Actor(s): Lazarus Group
BOOTWRECK is master boot record (MBR) wiper malware.
/*
 * win_bootwreck_auto
 *
 * Auto-generated YARA-Signator rule for the win.bootwreck family (Malpedia).
 * Matches when at least 7 of the 10 opcode sequences below are present and
 * the scanned file is smaller than 10821632 bytes (~10.3 MiB).
 */
rule win_bootwreck_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were selected automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked files; the generator
     * and its documentation live at https://github.com/fxb-cocacoding/yara-signator.
     * Malpedia is the data source, and for a number of families it documents
     * only a single sample, so how well these sequences generalise to other
     * builds of the family is unknown. Keep that, and the generation method,
     * in mind when deciding what confidence level to assign the rule.
     */

    strings:
        // n = 7, score = 100
        $sequence_0 = { 28ec 8b45f8 60 f9 6681f98ac3 a90000ffff 66891c24 }
            // 28ec         | sub ah, ch
            // 8b45f8       | mov eax, dword ptr [ebp - 8]
            // 60           | pushal
            // f9           | stc
            // 6681f98ac3   | cmp cx, 0xc38a
            // a90000ffff   | test eax, 0xffff0000
            // 66891c24     | mov word ptr [esp], bx

        // n = 7, score = 100
        $sequence_1 = { 7300 53 7074 00530f 7700 24b8 7800 }
            // 7300         | jae 2
            // 53           | push ebx
            // 7074         | jo 0x76
            // 00530f       | add byte ptr [ebx + 0xf], dl
            // 7700         | ja 2
            // 24b8         | and al, 0xb8
            // 7800         | js 2

        // n = 6, score = 100
        $sequence_2 = { 9c 5f f7d7 5f 8d9b661ee2b9 9c }
            // 9c           | pushfd
            // 5f           | pop edi
            // f7d7         | not edi
            // 5f           | pop edi
            // 8d9b661ee2b9 | lea ebx, [ebx - 0x461de19a]
            // 9c           | pushfd

        // n = 6, score = 100
        $sequence_3 = { 66891424 6687de 660fbef2 886c2408 8b74240c 880c24 }
            // 66891424     | mov word ptr [esp], dx
            // 6687de       | xchg si, bx
            // 660fbef2     | movsx si, dl
            // 886c2408     | mov byte ptr [esp + 8], ch
            // 8b74240c     | mov esi, dword ptr [esp + 0xc]
            // 880c24       | mov byte ptr [esp], cl

        // n = 7, score = 100
        $sequence_4 = { 60 9c 8b92bf434600 9c 6851bf1d89 c60424b4 8d92d4bcc119 }
            // 60           | pushal
            // 9c           | pushfd
            // 8b92bf434600 | mov edx, dword ptr [edx + 0x4643bf]
            // 9c           | pushfd
            // 6851bf1d89   | push 0x891dbf51
            // c60424b4     | mov byte ptr [esp], 0xb4
            // 8d92d4bcc119 | lea edx, [edx + 0x19c1bcd4]

        // n = 7, score = 100
        // The ???????? wildcards stand for the 4-byte relative displacement of
        // a call/jmp, which differs between builds and is therefore not matched.
        $sequence_5 = { 66f7d2 66c70424db8b 8b54240c e9???????? e8???????? 60 8bad0a004400 }
            // 66f7d2       | not dx
            // 66c70424db8b | mov word ptr [esp], 0x8bdb
            // 8b54240c     | mov edx, dword ptr [esp + 0xc]
            // e9????????   | (jmp rel32, target wildcarded)
            // e8????????   | (call rel32, target wildcarded)
            // 60           | pushal
            // 8bad0a004400 | mov ebp, dword ptr [ebp + 0x44000a]

        // n = 7, score = 100
        $sequence_6 = { f7d1 60 f9 6639e9 ff742404 85c9 e8???????? }
            // f7d1         | not ecx
            // 60           | pushal
            // f9           | stc
            // 6639e9       | cmp cx, bp
            // ff742404     | push dword ptr [esp + 4]
            // 85c9         | test ecx, ecx
            // e8????????   | (call rel32, target wildcarded)

        // n = 7, score = 100
        $sequence_7 = { e9???????? ff7510 8f442448 9c 9c 66c70424931c 891424 }
            // e9????????   | (jmp rel32, target wildcarded)
            // ff7510       | push dword ptr [ebp + 0x10]
            // 8f442448     | pop dword ptr [esp + 0x48]
            // 9c           | pushfd
            // 9c           | pushfd
            // 66c70424931c | mov word ptr [esp], 0x1c93
            // 891424       | mov dword ptr [esp], edx

        // n = 7, score = 100
        $sequence_8 = { c744241c00000000 c604247c 8d64241c e8???????? 660fbcf3 66f7de 660fce }
            // c744241c00000000 | mov dword ptr [esp + 0x1c], 0
            // c604247c         | mov byte ptr [esp], 0x7c
            // 8d64241c         | lea esp, [esp + 0x1c]
            // e8????????       | (call rel32, target wildcarded)
            // 660fbcf3         | bsf si, bx
            // 66f7de           | neg si
            // 660fce           | bswap si

        // n = 6, score = 100
        $sequence_9 = { 888c18b0993700 ff4594 8b4594 3b45a0 7cae ff459c }
            // 888c18b0993700 | mov byte ptr [eax + ebx + 0x3799b0], cl
            // ff4594         | inc dword ptr [ebp - 0x6c]
            // 8b4594         | mov eax, dword ptr [ebp - 0x6c]
            // 3b45a0         | cmp eax, dword ptr [ebp - 0x60]
            // 7cae           | jl 0xffffffb0
            // ff459c         | inc dword ptr [ebp - 0x64]

    condition:
        // Require a majority of the sequences rather than all of them so that a
        // single missing fragment does not cause a miss; the size bound keeps
        // the rule from being evaluated against very large files.
        7 of them and filesize < 10821632
}