win.defray

Defray

aka: Glushkov

Defray is targeted ransomware that appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics. According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email.
The campaigns are as small as several messages each.
The lures are custom crafted to appeal to the intended set of potential victims.
The recipients are individuals or distribution lists, e.g., group@ and websupport@.
Geographic targeting is in the UK and US.
Vertical targeting varies by campaign and is narrow and selective."

References

2020-11-20, Trend Micro, Abraham Camba, Bren Matthew Ebriega, Gilbert Sison: "Weaponizing Open Source Software for Targeted Attacks" (families: LaZagne, Defray, PlugX)
2020-11-06, Palo Alto Networks Unit 42, CRYPSIS, Drew Schmitt, Ryan Tracey: "Next Up: 'PyXie Lite'" (families: Defray, PyXie)
2020-09-23, Bleeping Computer, Lawrence Abrams: "Government software provider Tyler Technologies hit by ransomware" (families: Defray)
2020-02-25, RSA Conference, Joel DeCapua: "Feds Fighting Ransomware: How the FBI Investigates and How You Can Help" (families: FastCash, Cerber, Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Mamba, Phobos, Rapid Ransom, REvil, Ryuk, SamSam, Zeus)
2020-01-17, Secureworks, Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru: "Is It Wrong to Try to Find APT Techniques in Ransomware Attack?" (families: Defray, Dharma, FriedEx, Gandcrab, GlobeImposter, Matrix Ransom, MedusaLocker, Phobos, REvil, Ryuk, SamSam, Scarab Ransomware)
2020-01-01, Secureworks, SecureWorks: "GOLD DUPONT" (families: Cobalt Strike, Defray, PyXie; actor: GOLD DUPONT)
2017-09-26, Threat Vector, Cylance Threat Research Team: "Defray Ransomware Hits Healthcare and Education" (families: Defray)
2017-08-24, Proofpoint, Proofpoint Staff: "Defray - New Ransomware Targeting Education and Healthcare Verticals" (families: Defray)
2017-08-24, Proofpoint, Proofpoint Staff: "New Defray Ransomware Targets Education and Healthcare Verticals" (families: Defray)

Yara Rules
[TLP:WHITE] win_defray_auto (20230808 | Detects win.defray.)
rule win_defray_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.defray."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bc1 75c3 894db4 8d8d60ffffff e8???????? 84c0 7419 }
            // n = 7, score = 200
            //   3bc1                 | cmp                 eax, ecx
            //   75c3                 | jne                 0xffffffc5
            //   894db4               | mov                 dword ptr [ebp - 0x4c], ecx
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7419                 | je                  0x1b

        $sequence_1 = { 8b0b 8bc1 83e13f c1f806 6bc930 8b048568f34800 }
            // n = 6, score = 200
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bc1                 | mov                 eax, ecx
            //   83e13f               | and                 ecx, 0x3f
            //   c1f806               | sar                 eax, 6
            //   6bc930               | imul                ecx, ecx, 0x30
            //   8b048568f34800       | mov                 eax, dword ptr [eax*4 + 0x48f368]

        $sequence_2 = { 33c0 8dbd94f5ffff a5 a5 a5 8dbda0f5ffff be???????? }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   8dbd94f5ffff         | lea                 edi, [ebp - 0xa6c]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8dbda0f5ffff         | lea                 edi, [ebp - 0xa60]
            //   be????????           |                     

        $sequence_3 = { 2bf2 8d7b1f c1ef05 c1fe02 897d08 3bfe 7322 }
            // n = 7, score = 200
            //   2bf2                 | sub                 esi, edx
            //   8d7b1f               | lea                 edi, [ebx + 0x1f]
            //   c1ef05               | shr                 edi, 5
            //   c1fe02               | sar                 esi, 2
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   3bfe                 | cmp                 edi, esi
            //   7322                 | jae                 0x24

        $sequence_4 = { 83c9f8 41 0f2825???????? 8bd6 0f282d???????? 2bd1 0f57db }
            // n = 7, score = 200
            //   83c9f8               | or                  ecx, 0xfffffff8
            //   41                   | inc                 ecx
            //   0f2825????????       |                     
            //   8bd6                 | mov                 edx, esi
            //   0f282d????????       |                     
            //   2bd1                 | sub                 edx, ecx
            //   0f57db               | xorps               xmm3, xmm3

        $sequence_5 = { 33c6 03d0 8b85e0feffff 03940514ffffff 039008d54700 03d7 8bbde4feffff }
            // n = 7, score = 200
            //   33c6                 | xor                 eax, esi
            //   03d0                 | add                 edx, eax
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   03940514ffffff       | add                 edx, dword ptr [ebp + eax - 0xec]
            //   039008d54700         | add                 edx, dword ptr [eax + 0x47d508]
            //   03d7                 | add                 edx, edi
            //   8bbde4feffff         | mov                 edi, dword ptr [ebp - 0x11c]

        $sequence_6 = { 56 6a02 51 8975fc 8975f8 ff15???????? }
            // n = 6, score = 200
            //   56                   | push                esi
            //   6a02                 | push                2
            //   51                   | push                ecx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   ff15????????         |                     

        $sequence_7 = { 663907 7407 83c702 3bfe 75f4 3bfe 0f8434feffff }
            // n = 7, score = 200
            //   663907               | cmp                 word ptr [edi], ax
            //   7407                 | je                  9
            //   83c702               | add                 edi, 2
            //   3bfe                 | cmp                 edi, esi
            //   75f4                 | jne                 0xfffffff6
            //   3bfe                 | cmp                 edi, esi
            //   0f8434feffff         | je                  0xfffffe3a

        $sequence_8 = { 8bf0 85f6 0f8528050000 8b45d8 c745f4006d4100 8945f8 837d1000 }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   0f8528050000         | jne                 0x52e
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   c745f4006d4100       | mov                 dword ptr [ebp - 0xc], 0x416d00
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_9 = { 6a0c 99 5f f7ff 8365e000 8b7508 85c0 }
            // n = 7, score = 200
            //   6a0c                 | push                0xc
            //   99                   | cdq                 
            //   5f                   | pop                 edi
            //   f7ff                 | idiv                edi
            //   8365e000             | and                 dword ptr [ebp - 0x20], 0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 1253376
}