win.deathransom

DeathRansom

aka: deathransom, wacatac

Also known as Wacatac ransomware, after the .wctc file extension it uses.

References
2020-01-06 | Github (albertzsigovits) | Albert Zsigovits
@online{zsigovits:20200106:deathransom:e39cb8a, author = {Albert Zsigovits}, title = {{DeathRansom \ Wacatac ransomware}}, date = {2020-01-06}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md}, language = {English}, urldate = {2020-01-13} } DeathRansom \ Wacatac ransomware
DeathRansom
2020-01-02 | Fortinet | Minh Tran
@online{tran:20200102:curious:3682a97, author = {Minh Tran}, title = {{The Curious Case of DeathRansom: Part I}}, date = {2020-01-02}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html}, language = {English}, urldate = {2020-01-08} } The Curious Case of DeathRansom: Part I
DeathRansom
2020-01-02 | Fortinet | Artem Semenchenko, Evengeny Ananin
@online{semenchenko:20200102:deathransom:1d5c66d, author = {Artem Semenchenko and Evengeny Ananin}, title = {{DeathRansom Part II: Attribution}}, date = {2020-01-02}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html}, language = {English}, urldate = {2020-01-09} } DeathRansom Part II: Attribution
DeathRansom
2019-11-21 | ASEC | ASEC Analysis Team
@online{team:20191121:gandcrab:39506f0, author = {ASEC Analysis Team}, title = {{GandCrab Finds DEATHRansom of the Same Appearance Following Nemty in Korea}}, date = {2019-11-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/1269}, language = {English}, urldate = {2020-01-09} } GandCrab Finds DEATHRansom of the Same Appearance Following Nemty in Korea
DeathRansom
2019-11-19 | Twitter (@Amigo_A_) | Andrew Ivanov
@online{ivanov:20191119:wacatac:c1815bb, author = {Andrew Ivanov}, title = {{Tweet on Wacatac Ransomware}}, date = {2019-11-19}, organization = {Twitter (@Amigo_A_)}, url = {https://twitter.com/Amigo_A_/status/1196898012645220354}, language = {English}, urldate = {2020-01-08} } Tweet on Wacatac Ransomware
DeathRansom
2019-11-19 | ID Ransomware | Andrew Ivanov
@online{ivanov:20191119:wacatac:e257783, author = {Andrew Ivanov}, title = {{Wacatac Ransomware}}, date = {2019-11-19}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html}, language = {Russian}, urldate = {2020-01-08} } Wacatac Ransomware
DeathRansom
2019-11-19 | Dissecting Malware | Marius Genheimer
@online{genheimer:20191119:quick:b7c4538, author = {Marius Genheimer}, title = {{Quick and painless - Reversing DeathRansom / "Wacatac"}}, date = {2019-11-19}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html}, language = {English}, urldate = {2020-03-27} } Quick and painless - Reversing DeathRansom / "Wacatac"
DeathRansom
Yara Rules
[TLP:WHITE] win_deathransom_auto (20220411 | Detects win.deathransom.)
rule win_deathransom_auto {
    /*
     * Auto-generated code-pattern rule for the DeathRansom / Wacatac ransomware
     * family (Malpedia identifier win.deathransom). Every $sequence_N string is a
     * run of x86 instruction bytes lifted from disassembly of unpacked samples and
     * memory dumps; the rule matches when enough of those byte runs are present in
     * a sufficiently small scanned file (see the condition at the bottom).
     * NOTE(review): the meta block carries three different stamps (date 2022-04-08,
     * malpedia_rule_date 20220405, malpedia_version 20220411). Presumably these are
     * generator-run, rule-set and publication dates respectively — confirm against
     * the yara-signator / Malpedia release notes before relying on any one of them.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.deathransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is a literal x86 byte sequence; the commented lines beneath
        // it show the decoded instruction per byte group. "n" is the number of
        // instructions in the sequence; "score" is the value the generator assigned
        // to it (its meaning is defined by yara-signator, not by this rule).
        // "??" bytes are wildcards covering 4-byte operands that change between
        // builds (call/jump displacements and absolute addresses); the disassembly
        // column is deliberately left blank for those instructions.
        $sequence_0 = { 2345e4 0b75e4 2375dc 0bf0 8975e0 014de0 8b4db0 }
            // n = 7, score = 100
            //   2345e4               | and                 eax, dword ptr [ebp - 0x1c]
            //   0b75e4               | or                  esi, dword ptr [ebp - 0x1c]
            //   2375dc               | and                 esi, dword ptr [ebp - 0x24]
            //   0bf0                 | or                  esi, eax
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   014de0               | add                 dword ptr [ebp - 0x20], ecx
            //   8b4db0               | mov                 ecx, dword ptr [ebp - 0x50]

        $sequence_1 = { 0b5dec 2345ec 235df0 0bd8 895de4 014de4 }
            // n = 6, score = 100
            //   0b5dec               | or                  ebx, dword ptr [ebp - 0x14]
            //   2345ec               | and                 eax, dword ptr [ebp - 0x14]
            //   235df0               | and                 ebx, dword ptr [ebp - 0x10]
            //   0bd8                 | or                  ebx, eax
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   014de4               | add                 dword ptr [ebp - 0x1c], ecx

        $sequence_2 = { 50 ff15???????? 8945fc 8d50ff 33c9 03d6 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d50ff               | lea                 edx, dword ptr [eax - 1]
            //   33c9                 | xor                 ecx, ecx
            //   03d6                 | add                 edx, esi

        $sequence_3 = { 33d2 f7f6 8bd0 0fb7c3 8bca 0fafc2 0fafce }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   f7f6                 | div                 esi
            //   8bd0                 | mov                 edx, eax
            //   0fb7c3               | movzx               eax, bx
            //   8bca                 | mov                 ecx, edx
            //   0fafc2               | imul                eax, edx
            //   0fafce               | imul                ecx, esi

        $sequence_4 = { 0fb6420f c1e108 0bc8 0fb64211 894d9c }
            // n = 5, score = 100
            //   0fb6420f             | movzx               eax, byte ptr [edx + 0xf]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   0fb64211             | movzx               eax, byte ptr [edx + 0x11]
            //   894d9c               | mov                 dword ptr [ebp - 0x64], ecx

        $sequence_5 = { 7508 893c81 33f6 40 33ff 836dfc01 8d5bff }
            // n = 7, score = 100
            //   7508                 | jne                 0xa
            //   893c81               | mov                 dword ptr [ecx + eax*4], edi
            //   33f6                 | xor                 esi, esi
            //   40                   | inc                 eax
            //   33ff                 | xor                 edi, edi
            //   836dfc01             | sub                 dword ptr [ebp - 4], 1
            //   8d5bff               | lea                 ebx, dword ptr [ebx - 1]

        $sequence_6 = { 8b7d10 8bc1 8945fc 8bf2 83ff01 7516 ff7514 }
            // n = 7, score = 100
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8bc1                 | mov                 eax, ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8bf2                 | mov                 esi, edx
            //   83ff01               | cmp                 edi, 1
            //   7516                 | jne                 0x18
            //   ff7514               | push                dword ptr [ebp + 0x14]

        $sequence_7 = { e8???????? 83c414 8d8d10fdffff 33d2 68???????? 83ec10 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8d8d10fdffff         | lea                 ecx, dword ptr [ebp - 0x2f0]
            //   33d2                 | xor                 edx, edx
            //   68????????           |                     
            //   83ec10               | sub                 esp, 0x10
            //   e8????????           |                     

        $sequence_8 = { 894304 8b5708 8b470c 2b5308 895308 1b430c 89430c }
            // n = 7, score = 100
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   8b5708               | mov                 edx, dword ptr [edi + 8]
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   2b5308               | sub                 edx, dword ptr [ebx + 8]
            //   895308               | mov                 dword ptr [ebx + 8], edx
            //   1b430c               | sbb                 eax, dword ptr [ebx + 0xc]
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax

        $sequence_9 = { 0f8591000000 ff75f8 6a08 ff15???????? }
            // n = 4, score = 100
            //   0f8591000000         | jne                 0x97
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   6a08                 | push                8
            //   ff15????????         |                     

    condition:
        // Fires when at least 7 of the 10 byte sequences above are present AND the
        // scanned file is smaller than 133120 bytes (130 KiB). The size bound is a
        // hard gate: a file at or above that size never matches even if every
        // sequence is present, so packed/padded samples or containers that embed
        // the code (installers, archives, full memory images) are out of scope.
        // NOTE(review): filesize is defined in terms of the scanned file — confirm
        // how the target scanner evaluates it for process-memory scans before
        // deploying this rule there.
        7 of them and filesize < 133120
}