win.bootwreck (Back to overview)

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is a master boot record (MBR) wiper.

References
2018-06-07 | Trend Micro | Fernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20220411 | Detects win.bootwreck.)
// Auto-generated Malpedia YARA rule for BOOTWRECK (win.bootwreck), an MBR wiper
// attributed on this page to Lazarus Group. The DISCLAIMER block inside the rule
// explains how the byte sequences were selected; the review notes before
// `strings:` explain how to read them.
rule win_bootwreck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Review notes (not part of the generated signature):
     * - Each $sequence_N is a run of raw x86 opcode bytes. In the per-sequence
     *   comments, "n" is the number of instructions in the run and "score" is
     *   the generator's ranking of the sequence, not a match confidence.
     * - "e8????????" is a CALL whose 4-byte relative target is wildcarded, so
     *   the sequence does not depend on where the callee was linked.
     * - Several of the decoded instructions look implausible for compiler
     *   output (e.g. aaa, push cs, outsd, lcall, and one byte run in
     *   $sequence_6 the disassembler left undecoded). Those runs were
     *   presumably lifted from data or mis-aligned code rather than real
     *   control flow; they may still match the sampled binary but are likely
     *   brittle across variants — weigh this when assigning confidence and
     *   when triaging hits.
     */
    strings:
        $sequence_0 = { f73e 4e 83ca93 37 0e b81b997f80 e0e8 }
            // n = 7, score = 100
            //   f73e                 | idiv                dword ptr [esi]
            //   4e                   | dec                 esi
            //   83ca93               | or                  edx, 0xffffff93
            //   37                   | aaa                 
            //   0e                   | push                cs
            //   b81b997f80           | mov                 eax, 0x807f991b
            //   e0e8                 | loopne              0xffffffea

        $sequence_1 = { e8???????? 88db 60 0f9fc3 60 8b7c2440 8d9e49c16089 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   88db                 | mov                 bl, bl
            //   60                   | pushal              
            //   0f9fc3               | setg                bl
            //   60                   | pushal              
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   8d9e49c16089         | lea                 ebx, dword ptr [esi - 0x769f3eb7]

        $sequence_2 = { 8d642440 0f8c28aa0500 8da82aad67de 5d 9c 60 9c }
            // n = 7, score = 100
            //   8d642440             | lea                 esp, dword ptr [esp + 0x40]
            //   0f8c28aa0500         | jl                  0x5aa2e
            //   8da82aad67de         | lea                 ebp, dword ptr [eax - 0x219852d6]
            //   5d                   | pop                 ebp
            //   9c                   | pushfd              
            //   60                   | pushal              
            //   9c                   | pushfd              

        // Looks like a function epilogue/prologue boundary (pop ebp; ret; push
        // ebp; call ...; ret 4; mov edi, edi; push esi) — the most "normal"
        // code fragment in this rule.
        $sequence_3 = { 5d c3 55 e8???????? c20400 8bff 56 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   e8????????           |                     
            //   c20400               | ret                 4
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi

        $sequence_4 = { 6689442404 689e671321 8744242c 58 660fb6c2 98 e8???????? }
            // n = 7, score = 100
            //   6689442404           | mov                 word ptr [esp + 4], ax
            //   689e671321           | push                0x2113679e
            //   8744242c             | xchg                dword ptr [esp + 0x2c], eax
            //   58                   | pop                 eax
            //   660fb6c2             | movzx               ax, dl
            //   98                   | cwde                
            //   e8????????           |                     

        $sequence_5 = { 88742404 9c 8d64244c e8???????? 66f7d6 9c 660fce }
            // n = 7, score = 100
            //   88742404             | mov                 byte ptr [esp + 4], dh
            //   9c                   | pushfd              
            //   8d64244c             | lea                 esp, dword ptr [esp + 0x4c]
            //   e8????????           |                     
            //   66f7d6               | not                 si
            //   9c                   | pushfd              
            //   660fce               | bswap               si

        // Contains a byte run (82789a0e) the disassembler did not decode.
        $sequence_6 = { 27 8890f746e64d 3ac5 1c09 82789a0e 7382 }
            // n = 6, score = 100
            //   27                   | daa                 
            //   8890f746e64d         | mov                 byte ptr [eax + 0x4de646f7], dl
            //   3ac5                 | cmp                 al, ch
            //   1c09                 | sbb                 al, 9
            //   82789a0e             |                     
            //   7382                 | jae                 0xffffff84

        $sequence_7 = { 1dd4474552 f77564 fb 9a4100cf7e2de4 6b3a91 e8???????? }
            // n = 6, score = 100
            //   1dd4474552           | sbb                 eax, 0x524547d4
            //   f77564               | div                 dword ptr [ebp + 0x64]
            //   fb                   | sti                 
            //   9a4100cf7e2de4       | lcall               0xe42d:0x7ecf0041
            //   6b3a91               | imul                edi, dword ptr [edx], -0x6f
            //   e8????????           |                     

        $sequence_8 = { 67747b 6f 26e260 7f4a 3928 6f 7fb4 }
            // n = 7, score = 100
            //   67747b               | je                  0x7e
            //   6f                   | outsd               dx, dword ptr [esi]
            //   26e260               | loop                0x63
            //   7f4a                 | jg                  0x4c
            //   3928                 | cmp                 dword ptr [eax], ebp
            //   6f                   | outsd               dx, dword ptr [esi]
            //   7fb4                 | jg                  0xffffffb6

        $sequence_9 = { 44 7ce8 bf6cc5d5da 8927 37 56 92 }
            // n = 7, score = 100
            //   44                   | inc                 esp
            //   7ce8                 | jl                  0xffffffea
            //   bf6cc5d5da           | mov                 edi, 0xdad5c56c
            //   8927                 | mov                 dword ptr [edi], esp
            //   37                   | aaa                 
            //   56                   | push                esi
            //   92                   | xchg                eax, edx

    // Fires when at least 7 of the 10 sequences are present in a file smaller
    // than 10821632 bytes (~10.3 MiB). The size bound is a generator artefact,
    // presumably derived from the sampled file(s); it limits scan cost but
    // should not be read as a property of the family.
    condition:
        7 of them and filesize < 10821632
}