SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cuba (Back to overview)

Cuba

aka: COLDDRAW

Ransomware.

References
2022-12-01CISACISA
@techreport{cisa:20221201:stopransomware:de73b79, author = {CISA}, title = {{#StopRansomware: Cuba Ransomware}}, date = {2022-12-01}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf}, language = {English}, urldate = {2022-12-02} } #StopRansomware: Cuba Ransomware
Cuba
2022-08-18FortinetShunichi Imano, James Slaughter
@online{imano:20220818:ransomware:a073b3f, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Gwisin, Kriptor, Cuba, and More}}, date = {2022-08-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more}, language = {English}, urldate = {2022-08-28} } Ransomware Roundup: Gwisin, Kriptor, Cuba, and More
Cuba
2022-08-10Palo Alto Networks Unit 42Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
@online{galiette:20220810:novel:9849ff4, author = {Anthony Galiette and Daniel Bunce and Doel Santos and Shawn Westfall}, title = {{Novel News on Cuba Ransomware: Greetings From Tropical Scorpius}}, date = {2022-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/}, language = {English}, urldate = {2022-08-11} } Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
2022-06-08Trend MicroDon Ovid Ladores
@online{ladores:20220608:cuba:2b4a6df, author = {Don Ovid Ladores}, title = {{Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques}}, date = {2022-06-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html}, language = {English}, urldate = {2022-06-09} } Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01ElasticSalim Bitam
@online{bitam:20220601:cuba:040c34a, author = {Salim Bitam}, title = {{CUBA Ransomware Malware Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Malware Analysis
Cuba
2022-06-01ElasticDaniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-02-26AonEduardo Mattos, Rob Homewood
@online{mattos:20220226:yours:2cd2d24, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-22} } Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-25IT-Connect (FR)Florian Burnel
@online{burnel:20220225:le:9689415, author = {Florian Burnel}, title = {{Le ransomware Cuba s’en prend aux serveurs Exchange}}, date = {2022-02-25}, organization = {IT-Connect (FR)}, url = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/}, language = {French}, urldate = {2022-03-01} } Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24Bleeping ComputerBill Toulas
@online{toulas:20220224:microsoft:4ade21b, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Cuba ransomware}}, date = {2022-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/}, language = {English}, urldate = {2022-03-01} } Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23MandiantTyler McLellan, Joshua Shilko, Shambavi Sadayappan
@online{mclellan:20220223:exchange:9b09c31, author = {Tyler McLellan and Joshua Shilko and Shambavi Sadayappan}, title = {{(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware}}, date = {2022-02-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2596-cuba-ransomware}, language = {English}, urldate = {2022-02-26} } (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba
2022-02-08GuidePoint SecurityDrew Schmitt
@online{schmitt:20220208:using:0b08b47, author = {Drew Schmitt}, title = {{Using Hindsight to Close a Cuba Cold Case}}, date = {2022-02-08}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/}, language = {English}, urldate = {2022-03-28} } Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14Lab52Th3spis
@online{th3spis:20211214:cuba:db59204, author = {Th3spis}, title = {{Cuba Ransomware Analysis}}, date = {2021-12-14}, organization = {Lab52}, url = {https://lab52.io/blog/cuba-ransomware-analysis/}, language = {English}, urldate = {2022-01-18} } Cuba Ransomware Analysis
Cuba
2021-12-02FBIFBI
@techreport{fbi:20211202:cu000156mw:b256f8b, author = {FBI}, title = {{CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware}}, date = {2021-12-02}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211203-2.pdf}, language = {English}, urldate = {2021-12-07} } CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
@online{skulkin:20210507:connecting:49c0b13, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}}, date = {2021-05-07}, organization = {Group-IB}, url = {https://blog.group-ib.com/hancitor-cuba-ransomware}, language = {English}, urldate = {2021-05-08} } Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05ProferoProfero, SecurityJoes
@techreport{profero:20210505:cuba:bc183e8, author = {Profero and SecurityJoes}, title = {{Cuba Ransomware Group on a Roll}}, date = {2021-05-05}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf}, language = {English}, urldate = {2021-05-07} } Cuba Ransomware Group on a Roll
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@online{roccia:20210406:mcafee:1ad60c9, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}}, date = {2021-04-06}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware}, language = {English}, urldate = {2021-05-13} } McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@techreport{roccia:20210406:technical:3adb4cc, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{Technical Analysis of Cuba Ransomware}}, date = {2021-04-06}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf}, language = {English}, urldate = {2021-04-09} } Technical Analysis of Cuba Ransomware
Cuba
2019-12-31Andrew Ivanov
@online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20230125 | Detects win.cuba.)
rule win_cuba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d850cf0ffff 50 8d47f0 50 e8???????? 8bf0 83c40c }
            // n = 7, score = 100
            //   8d850cf0ffff         | lea                 eax, [ebp - 0xff4]
            //   50                   | push                eax
            //   8d47f0               | lea                 eax, [edi - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { c1c109 33c1 8945e8 8d0c03 c1c10d 314d0c 8b4d0c }
            // n = 7, score = 100
            //   c1c109               | rol                 ecx, 9
            //   33c1                 | xor                 eax, ecx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8d0c03               | lea                 ecx, [ebx + eax]
            //   c1c10d               | rol                 ecx, 0xd
            //   314d0c               | xor                 dword ptr [ebp + 0xc], ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_2 = { c1e803 03c8 8d341b 894df0 8d41fe 3bf0 }
            // n = 6, score = 100
            //   c1e803               | shr                 eax, 3
            //   03c8                 | add                 ecx, eax
            //   8d341b               | lea                 esi, [ebx + ebx]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8d41fe               | lea                 eax, [ecx - 2]
            //   3bf0                 | cmp                 esi, eax

