win.cuba

Cuba


Ransomware family. The references below cover its delivery via the Hancitor botnet (Group-IB) and technical analyses of the encryptor itself (McAfee, Profero/SecurityJoes).

References
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
@online{skulkin:20210507:connecting:49c0b13, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}}, date = {2021-05-07}, organization = {Group-IB}, url = {https://blog.group-ib.com/hancitor-cuba-ransomware}, language = {English}, urldate = {2021-05-08} } Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05ProferoProfero, SecurityJoes
@techreport{profero:20210505:cuba:bc183e8, author = {Profero and SecurityJoes}, title = {{Cuba Ransomware Group on a Roll}}, date = {2021-05-05}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf}, language = {English}, urldate = {2021-05-07} } Cuba Ransomware Group on a Roll
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@online{roccia:20210406:mcafee:1ad60c9, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}}, date = {2021-04-06}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware}, language = {English}, urldate = {2021-05-13} } McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06McAfeeThomas Roccia, Thibault Seret, Alexandre Mundo
@techreport{roccia:20210406:technical:3adb4cc, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{Technical Analysis of Cuba Ransomware}}, date = {2021-04-06}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf}, language = {English}, urldate = {2021-04-09} } Technical Analysis of Cuba Ransomware
Cuba
2019-12-31Andrew Ivanov
@online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20210616 | Detects win.cuba.)
/*
 * Auto-generated code-sequence signature for win.cuba (Cuba ransomware).
 *
 * How it matches: ten 7-instruction x86 opcode sequences ($sequence_0..9)
 * were picked by YARA-Signator from disassembly of unpacked / memory-dumped
 * samples; the rule fires when at least 7 of the 10 are present and the
 * scanned file is smaller than 1094656 bytes (~1.04 MiB).
 *
 * Operational caveats for anyone deploying this:
 *  - The byte patterns come from unpacked code, so the rule is expected to
 *    perform best on unpacked binaries or memory dumps; a packed sample on
 *    disk will presumably not expose these sequences.
 *  - NOTE(review): YARA's `filesize` is undefined when scanning process
 *    memory, which would make the `filesize < ...` clause fail in that mode
 *    — confirm against the YARA version you run before relying on memory scans.
 *  - The generator only had single samples per family (see DISCLAIMER);
 *    expect weaker generalization to other builds than a hand-written rule.
 */
rule win_cuba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 consecutive instruction encodings
        // (n = 7). "score = 100" is the generator's per-sequence ranking, not
        // a YARA weight. `e8 ????????` entries are call instructions whose
        // 32-bit relative target is wildcarded, presumably because it varies
        // between builds / load addresses.
        $sequence_0 = { 8b4c2414 8d145502000000 8bc1 81fa00100000 7210 8b49fc 83c223 }
            // n = 7, score = 100
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8d145502000000       | lea                 edx, dword ptr [edx*2 + 2]
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7210                 | jb                  0x12
            //   8b49fc               | mov                 ecx, dword ptr [ecx - 4]
            //   83c223               | add                 edx, 0x23

        $sequence_1 = { 50 e8???????? eb1e 85c9 7f0d 7c07 3d00008000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb1e                 | jmp                 0x20
            //   85c9                 | test                ecx, ecx
            //   7f0d                 | jg                  0xf
            //   7c07                 | jl                  9
            //   3d00008000           | cmp                 eax, 0x800000

        $sequence_2 = { e8???????? 8bf0 83c40c 85f6 0f85fb010000 8d45bc 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f85fb010000         | jne                 0x201
            //   8d45bc               | lea                 eax, dword ptr [ebp - 0x44]
            //   50                   | push                eax

        $sequence_3 = { 8bf0 83c40c 89b5f8efffff 85f6 0f85ec030000 8d85b0efffff 50 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   89b5f8efffff         | mov                 dword ptr [ebp - 0x1008], esi
            //   85f6                 | test                esi, esi
            //   0f85ec030000         | jne                 0x3f2
            //   8d85b0efffff         | lea                 eax, dword ptr [ebp - 0x1050]
            //   50                   | push                eax

        $sequence_4 = { c1ee1f 03f2 57 7829 8b7d08 3b37 7d22 }
            // n = 7, score = 100
            //   c1ee1f               | shr                 esi, 0x1f
            //   03f2                 | add                 esi, edx
            //   57                   | push                edi
            //   7829                 | js                  0x2b
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   3b37                 | cmp                 esi, dword ptr [edi]
            //   7d22                 | jge                 0x24

        $sequence_5 = { 8d45b0 50 8d45f0 50 e8???????? 8bf0 83c408 }
            // n = 7, score = 100
            //   8d45b0               | lea                 eax, dword ptr [ebp - 0x50]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c408               | add                 esp, 8

        $sequence_6 = { 8b0e 83782408 8d5810 7203 8b5810 8b7610 8b7820 }
            // n = 7, score = 100
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   83782408             | cmp                 dword ptr [eax + 0x24], 8
            //   8d5810               | lea                 ebx, dword ptr [eax + 0x10]
            //   7203                 | jb                  5
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   8b7610               | mov                 esi, dword ptr [esi + 0x10]
            //   8b7820               | mov                 edi, dword ptr [eax + 0x20]

        // NOTE(review): contains a multi-byte `nop word ptr [eax + eax]`,
        // which looks like compiler alignment padding rather than
        // family-specific logic — treat this sequence as lower-value.
        $sequence_7 = { 03f7 803e00 7525 660f1f440000 ff7518 8b45f8 6a01 }
            // n = 7, score = 100
            //   03f7                 | add                 esi, edi
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7525                 | jne                 0x27
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   6a01                 | push                1

        // NOTE(review): the last instruction embeds an absolute virtual
        // address (0x45b5e0) rather than a relative reference, so this
        // sequence is tied to one build's image layout and is the most
        // brittle of the ten across recompiled or rebased samples.
        $sequence_8 = { e8???????? 8bd8 83c410 85db 7541 8b4510 8a80e0b54500 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c410               | add                 esp, 0x10
            //   85db                 | test                ebx, ebx
            //   7541                 | jne                 0x43
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8a80e0b54500         | mov                 al, byte ptr [eax + 0x45b5e0]

        // NOTE(review): `xor eax, esp` followed by a store to the stack frame
        // resembles an MSVC stack-cookie (/GS) prologue — presumably compiler
        // boilerplate that other MSVC-built binaries also contain; confirm
        // before weighting a hit on this sequence alone.
        $sequence_9 = { 33c4 89442424 8bc1 56 57 8944240c 83780400 }
            // n = 7, score = 100
            //   33c4                 | xor                 eax, esp
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8bc1                 | mov                 eax, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   83780400             | cmp                 dword ptr [eax + 4], 0

    condition:
        // At least 7 of the 10 sequences must be present (allows up to 3 to
        // be missing, e.g. the build-specific $sequence_8), and the scanned
        // object must be under 1094656 bytes. The size bound limits
        // false positives on large files; it also means a larger unpacked
        // dump of the same code will not match.
        7 of them and filesize < 1094656
}