Also known as Wacatac ransomware due to its .wctc extension.
rule win_deathransom_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.deathransom." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 2345e4 0b75e4 2375dc 0bf0 8975e0 014de0 8b4db0 } // n = 7, score = 100 // 2345e4 | and eax, dword ptr [ebp - 0x1c] // 0b75e4 | or esi, dword ptr [ebp - 0x1c] // 2375dc | and esi, dword ptr [ebp - 0x24] // 0bf0 | or esi, eax // 8975e0 | mov dword ptr [ebp - 0x20], esi // 014de0 | add dword ptr [ebp - 0x20], ecx // 8b4db0 | mov ecx, dword ptr [ebp - 0x50] $sequence_1 = { 0b5dec 2345ec 235df0 0bd8 895de4 014de4 } // n = 6, score = 100 // 0b5dec | or ebx, dword ptr [ebp - 0x14] // 2345ec | and eax, dword ptr [ebp - 0x14] // 235df0 | and ebx, dword ptr [ebp - 0x10] // 0bd8 | or ebx, eax // 895de4 | mov dword ptr [ebp - 0x1c], ebx // 014de4 | add dword ptr [ebp - 0x1c], ecx $sequence_2 = { 50 ff15???????? 8945fc 8d50ff 33c9 03d6 } // n = 6, score = 100 // 50 | push eax // ff15???????? | // 8945fc | mov dword ptr [ebp - 4], eax // 8d50ff | lea edx, dword ptr [eax - 1] // 33c9 | xor ecx, ecx // 03d6 | add edx, esi $sequence_3 = { 33d2 f7f6 8bd0 0fb7c3 8bca 0fafc2 0fafce } // n = 7, score = 100 // 33d2 | xor edx, edx // f7f6 | div esi // 8bd0 | mov edx, eax // 0fb7c3 | movzx eax, bx // 8bca | mov ecx, edx // 0fafc2 | imul eax, edx // 0fafce | imul ecx, esi $sequence_4 = { 0fb6420f c1e108 0bc8 0fb64211 894d9c } // n = 5, score = 100 // 0fb6420f | movzx eax, byte ptr [edx + 0xf] // c1e108 | shl ecx, 8 // 0bc8 | or ecx, eax // 0fb64211 | movzx eax, byte ptr [edx + 0x11] // 894d9c | mov dword ptr [ebp - 0x64], ecx $sequence_5 = { 7508 893c81 33f6 40 33ff 836dfc01 8d5bff } // n = 7, score = 100 // 7508 | jne 0xa // 893c81 | mov dword ptr [ecx + eax*4], edi // 33f6 | xor esi, esi // 40 | inc eax // 33ff | xor edi, edi // 836dfc01 | sub dword ptr [ebp - 4], 1 // 8d5bff | lea ebx, dword ptr [ebx - 1] $sequence_6 = { 8b7d10 8bc1 8945fc 8bf2 83ff01 7516 ff7514 } // n = 7, score = 100 // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 8bc1 | mov eax, ecx // 8945fc | mov dword ptr [ebp - 4], eax // 8bf2 | mov esi, edx // 83ff01 | cmp edi, 1 // 7516 | jne 0x18 // ff7514 | push dword ptr [ebp + 0x14] $sequence_7 = { e8???????? 83c414 8d8d10fdffff 33d2 68???????? 83ec10 e8???????? } // n = 7, score = 100 // e8???????? | // 83c414 | add esp, 0x14 // 8d8d10fdffff | lea ecx, dword ptr [ebp - 0x2f0] // 33d2 | xor edx, edx // 68???????? | // 83ec10 | sub esp, 0x10 // e8???????? | $sequence_8 = { 894304 8b5708 8b470c 2b5308 895308 1b430c 89430c } // n = 7, score = 100 // 894304 | mov dword ptr [ebx + 4], eax // 8b5708 | mov edx, dword ptr [edi + 8] // 8b470c | mov eax, dword ptr [edi + 0xc] // 2b5308 | sub edx, dword ptr [ebx + 8] // 895308 | mov dword ptr [ebx + 8], edx // 1b430c | sbb eax, dword ptr [ebx + 0xc] // 89430c | mov dword ptr [ebx + 0xc], eax $sequence_9 = { 0f8591000000 ff75f8 6a08 ff15???????? } // n = 4, score = 100 // 0f8591000000 | jne 0x97 // ff75f8 | push dword ptr [ebp - 8] // 6a08 | push 8 // ff15???????? | condition: 7 of them and filesize < 133120 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY