SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cuba (Back to overview)

Cuba

aka: COLDDRAW

Ransomware.

References
2023-09-11KasperskyAlexander Kirichenko, Gleb Ivanov
@online{kirichenko:20230911:from:7fe2d83, author = {Alexander Kirichenko and Gleb Ivanov}, title = {{From Caribbean shores to your devices: analyzing Cuba ransomware}}, date = {2023-09-11}, organization = {Kaspersky}, url = {https://securelist.com/cuba-ransomware/110533/}, language = {English}, urldate = {2023-09-13} } From Caribbean shores to your devices: analyzing Cuba ransomware
Cuba
2023-03-30United States District Court (Eastern District of New York)Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-12-01CISACISA
@techreport{cisa:20221201:stopransomware:de73b79, author = {CISA}, title = {{#StopRansomware: Cuba Ransomware}}, date = {2022-12-01}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf}, language = {English}, urldate = {2022-12-02} } #StopRansomware: Cuba Ransomware
Cuba
2022-08-18FortinetShunichi Imano, James Slaughter
@online{imano:20220818:ransomware:a073b3f, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Gwisin, Kriptor, Cuba, and More}}, date = {2022-08-18}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more}, language = {English}, urldate = {2022-08-28} } Ransomware Roundup: Gwisin, Kriptor, Cuba, and More
Cuba
2022-08-10Palo Alto Networks Unit 42Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
@online{galiette:20220810:novel:9849ff4, author = {Anthony Galiette and Daniel Bunce and Doel Santos and Shawn Westfall}, title = {{Novel News on Cuba Ransomware: Greetings From Tropical Scorpius}}, date = {2022-08-10}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/}, language = {English}, urldate = {2022-08-11} } Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
2022-06-08Trend MicroDon Ovid Ladores
@online{ladores:20220608:cuba:2b4a6df, author = {Don Ovid Ladores}, title = {{Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques}}, date = {2022-06-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html}, language = {English}, urldate = {2022-06-09} } Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01ElasticSalim Bitam
@online{bitam:20220601:cuba:040c34a, author = {Salim Bitam}, title = {{CUBA Ransomware Malware Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Malware Analysis
Cuba
2022-06-01ElasticDaniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-02-26AonEduardo Mattos, Rob Homewood
@online{mattos:20220226:yours:2cd2d24, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-22} } Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-25IT-Connect (FR)Florian Burnel
@online{burnel:20220225:le:9689415, author = {Florian Burnel}, title = {{Le ransomware Cuba s’en prend aux serveurs Exchange}}, date = {2022-02-25}, organization = {IT-Connect (FR)}, url = {https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/}, language = {French}, urldate = {2022-03-01} } Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24Bleeping ComputerBill Toulas
@online{toulas:20220224:microsoft:4ade21b, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Cuba ransomware}}, date = {2022-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/}, language = {English}, urldate = {2022-03-01} } Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23MandiantTyler McLellan, Joshua Shilko, Shambavi Sadayappan
@online{mclellan:20220223:exchange:9b09c31, author = {Tyler McLellan and Joshua Shilko and Shambavi Sadayappan}, title = {{(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware}}, date = {2022-02-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2596-cuba-ransomware}, language = {English}, urldate = {2023-09-13} } (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba KillAV
2022-02-08GuidePoint SecurityDrew Schmitt
@online{schmitt:20220208:using:0b08b47, author = {Drew Schmitt}, title = {{Using Hindsight to Close a Cuba Cold Case}}, date = {2022-02-08}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/}, language = {English}, urldate = {2022-03-28} } Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14Lab52Th3spis
@online{th3spis:20211214:cuba:db59204, author = {Th3spis}, title = {{Cuba Ransomware Analysis}}, date = {2021-12-14}, organization = {Lab52}, url = {https://lab52.io/blog/cuba-ransomware-analysis/}, language = {English}, urldate = {2022-01-18} } Cuba Ransomware Analysis
Cuba
2021-12-02FBIFBI
@techreport{fbi:20211202:cu000156mw:b256f8b, author = {FBI}, title = {{CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware}}, date = {2021-12-02}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211203-2.pdf}, language = {English}, urldate = {2021-12-07} } CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
@online{skulkin:20210507:connecting:49c0b13, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}}, date = {2021-05-07}, organization = {Group-IB}, url = {https://blog.group-ib.com/hancitor-cuba-ransomware}, language = {English}, urldate = {2021-05-08} } Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05ProferoProfero, SecurityJoes
@techreport{profero:20210505:cuba:bc183e8, author = {Profero and SecurityJoes}, title = {{Cuba Ransomware Group on a Roll}}, date = {2021-05-05}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf}, language = {English}, urldate = {2021-05-07} } Cuba Ransomware Group on a Roll
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@online{roccia:20210406:mcafee:1ad60c9, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}}, date = {2021-04-06}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware}, language = {English}, urldate = {2021-05-13} } McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@techreport{roccia:20210406:technical:3adb4cc, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{Technical Analysis of Cuba Ransomware}}, date = {2021-04-06}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf}, language = {English}, urldate = {2021-04-09} } Technical Analysis of Cuba Ransomware
Cuba
2019-12-31Andrew Ivanov
@online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20230715 | Detects win.cuba.)
rule win_cuba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0019 43 41 00444341 }
            // n = 4, score = 100
            //   0019                 | add                 byte ptr [ecx], bl
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00444341             | add                 byte ptr [ebx + eax*2 + 0x41], al

        $sequence_1 = { 8b85e0feffff 03b40514ffffff 03b0f8b14100 03b5e4feffff }
            // n = 4, score = 100
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   03b40514ffffff       | add                 esi, dword ptr [ebp + eax - 0xec]
            //   03b0f8b14100         | add                 esi, dword ptr [eax + 0x41b1f8]
            //   03b5e4feffff         | add                 esi, dword ptr [ebp - 0x11c]

        $sequence_2 = { 3d0000800c 7704 6a40 eb14 83f902 7f0d }
            // n = 6, score = 100
            //   3d0000800c           | cmp                 eax, 0xc800000
            //   7704                 | ja                  6
            //   6a40                 | push                0x40
            //   eb14                 | jmp                 0x16
            //   83f902               | cmp                 ecx, 2
            //   7f0d                 | jg                  0xf

        $sequence_3 = { 8985c4fbffff 85c0 745e 8bc8 e8???????? ffb5c4fbffff 8bd8 }
            // n = 7, score = 100
            //   8985c4fbffff         | mov                 dword ptr [ebp - 0x43c], eax
            //   85c0                 | test                eax, eax
            //   745e                 | je                  0x60
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ffb5c4fbffff         | push                dword ptr [ebp - 0x43c]
            //   8bd8                 | mov                 ebx, eax

        $sequence_4 = { 0026 45 41 003a }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   003a                 | add                 byte ptr [edx], bh

        $sequence_5 = { 7412 ff75e8 8b35???????? ffd6 ff75ec ffd6 }
            // n = 6, score = 100
            //   7412                 | je                  0x14
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   8b35????????         |                     
            //   ffd6                 | call                esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ffd6                 | call                esi

        $sequence_6 = { 0012 45 41 0026 }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   0026                 | add                 byte ptr [esi], ah

        $sequence_7 = { 742b 8d45f8 50 6a01 6a02 6a00 688b010000 }
            // n = 7, score = 100
            //   742b                 | je                  0x2d
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   688b010000           | push                0x18b

        $sequence_8 = { 6a10 ff15???????? 33d2 85c0 7e0c }
            // n = 5, score = 100
            //   6a10                 | push                0x10
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   85c0                 | test                eax, eax
            //   7e0c                 | jle                 0xe

        $sequence_9 = { 0026 43 41 00b043410062 }
            // n = 4, score = 100
            //   0026                 | add                 byte ptr [esi], ah
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00b043410062         | add                 byte ptr [eax + 0x62004143], dh

        $sequence_10 = { 33c9 8bc1 3914c5e89b4100 7408 40 83f81d 7cf1 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   3914c5e89b4100       | cmp                 dword ptr [eax*8 + 0x419be8], edx
            //   7408                 | je                  0xa
            //   40                   | inc                 eax
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3

        $sequence_11 = { ff15???????? eb16 39bdc8f9ffff 7414 8d85c0f9ffff }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   eb16                 | jmp                 0x18
            //   39bdc8f9ffff         | cmp                 dword ptr [ebp - 0x638], edi
            //   7414                 | je                  0x16
            //   8d85c0f9ffff         | lea                 eax, [ebp - 0x640]

