win.cryptowall

Cryptowall


There is no description at this point.

References
2020-11-23 — Medium (ryancor) — Ryan Cornateanu
@online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08 — Temple University — CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20230125 | Detects win.cryptowall.)
/*
 * win_cryptowall_auto — auto-generated code-sequence signature for win.cryptowall.
 *
 * Each $sequence_N is a short run of x86 opcode bytes lifted from the disassembly
 * of unpacked / memory-dumped samples (see DISCLAIMER below); "????????" wildcards
 * mask relocatable call/jump targets and absolute data addresses. Individually the
 * sequences are generic compiler idioms; the specificity comes from the condition,
 * which requires at least 7 of the 10 sequences to co-occur in one object.
 *
 * Review notes for operators:
 *  - The rule targets UNPACKED code. Packed or on-disk-encrypted samples will not
 *    match; scan memory dumps / unpacked payloads, not only the original dropper.
 *  - The filesize bound (417792 bytes) limits the size of the scanned object. When
 *    scanning large containers or process memory this bound may suppress matches —
 *    confirm it fits your scanning use case before relying on the rule for coverage.
 *  - Treat a hit as a triage indicator to be confirmed, not as sole conviction;
 *    the generator documents that only a small number of samples per family were
 *    used, so false-negative rates on newer builds are unknown.
 */
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.cryptowall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking value for the sequence (higher = preferred).
        // Wildcarded bytes (??) are call/jmp displacements and absolute addresses.
        $sequence_0 = { e8???????? 83c408 e9???????? 837d0c02 752e }
            // n = 5, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   e9????????           |                     
            //   837d0c02             | cmp                 dword ptr [ebp + 0xc], 2
            //   752e                 | jne                 0x30
            // Generic: cdecl call cleanup followed by a compare of the 2nd stack
            // argument against 2. Low specificity on its own.

        $sequence_1 = { 52 6a00 e8???????? 8b4018 50 }
            // n = 5, score = 2100
            //   52                   | push                edx
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   50                   | push                eax
            // Generic call-argument setup; the called target is wildcarded.

        $sequence_2 = { b873000000 668945e4 b979000000 66894de6 ba73000000 668955e8 }
            // n = 6, score = 2100
            //   b873000000           | mov                 eax, 0x73
            //   668945e4             | mov                 word ptr [ebp - 0x1c], ax
            //   b979000000           | mov                 ecx, 0x79
            //   66894de6             | mov                 word ptr [ebp - 0x1a], cx
            //   ba73000000           | mov                 edx, 0x73
            //   668955e8             | mov                 word ptr [ebp - 0x18], dx
            // Stores the 16-bit values 0x73, 0x79, 0x73 ('s','y','s') into
            // consecutive stack words — looks like a stack-built wide string
            // (string-obfuscation idiom); the full string is not visible here.

        $sequence_3 = { 7d1f 6a09 6a00 e8???????? }
            // n = 4, score = 2100
            //   7d1f                 | jge                 0x21
            //   6a09                 | push                9
            //   6a00                 | push                0
            //   e8????????           |                     
            // Short and generic (4 instructions); contributes little specificity.

        $sequence_4 = { e8???????? 83c408 8b0d???????? 894124 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   894124               | mov                 dword ptr [ecx + 0x24], eax
            // Call result stored at offset 0x24 of an object read from a global
            // (the global's address is wildcarded).

        $sequence_5 = { 83fa5a 7f0b 0fb74508 83c020 66894508 }
            // n = 5, score = 2100
            //   83fa5a               | cmp                 edx, 0x5a
            //   7f0b                 | jg                  0xd
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83c020               | add                 eax, 0x20
            //   66894508             | mov                 word ptr [ebp + 8], ax
            // Compares a 16-bit char against 0x5a ('Z') and adds 0x20 — presumably
            // an inlined ASCII-to-lowercase on a wide char (TODO confirm; common
            // compiler/CRT idiom, not unique to this family).

        $sequence_6 = { 7511 6aff 8b4508 50 }
            // n = 4, score = 2100
            //   7511                 | jne                 0x13
            //   6aff                 | push                -1
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            // Generic: pushes -1 and the first argument before a (not captured) call.

        $sequence_7 = { 8945fc 8b4dfc 0fb711 81fa4d5a0000 740d }
            // n = 5, score = 2100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb711               | movzx               edx, word ptr [ecx]
            //   81fa4d5a0000         | cmp                 edx, 0x5a4d
            //   740d                 | je                  0xf
            // Checks the first word of a buffer for 0x5a4d ("MZ") — a PE header
            // check. Very common in loaders/injectors and benign PE parsers alike;
            // expect this sequence to appear in many unrelated binaries.

        $sequence_8 = { 0fbe4d08 83f97a 7f0a 0fbe5508 83ea20 885508 }
            // n = 6, score = 2100
            //   0fbe4d08             | movsx               ecx, byte ptr [ebp + 8]
            //   83f97a               | cmp                 ecx, 0x7a
            //   7f0a                 | jg                  0xc
            //   0fbe5508             | movsx               edx, byte ptr [ebp + 8]
            //   83ea20               | sub                 edx, 0x20
            //   885508               | mov                 byte ptr [ebp + 8], dl
            // Compares a byte against 0x7a ('z') and subtracts 0x20 — presumably an
            // inlined ASCII-to-uppercase (TODO confirm); the narrow-char counterpart
            // of $sequence_5. Note the unoptimized double load of [ebp + 8], which
            // hints at a debug/non-optimized build of the sampled code.

        $sequence_9 = { c645ea64 c645eb7c c645ec25 c645ed73 c645ee7c c645ef25 }
            // n = 6, score = 2100
            //   c645ea64             | mov                 byte ptr [ebp - 0x16], 0x64
            //   c645eb7c             | mov                 byte ptr [ebp - 0x15], 0x7c
            //   c645ec25             | mov                 byte ptr [ebp - 0x14], 0x25
            //   c645ed73             | mov                 byte ptr [ebp - 0x13], 0x73
            //   c645ee7c             | mov                 byte ptr [ebp - 0x12], 0x7c
            //   c645ef25             | mov                 byte ptr [ebp - 0x11], 0x25
            // Byte-wise stack construction of "d|%s|%" — a fragment of a
            // pipe-delimited printf-style format string, presumably assembled on
            // the stack to avoid a plain-text .rdata string (TODO confirm against
            // the sample). Among the more family-specific sequences in this rule.

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // object must be smaller than 417792 bytes (0x66000). The size bound cuts
        // scan cost and false positives on large files, but will also reject an
        // unpacked dump that exceeds it.
        7 of them and filesize < 417792
}