SYMBOLCOMMON_NAMEaka. SYNONYMS
win.aukill (Back to overview)

AuKill

aka: SophosKill

According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

References
2023-04-19SophosAndreas Klopsch
@online{klopsch:20230419:aukill:cebf5d8, author = {Andreas Klopsch}, title = {{‘AuKill’ EDR killer malware abuses Process Explorer driver}}, date = {2023-04-19}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/}, language = {English}, urldate = {2023-04-22} } ‘AuKill’ EDR killer malware abuses Process Explorer driver
AuKill
Yara Rules
[TLP:WHITE] win_aukill_auto (20230715 | Detects win.aukill.)
rule win_aukill_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.aukill."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48895c2440 48894c2438 4c8d442440 48894c2430 }
            // n = 4, score = 200
            //   48895c2440           | mov                 edx, 0x10000000
            //   48894c2438           | inc                 ebp
            //   4c8d442440           | xor                 ecx, ecx
            //   48894c2430           | dec                 eax

        $sequence_1 = { 771c 488b0b ff15???????? 0fb608 }
            // n = 4, score = 200
            //   771c                 | dec                 eax
            //   488b0b               | mov                 ecx, dword ptr [ebx]
            //   ff15????????         |                     
            //   0fb608               | dec                 eax

        $sequence_2 = { 0f114c2428 f2410f1044d118 f20f11442438 660f7ec8 }
            // n = 4, score = 200
            //   0f114c2428           | movups              xmmword ptr [ebp - 0x20], xmm0
            //   f2410f1044d118       | movups              xmmword ptr [ebp - 0x10], xmm0
            //   f20f11442438         | movups              xmmword ptr [ebp - 0x40], xmm0
            //   660f7ec8             | dec                 eax

        $sequence_3 = { 488bd3 33c9 ff15???????? 85c0 751f 488b4c2458 ff15???????? }
            // n = 7, score = 200
            //   488bd3               | mov                 eax, dword ptr [ecx + edi*8]
            //   33c9                 | inc                 edx
            //   ff15????????         |                     
            //   85c0                 | test                byte ptr [eax + 0x38], 1
            //   751f                 | dec                 ecx
            //   488b4c2458           | sar                 edi, 6
            //   ff15????????         |                     

        $sequence_4 = { ba28000000 488bc8 ff15???????? 85c0 7514 ff15???????? }
            // n = 6, score = 200
            //   ba28000000           | mov                 eax, esi
            //   488bc8               | dec                 ebp
            //   ff15????????         |                     
            //   85c0                 | lea                 ecx, [esp + 0x10]
            //   7514                 | dec                 esp
            //   ff15????????         |                     

        $sequence_5 = { e8???????? 4c8bc8 4533c0 4489442420 453b01 7346 4b8d1440 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4c8bc8               | dec                 eax
            //   4533c0               | mov                 edi, eax
            //   4489442420           | movzx               ecx, byte ptr [edx + eax*4 + 0x20cf2]
            //   453b01               | inc                 ecx
            //   7346                 | cmp                 ecx, esp
            //   4b8d1440             | jne                 0x1450

        $sequence_6 = { 4c897c2428 4c8d442440 41b910000000 4c897c2420 }
            // n = 4, score = 200
            //   4c897c2428           | mov                 ecx, ebx
            //   4c8d442440           | jmp                 0x13d
            //   41b910000000         | inc                 cx
            //   4c897c2420           | cmp                 eax, 0x2a

        $sequence_7 = { 85c0 751f 488b4c2458 ff15???????? ff15???????? }
            // n = 5, score = 200
            //   85c0                 | dec                 eax
            //   751f                 | mov                 ecx, ebx
            //   488b4c2458           | test                edi, edi
            //   ff15????????         |                     
            //   ff15????????         |                     

        $sequence_8 = { 410f104cd108 0f114c2428 f2410f1044d118 f20f11442438 }
            // n = 4, score = 200
            //   410f104cd108         | xor                 edx, edx
            //   0f114c2428           | dec                 eax
            //   f2410f1044d118       | lea                 ecx, [esp + 0x9a]
            //   f20f11442438         | inc                 ecx

        $sequence_9 = { 771c 488b0b ff15???????? 0fb608 fec9 0fb6d1 488b0b }
            // n = 7, score = 200
            //   771c                 | dec                 eax
            //   488b0b               | mov                 ecx, eax
            //   ff15????????         |                     
            //   0fb608               | dec                 eax
            //   fec9                 | lea                 edx, [0x2c2d]
            //   0fb6d1               | dec                 eax
            //   488b0b               | lea                 ecx, [0x2b54]

    condition:
        7 of them and filesize < 446464
}
Download all Yara Rules