win.deathransom

DeathRansom

aka: deathransom, wacatac

Also known as Wacatac ransomware because of the .wctc extension it appends to the files it encrypts.

References
2020-01-06Github (albertzsigovits)Albert Zsigovits
DeathRansom \ Wacatac ransomware
DeathRansom
2020-01-02FortinetArtem Semenchenko, Evgeny Ananin
DeathRansom Part II: Attribution
DeathRansom
2020-01-02FortinetMinh Tran
The Curious Case of DeathRansom: Part I
DeathRansom
2019-11-21ASECASEC Analysis Team
GandCrab Finds DEATHRansom of the Same Appearance Following Nemty in Korea
DeathRansom
2019-11-19ID RansomwareAndrew Ivanov
Wacatac Ransomware
DeathRansom
2019-11-19Twitter (@Amigo_A_)Andrew Ivanov
Tweet on Wacatac Ransomware
DeathRansom
2019-11-19Dissecting MalwareMarius Genheimer
Quick and painless - Reversing DeathRansom / "Wacatac"
DeathRansom
Yara Rules
[TLP:WHITE] win_deathransom_auto (20230808 | Detects win.deathransom.)
rule win_deathransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.deathransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): operational caveats for deploying this rule.
     * - Every string below is a raw x86 (32-bit) opcode sequence taken from
     *   unpacked code (see DISCLAIMER). A packed or encrypted on-disk sample
     *   will generally NOT match; scan unpacked files or memory dumps.
     * - The "????????" bytes are wildcards for relocatable operands (rel32
     *   call targets in "e8 ????????" and the IAT slot in "ff15 ????????"),
     *   so those sequences match regardless of load address or import layout.
     * - Because the sequences are generic code patterns (arithmetic, shifts,
     *   byte stores) rather than family-specific strings, treat a hit as a
     *   triage signal to be confirmed by further analysis, not as attribution
     *   on its own; the "score = 100" annotations are the generator's own
     *   statistics, not a confidence level for your environment.
     */

    strings:
        // $sequence_0, $sequence_1 and $sequence_7 are add/xor/rotate chains
        // with a 32-bit constant; 0x19a4c116 and the rol 7 / ror 0xb / rol 0xa
        // rotation amounts are consistent with an inlined SHA-256 compression
        // round -- presumably the sample's embedded hashing code. TODO confirm
        // against the sample before relying on this interpretation.
        $sequence_0 = { 8b55d8 33c3 03c1 81c216c1a419 03d0 8bcf 0155ec }
            // n = 7, score = 100
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   33c3                 | xor                 eax, ebx
            //   03c1                 | add                 eax, ecx
            //   81c216c1a419         | add                 edx, 0x19a4c116
            //   03d0                 | add                 edx, eax
            //   8bcf                 | mov                 ecx, edi
            //   0155ec               | add                 dword ptr [ebp - 0x14], edx

        $sequence_1 = { 03d1 c1c007 0355a8 8bcf c1c90b 33c8 8955d8 }
            // n = 7, score = 100
            //   03d1                 | add                 edx, ecx
            //   c1c007               | rol                 eax, 7
            //   0355a8               | add                 edx, dword ptr [ebp - 0x58]
            //   8bcf                 | mov                 ecx, edi
            //   c1c90b               | ror                 ecx, 0xb
            //   33c8                 | xor                 ecx, eax
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx

        // Shifts a 32-bit value right by (32 - esi); looks like one half of a
        // variable-amount rotate or a bit-field extraction -- unverified.
        $sequence_2 = { 742d 8b45f8 ba20000000 2bd6 8bca d3e8 8bce }
            // n = 7, score = 100
            //   742d                 | je                  0x2f
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ba20000000           | mov                 edx, 0x20
            //   2bd6                 | sub                 edx, esi
            //   8bca                 | mov                 ecx, edx
            //   d3e8                 | shr                 eax, cl
            //   8bce                 | mov                 ecx, esi

        $sequence_3 = { 0f8278010000 8b5df4 8d4dd8 56 8bd3 837b0400 }
            // n = 6, score = 100
            //   0f8278010000         | jb                  0x17e
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   56                   | push                esi
            //   8bd3                 | mov                 edx, ebx
            //   837b0400             | cmp                 dword ptr [ebx + 4], 0

        // Pushes 0x220 and 8 as arguments to an imported function (call
        // through the IAT, address wildcarded) and also keeps 0x220 in a
        // local; the callee is not visible here, so the meaning of the
        // constants is not established by this rule.
        $sequence_4 = { c3 83f802 7546 6820020000 6a08 c745fc20020000 ff15???????? }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   83f802               | cmp                 eax, 2
            //   7546                 | jne                 0x48
            //   6820020000           | push                0x220
            //   6a08                 | push                8
            //   c745fc20020000       | mov                 dword ptr [ebp - 4], 0x220
            //   ff15????????         |                     

        // Three consecutive near calls, each with the same stack buffer
        // (ebp - 0x270) loaded into ecx first; call targets are wildcarded.
        $sequence_5 = { 8d8d90fdffff e8???????? 8d8d90fdffff e8???????? 8d8d90fdffff e8???????? 6a50 }
            // n = 7, score = 100
            //   8d8d90fdffff         | lea                 ecx, [ebp - 0x270]
            //   e8????????           |                     
            //   8d8d90fdffff         | lea                 ecx, [ebp - 0x270]
            //   e8????????           |                     
            //   8d8d90fdffff         | lea                 ecx, [ebp - 0x270]
            //   e8????????           |                     
            //   6a50                 | push                0x50

        $sequence_6 = { 0b7de4 237ddc 8b55f4 0bf8 897de0 8bc6 014de0 }
            // n = 7, score = 100
            //   0b7de4               | or                  edi, dword ptr [ebp - 0x1c]
            //   237ddc               | and                 edi, dword ptr [ebp - 0x24]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   0bf8                 | or                  edi, eax
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   8bc6                 | mov                 eax, esi
            //   014de0               | add                 dword ptr [ebp - 0x20], ecx

        $sequence_7 = { 8b45dc 8bc8 0155e8 c1c00a }
            // n = 4, score = 100
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8bc8                 | mov                 ecx, eax
            //   0155e8               | add                 dword ptr [ebp - 0x18], edx
            //   c1c00a               | rol                 eax, 0xa

        // Only 5 bytes: ecx = (ecx - (ecx != 0)) >> 5 with eax zeroed. This is
        // a very generic compiler idiom and is the weakest discriminator here.
        $sequence_8 = { 85c9 0f95c0 2bc8 33c0 c1e905 }
            // n = 5, score = 100
            //   85c9                 | test                ecx, ecx
            //   0f95c0               | setne               al
            //   2bc8                 | sub                 ecx, eax
            //   33c0                 | xor                 eax, eax
            //   c1e905               | shr                 ecx, 5

        // Stores bytes of ecx at [ebx+0x11], [ebx+0x12], [ebx+0x13] from the
        // high bits down (>>16, >>8, low byte): a big-endian serialization of
        // a 32-bit value into a buffer, as hash implementations do when
        // emitting their digest -- TODO confirm with the sample.
        $sequence_9 = { c1e810 884311 8bc1 c1e808 884312 884b13 8b4f1c }
            // n = 7, score = 100
            //   c1e810               | shr                 eax, 0x10
            //   884311               | mov                 byte ptr [ebx + 0x11], al
            //   8bc1                 | mov                 eax, ecx
            //   c1e808               | shr                 eax, 8
            //   884312               | mov                 byte ptr [ebx + 0x12], al
            //   884b13               | mov                 byte ptr [ebx + 0x13], cl
            //   8b4f1c               | mov                 ecx, dword ptr [edi + 0x1c]

    // At least 7 of the 10 sequences must be present, and the scanned object
    // must be smaller than 133120 bytes (130 KiB). Both halves are required:
    // a larger file (e.g. the same code embedded in a bigger binary or a full
    // process dump) will not match even if all ten sequences are present.
    // NOTE(review): per the YARA documentation, filesize is only meaningful
    // when scanning files, so do not expect this rule to fire on a live
    // process scan; apply it to dumped/unpacked files instead.
    condition:
        7 of them and filesize < 133120
}