Crytox (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.crytox (Back to overview)

Crytox

VTCollection

Ransomware.

References

2023-06-01 ⋅ K7 Security ⋅ Rahul R
Encrypted Chaos: Analysis of Crytox Ransomware
Crytox

2022-09-21 ⋅ Zscaler ⋅ Romain Dumont
Technical Analysis of Crytox Ransomware
Crytox

Yara Rules

[TLP:WHITE] win_crytox_auto (20241030 | Detects win.crytox.)

rule win_crytox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.crytox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 0f8483000000 c744240402a00000 891c24 e8???????? 895c2430 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                al, al
            //   0f8483000000         | je                  0xafd
            //   c744240402a00000     | cmp                 ebx, 0x668ae0
            //   891c24               | jne                 0xb32
            //   e8????????           |                     
            //   895c2430             | jmp                 0xb2d

        $sequence_1 = { c1ff1f 31f8 29f8 8d3402 0fb601 0fb613 29c2 }
            // n = 7, score = 100
            //   c1ff1f               | mov                 edx, edi
            //   31f8                 | movzx               edi, di
            //   29f8                 | sar                 edi, 0x10
            //   8d3402               | add                 eax, edi
            //   0fb601               | mov                 edi, dword ptr [ebp - 0x64]
            //   0fb613               | add                 eax, edx
            //   29c2                 | mov                 edx, dword ptr [ecx - 0x10]

        $sequence_2 = { d90481 8b442460 c744240801000000 d9ee 890424 dfe9 ddd8 }
            // n = 7, score = 100
            //   d90481               | fld                 dword ptr [ebp + eax*4]
            //   8b442460             | fmul                dword ptr [ebx + eax*4 + 4]
            //   c744240801000000     | add                 eax, 1
            //   d9ee                 | fld                 dword ptr [ebx]
            //   890424               | jle                 0x156
            //   dfe9                 | xor                 eax, eax
            //   ddd8                 | nop                 

        $sequence_3 = { f7d0 31f6 c1e206 01d0 80bd7ffeffff00 7419 8bb5f8feffff }
            // n = 7, score = 100
            //   f7d0                 | mul                 dword ptr [esp + 0x90]
            //   31f6                 | add                 eax, ebx
            //   c1e206               | mov                 ebx, dword ptr [esp + 0x88]
            //   01d0                 | adc                 edx, esi
            //   80bd7ffeffff00       | mov                 esi, eax
            //   7419                 | mov                 eax, dword ptr [esp + 0x14]
            //   8bb5f8feffff         | mov                 edi, edx

        $sequence_4 = { e8???????? 8b4c2440 3c3f 880419 76e4 8b15???????? c644242c01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4c2440             | mov                 dword ptr [esp], eax
            //   3c3f                 | mov                 eax, dword ptr [ebp - 0x10]
            //   880419               | mov                 eax, dword ptr [ebp - 0x10]
            //   76e4                 | lea                 edx, [eax*4]
            //   8b15????????         |                     
            //   c644242c01           | mov                 eax, dword ptr [ebp + 8]

        $sequence_5 = { c5fd7f9c2440060000 c5fd7fac24a0050000 c5c5fe9c2460050000 c5c5feec c5fd7f9c2480050000 c5c5fe942400050000 c5c5fea42440070000 }
            // n = 7, score = 100
            //   c5fd7f9c2440060000     | vmovdqa    ymmword ptr [esp + 0xd00], ymm3
            //   c5fd7fac24a0050000     | vmovdqa    ymm3, ymmword ptr [esp + 0xc80]
            //   c5c5fe9c2460050000     | vpsrad    ymm3, ymm3, 0xe
            //   c5c5feec             | vmovdqa             ymmword ptr [esp + 0xce0], ymm3
            //   c5fd7f9c2480050000     | vmovdqa    ymmword ptr [esp + 0x1220], ymm3
            //   c5c5fe942400050000     | vmovdqa    ymmword ptr [esp + 0x1060], ymm6
            //   c5c5fea42440070000     | vmovdqa    ymm6, ymmword ptr [esp + 0xcc0]

