Ransomware.
rule win_crytox_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2024-10-31" version = "1" description = "Detects win.crytox." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20241030" malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" malpedia_version = "20241030" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 85c0 0f8483000000 c744240402a00000 891c24 e8???????? 895c2430 } // n = 7, score = 100 // e8???????? | // 85c0 | test al, al // 0f8483000000 | je 0xafd // c744240402a00000 | cmp ebx, 0x668ae0 // 891c24 | jne 0xb32 // e8???????? | // 895c2430 | jmp 0xb2d $sequence_1 = { c1ff1f 31f8 29f8 8d3402 0fb601 0fb613 29c2 } // n = 7, score = 100 // c1ff1f | mov edx, edi // 31f8 | movzx edi, di // 29f8 | sar edi, 0x10 // 8d3402 | add eax, edi // 0fb601 | mov edi, dword ptr [ebp - 0x64] // 0fb613 | add eax, edx // 29c2 | mov edx, dword ptr [ecx - 0x10] $sequence_2 = { d90481 8b442460 c744240801000000 d9ee 890424 dfe9 ddd8 } // n = 7, score = 100 // d90481 | fld dword ptr [ebp + eax*4] // 8b442460 | fmul dword ptr [ebx + eax*4 + 4] // c744240801000000 | add eax, 1 // d9ee | fld dword ptr [ebx] // 890424 | jle 0x156 // dfe9 | xor eax, eax // ddd8 | nop $sequence_3 = { f7d0 31f6 c1e206 01d0 80bd7ffeffff00 7419 8bb5f8feffff } // n = 7, score = 100 // f7d0 | mul dword ptr [esp + 0x90] // 31f6 | add eax, ebx // c1e206 | mov ebx, dword ptr [esp + 0x88] // 01d0 | adc edx, esi // 80bd7ffeffff00 | mov esi, eax // 7419 | mov eax, dword ptr [esp + 0x14] // 8bb5f8feffff | mov edi, edx $sequence_4 = { e8???????? 8b4c2440 3c3f 880419 76e4 8b15???????? c644242c01 } // n = 7, score = 100 // e8???????? | // 8b4c2440 | mov dword ptr [esp], eax // 3c3f | mov eax, dword ptr [ebp - 0x10] // 880419 | mov eax, dword ptr [ebp - 0x10] // 76e4 | lea edx, [eax*4] // 8b15???????? | // c644242c01 | mov eax, dword ptr [ebp + 8] $sequence_5 = { c5fd7f9c2440060000 c5fd7fac24a0050000 c5c5fe9c2460050000 c5c5feec c5fd7f9c2480050000 c5c5fe942400050000 c5c5fea42440070000 } // n = 7, score = 100 // c5fd7f9c2440060000 | vmovdqa ymmword ptr [esp + 0xd00], ymm3 // c5fd7fac24a0050000 | vmovdqa ymm3, ymmword ptr [esp + 0xc80] // c5c5fe9c2460050000 | vpsrad ymm3, ymm3, 0xe // c5c5feec | vmovdqa ymmword ptr [esp + 0xce0], ymm3 // c5fd7f9c2480050000 | vmovdqa ymmword ptr [esp + 0x1220], ymm3 // c5c5fe942400050000 | vmovdqa ymmword ptr [esp + 0x1060], ymm6 // c5c5fea42440070000 | vmovdqa ymm6, ymmword ptr [esp + 0xcc0] $sequence_6 = { e8???????? 0fb68520faffff 8844242c 83e07f 3c02 0f84c9020000 8b8528faffff } // n = 7, score = 100 // e8???????? | // 0fb68520faffff | add esp, 0x2c // 8844242c | pop ebx // 83e07f | pop esi // 3c02 | add ebx, dword ptr [ebp + 8] // 0f84c9020000 | test eax, eax // 8b8528faffff | je 0x170 $sequence_7 = { e9???????? 0fb68fe06f6900 89d8 29c8 d3e7 d3e2 89854c3d0000 } // n = 7, score = 100 // e9???????? | // 0fb68fe06f6900 | mov dword ptr [esp], edi // 89d8 | mov dword ptr [esp + 4], 0xa003 // 29c8 | mov dword ptr [esp + 0x40], edi // d3e7 | add esp, 0x2c // d3e2 | jmp 0x1e5 // 89854c3d0000 | mov eax, dword ptr [ebx + 4] $sequence_8 = { d905???????? d94508 d9c9 dfe9 ddd8 7207 b80080ffff } // n = 7, score = 100 // d905???????? | // d94508 | mov dword ptr [esi + ebp*4], eax // d9c9 | add ebp, 1 // dfe9 | cmp ebx, ebp // ddd8 | fmul dword ptr [eax + esi*4] // 7207 | fxch st(1) // b80080ffff | fucomi st(1) $sequence_9 = { e9???????? 8b4508 8b4044 8b55c8 c1e202 01d0 8b00 } // n = 7, score = 100 // e9???????? | // 8b4508 | mov dword ptr [esp + 0x14], edx // 8b4044 | mov edx, dword ptr [esp + 0x14] // 8b55c8 | mov eax, dword ptr [ebx + 0x14] // c1e202 | mov dword ptr [esp], eax // 01d0 | mov edi, dword ptr [ebx + 0x38] // 8b00 | test edi, edi condition: 7 of them and filesize < 6156288 }
import "pe" rule win_crytox_w0 { meta: description = "Detect variants of Crytox Ransomware" author = "Jake Goldi" date = "2022-09-29" packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67" hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d" hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047" hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa" source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara" version="1.0" phase = "experimental" url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" malware = "Win64.Ransom.Crytox" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20220930" malpedia_hash = "" malpedia_version = "20220930" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "utox" wide ascii nocase /* hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax ; unk_5F2520 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 DD 13 00 00 call sub_1402E940E 48 C7 C1 C0 01 00 00 mov rcx, 448 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A2 11 00 00 call sub_1402E91F5 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047 FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 90 nop 50 push rax 59 pop rcx E8 E2 13 00 00 call sub_1402E9413 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A7 11 00 00 call sub_1402E91FA 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 61 12 00 00 call sub_1402E9292 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 26 10 00 00 call sub_1402E9079 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFre */ $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 } $op3 = { 4C 8D 05 29 20 00 00 } $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*))) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY