win.cuba

Cuba


Ransomware.

References
2021-05-10 | DarkTracer | DarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07 | Group-IB | Oleg Skulkin, Semyon Rogachev
@online{skulkin:20210507:connecting:49c0b13, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Connecting the Bots Hancitor fuels Cuba Ransomware Operations}}, date = {2021-05-07}, organization = {Group-IB}, url = {https://blog.group-ib.com/hancitor-cuba-ransomware}, language = {English}, urldate = {2021-05-08} } Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05 | Profero | Profero, SecurityJoes
@techreport{profero:20210505:cuba:bc183e8, author = {Profero and SecurityJoes}, title = {{Cuba Ransomware Group on a Roll}}, date = {2021-05-05}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf}, language = {English}, urldate = {2021-05-07} } Cuba Ransomware Group on a Roll
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
@online{roccia:20210406:mcafee:1ad60c9, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware}}, date = {2021-04-06}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware}, language = {English}, urldate = {2021-05-13} } McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06 | McAfee | Thomas Roccia, Thibault Seret, Alexandre Mundo
@techreport{roccia:20210406:technical:3adb4cc, author = {Thomas Roccia and Thibault Seret and Alexandre Mundo}, title = {{Technical Analysis of Cuba Ransomware}}, date = {2021-04-06}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf}, language = {English}, urldate = {2021-04-09} } Technical Analysis of Cuba Ransomware
Cuba
2019-12-31 | Andrew Ivanov
@online{ivanov:20191231:cuba:53a177c, author = {Andrew Ivanov}, title = {{Cuba Ransomware}}, date = {2019-12-31}, url = {https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html}, language = {Russian}, urldate = {2020-06-11} } Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20211008 | Detects win.cuba.)
rule win_cuba_auto {

    /* Auto-generated code-sequence signature for the Cuba ransomware family
     * (Malpedia id win.cuba). It keys on short x86 instruction byte sequences
     * lifted from unpacked files and memory dumps (see DISCLAIMER below), not on
     * strings or imports, so it is meant for unpacked/dumped code; packed or
     * encrypted droppers are unlikely to match. Generalisation across samples
     * is limited by the single-sample data source noted in the disclaimer. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        // TLP:WHITE: may be shared without restriction under the CC BY-SA 4.0 terms above.
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of seven consecutive x86 instructions. In the
     * per-sequence comments, "n" is the instruction count; "score" is the
     * generator's ranking for the sequence (exact semantics per the
     * yara-signator documentation). "e8????????" is a near call whose 4-byte
     * relative displacement is wildcarded because it changes with code layout. */
    strings:
        $sequence_0 = { 0f8552020000 ff75b8 53 57 ff75c8 ff75c4 ff75c0 }
            // n = 7, score = 100
            //   0f8552020000         | jne                 0x258
            //   ff75b8               | push                dword ptr [ebp - 0x48]
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ff75c8               | push                dword ptr [ebp - 0x38]
            //   ff75c4               | push                dword ptr [ebp - 0x3c]
            //   ff75c0               | push                dword ptr [ebp - 0x40]

        $sequence_1 = { e8???????? 8bf0 83c408 85f6 0f8561030000 8d45b0 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c408               | add                 esp, 8
            //   85f6                 | test                esi, esi
            //   0f8561030000         | jne                 0x367
            //   8d45b0               | lea                 eax, dword ptr [ebp - 0x50]
            //   50                   | push                eax

        $sequence_2 = { 0f84c0030000 46 83fe10 72e9 8d45b8 50 53 }
            // n = 7, score = 100
            //   0f84c0030000         | je                  0x3c6
            //   46                   | inc                 esi
            //   83fe10               | cmp                 esi, 0x10
            //   72e9                 | jb                  0xffffffeb
            //   8d45b8               | lea                 eax, dword ptr [ebp - 0x48]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_3 = { e8???????? 83bd7cffffff00 7504 32db eb4f 6a00 6873010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83bd7cffffff00       | cmp                 dword ptr [ebp - 0x84], 0
            //   7504                 | jne                 6
            //   32db                 | xor                 bl, bl
            //   eb4f                 | jmp                 0x51
            //   6a00                 | push                0
            //   6873010000           | push                0x173

        $sequence_4 = { 8bf0 83c40c 85f6 0f8545050000 8b45fc 50 50 }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   0f8545050000         | jne                 0x54b
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_5 = { 8bc1 50 e8???????? 8bf0 83c40c 85f6 754e }
            // n = 7, score = 100
            //   8bc1                 | mov                 eax, ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   754e                 | jne                 0x50

        // NOTE(review): the immediate 0x12835b01 here and 0xb5c0fbcf in
        // $sequence_9 equal SHA-256 round constants (K[9] and K[2]), and the
        // xor/and mixing around them looks like the compression function. If
        // so, these two sequences fingerprint an embedded SHA-256 routine and
        // could also hit unrelated binaries built with the same hashing code;
        // they should not be treated as family-specific on their own — confirm
        // against a clean SHA-256 library build before raising confidence.
        $sequence_6 = { 33c3 23c2 8d97015b8312 8bbdf8feffff 33c6 03c1 8bcf }
            // n = 7, score = 100
            //   33c3                 | xor                 eax, ebx
            //   23c2                 | and                 eax, edx
            //   8d97015b8312         | lea                 edx, dword ptr [edi + 0x12835b01]
            //   8bbdf8feffff         | mov                 edi, dword ptr [ebp - 0x108]
            //   33c6                 | xor                 eax, esi
            //   03c1                 | add                 eax, ecx
            //   8bcf                 | mov                 ecx, edi

        $sequence_7 = { 50 e8???????? 8bf0 83c40c 85f6 7563 8d45d0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   7563                 | jne                 0x65
            //   8d45d0               | lea                 eax, dword ptr [ebp - 0x30]

        $sequence_8 = { 50 e8???????? 83c410 8bf8 6a00 8d45f0 50 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax

        // See the note on $sequence_6: 0xb5c0fbcf matches SHA-256 K[2].
        $sequence_9 = { 8b85f0feffff 23f2 33b5e8feffff 05cffbc0b5 03f1 8bd7 03b5f8feffff }
            // n = 7, score = 100
            //   8b85f0feffff         | mov                 eax, dword ptr [ebp - 0x110]
            //   23f2                 | and                 esi, edx
            //   33b5e8feffff         | xor                 esi, dword ptr [ebp - 0x118]
            //   05cffbc0b5           | add                 eax, 0xb5c0fbcf
            //   03f1                 | add                 esi, ecx
            //   8bd7                 | mov                 edx, edi
            //   03b5f8feffff         | add                 esi, dword ptr [ebp - 0x108]

    /* Requires 7 of the 10 sequences, so up to three may be absent (e.g. a
     * recompiled sample with shifted jump displacements). The filesize bound
     * is 1094656 bytes (~1.04 MiB): anything larger is never matched regardless
     * of content, which will exclude large process memory dumps — scan carved
     * modules rather than whole-process dumps if that matters for your use. */
    condition:
        7 of them and filesize < 1094656
}