Actor(s): Lazarus Group
BOOTWRECK is master boot record (MBR) wiper malware.
// Auto-generated code-sequence rule for BOOTWRECK (Malpedia family win.bootwreck).
// Each $sequence_N is a run of raw instruction bytes lifted from the disassembly of
// the documented sample; the trailing comments give the byte-to-instruction mapping.
// Coverage caveat (from the generator's own disclaimer below): Malpedia documents only
// a single sample for many families, so the rule pins one build and may miss variants.
// Confidence caveat: sequences 1, 2, 4, 7 and 8 disassemble to instruction streams
// that look like non-code bytes (privileged/odd opcodes such as out, in, arpl, insd,
// enter with unusual immediates) — they most likely match raw data of that sample
// rather than reusable logic, so weigh hits on those alone lower than hits on the
// plausible code sequences (3, 5, 6, 9).
rule win_bootwreck_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 660fbec0 8d82bf37ec7c b801000000 8d1c657dae7869 5b 5b 60 }
            // n = 7, score = 100
            // 660fbec0             | movsx ax, al
            // 8d82bf37ec7c         | lea eax, [edx + 0x7cec37bf]
            // b801000000           | mov eax, 1
            // 8d1c657dae7869       | lea ebx, [0x6978ae7d]
            // 5b                   | pop ebx
            // 5b                   | pop ebx
            // 60                   | pushal
        $sequence_1 = { e685 5c dbd2 39d9 00ed 1e 55 }
            // n = 7, score = 100 — looks like data disassembled as code; low-confidence on its own
            // e685                 | out 0x85, al
            // 5c                   | pop esp
            // dbd2                 | fcmovnbe st(0), st(2)
            // 39d9                 | cmp ecx, ebx
            // 00ed                 | add ch, ch
            // 1e                   | push ds
            // 55                   | push ebp
        $sequence_2 = { 98 261f d363a4 777b 690606d1a06f 6f 7fb4 }
            // n = 7, score = 100 — looks like data disassembled as code; low-confidence on its own
            // 98                   | cwde
            // 261f                 | pop ds
            // d363a4               | shl dword ptr [ebx - 0x5c], cl
            // 777b                 | ja 0x7d
            // 690606d1a06f         | imul eax, dword ptr [esi], 0x6fa0d106
            // 6f                   | outsd dx, dword ptr [esi]
            // 7fb4                 | jg 0xffffffb6
        $sequence_3 = { 40 5f d3e0 99 f7ff 03c6 8bf0 }
            // n = 7, score = 100 — plausible code (shift/divide arithmetic)
            // 40                   | inc eax
            // 5f                   | pop edi
            // d3e0                 | shl eax, cl
            // 99                   | cdq
            // f7ff                 | idiv edi
            // 03c6                 | add eax, esi
            // 8bf0                 | mov esi, eax
        $sequence_4 = { 6350c6 52 2f 650aa78e3d0cfb f2c9 8027b6 6d }
            // n = 7, score = 100 — looks like data disassembled as code; low-confidence on its own
            // 6350c6               | arpl word ptr [eax - 0x3a], dx
            // 52                   | push edx
            // 2f                   | das
            // 650aa78e3d0cfb       | or ah, byte ptr gs:[edi - 0x4f3c272]
            // f2c9                 | leave
            // 8027b6               | and byte ptr [edi], 0xb6
            // 6d                   | insd dword ptr es:[edi], dx
        $sequence_5 = { e8???????? 57 33db 33ff 3bc3 752e ffd6 }
            // n = 7, score = 100 — plausible code; the e8 rel32 call target is wildcarded
            // e8????????           | call <rel32 masked>
            // 57                   | push edi
            // 33db                 | xor ebx, ebx
            // 33ff                 | xor edi, edi
            // 3bc3                 | cmp eax, ebx
            // 752e                 | jne 0x30
            // ffd6                 | call esi
        $sequence_6 = { 8b5d0c d0e5 18c1 56 6681e6f0be 660fa3cb }
            // n = 6, score = 100
            // 8b5d0c               | mov ebx, dword ptr [ebp + 0xc]
            // d0e5                 | shl ch, 1
            // 18c1                 | sbb cl, al
            // 56                   | push esi
            // 6681e6f0be           | and si, 0xbef0
            // 660fa3cb             | bt bx, cx
        $sequence_7 = { dd84a3f093a2c1 7bf0 50 1dc982205c c8c8444b 7289 8900 }
            // n = 7, score = 100 — looks like data disassembled as code; low-confidence on its own
            // dd84a3f093a2c1       | fld qword ptr [ebx - 0x3e5d6c10]
            // 7bf0                 | jnp 0xfffffff2
            // 50                   | push eax
            // 1dc982205c           | sbb eax, 0x5c2082c9
            // c8c8444b             | enter 0x44c8, 0x4b
            // 7289                 | jb 0xffffff8b
            // 8900                 | mov dword ptr [eax], eax
        $sequence_8 = { ed 2d07128e15 95 dcc9 7070 bdbdaa357c c9 }
            // n = 7, score = 100 — looks like data disassembled as code; low-confidence on its own
            // ed                   | in eax, dx
            // 2d07128e15           | sub eax, 0x158e1207
            // 95                   | xchg eax, ebp
            // dcc9                 | fmul st(1), st(0)
            // 7070                 | jo 0x72
            // bdbdaa357c           | mov ebp, 0x7c35aabd
            // c9                   | leave
        $sequence_9 = { 89c8 53 0fbedb 660fcb 89cb 9c 0f31 }
            // n = 7, score = 100 — plausible code (rdtsc read)
            // 89c8                 | mov eax, ecx
            // 53                   | push ebx
            // 0fbedb               | movsx ebx, bl
            // 660fcb               | bswap bx
            // 89cb                 | mov ebx, ecx
            // 9c                   | pushfd
            // 0f31                 | rdtsc
    condition:
        // 7 of the 10 byte sequences must be present, and the scanned object must be
        // under ~10.3 MiB; the size bound trims false positives on large containers but
        // also means oversized artefacts carrying the same code will not match.
        7 of them and filesize < 10821632
}