Actor(s): Lazarus Group
BOOTWRECK is a master boot record (MBR) wiper malware.
rule win_bootwreck_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Every $sig_N below is an n-gram of raw instruction bytes taken from the
        // generator's disassembly of the reference sample. The per-byte decoding is
        // listed above each string; "n" is the instruction count of the n-gram and
        // "score" is the generator's ranking value for it.

        // 33ff              xor edi, edi
        // 897dfc            mov dword ptr [ebp - 4], edi
        // 3b1cfde0c18100    cmp ebx, dword ptr [edi*8 + 0x81c1e0]
        // 7409              je 0xb
        // 47                inc edi
        // 897dfc            mov dword ptr [ebp - 4], edi
        $sig_0 = { 33ff 897dfc 3b1cfde0c18100 7409 47 897dfc }                 // n = 6, score = 100

        // 8d642428          lea esp, [esp + 0x28]
        // 0f8409000000      je 0xf
        // 660fbec2          movsx ax, dl
        // 86c7              xchg bh, al
        // 8b4510            mov eax, dword ptr [ebp + 0x10]
        // 55                push ebp
        // 660fb6da          movzx bx, dl
        $sig_1 = { 8d642428 0f8409000000 660fbec2 86c7 8b4510 55 660fb6da }    // n = 7, score = 100

        // 85b178373e03      test dword ptr [ecx + 0x33e3778], esi
        // 025ad9            add bl, byte ptr [edx - 0x27]
        // 7efa              jle 0xfffffffc
        // 99                cdq
        // 18c7              sbb bh, al
        // 7e55              jle 0x57
        // NOTE(review): this decoding (a tiny backward jle, sbb into bh) is unusual
        // for compiler-emitted code; the bytes may be data that the generator
        // disassembled as code. Treat this string as a weaker signal.
        $sig_2 = { 85b178373e03 025ad9 7efa 99 18c7 7e55 }                     // n = 6, score = 100

        // c74424147d978300  mov dword ptr [esp + 0x14], 0x83977d
        // 682dedfcaa        push 0xaafced2d
        // 9c                pushfd
        // 89442418          mov dword ptr [esp + 0x18], eax
        // 9c                pushfd
        // 9c                pushfd
        // ff742420          push dword ptr [esp + 0x20]
        $sig_3 = { c74424147d978300 682dedfcaa 9c 89442418 9c 9c ff742420 }    // n = 7, score = 100

        // ee                out dx, al
        // 5b                pop ebx
        // 7f3f              jg 0x41
        // 99                cdq
        // 68e43b3fa7        push 0xa73f3be4
        // 6c                insb byte ptr es:[edi], dx
        // NOTE(review): port I/O (out/insb) is not something user-mode compiler
        // output normally contains; likely a data region decoded as code. Weaker signal.
        $sig_4 = { ee 5b 7f3f 99 68e43b3fa7 6c }                               // n = 6, score = 100

        // 876c2428          xchg dword ptr [esp + 0x28], ebp
        // 66891c24          mov word ptr [esp], bx
        // 688106ab60        push 0x60ab0681
        // 896c2428          mov dword ptr [esp + 0x28], ebp
        // 5d                pop ebp
        // 66896c2404        mov word ptr [esp + 4], bp
        // bd????????        mov ebp, imm32 (immediate wildcarded by the generator)
        $sig_5 = { 876c2428 66891c24 688106ab60 896c2428 5d 66896c2404 bd???????? } // n = 7, score = 100

        // 8955fc            mov dword ptr [ebp - 4], edx
        // f9                stc
        // 8d9b00000000      lea ebx, [ebx]
        // 30e1              xor cl, ah
        // 37                aaa
        // d4b7              aam 0xb7
        // 8b4d08            mov ecx, dword ptr [ebp + 8]
        // NOTE(review): aaa/aam are BCD instructions compilers essentially never
        // emit; the middle of this n-gram may be data or padding. Weaker signal.
        $sig_6 = { 8955fc f9 8d9b00000000 30e1 37 d4b7 8b4d08 }                // n = 7, score = 100

        // ff4638            inc dword ptr [esi + 0x38]
        // 88c3              mov bl, al
        // 66f7d6            not si
        // b37c              mov bl, 0x7c
        // 5b                pop ebx
        // 660fb6f9          movzx di, cl
        // 5f                pop edi
        $sig_7 = { ff4638 88c3 66f7d6 b37c 5b 660fb6f9 5f }                    // n = 7, score = 100

        // c25400            ret 0x54
        // c7042400000000    mov dword ptr [esp], 0
        // 60                pushal
        // 8774241c          xchg dword ptr [esp + 0x1c], esi
        // 8d64241c          lea esp, [esp + 0x1c]
        // 0f8103500500      jno 0x55009
        $sig_8 = { c25400 c7042400000000 60 8774241c 8d64241c 0f8103500500 }   // n = 6, score = 100

        // 8d041f            lea eax, [edi + ebx]
        // f7c5036c87b2      test ebp, 0xb2876c03
        // 99                cdq
        // 84ed              test ch, ch
        // f8                clc
        // 60                pushal
        // 6681fb744d        cmp bx, 0x4d74
        $sig_9 = { 8d041f f7c5036c87b2 99 84ed f8 60 6681fb744d }              // n = 7, score = 100

    condition:
        // All strings in this rule are $sig_*, so "7 of ($sig*)" is the same test
        // as the generator's "7 of them": at least 7 of the 10 n-grams must match.
        // The size cap (10821632 bytes, about 10.3 MiB) bounds scan cost; note that
        // full memory dumps or differently packed builds may exceed it and be skipped.
        7 of ($sig*) and filesize < 10821632
}