win.cuba

Cuba

aka: COLDDRAW

Ransomware.

References
2023-09-11 | Kaspersky | Alexander Kirichenko, Gleb Ivanov
From Caribbean shores to your devices: analyzing Cuba ransomware
Cuba
2023-07-28 | Quorum Cyber | Quorum Cyber
Scattered Spider Threat Actor Profile
Cuba KillAV POORTRY
2023-03-30 | United States District Court (Eastern District of New York) | Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-12-01 | CISA | CISA
#StopRansomware: Cuba Ransomware
Cuba
2022-08-18 | Fortinet | James Slaughter, Shunichi Imano
Ransomware Roundup: Gwisin, Kriptor, Cuba, and More
Cuba
2022-08-10 | Palo Alto Networks Unit 42 | Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
2022-06-08 | Trend Micro | Don Ovid Ladores
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01 | Elastic | Andrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-06-01 | Elastic | Salim Bitam
CUBA Ransomware Malware Analysis
Cuba
2022-02-26 | Aon | Eduardo Mattos, Rob Homewood
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-25 | IT-Connect (FR) | Florian Burnel
Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24 | Bleeping Computer | Bill Toulas
Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23 | Mandiant | Joshua Shilko, Shambavi Sadayappan, Tyler McLellan
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba KillAV
2022-02-08 | GuidePoint Security | Drew Schmitt
Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14 | Lab52 | Th3spis
Cuba Ransomware Analysis
Cuba
2021-12-02 | FBI | FBI
CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07 | Group-IB | Oleg Skulkin, Semyon Rogachev
Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05 | Profero | Profero, SecurityJoes
Cuba Ransomware Group on a Roll
Cuba
2021-04-06 | McAfee | Alexandre Mundo, Thibault Seret, Thomas Roccia
McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06 | McAfee | Alexandre Mundo, Thibault Seret, Thomas Roccia
Technical Analysis of Cuba Ransomware
Cuba
2019-12-31 | Andrew Ivanov
Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20230808 | Detects win.cuba.)
rule win_cuba_auto {
    // Auto-generated Malpedia signature for win.cuba (Cuba ransomware, aka COLDDRAW).
    // Matching is decided solely by the 16 hex byte sequences under "strings:" and
    // the "condition:" at the bottom; the disassembly listed under each sequence is
    // informational output of the generator and has no effect on matching.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is a run of consecutive instruction encodings; "????" wildcards
        // mask relocatable call/jmp targets and absolute data references.
        // "n" is the instruction count, "score" the generator's weight.
        //
        // NOTE(review): $sequence_0, 5, 7, 11, 12, 13 and 15 disassemble to
        // add byte ptr / inc on ASCII-range bytes (0x26, 0x3a, 0x41-0x45); these look
        // like data fragments that the generator picked up as code rather than real
        // instructions, so they may generalize poorly across builds — confirm before
        // giving them weight on their own.
        // NOTE(review): $sequence_10 and $sequence_14 embed absolute addresses
        // (0x409cac, 0x41b1f4), which likely ties them to one image base / build layout.
        $sequence_0 = { 0019 43 41 00444341 }
            // n = 4, score = 100
            //   0019                 | add                 byte ptr [ecx], bl
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00444341             | add                 byte ptr [ebx + eax*2 + 0x41], al

        $sequence_1 = { ffb5fcfeffff ffb5fcfdffff ff15???????? 85c0 750d 8b95c0fbffff 53 }
            // n = 7, score = 100
            //   ffb5fcfeffff         | push                dword ptr [ebp - 0x104]
            //   ffb5fcfdffff         | push                dword ptr [ebp - 0x204]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   8b95c0fbffff         | mov                 edx, dword ptr [ebp - 0x440]
            //   53                   | push                ebx

        $sequence_2 = { 33d2 85c0 7e0c 807c95bc19 740c 42 3bd0 }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   85c0                 | test                eax, eax
            //   7e0c                 | jle                 0xe
            //   807c95bc19           | cmp                 byte ptr [ebp + edx*4 - 0x44], 0x19
            //   740c                 | je                  0xe
            //   42                   | inc                 edx
            //   3bd0                 | cmp                 edx, eax

