Ransomware.
rule win_crytox_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.crytox." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c744240420000000 8944243c 053cc00700 8944242c 8b442440 8944240c 8b442444 } // n = 7, score = 100 // c744240420000000 | je 0x11c // 8944243c | imul edx, dword ptr [eax + 4], 0xa // 053cc00700 | mov dword ptr [esp + 4], 8 // 8944242c | mov dword ptr [esp], eax // 8b442440 | mov eax, dword ptr [esp + 0x28] // 8944240c | mov edx, dword ptr [esp + 0x2c] // 8b442444 | add esp, 0x38 $sequence_1 = { e8???????? 035c2440 3b6c2454 75e3 83c42c 5b 5e } // n = 7, score = 100 // e8???????? | // 035c2440 | fucomip st(1) // 3b6c2454 | fstp st(0) // 75e3 | ja 0x1d52 // 83c42c | fld qword ptr [esp + 0x48] // 5b | fxch st(1) // 5e | fucomip st(1) $sequence_2 = { c744241001000000 8b442410 8b3c24 8b742414 0fb688d06f6900 8d44ad00 c646060b } // n = 7, score = 100 // c744241001000000 | mov byte ptr [esp + 0x49], al // 8b442410 | mov eax, dword ptr [esp + 0x2c] // 8b3c24 | mov dword ptr [esp + 0xc], 0x181 // 8b742414 | mov eax, dword ptr [esp + 0x30] // 0fb688d06f6900 | mov dword ptr [esp + 8], 0x683924 // 8d44ad00 | mov dword ptr [esp + 4], 4 // c646060b | mov dword ptr [esp], eax $sequence_3 = { eb01 90 837d0800 751e c744240856000000 c744240440cd6a00 c7042478cd6a00 } // n = 7, score = 100 // eb01 | je 0x422 // 90 | xor ecx, ecx // 837d0800 | xor ecx, ecx // 751e | mov dword ptr [ebx + 0x23d30], 2 // c744240856000000 | mov dword ptr [ebx + 0x23d2c], 1 // c744240440cd6a00 | xor ecx, ecx // c7042478cd6a00 | test eax, eax $sequence_4 = { eb19 e8???????? 83f806 7e14 c7442404622b6800 c704246f2d6800 e8???????? } // n = 7, score = 100 // eb19 | fstp st(0) // e8???????? | // 83f806 | add esp, 0xa0 // 7e14 | jmp 0x338 // c7442404622b6800 | fstp st(0) // c704246f2d6800 | fstp st(0) // e8???????? | $sequence_5 = { ff10 0fbf5c2428 0fbf0f 0fbf74242c 89442430 894c2424 89c8 } // n = 7, score = 100 // ff10 | test edx, edx // 0fbf5c2428 | jne 0xf9 // 0fbf0f | mov dword ptr [esp + 0x48], 0x120e // 0fbf74242c | shl ebx, 3 // 89442430 | xor edx, edx // 894c2424 | div ebx // 89c8 | test edx, edx $sequence_6 = { dddb ddd8 d9c9 eb08 dddb ddd8 d9c9 } // n = 7, score = 100 // dddb | fld st(0) // ddd8 | fxch st(2) // d9c9 | fst dword ptr [esp + 0x28] // eb08 | fxch st(1) // dddb | fstp st(1) // ddd8 | fld st(0) // d9c9 | fstp dword ptr [esp + 0x18] $sequence_7 = { eb03 83c137 8848fe 8a0a 83e10f 8d7937 8d5930 } // n = 7, score = 100 // eb03 | jle 0x679 // 83c137 | mov eax, dword ptr [ebp - 0x44] // 8848fe | mov dword ptr [esp + 4], 0x66cdd7 // 8a0a | mov dword ptr [esp], 0x66d003 // 83e10f | mov dword ptr [esp + 8], eax // 8d7937 | dec eax // 8d5930 | jle 0x693 $sequence_8 = { e8???????? 2b4330 1b5334 83fa00 0f8794010000 3df3010000 0f8789010000 } // n = 7, score = 100 // e8???????? | // 2b4330 | movzx eax, word ptr [ebp - 0x1c] // 1b5334 | mov dword ptr [ebp + 0x10], edi // 83fa00 | mov dword ptr [ebp + 8], ebx // 0f8794010000 | mov dword ptr [ebp + 0x1c], 0 // 3df3010000 | mov dword ptr [ebp + 0xc], 1 // 0f8789010000 | movzx esi, word ptr [ebp - 0x1c] $sequence_9 = { f7ea 8b8510130200 29ca 89442440 89f0 89d1 99 } // n = 7, score = 100 // f7ea | mov eax, dword ptr [esp + 0x18] // 8b8510130200 | mul ecx // 29ca | add edx, ebx // 89442440 | mov ebx, esi // 89f0 | mov esi, edi // 89d1 | add ebx, eax // 99 | mov edi, dword ptr [esp + 0xf0] condition: 7 of them and filesize < 6156288 }
import "pe" rule win_crytox_w0 { meta: description = "Detect variants of Crytox Ransomware" author = "Jake Goldi" date = "2022-09-29" packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67" hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d" hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047" hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa" source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara" version="1.0" phase = "experimental" url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" malware = "Win64.Ransom.Crytox" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20220930" malpedia_hash = "" malpedia_version = "20220930" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "utox" wide ascii nocase /* hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax ; unk_5F2520 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 DD 13 00 00 call sub_1402E940E 48 C7 C1 C0 01 00 00 mov rcx, 448 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A2 11 00 00 call sub_1402E91F5 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047 FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 90 nop 50 push rax 59 pop rcx E8 E2 13 00 00 call sub_1402E9413 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A7 11 00 00 call sub_1402E91FA 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 61 12 00 00 call sub_1402E9292 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 26 10 00 00 call sub_1402E9079 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFre */ $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 } $op3 = { 4C 8D 05 29 20 00 00 } $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*))) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY