Covid22 (Malware Family)

Covid22

Destructive "joke" malware that ultimately deploys a wiper for the MBR.
References

2021-11-11 ⋅ Fortinet ⋅ Shunichi Imano, Fred Gutierrez
To Joke or Not to Joke: COVID-22 Brings Disaster to MBR
Covid22
Yara Rules

[TLP:WHITE] win_covid22_auto (20221125 | Detects win.covid22.)
rule win_covid22_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.covid22."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8db56cffffff 8d7dc0 a5 a5 a5 a5 5f }
            // n = 7, score = 100
            //   8db56cffffff         | lea                 esi, [ebp - 0x94]
            //   8d7dc0               | lea                 edi, [ebp - 0x40]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   5f                   | pop                 edi

        $sequence_1 = { 6a00 50 8b8388010000 50 e8???????? 5d 5f }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8b8388010000         | mov                 eax, dword ptr [ebx + 0x188]
            //   50                   | push                eax
            //   e8????????           |                     
            //   5d                   | pop                 ebp
            //   5f                   | pop                 edi

        $sequence_2 = { 8d45fc 8b55f8 e8???????? 8b55fc 8b4df8 8bc3 e8???????? }
            // n = 7, score = 100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_3 = { 0071f3 40 008bf34000ac f340 00cd f340 00ea }
            // n = 7, score = 100
            //   0071f3               | add                 byte ptr [ecx - 0xd], dh
            //   40                   | inc                 eax
            //   008bf34000ac         | add                 byte ptr [ebx - 0x53ffbf0d], cl
            //   f340                 | inc                 eax
            //   00cd                 | add                 ch, cl
            //   f340                 | inc                 eax
            //   00ea                 | add                 dl, ch

        $sequence_4 = { e8???????? 50 e8???????? 40 753a 893424 c644240400 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   40                   | inc                 eax
            //   753a                 | jne                 0x3c
            //   893424               | mov                 dword ptr [esp], esi
            //   c644240400           | mov                 byte ptr [esp + 4], 0

        $sequence_5 = { 8bc6 8bca 8bd0 8b860c020000 ff9608020000 5f 5e }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   8bca                 | mov                 ecx, edx
            //   8bd0                 | mov                 edx, eax
            //   8b860c020000         | mov                 eax, dword ptr [esi + 0x20c]
            //   ff9608020000         | call                dword ptr [esi + 0x208]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_6 = { 50 53 ff35???????? ff15???????? 803f22 89457c 7423 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   803f22               | cmp                 byte ptr [edi], 0x22
            //   89457c               | mov                 dword ptr [ebp + 0x7c], eax
            //   7423                 | je                  0x25

        $sequence_7 = { a1???????? e8???????? 898390000000 b201 a1???????? e8???????? 898398000000 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   e8????????           |                     
            //   898390000000         | mov                 dword ptr [ebx + 0x90], eax
            //   b201                 | mov                 dl, 1
            //   a1????????           |                     
            //   e8????????           |                     
            //   898398000000         | mov                 dword ptr [ebx + 0x98], eax

        $sequence_8 = { 83e13f f6c120 742c 8b55f4 0fb61432 46 8bda }
            // n = 7, score = 100
            //   83e13f               | and                 ecx, 0x3f
            //   f6c120               | test                cl, 0x20
            //   742c                 | je                  0x2e
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   0fb61432             | movzx               edx, byte ptr [edx + esi]
            //   46                   | inc                 esi
            //   8bda                 | mov                 ebx, edx

        $sequence_9 = { 56 8bd9 8955f8 8945fc 8b45fc 668148548000 8b45f8 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8bd9                 | mov                 ebx, ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   668148548000         | or                  word ptr [eax + 0x54], 0x80
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

    condition:
        7 of them and filesize < 1955840
}
Download all Yara Rules
Covid22 Propose Change

References

Yara Rules

Covid22
