Actor(s): Lazarus Group
BOOTWRECK is a master boot record wiper malware.
rule win_bootwreck_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.bootwreck." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f73e 4e 83ca93 37 0e b81b997f80 e0e8 } // n = 7, score = 100 // f73e | idiv dword ptr [esi] // 4e | dec esi // 83ca93 | or edx, 0xffffff93 // 37 | aaa // 0e | push cs // b81b997f80 | mov eax, 0x807f991b // e0e8 | loopne 0xffffffea $sequence_1 = { e8???????? 88db 60 0f9fc3 60 8b7c2440 8d9e49c16089 } // n = 7, score = 100 // e8???????? | // 88db | mov bl, bl // 60 | pushal // 0f9fc3 | setg bl // 60 | pushal // 8b7c2440 | mov edi, dword ptr [esp + 0x40] // 8d9e49c16089 | lea ebx, dword ptr [esi - 0x769f3eb7] $sequence_2 = { 8d642440 0f8c28aa0500 8da82aad67de 5d 9c 60 9c } // n = 7, score = 100 // 8d642440 | lea esp, dword ptr [esp + 0x40] // 0f8c28aa0500 | jl 0x5aa2e // 8da82aad67de | lea ebp, dword ptr [eax - 0x219852d6] // 5d | pop ebp // 9c | pushfd // 60 | pushal // 9c | pushfd $sequence_3 = { 5d c3 55 e8???????? c20400 8bff 56 } // n = 7, score = 100 // 5d | pop ebp // c3 | ret // 55 | push ebp // e8???????? | // c20400 | ret 4 // 8bff | mov edi, edi // 56 | push esi $sequence_4 = { 6689442404 689e671321 8744242c 58 660fb6c2 98 e8???????? } // n = 7, score = 100 // 6689442404 | mov word ptr [esp + 4], ax // 689e671321 | push 0x2113679e // 8744242c | xchg dword ptr [esp + 0x2c], eax // 58 | pop eax // 660fb6c2 | movzx ax, dl // 98 | cwde // e8???????? | $sequence_5 = { 88742404 9c 8d64244c e8???????? 66f7d6 9c 660fce } // n = 7, score = 100 // 88742404 | mov byte ptr [esp + 4], dh // 9c | pushfd // 8d64244c | lea esp, dword ptr [esp + 0x4c] // e8???????? | // 66f7d6 | not si // 9c | pushfd // 660fce | bswap si $sequence_6 = { 27 8890f746e64d 3ac5 1c09 82789a0e 7382 } // n = 6, score = 100 // 27 | daa // 8890f746e64d | mov byte ptr [eax + 0x4de646f7], dl // 3ac5 | cmp al, ch // 1c09 | sbb al, 9 // 82789a0e | // 7382 | jae 0xffffff84 $sequence_7 = { 1dd4474552 f77564 fb 9a4100cf7e2de4 6b3a91 e8???????? } // n = 6, score = 100 // 1dd4474552 | sbb eax, 0x524547d4 // f77564 | div dword ptr [ebp + 0x64] // fb | sti // 9a4100cf7e2de4 | lcall 0xe42d:0x7ecf0041 // 6b3a91 | imul edi, dword ptr [edx], -0x6f // e8???????? | $sequence_8 = { 67747b 6f 26e260 7f4a 3928 6f 7fb4 } // n = 7, score = 100 // 67747b | je 0x7e // 6f | outsd dx, dword ptr [esi] // 26e260 | loop 0x63 // 7f4a | jg 0x4c // 3928 | cmp dword ptr [eax], ebp // 6f | outsd dx, dword ptr [esi] // 7fb4 | jg 0xffffffb6 $sequence_9 = { 44 7ce8 bf6cc5d5da 8927 37 56 92 } // n = 7, score = 100 // 44 | inc esp // 7ce8 | jl 0xffffffea // bf6cc5d5da | mov edi, 0xdad5c56c // 8927 | mov dword ptr [edi], esp // 37 | aaa // 56 | push esi // 92 | xchg eax, edx condition: 7 of them and filesize < 10821632 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY