win.crytox (Back to overview)

Crytox


Ransomware family targeting Windows (Malpedia identifier win.crytox). The references below are the public technical analyses from Zscaler (September 2022) and K7 Security (June 2023). Two detection rules are listed: an auto-generated YARA rule built from code sequences of what appears to be a 32-bit build, and a hand-written rule keyed on opcode patterns taken from 64-bit samples. Neither rule alone covers both architectures.

References
2023-06-01 · K7 Security · Rahul R
@online{r:20230601:encrypted:29af43c, author = {Rahul R}, title = {{Encrypted Chaos: Analysis of Crytox Ransomware}}, date = {2023-06-01}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/}, language = {English}, urldate = {2023-06-05} } Encrypted Chaos: Analysis of Crytox Ransomware
Crytox
2022-09-21 · Zscaler · Romain Dumont
@online{dumont:20220921:technical:3feb7d0, author = {Romain Dumont}, title = {{Technical Analysis of Crytox Ransomware}}, date = {2022-09-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware}, language = {English}, urldate = {2022-09-30} } Technical Analysis of Crytox Ransomware
Crytox
Yara Rules
[TLP:WHITE] win_crytox_auto (20230407 | Detects win.crytox.)
rule win_crytox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.crytox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Only the hex bytes inside the braces are matched; the "//" lines under
     *   each $sequence are documentation. The annotations originally shipped
     *   with this rule did not correspond to the bytes (e.g. c744240420000000
     *   was labelled "je 0x11c"); they have been re-derived by hand from the
     *   bytes below so that the rule can be reviewed against the real code.
     * - Every sequence uses 32-bit operands, [esp+N] stack-passed arguments
     *   and no REX prefixes, so this rule appears to target a 32-bit x86 build.
     *   The companion rule win_crytox_w0 on this page is built from 64-bit
     *   code; run both if you want to cover both architectures.
     * - Several sequences embed absolute addresses from one sample's image
     *   (0x696fd0, 0x6acd40, 0x6acd78, 0x682b62, 0x682d6f) or layout-dependent
     *   displacements (0x7c03c, 0x21310). A rebuild with a different layout
     *   will not match those sequences; "7 of them" out of 10 leaves only a
     *   little tolerance, so treat this as a sample-specific rule.
     * - "e8????????" wildcards the rel32 target of a call and nothing else.
     */

    strings:
        $sequence_0 = { c744240420000000 8944243c 053cc00700 8944242c 8b442440 8944240c 8b442444 }
            // n = 7, score = 100
            //   c744240420000000     | mov                 dword ptr [esp + 4], 0x20
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   053cc00700           | add                 eax, 0x7c03c
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]

        $sequence_1 = { e8???????? 035c2440 3b6c2454 75e3 83c42c 5b 5e }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (target wildcarded)
            //   035c2440             | add                 ebx, dword ptr [esp + 0x40]
            //   3b6c2454             | cmp                 ebp, dword ptr [esp + 0x54]
            //   75e3                 | jne                 short -0x1d (loop back)
            //   83c42c               | add                 esp, 0x2c
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_2 = { c744241001000000 8b442410 8b3c24 8b742414 0fb688d06f6900 8d44ad00 c646060b }
            // n = 7, score = 100
            //   c744241001000000     | mov                 dword ptr [esp + 0x10], 1
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b3c24               | mov                 edi, dword ptr [esp]
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   0fb688d06f6900       | movzx               ecx, byte ptr [eax + 0x696fd0]  (absolute address)
            //   8d44ad00             | lea                 eax, [ebp + ebp*4]
            //   c646060b             | mov                 byte ptr [esi + 6], 0xb

        $sequence_3 = { eb01 90 837d0800 751e c744240856000000 c744240440cd6a00 c7042478cd6a00 }
            // n = 7, score = 100
            //   eb01                 | jmp                 short +1 (skips the nop below)
            //   90                   | nop
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   751e                 | jne                 short +0x1e
            //   c744240856000000     | mov                 dword ptr [esp + 8], 0x56
            //   c744240440cd6a00     | mov                 dword ptr [esp + 4], 0x6acd40  (absolute address)
            //   c7042478cd6a00       | mov                 dword ptr [esp], 0x6acd78      (absolute address)

