win.aurora (Back to overview)

Aurora

aka: OneKeyLocker

Actor(s): Oktropys


Ransomware

References
2023-04-18 — Morphisec — Arnold Osipov, Michael Dereviashkin
What Makes Invalid Printer Loader So Stealthy?
Aurora
2023-04-12 — Spamhaus — Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2019-01-04 — Bleeping Computer — Lawrence Abrams
How to Decrypt the Aurora Ransomware with AuroraDecrypter
Aurora
2018-08-18 — Bleeping Computer — Vishal Thakur
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-05-29 — Twitter (@malwrhunterteam) — MalwareHunterTeam
Tweet on Aurora / OneKeyLocker Ransomware
Aurora
Yara Rules
[TLP:WHITE] win_aurora_auto (20230808 | Detects win.aurora.)
/*
 * win_aurora_auto — autogenerated detection for the win.aurora ransomware family
 * (Malpedia), produced by yara-signator from disassembly of unpacked / dumped samples.
 *
 * Matching logic: ten x86 (32-bit) opcode byte sequences ($sequence_0..$sequence_9);
 * the rule fires when at least 7 of them are present AND the scanned object is smaller
 * than 827392 bytes (see the condition block). Because the byte patterns were taken
 * from memory dumps and unpacked files (see DISCLAIMER below), packed on-disk samples
 * will likely not match; scan unpacked samples or process memory for best coverage.
 */
rule win_aurora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE: `date` (2023-12-06) differs from `malpedia_version` / the page heading
        // (20230808) and `malpedia_rule_date` (20231130); values are kept as published.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.aurora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is a raw x86 instruction byte sequence; the per-instruction
        // comments give the generator's disassembly. `??` bytes are YARA wildcards
        // standing in for operands that vary between builds (e.g. the imm32 of a
        // `push` or the rel32 of a `call`), so those instructions carry no mnemonic.
        // In the annotations, `n` is the number of instructions in the sequence;
        // `score` is the generator's ranking value (see yara-signator docs for its meaning).
        $sequence_0 = { 8b4e14 8945d4 8b4610 3bc1 7530 40 83f8fe }
            // n = 7, score = 300
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   3bc1                 | cmp                 eax, ecx
            //   7530                 | jne                 0x32
            //   40                   | inc                 eax
            //   83f8fe               | cmp                 eax, -2

        $sequence_1 = { c645fc03 8d4dd8 837dec08 8d5dd8 }
            // n = 4, score = 300
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   837dec08             | cmp                 dword ptr [ebp - 0x14], 8
            //   8d5dd8               | lea                 ebx, [ebp - 0x28]

        $sequence_2 = { 8aca c0e206 0255d3 c0e902 80e10f }
            // n = 5, score = 300
            //   8aca                 | mov                 cl, dl
            //   c0e206               | shl                 dl, 6
            //   0255d3               | add                 dl, byte ptr [ebp - 0x2d]
            //   c0e902               | shr                 cl, 2
            //   80e10f               | and                 cl, 0xf

        $sequence_3 = { ebd9 837b1410 7202 8b1b }
            // n = 4, score = 300
            //   ebd9                 | jmp                 0xffffffdb
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_4 = { 3bf3 7469 897de8 c645fc01 85ff 7437 c7471000000000 }
            // n = 7, score = 300
            //   3bf3                 | cmp                 esi, ebx
            //   7469                 | je                  0x6b
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   85ff                 | test                edi, edi
            //   7437                 | je                  0x39
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0

        $sequence_5 = { 6a00 c741140f000000 c7411000000000 68???????? c60100 e8???????? 8d8df8fbffff }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   68????????           |                     (push imm32 — operand wildcarded)
            //   c60100               | mov                 byte ptr [ecx], 0
            //   e8????????           |                     (call rel32 — target wildcarded)
            //   8d8df8fbffff         | lea                 ecx, [ebp - 0x408]

        $sequence_6 = { 83793800 0f45c2 50 e8???????? 8b9df0feffff c745e40f000000 c745e000000000 }
            // n = 7, score = 300
            //   83793800             | cmp                 dword ptr [ecx + 0x38], 0
            //   0f45c2               | cmovne              eax, edx
            //   50                   | push                eax
            //   e8????????           |                     (call rel32 — target wildcarded)
            //   8b9df0feffff         | mov                 ebx, dword ptr [ebp - 0x110]
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0

        $sequence_7 = { c785c8f1ffff0f000000 c785c4f1ffff00000000 c685b4f1ffff00 e8???????? 8d8dccf1ffff }
            // n = 5, score = 300
            //   c785c8f1ffff0f000000     | mov    dword ptr [ebp - 0xe38], 0xf
            //   c785c4f1ffff00000000     | mov    dword ptr [ebp - 0xe3c], 0
            //   c685b4f1ffff00       | mov                 byte ptr [ebp - 0xe4c], 0
            //   e8????????           |                     (call rel32 — target wildcarded)
            //   8d8dccf1ffff         | lea                 ecx, [ebp - 0xe34]

        $sequence_8 = { 68???????? 8d8d24f1ffff c78538f1ffff0f000000 c78534f1ffff00000000 }
            // n = 4, score = 300
            //   68????????           |                     (push imm32 — operand wildcarded)
            //   8d8d24f1ffff         | lea                 ecx, [ebp - 0xedc]
            //   c78538f1ffff0f000000     | mov    dword ptr [ebp - 0xec8], 0xf
            //   c78534f1ffff00000000     | mov    dword ptr [ebp - 0xecc], 0

        $sequence_9 = { 6a02 68???????? 8d8d14efffff c78528efffff0f000000 }
            // n = 4, score = 300
            //   6a02                 | push                2
            //   68????????           |                     (push imm32 — operand wildcarded)
            //   8d8d14efffff         | lea                 ecx, [ebp - 0x10ec]
            //   c78528efffff0f000000     | mov    dword ptr [ebp - 0x10d8], 0xf

    condition:
        // At least 7 of the 10 sequences must be present. The size bound is in bytes
        // (827392 = 808 KiB); anything at or above it is excluded even if all sequences
        // match, so large or overlay-appended files fall outside this rule.
        // NOTE(review): when scanning process memory instead of a file, confirm how your
        // YARA version evaluates `filesize` — an undefined size makes the condition false.
        7 of them and filesize < 827392
}