win.cuba

Cuba

aka: COLDDRAW

Ransomware.

References
2022-08-18 | Fortinet | Shunichi Imano, James Slaughter
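@online{imano:20220818:ransomware:a073b3f,
  author       = {Imano, Shunichi and Slaughter, James},
  title        = {Ransomware Roundup: {Gwisin}, {Kriptor}, {Cuba}, and More},
  date         = {2022-08-18},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more},
  language     = {English},
  urldate      = {2022-08-28},
}
Ransomware Roundup: Gwisin, Kriptor, Cuba, and More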
Cuba
2022-08-10 | Palo Alto Networks Unit 42 | Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
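@online{galiette:20220810:novel:9849ff4,
  author       = {Galiette, Anthony and Bunce, Daniel and Santos, Doel and Westfall, Shawn},
  title        = {Novel News on {Cuba} Ransomware: Greetings From {Tropical Scorpius}},
  date         = {2022-08-10},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/},
  language     = {English},
  urldate      = {2022-08-11},
}
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius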
Cuba, ROMCOM RAT
2022-06-08 | Trend Micro | Don Ovid Ladores
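@online{ladores:20220608:cuba:2b4a6df,
  author       = {Ladores, Don Ovid},
  title        = {{Cuba} Ransomware Group’s New Variant Found Using Optimized Infection Techniques},
  date         = {2022-06-08},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html},
  language     = {English},
  urldate      = {2022-06-09},
}
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques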
Cuba
2022-06-01 | Elastic | Salim Bitam
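@online{bitam:20220601:cuba:040c34a,
  author       = {Bitam, Salim},
  title        = {{CUBA} Ransomware Malware Analysis},
  date         = {2022-06-01},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis},
  language     = {English},
  urldate      = {2022-06-09},
}
CUBA Ransomware Malware Analysis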
Cuba
2022-06-01 | Elastic | Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
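@online{stepanic:20220601:cuba:333f7c1,
  author       = {Stepanic, Daniel and Ditch, Derek and Goodwin, Seth and Bitam, Salim and Pease, Andrew},
  title        = {{CUBA} Ransomware Campaign Analysis},
  date         = {2022-06-01},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis},
  language     = {English},
  urldate      = {2022-06-09},
}
CUBA Ransomware Campaign Analysis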
Cobalt Strike, Cuba, Meterpreter, MimiKatz, SystemBC
2022-02-26 | Aon | Eduardo Mattos, Rob Homewood
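@online{mattos:20220226:yours:2cd2d24,
  author       = {Mattos, Eduardo and Homewood, Rob},
  title        = {Yours Truly, Signed {AV} Driver: Weaponizing An Antivirus Driver},
  date         = {2022-02-26},
  organization = {Aon},
  url          = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/},
  language     = {English},
  urldate      = {2022-03-22},
}
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver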
Cuba, KillAV
2022-02-25 | IT-Connect (FR) | Florian Burnel
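@online{burnel:20220225:le:9689415,
  author       = {Burnel, Florian},
  title        = {Le ransomware {Cuba} s’en prend aux serveurs {Exchange}},
  date         = {2022-02-25},
  organization = {IT-Connect (FR)},
  url          = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/},
  language     = {French},
  urldate      = {2022-03-01},
}
Le ransomware Cuba s’en prend aux serveurs Exchange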
Cuba
2022-02-24 | Bleeping Computer | Bill Toulas
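@online{toulas:20220224:microsoft:4ade21b,
  author       = {Toulas, Bill},
  title        = {{Microsoft Exchange} servers hacked to deploy {Cuba} ransomware},
  date         = {2022-02-24},
  organization = {Bleeping Computer},
  url          = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/},
  language     = {English},
  urldate      = {2022-03-01},
}
Microsoft Exchange servers hacked to deploy Cuba ransomware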
Cuba
2022-02-23 | Mandiant | Tyler McLellan, Joshua Shilko, Shambavi Sadayappan
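@online{mclellan:20220223:exchange:9b09c31,
  author       = {McLellan, Tyler and Shilko, Joshua and Sadayappan, Shambavi},
  title        = {{(Ex)Change} of Pace: {UNC2596} Observed Leveraging Vulnerabilities to Deploy {Cuba} Ransomware},
  date         = {2022-02-23},
  organization = {Mandiant},
  url          = {https://www.mandiant.com/resources/unc2596-cuba-ransomware},
  language     = {English},
  urldate      = {2022-02-26},
}
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware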
Cuba
2022-02-08 | GuidePoint Security | Drew Schmitt
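@online{schmitt:20220208:using:0b08b47,
  author       = {Schmitt, Drew},
  title        = {Using Hindsight to Close a {Cuba} Cold Case},
  date         = {2022-02-08},
  organization = {GuidePoint Security},
  url          = {https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/},
  language     = {English},
  urldate      = {2022-03-28},
}
Using Hindsight to Close a Cuba Cold Case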
Cuba
2021-12-14 | Lab52 | Th3spis
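@online{th3spis:20211214:cuba:db59204,
  author       = {Th3spis},
  title        = {{Cuba} Ransomware Analysis},
  date         = {2021-12-14},
  organization = {Lab52},
  url          = {https://lab52.io/blog/cuba-ransomware-analysis/},
  language     = {English},
  urldate      = {2022-01-18},
}
Cuba Ransomware Analysis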
Cuba
2021-12-02 | FBI | FBI
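@techreport{fbi:20211202:cu000156mw:b256f8b,
  author      = {{FBI}},
  title       = {{CU-000156-MW}: Indicators of Compromise Associated with {Cuba} Ransomware},
  date        = {2021-12-02},
  institution = {FBI},
  url         = {https://www.ic3.gov/Media/News/2021/211203-2.pdf},
  language    = {English},
  urldate     = {2021-12-07},
}
CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware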
Cuba
2021-05-10 | DarkTracer | DarkTracer
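@online{darktracer:20210510:intelligence:b9d1c3f,
  author       = {{DarkTracer}},
  title        = {Intelligence Report on Ransomware Gangs on the {DarkWeb}: List of victim organizations attacked by ransomware gangs released on the {DarkWeb}},
  date         = {2021-05-10},
  organization = {DarkTracer},
  url          = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3},
  language     = {English},
  urldate      = {2021-05-13},
}
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb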
RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, RansomEXX, REvil, Sekhmet, SunCrypt, ThunderX
2021-05-07 | Group-IB | Oleg Skulkin, Semyon Rogachev
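@online{skulkin:20210507:connecting:49c0b13,
  author       = {Skulkin, Oleg and Rogachev, Semyon},
  title        = {Connecting the Bots {Hancitor} fuels {Cuba} Ransomware Operations},
  date         = {2021-05-07},
  organization = {Group-IB},
  url          = {https://blog.group-ib.com/hancitor-cuba-ransomware},
  language     = {English},
  urldate      = {2021-05-08},
}
Connecting the Bots Hancitor fuels Cuba Ransomware Operations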
Cuba, Hancitor
2021-05-05 | Profero | Profero, SecurityJoes
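@techreport{profero:20210505:cuba:bc183e8,
  author      = {{Profero} and {SecurityJoes}},
  title       = {{Cuba} Ransomware Group on a Roll},
  date        = {2021-05-05},
  institution = {Profero},
  url         = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf},
  language    = {English},
  urldate     = {2021-05-07},
}
Cuba Ransomware Group on a Roll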
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
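@techreport{roccia:20210406:technical:3adb4cc,
  author      = {Roccia, Thomas and Seret, Thibault and Mundo, Alexandre},
  title       = {Technical Analysis of {Cuba} Ransomware},
  date        = {2021-04-06},
  institution = {McAfee},
  url         = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf},
  language    = {English},
  urldate     = {2021-04-09},
}
Technical Analysis of Cuba Ransomware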
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
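@online{roccia:20210406:mcafee:1ad60c9,
  author       = {Roccia, Thomas and Seret, Thibault and Mundo, Alexandre},
  title        = {{McAfee} {ATR} Threat Report: A Quick Primer on {Cuba} Ransomware},
  date         = {2021-04-06},
  organization = {McAfee},
  url          = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware},
  language     = {English},
  urldate      = {2021-05-13},
}
McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware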
Cuba
2019-12-31 | Andrew Ivanov
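@online{ivanov:20191231:cuba:53a177c,
  author   = {Ivanov, Andrew},
  title    = {{Cuba} Ransomware},
  date     = {2019-12-31},
  url      = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html},
  language = {Russian},
  urldate  = {2020-06-11},
}
Cuba Ransomware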
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20221125 | Detects win.cuba.)
rule win_cuba_auto {
    /* Auto-generated detection rule for the win.cuba (Cuba, aka COLDDRAW)
     * ransomware family. Ten 7-instruction 32-bit x86 code sequences were
     * extracted by yara-signator; a file matches when any 7 of the 10
     * sequences are present and the file is smaller than 1094656 bytes.
     * Per the DISCLAIMER below the sequences come from memory dumps and
     * unpacked files, so a packed on-disk sample is not expected to match:
     * apply the rule to unpacked samples or process memory.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* Each $sequence_N is a run of 7 consecutive instructions. The "??"
         * bytes wildcard the 32-bit operand of an instruction (an absolute
         * address or immediate that differs between builds); the disassembly
         * column is left blank for those. Several sequences look like generic
         * compiler prologue/epilogue code and carry little weight alone, which
         * is why the condition asks for 7 of them rather than 1.
         */

        // Function prologue: reads fs:[0] (likely the SEH chain head), reserves
        // 0x104 bytes of stack, then xor eax, ebp (looks like stack-cookie setup).
        $sequence_0 = { 68???????? 64a100000000 50 53 81ec04010000 a1???????? 33c5 }
            // n = 7, score = 100
            //   68????????           |                     
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   81ec04010000         | sub                 esp, 0x104
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp

        // Stores a result, returns 0, then pushes 0x1b ahead of a wildcarded push.
        $sequence_1 = { 8907 33c0 5f 5d c3 6a1b 68???????? }
            // n = 7, score = 100
            //   8907                 | mov                 dword ptr [edi], eax
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a1b                 | push                0x1b
            //   68????????           |                     

        // Block of register<->local-variable moves; low specificity on its own.
        $sequence_2 = { 8b7dd4 894588 8b45c4 895db0 897d94 89458c 897590 }
            // n = 7, score = 100
            //   8b7dd4               | mov                 edi, dword ptr [ebp - 0x2c]
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   895db0               | mov                 dword ptr [ebp - 0x50], ebx
            //   897d94               | mov                 dword ptr [ebp - 0x6c], edi
            //   89458c               | mov                 dword ptr [ebp - 0x74], eax
            //   897590               | mov                 dword ptr [ebp - 0x70], esi

        // Zeroes two locals and compares a stack argument ([ebp + 0x18]) before
        // a long forward jle (loop entry / early-out check).
        $sequence_3 = { 8945ec 33c9 33c0 894dfc 8945d8 394518 0f8ec5040000 }
            // n = 7, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   394518               | cmp                 dword ptr [ebp + 0x18], eax
            //   0f8ec5040000         | jle                 0x4cb

        // rep movsd block copy (edi adjusted by a wildcarded constant) followed
        // by a plain function epilogue.
        $sequence_4 = { 81c7???????? f3a5 5f 5e 5b 5d c3 }
            // n = 7, score = 100
            //   81c7????????         |                     
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        // Epilogue of one function immediately followed by the start of the next.
        $sequence_5 = { 5b 8be5 5d c3 57 8d45f0 56 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   57                   | push                edi
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   56                   | push                esi

        // Indirect (import-table style, ff15) call with a wildcarded target,
        // result check, then call through edi and store of its return value.
        $sequence_6 = { ff15???????? 85c0 751e ffd7 894304 32c0 5f }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751e                 | jne                 0x20
            //   ffd7                 | call                edi
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   32c0                 | xor                 al, al
            //   5f                   | pop                 edi

        // Pushes &[ebp + 0x10], indirect call, caller stack cleanup (add esp, 4)
        // and result check.
        $sequence_7 = { 7d47 8d4510 50 ff15???????? 83c404 85c0 754a }
            // n = 7, score = 100
            //   7d47                 | jge                 0x49
            //   8d4510               | lea                 eax, [ebp + 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   754a                 | jne                 0x4c

        // Loop body xoring values behind esi; cmp edi against a wildcarded
        // constant and a backward jne (negative displacement) close the loop.
        $sequence_8 = { 8956f8 8b46dc 33c2 8946fc 81ff???????? 7595 8b450c }
            // n = 7, score = 100
            //   8956f8               | mov                 dword ptr [esi - 8], edx
            //   8b46dc               | mov                 eax, dword ptr [esi - 0x24]
            //   33c2                 | xor                 eax, edx
            //   8946fc               | mov                 dword ptr [esi - 4], eax
            //   81ff????????         |                     
            //   7595                 | jne                 0xffffff97
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        // Rotate/xor/add arithmetic (ror 22, ror 6) on large stack buffers;
        // looks like part of a hash or cipher round function — unverified.
        $sequence_9 = { c1ca16 8bc3 c1c806 33c8 8b85d4feffff 3385e4feffff 034ddc }
            // n = 7, score = 100
            //   c1ca16               | ror                 edx, 0x16
            //   8bc3                 | mov                 eax, ebx
            //   c1c806               | ror                 eax, 6
            //   33c8                 | xor                 ecx, eax
            //   8b85d4feffff         | mov                 eax, dword ptr [ebp - 0x12c]
            //   3385e4feffff         | xor                 eax, dword ptr [ebp - 0x11c]
            //   034ddc               | add                 ecx, dword ptr [ebp - 0x24]

    condition:
        // Any 7 of the 10 sequences must be present. 1094656 bytes (= 1069 KiB)
        // is presumably derived from the analysed samples' size by the generator;
        // confirm against current samples before loosening it.
        7 of them and filesize < 1094656
}