SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industrial_spy (Back to overview)

Industrial Spy


A ransomware that emerged in April 2022.

References
2022-08-01ZscalerAtinderpal Singh
@online{singh:20220801:technical:ab3b0b8, author = {Atinderpal Singh}, title = {{Technical Analysis of Industrial Spy Ransomware}}, date = {2022-08-01}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware}, language = {English}, urldate = {2022-08-02} } Technical Analysis of Industrial Spy Ransomware
Industrial Spy
Yara Rules
[TLP:WHITE] win_industrial_spy_auto (20230407 | Detects win.industrial_spy.)
rule win_industrial_spy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.industrial_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4403d1 4133c2 4133c1 0345c8 4403c0 8bc1 }
            // n = 6, score = 100
            //   4403d1               | lea                 ecx, [ebx + 0x242070db]
            //   4133c2               | not                 ecx
            //   4133c1               | dec                 ecx
            //   0345c8               | sub                 ecx, 4
            //   4403c0               | inc                 ecx
            //   8bc1                 | sub                 eax, 1

        $sequence_1 = { 33d2 410fb70451 66890451 48ffc2 6685c0 75ef 48ffc3 }
            // n = 7, score = 100
            //   33d2                 | dec                 eax
            //   410fb70451           | sub                 edi, ecx
            //   66890451             | inc                 ebp
            //   48ffc2               | mov                 ecx, ecx
            //   6685c0               | mov                 edx, dword ptr [edi + ebx]
            //   75ef                 | inc                 ecx
            //   48ffc3               | mov                 ecx, ebx

        $sequence_2 = { 4533c9 4889442428 4533c0 33d2 4c89642420 488bcb }
            // n = 6, score = 100
            //   4533c9               | mov                 ecx, esi
            //   4889442428           | test                eax, eax
            //   4533c0               | jne                 0xa18
            //   33d2                 | dec                 esp
            //   4c89642420           | lea                 eax, [0x9c1b]
            //   488bcb               | dec                 eax

        $sequence_3 = { 0f872f010000 ff15???????? 41b80a020000 418bd6 488bc8 ff15???????? 4c8d8d600d0000 }
            // n = 7, score = 100
            //   0f872f010000         | mov                 dword ptr [esp + 0x20], esi
            //   ff15????????         |                     
            //   41b80a020000         | dec                 eax
            //   418bd6               | mov                 edx, edi
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   4c8d8d600d0000       | lea                 ecx, [esp + 0x140]

        $sequence_4 = { f20f59ee f20f5ce9 f2410f1004c1 488d15e6a00000 f20f1014c2 f20f1025???????? f20f59e6 }
            // n = 7, score = 100
            //   f20f59ee             | lea                 ecx, [esp + 0x50]
            //   f20f5ce9             | dec                 eax
            //   f2410f1004c1         | and                 dword ptr [esp + 0x20], 0
            //   488d15e6a00000       | xor                 edx, edx
            //   f20f1014c2           | dec                 eax
            //   f20f1025????????     |                     
            //   f20f59e6             | lea                 ecx, [ebp + 0x19f0]

        $sequence_5 = { 7409 03ca d1e8 83f920 72f3 41bc20000000 }
            // n = 6, score = 100
            //   7409                 | dec                 esp
            //   03ca                 | mov                 eax, edi
            //   d1e8                 | movups              xmmword ptr [esp + 0x268], xmm0
            //   83f920               | movsd               qword ptr [esp + 0x278], xmm0
            //   72f3                 | movups              xmmword ptr [esp + 0x228], xmm1
            //   41bc20000000         | movups              xmmword ptr [esp + 0x2a8], xmm0

        $sequence_6 = { 0fb68c2490000000 4c8d0531b90000 4803da 4883f101 4803d9 482bfb 488bcb }
            // n = 7, score = 100
            //   0fb68c2490000000     | inc                 ecx
            //   4c8d0531b90000       | add                 eax, ebp
            //   4803da               | inc                 ebp
            //   4883f101             | add                 edx, ecx
            //   4803d9               | inc                 ecx
            //   482bfb               | xor                 eax, edx
            //   488bcb               | add                 eax, dword ptr [ebp - 0x40]

        $sequence_7 = { 44897c2424 0f8878020000 488d542460 4963c7 }
            // n = 4, score = 100
            //   44897c2424           | inc                 esp
            //   0f8878020000         | mov                 eax, eax
            //   488d542460           | mov                 ecx, eax
            //   4963c7               | inc                 ecx

        $sequence_8 = { ff15???????? 488bc8 be00000100 448bc6 bb08000000 8bd3 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bc8               | cmp                 edx, esi
            //   be00000100           | seta                cl
            //   448bc6               | sub                 edx, dword ptr [esp + 0x50]
            //   bb08000000           | or                  eax, 0xffffffff
            //   8bd3                 | inc                 edx
            //   ff15????????         |                     

        $sequence_9 = { 418bc2 334704 448bc0 8bc8 48c1e810 83e03f 41c1c904 }
            // n = 7, score = 100
            //   418bc2               | dec                 eax
            //   334704               | lea                 ecx, [ebp + 0x40]
            //   448bc0               | dec                 eax
            //   8bc8                 | lea                 edx, [ebx + 0x80]
            //   48c1e810             | dec                 eax
            //   83e03f               | lea                 ecx, [ebp + 0x40]
            //   41c1c904             | dec                 eax

    condition:
        7 of them and filesize < 339968
}
Download all Yara Rules