win.cryptowall

Cryptowall


There is no description at this point.

References
2020-11-23 — Medium (ryancor) — Ryan Cornateanu
@online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08 — Temple University — CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20220808 | Detects win.cryptowall.)
// Auto-generated (yara-signator) code-pattern signature for win.cryptowall.
// Matching model: ten short 32-bit x86 instruction-byte sequences lifted from
// the disassembly of unpacked / memory-dumped samples; the rule fires when at
// least 7 of the 10 are present AND the scanned object is smaller than
// 417792 bytes (see the condition). Bytes written as "??" are wildcards,
// used where the generator blanked the disassembly — presumably call targets
// and absolute data references that differ between builds and load addresses
// (cf. signator_config "callsandjumps;datarefs;binvalue").
// NOTE(review): per the disclaimer below, only a single sample per family may
// have been documented, so treat a hit as a strong triage lead rather than a
// standalone verdict, and pair it with other telemetry before acting on it.
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.cryptowall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Null-check of the first stack argument, then argument set-up
        // (push 8 / push 0 / push &local) for a call that is not captured.
        $sequence_0 = { 837d0800 7502 eb4f 6a08 6a00 8d45f8 50 }
            // n = 7, score = 2100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7502                 | jne                 4
            //   eb4f                 | jmp                 0x51
            //   6a08                 | push                8
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        // Byte-wise stack-string construction: the immediates are ASCII
        // 0x7c '|', 0x25 '%', 0x73 's', 0x7d '}' (i.e. the text "|%s}"),
        // written one byte at a time into consecutive locals. This idiom keeps
        // the literal out of the binary's string table, which is why a
        // code-pattern rule is needed here rather than a plain text string.
        $sequence_1 = { c645ee7c c645ef25 c645f073 c645f17d }
            // n = 4, score = 2100
            //   c645ee7c             | mov                 byte ptr [ebp - 0x12], 0x7c
            //   c645ef25             | mov                 byte ptr [ebp - 0x11], 0x25
            //   c645f073             | mov                 byte ptr [ebp - 0x10], 0x73
            //   c645f17d             | mov                 byte ptr [ebp - 0xf], 0x7d

        // Stores a call result into a field at offset 0x40 of an object whose
        // address is read from a global; both the call target (e8 ????????)
        // and the global's address (8b0d ????????) are wildcarded.
        $sequence_2 = { 52 e8???????? 83c408 8b0d???????? 894140 }
            // n = 5, score = 2100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   894140               | mov                 dword ptr [ecx + 0x40], eax

        // Same "|%s}" stack-string as $sequence_1 at a slightly different
        // frame offset, followed by the terminating 0 byte and a null-check
        // of the third stack argument ([ebp + 0x10]).
        $sequence_3 = { c645f125 c645f273 c645f37d c645f400 837d1000 }
            // n = 5, score = 2100
            //   c645f125             | mov                 byte ptr [ebp - 0xf], 0x25
            //   c645f273             | mov                 byte ptr [ebp - 0xe], 0x73
            //   c645f37d             | mov                 byte ptr [ebp - 0xd], 0x7d
            //   c645f400             | mov                 byte ptr [ebp - 0xc], 0
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        // Zero-extends a 16-bit argument and compares it against 0x61 ('a')
        // with a signed jump-if-less; looks like a character-range test on a
        // wide character — TODO confirm against the sample.
        $sequence_4 = { 33c0 eb21 0fb74d08 83f961 7c14 }
            // n = 5, score = 2100
            //   33c0                 | xor                 eax, eax
            //   eb21                 | jmp                 0x23
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]
            //   83f961               | cmp                 ecx, 0x61
            //   7c14                 | jl                  0x16

        // Function prologue (push ebp / mov ebp, esp / push ecx) followed by
        // null-checks of the first two stack arguments.
        $sequence_5 = { 55 8bec 51 837d0800 7441 837d0c00 }
            // n = 6, score = 2100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7441                 | je                  0x43
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        // Two-argument call (9, 0) with a wildcarded target; the result is
        // kept in esi and advanced by 0x30 (pointer/offset arithmetic on the
        // returned value).
        $sequence_6 = { 7d2b 6a09 6a00 e8???????? 83c408 8bf0 83c630 }
            // n = 7, score = 2100
            //   7d2b                 | jge                 0x2d
            //   6a09                 | push                9
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   83c630               | add                 esi, 0x30

        // Loop tail: sets eax = 1, tests it and jumps backwards (negative
        // rel8, 0xffffff9b) — always-taken in this fragment.
        $sequence_7 = { eb09 b801000000 85c0 7599 }
            // n = 4, score = 2100
            //   eb09                 | jmp                 0xb
            //   b801000000           | mov                 eax, 1
            //   85c0                 | test                eax, eax
            //   7599                 | jne                 0xffffff9b

        // Prologue fragment: reserves 0x18 bytes of locals, saves ebx and
        // pushes the second stack argument for a following call.
        $sequence_8 = { 83ec18 53 8b450c 50 }
            // n = 4, score = 2100
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax

        // Three-argument call (0x2b0b47a5, 1, 0) with a wildcarded target,
        // then a read of a wildcarded global into edx. The 32-bit immediate
        // 0x2b0b47a5 is the most distinctive token in this rule; its meaning
        // is not documented on this page.
        $sequence_9 = { 68a5470b2b 6a01 6a00 e8???????? 83c40c 8b15???????? }
            // n = 6, score = 2100
            //   68a5470b2b           | push                0x2b0b47a5
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b15????????         |                     

    condition:
        // At least 7 of the 10 sequences above must match. The size bound
        // (417792 bytes = 408 KiB) restricts the rule to small objects; a
        // larger container (packed/padded sample, installer, or a whole
        // process image) will not match even if all sequences are present,
        // so scan unpacked payloads or memory regions rather than the outer
        // file when in doubt.
        7 of them and filesize < 417792
}