SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cryptowall (Back to overview)

Cryptowall

VTCollection    

CryptoWall is a ransomware, is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware and uses a Trojan horse to deliver the malicious payload.

References
2020-11-23Medium ryancorRyan Cornateanu
Genetic Analysis of CryptoWall Ransomware
Cryptowall
2020-08-01Temple UniversityCARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
Yara Rules
[TLP:WHITE] win_cryptowall_auto (20230808 | Detects win.cryptowall.)
rule win_cryptowall_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cryptowall."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c0 7504 33c0 eb21 0fb74d08 83f961 }
            // n = 6, score = 2100
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb21                 | jmp                 0x23
            //   0fb74d08             | movzx               ecx, word ptr [ebp + 8]
            //   83f961               | cmp                 ecx, 0x61

        $sequence_1 = { b979000000 66894de6 ba73000000 668955e8 }
            // n = 4, score = 2100
            //   b979000000           | mov                 ecx, 0x79
            //   66894de6             | mov                 word ptr [ebp - 0x1a], cx
            //   ba73000000           | mov                 edx, 0x73
            //   668955e8             | mov                 word ptr [ebp - 0x18], dx

        $sequence_2 = { e8???????? 83c408 8b0d???????? 898164010000 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   898164010000         | mov                 dword ptr [ecx + 0x164], eax

        $sequence_3 = { 55 8bec 51 837d0800 7441 837d0c00 }
            // n = 6, score = 2100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7441                 | je                  0x43
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0

        $sequence_4 = { 7d1f 6a09 6a00 e8???????? }
            // n = 4, score = 2100
            //   7d1f                 | jge                 0x21
            //   6a09                 | push                9
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_5 = { e8???????? 83c408 8b0d???????? 8901 68f2793618 }
            // n = 5, score = 2100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b0d????????         |                     
            //   8901                 | mov                 dword ptr [ecx], eax
            //   68f2793618           | push                0x183679f2

        $sequence_6 = { 8b4508 668910 8b4d08 83c102 894d08 eb02 eba1 }
            // n = 7, score = 2100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   668910               | mov                 word ptr [eax], dx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83c102               | add                 ecx, 2
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   eb02                 | jmp                 4
            //   eba1                 | jmp                 0xffffffa3

        $sequence_7 = { 668955e8 b874000000 668945ea b965000000 }
            // n = 4, score = 2100
            //   668955e8             | mov                 word ptr [ebp - 0x18], dx
            //   b874000000           | mov                 eax, 0x74
            //   668945ea             | mov                 word ptr [ebp - 0x16], ax
            //   b965000000           | mov                 ecx, 0x65

        $sequence_8 = { 7511 6aff 8b4508 50 }
            // n = 4, score = 2100
            //   7511                 | jne                 0x13
            //   6aff                 | push                -1
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax

        $sequence_9 = { 6a00 6a00 6a40 6a01 6a01 6880000000 }
            // n = 6, score = 2100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a40                 | push                0x40
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   6880000000           | push                0x80

    condition:
        7 of them and filesize < 417792
}
Download all Yara Rules