win.cuba

Cuba

aka: COLDDRAW

Ransomware.

References
2023-09-11KasperskyAlexander Kirichenko, Gleb Ivanov
From Caribbean shores to your devices: analyzing Cuba ransomware
Cuba
2023-07-28Quorum CyberQuorum Cyber
Scattered Spider Threat Actor Profile
Cuba KillAV POORTRY
2023-03-30United States District Court (Eastern District of New York)Fortra, HEALTH-ISAC, Microsoft
Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2022-12-01CISACISA
#StopRansomware: Cuba Ransomware
Cuba
2022-08-18FortinetJames Slaughter, Shunichi Imano
Ransomware Roundup: Gwisin, Kriptor, Cuba, and More
Cuba
2022-08-10Palo Alto Networks Unit 42Anthony Galiette, Daniel Bunce, Doel Santos, Shawn Westfall
Novel News on Cuba Ransomware: Greetings From Tropical Scorpius
Cuba ROMCOM RAT
2022-06-08Trend MicroDon Ovid Ladores
Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques
Cuba
2022-06-01ElasticSalim Bitam
CUBA Ransomware Malware Analysis
Cuba
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-02-26AonEduardo Mattos, Rob Homewood
Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-25IT-Connect (FR)Florian Burnel
Le ransomware Cuba s’en prend aux serveurs Exchange
Cuba
2022-02-24Bleeping ComputerBill Toulas
Microsoft Exchange servers hacked to deploy Cuba ransomware
Cuba
2022-02-23MandiantJoshua Shilko, Shambavi Sadayappan, Tyler McLellan
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
Cuba KillAV
2022-02-08GuidePoint SecurityDrew Schmitt
Using Hindsight to Close a Cuba Cold Case
Cuba
2021-12-14Lab52Th3spis
Cuba Ransomware Analysis
Cuba
2021-12-02FBIFBI
CU-000156-MW: Indicators of Compromise Associated with Cuba Ransomware
Cuba
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
Connecting the Bots Hancitor fuels Cuba Ransomware Operations
Cuba Hancitor
2021-05-05ProferoProfero, SecurityJoes
Cuba Ransomware Group on a Roll
Cuba
2021-04-06McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia
McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
Cuba
2021-04-06McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia
Technical Analysis of Cuba Ransomware
Cuba
2019-12-31Andrew Ivanov
Cuba Ransomware
Cuba
Yara Rules
[TLP:WHITE] win_cuba_auto (20251219 | Detects win.cuba.)
rule win_cuba_auto {
    // Auto-generated code-sequence rule for win.cuba (yara-signator v0.6.0,
    // dataset version 20251219, generated 2026-01-05). Fires when at least
    // 7 of the 16 short opcode sequences below occur in a file smaller than
    // 1094656 bytes. See the DISCLAIMER and the review notes below before
    // assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.cuba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reader guidance, not part of the generated rule)
     *  - Sequences 0, 1, 3, 8, 9, 10, 11 and 14 disassemble to ordinary
     *    control flow and arithmetic (compare-and-branch, frame setup,
     *    indirect jump, SSE math), i.e. the kind of material such rules are
     *    meant to key on.
     *  - Sequences 2, 5, 6, 7, 12, 13 and 15 disassemble to `add byte ptr`
     *    forms over bytes in the printable ASCII range (0x41 'A', 0x43 'C',
     *    0x45 'E', ...). They look like data rather than code — TODO confirm
     *    against the sample. Data-derived sequences tend to generalize poorly
     *    across builds, so a hit that rests mainly on them deserves lower
     *    confidence than one that includes several code sequences.
     *  - Sequences 0, 1, 3, 8, 9 and 10 embed absolute addresses in the
     *    0x40xxxx/0x41xxxx range (e.g. 0x417010, 0x415d90, 0x419f74). These
     *    are layout dependent; a rebuilt or differently relocated binary may
     *    miss exactly those sequences.
     *  - The filesize bound (1094656 bytes) is presumably derived from the
     *    sample set; a larger repack or bundle carrying the same payload would
     *    not match on that ground alone. Keep this in mind when triaging
     *    misses.
     */


    strings:
        $sequence_0 = { 85c0 7810 3de4000000 7309 8b04c510704100 5d }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7810                 | js                  0x12
            //   3de4000000           | cmp                 eax, 0xe4
            //   7309                 | jae                 0xb
            //   8b04c510704100       | mov                 eax, dword ptr [eax*8 + 0x417010]
            //   5d                   | pop                 ebp

        $sequence_1 = { c3 8bff 55 8bec 8b4d08 33c0 3b0cc5905d4100 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   3b0cc5905d4100       | cmp                 ecx, dword ptr [eax*8 + 0x415d90]

        $sequence_2 = { 0019 43 41 00444341 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   0019                 | add                 byte ptr [ecx], bl
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00444341             | add                 byte ptr [ebx + eax*2 + 0x41], al

        $sequence_3 = { 8bd6 c745ac749f4100 8bce 0fb707 }
            // n = 4, score = 100
            //   8bd6                 | mov                 edx, esi
            //   c745ac749f4100       | mov                 dword ptr [ebp - 0x54], 0x419f74
            //   8bce                 | mov                 ecx, esi
            //   0fb707               | movzx               eax, word ptr [edi]

        $sequence_4 = { 000d???????? 384100 b538 41 }
            // n = 4, score = 100
            //   (review) `????????` wildcards the 4-byte operand of the first instruction
            //   000d????????         |                     
            //   384100               | cmp                 byte ptr [ecx], al
            //   b538                 | mov                 ch, 0x38
            //   41                   | inc                 ecx

        $sequence_5 = { 0026 45 41 003a }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   0026                 | add                 byte ptr [esi], ah
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   003a                 | add                 byte ptr [edx], bh

        $sequence_6 = { 0026 43 41 00b043410062 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   0026                 | add                 byte ptr [esi], ah
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   00b043410062         | add                 byte ptr [eax + 0x62004143], dh

        $sequence_7 = { 0012 45 41 0026 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   0012                 | add                 byte ptr [edx], dl
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   0026                 | add                 byte ptr [esi], ah

        $sequence_8 = { 83e801 0f8501010000 c745e004934100 8b4508 }
            // n = 4, score = 100
            //   83e801               | sub                 eax, 1
            //   0f8501010000         | jne                 0x107
            //   c745e004934100       | mov                 dword ptr [ebp - 0x20], 0x419304
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_9 = { ff24953c354000 c7878c00000001000000 85c9 747e 3bc6 730a }
            // n = 6, score = 100
            //   (review) indirect jump through a table at 0x40353c — switch-like dispatch
            //   ff24953c354000       | jmp                 dword ptr [edx*4 + 0x40353c]
            //   c7878c00000001000000     | mov    dword ptr [edi + 0x8c], 1
            //   85c9                 | test                ecx, ecx
            //   747e                 | je                  0x80
            //   3bc6                 | cmp                 eax, esi
            //   730a                 | jae                 0xc

        $sequence_10 = { 660fc5c400 25f0070000 660f28a040974100 660f28b830934100 660f54f0 660f5cc6 660f59f4 }
            // n = 7, score = 100
            //   (review) packed-double SSE2 arithmetic with table lookups at 0x419740/0x419330;
            //   presumably a math-library routine rather than family-specific logic — confirm
            //   660fc5c400           | pextrw              eax, xmm4, 0
            //   25f0070000           | and                 eax, 0x7f0
            //   660f28a040974100     | movapd              xmm4, xmmword ptr [eax + 0x419740]
            //   660f28b830934100     | movapd              xmm7, xmmword ptr [eax + 0x419330]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6
            //   660f59f4             | mulpd               xmm6, xmm4

        $sequence_11 = { ffd7 85c0 750c e8???????? 5f }
            // n = 5, score = 100
            //   (review) `????????` wildcards the relative call target
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_12 = { 000c43 41 0035???????? 43 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   000c43               | add                 byte ptr [ebx + eax*2], cl
            //   41                   | inc                 ecx
            //   0035????????         |                     
            //   43                   | inc                 ebx

        $sequence_13 = { 003a 45 41 004245 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   003a                 | add                 byte ptr [edx], bh
            //   45                   | inc                 ebp
            //   41                   | inc                 ecx
            //   004245               | add                 byte ptr [edx + 0x45], al

        $sequence_14 = { 7414 8d85c0f9ffff 50 56 ff15???????? 85c0 75e6 }
            // n = 7, score = 100
            //   (review) retry loop around an import call (`ff15` = call through IAT, target wildcarded)
            //   7414                 | je                  0x16
            //   8d85c0f9ffff         | lea                 eax, [ebp - 0x640]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75e6                 | jne                 0xffffffe8

        $sequence_15 = { 000446 41 00d1 45 }
            // n = 4, score = 100
            //   (review) looks like data rather than code — see notes above
            //   000446               | add                 byte ptr [esi + eax*2], al
            //   41                   | inc                 ecx
            //   00d1                 | add                 cl, dl
            //   45                   | inc                 ebp

    condition:
        // Any 7 of the 16 sequences, in any combination, plus the filesize cap.
        // The rule does not weight code-derived over data-derived sequences;
        // see the review notes above when assessing a hit.
        7 of them and filesize < 1094656
}
[TLP:WHITE] win_cuba_w0   (20230118 | Detect_cuba_ransomware)
rule win_cuba_w0 {
    // Hand-written detection for Cuba ransomware contributed by @malgamy12.
    // Matches a PE ("MZ") file that contains all three opcode patterns below.
    // The author's date is 24/11/2022 (day/month/year); malpedia_rule_date
    // 20230118 is Malpedia's own date for the rule.
    meta:
	    description = "Detect_cuba_ransomware"
	    author = "@malgamy12"
	    date = "24/11/2022"
	    license = "DRL 1.1"
        // Ten 40-hex-digit hashes (SHA-1 length); presumably the samples the
        // patterns were derived from — see the referenced Malpedia entry.
        hash = "c2aad237b3f4c5a55df88ef26c25899fc4ec8170"
        hash = "4b41a1508f0f519396b7c14df161954f1c819e86"
        hash = "d5fe48b914c83711fe5313a4aaf1e8d80533543d"
        hash = "159b566e62dcec608a3991100d6edbca781d48c0"
        hash = "e1cae0d2a320a2756ae1ee5d37bfe803b39853fa"
        hash = "6f1d355b95546f0a5a09f7fd0b85fc9658e87813"
        hash = "25da0849207beb5695c8d9826b585b8cda435eba"
        hash = "3997d19f38ce14b7643c1ad8d6a737990b444215"
        hash = "f008e568c313b6f41406658a77313f89df07017e"
        hash = "7e42b668fd2ca96b05f39d5097943a191f1010f4"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba"
        malpedia_rule_date = "20230118"
        // malpedia_hash is empty as published.
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Opcode patterns. `??` wildcards one byte (in these positions an
        // imm8/disp8 such as a shift count or stack-slot offset); `[4]` skips
        // four bytes, which here sit where a disp32 / absolute table address
        // would be — the parts most likely to differ between builds.
        //
        // $p1: repeated `0F B6 47 ?? / C1 E1 ?? / 0B C8` (movzx eax from
        // [edi+n]; shl ecx; or ecx, eax) assembles four bytes into a dword,
        // followed by a store (`89 0B`, `89 0E`, `89 4B ??`). Looks like
        // byte-order packing of a 16-byte input block — TODO confirm against
        // the sample.
        $p1 = {C1 8D 73 ?? 99 83 E2 ?? 03 C2 C1 F8 ?? 8D 04 45 [4] 89 83 [4] 0F B6 0F 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0B 0F B6 47 ?? 89 4D ?? 0F B6 4F ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 0E 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 89 4B ?? 0F B6 4F ?? 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 0F B6 47 ?? C1 E1 ?? 0B C8 8B 45 ?? 89 4D ?? 89 4B}
        // $p2 / $p3: shifts (`C1 E8 ??`), byte extractions (`0F B6 C8`,
        // `0F B6 C0`) and XORs against dword tables indexed by the extracted
        // byte (`33 04 8D [4]`, `33 0C 85 [4]`, `33 1C 85 [4]`). This shape is
        // consistent with a table-driven block-cipher round; NOTE(review): the
        // specific algorithm is not determinable from the bytes alone.
        $p2 = {5D ?? 8B C3 C1 E8 ?? 0F B6 D0 8B C3 C1 E8 ?? 0F B6 C8 8B 04 95 [4] 33 04 8D [4] 8B CB C1 E9 ?? 33 04 8D [4] 0F B6 CB 5B 33 04 8D}
        $p3 = {8B 75 ?? 8B C6 C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 8B 55 ?? 33 0C 85 [4] 8B C2 C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 33 0F 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C6 C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 33 4F ?? 8B 45 ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C2 C1 E8 ?? 0F B6 C0 C1 EA ?? 8B 1C 8D [4] 8B 4D ?? 33 1C 85 [4] 8B C6 C1 E8 ?? 33 1C 85 [4] 0F B6 C1 C1 E9 ?? 0F B6 C9 33 1C 85 [4] 33 5F ?? 0F B6 C2 8B 14 8D [4] 33 14 85 [4] 8B 45 ?? C1 E8 ?? 33 14 85 [4] 8B C6 0F B6 C0 33 14 85 [4] 8B C3 33 57 ?? C1 E8 ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 0F B6 C2 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B C3 C1 E8 ?? 8B 0C 8D [4] 0F B6 C0 33 0C 85 [4] 8B 45 ?? C1 E8 ?? 33 0C 85 [4] 8B 45 ?? 0F B6 C0 33 0C 85 [4] 8B C2 33 4F ?? C1 E8 ?? 89 4D ?? 0F B6 C8 8B 45 ?? C1 E8 ?? 0F B6 C0 8B 0C 8D [4] C1 EA ?? 33 0C 85 [4] 8B C3 C1 E8 ?? 33 0C 85 [4] 89 4D ?? 8B 4D ?? 8B 75 ?? 0F B6 C1 C1 E9 ?? 0F B6 C9 33 34 85 [4] 8B C6 89 75 ?? 33 47 ?? 8B 0C 8D [4] 89 45 ?? 8B 45 ?? C1 E8 ?? 0F B6 C0 33 0C 85 [4] 33 0C 95 [4] 0F B6 C3 33 0C 85 [4] 33 4F ?? 83 C7 ?? 83 6D}
        
    condition:
        // uint16(0) == 0x5A4D is the little-endian "MZ" signature, so only PE
        // files are considered. `all of them` requires every pattern to be
        // present: a change to any one routine (recompilation, different
        // register allocation) breaks the match, so a partial hit on one or
        // two of $p1..$p3 is worth manual follow-up rather than a non-result.
        // No filesize bound is applied.
        uint16(0) == 0x5A4D and all of them
}