win.aurora

Aurora

aka: OneKeyLocker

Actor(s): Oktropys


Ransomware

References
2023-04-18MorphisecArnold Osipov, Michael Dereviashkin
@online{osipov:20230418:what:516436d, author = {Arnold Osipov and Michael Dereviashkin}, title = {{What Makes Invalid Printer Loader So Stealthy?}}, date = {2023-04-18}, organization = {Morphisec}, url = {https://blog.morphisec.com/in2al5d-p3in4er}, language = {English}, urldate = {2023-04-22} } What Makes Invalid Printer Loader So Stealthy?
Aurora
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2019-01-04Bleeping ComputerLawrence Abrams
@online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } How to Decrypt the Aurora Ransomware with AuroraDecrypter
Aurora
2018-08-18Bleeping ComputerVishal Thakur
@online{thakur:20180818:azorult:e096002, author = {Vishal Thakur}, title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}}, date = {2018-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/}, language = {English}, urldate = {2019-12-20} } AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-05-29Twitter (@malwrhunterteam)MalwareHunterTeam
@online{malwarehunterteam:20180529:aurora:867bacc, author = {MalwareHunterTeam}, title = {{Tweet on Aurora / OneKeyLocker Ransomware}}, date = {2018-05-29}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1001461507513880576}, language = {English}, urldate = {2020-03-02} } Tweet on Aurora / OneKeyLocker Ransomware
Aurora
Yara Rules
[TLP:WHITE] win_aurora_auto (20230407 | Detects win.aurora.)
rule win_aurora_auto {
    // Autogenerated code-sequence signature for the Aurora (aka OneKeyLocker)
    // ransomware family, catalogued by Malpedia as win.aurora.
    // Each $sequence_N below is a short run of 32-bit x86 instruction bytes
    // lifted from disassembly (ebp/esi/edi-relative dword/byte accesses).
    // "??" wildcards stand for bytes the generator does not pin down: the
    // operands of e8 (call), 68 (push imm32) and 8b35 (mov esi, [imm32])
    // are left blank in the disassembly column — presumably addresses that
    // vary between builds or load positions, hence not signature-worthy.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.aurora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes yara-signator was configured with when selecting sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora"
        malpedia_rule_date = "20230328"
        // NOTE(review): malpedia_hash presumably identifies the Malpedia data
        // snapshot this rule was generated from, not a sample hash — confirm
        // before treating it as an indicator.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // The rule targets unpacked code (see DISCLAIMER): run it against memory
    // dumps or unpacked files; a packed on-disk sample is not expected to match.

    strings:
        // $sequence_0/1/4/9 and $sequence_5 share a "store 0xf at +0x14 / store 0 at +0x10"
        // (or the matching "cmp [esi + 0x14], 0x10 ; jb") shape. This looks like the
        // MSVC std::string small-buffer initialisation / capacity check — TODO confirm.
        // If so, these sequences are compiler-library code rather than family-specific
        // logic and could also appear in unrelated MSVC C++ binaries; the
        // "7 of them" threshold in the condition is what keeps the rule selective.
        $sequence_0 = { 8d8d70ffffff c745e40f000000 c745e000000000 c645d000 e8???????? c645fc04 }
            // n = 6, score = 300
            //   8d8d70ffffff         | lea                 ecx, [ebp - 0x90]
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c645d000             | mov                 byte ptr [ebp - 0x30], 0
            //   e8????????           |                     
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4

        $sequence_1 = { 6a03 68???????? 8d8dbcefffff c785d0efffff0f000000 c785ccefffff00000000 }
            // n = 5, score = 300
            //   6a03                 | push                3
            //   68????????           |                     
            //   8d8dbcefffff         | lea                 ecx, [ebp - 0x1044]
            //   c785d0efffff0f000000     | mov    dword ptr [ebp - 0x1030], 0xf
            //   c785ccefffff00000000     | mov    dword ptr [ebp - 0x1034], 0

        $sequence_2 = { 57 8b7a10 6a78 c746140f000000 c7461000000000 8975f8 }
            // n = 6, score = 300
            //   57                   | push                edi
            //   8b7a10               | mov                 edi, dword ptr [edx + 0x10]
            //   6a78                 | push                0x78
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c7461000000000       | mov                 dword ptr [esi + 0x10], 0
            //   8975f8               | mov                 dword ptr [ebp - 8], esi

        // Byte-wise "xor then imul by 0x1000193" loop. 0x1000193 is the 32-bit
        // FNV prime, so this is presumably an FNV-1a-style hash over a buffer
        // (e.g. for string/import lookup) — unverified; a distinctive, family-
        // independent constant, but more specific than the string-init sequences.
        $sequence_3 = { 394db8 7612 0fb60419 41 33c7 69f893010001 }
            // n = 6, score = 300
            //   394db8               | cmp                 dword ptr [ebp - 0x48], ecx
            //   7612                 | jbe                 0x14
            //   0fb60419             | movzx               eax, byte ptr [ecx + ebx]
            //   41                   | inc                 ecx
            //   33c7                 | xor                 eax, edi
            //   69f893010001         | imul                edi, eax, 0x1000193

        $sequence_4 = { 8d8d14efffff c78528efffff0f000000 c78524efffff00000000 c68514efffff00 e8???????? }
            // n = 5, score = 300
            //   8d8d14efffff         | lea                 ecx, [ebp - 0x10ec]
            //   c78528efffff0f000000     | mov    dword ptr [ebp - 0x10d8], 0xf
            //   c78524efffff00000000     | mov    dword ptr [ebp - 0x10dc], 0
            //   c68514efffff00       | mov                 byte ptr [ebp - 0x10ec], 0
            //   e8????????           |                     

        $sequence_5 = { 85ff 75da 837e1410 897e10 720d 8b06 }
            // n = 6, score = 300
            //   85ff                 | test                edi, edi
            //   75da                 | jne                 0xffffffdc
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   720d                 | jb                  0xf
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_6 = { 7414 8d8d70ffffff e8???????? c645fc02 e9???????? 83ec0c }
            // n = 6, score = 300
            //   7414                 | je                  0x16
            //   8d8d70ffffff         | lea                 ecx, [ebp - 0x90]
            //   e8????????           |                     
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   e9????????           |                     
            //   83ec0c               | sub                 esp, 0xc

        // Accumulates 6-bit chunks (shl edi, 6 ; add edi, eax ; add ecx, 6);
        // possibly part of a base64-style decoder — unverified.
        $sequence_7 = { 0f8483000000 c1e706 03f8 83c106 894ddc 7869 8bc7 }
            // n = 7, score = 300
            //   0f8483000000         | je                  0x89
            //   c1e706               | shl                 edi, 6
            //   03f8                 | add                 edi, eax
            //   83c106               | add                 ecx, 6
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   7869                 | js                  0x6b
            //   8bc7                 | mov                 eax, edi

        $sequence_8 = { 8d4dbc e8???????? 83c418 8bd8 c645fc01 b801000000 8b35???????? }
            // n = 7, score = 300
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8bd8                 | mov                 ebx, eax
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   b801000000           | mov                 eax, 1
            //   8b35????????         |                     

        $sequence_9 = { 6a02 68???????? 8d8d14efffff c78528efffff0f000000 }
            // n = 4, score = 300
            //   6a02                 | push                2
            //   68????????           |                     
            //   8d8d14efffff         | lea                 ecx, [ebp - 0x10ec]
            //   c78528efffff0f000000     | mov    dword ptr [ebp - 0x10d8], 0xf

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object
        // must be smaller than 827392 bytes (808 KiB). The size bound is
        // presumably derived from the reference sample(s); a padded or
        // repacked build above it will not match even if every sequence hits.
        7 of them and filesize < 827392
}