win.aurora

Aurora

aka: OneKeyLocker

Actor(s): Oktropys


Ransomware

References
2023-04-18 | Morphisec | Arnold Osipov, Michael Dereviashkin
@online{osipov:20230418:what:516436d, author = {Arnold Osipov and Michael Dereviashkin}, title = {{What Makes Invalid Printer Loader So Stealthy?}}, date = {2023-04-18}, organization = {Morphisec}, url = {https://blog.morphisec.com/in2al5d-p3in4er}, language = {English}, urldate = {2023-04-22} } What Makes Invalid Printer Loader So Stealthy?
Aurora
2023-04-12 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2019-01-04 | Bleeping Computer | Lawrence Abrams
@online{abrams:20190104:how:8932d09, author = {Lawrence Abrams}, title = {{How to Decrypt the Aurora Ransomware with AuroraDecrypter}}, date = {2019-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/}, language = {English}, urldate = {2019-12-17} } How to Decrypt the Aurora Ransomware with AuroraDecrypter
Aurora
2018-08-18 | Bleeping Computer | Vishal Thakur
@online{thakur:20180818:azorult:e096002, author = {Vishal Thakur}, title = {{AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys}}, date = {2018-08-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/}, language = {English}, urldate = {2019-12-20} } AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys
Aurora Azorult
2018-05-29 | Twitter (@malwrhunterteam) | MalwareHunterTeam
@online{malwarehunterteam:20180529:aurora:867bacc, author = {MalwareHunterTeam}, title = {{Tweet on Aurora / OneKeyLocker Ransomware}}, date = {2018-05-29}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1001461507513880576}, language = {English}, urldate = {2020-03-02} } Tweet on Aurora / OneKeyLocker Ransomware
Aurora
Yara Rules
[TLP:WHITE] win_aurora_auto (20230808 | Detects win.aurora.)
rule win_aurora_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.aurora."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): `date` (2023-12-06) and `malpedia_rule_date` (20231130)
        // are later than `malpedia_version` (20230808); presumably the rule was
        // regenerated against the 20230808 dataset snapshot — confirm before
        // using these fields to track rule freshness.

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings section:
     * - Each $sequence_N is a run of x86 instruction bytes taken from unpacked
     *   code or memory dumps (see DISCLAIMER). A packed on-disk sample may
     *   therefore not match until it is unpacked or scanned in memory.
     * - In the generator comments, "n" is the number of instructions in the
     *   sequence; "score" is presumably the generator's ranking value for it.
     * - "??" bytes are YARA wildcards. They mask the 32-bit operands of
     *   push imm32 (0x68) and call rel32 (0xe8), i.e. addresses/offsets that
     *   differ between builds, so the opcode pattern stays build-independent.
     */

    strings:
        $sequence_0 = { 8b4e14 8945d4 8b4610 3bc1 7530 40 83f8fe }
            // n = 7, score = 300
            //   8b4e14               | mov                 ecx, dword ptr [esi + 0x14]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   3bc1                 | cmp                 eax, ecx
            //   7530                 | jne                 0x32
            //   40                   | inc                 eax
            //   83f8fe               | cmp                 eax, -2

        $sequence_1 = { c645fc03 8d4dd8 837dec08 8d5dd8 }
            // n = 4, score = 300
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   837dec08             | cmp                 dword ptr [ebp - 0x14], 8
            //   8d5dd8               | lea                 ebx, [ebp - 0x28]

        $sequence_2 = { 8aca c0e206 0255d3 c0e902 80e10f }
            // n = 5, score = 300
            //   8aca                 | mov                 cl, dl
            //   c0e206               | shl                 dl, 6
            //   0255d3               | add                 dl, byte ptr [ebp - 0x2d]
            //   c0e902               | shr                 cl, 2
            //   80e10f               | and                 cl, 0xf

        $sequence_3 = { ebd9 837b1410 7202 8b1b }
            // n = 4, score = 300
            //   ebd9                 | jmp                 0xffffffdb
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_4 = { 3bf3 7469 897de8 c645fc01 85ff 7437 c7471000000000 }
            // n = 7, score = 300
            //   3bf3                 | cmp                 esi, ebx
            //   7469                 | je                  0x6b
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   85ff                 | test                edi, edi
            //   7437                 | je                  0x39
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0

        $sequence_5 = { 6a00 c741140f000000 c7411000000000 68???????? c60100 e8???????? 8d8df8fbffff }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   68????????           |                     
            //   c60100               | mov                 byte ptr [ecx], 0
            //   e8????????           |                     
            //   8d8df8fbffff         | lea                 ecx, [ebp - 0x408]

        $sequence_6 = { 83793800 0f45c2 50 e8???????? 8b9df0feffff c745e40f000000 c745e000000000 }
            // n = 7, score = 300
            //   83793800             | cmp                 dword ptr [ecx + 0x38], 0
            //   0f45c2               | cmovne              eax, edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b9df0feffff         | mov                 ebx, dword ptr [ebp - 0x110]
            //   c745e40f000000       | mov                 dword ptr [ebp - 0x1c], 0xf
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0

        $sequence_7 = { c785c8f1ffff0f000000 c785c4f1ffff00000000 c685b4f1ffff00 e8???????? 8d8dccf1ffff }
            // n = 5, score = 300
            //   c785c8f1ffff0f000000     | mov    dword ptr [ebp - 0xe38], 0xf
            //   c785c4f1ffff00000000     | mov    dword ptr [ebp - 0xe3c], 0
            //   c685b4f1ffff00       | mov                 byte ptr [ebp - 0xe4c], 0
            //   e8????????           |                     
            //   8d8dccf1ffff         | lea                 ecx, [ebp - 0xe34]

        $sequence_8 = { 68???????? 8d8d24f1ffff c78538f1ffff0f000000 c78534f1ffff00000000 }
            // n = 4, score = 300
            //   68????????           |                     
            //   8d8d24f1ffff         | lea                 ecx, [ebp - 0xedc]
            //   c78538f1ffff0f000000     | mov    dword ptr [ebp - 0xec8], 0xf
            //   c78534f1ffff00000000     | mov    dword ptr [ebp - 0xecc], 0

        $sequence_9 = { 6a02 68???????? 8d8d14efffff c78528efffff0f000000 }
            // n = 4, score = 300
            //   6a02                 | push                2
            //   68????????           |                     
            //   8d8d14efffff         | lea                 ecx, [ebp - 0x10ec]
            //   c78528efffff0f000000     | mov    dword ptr [ebp - 0x10d8], 0xf

    condition:
        // Match when at least 7 of the 10 sequences are present, so a sample
        // can lose a few sequences (recompilation, minor code changes) and
        // still hit, while a stray single sequence in unrelated code does not.
        // The size bound (bytes) limits scanning to small inputs.
        // NOTE(review): the bound also rejects larger memory dumps or carved
        // regions even when all sequences are present — confirm it suits the
        // input type (on-disk file vs. process memory) before deployment.
        7 of them and filesize < 827392
}