win.cryptowall (Back to overview)

Cryptowall


There is no description at this point.

References
2020-08 · Temple University · CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29 · ESET Research · welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cryptowall_auto {

    /* Detection rule for the Cryptowall ransomware family, generated by
     * YARA-Signator (see DISCLAIMER below). Each $sequence_N string is a run
     * of 32-bit x86 machine-code bytes taken from the reference sample(s);
     * the `??` wildcards mask bytes that vary per sample or after relocation
     * (they follow the `e8` call opcode and the `8b0d`/`8b15` absolute-address
     * mov forms in the listings below). In the per-string comments, `n` is the
     * number of instructions in the sequence and `score` is the generator's
     * ranking weight for it (identical, 2100, for all ten sequences here).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Six constant argument pushes (0, 0x40, 1, 1, 0, 0) followed by
        // taking the address of a stack local; the call they feed is not part
        // of the captured sequence.
        $sequence_0 = { 6a00 6a40 6a01 6a01 6a00 6a00 8d55e8 }
            // n = 7, score = 2100
            //   6a00                 | push                0
            //   6a40                 | push                0x40
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d55e8               | lea                 edx, [ebp - 0x18]

        // Call (target masked), stack cleanup of two cdecl arguments, then the
        // return value stored into a structure field at offset 4 of a global
        // pointer (address masked).
        $sequence_1 = { e8???????? 83c408 8b0d???????? 894104 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   894104               | mov                 dword ptr [ecx + 4], eax

        // Signed division by 0x1a (26) with the remainder offset by 0x61 ('a'):
        // maps a value onto a lowercase ASCII letter. Presumably part of a
        // random-string generation routine — confirm in the sample.
        $sequence_2 = { 99 b91a000000 f7f9 83c261 8b45f4 }
            // n = 5, score = 2100
            //   99                   | cdq                 
            //   b91a000000           | mov                 ecx, 0x1a
            //   f7f9                 | idiv                ecx
            //   83c261               | add                 edx, 0x61
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        // Null check on the first stack argument ([ebp + 8]) with a short
        // jump-over-jump idiom, then the start of another argument push list.
        $sequence_3 = { 837d0800 7502 eb4f 6a08 6a00 }
            // n = 5, score = 2100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7502                 | jne                 4
            //   eb4f                 | jmp                 0x51
            //   6a08                 | push                8
            //   6a00                 | push                0

        // Passes a structure field at offset 0x18 to a call (target masked)
        // and then reads the field at offset 0x28 of whatever eax now holds.
        $sequence_4 = { 8b5018 52 e8???????? 8b4028 }
            // n = 4, score = 2100
            //   8b5018               | mov                 edx, dword ptr [eax + 0x18]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]

        // Compares the first 16-bit word of a buffer with 0x5a4d ("MZ"): a
        // DOS/PE header magic check, likely used while locating or parsing a
        // PE image in memory.
        $sequence_5 = { 8945fc 8b4dfc 0fb711 81fa4d5a0000 740d }
            // n = 5, score = 2100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb711               | movzx               edx, word ptr [ecx]
            //   81fa4d5a0000         | cmp                 edx, 0x5a4d
            //   740d                 | je                  0xf

        // Boundary between two adjacent functions: the epilogue of one
        // (pop ebp; ret) immediately followed by the prologue of the next
        // (push ebp; mov ebp, esp; sub esp, 0xc) and zeroing of its first local.
        $sequence_6 = { 894834 5d c3 55 8bec 83ec0c c745fc00000000 }
            // n = 7, score = 2100
            //   894834               | mov                 dword ptr [eax + 0x34], ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec0c               | sub                 esp, 0xc
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        // Variant of the push list in $sequence_0 with an extra 0x80 argument;
        // again the consuming call lies outside the captured bytes.
        $sequence_7 = { 6a00 6a00 6a40 6a01 6a01 6880000000 6a00 }
            // n = 7, score = 2100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a40                 | push                0x40
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   6880000000           | push                0x80
            //   6a00                 | push                0

        // Three-argument call whose first argument is the 32-bit immediate
        // 0x2b0b47a5. The constant is sample-specific and its meaning cannot be
        // determined from the sequence alone (possibly a hash value) — verify
        // against the sample before relying on it.
        $sequence_8 = { 68a5470b2b 6a01 6a00 e8???????? 83c40c 8b15???????? }
            // n = 6, score = 2100
            //   68a5470b2b           | push                0x2b0b47a5
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b15????????         |                     

        // Passes the addresses of two stack locals ([ebp - 0xc], [ebp - 0x24])
        // as out-parameters, then loads the second stack argument.
        $sequence_9 = { 8d4df4 51 8d55dc 52 8b450c }
            // n = 5, score = 2100
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   52                   | push                edx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        // Any 7 of the 10 code sequences must be present, which tolerates
        // some drift between samples. The size cap (417792 bytes) is presumably
        // derived from the reference sample(s): scanned objects at or above it
        // never match regardless of sequence hits, so padded or bundled
        // variants and larger memory regions fall outside this rule. Measure
        // the false-positive rate before relaxing either clause.
        7 of them and filesize < 417792
}