win.aukill

AuKill

aka: SophosKill

According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of Process Explorer, a Microsoft utility, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

References
2023-04-19 — Sophos — Andreas Klopsch
‘AuKill’ EDR killer malware abuses Process Explorer driver
AuKill
Yara Rules
[TLP:WHITE] win_aukill_auto (20260504 | Detects win.aukill.)
rule win_aukill_auto {
    // Auto-generated code-sequence signature for the AuKill EDR-killer family
    // (Malpedia id win.aukill). It matches on ten short x64 instruction byte
    // sequences rather than on strings or imports, so it is only useful on
    // unpacked code (in memory, or an unpacked file on disk) — see the
    // DISCLAIMER below for how the sequences were selected.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.aukill."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte disassembly annotations under each sequence
     * appear misaligned with the hex they sit next to (e.g. 48 89 5c 24 08 is
     * "mov [rsp+8], rbx" in 64-bit code, not "mov eax, 0x1f4"; the "dec eax"
     * lines look like 32-bit decodes of 0x48 REX prefixes). Treat the comments
     * as informational only; the hex bytes are what the rule matches on.
     *
     * For each sequence, "n" is the instruction count (it equals the number of
     * annotated lines) and "score" is yara-signator's ranking for the sequence
     * — presumably higher means more distinctive; confirm against the tool's
     * documentation before using it for triage.
     *
     * The "????????" wildcards mask the 4-byte rel32 / RIP-relative
     * displacements of call (e8, ff15) and memory-operand (488b0d) encodings,
     * which change between builds and relocations, so only the opcode/ModRM
     * bytes are pinned.
     */

    strings:
        $sequence_0 = { 48895c2408 57 4883ec40 0fb7da 8bf9 e8???????? }
            // n = 6, score = 200
            //   48895c2408           | mov                 eax, 0x1f4
            //   57                   | mov                 dword ptr [ecx], eax
            //   4883ec40             | dec                 eax
            //   0fb7da               | mov                 ecx, edi
            //   8bf9                 | nop                 word ptr [eax + eax]
            //   e8????????           |                     

        $sequence_1 = { b940040000 ff15???????? 488bd8 4885c0 }
            // n = 4, score = 200
            //   b940040000           | mov                 ecx, 0x3e8
            //   ff15????????         |                     
            //   488bd8               | dec                 eax
            //   4885c0               | dec                 eax

        $sequence_2 = { f20f11442438 660f7ec8 3bc7 751d 488b442428 48c1e830 }
            // n = 6, score = 200
            //   f20f11442438         | dec                 eax
            //   660f7ec8             | lea                 edx, [0x209e7]
            //   3bc7                 | dec                 eax
            //   751d                 | lea                 ecx, [0x206b0]
            //   488b442428           | jmp                 0x2062
            //   48c1e830             | dec                 eax

        $sequence_3 = { 0fb7da 8bf9 e8???????? 4c8bc8 }
            // n = 4, score = 200
            //   0fb7da               | jne                 0xbb
            //   8bf9                 | dec                 eax
            //   e8????????           |                     
            //   4c8bc8               | lea                 ecx, [esp + 0x70]

        $sequence_4 = { 57 4883ec60 488bfa 8bd9 e8???????? 33c9 }
            // n = 6, score = 200
            //   57                   | nop                 word ptr [eax + eax]
            //   4883ec60             | xor                 esi, esi
            //   488bfa               | dec                 ecx
            //   8bd9                 | mov                 edi, dword ptr [edi + ebx*8]
            //   e8????????           |                     
            //   33c9                 | inc                 ebp

        $sequence_5 = { 85c0 751f 488b4c2458 ff15???????? ff15???????? }
            // n = 5, score = 200
            //   85c0                 | lea                 eax, [ebp - 0x18]
            //   751f                 | dec                 eax
            //   488b4c2458           | mov                 dword ptr [ebp - 0x18], ecx
            //   ff15????????         |                     
            //   ff15????????         |                     

        $sequence_6 = { 33c0 4889442428 c744243001000000 c744243c02000000 448d4810 4889442420 ff15???????? }
            // n = 7, score = 200
            //   33c0                 | inc                 eax
            //   4889442428           | push                ebx
            //   c744243001000000     | dec                 eax
            //   c744243c02000000     | sub                 esp, 0x20
            //   448d4810             | dec                 eax
            //   4889442420           | mov                 ebx, ecx
            //   ff15????????         |                     

        $sequence_7 = { 488b0d???????? 48897c2458 4889442448 ff15???????? }
            // n = 4, score = 200
            //   488b0d????????       |                     
            //   48897c2458           | dec                 eax
            //   4889442448           | cmove               ecx, edx
            //   ff15????????         |                     

        $sequence_8 = { 7346 4b8d1440 410f104cd108 0f114c2428 f2410f1044d118 f20f11442438 }
            // n = 6, score = 200
            //   7346                 | jmp                 0x9e1
            //   4b8d1440             | dec                 eax
            //   410f104cd108         | arpl                ax, cx
            //   0f114c2428           | dec                 eax
            //   f2410f1044d118       | add                 esi, ecx
            //   f20f11442438         | movzx               eax, byte ptr [esi]

        // Note: $sequence_9 is a superset of $sequence_4 (the same bytes with a
        // leading 48895c2408), so the two will usually hit together and count
        // as two of the required seven.
        $sequence_9 = { 48895c2408 57 4883ec60 488bfa 8bd9 e8???????? 33c9 }
            // n = 7, score = 200
            //   48895c2408           | mov                 edx, eax
            //   57                   | dec                 esp
            //   4883ec60             | lea                 eax, [esp + 0x20]
            //   488bfa               | dec                 eax
            //   8bd9                 | lea                 ecx, [0x35aa]
            //   e8????????           |                     
            //   33c9                 | dec                 eax

    condition:
        // Seven of the ten sequences must be present, which tolerates a few
        // sequences being absent or altered in a variant. The size cap
        // (446464 bytes = 436 KiB) bounds scan cost and is derived from the
        // documented sample, so a larger repacked or padded build would be
        // missed. Because the sequences come from unpacked code, scan memory
        // or unpacked files; a packed on-disk sample is unlikely to match.
        // Given the single-sample origin, treat a hit as a lead to corroborate
        // with other telemetry (e.g. the Process Explorer driver loading
        // described in the Sophos reference) rather than as a sole verdict.
        7 of them and filesize < 446464
}