        $sequence_12 = { 000446 41 00d1 45 }
            // n = 4, score = 100
            //   000446               | add                 byte ptr [esi + eax*2], al
            //   41                   | inc                 ecx
            //   00d1                 | add                 cl, dl
            //   45                   | inc                 ebp

        $sequence_13 = { 003a 45 41 004245 }
            // n = 4, score = 100
            //   003a                 | add                 byte ptr [edx], bh
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   004245               | add                 byte ptr [edx + 0x45], al

        $sequence_14 = { 000c43 41 0035???????? 43 }
            // n = 4, score = 100
            //   000c43               | add                 byte ptr [ebx + eax*2], cl
            //   41                   | inc                 ecx
            //   0035????????         |                     
            //   43                   | inc                 ebx

        $sequence_15 = { 000d???????? 384100 b538 41 }
            // n = 4, score = 100
            //   000d????????         |                     
            //   384100               | cmp                 byte ptr [ecx], al
            //   b538                 | mov                 ch, 0x38
            //   41                   | inc                 ecx

    condition:
        7 of them and filesize < 1094656
}
[TLP:WHITE] win_cuba_w0   (20230118 | Detect_cuba_ransomware)
rule win_cuba_w0 {
    meta:
	    description = "Detect_cuba_ransomware"
	    author = "@malgamy12"
	    date = "24/11/2022"
	    license = "DRL 1.1"
        hash = "c2aad237b3f4c5a55df88ef26c25899fc4ec8170"
        hash = "4b41a1508f0f519396b7c14df161954f1c819e86"
        hash = "d5fe48b914c83711fe5313a4aaf1e8d80533543d"
        hash = "159b566e62dcec608a3991100d6edbca781d48c0"
        hash = "e1cae0d2a320a2756ae1ee5d37bfe803b39853fa"
        hash = "6f1d355b95546f0a5a09f7fd0b85fc9658e87813"
        hash = "25da0849207beb5695c8d9826b585b8cda435eba"
        hash = "3997d19f38ce14b7643c1ad8d6a737990b444215"
        hash = "f008e568c313b6f41406658a77313f89df07017e"
        hash = "7e42b668fd2ca96b05f39d5097943a191f1010f4"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $p1 = {C1 8D 73 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 8D 04 45 [4] 89 83 [4] 0F B6 0F 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0B 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0E 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 4B ?? 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 8B 45 ?? 89 4D ?? 89 4B}
        $p2 = {5D ?? 8B C3 C1 E8 ?? 0F B6 D0 8B C3 C1 E8 ?? 0F B6 C8 8B 04 95 [4] 33 04 8D [4] 8B CB C1 E9 ?? 33 04 8D [4] 0F B6 CB 5B 33 04 8D}
        $p3 = {8B 75 ?? 8B C6 C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 8B 55 ?? 33 0C 85 [4] 8B C2 C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 33 0F 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C6 C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 33 4F ?? 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C2 C1 E8 ?? 0F B6 C0 C1 EA ?? 8B 1C 8D [4] 8B 4D ?? 33 1C 85 [4] 8B C6 C1 E8 ?? 33 1C 85 [4] 0F B6 C1 C1 E9 ?? 0F B6 C9 33 1C 85 [4] 33 5F ?? 0F B6 C2 8B 14 8D [4] 33 14 85 [4] 8B 45 ?? C1 E8 ?? 33 14 85 [4] 8B C6 0F B6 C0 33 14 85 [4] 8B C3 33 57 ?? C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C3 C1 E8 ?? 8B 0C 8D [4] 0F B6 C0 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] C1 EA ?? 33 0C 85 [4] 8B C3 C1 E8 ?? 33 0C 85 [4] 89 4D ?? 8B 4D ?? 8B 75 ?? 0F B6 C1 C1 E9 ?? 0F B6 C9 33 34 85 [4] 8B C6 89 75 ?? 33 47 ?? 8B 0C 8D [4] 89 45 ?? 8B 45 ?? C1 E8 ?? 0F B6 C0 33 0C 85 [4] 33 0C 95 [4] 0F B6 C3 33 0C 85 [4] 33 4F ?? 83 C7 ?? 83 6D}
        
    condition:
        uint16(0) == 0x5A4D and all of them
}
Download all Yara Rules