SYMBOLCOMMON_NAMEaka. SYNONYMS
win.azov_wiper (Back to overview)

Azov Wiper


According to Checkpoint, this malware is a wiper instead of ransomware as self-announced. It is manually written in FASM, unrecoverably overwriting data in blocks of 666 bytes, using multi-threading.

References
2023-01-24FortinetGeri Revay
@online{revay:20230124:year:00a1450, author = {Geri Revay}, title = {{The Year of the Wiper}}, date = {2023-01-24}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper}, language = {English}, urldate = {2023-01-25} } The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar
2022-12-12CheckpointJiří Vinopal
@online{vinopal:20221212:pulling:7b5315a, author = {Jiří Vinopal}, title = {{Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper}}, date = {2022-12-12}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/}, language = {English}, urldate = {2022-12-13} } Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
Azov Wiper
2022-11-02Twitter (@_CPResearch_)Checkpoint Research
@online{research:20221102:azov:9f43496, author = {Checkpoint Research}, title = {{Tweet on Azov Wiper}}, date = {2022-11-02}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1587837524604465153}, language = {English}, urldate = {2022-11-09} } Tweet on Azov Wiper
Azov Wiper
Yara Rules
[TLP:WHITE] win_azov_wiper_auto (20230407 | Detects win.azov_wiper.)
rule win_azov_wiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.azov_wiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d041b 48897c2420 4c8d4c2450 488bce ff5040 }
            // n = 5, score = 100
            //   4c8d041b             | dec                 eax
            //   48897c2420           | mov                 ebx, eax
            //   4c8d4c2450           | dec                 eax
            //   488bce               | test                eax, eax
            //   ff5040               | je                  0x1fd

        $sequence_1 = { 57 4883ec30 488b05???????? 488bd9 48894c2420 }
            // n = 5, score = 100
            //   57                   | inc                 ecx
            //   4883ec30             | rol                 ecx, 1
            //   488b05????????       |                     
            //   488bd9               | dec                 eax
            //   48894c2420           | test                ecx, ecx

        $sequence_2 = { 4080e4f0 c645f356 c645f469 c645f572 c645f674 }
            // n = 5, score = 100
            //   4080e4f0             | test                eax, eax
            //   c645f356             | je                  0x2c1
            //   c645f469             | dec                 esp
            //   c645f572             | mov                 eax, dword ptr [eax]
            //   c645f674             | inc                 ecx

        $sequence_3 = { 488b05???????? 488bcd 488b10 ff5250 }
            // n = 4, score = 100
            //   488b05????????       |                     
            //   488bcd               | add                 esp, 8
            //   488b10               | dec                 eax
            //   ff5250               | add                 esp, 8

        $sequence_4 = { 4c8b10 ba00000080 4c8bf9 4883ceff 8bfb 41ff5238 }
            // n = 6, score = 100
            //   4c8b10               | lea                 eax, [ebx + ebx]
            //   ba00000080           | dec                 eax
            //   4c8bf9               | mov                 dword ptr [esp + 0x20], edi
            //   4883ceff             | dec                 esp
            //   8bfb                 | lea                 ecx, [esp + 0x50]
            //   41ff5238             | dec                 eax

        $sequence_5 = { a2????????ec084889 2c24 4889e5 48c74424f800000000 }
            // n = 4, score = 100
            //   a2????????ec084889     |     
            //   2c24                 | mov                 ebx, eax
            //   4889e5               | dec                 eax
            //   48c74424f800000000     | test    eax, eax

        $sequence_6 = { 4c8b10 488d842478020000 4889442428 48897c2420 41ff92c0000000 4885c0 }
            // n = 6, score = 100
            //   4c8b10               | xor                 ecx, ecx
            //   488d842478020000     | lea                 edx, [eax*2 + 0x402]
            //   4889442428           | inc                 ecx
            //   48897c2420           | mov                 eax, 0x3000
            //   41ff92c0000000       | inc                 esp
            //   4885c0               | lea                 ecx, [ecx + 4]

        $sequence_7 = { e8???????? 488bf8 488d4bfe 66397102 488d4902 75f6 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488bf8               | mov                 edi, dword ptr [ecx]
            //   488d4bfe             | dec                 eax
            //   66397102             | mov                 ecx, eax
            //   488d4902             | jne                 0x333
            //   75f6                 | xor                 ecx, ecx

        $sequence_8 = { 7416 488b0d???????? 488b11 ff9218010000 }
            // n = 4, score = 100
            //   7416                 | dec                 eax
            //   488b0d????????       |                     
            //   488b11               | mov                 ecx, dword ptr [esp - 8]
            //   ff9218010000         | dec                 eax

        $sequence_9 = { 660f1f440000 488b05???????? 488b0b 488b10 }
            // n = 4, score = 100
            //   660f1f440000         | mov                 edx, dword ptr [eax]
            //   488b05????????       |                     
            //   488b0b               | call                dword ptr [edx + 0x60]
            //   488b10               | dec                 eax

    condition:
        7 of them and filesize < 73728
}
Download all Yara Rules