SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptowall (Back to overview)

Cryptowall

There is no description at this point.

References
2020-11-23Medium ryancorRyan Cornateanu
@online{cornateanu:20201123:genetic:cd446d2, author = {Ryan Cornateanu}, title = {{Genetic Analysis of CryptoWall Ransomware}}, date = {2020-11-23}, organization = {Medium ryancor}, url = {https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f}, language = {English}, urldate = {2020-12-03} } Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20220411 | Detects win.cryptowall.)
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cryptowall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 6804010000 e8???????? 83c404 }
            // n = 5, score = 2100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 668955e4 b873000000 668945e6 b974000000 66894de8 ba65000000 668955ea }
            // n = 7, score = 2100
            //   668955e4             | mov                 word ptr [ebp - 0x1c], dx
            //   b873000000           | mov                 eax, 0x73
            //   668945e6             | mov                 word ptr [ebp - 0x1a], ax
            //   b974000000           | mov                 ecx, 0x74
            //   66894de8             | mov                 word ptr [ebp - 0x18], cx
            //   ba65000000           | mov                 edx, 0x65
            //   668955ea             | mov                 word ptr [ebp - 0x16], dx

        $sequence_2 = { 8b4d10 8d540902 52 8b450c 50 8b4d08 51 }
            // n = 7, score = 2100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8d540902             | lea                 edx, dword ptr [ecx + ecx + 2]
            //   52                   | push                edx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx

        $sequence_3 = { e8???????? 83c408 8b0d???????? 898154010000 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   898154010000         | mov                 dword ptr [ecx + 0x154], eax

        $sequence_4 = { 83fa5a 7f0b 0fb74508 83c020 66894508 }
            // n = 5, score = 2100
            //   83fa5a               | cmp                 edx, 0x5a
            //   7f0b                 | jg                  0xd
            //   0fb74508             | movzx               eax, word ptr [ebp + 8]
            //   83c020               | add                 eax, 0x20
            //   66894508             | mov                 word ptr [ebp + 8], ax

        $sequence_5 = { 837d0800 7441 837d0c00 743b c745fc00000000 eb09 8b45fc }
            // n = 7, score = 2100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7441                 | je                  0x43
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   743b                 | je                  0x3d
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb09                 | jmp                 0xb
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { 8b08 894d08 eb09 8b5508 83c202 895508 8b4508 }
            // n = 7, score = 2100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   eb09                 | jmp                 0xb
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c202               | add                 edx, 2
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_7 = { 8b4510 50 e8???????? 83c404 8945f8 8b4d0c }
            // n = 6, score = 2100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_8 = { 837d1400 7425 837d1000 741f }
            // n = 4, score = 2100
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   7425                 | je                  0x27
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   741f                 | je                  0x21

        $sequence_9 = { eb72 8b4508 50 e8???????? 83c404 }
            // n = 5, score = 2100
            //   eb72                 | jmp                 0x74
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules