win.cuba

Cuba

aka: COLDDRAW

Ransomware.

References
2022-06-08 | Trend Micro | Don Ovid Ladores
@online{ladores:20220608:cuba:2b4a6df,
  author       = {Don Ovid Ladores},
  title        = {{Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques}},
  date         = {2022-06-08},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html},
  language     = {English},
  urldate      = {2022-06-09}
}
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01 | Elastic | Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1,
  author       = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease},
  title        = {{CUBA Ransomware Campaign Analysis}},
  date         = {2022-06-01},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
  language     = {English},
  urldate      = {2022-06-09}
}
CUBA Ransomware Campaign Analysis
Cobalt Strike, Cuba, Meterpreter, MimiKatz, SystemBC
2022-06-01 | Elastic | Salim Bitam
@online{bitam:20220601:cuba:040c34a,
  author       = {Salim Bitam},
  title        = {{CUBA Ransomware Malware Analysis}},
  date         = {2022-06-01},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis},
  language     = {English},
  urldate      = {2022-06-09}
}
CUBA Ransomware Malware Analysis
Cuba
2022-02-26 | Aon | Eduardo Mattos, Rob Homewood
@online{mattos:20220226:yours:2cd2d24,
  author       = {Eduardo Mattos and Rob Homewood},
  title        = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}},
  date         = {2022-02-26},
  organization = {Aon},
  url          = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/},
  language     = {English},
  urldate      = {2022-03-22}
}
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba, KillAV
2022-02-25 | IT-Connect (FR) | Florian Burnel
@online{burnel:20220225:le:9689415,
  author       = {Florian Burnel},
  title        = {{Le ransomware Cuba s’en prend aux serveurs Exchange}},
  date         = {2022-02-25},
  organization = {IT-Connect (FR)},
  url          = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/},
  language     = {French},
  urldate      = {2022-03-01}
}
Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24 | Bleeping Computer | Bill Toulas
@online{toulas:20220224:microsoft:4ade21b,
  author       = {Bill Toulas},
  title        = {{Microsoft Exchange servers hacked to deploy Cuba ransomware}},
  date         = {2022-02-24},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/},
  language     = {English},
  urldate      = {2022-03-01}
}
Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23 | Mandiant | Tyler McLellan, Joshua Shilko, Shambavi Sadayappan
@online{mclellan:20220223:exchange:9b09c31,
  author       = {Tyler McLellan and Joshua Shilko and Shambavi Sadayappan},
  title        = {{(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware}},
  date         = {2022-02-23},
  organization = {Mandiant},
  url          = {https://www.mandiant.com/resources/unc2596-cuba-ransomware},
  language     = {English},
  urldate      = {2022-02-26}
}
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba
2022-02-08 | GuidePoint Security | Drew Schmitt
@online{schmitt:20220208:using:0b08b47,
  author       = {Drew Schmitt},
  title        = {{Using Hindsight to Close a Cuba Cold Case}},
  date         = {2022-02-08},
  organization = {GuidePoint Security},
  url          = {https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/},
  language     = {English},
  urldate      = {2022-03-28}
}
Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14 | Lab52 | Th3spis
@online{th3spis:20211214:cuba:db59204,
  author       = {Th3spis},
  title        = {{Cuba Ransomware Analysis}},
  date         = {2021-12-14},
  organization = {Lab52},
  url          = {https://lab52.io/blog/cuba-ransomware-analysis/},
  language     = {English},
  urldate      = {2022-01-18}
}
Cuba Ransomware Analysis
Cuba
2021-12-02 | FBI | FBI
@techreport{fbi:20211202:cu000156mw:b256f8b,
  author      = {FBI},
  title       = {{CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware}},
  date        = {2021-12-02},
  institution = {FBI},
  url         = {https://www.ic3.gov/Media/News/2021/211203-2.pdf},
  language    = {English},
  urldate     = {2021-12-07}
}
CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f,
  author       = {DarkTracer},
  title        = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}},
  date         = {2021-05-10},
  organization = {DarkTracer},
  url          = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
  language     = {English},
  urldate      = {2021-05-13}
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX
2021-05-07 | Group-IB | Oleg Skulkin, Semyon Rogachev
@online{skulkin:20210507:connecting:49c0b13,
  author       = {Oleg Skulkin and Semyon Rogachev},
  title        = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}},
  date         = {2021-05-07},
  organization = {Group-IB},
  url          = {https://blog.group-ib.com/hancitor-cuba-ransomware},
  language     = {English},
  urldate      = {2021-05-08}
}
Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba, Hancitor
2021-05-05 | Profero | Profero, SecurityJoes
@techreport{profero:20210505:cuba:bc183e8,
  author      = {Profero and SecurityJoes},
  title       = {{Cuba Ransomware Group on a Roll}},
  date        = {2021-05-05},
  institution = {Profero},
  url         = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf},
  language    = {English},
  urldate     = {2021-05-07}
}
Cuba Ransomware Group on a Roll
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
@online{roccia:20210406:mcafee:1ad60c9,
  author       = {Thomas Roccia and Thibault Seret and Alexandre Mundo},
  title        = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}},
  date         = {2021-04-06},
  organization = {McAfee},
  url          = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware},
  language     = {English},
  urldate      = {2021-05-13}
}
McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
@techreport{roccia:20210406:technical:3adb4cc,
  author      = {Thomas Roccia and Thibault Seret and Alexandre Mundo},
  title       = {{Technical Analysis of Cuba Ransomware}},
  date        = {2021-04-06},
  institution = {McAfee},
  url         = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf},
  language    = {English},
  urldate     = {2021-04-09}
}
Technical Analysis of Cuba Ransomware
Cuba
2019-12-31 | Andrew Ivanov
@online{ivanov:20191231:cuba:53a177c,
  author   = {Andrew Ivanov},
  title    = {{Cuba Ransomware}},
  date     = {2019-12-31},
  url      = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html},
  language = {Russian},
  urldate  = {2020-06-11}
}
Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20220516 | Detects win.cuba.)
rule win_cuba_auto {
    // Auto-generated code-sequence signature for the Cuba ransomware family
    // (Malpedia id win.cuba, aka COLDDRAW). Each $sequence_* string is a short
    // run of 32-bit x86 instruction encodings lifted from disassembly; the
    // condition at the bottom requires most of them to co-occur, so no single
    // sequence fires the rule on its own.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The annotated disassembly under each pattern is documentation only.
        // "??" wildcards mask operand bytes that differ between builds and load
        // addresses (the rel32 target of an e8 call, the imm32 of a 68 push),
        // so only the opcode skeleton is matched; the mnemonic column is left
        // blank for those wildcarded instructions.
        $sequence_0 = { 038d78ffffff 33c6 2385dcfeffff 33c7 03c1 03d0 8b85f0feffff }
            // n = 7, score = 100
            //   038d78ffffff         | add                 ecx, dword ptr [ebp - 0x88]
            //   33c6                 | xor                 eax, esi
            //   2385dcfeffff         | and                 eax, dword ptr [ebp - 0x124]
            //   33c7                 | xor                 eax, edi
            //   03c1                 | add                 eax, ecx
            //   03d0                 | add                 edx, eax
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]

