win.cuba

Cuba

aka: COLDDRAW

Ransomware.

References
2023-09-11KasperskyAlexander Kirichenko, Gleb Ivanov
From Caribbean shores to your devices: analyzing Cuba ransomware
Cuba
2023-07-28Quorum CyberQuorum Cyber
Scattered Spider Threat Actor Profile
Cuba KillAV POORTRY
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-12-01CISACISA
#StopRansomware: Cuba Ransomware
Cuba
2022-08-18FortinetJames Slaughter, Shunichi Imano
Ransomware Roundup: Gwisin, Kriptor, Cuba, and More
Cuba
2022-08-10Palo Alto Networks Unit 42Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
2022-06-08Trend MicroDon Ovid Ladores
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-06-01ElasticSalim Bitam
CUBA Ransomware Malware Analysis
Cuba
2022-02-26AonEduardo Mattos, Rob Homewood
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-25IT-Connect (FR)Florian Burnel
Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24Bleeping ComputerBill Toulas
Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23MandiantJoshua Shilko, Shambavi Sadayappan, Tyler McLellan
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba KillAV
2022-02-08GuidePoint SecurityDrew Schmitt
Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14Lab52Th3spis
Cuba Ransomware Analysis
Cuba
2021-12-02FBIFBI
CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05ProferoProfero, SecurityJoes
Cuba Ransomware Group on a Roll
Cuba
2021-04-06McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia
McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia
Technical Analysis of Cuba Ransomware
Cuba
2019-12-31Andrew Ivanov
Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20241030 | Detects win.cuba.)
// Autogenerated YARA-Signator rule for win.cuba (Cuba ransomware).
// Each $sequence_N is a run of x86 instruction bytes lifted from disassembly
// of the reference sample; "??" bytes are wildcards that appear to blank out
// call/jump displacements and absolute data references (see signator_config
// below), so the patterns survive relocation and minor rebuilds.
// NOTE(review): `date` (2024-10-31) is one day after `malpedia_rule_date` /
// `malpedia_version` (20241030); presumably generation vs. dataset date —
// verify before consuming these fields programmatically.
rule win_cuba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0, _1, _4, _10, _12, _13, _14 and _15 disassemble
        // to runs of `add byte ptr …` / `inc` whose bytes sit in the printable
        // ASCII range (0x41 'A', 0x43 'C', 0x44 'D', 0x45 'E', 0x3a ':'), which
        // suggests they were lifted from data rather than code — TODO confirm
        // against the sample before giving matches on these sequences much weight.
        $sequence_0 = { 0019 43 41 00444341 }
            // n = 4, score = 100
            //   0019                 | add                 byte ptr [ecx], bl
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00444341             | add                 byte ptr [ebx + eax*2 + 0x41], al

        $sequence_1 = { 0026 43 41 00b043410062 }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00b043410062         | add                 byte ptr [eax + 0x62004143], dh

        // Counted compare loop against a 4-byte table at 0x419be8 (up to 0x1d entries).
        $sequence_2 = { 3914c5e89b4100 7408 40 83f81d 7cf1 }
            // n = 5, score = 100
            //   3914c5e89b4100       | cmp                 dword ptr [eax*8 + 0x419be8], edx
            //   7408                 | je                  0xa
            //   40                   | inc                 eax
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3

        // `mov eax,[abs]; xor eax,ebp; mov [ebp-4],eax` is the shape of a stack-cookie
        // prologue; the wildcarded call that follows is then tested for success.
        $sequence_3 = { a1???????? 33c5 8945fc e8???????? 84c0 0f854d010000 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f854d010000         | jne                 0x153

        $sequence_4 = { 000d???????? 384100 b538 41 }
            // n = 4, score = 100
            //   000d????????         |                     
            //   384100               | cmp                 byte ptr [ecx], al
            //   b538                 | mov                 ch, 0x38
            //   41                   | inc                 ecx

        // Sets up a call through an import/indirect pointer (ff15 ????????) with a
        // stack buffer at [ebp-0x104] as one argument.
        $sequence_5 = { 8d85fcfeffff 898df8fdffff 50 6a01 53 ff15???????? ffb5fcfeffff }
            // n = 7, score = 100
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   898df8fdffff         | mov                 dword ptr [ebp - 0x208], ecx
            //   50                   | push                eax
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   ffb5fcfeffff         | push                dword ptr [ebp - 0x104]

        // $sequence_6 and $sequence_8 accumulate into esi from locals and fixed
        // tables at 0x41b1e0 / 0x41b1ec — presumably part of a checksum or
        // decoding routine; verify against the sample.
        $sequence_6 = { 03b1e0b14100 8bc3 03b40dfcfeffff 03b5ecfeffff }
            // n = 4, score = 100
            //   03b1e0b14100         | add                 esi, dword ptr [ecx + 0x41b1e0]
            //   8bc3                 | mov                 eax, ebx
            //   03b40dfcfeffff       | add                 esi, dword ptr [ebp + ecx - 0x104]
            //   03b5ecfeffff         | add                 esi, dword ptr [ebp - 0x114]

        // Zeroes a large stack frame and stores a size field (0x22c) at [ebp-0x640].
        $sequence_7 = { 8985bcf9ffff 83cfff 33c0 c785c0f9ffff2c020000 668985ecfbffff 668985f4fdffff 8d85c0f9ffff }
            // n = 7, score = 100
            //   8985bcf9ffff         | mov                 dword ptr [ebp - 0x644], eax
            //   83cfff               | or                  edi, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   c785c0f9ffff2c020000     | mov    dword ptr [ebp - 0x640], 0x22c
            //   668985ecfbffff       | mov                 word ptr [ebp - 0x414], ax
            //   668985f4fdffff       | mov                 word ptr [ebp - 0x20c], ax
            //   8d85c0f9ffff         | lea                 eax, [ebp - 0x640]

        $sequence_8 = { 3385ecfeffff 0bcb 03f0 238df4feffff 8b85e0feffff 03b40508ffffff 03b0ecb14100 }
            // n = 7, score = 100
            //   3385ecfeffff         | xor                 eax, dword ptr [ebp - 0x114]
            //   0bcb                 | or                  ecx, ebx
            //   03f0                 | add                 esi, eax
            //   238df4feffff         | and                 ecx, dword ptr [ebp - 0x10c]
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   03b40508ffffff       | add                 esi, dword ptr [ebp + eax - 0xf8]
            //   03b0ecb14100         | add                 esi, dword ptr [eax + 0x41b1ec]

        // Three arms storing consecutive constants (0x419308/10/18) into the same
        // local, each followed by a wildcarded jmp — looks like a switch/jump table.
        $sequence_9 = { c745e008934100 e9???????? c745e010934100 e9???????? c745e018934100 }
            // n = 5, score = 100
            //   c745e008934100       | mov                 dword ptr [ebp - 0x20], 0x419308
            //   e9????????           |                     
            //   c745e010934100       | mov                 dword ptr [ebp - 0x20], 0x419310
            //   e9????????           |                     
            //   c745e018934100       | mov                 dword ptr [ebp - 0x20], 0x419318

        $sequence_10 = { 0026 45 41 003a }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   003a                 | add                 byte ptr [edx], bh

        // Call result kept in edi; ecx = 0x100 and a [ebp-0x208] buffer suggest a
        // 256-byte buffer operation follows.
        $sequence_11 = { e8???????? 8bf8 b900010000 8d85f8fdffff 89bdbcfbffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   b900010000           | mov                 ecx, 0x100
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   89bdbcfbffff         | mov                 dword ptr [ebp - 0x444], edi

        $sequence_12 = { 000c43 41 0035???????? 43 }
            // n = 4, score = 100
            //   000c43               | add                 byte ptr [ebx + eax*2], cl
            //   41                   | inc                 ecx
            //   0035????????         |                     
            //   43                   | inc                 ebx

        $sequence_13 = { 003a 45 41 004245 }
            // n = 4, score = 100
            //   003a                 | add                 byte ptr [edx], bh
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   004245               | add                 byte ptr [edx + 0x45], al

        $sequence_14 = { 0012 45 41 0026 }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   0026                 | add                 byte ptr [esi], ah

        $sequence_15 = { 000446 41 00d1 45 }
            // n = 4, score = 100
            //   000446               | add                 byte ptr [esi + eax*2], al
            //   41                   | inc                 ecx
            //   00d1                 | add                 cl, dl
            //   45                   | inc                 ebp

    condition:
        // Match when at least 7 of the 16 sequences are present and the scanned
        // object is smaller than 1094656 bytes (just under 1.05 MiB); the size
        // bound keeps the rule from being evaluated against large unrelated files.
        7 of them and filesize < 1094656
}
[TLP:WHITE] win_cuba_w0   (20230118 | Detect_cuba_ransomware)
// Hand-written rule for Cuba ransomware. $p1..$p3 are x86 byte patterns in
// which "??" is a single wildcard byte (here following opcodes that take an
// 8-bit displacement or immediate) and "[4]" skips four bytes (where a 32-bit
// address or displacement would sit), so absolute addresses do not pin the
// rule to one build.
// NOTE(review): `malpedia_hash` is empty and `date` uses DD/MM/YYYY rather
// than the ISO form used by the other rule on this page — harmless for
// matching, but tooling that parses meta should not assume a format.
rule win_cuba_w0 {
    meta:
	    description = "Detect_cuba_ransomware"
	    author = "@malgamy12"
	    date = "24/11/2022"
	    license = "DRL 1.1"
        // Ten sample hashes the rule was written against (duplicate `hash`
        // keys are permitted in YARA meta).
        hash = "c2aad237b3f4c5a55df88ef26c25899fc4ec8170"
        hash = "4b41a1508f0f519396b7c14df161954f1c819e86"
        hash = "d5fe48b914c83711fe5313a4aaf1e8d80533543d"
        hash = "159b566e62dcec608a3991100d6edbca781d48c0"
        hash = "e1cae0d2a320a2756ae1ee5d37bfe803b39853fa"
        hash = "6f1d355b95546f0a5a09f7fd0b85fc9658e87813"
        hash = "25da0849207beb5695c8d9826b585b8cda435eba"
        hash = "3997d19f38ce14b7643c1ad8d6a737990b444215"
        hash = "f008e568c313b6f41406658a77313f89df07017e"
        hash = "7e42b668fd2ca96b05f39d5097943a191f1010f4"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $p1: repeated `0F B6 47 ?? / C1 E1 ?? / 0B C8` (movzx from [edi+disp8],
        // shl ecx, or ecx,eax) packs four bytes into a dword several times over —
        // looks like a byte-to-word loading step of a block cipher or hash;
        // TODO confirm against the sample.
        $p1 = {C1 8D 73 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 8D 04 45 [4] 89 83 [4] 0F B6 0F 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0B 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0E 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 4B ?? 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 8B 45 ?? 89 4D ?? 89 4B}
        // $p2/$p3: `8B 04 95 [4] 33 04 8D [4]` style runs (mov eax,[reg*4+table];
        // xor eax,[reg*4+table]) index 32-bit lookup tables by individual bytes
        // of a register and xor the results — the shape of a table-driven cipher
        // round; $p3 is the longer, fully unrolled form. Presumed, not verified.
        $p2 = {5D ?? 8B C3 C1 E8 ?? 0F B6 D0 8B C3 C1 E8 ?? 0F B6 C8 8B 04 95 [4] 33 04 8D [4] 8B CB C1 E9 ?? 33 04 8D [4] 0F B6 CB 5B 33 04 8D}
        $p3 = {8B 75 ?? 8B C6 C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 8B 55 ?? 33 0C 85 [4] 8B C2 C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 33 0F 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C6 C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 33 4F ?? 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C2 C1 E8 ?? 0F B6 C0 C1 EA ?? 8B 1C 8D [4] 8B 4D ?? 33 1C 85 [4] 8B C6 C1 E8 ?? 33 1C 85 [4] 0F B6 C1 C1 E9 ?? 0F B6 C9 33 1C 85 [4] 33 5F ?? 0F B6 C2 8B 14 8D [4] 33 14 85 [4] 8B 45 ?? C1 E8 ?? 33 14 85 [4] 8B C6 0F B6 C0 33 14 85 [4] 8B C3 33 57 ?? C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C3 C1 E8 ?? 8B 0C 8D [4] 0F B6 C0 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] C1 EA ?? 33 0C 85 [4] 8B C3 C1 E8 ?? 33 0C 85 [4] 89 4D ?? 8B 4D ?? 8B 75 ?? 0F B6 C1 C1 E9 ?? 0F B6 C9 33 34 85 [4] 8B C6 89 75 ?? 33 47 ?? 8B 0C 8D [4] 89 45 ?? 8B 45 ?? C1 E8 ?? 0F B6 C0 33 0C 85 [4] 33 0C 95 [4] 0F B6 C3 33 0C 85 [4] 33 4F ?? 83 C7 ?? 83 6D}
        
    condition:
        // uint16(0) reads the first two bytes little-endian; 0x5A4D is "MZ", so
        // only DOS/PE executables are considered. All three patterns must then
        // match — stricter than the autogenerated rule's "7 of them".
        uint16(0) == 0x5A4D and all of them
}