
BOOTWRECK (Malpedia identifier: win.bootwreck)

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is master boot record (MBR) wiper malware.

References
2018-06-07 | Trend Micro | Fernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20211008 | Detects win.bootwreck.)
rule win_bootwreck_auto {
    // Auto-generated opcode-sequence signature for BOOTWRECK (aka MBRkiller),
    // an MBR wiper attributed to Lazarus Group. It matches raw x86 byte
    // sequences lifted from the disassembly of a reference sample, not
    // behaviour: a repacked or recompiled build may not match, and unrelated
    // code that happens to share these bytes can match, so corroborate hits
    // with the reference context before acting on them.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20211007"
        // NOTE(review): malpedia_hash is emitted by the generator next to the
        // rule date and does not appear to be the hash of the matched sample;
        // confirm its meaning before treating it as an indicator.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 consecutive x86 instructions from the
        // reference sample ("n = 7"; "score = 100" is the generator's score for
        // that sequence). Bytes written as "??" are wildcards that match any
        // value (e.g. the rel32 operand of an e8/call or e9/jmp, or the moffs32
        // operand of a1/mov eax), so relocated or re-linked builds still match.
        // The disassembly listed under each sequence is informational only and
        // has no effect on matching.
        $sequence_0 = { 8d1c8d1254f60f 8b7c2440 8d1c5d38b9466e e8???????? 85c0 e8???????? 8d2ced31089109 }
            // n = 7, score = 100
            //   8d1c8d1254f60f       | lea                 ebx, dword ptr [ecx*4 + 0xff65412]
            //   8b7c2440             | mov                 edi, dword ptr [esp + 0x40]
            //   8d1c5d38b9466e       | lea                 ebx, dword ptr [ebx*2 + 0x6e46b938]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   e8????????           |                     
            //   8d2ced31089109       | lea                 ebp, dword ptr [ebp*8 + 0x9910831]

        $sequence_1 = { 60 c7442428eb391a4d ff3424 9c ff742408 8d642434 e9???????? }
            // n = 7, score = 100
            //   60                   | pushal              
            //   c7442428eb391a4d     | mov                 dword ptr [esp + 0x28], 0x4d1a39eb
            //   ff3424               | push                dword ptr [esp]
            //   9c                   | pushfd              
            //   ff742408             | push                dword ptr [esp + 8]
            //   8d642434             | lea                 esp, dword ptr [esp + 0x34]
            //   e9????????           |                     

        $sequence_2 = { e8???????? 5f 5e c20800 55 8bec 83ec50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec50               | sub                 esp, 0x50

        $sequence_3 = { 8d64244c e8???????? 60 8b6c2420 883c24 ff742424 c23400 }
            // n = 7, score = 100
            //   8d64244c             | lea                 esp, dword ptr [esp + 0x4c]
            //   e8????????           |                     
            //   60                   | pushal              
            //   8b6c2420             | mov                 ebp, dword ptr [esp + 0x20]
            //   883c24               | mov                 byte ptr [esp], bh
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   c23400               | ret                 0x34

        // NOTE(review): $sequence_4 through $sequence_7 decode to unusual
        // instructions for ordinary compiled code (in/out, int1, outsd, popfd,
        // push es, a far jmp via ea). They may have been lifted from packed,
        // encrypted or non-code regions of the sample rather than from program
        // logic, so a hit that rests mainly on these is weaker evidence.
        $sequence_4 = { 19abacc23eaa c11373 54 d03c89 9d e430 76e6 }
            // n = 7, score = 100
            //   19abacc23eaa         | sbb                 dword ptr [ebx - 0x55c13d54], ebp
            //   c11373               | rcl                 dword ptr [ebx], 0x73
            //   54                   | push                esp
            //   d03c89               | sar                 byte ptr [ecx + ecx*4], 1
            //   9d                   | popfd               
            //   e430                 | in                  al, 0x30
            //   76e6                 | jbe                 0xffffffe8

        $sequence_5 = { c06fa6f3 2493 3331 bb24c21031 3b98fb9e1a61 a1???????? 396ad1 }
            // n = 7, score = 100
            //   c06fa6f3             | shr                 byte ptr [edi - 0x5a], 0xf3
            //   2493                 | and                 al, 0x93
            //   3331                 | xor                 esi, dword ptr [ecx]
            //   bb24c21031           | mov                 ebx, 0x3110c224
            //   3b98fb9e1a61         | cmp                 ebx, dword ptr [eax + 0x611a9efb]
            //   a1????????           |                     
            //   396ad1               | cmp                 dword ptr [edx - 0x2f], ebp

        $sequence_6 = { e027 3e55 054c6cd9ba 60 e260 ef 06 }
            // n = 7, score = 100
            //   e027                 | loopne              0x29
            //   3e55                 | push                ebp
            //   054c6cd9ba           | add                 eax, 0xbad96c4c
            //   60                   | pushal              
            //   e260                 | loop                0x62
            //   ef                   | out                 dx, eax
            //   06                   | push                es

        $sequence_7 = { 45 8c675c d887cbf29518 94 bb5be9200d 80db72 ea???????????? }
            // n = 7, score = 100
            //   45                   | inc                 ebp
            //   8c675c               | mov                 word ptr [edi + 0x5c], fs
            //   d887cbf29518         | fadd                dword ptr [edi + 0x1895f2cb]
            //   94                   | xchg                eax, esp
            //   bb5be9200d           | mov                 ebx, 0xd20e95b
            //   80db72               | sbb                 bl, 0x72
            //   ea????????????       |                     

        $sequence_8 = { 66c1cf0a 29db 6840aebb66 8b7c2404 e8???????? 9c 60 }
            // n = 7, score = 100
            //   66c1cf0a             | ror                 di, 0xa
            //   29db                 | sub                 ebx, ebx
            //   6840aebb66           | push                0x66bbae40
            //   8b7c2404             | mov                 edi, dword ptr [esp + 4]
            //   e8????????           |                     
            //   9c                   | pushfd              
            //   60                   | pushal              

        $sequence_9 = { 9c c744243000000000 e8???????? 0fc2b948af4f6282 7d4c f1 6f }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   e8????????           |                     
            //   0fc2b948af4f6282     | cmpps               xmm7, xmmword ptr [ecx + 0x624faf48], 0x82
            //   7d4c                 | jge                 0x4e
            //   f1                   | int1                
            //   6f                   | outsd               dx, dword ptr [esi]

    condition:
        // At least 7 of the 10 sequences must be present AND the scanned object
        // must be smaller than 10821632 bytes (~10.3 MiB). The size cap is
        // generator output, presumably derived from the reference sample —
        // confirm before relaxing it. filesize is only meaningful for file
        // scans; check the rule's behaviour before reusing it on process memory.
        7 of them and filesize < 10821632
}