Ransomware.
rule win_crytox_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.crytox." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { f76c2418 01c1 8b442450 11d3 f7ac24a8000000 01c1 8b442428 } // n = 7, score = 100 // f76c2418 | add esi, dword ptr [esp + 0x78] // 01c1 | mov edi, ecx // 8b442450 | mul dword ptr [esp + 8] // 11d3 | mov edi, edx // f7ac24a8000000 | mov esi, eax // 01c1 | add edi, ebx // 8b442428 | mov ebx, dword ptr [esp + 0xb0] $sequence_1 = { ff15???????? 8b45dc 83ec1c 89742414 895c2410 897c2408 c744241c00000000 } // n = 7, score = 100 // ff15???????? | // 8b45dc | mov dword ptr [esp + 8], 1 // 83ec1c | sub esp, 0x10 // 89742414 | test eax, eax // 895c2410 | mov edi, eax // 897c2408 | mov edx, dword ptr [ebp - 0x4c] // c744241c00000000 | jle 0xc4 $sequence_2 = { dee9 d9ac24a4000000 db9c24a0000000 d9ac24a6000000 8b8424a0000000 39d0 0f8e3a080000 } // n = 7, score = 100 // dee9 | fld dword ptr [ebp - 4] // d9ac24a4000000 | fld1 // db9c24a0000000 | fxch st(1) // d9ac24a6000000 | fucomip st(1) // 8b8424a0000000 | fstp st(0) // 39d0 | fsubp st(1) // 0f8e3a080000 | fstp dword ptr [ebp - 4] $sequence_3 = { e8???????? c9 c3 55 89e5 83ec58 8b450c } // n = 7, score = 100 // e8???????? | // c9 | mov dword ptr [ebp + 0x14], 2 // c3 | lea eax, [edx + edi] // 55 | jmp 0x1e // 89e5 | cmp byte ptr [ebx + 3], 0 // 83ec58 | je 0x2a // 8b450c | mov dword ptr [ebp + 0x14], 0x18 $sequence_4 = { e9???????? 0fbf55fe 8b45f4 83c224 8b44900c 8945e0 8b45f4 } // n = 7, score = 100 // e9???????? | // 0fbf55fe | mov dword ptr [esp], 0xffff // 8b45f4 | sub esp, 4 // 83c224 | cmp eax, dword ptr [esp + 0x40] // 8b44900c | movups xmmword ptr [ecx + 0x10], xmm0 // 8945e0 | add ecx, 0x100 // 8b45f4 | movups xmmword ptr [ecx - 0xd0], xmm5 $sequence_5 = { e8???????? e9???????? 8b4508 05c4020000 c744240806000000 c7442404b4e86a00 890424 } // n = 7, score = 100 // e8???????? | // e9???????? | // 8b4508 | xor edx, edx // 05c4020000 | mov word ptr [ebp - 0x1a], dx // c744240806000000 | movzx eax, word ptr [ebp - 0x3c] // c7442404b4e86a00 | sub ax, word ptr [ebp - 0x1a] // 890424 | jne 0xc0 $sequence_6 = { e9???????? 891c24 c744240402a00000 e8???????? 895c2420 83c414 5b } // n = 7, score = 100 // e9???????? | // 891c24 | sub eax, 1 // c744240402a00000 | imul eax, eax, 0x64 // e8???????? | // 895c2420 | add eax, edx // 83c414 | mov eax, dword ptr [ebp + 0x2126c] // 5b | mov edi, dword ptr [esp + 0x8c] $sequence_7 = { e8???????? e9???????? 8b8424e0000000 8da82abc0100 8b44242c 8d500c 83c04c } // n = 7, score = 100 // e8???????? | // e9???????? | // 8b8424e0000000 | je 0x13c // 8da82abc0100 | movzx eax, byte ptr [eax + 0x80] // 8b44242c | mov dword ptr [esp], eax // 8d500c | cmp dword ptr [eax + 0x138], 0 // 83c04c | mov ebx, eax $sequence_8 = { e9???????? 890424 e8???????? 89c1 8b44246c 99 f77c247c } // n = 7, score = 100 // e9???????? | // 890424 | add esp, 0x7c // e8???????? | // 89c1 | pop ebx // 8b44246c | pop esi // 99 | pop edi // f77c247c | pop ebp $sequence_9 = { e8???????? eb01 90 8b45f4 8b400c 890424 e8???????? } // n = 7, score = 100 // e8???????? | // eb01 | mov dword ptr [esp + 0xc], eax // 90 | lea eax, [esp + 0xc8] // 8b45f4 | mov dword ptr [esp + 0x68], eax // 8b400c | mov dword ptr [esp + 0x64], 0 // 890424 | xor edi, edi // e8???????? | condition: 7 of them and filesize < 6156288 }
import "pe" rule win_crytox_w0 { meta: description = "Detect variants of Crytox Ransomware" author = "Jake Goldi" date = "2022-09-29" packed_hash1 = "32eef267a1192a9a739ccaaae0266bc66707bb64768a764541ecb039a50cba67" hash2 = "11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d" hash3 = "68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047" hash4 = "a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa" source = "https://raw.githubusercontent.com/taogoldi/YARA/main/ransomware/crytox_ransom.yara" version="1.0" phase = "experimental" url = "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware" malware = "Win64.Ransom.Crytox" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" malpedia_rule_date = "20220930" malpedia_hash = "" malpedia_version = "20220930" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "utox" wide ascii nocase /* hash 2: 11ea0d7e0ebe15b8147d39e72773221d11c2cf84e2d8d6164102c65e797eef6d FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax ; unk_5F2520 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 DD 13 00 00 call sub_1402E940E 48 C7 C1 C0 01 00 00 mov rcx, 448 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A2 11 00 00 call sub_1402E91F5 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 3: 68fae79a2eca125090bd2a8badc46ed4324c38f2ff24db702d09c3d7687e0047 FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 90 nop 50 push rax 59 pop rcx E8 E2 13 00 00 call sub_1402E9413 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 A7 11 00 00 call sub_1402E91FA 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFree ------------- hash 4: a0a6c2937b6a8b2bc1214ace8255adc6992b553b9e740c3fe1543e089e8437aa FF 15 C9 22 00 00 call cs:GlobalAlloc 48 89 85 58 FF FF FF mov [rbp+hMem], rax 4C 8B E0 mov r12, rax 48 8B C8 mov rcx, rax E8 61 12 00 00 call sub_1402E9292 48 C7 C1 C0 01 00 00 mov rcx, 1C0h 49 8D 94 24 08 04 00 00 lea rdx, [r12+408h] 4C 8D 05 29 20 00 00 lea r8, unk_1402EA070 4C 8D 8D A4 FD FF FF lea r9, [rbp+var_25C] E8 26 10 00 00 call sub_1402E9079 48 8B 8D 58 FF FF FF mov rcx, [rbp+hMem] ; hMem FF 15 90 22 00 00 call cs:GlobalFre */ $op1 = { FF 15 C9 22 00 00 48 89 85 58 FF FF FF 4C 8B E0 } $op2 = { E8 ?? ?? 00 00 48 C7 C1 C0 01 00 00 49 8D 94 24 08 04 00 00 } $op3 = { 4C 8D 05 29 20 00 00 } $op4 = { 4C 8D 8D A4 FD FF FF E8 ?? 1? 00 00 48 8B 8D 58 FF FF FF FF 15 90 22 00 00 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((all of ($s*)) and (all of ($op*))) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY