win.aurora

Aurora

aka: OneKeyLocker

Actor(s): Oktropys


Ransomware

References
2023-04-18 — Morphisec — Arnold Osipov, Michael Dereviashkin
What Makes Invalid Printer Loader So Stealthy?
Aurora
2023-04-12 — Spamhaus — Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2019-01-04 — Bleeping Computer — Lawrence Abrams
How to Decrypt the Aurora Ransomware with AuroraDecrypter
Aurora
2018-08-18 — Bleeping Computer — Vishal Thakur
AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-05-29 — Twitter (@malwrhunterteam) — MalwareHunterTeam
Tweet on Aurora / OneKeyLocker Ransomware
Aurora
Yara Rules
[TLP:WHITE] win_aurora_auto (20260504 | Detects win.aurora.)
// Auto-generated code-sequence rule for the Aurora ransomware family
// (a.k.a. OneKeyLocker), produced by yara-signator.
// It matches short x86 instruction byte sequences, not strings or
// configuration data. Per the disclaimer below the sequences were taken from
// disassembly of memory dumps and unpacked files, so the rule is aimed at
// unpacked code: scan memory dumps or unpacked payloads, not only packed
// files on disk, and validate against your own sample set before assigning a
// confidence level.
rule win_aurora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.aurora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used when selecting sequences
        // (calls/jumps, data references, binary values) — see the tool docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora"
        malpedia_rule_date = "20260422"
        // NOTE(review): presumably identifies the Malpedia dataset snapshot the
        // rule was generated from, not a sample hash — do not treat it as an IoC.
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instruction encodings.
        // "??" wildcards mask operand bytes that vary between builds or load
        // addresses: e8???????? is a call with a rel32 target and 68????????
        // a push of a 32-bit immediate (typically a relocated address).
        // In the per-instruction comments, n = instruction count; score is the
        // generator's internal ranking value (semantics not documented here).
        $sequence_0 = { 50 e8???????? 8bb5c8feffff 56 ffd3 46 03f0 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bb5c8feffff         | mov                 esi, dword ptr [ebp - 0x138]
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   46                   | inc                 esi
            //   03f0                 | add                 esi, eax

        // NOTE(review): $sequence_1, $sequence_3 and $sequence_5 all write
        // capacity 0xf / size 0 / first byte 0 into a stack buffer, which looks
        // like the MSVC std::string small-buffer initialisation idiom rather
        // than family-specific logic — unconfirmed. Such compiler/library
        // patterns are weak on their own; the 7-of-10 condition below limits
        // how far they can match alone.
        $sequence_1 = { 8d8db4f1ffff c785c8f1ffff0f000000 c785c4f1ffff00000000 c685b4f1ffff00 e8???????? }
            // n = 5, score = 300
            //   8d8db4f1ffff         | lea                 ecx, [ebp - 0xe4c]
            //   c785c8f1ffff0f000000     | mov    dword ptr [ebp - 0xe38], 0xf
            //   c785c4f1ffff00000000     | mov    dword ptr [ebp - 0xe3c], 0
            //   c685b4f1ffff00       | mov                 byte ptr [ebp - 0xe4c], 0
            //   e8????????           |                     

        // xorps/movq zeroing of an 8-byte stack slot inside a counted loop
        // (edi decremented, backward jne).
        $sequence_2 = { 0f57c0 83c608 660fd645e8 83ef01 0f856cffffff }
            // n = 5, score = 300
            //   0f57c0               | xorps               xmm0, xmm0
            //   83c608               | add                 esi, 8
            //   660fd645e8           | movq                qword ptr [ebp - 0x18], xmm0
            //   83ef01               | sub                 edi, 1
            //   0f856cffffff         | jne                 0xffffff72

        $sequence_3 = { e8???????? 6a03 68???????? 8d8d7cf0ffff c78590f0ffff0f000000 c7858cf0ffff00000000 c6857cf0ffff00 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   6a03                 | push                3
            //   68????????           |                     
            //   8d8d7cf0ffff         | lea                 ecx, [ebp - 0xf84]
            //   c78590f0ffff0f000000     | mov    dword ptr [ebp - 0xf70], 0xf
            //   c7858cf0ffff00000000     | mov    dword ptr [ebp - 0xf74], 0
            //   c6857cf0ffff00       | mov                 byte ptr [ebp - 0xf84], 0

        // NOTE(review): the "compare capacity with 0x10, then cmovae" shape
        // here (and the 0x10 checks in $sequence_7/$sequence_8) resembles the
        // MSVC std::string inline-buffer-vs-heap-pointer selection — unconfirmed.
        $sequence_4 = { e8???????? ff75e8 837dec10 8d45d8 6a00 0f4345d8 8d4da8 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   6a00                 | push                0
            //   0f4345d8             | cmovae              eax, dword ptr [ebp - 0x28]
            //   8d4da8               | lea                 ecx, [ebp - 0x58]

        $sequence_5 = { 6a02 68???????? 8d8de4eeffff c785f8eeffff0f000000 }
            // n = 4, score = 300
            //   6a02                 | push                2
            //   68????????           |                     
            //   8d8de4eeffff         | lea                 ecx, [ebp - 0x111c]
            //   c785f8eeffff0f000000     | mov    dword ptr [ebp - 0x1108], 0xf

        $sequence_6 = { 52 8d4dd8 e8???????? c645fc01 8d4dc0 }
            // n = 5, score = 300
            //   52                   | push                edx
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]

        // 0x2f is ASCII '/'; the byte compare is followed by the same
        // 0x10 capacity check seen in $sequence_4 — possibly path/string
        // handling, not confirmed from this excerpt.
        $sequence_7 = { 3c2f 0f85aa000000 837f1410 7204 8b07 eb02 }
            // n = 6, score = 300
            //   3c2f                 | cmp                 al, 0x2f
            //   0f85aa000000         | jne                 0xb0
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   7204                 | jb                  6
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   eb02                 | jmp                 4

        $sequence_8 = { 837e1410 8955c4 895610 7202 }
            // n = 4, score = 300
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   8955c4               | mov                 dword ptr [ebp - 0x3c], edx
            //   895610               | mov                 dword ptr [esi + 0x10], edx
            //   7202                 | jb                  4

        $sequence_9 = { 47 8d85d8feffff 50 8d8df8feffff }
            // n = 4, score = 300
            //   47                   | inc                 edi
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]

    condition:
        // Any 7 of the 10 $sequence_* strings must be present AND the scanned
        // object must be smaller than 827392 bytes (808 KiB). The size cap is
        // presumably derived from the reference sample; a larger build, or a
        // process/memory image above that size, will not match even when all
        // sequences are present — consider relaxing or dropping the filesize
        // term when scanning memory, and re-tune the 7-of-10 threshold against
        // your own true/false-positive corpus (see the DISCLAIMER above).
        7 of them and filesize < 827392
}