win.karma

Karma


Ransomware.

References
2022-04-21Sentinel LABSAntonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-28SophosSean Gallagher
@online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2021-11-22Youtube (OALabs)c3rb3ru5d3d53c, Sergei Frankoff
@online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...
Karma
2021-11-04BlackberryBlackBerry Research & Intelligence Team
@online{team:20211104:threat:41a70b2, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Karma Ransomware}}, date = {2021-11-04}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware}, language = {English}, urldate = {2021-11-08} } Threat Thursday: Karma Ransomware
Karma
2021-10-18SentinelOneAntonis Terefos
@online{terefos:20211018:karma:04248e2, author = {Antonis Terefos}, title = {{Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree}}, date = {2021-10-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/}, language = {English}, urldate = {2021-10-24} } Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
Karma Nemty
2021-08-24cybleCyble
@online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } A Deep-dive Analysis of KARMA Ransomware
Karma
Yara Rules
[TLP:WHITE] win_karma_auto (20230125 | Detects win.karma.)
rule win_karma_auto {
    // Autogenerated code-similarity rule for win.karma (Karma ransomware).
    // Each $sequence_N is an opcode byte run lifted from disassembly by
    // YARA-Signator; the condition fires when at least 7 of the 10 runs are
    // present in a file smaller than 49208 bytes. See the DISCLAIMER below
    // on how the sequences were chosen and why coverage may be narrow.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per sequence: "n" is the instruction count, "score" the signator
        // ranking. The disassembly listing under each hex run is the
        // generator's rendering of the bytes and is informational only.
        $sequence_0 = { 2bc8 d1f9 41 56 8db5f8fdffff 83ee02 03c9 }
            // n = 7, score = 100
            //   2bc8                 | sub                 ecx, eax
            //   d1f9                 | sar                 ecx, 1
            //   41                   | inc                 ecx
            //   56                   | push                esi
            //   8db5f8fdffff         | lea                 esi, [ebp - 0x208]
            //   83ee02               | sub                 esi, 2
            //   03c9                 | add                 ecx, ecx

        // NOTE(review): movzx word / test ax / jne backwards looks like a
        // UTF-16 string scan loop (same shape as $sequence_7); such loops are
        // compiler-generated and weak discriminators on their own — the
        // 7-of-10 threshold in the condition is what gives the rule precision.
        $sequence_1 = { 0fb702 8d4902 668901 8d5202 6685c0 75ef 8bcb }
            // n = 7, score = 100
            //   0fb702               | movzx               eax, word ptr [edx]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   668901               | mov                 word ptr [ecx], ax
            //   8d5202               | lea                 edx, [edx + 2]
            //   6685c0               | test                ax, ax
            //   75ef                 | jne                 0xfffffff1
            //   8bcb                 | mov                 ecx, ebx

        $sequence_2 = { 8d0437 83f840 7cc8 8b750c 8d5304 8d7b3b }
            // n = 6, score = 100
            //   8d0437               | lea                 eax, [edi + esi]
            //   83f840               | cmp                 eax, 0x40
            //   7cc8                 | jl                  0xffffffca
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8d5304               | lea                 edx, [ebx + 4]
            //   8d7b3b               | lea                 edi, [ebx + 0x3b]

        $sequence_3 = { 2bca 750e 6685db 0f8438030000 }
            // n = 4, score = 100
            //   2bca                 | sub                 ecx, edx
            //   750e                 | jne                 0x10
            //   6685db               | test                bx, bx
            //   0f8438030000         | je                  0x33e

        $sequence_4 = { 83c404 f745fc00020000 7431 33c0 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   f745fc00020000       | test                dword ptr [ebp - 4], 0x200
            //   7431                 | je                  0x33
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 8bc7 d3e8 8b4d08 d3e2 }
            // n = 4, score = 100
            //   8bc7                 | mov                 eax, edi
            //   d3e8                 | shr                 eax, cl
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   d3e2                 | shl                 edx, cl

