SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bootwreck (Back to overview)

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is a master boot record wiper malware.

References
2018-06-07Trend MicroFernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bootwreck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b23d 8b5514 8d84240bb3ad19 9c 660fb6c0 8b4510 }
            // n = 6, score = 100
            //   b23d                 | mov                 dl, 0x3d
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8d84240bb3ad19       | lea                 eax, [esp + 0x19adb30b]
            //   9c                   | pushfd              
            //   660fb6c0             | movzx               ax, al
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_1 = { 0f91c7 660fcb 0f90c7 8b5c240c 8d2c75c79eccde 8b6c2410 ff742408 }
            // n = 7, score = 100
            //   0f91c7               | setno               bh
            //   660fcb               | bswap               bx
            //   0f90c7               | seto                bh
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   8d2c75c79eccde       | lea                 ebp, [esi*2 - 0x21336139]
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   ff742408             | push                dword ptr [esp + 8]

        $sequence_2 = { 1574c1f219 66d5c2 70df c803d13a bd39c7a88a 8022a0 2f }
            // n = 7, score = 100
            //   1574c1f219           | adc                 eax, 0x19f2c174
            //   66d5c2               | aad                 0xc2
            //   70df                 | jo                  0xffffffe1
            //   c803d13a             | enter               -0x2efd, 0x3a
            //   bd39c7a88a           | mov                 ebp, 0x8aa8c739
            //   8022a0               | and                 byte ptr [edx], 0xa0
            //   2f                   | das                 

        $sequence_3 = { 9c e8???????? 8d642444 0f8419d9ffff 9c 893424 60 }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   e8????????           |                     
            //   8d642444             | lea                 esp, [esp + 0x44]
            //   0f8419d9ffff         | je                  0xffffd91f
            //   9c                   | pushfd              
            //   893424               | mov                 dword ptr [esp], esi
            //   60                   | pushal              

        $sequence_4 = { c74424043f0888a5 c704242c9108d6 c60424d0 c7042439683c09 9c 60 9c }
            // n = 7, score = 100
            //   c74424043f0888a5     | mov                 dword ptr [esp + 4], 0xa588083f
            //   c704242c9108d6       | mov                 dword ptr [esp], 0xd608912c
            //   c60424d0             | mov                 byte ptr [esp], 0xd0
            //   c7042439683c09       | mov                 dword ptr [esp], 0x93c6839
            //   9c                   | pushfd              
            //   60                   | pushal              
            //   9c                   | pushfd              

        $sequence_5 = { 60 66c7442408faf3 66894c2404 8974242c 89f6 be???????? 9c }
            // n = 7, score = 100
            //   60                   | pushal              
            //   66c7442408faf3       | mov                 word ptr [esp + 8], 0xf3fa
            //   66894c2404           | mov                 word ptr [esp + 4], cx
            //   8974242c             | mov                 dword ptr [esp + 0x2c], esi
            //   89f6                 | mov                 esi, esi
            //   be????????           |                     
            //   9c                   | pushfd              

        $sequence_6 = { 5d 9c 9c c7042496fa2c28 ff742408 c21c00 60 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   c7042496fa2c28       | mov                 dword ptr [esp], 0x282cfa96
            //   ff742408             | push                dword ptr [esp + 8]
            //   c21c00               | ret                 0x1c
            //   60                   | pushal              

        $sequence_7 = { e9???????? 6838097833 89ec 0fbeeb 660fbeeb 9c 60 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   6838097833           | push                0x33780938
            //   89ec                 | mov                 esp, ebp
            //   0fbeeb               | movsx               ebp, bl
            //   660fbeeb             | movsx               bp, bl
            //   9c                   | pushfd              
            //   60                   | pushal              

        $sequence_8 = { 99 ec 85d9 57 3ebe1562e908 f5 }
            // n = 6, score = 100
            //   99                   | cdq                 
            //   ec                   | in                  al, dx
            //   85d9                 | test                ecx, ebx
            //   57                   | push                edi
            //   3ebe1562e908         | mov                 esi, 0x8e96215
            //   f5                   | cmc                 

        $sequence_9 = { 1433 2097e45384fb 48 df4e9b 2930 d028 85819d886810 }
            // n = 7, score = 100
            //   1433                 | adc                 al, 0x33
            //   2097e45384fb         | and                 byte ptr [edi - 0x47bac1c], dl
            //   48                   | dec                 eax
            //   df4e9b               | fisttp              word ptr [esi - 0x65]
            //   2930                 | sub                 dword ptr [eax], esi
            //   d028                 | shr                 byte ptr [eax], 1
            //   85819d886810         | test                dword ptr [ecx + 0x1068889d], eax

    condition:
        7 of them and filesize < 10821632
}
Download all Yara Rules