SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crytox (Back to overview)

Crytox

VTCollection    

Ransomware.

References
2023-06-01K7 SecurityRahul R
Encrypted Chaos: Analysis of Crytox Ransomware
Crytox
2022-09-21ZscalerRomain Dumont
Technical Analysis of Crytox Ransomware
Crytox
Yara Rules
[TLP:WHITE] win_crytox_auto (20230808 | Detects win.crytox.)
rule win_crytox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.crytox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb7d 85f6 7479 c645c800 e8???????? 85c0 89c3 }
            // n = 7, score = 100
            //   eb7d                 | mov                 eax, dword ptr [eax + 0xc]
            //   85f6                 | mov                 dword ptr [esp], eax
            //   7479                 | mov                 eax, dword ptr [ebp - 0xc]
            //   c645c800             | mov                 eax, dword ptr [eax + 8]
            //   e8????????           |                     
            //   85c0                 | jmp                 0x9ab
            //   89c3                 | cmp                 dword ptr [ebp - 0x14], 0x5f

        $sequence_1 = { dfe9 0f86c2e3ffff 89442410 89c1 c1fa02 db442410 c1f902 }
            // n = 7, score = 100
            //   dfe9                 | fistp               dword ptr [ebp - 0xf8]
            //   0f86c2e3ffff         | fldcw               word ptr [ebp - 0xf2]
            //   89442410             | mov                 eax, dword ptr [ebp - 0xf8]
            //   89c1                 | mov                 dword ptr [ebx + 0x212ac], eax
            //   c1fa02               | fild                qword ptr [ebp - 0x188]
            //   db442410             | fstp                qword ptr [esp]
            //   c1f902               | lea                 eax, [ebp - 0x80]

        $sequence_2 = { e8???????? 8b4510 3b4518 741d 0fbf45c4 c1e002 89442408 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4510               | cmp                 byte ptr [esp + 0x28], 0
            //   3b4518               | mov                 dword ptr [ebx + 0x138], eax
            //   741d                 | mov                 eax, dword ptr [esp + 0x54]
            //   0fbf45c4             | mov                 dword ptr [ebx + 0x13c], eax
            //   c1e002               | mov                 eax, dword ptr [esp + 0x58]
            //   89442408             | mov                 eax, dword ptr [esp + 0x50]

        $sequence_3 = { e8???????? 89c3 8b45dc 85c0 0f84adfeffff 8d65f4 89d8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89c3                 | mov                 eax, dword ptr [ebp + 0x10]
            //   8b45dc               | mov                 dword ptr [esp + 8], esi
            //   85c0                 | mov                 dword ptr [esp + 4], edi
            //   0f84adfeffff         | mov                 dword ptr [esp], esi
            //   8d65f4               | mov                 edi, dword ptr [ebp - 0xa4]
            //   89d8                 | mov                 dword ptr [esp + 0xc], edi

        $sequence_4 = { eb02 d9c9 83c301 038d30ffffff 399d04ffffff 7f8e ddd9 }
            // n = 7, score = 100
            //   eb02                 | mov                 ebx, dword ptr [eax + 0xa8]
            //   d9c9                 | mov                 edi, eax
            //   83c301               | fxch                st(1)
            //   038d30ffffff         | cmp                 byte ptr [ebx + 0xc], 0
            //   399d04ffffff         | fucomip             st(1)
            //   7f8e                 | ja                  0x4f0
            //   ddd9                 | fld                 st(0)

        $sequence_5 = { f1 807de700 89d3 7510 6bc22c 80b84442660000 0f85ac000000 }
            // n = 7, score = 100
            //   f1                   | jmp                 0x77
            //   807de700             | add                 esi, edi
            //   89d3                 | inc                 edx
            //   7510                 | jmp                 0x71
            //   6bc22c               | fstp                st(0)
            //   80b84442660000       | fstp                st(0)
            //   0f85ac000000         | add                 esp, 0x24

