SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bootwreck (Back to overview)

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is a master boot record wiper malware.

References
2018-06-07Trend MicroFernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_bootwreck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ae 72d1 e116 45 00c6 27 629614659dee }
            // n = 7, score = 100
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   72d1                 | jb                  0xffffffd3
            //   e116                 | loope               0x18
            //   45                   | inc                 ebp
            //   00c6                 | add                 dh, al
            //   27                   | daa                 
            //   629614659dee         | bound               edx, qword ptr [esi - 0x11629aec]

        $sequence_1 = { be80f61c86 d5c2 c9 691087d623e2 59 f9 }
            // n = 6, score = 100
            //   be80f61c86           | mov                 esi, 0x861cf680
            //   d5c2                 | aad                 0xc2
            //   c9                   | leave               
            //   691087d623e2         | imul                edx, dword ptr [eax], 0xe223d687
            //   59                   | pop                 ecx
            //   f9                   | stc                 

        $sequence_2 = { 82b906c5ec8cc3 1041a8 fb 316c2354 d23b b8d9a16d0a 79c6 }
            // n = 7, score = 100
            //   82b906c5ec8cc3       | cmp                 byte ptr [ecx - 0x73133afa], 0xc3
            //   1041a8               | adc                 byte ptr [ecx - 0x58], al
            //   fb                   | sti                 
            //   316c2354             | xor                 dword ptr [ebx + 0x54], ebp
            //   d23b                 | sar                 byte ptr [ebx], cl
            //   b8d9a16d0a           | mov                 eax, 0xa6da1d9
            //   79c6                 | jns                 0xffffffc8

        $sequence_3 = { 803853 7516 8a4801 80f920 7404 3acb 750a }
            // n = 7, score = 100
            //   803853               | cmp                 byte ptr [eax], 0x53
            //   7516                 | jne                 0x18
            //   8a4801               | mov                 cl, byte ptr [eax + 1]
            //   80f920               | cmp                 cl, 0x20
            //   7404                 | je                  6
            //   3acb                 | cmp                 cl, bl
            //   750a                 | jne                 0xc

        $sequence_4 = { c24c00 60 89442420 668b442404 b8???????? 9c 9c }
            // n = 7, score = 100
            //   c24c00               | ret                 0x4c
            //   60                   | pushal              
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   668b442404           | mov                 ax, word ptr [esp + 4]
            //   b8????????           |                     
            //   9c                   | pushfd              
            //   9c                   | pushfd              

        $sequence_5 = { 61 ef f6b6f1a771e6 83f793 35c06de938 56 f5 }
            // n = 7, score = 100
            //   61                   | popal               
            //   ef                   | out                 dx, eax
            //   f6b6f1a771e6         | div                 byte ptr [esi - 0x198e580f]
            //   83f793               | xor                 edi, 0xffffff93
            //   35c06de938           | xor                 eax, 0x38e96dc0
            //   56                   | push                esi
            //   f5                   | cmc                 

        $sequence_6 = { 0f85b4fdffff 53 8d45d8 ff75d4 c6431018 50 e8???????? }
            // n = 7, score = 100
            //   0f85b4fdffff         | jne                 0xfffffdba
            //   53                   | push                ebx
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   c6431018             | mov                 byte ptr [ebx + 0x10], 0x18
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 6681fae58d f8 01d1 6810fcfcc4 3cc5 881424 39cb }
            // n = 7, score = 100
            //   6681fae58d           | cmp                 dx, 0x8de5
            //   f8                   | clc                 
            //   01d1                 | add                 ecx, edx
            //   6810fcfcc4           | push                0xc4fcfc10
            //   3cc5                 | cmp                 al, 0xc5
            //   881424               | mov                 byte ptr [esp], dl
            //   39cb                 | cmp                 ebx, ecx

        $sequence_8 = { 9e 6b555cbd 39989c836ab1 b8bc11d63d 8af1 3e6f d6 }
            // n = 7, score = 100
            //   9e                   | sahf                
            //   6b555cbd             | imul                edx, dword ptr [ebp + 0x5c], -0x43
            //   39989c836ab1         | cmp                 dword ptr [eax - 0x4e957c64], ebx
            //   b8bc11d63d           | mov                 eax, 0x3dd611bc
            //   8af1                 | mov                 dh, cl
            //   3e6f                 | outsd               dx, dword ptr ds:[esi]
            //   d6                   | salc                

        $sequence_9 = { 60 ff3424 ff74240c ff742440 c24400 8b6c2404 9c }
            // n = 7, score = 100
            //   60                   | pushal              
            //   ff3424               | push                dword ptr [esp]
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   ff742440             | push                dword ptr [esp + 0x40]
            //   c24400               | ret                 0x44
            //   8b6c2404             | mov                 ebp, dword ptr [esp + 4]
            //   9c                   | pushfd              

    condition:
        7 of them and filesize < 10821632
}
Download all Yara Rules