        $sequence_4 = { eb19 e8???????? 83f806 7e14 c7442404622b6800 c704246f2d6800 e8???????? }
            // n = 7, score = 100
            //   eb19                 | jmp                 short +0x19
            //   e8????????           | call                rel32 (target wildcarded)
            //   83f806               | cmp                 eax, 6
            //   7e14                 | jle                 short +0x14
            //   c7442404622b6800     | mov                 dword ptr [esp + 4], 0x682b62  (absolute address)
            //   c704246f2d6800       | mov                 dword ptr [esp], 0x682d6f      (absolute address)
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_5 = { ff10 0fbf5c2428 0fbf0f 0fbf74242c 89442430 894c2424 89c8 }
            // n = 7, score = 100
            //   ff10                 | call                dword ptr [eax]
            //   0fbf5c2428           | movsx               ebx, word ptr [esp + 0x28]
            //   0fbf0f               | movsx               ecx, word ptr [edi]
            //   0fbf74242c           | movsx               esi, word ptr [esp + 0x2c]
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   89c8                 | mov                 eax, ecx

        $sequence_6 = { dddb ddd8 d9c9 eb08 dddb ddd8 d9c9 }
            // n = 7, score = 100
            //   (x87 stack cleanup repeated on both sides of a short jump)
            //   dddb                 | fstp                st(3)
            //   ddd8                 | fstp                st(0)
            //   d9c9                 | fxch                st(1)
            //   eb08                 | jmp                 short +8
            //   dddb                 | fstp                st(3)
            //   ddd8                 | fstp                st(0)
            //   d9c9                 | fxch                st(1)

        $sequence_7 = { eb03 83c137 8848fe 8a0a 83e10f 8d7937 8d5930 }
            // n = 7, score = 100
            //   (0x30 = '0' and 0x37 = 'A' - 10: presumably a nibble-to-hex-ASCII
            //    conversion loop, e.g. for rendering an ID or key as hex -- not confirmed)
            //   eb03                 | jmp                 short +3
            //   83c137               | add                 ecx, 0x37
            //   8848fe               | mov                 byte ptr [eax - 2], cl
            //   8a0a                 | mov                 cl, byte ptr [edx]
            //   83e10f               | and                 ecx, 0xf
            //   8d7937               | lea                 edi, [ecx + 0x37]
            //   8d5930               | lea                 ebx, [ecx + 0x30]

        $sequence_8 = { e8???????? 2b4330 1b5334 83fa00 0f8794010000 3df3010000 0f8789010000 }
            // n = 7, score = 100
            //   (64-bit sub/sbb pair followed by an unsigned compare against 0x1f3)
            //   e8????????           | call                rel32 (target wildcarded)
            //   2b4330               | sub                 eax, dword ptr [ebx + 0x30]
            //   1b5334               | sbb                 edx, dword ptr [ebx + 0x34]
            //   83fa00               | cmp                 edx, 0
            //   0f8794010000         | ja                  near +0x194
            //   3df3010000           | cmp                 eax, 0x1f3
            //   0f8789010000         | ja                  near +0x189

        $sequence_9 = { f7ea 8b8510130200 29ca 89442440 89f0 89d1 99 }
            // n = 7, score = 100
            //   f7ea                 | imul                edx               (edx:eax = eax * edx)
            //   8b8510130200         | mov                 eax, dword ptr [ebp + 0x21310]
            //   29ca                 | sub                 edx, ecx
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   89f0                 | mov                 eax, esi
            //   89d1                 | mov                 ecx, edx
            //   99                   | cdq

    condition:
        // 7 of the 10 sequences; 6156288 bytes is just under 6 MiB.
        7 of them and filesize < 6156288
}
[TLP:WHITE] win_crytox_w0   (20220930 | Detect variants of Crytox Ransomware)
import "pe"
rule win_crytox_w0 {
  meta:
    description = "Detect variants of Crytox Ransomware"
    author = "Jake Goldi"
    date = "2022-09-29"
    packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67"
    hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d"
    hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047"
    hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa"
    source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara"

    version="1.0"
    phase = "experimental"
    url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
    malware = "Win64.Ransom.Crytox"

    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
    malpedia_rule_date = "20220930"
    malpedia_hash = ""
    malpedia_version = "20220930"
    malpedia_license = "CC BY-SA 4.4"
    malpedia_sharing = "TLP:WHITE"


