBit
2023-12-13Kaspersky LabsGReAT
FakeSG campaign, Akira ransomware and AMOS macOS stealer
AMOS Akira
2023-11-29TrellixAlexandre Mundo, Max Kersten
Akira Ransomware
Akira
2023-11-29TrellixAlexandre Mundo, Max Kersten
Akira Ransomware
Akira Akira
2023-11-28IntrinsecCERT Intrinsec, Intrinsec
Aki-RATs – Command and Control Party
Akira
2023-09-15CyberCXPhill Moore, Suyash Tripathi, Yogesh Khatri, Zach Stanford
Weaponising VMs to bypass EDR – Akira ransomware
Akira
2023-09-14SekoiaLivia Tibirna
Sekoia.io mid-2023 Ransomware Threat Landscape
8Base Akira Cactus
2023-08-23StairwellSilas Cutler
Akira: Pulling on the chains of ransomware
Akira
2023-07-27Bankinfo SecurityMathew J. Schwartz
Are Akira Ransomware's Crypto-Locking Malware Days Numbered?
Akira Ryuk
2023-07-26Arctic WolfAkshay Suthar, Connor Belfiore, Steven Campbell
Conti and Akira: Chained Together
Akira Conti
2023-06-29Avast DecodedThreat Research Team
Decrypted: Akira Ransomware
Akira
2023-05-09SophosPaul Jaramillo
Akira Ransomware is “bringin’ 1988 back”
Akira
2023-04-28Twitter (@MalGamy12)Gameel Ali
Tweet explaning similarity between Conti and Akira code
Akira
Yara Rules
[TLP:WHITE] win_akira_auto (20230808 | Detects win.akira.)
rule win_akira_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.akira."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b01 85c0 7e18 ffc8 8901 498b4840 488b11 }
            // n = 7, score = 200
            //   8b01                 | mov                 dword ptr [ebp - 0x41], esi
            //   85c0                 | xor                 cl, cl
            //   7e18                 | mov                 byte ptr [ebp + 0x77], cl
            //   ffc8                 | inc                 ebp
            //   8901                 | xor                 edi, edi
            //   498b4840             | inc                 esp
            //   488b11               | mov                 dword ptr [ebp - 0x69], edi

        $sequence_1 = { 418bc9 83c902 41f6c108 410f44c9 81e13bffffff 390d???????? 741d }
            // n = 7, score = 200
            //   418bc9               | mov                 byte ptr [ebp + 0x6f4], 0x37
            //   83c902               | mov                 byte ptr [ebp + 0x6f5], 0x74
            //   41f6c108             | mov                 byte ptr [ebp + 0x6f6], 0x37
            //   410f44c9             | mov                 byte ptr [ebp + 0x6f7], 0x74
            //   81e13bffffff         | mov                 byte ptr [ebp + 0x6f8], 0x62
            //   390d????????         |                     
            //   741d                 | mov                 byte ptr [ebp + 0x6f9], 0x74

        $sequence_2 = { 90 488b4b60 48894c2430 4885c9 7445 488b5370 4889542440 }
            // n = 7, score = 200
            //   90                   | inc                 dx
            //   488b4b60             | cmp                 dword ptr [eax + eax*2], 0
            //   48894c2430           | jne                 0x6bb
            //   4885c9               | dec                 eax
            //   7445                 | lea                 edx, [ebp + 0x113]
            //   488b5370             | dec                 eax
            //   4889542440           | lea                 ecx, [ebp + 0xe80]

        $sequence_3 = { 7cee 488bcb 488b5c2430 4883c420 5f e9???????? 0fb6043b }
            // n = 7, score = 200
            //   7cee                 | mov                 byte ptr [edi + 0x321], al
            //   488bcb               | dec                 eax
            //   488b5c2430           | mov                 eax, dword ptr [edi + 0x81]
            //   4883c420             | dec                 eax
            //   5f                   | lea                 edx, [edi + 0x5a0]
            //   e9????????           |                     
            //   0fb6043b             | dec                 ecx

        $sequence_4 = { ff5208 90 488b4b60 48894c2430 4885c9 7445 488b5370 }
            // n = 7, score = 200
            //   ff5208               | nop                 
            //   90                   | mov                 byte ptr [ebp - 4], 0
            //   488b4b60             | mov                 byte ptr [ebp - 3], 0x52
            //   48894c2430           | mov                 byte ptr [ebp - 2], 0x76
            //   4885c9               | mov                 byte ptr [ebp - 1], 0xd
            //   7445                 | mov                 byte ptr [ebp], 0x76
            //   488b5370             | mov                 byte ptr [ebp + 1], 0x23

        $sequence_5 = { e8???????? 488975d0 488b4dd8 488975d8 48894808 0f1045e0 0f114010 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488975d0             | lea                 ecx, [0x74d6a]
            //   488b4dd8             | mov                 dword ptr [esp + 0x60], 2
            //   488975d8             | jne                 0x6a8
            //   48894808             | dec                 eax
            //   0f1045e0             | lea                 ecx, [0xcfa1]
            //   0f114010             | dec                 eax

        $sequence_6 = { 4488443c6e 48ffc7 4883ff0a 72ac 0f57c0 0f118590020000 0f57c9 }
            // n = 7, score = 200
            //   4488443c6e           | lea                 ecx, [ebp - 0x79]
            //   48ffc7               | dec                 eax
            //   4883ff0a             | sub                 eax, ecx
            //   72ac                 | dec                 eax
            //   0f57c0               | cmp                 eax, 0x16
            //   0f118590020000       | jae                 0x1896
            //   0f57c9               | mov                 byte ptr [ebp + 0x77], 1

        $sequence_7 = { 740a e8???????? 488bd8 eb03 498bdd 49897e18 }
            // n = 6, score = 200
            //   740a                 | dec                 ecx
            //   e8????????           |                     
            //   488bd8               | inc                 eax
            //   eb03                 | inc                 dx
            //   498bdd               | cmp                 dword ptr [eax + eax*2], 0
            //   49897e18             | jne                 0x14c6

        $sequence_8 = { e8???????? 33f6 41897578 49397568 744d 488b0f 40387128 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   33f6                 | mov                 ecx, dword ptr [eax]
            //   41897578             | cmp                 byte ptr [eax], 0
            //   49397568             | dec                 esp
            //   744d                 | cmovg               esi, eax
            //   488b0f               | inc                 ecx
            //   40387128             | movzx               eax, byte ptr [esi]

        $sequence_9 = { c645bf01 4883ef01 75b4 0f2845bf 33ff 4c8d75cf 48837de710 }
            // n = 7, score = 200
            //   c645bf01             | je                  0x38e
            //   4883ef01             | cmp                 ax, 0x5c
            //   75b4                 | je                  0x35d
            //   0f2845bf             | cmp                 ax, 0x2f
            //   33ff                 | jne                 0x366
            //   4c8d75cf             | dec                 eax
            //   48837de710           | add                 ecx, 2

    condition:
        7 of them and filesize < 1286144
}
Download all Yara Rules