win.bootwreck

BOOTWRECK

aka: MBRkiller

Actor(s): Lazarus Group


BOOTWRECK is master boot record (MBR) wiper malware.

References
2018-06-07 | Trend Micro | Fernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_bootwreck_auto (20230125 | Detects win.bootwreck.)
rule win_bootwreck_auto {

    /* Auto-generated detection rule for the BOOTWRECK MBR wiper (Malpedia
     * family win.bootwreck), produced by yara-signator from disassembly of
     * the documented sample(s). The rule fires when at least 7 of the 10
     * byte sequences below are present and the file is under the size bound
     * given in the condition. See the DISCLAIMER below before assigning a
     * confidence level to matches.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bootwreck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of raw x86 instruction bytes; the commented
     * disassembly next to each hex string is the generator's own annotation.
     * "n" is the instruction count, "score" the generator's ranking.
     * The `????????` wildcards in the e8/e9 entries leave the 4-byte relative
     * displacement of a call/jmp unconstrained, presumably so the sequence
     * still matches when the target offset differs between builds -- the
     * generator leaves the disassembly column blank for those entries.
     * NOTE(review): several sequences (0, 2, 4, 5, 6, 7) consist largely of
     * pushal/pushfd/stc and register-shuffling instructions, and $sequence_1
     * disassembles to short jumps with zero displacement; these look more like
     * obfuscation/packer stubs or data decoded as code than the wiper's own
     * logic. That is consistent with the DISCLAIMER above (single-sample
     * source) and is a reason to treat a 7-of-10 hit as a lead to confirm
     * rather than a standalone verdict.
     */
    strings:
        $sequence_0 = { 28ec 8b45f8 60 f9 6681f98ac3 a90000ffff 66891c24 }
            // n = 7, score = 100
            //   28ec                 | sub                 ah, ch
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   60                   | pushal              
            //   f9                   | stc                 
            //   6681f98ac3           | cmp                 cx, 0xc38a
            //   a90000ffff           | test                eax, 0xffff0000
            //   66891c24             | mov                 word ptr [esp], bx

        $sequence_1 = { 7300 53 7074 00530f 7700 24b8 7800 }
            // n = 7, score = 100
            //   7300                 | jae                 2
            //   53                   | push                ebx
            //   7074                 | jo                  0x76
            //   00530f               | add                 byte ptr [ebx + 0xf], dl
            //   7700                 | ja                  2
            //   24b8                 | and                 al, 0xb8
            //   7800                 | js                  2

        $sequence_2 = { 9c 5f f7d7 5f 8d9b661ee2b9 9c }
            // n = 6, score = 100
            //   9c                   | pushfd              
            //   5f                   | pop                 edi
            //   f7d7                 | not                 edi
            //   5f                   | pop                 edi
            //   8d9b661ee2b9         | lea                 ebx, [ebx - 0x461de19a]
            //   9c                   | pushfd              

        $sequence_3 = { 66891424 6687de 660fbef2 886c2408 8b74240c 880c24 }
            // n = 6, score = 100
            //   66891424             | mov                 word ptr [esp], dx
            //   6687de               | xchg                si, bx
            //   660fbef2             | movsx               si, dl
            //   886c2408             | mov                 byte ptr [esp + 8], ch
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   880c24               | mov                 byte ptr [esp], cl

        $sequence_4 = { 60 9c 8b92bf434600 9c 6851bf1d89 c60424b4 8d92d4bcc119 }
            // n = 7, score = 100
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   8b92bf434600         | mov                 edx, dword ptr [edx + 0x4643bf]
            //   9c                   | pushfd              
            //   6851bf1d89           | push                0x891dbf51
            //   c60424b4             | mov                 byte ptr [esp], 0xb4
            //   8d92d4bcc119         | lea                 edx, [edx + 0x19c1bcd4]

        $sequence_5 = { 66f7d2 66c70424db8b 8b54240c e9???????? e8???????? 60 8bad0a004400 }
            // n = 7, score = 100
            //   66f7d2               | not                 dx
            //   66c70424db8b         | mov                 word ptr [esp], 0x8bdb
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   e9????????           |                     
            //   e8????????           |                     
            //   60                   | pushal              
            //   8bad0a004400         | mov                 ebp, dword ptr [ebp + 0x44000a]

        $sequence_6 = { f7d1 60 f9 6639e9 ff742404 85c9 e8???????? }
            // n = 7, score = 100
            //   f7d1                 | not                 ecx
            //   60                   | pushal              
            //   f9                   | stc                 
            //   6639e9               | cmp                 cx, bp
            //   ff742404             | push                dword ptr [esp + 4]
            //   85c9                 | test                ecx, ecx
            //   e8????????           |                     

        $sequence_7 = { e9???????? ff7510 8f442448 9c 9c 66c70424931c 891424 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8f442448             | pop                 dword ptr [esp + 0x48]
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   66c70424931c         | mov                 word ptr [esp], 0x1c93
            //   891424               | mov                 dword ptr [esp], edx

        $sequence_8 = { c744241c00000000 c604247c 8d64241c e8???????? 660fbcf3 66f7de 660fce }
            // n = 7, score = 100
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   c604247c             | mov                 byte ptr [esp], 0x7c
            //   8d64241c             | lea                 esp, [esp + 0x1c]
            //   e8????????           |                     
            //   660fbcf3             | bsf                 si, bx
            //   66f7de               | neg                 si
            //   660fce               | bswap               si

        // $sequence_9 is the only sequence that reads like a plain counted
        // loop (increment two locals, compare, branch back); it is the
        // closest thing here to compiler-emitted program logic.
        $sequence_9 = { 888c18b0993700 ff4594 8b4594 3b45a0 7cae ff459c }
            // n = 6, score = 100
            //   888c18b0993700       | mov                 byte ptr [eax + ebx + 0x3799b0], cl
            //   ff4594               | inc                 dword ptr [ebp - 0x6c]
            //   8b4594               | mov                 eax, dword ptr [ebp - 0x6c]
            //   3b45a0               | cmp                 eax, dword ptr [ebp - 0x60]
            //   7cae                 | jl                  0xffffffb0
            //   ff459c               | inc                 dword ptr [ebp - 0x64]

    // Match when any 7 of the 10 $sequence_* strings are present; the
    // filesize bound (10821632 bytes, roughly 10.3 MiB) caps scan cost and
    // excludes large files that happen to contain a few of the short
    // byte runs. Because the sequences come from unpacked/memory-dump
    // material (see DISCLAIMER), expect on-disk packed samples to be missed.
    condition:
        7 of them and filesize < 10821632
}