Actor(s): Lazarus Group
BOOTWRECK is a master boot record (MBR) wiper malware.
// Autogenerated detection rule for BOOTWRECK (Lazarus Group MBR wiper), produced by
// yara-signator from Malpedia samples. Each $sequence_N is a run of opcode bytes
// lifted from disassembly ("n" = instruction count, "score" = signator ranking).
// The rule fires when at least 7 of the 10 sequences occur in a file below the
// size bound in the condition. See the DISCLAIMER below about generalization:
// the sequences come from a small sample set, so treat hits as a starting point
// for triage rather than a definitive family attribution.
// NOTE(review): several sequences are dominated by pushfd/pushal and unusual
// instructions with odd immediates, which suggests the source code may have been
// obfuscated or partially misdisassembled — confirm against a known sample.
rule win_bootwreck_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings. "callsandjumps" and "datarefs" presumably
        // correspond to the `??` wildcard bytes below (call/jmp targets and
        // absolute data references), so the sequences are not tied to one
        // image base or link-time layout.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { b23d 8b5514 8d84240bb3ad19 9c 660fb6c0 8b4510 }
            // n = 6, score = 100
            //   b23d                 | mov                 dl, 0x3d
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8d84240bb3ad19       | lea                 eax, [esp + 0x19adb30b]
            //   9c                   | pushfd
            //   660fb6c0             | movzx               ax, al
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_1 = { 0f91c7 660fcb 0f90c7 8b5c240c 8d2c75c79eccde 8b6c2410 ff742408 }
            // n = 7, score = 100
            //   0f91c7               | setno               bh
            //   660fcb               | bswap               bx
            //   0f90c7               | seto                bh
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   8d2c75c79eccde       | lea                 ebp, [esi*2 - 0x21336139]
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   ff742408             | push                dword ptr [esp + 8]

        $sequence_2 = { 1574c1f219 66d5c2 70df c803d13a bd39c7a88a 8022a0 2f }
            // n = 7, score = 100
            //   1574c1f219           | adc                 eax, 0x19f2c174
            //   66d5c2               | aad                 0xc2
            //   70df                 | jo                  0xffffffe1
            //   c803d13a             | enter               -0x2efd, 0x3a
            //   bd39c7a88a           | mov                 ebp, 0x8aa8c739
            //   8022a0               | and                 byte ptr [edx], 0xa0
            //   2f                   | das
            // NOTE(review): aad, enter with a negative frame size and das are
            // rare in compiler-generated code; this run (and likewise
            // $sequence_8 and $sequence_9) may be data or misaligned bytes
            // decoded as instructions. A match that relies mainly on these
            // sequences deserves lower confidence than one carried by the
            // stack-manipulation sequences.

        $sequence_3 = { 9c e8???????? 8d642444 0f8419d9ffff 9c 893424 60 }
            // n = 7, score = 100
            //   9c                   | pushfd
            //   e8????????           |
            //   8d642444             | lea                 esp, [esp + 0x44]
            //   0f8419d9ffff         | je                  0xffffd91f
            //   9c                   | pushfd
            //   893424               | mov                 dword ptr [esp], esi
            //   60                   | pushal

        $sequence_4 = { c74424043f0888a5 c704242c9108d6 c60424d0 c7042439683c09 9c 60 9c }
            // n = 7, score = 100
            //   c74424043f0888a5     | mov                 dword ptr [esp + 4], 0xa588083f
            //   c704242c9108d6       | mov                 dword ptr [esp], 0xd608912c
            //   c60424d0             | mov                 byte ptr [esp], 0xd0
            //   c7042439683c09       | mov                 dword ptr [esp], 0x93c6839
            //   9c                   | pushfd
            //   60                   | pushal
            //   9c                   | pushfd

        $sequence_5 = { 60 66c7442408faf3 66894c2404 8974242c 89f6 be???????? 9c }
            // n = 7, score = 100
            //   60                   | pushal
            //   66c7442408faf3       | mov                 word ptr [esp + 8], 0xf3fa
            //   66894c2404           | mov                 word ptr [esp + 4], cx
            //   8974242c             | mov                 dword ptr [esp + 0x2c], esi
            //   89f6                 | mov                 esi, esi
            //   be????????           |
            //   9c                   | pushfd

        $sequence_6 = { 5d 9c 9c c7042496fa2c28 ff742408 c21c00 60 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   9c                   | pushfd
            //   9c                   | pushfd
            //   c7042496fa2c28       | mov                 dword ptr [esp], 0x282cfa96
            //   ff742408             | push                dword ptr [esp + 8]
            //   c21c00               | ret                 0x1c
            //   60                   | pushal

        $sequence_7 = { e9???????? 6838097833 89ec 0fbeeb 660fbeeb 9c 60 }
            // n = 7, score = 100
            //   e9????????           |
            //   6838097833           | push                0x33780938
            //   89ec                 | mov                 esp, ebp
            //   0fbeeb               | movsx               ebp, bl
            //   660fbeeb             | movsx               bp, bl
            //   9c                   | pushfd
            //   60                   | pushal

        $sequence_8 = { 99 ec 85d9 57 3ebe1562e908 f5 }
            // n = 6, score = 100
            //   99                   | cdq
            //   ec                   | in                  al, dx
            //   85d9                 | test                ecx, ebx
            //   57                   | push                edi
            //   3ebe1562e908         | mov                 esi, 0x8e96215
            //   f5                   | cmc
            // NOTE(review): a privileged port read (in al, dx) in user-mode
            // code is suspicious as real code; see the note on $sequence_2.

        $sequence_9 = { 1433 2097e45384fb 48 df4e9b 2930 d028 85819d886810 }
            // n = 7, score = 100
            //   1433                 | adc                 al, 0x33
            //   2097e45384fb         | and                 byte ptr [edi - 0x47bac1c], dl
            //   48                   | dec                 eax
            //   df4e9b               | fisttp              word ptr [esi - 0x65]
            //   2930                 | sub                 dword ptr [eax], esi
            //   d028                 | shr                 byte ptr [eax], 1
            //   85819d886810         | test                dword ptr [ecx + 0x1068889d], eax
            // NOTE(review): stray x87 fisttp among integer ops; see the note
            // on $sequence_2.

    condition:
        // Require a majority (7 of 10) of the sequences, so a few sequences
        // failing on a different build do not defeat the rule while isolated
        // byte coincidences do not trigger it. The filesize bound keeps the
        // scan cheap; it was presumably derived from the documented sample(s),
        // so larger repacked or bundled variants would not match.
        7 of them and filesize < 10821632
}