win.cryptowall (Back to overview)

Cryptowall


There is no description at this point.

References
2020-11-23 | Medium ryancor | Ryan Cornateanu
@online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08 | Temple University | CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20211008 | Detects win.cryptowall.)
// Autogenerated code-sequence rule for win.cryptowall (Malpedia).
// Matches when at least 7 of the 10 opcode sequences below are present in a
// file smaller than 417792 bytes. The sequences were picked by yara-signator
// from disassembly of unpacked samples, so treat this as a detection aid for
// unpacked/in-memory-dumped code rather than for packed droppers.
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.cryptowall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // NOTE(review): presumably the yara-signator feature classes used when
        // selecting sequences; see the tool's documentation to confirm.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20211007"
        // NOTE(review): this looks like a Malpedia dataset/rule-set snapshot id,
        // not a sample hash — do not use it as an IoC; confirm against Malpedia.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw x86 opcode bytes. "n" is the number
        // of instructions in the run (matches the listing below each string);
        // "score" is yara-signator's ranking of the sequence — presumably
        // higher means more distinctive within the Malpedia corpus, confirm
        // with the tool's docs before weighting on it.
        // `e8????????` wildcards the rel32 operand of a `call`, so the pattern
        // survives differing call targets / relocation; only the opcode byte
        // is pinned on those lines.

        // Looks like a compiler-emitted 64-bit negate after a multiply
        // (neg/adc/neg idiom) — fairly generic on its own, which is why the
        // condition requires several sequences rather than any single one.
        $sequence_0 = { f7e2 f7d8 83d200 f7da 8945f8 8955fc }
            // n = 6, score = 2100
            //   f7e2                 | mul                 edx
            //   f7d8                 | neg                 eax
            //   83d200               | adc                 edx, 0
            //   f7da                 | neg                 edx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_1 = { e8???????? 8b10 ffd2 8b45f0 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ffd2                 | call                edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        // Compare against 0x7a ('z') then subtract 0x20 — looks like an inline
        // lowercase-to-uppercase conversion, another generic idiom.
        $sequence_2 = { 83fa7a 7f0b 0fb74508 83e820 66894508 }
            // n = 5, score = 2100
            //   83fa7a               | cmp                 edx, 0x7a
            //   7f0b                 | jg                  0xd
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83e820               | sub                 eax, 0x20
            //   66894508             | mov                 word ptr [ebp + 8], ax

        // Standard frame prologue followed by a null check of the first
        // argument; the 0x18 frame size is what pins it to this sample.
        $sequence_3 = { 55 8bec 83ec18 837d0800 7438 6a18 }
            // n = 6, score = 2100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7438                 | je                  0x3a
            //   6a18                 | push                0x18

        $sequence_4 = { 52 e8???????? 83c408 03450c 8945fc eb06 }
            // n = 6, score = 2100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   03450c               | add                 eax, dword ptr [ebp + 0xc]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   eb06                 | jmp                 8

        $sequence_5 = { 8b5018 52 e8???????? 8b4028 }
            // n = 4, score = 2100
            //   8b5018               | mov                 edx, dword ptr [eax + 0x18]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]

        $sequence_6 = { 6a00 8d45e4 50 e8???????? 8b482c }
            // n = 5, score = 2100
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b482c               | mov                 ecx, dword ptr [eax + 0x2c]

        $sequence_7 = { 83ec18 53 8b450c 50 }
            // n = 4, score = 2100
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax

        $sequence_8 = { 6a00 8b4508 50 6aff e8???????? 8b4818 }
            // n = 6, score = 2100
            //   6a00                 | push                0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   6aff                 | push                -1
            //   e8????????           |                     
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]

        $sequence_9 = { 8d4df4 51 8d55dc 52 8b450c }
            // n = 5, score = 2100
            //   8d4df4               | lea                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   8d55dc               | lea                 edx, dword ptr [ebp - 0x24]
            //   52                   | push                edx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be under 417792 bytes. The size bound means a sample
        // embedded in a larger container (installer, archive, full memory
        // image) will not fire; per the YARA documentation `filesize` is only
        // defined when scanning files, so the rule does not match when
        // scanning a running process — dump the region to a file first.
        7 of them and filesize < 417792
}