  /* REVIEW NOTES
   * - $op1..$op4 are x86-64 code (REX prefixes 48/49/4C, r12, arguments set
   *   up in rcx/rdx/r8/r9), matching malware = "Win64...". The auto-generated
   *   win_crytox_auto rule on this page is built from 32-bit code, so the two
   *   rules complement rather than duplicate each other.
   * - $op1, $op3 and $op4 pin RIP-relative displacements
   *   (call [rip+0x22C9], lea r8,[rip+0x2029], call [rip+0x2290]). These
   *   encode the distance from the instruction to the IAT slot or data object
   *   in the three listed builds; a relinked build with a different section
   *   layout changes them even if the code is otherwise identical. Expect to
   *   re-tune these patterns for new compiles rather than to generalise.
   * - The bytes between $op1 and $op2 (mov rcx,rax in hashes 2 and 4 versus
   *   nop / push rax / pop rcx in hash 3) differ per sample and are
   *   deliberately not part of any pattern.
   * - The "pe" module is imported at file level but not referenced here; the
   *   only header check is the MZ magic. "pe.machine == pe.MACHINE_AMD64"
   *   would tighten the rule to 64-bit PEs, but it would also stop matching
   *   dumps with an MZ stub whose headers the pe module cannot parse, so the
   *   condition is left unchanged.
   */

  strings:
    // Four characters, case-insensitive, ascii and wide: not discriminating on
    // its own, so the condition ANDs it with all four opcode patterns.
    $s1 = "utox" wide ascii nocase
    /*
        Listing the $op patterns were cut from (IDA-style, one block per sample).

        hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc          ; $op1 starts
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax ; unk_5F2520
        4C 8B E0                                mov     r12, rax                ; $op1 ends

        48 8B C8                                mov     rcx, rax                ; varies per sample, not matched

        E8 DD 13 00 00                          call    sub_1402E940E           ; $op2 starts (low rel32 bytes wildcarded)
        48 C7 C1 C0 01 00 00                    mov     rcx, 448                ; 448 == 1C0h, same as hashes 3 and 4
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]         ; $op2 ends

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070       ; $op3

        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]       ; $op4 starts
        E8 A2 11 00 00                          call    sub_1402E91F5
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree           ; $op4 ends

        -------------

        hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax

        90                                      nop                             ; differs from hash 2 (not matched)
        50                                      push    rax
        59                                      pop     rcx

        E8 E2 13 00 00                          call    sub_1402E9413
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]

        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070

        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 A7 11 00 00                          call    sub_1402E91FA
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree

        -------------

        hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa

        FF 15 C9 22 00 00                       call    cs:GlobalAlloc
        48 89 85 58 FF FF FF                    mov     [rbp+hMem], rax
        4C 8B E0                                mov     r12, rax
        48 8B C8                                mov     rcx, rax
        E8 61 12 00 00                          call    sub_1402E9292
        48 C7 C1 C0 01 00 00                    mov     rcx, 1C0h
        49 8D 94 24 08 04 00 00                 lea     rdx, [r12+408h]
        4C 8D 05 29 20 00 00                    lea     r8, unk_1402EA070
        4C 8D 8D A4 FD FF FF                    lea     r9, [rbp+var_25C]
        E8 26 10 00 00                          call    sub_1402E9079
        48 8B 8D 58 FF FF FF                    mov     rcx, [rbp+hMem] ; hMem
        FF 15 90 22 00 00                       call    cs:GlobalFree

    */

    // call [rip+0x22C9] (GlobalAlloc via IAT); mov [rbp-0xA8], rax; mov r12, rax
    $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 }
    // call rel32 with the low two bytes wildcarded (13DD / 13E2 / 1261 in the
    // listing); mov rcx, 0x1C0; lea rdx, [r12+0x408]
    $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 }
    // lea r8, [rip+0x2029] -- layout-dependent displacement, see review notes
    $op3 = { 4C 8D 05 29 20 00 00 }
    // lea r9, [rbp-0x25C]; call rel32 where the nibble wildcard "1?" admits
    // 0x10xx..0x1Fxx (0x11A2, 0x11A7, 0x1026 in the listing);
    // mov rcx, [rbp-0xA8]; call [rip+0x2290] (GlobalFree via IAT)
    $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 }

condition:
    // MZ magic at offset 0, size cap, then the string AND every opcode pattern.
    uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*)))

}