        // NOTE(review): starts with a generic callee-saved-register prologue
        // (push ebx / mov ebx, ecx / push esi / push edi); the trailing loads
        // from [ebx] and [ebx + 0xc] are what make it specific.
        $sequence_6 = { 53 8bd9 56 57 8b3b 8b730c 8d0437 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   8bd9                 | mov                 ebx, ecx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3b                 | mov                 edi, dword ptr [ebx]
            //   8b730c               | mov                 esi, dword ptr [ebx + 0xc]
            //   8d0437               | lea                 eax, [edi + esi]

        // The 660f1f440000 bytes are a multi-byte nop (loop-alignment padding
        // emitted by the compiler), not program logic.
        $sequence_7 = { 8d8c2470040000 8d542444 660f1f440000 0fb701 83c102 6685c0 75f5 }
            // n = 7, score = 100
            //   8d8c2470040000       | lea                 ecx, [esp + 0x470]
            //   8d542444             | lea                 edx, [esp + 0x44]
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   83c102               | add                 ecx, 2
            //   6685c0               | test                ax, ax
            //   75f5                 | jne                 0xfffffff7

        // NOTE(review): rol 0xd followed by xor resembles a hashing/mixing
        // step writing back into a struct at [ebx + 0x38]; purpose not
        // established by the bytes alone — confirm against the sample.
        $sequence_8 = { 8b5334 8d040a c1c00d 33c6 894338 }
            // n = 5, score = 100
            //   8b5334               | mov                 edx, dword ptr [ebx + 0x34]
            //   8d040a               | lea                 eax, [edx + ecx]
            //   c1c00d               | rol                 eax, 0xd
            //   33c6                 | xor                 eax, esi
            //   894338               | mov                 dword ptr [ebx + 0x38], eax

        $sequence_9 = { 8b4814 894e14 8b4818 8b401c 5f 894e18 }
            // n = 6, score = 100
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   894e14               | mov                 dword ptr [esi + 0x14], ecx
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b401c               | mov                 eax, dword ptr [eax + 0x1c]
            //   5f                   | pop                 edi
            //   894e18               | mov                 dword ptr [esi + 0x18], ecx

    condition:
        // "them" covers all ten $sequence_* strings, so at least 7 must match.
        // The sequences were taken from unpacked code (see DISCLAIMER), so the
        // rule is meant for memory dumps / unpacked files, not packed samples.
        // NOTE(review): the filesize bound presumably derives from the
        // sample(s) used for generation; larger rebuilt or repacked binaries
        // would fall outside it — confirm before relying on it as a cutoff.
        7 of them and filesize < 49208
}
[TLP:WHITE] win_karma_w0   (20211108 | Detects Karma Ransomware 2021)
import "pe"

rule win_karma_w0 {
    // Hand-written Karma ransomware rule (BlackBerry, 2021). Matches a PE
    // file that carries the base64-encoded ransom note opener together with
    // three plain-text strings the author observed in the sample.
    meta:
        description = "Detects Karma Ransomware 2021"
        author = "Blackberry Threat Research Team"
        date = "2021-10"
        source = "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211108"
        malpedia_hash = ""
        malpedia_version = "20211108"
        malpedia_license = "Apache License 2.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Base64 of "Your network has been breached by Karma ransomware group."
        // — the opening line of the ransom note, kept encoded in the binary.
        // Matched as the literal base64 text (ASCII and UTF-16LE), so a
        // differently aligned/encoded copy of the note would not be caught.
        $note_b64 = "WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAu" ascii wide

        // Supporting strings; each is common in benign software and only
        // adds precision in combination with the note above.
        $str_crypt32 = "crypt32.dll" nocase
        $str_karma = "KARMA" ascii wide
        $str_sleep = "Sleep" nocase

    condition:
        // MZ header, then every string above must be present.
        uint16(0) == 0x5a4d
        and $note_b64
        and all of ($str_*)
}