        $sequence_3 = { 85c0 0f84b4000000 8bbdc8fbffff 53 68???????? 8d85f0fbffff 50 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f84b4000000         | je                  0xba
            //   8bbdc8fbffff         | mov                 edi, dword ptr [ebp - 0x438]
            //   53                   | push                ebx
            //   68????????           |                     
            //   8d85f0fbffff         | lea                 eax, [ebp - 0x410]
            //   50                   | push                eax

        $sequence_4 = { 000d???????? 384100 b538 41 }
            // n = 4, score = 100
            //   000d????????         |                     
            //   384100               | cmp                 byte ptr [ecx], al
            //   b538                 | mov                 ch, 0x38
            //   41                   | inc                 ecx

        $sequence_5 = { 0026 45 41 003a }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   003a                 | add                 byte ptr [edx], bh

        $sequence_6 = { 85c0 750c 57 ff15???????? e9???????? 56 ff15???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   e9????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_7 = { 0012 45 41 0026 }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   0026                 | add                 byte ptr [esi], ah

        $sequence_8 = { 6a02 6a00 688b010000 ff75f4 ff15???????? ff75f4 f7d8 }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   688b010000           | push                0x18b
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   f7d8                 | neg                 eax

        $sequence_9 = { 757a ffb5d4fbffff 50 6800040000 }
            // n = 4, score = 100
            //   757a                 | jne                 0x7c
            //   ffb5d4fbffff         | push                dword ptr [ebp - 0x42c]
            //   50                   | push                eax
            //   6800040000           | push                0x400

        $sequence_10 = { 8945f4 8b4514 40 c745ecac9c4000 894df8 8945fc }
            // n = 6, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   40                   | inc                 eax
            //   c745ecac9c4000       | mov                 dword ptr [ebp - 0x14], 0x409cac
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_11 = { 0026 43 41 00b043410062 }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00b043410062         | add                 byte ptr [eax + 0x62004143], dh

        $sequence_12 = { 000c43 41 0035???????? 43 }
            // n = 4, score = 100
            //   000c43               | add                 byte ptr [ebx + eax*2], cl
            //   41                   | inc                 ecx
            //   0035????????         |                     
            //   43                   | inc                 ebx

        $sequence_13 = { 003a 45 41 004245 }
            // n = 4, score = 100
            //   003a                 | add                 byte ptr [edx], bh
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   004245               | add                 byte ptr [edx + 0x45], al

        $sequence_14 = { 03f0 c1ca16 8b85e0feffff 03b40510ffffff 03b0f4b14100 03b5e8feffff 8d0437 }
            // n = 7, score = 100
            //   03f0                 | add                 esi, eax
            //   c1ca16               | ror                 edx, 0x16
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   03b40510ffffff       | add                 esi, dword ptr [ebp + eax - 0xf0]
            //   03b0f4b14100         | add                 esi, dword ptr [eax + 0x41b1f4]
            //   03b5e8feffff         | add                 esi, dword ptr [ebp - 0x118]
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_15 = { 000446 41 00d1 45 }
            // n = 4, score = 100
            //   000446               | add                 byte ptr [esi + eax*2], al
            //   41                   | inc                 ecx
            //   00d1                 | add                 cl, dl
            //   45                   | inc                 ebp

    condition:
        // Any 7 of the 16 sequences, in a file smaller than 1094656 bytes (~1.04 MiB).
        // There is no MZ-header check, so — consistent with the disclaimer above —
        // the rule can also fire on memory dumps and unpacked payloads, not only on
        // PE files on disk. Expect the size bound to exclude larger repacked builds.
        7 of them and filesize < 1094656
}
[TLP:WHITE] win_cuba_w0   (20230118 | Detect_cuba_ransomware)
rule win_cuba_w0 {
    // Hand-written Cuba ransomware signature (@malgamy12), shared via Malpedia.
    // Three long hex patterns with "??" single-byte and "[4]" four-byte wildcards
    // must all be present in a file whose first two bytes are the "MZ" DOS header.
    meta:
	    description = "Detect_cuba_ransomware"
	    author = "@malgamy12"
	    date = "24/11/2022"
	    license = "DRL 1.1"
        // Ten reference samples; each value is 40 hex characters, so presumably
        // SHA-1 — confirm against the Malpedia sample set. Repeated `hash` keys
        // are valid YARA meta and are reported as a list by yara-python.
        hash = "c2aad237b3f4c5a55df88ef26c25899fc4ec8170"
        hash = "4b41a1508f0f519396b7c14df161954f1c819e86"
        hash = "d5fe48b914c83711fe5313a4aaf1e8d80533543d"
        hash = "159b566e62dcec608a3991100d6edbca781d48c0"
        hash = "e1cae0d2a320a2756ae1ee5d37bfe803b39853fa"
        hash = "6f1d355b95546f0a5a09f7fd0b85fc9658e87813"
        hash = "25da0849207beb5695c8d9826b585b8cda435eba"
        hash = "3997d19f38ce14b7643c1ad8d6a737990b444215"
        hash = "f008e568c313b6f41406658a77313f89df07017e"
        hash = "7e42b668fd2ca96b05f39d5097943a191f1010f4"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // NOTE(review): the repeated "0F B6 47 ?? C1 E1 ?? 0B C8" groups in $p1 decode
        // to movzx / shl / or on consecutive bytes at [edi+imm8], which looks like
        // packing bytes into 32-bit words — confirm against a sample before relying
        // on that reading. "??" masks the displacement and shift immediates.
        $p1 = {C1 8D 73 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 8D 04 45 [4] 89 83 [4] 0F B6 0F 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0B 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0E 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 4B ?? 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 8B 45 ?? 89 4D ?? 89 4B}
        // NOTE(review): $p2 and $p3 are built from "C1 E8 ?? 0F B6 .." (shr, movzx)
        // feeding "33 04 8D [4]" / "33 0C 85 [4]" (xor with a dword table indexed by a
        // byte of the value). The "[4]" jumps mask the absolute table addresses, so
        // these patterns survive relocation of the tables but not a recompile that
        // changes register allocation. This shape looks like a table-driven round
        // function — confirm the algorithm from the sample rather than from the rule.
        $p2 = {5D ?? 8B C3 C1 E8 ?? 0F B6 D0 8B C3 C1 E8 ?? 0F B6 C8 8B 04 95 [4] 33 04 8D [4] 8B CB C1 E9 ?? 33 04 8D [4] 0F B6 CB 5B 33 04 8D}
        $p3 = {8B 75 ?? 8B C6 C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 8B 55 ?? 33 0C 85 [4] 8B C2 C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 33 0F 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C6 C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 33 4F ?? 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C2 C1 E8 ?? 0F B6 C0 C1 EA ?? 8B 1C 8D [4] 8B 4D ?? 33 1C 85 [4] 8B C6 C1 E8 ?? 33 1C 85 [4] 0F B6 C1 C1 E9 ?? 0F B6 C9 33 1C 85 [4] 33 5F ?? 0F B6 C2 8B 14 8D [4] 33 14 85 [4] 8B 45 ?? C1 E8 ?? 33 14 85 [4] 8B C6 0F B6 C0 33 14 85 [4] 8B C3 33 57 ?? C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C3 C1 E8 ?? 8B 0C 8D [4] 0F B6 C0 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] C1 EA ?? 33 0C 85 [4] 8B C3 C1 E8 ?? 33 0C 85 [4] 89 4D ?? 8B 4D ?? 8B 75 ?? 0F B6 C1 C1 E9 ?? 0F B6 C9 33 34 85 [4] 8B C6 89 75 ?? 33 47 ?? 8B 0C 8D [4] 89 45 ?? 8B 45 ?? C1 E8 ?? 0F B6 C0 33 0C 85 [4] 33 0C 95 [4] 0F B6 C3 33 0C 85 [4] 33 4F ?? 83 C7 ?? 83 6D}
        
    condition:
        // 0x5A4D is "MZ" read little-endian at offset 0, i.e. a DOS/PE header, so this
        // rule only fires on executables on disk (not on raw memory dumps); all three
        // patterns are then required. No filesize bound is set — the patterns are long
        // enough that false positives are unlikely, but a changed compiler or build
        // could break any one of them and silently disable the whole rule.
        uint16(0) == 0x5A4D and all of them
}