        $sequence_3 = { ff15???????? 8bf0 83c410 85f6 0f85a5010000 8b45e0 ff7004 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83c410               | add                 esp, 0x10
            //   85f6                 | test                esi, esi
            //   0f85a5010000         | jne                 0x1ab
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   ff7004               | push                dword ptr [eax + 4]

        $sequence_4 = { 83c40c 5e 5d c3 ff7510 56 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   56                   | push                esi

        $sequence_5 = { 33c8 8b85e4feffff 3385f4feffff 038d28ffffff 23c7 3385f4feffff 03c1 }
            // n = 7, score = 100
            //   33c8                 | xor                 ecx, eax
            //   8b85e4feffff         | mov                 eax, dword ptr [ebp - 0x11c]
            //   3385f4feffff         | xor                 eax, dword ptr [ebp - 0x10c]
            //   038d28ffffff         | add                 ecx, dword ptr [ebp - 0xd8]
            //   23c7                 | and                 eax, edi
            //   3385f4feffff         | xor                 eax, dword ptr [ebp - 0x10c]
            //   03c1                 | add                 eax, ecx

        $sequence_6 = { ff15???????? 85c0 751e ffd7 894304 32c0 5f }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 0x20
            //   ffd7                 | call                edi
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   32c0                 | xor                 al, al
            //   5f                   | pop                 edi

        $sequence_7 = { c1e810 0fb6c0 8b0c8538524500 8b45f8 81e10000ff00 c1e808 }
            // n = 6, score = 100
            //   c1e810               | shr                 eax, 0x10
            //   0fb6c0               | movzx               eax, al
            //   8b0c8538524500       | mov                 ecx, dword ptr [eax*4 + 0x455238]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   81e10000ff00         | and                 ecx, 0xff0000
            //   c1e808               | shr                 eax, 8

        $sequence_8 = { 8be5 5d c3 57 8d45f0 56 }
            // n = 6, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   57                   | push                edi
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   56                   | push                esi