        $sequence_6 = { e8???????? 0fb68520faffff 8844242c 83e07f 3c02 0f84c9020000 8b8528faffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb68520faffff       | add                 esp, 0x2c
            //   8844242c             | pop                 ebx
            //   83e07f               | pop                 esi
            //   3c02                 | add                 ebx, dword ptr [ebp + 8]
            //   0f84c9020000         | test                eax, eax
            //   8b8528faffff         | je                  0x170

        $sequence_7 = { e9???????? 0fb68fe06f6900 89d8 29c8 d3e7 d3e2 89854c3d0000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   0fb68fe06f6900       | mov                 dword ptr [esp], edi
            //   89d8                 | mov                 dword ptr [esp + 4], 0xa003
            //   29c8                 | mov                 dword ptr [esp + 0x40], edi
            //   d3e7                 | add                 esp, 0x2c
            //   d3e2                 | jmp                 0x1e5
            //   89854c3d0000         | mov                 eax, dword ptr [ebx + 4]

        $sequence_8 = { d905???????? d94508 d9c9 dfe9 ddd8 7207 b80080ffff }
            // n = 7, score = 100
            //   d905????????         |                     
            //   d94508               | mov                 dword ptr [esi + ebp*4], eax
            //   d9c9                 | add                 ebp, 1
            //   dfe9                 | cmp                 ebx, ebp
            //   ddd8                 | fmul                dword ptr [eax + esi*4]
            //   7207                 | fxch                st(1)
            //   b80080ffff           | fucomi              st(1)

        $sequence_9 = { e9???????? 8b4508 8b4044 8b55c8 c1e202 01d0 8b00 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4508               | mov                 dword ptr [esp + 0x14], edx
            //   8b4044               | mov                 edx, dword ptr [esp + 0x14]
            //   8b55c8               | mov                 eax, dword ptr [ebx + 0x14]
            //   c1e202               | mov                 dword ptr [esp], eax
            //   01d0                 | mov                 edi, dword ptr [ebx + 0x38]
            //   8b00                 | test                edi, edi

    condition:
        7 of them and filesize < 6156288
}

[TLP:WHITE] win_crytox_w0 (20220930 | Detect variants of Crytox Ransomware)

import "pe"
rule win_crytox_w0 {
  meta:
    description = "Detect variants of Crytox Ransomware"
    author = "Jake Goldi"
    date = "2022-09-29"
    packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67"
    hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d"
    hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047"
    hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa"
    source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara"
    
    version="1.0"
    phase = "experimental"
    url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
    malware = "Win64.Ransom.Crytox"
    
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
    malpedia_rule_date = "20220930"
    malpedia_hash = ""
    malpedia_version = "20220930"
    malpedia_license = "CC BY-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    
    
  strings:
    $s1 = "utox" wide ascii nocase
    /*
        hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax ; unk_5F2520
        4C 8B E0                                mov     r12, rax
        
        48 8B C8                                mov     rcx, rax

        E8 DD 13 00 00                          call    sub_1402E940E
        48 C7 C1 C0 01 00 00                    mov     rcx, 448
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
 
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 A2 11 00 00                          call    sub_1402E91F5
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree 

        -------------   

        hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax
        
        90                                      nop
        50                                      push    rax
        59                                      pop     rcx
        
        E8 E2 13 00 00                          call    sub_1402E9413
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
        
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 A7 11 00 00                          call    sub_1402E91FA
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree

        ------------- 

        hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax
        48 8B C8                                mov     rcx, rax
        E8 61 12 00 00                          call    sub_1402E9292
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]
        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 26 10 00 00                          call    sub_1402E9079
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFre



    */

    $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } 
    $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 }
    $op3 = { 4C 8D 05 29 20 00 00 }
    $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 }

condition:
    uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*)))

}

Download all Yara Rules

Crytox Propose Change

References

Yara Rules

Crytox