        $sequence_1 = { 50 895df8 e8???????? 8bf0 83c40c 85f6 75af }
            // n = 7, score = 100
            //   50                   | push                eax
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   75af                 | jne                 0xffffffb1

        $sequence_2 = { 894804 8b85c8f7ffff 8908 8b85dcf7ffff c645fc00 8b95e0f7ffff 8d3446 }
            // n = 7, score = 100
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8b85c8f7ffff         | mov                 eax, dword ptr [ebp - 0x838]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b85dcf7ffff         | mov                 eax, dword ptr [ebp - 0x824]
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   8b95e0f7ffff         | mov                 edx, dword ptr [ebp - 0x820]
            //   8d3446               | lea                 esi, [esi + eax*2]

        $sequence_3 = { 68de010000 68???????? 68???????? e8???????? 68df010000 68???????? 68???????? }
            // n = 7, score = 100
            //   68de010000           | push                0x1de
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   68df010000           | push                0x1df
            //   68????????           |                     
            //   68????????           |                     

        $sequence_4 = { 8d45b0 50 e8???????? 8bf0 83c40c 85f6 0f852f010000 }
            // n = 7, score = 100
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f852f010000         | jne                 0x135

        $sequence_5 = { 89410c 85c0 7507 b8feffffff 5d c3 c70100000000 }
            // n = 7, score = 100
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   b8feffffff           | mov                 eax, 0xfffffffe
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   c70100000000         | mov                 dword ptr [ecx], 0

        $sequence_6 = { 895dfc 50 57 8b7df4 8945ec 8d041f 50 }
            // n = 7, score = 100
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   50                   | push                eax
            //   57                   | push                edi
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8d041f               | lea                 eax, [edi + ebx]
            //   50                   | push                eax

        $sequence_7 = { c3 8d87c0440000 6a10 50 e8???????? 83c408 33c0 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8d87c0440000         | lea                 eax, [edi + 0x44c0]
            //   6a10                 | push                0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 3901 8919 1bc0 83e006 5b 8be5 5d }
            // n = 7, score = 100
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   8919                 | mov                 dword ptr [ecx], ebx
            //   1bc0                 | sbb                 eax, eax
            //   83e006               | and                 eax, 6
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_9 = { 85d2 7e36 baecffffff 8d4e14 2bd6 800101 }
            // n = 6, score = 100
            //   85d2                 | test                edx, edx
            //   7e36                 | jle                 0x38
            //   baecffffff           | mov                 edx, 0xffffffec
            //   8d4e14               | lea                 ecx, [esi + 0x14]
            //   2bd6                 | sub                 edx, esi
            //   800101               | add                 byte ptr [ecx], 1

    condition:
        // 7 of the 10 $sequence_* strings must be present and the scanned object
        // must be smaller than 1094656 bytes (~1.04 MiB). The size cap is
        // presumably meant to skip large files rather than to describe the
        // malware; confirm before relaxing it. Because the sequences were taken
        // from unpacked code and memory dumps (see DISCLAIMER), packed on-disk
        // samples may not match — unpacked artifacts or process memory are the
        // expected scan targets.
        7 of them and filesize < 1094656
}