        $sequence_9 = { 8bb5ecfeffff 8bc7 8bbde8feffff c1c806 33c8 8bc7 038d68ffffff }
            // n = 7, score = 100
            //   8bb5ecfeffff         | mov                 esi, dword ptr [ebp - 0x114]
            //   8bc7                 | mov                 eax, edi
            //   8bbde8feffff         | mov                 edi, dword ptr [ebp - 0x118]
            //   c1c806               | ror                 eax, 6
            //   33c8                 | xor                 ecx, eax
            //   8bc7                 | mov                 eax, edi
            //   038d68ffffff         | add                 ecx, dword ptr [ebp - 0x98]

    condition:
        7 of them and filesize < 1094656
}
[TLP:WHITE] win_cuba_w0   (20230118 | Detect_cuba_ransomware)
rule win_cuba_w0 {
    meta:
	    description = "Detect_cuba_ransomware"
	    author = "@malgamy12"
	    date = "24/11/2022"
	    license = "DRL 1.1"
        hash = "c2aad237b3f4c5a55df88ef26c25899fc4ec8170"
        hash = "4b41a1508f0f519396b7c14df161954f1c819e86"
        hash = "d5fe48b914c83711fe5313a4aaf1e8d80533543d"
        hash = "159b566e62dcec608a3991100d6edbca781d48c0"
        hash = "e1cae0d2a320a2756ae1ee5d37bfe803b39853fa"
        hash = "6f1d355b95546f0a5a09f7fd0b85fc9658e87813"
        hash = "25da0849207beb5695c8d9826b585b8cda435eba"
        hash = "3997d19f38ce14b7643c1ad8d6a737990b444215"
        hash = "f008e568c313b6f41406658a77313f89df07017e"
        hash = "7e42b668fd2ca96b05f39d5097943a191f1010f4"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $p1 = {C1 8D 73 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 8D 04 45 [4] 89 83 [4] 0F B6 0F 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0B 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0E 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 4B ?? 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 8B 45 ?? 89 4D ?? 89 4B}
        $p2 = {5D ?? 8B C3 C1 E8 ?? 0F B6 D0 8B C3 C1 E8 ?? 0F B6 C8 8B 04 95 [4] 33 04 8D [4] 8B CB C1 E9 ?? 33 04 8D [4] 0F B6 CB 5B 33 04 8D}
        $p3 = {8B 75 ?? 8B C6 C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 8B 55 ?? 33 0C 85 [4] 8B C2 C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 33 0F 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C6 C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 33 4F ?? 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C2 C1 E8 ?? 0F B6 C0 C1 EA ?? 8B 1C 8D [4] 8B 4D ?? 33 1C 85 [4] 8B C6 C1 E8 ?? 33 1C 85 [4] 0F B6 C1 C1 E9 ?? 0F B6 C9 33 1C 85 [4] 33 5F ?? 0F B6 C2 8B 14 8D [4] 33 14 85 [4] 8B 45 ?? C1 E8 ?? 33 14 85 [4] 8B C6 0F B6 C0 33 14 85 [4] 8B C3 33 57 ?? C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C3 C1 E8 ?? 8B 0C 8D [4] 0F B6 C0 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] C1 EA ?? 33 0C 85 [4] 8B C3 C1 E8 ?? 33 0C 85 [4] 89 4D ?? 8B 4D ?? 8B 75 ?? 0F B6 C1 C1 E9 ?? 0F B6 C9 33 34 85 [4] 8B C6 89 75 ?? 33 47 ?? 8B 0C 8D [4] 89 45 ?? 8B 45 ?? C1 E8 ?? 0F B6 C0 33 0C 85 [4] 33 0C 95 [4] 0F B6 C3 33 0C 85 [4] 33 4F ?? 83 C7 ?? 83 6D}
        
    condition:
        uint16(0) == 0x5A4D and all of them
}
Download all Yara Rules