        $sequence_6 = { c5c5fe3d???????? c5c572e70e c5fd7f9c24000b0000 c5e572e50e c5d572e60e c5fd7f9c24e0090000 c5ddfe15???????? }
            // n = 7, score = 100
            //   c5c5fe3d????????     |                     
            //   c5c572e70e           | vpsrad              ymm7, ymm7, 2
            //   c5fd7f9c24000b0000     | vpsrad    ymm6, ymm6, 2
            //   c5e572e50e           | vpackssdw           ymm7, ymm7, ymm6
            //   c5d572e60e           | vpsrad              ymm3, ymm3, 2
            //   c5fd7f9c24e0090000     | vpsrad    ymm2, ymm2, 2
            //   c5ddfe15????????     |                     

        $sequence_7 = { dee9 d95dc0 8b45e0 83c001 8d148500000000 8b4508 01d0 }
            // n = 7, score = 100
            //   dee9                 | mov                 edx, dword ptr [ebp - 0x20]
            //   d95dc0               | add                 edx, ecx
            //   8b45e0               | fld                 dword ptr [edx]
            //   83c001               | fsubrp              st(1)
            //   8d148500000000       | mov                 ecx, dword ptr [ebp - 0xe8]
            //   8b4508               | add                 ebx, 1
            //   01d0                 | fstp                dword ptr [ecx + eax*4]

        $sequence_8 = { e9???????? 8b7d24 8b4510 85ff c70000000000 742b 8b4508 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b7d24               | mov                 dword ptr [ebp - 0x48], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 8]
            //   85ff                 | mov                 eax, dword ptr [eax + 0x44]
            //   c70000000000         | mov                 edx, dword ptr [ebp - 0x30]
            //   742b                 | shl                 edx, 2
            //   8b4508               | mov                 eax, dword ptr [ebp - 0x3c]

        $sequence_9 = { dec9 d96c2424 db5c2420 d96c2426 8b742420 d9e8 dfe9 }
            // n = 7, score = 100
            //   dec9                 | cmp                 ecx, esi
            //   d96c2424             | faddp               st(5)
            //   db5c2420             | fmul                st(1), st(0)
            //   d96c2426             | fxch                st(1)
            //   8b742420             | faddp               st(2)
            //   d9e8                 | fmul                st(0)
            //   dfe9                 | faddp               st(2)

    condition:
        7 of them and filesize < 6156288
}
[TLP:WHITE] win_crytox_w0   (20220930 | Detect variants of Crytox Ransomware)
import "pe"
rule win_crytox_w0 {
  meta:
    description = "Detect variants of Crytox Ransomware"
    author = "Jake Goldi"
    date = "2022-09-29"
    packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67"
    hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d"
    hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047"
    hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa"
    source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara"
    
    version="1.0"
    phase = "experimental"
    url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
    malware = "Win64.Ransom.Crytox"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
    malpedia_rule_date = "20220930"
    malpedia_hash = ""
    malpedia_version = "20220930"
    malpedia_license = "CC BY-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    
    
  strings:
    $s1 = "utox" wide ascii nocase
    /*
        hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax ; unk_5F2520
        4C 8B E0                                mov     r12, rax
        
        48 8B C8                                mov     rcx, rax

        E8 DD 13 00 00                          call    sub_1402E940E
        48 C7 C1 C0 01 00 00                    mov     rcx, 448
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
 
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 A2 11 00 00                          call    sub_1402E91F5
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree 

        -------------   

        hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax
        
        90                                      nop
        50                                      push    rax
        59                                      pop     rcx
        
        E8 E2 13 00 00                          call    sub_1402E9413
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
        
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 A7 11 00 00                          call    sub_1402E91FA
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree

        ------------- 

        hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax
        48 8B C8                                mov     rcx, rax
        E8 61 12 00 00                          call    sub_1402E9292
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]
        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 26 10 00 00                          call    sub_1402E9079
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFre



    */

    $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } 
    $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 }
    $op3 = { 4C 8D 05 29 20 00 00 }
    $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 }

condition:
    uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*)))

}
Download all Yara Rules