win.cryptowall

Cryptowall


There is no description at this point.

References
2020-11-23 — Medium (ryancor) — Ryan Cornateanu
@online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08 — Temple University — CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated Malpedia detection rule for win.cryptowall (YARA-Signator).
// Each $sequence_N below is a short byte pattern lifted from the disassembly
// of an unpacked/memory-dumped sample; the registers in the listings
// (eax/ebp/esp) are 32-bit x86. "??" bytes are wildcards. The condition fires
// when at least 7 of the 10 patterns occur in a file smaller than 417792
// bytes (exactly 408 KiB), so it targets unpacked code rather than packed
// droppers; see the DISCLAIMER below before assigning a confidence level.
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Rule generation date; malpedia_version below names the Malpedia
        // data snapshot the sequences were extracted from.
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Extraction settings: call/jump targets and data references are
        // wildcarded ("??") so the patterns survive relocation across builds.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20201222"
        // NOTE(review): presumably identifies the Malpedia sample/corpus
        // revision behind this rule, not a sample file hash — confirm.
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the listings below, "n" is the instruction count of the sequence
        // and "score" the signator ranking; entries with a blank disassembly
        // column are the wildcarded call targets / data references.
        $sequence_0 = { 50 8b4dec 51 e8???????? 8b5030 }
            // n = 5, score = 2100
            //   50                   | push                eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b5030               | mov                 edx, dword ptr [eax + 0x30]

        // Superset of $sequence_0 (one extra leading instruction): both will
        // usually match together, so they contribute two hits toward the
        // "7 of them" threshold from one code site.
        $sequence_1 = { 8b45fc 50 8b4dec 51 e8???????? 8b5030 }
            // n = 6, score = 2100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b5030               | mov                 edx, dword ptr [eax + 0x30]

        // Backward jump (ebe5) after decrementing [ebp-4] by 0x800, followed
        // by the "mov esp, ebp" epilogue — looks like the tail of a loop that
        // steps a local in 2 KiB units; purpose not determinable from here.
        $sequence_2 = { 8b45fc 2d00080000 8945fc ebe5 8b45fc 8be5 }
            // n = 6, score = 2100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   2d00080000           | sub                 eax, 0x800
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ebe5                 | jmp                 0xffffffe7
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8be5                 | mov                 esp, ebp

        // Null check on the first stack argument; 0xc000000d is the NTSTATUS
        // value STATUS_INVALID_PARAMETER, so this reads as an argument
        // validation stub (wildcarded jump target follows).
        $sequence_3 = { 837d0800 750a b80d0000c0 e9???????? }
            // n = 4, score = 2100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   750a                 | jne                 0xc
            //   b80d0000c0           | mov                 eax, 0xc000000d
            //   e9????????           |                     

        // Call with two stack args (add esp, 8 cleans them up), then the
        // result is stored into a global structure at offset 0xb4; the
        // structure address (8b0d) is wildcarded.
        $sequence_4 = { 52 e8???????? 83c408 8b0d???????? 8981b4000000 }
            // n = 5, score = 2100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   8981b4000000         | mov                 dword ptr [ecx + 0xb4], eax

        // Multiplies the first argument by 0x2710 (10000 decimal); the
        // meaning of the factor is not recoverable from the listing.
        $sequence_5 = { eb17 8b4508 ba10270000 f7e2 }
            // n = 4, score = 2100
            //   eb17                 | jmp                 0x19
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ba10270000           | mov                 edx, 0x2710
            //   f7e2                 | mul                 edx

        // Consecutive 16-bit stores of 0x33 ('3'), 0x32 ('2') and 0 into
        // adjacent stack slots — looks like a wide-character string being
        // assembled on the stack; confirm against the sample.
        $sequence_6 = { 668945ec b933000000 66894dee ba32000000 668955f0 33c0 668945f2 }
            // n = 7, score = 2100
            //   668945ec             | mov                 word ptr [ebp - 0x14], ax
            //   b933000000           | mov                 ecx, 0x33
            //   66894dee             | mov                 word ptr [ebp - 0x12], cx
            //   ba32000000           | mov                 edx, 0x32
            //   668955f0             | mov                 word ptr [ebp - 0x10], dx
            //   33c0                 | xor                 eax, eax
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax

        // Post-call comparison of the return value with the first argument
        // and of the second argument with -1 (two branch checks).
        $sequence_7 = { 83c408 3b4508 751c 837d0cff 740b }
            // n = 5, score = 2100
            //   83c408               | add                 esp, 8
            //   3b4508               | cmp                 eax, dword ptr [ebp + 8]
            //   751c                 | jne                 0x1e
            //   837d0cff             | cmp                 dword ptr [ebp + 0xc], -1
            //   740b                 | je                  0xd

        // Argument setup (8, 0, pointer to a local) for a call that is not
        // part of the pattern; short generic sequence, likely the weakest
        // discriminator of the set.
        $sequence_8 = { 6a08 6a00 8d55ec 52 }
            // n = 4, score = 2100
            //   6a08                 | push                8
            //   6a00                 | push                0
            //   8d55ec               | lea                 edx, [ebp - 0x14]
            //   52                   | push                edx

        // Same shape as $sequence_4 but storing into offset 0xf4 of the
        // (wildcarded) global structure.
        $sequence_9 = { e8???????? 83c408 8b0d???????? 8981f4000000 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   8981f4000000         | mov                 dword ptr [ecx + 0xf4], eax

    condition:
        // Any 7 of the 10 sequences, and a size cap of 417792 bytes (408 KiB);
        // packed or embedded copies larger than that will not match.
        7 of them and filesize < 417792
}