win.bootwreck

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is a master boot record (MBR) wiper: destructive malware that overwrites the disk's boot sector so the infected host can no longer start.

References
2018-06-07 · Trend Micro · Fernando Mercês
New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018-01-01 · FireEye · FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20230808 | Detects win.bootwreck.)
/*
 * Auto-generated code-sequence signature for the BOOTWRECK / MBRkiller family.
 * Each $sequence_N below is a short run of raw x86 opcode bytes lifted from the
 * disassembly of a dumped or unpacked sample (see DISCLAIMER); the rule fires when
 * at least 7 of the 10 runs are present in a file smaller than the filesize bound.
 * Because the runs are byte-exact (only one operand is wildcarded), expect the rule
 * to be tight on the documented sample and to generalize weakly to other builds.
 */
rule win_bootwreck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): three different timestamps are recorded below (date,
        // malpedia_rule_date, malpedia_version); presumably rule generation date,
        // rule-set publication date and data-set version respectively - confirm
        // against the yara-signator docs before relying on any of them for versioning.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the run,
        // "score" is the generator's weight (all 100 here, so every run counts equally
        // toward the "7 of them" threshold in the condition).

        // Loop over a table at absolute address 0x81c1e0 (edi*8 stride) comparing
        // against ebx. The hard-coded address pins this run to one image base/build.
        $sequence_0 = { 33ff 897dfc 3b1cfde0c18100 7409 47 897dfc }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   3b1cfde0c18100       | cmp                 ebx, dword ptr [edi*8 + 0x81c1e0]
            //   7409                 | je                  0xb
            //   47                   | inc                 edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi

        $sequence_1 = { 8d642428 0f8409000000 660fbec2 86c7 8b4510 55 660fb6da }
            // n = 7, score = 100
            //   8d642428             | lea                 esp, [esp + 0x28]
            //   0f8409000000         | je                  0xf
            //   660fbec2             | movsx               ax, dl
            //   86c7                 | xchg                bh, al
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   55                   | push                ebp
            //   660fb6da             | movzx               bx, dl

        // NOTE(review): the decoded instructions here (a backwards `jle` into the
        // run itself, `add bl, [edx-0x27]`, `sbb bh, al`) do not read like compiler
        // output; this byte run may sit in data, a packed/encrypted region or a
        // misaligned disassembly rather than in real code - treat as sample-specific.
        $sequence_2 = { 85b178373e03 025ad9 7efa 99 18c7 7e55 }
            // n = 6, score = 100
            //   85b178373e03         | test                dword ptr [ecx + 0x33e3778], esi
            //   025ad9               | add                 bl, byte ptr [edx - 0x27]
            //   7efa                 | jle                 0xfffffffc
            //   99                   | cdq                 
            //   18c7                 | sbb                 bh, al
            //   7e55                 | jle                 0x57

        // NOTE(review): repeated `pushfd` around pushes of large immediates looks
        // like junk/obfuscation or non-code bytes rather than normal code - same
        // caveat as $sequence_2.
        $sequence_3 = { c74424147d978300 682dedfcaa 9c 89442418 9c 9c ff742420 }
            // n = 7, score = 100
            //   c74424147d978300     | mov                 dword ptr [esp + 0x14], 0x83977d
            //   682dedfcaa           | push                0xaafced2d
            //   9c                   | pushfd              
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   ff742420             | push                dword ptr [esp + 0x20]

        // NOTE(review): `out dx, al` and `insb` are port-I/O instructions that a
        // user-mode Windows binary would fault on; this run almost certainly decodes
        // data or packed bytes, so it matches the specific sample blob, not code.
        $sequence_4 = { ee 5b 7f3f 99 68e43b3fa7 6c }
            // n = 6, score = 100
            //   ee                   | out                 dx, al
            //   5b                   | pop                 ebx
            //   7f3f                 | jg                  0x41
            //   99                   | cdq                 
            //   68e43b3fa7           | push                0xa73f3be4
            //   6c                   | insb                byte ptr es:[edi], dx

        // The trailing `bd????????` wildcards the 4-byte operand of the final
        // instruction (no disassembly was emitted for it); presumably an address or
        // immediate that varies between builds - the only non-exact bytes in the rule.
        $sequence_5 = { 876c2428 66891c24 688106ab60 896c2428 5d 66896c2404 bd???????? }
            // n = 7, score = 100
            //   876c2428             | xchg                dword ptr [esp + 0x28], ebp
            //   66891c24             | mov                 word ptr [esp], bx
            //   688106ab60           | push                0x60ab0681
            //   896c2428             | mov                 dword ptr [esp + 0x28], ebp
            //   5d                   | pop                 ebp
            //   66896c2404           | mov                 word ptr [esp + 4], bp
            //   bd????????           |                     

        // NOTE(review): `aaa` / `aam 0xb7` (BCD adjust) plus `stc` are essentially
        // never emitted by modern compilers; likely data or obfuscated bytes.
        $sequence_6 = { 8955fc f9 8d9b00000000 30e1 37 d4b7 8b4d08 }
            // n = 7, score = 100
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   f9                   | stc                 
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   30e1                 | xor                 cl, ah
            //   37                   | aaa                 
            //   d4b7                 | aam                 0xb7
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_7 = { ff4638 88c3 66f7d6 b37c 5b 660fb6f9 5f }
            // n = 7, score = 100
            //   ff4638               | inc                 dword ptr [esi + 0x38]
            //   88c3                 | mov                 bl, al
            //   66f7d6               | not                 si
            //   b37c                 | mov                 bl, 0x7c
            //   5b                   | pop                 ebx
            //   660fb6f9             | movzx               di, cl
            //   5f                   | pop                 edi

        // Starts with `ret 0x54` and mixes `pushal` with an esp-relative `lea`;
        // plausibly a function epilogue followed by the start of unrelated bytes.
        $sequence_8 = { c25400 c7042400000000 60 8774241c 8d64241c 0f8103500500 }
            // n = 6, score = 100
            //   c25400               | ret                 0x54
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   60                   | pushal              
            //   8774241c             | xchg                dword ptr [esp + 0x1c], esi
            //   8d64241c             | lea                 esp, [esp + 0x1c]
            //   0f8103500500         | jno                 0x55009

        // NOTE(review): `test ebp, imm32` followed by `cdq`/`clc`/`pushal` is another
        // run that reads like non-code bytes; same caveat as $sequence_2.
        $sequence_9 = { 8d041f f7c5036c87b2 99 84ed f8 60 6681fb744d }
            // n = 7, score = 100
            //   8d041f               | lea                 eax, [edi + ebx]
            //   f7c5036c87b2         | test                ebp, 0xb2876c03
            //   99                   | cdq                 
            //   84ed                 | test                ch, ch
            //   f8                   | clc                 
            //   60                   | pushal              
            //   6681fb744d           | cmp                 bx, 0x4d74

    condition:
        // Require 7 of the 10 byte runs. The filesize guard (10821632 bytes, about
        // 10.3 MiB) skips larger files entirely, so a full process memory dump above
        // that size will not match even if the sequences are present; scan the
        // unpacked image or individual dumped modules instead. Since the sequences
        // were lifted from dumps/unpacked files (see DISCLAIMER), the rule may also
        // miss the packed on-disk form of the sample.
        7 of them and filesize < 10821632
}