win.karma

Karma


Ransomware.

References
2022-04-21 — Sentinel LABS — Antonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-03-17 — Sophos — Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16 — Symantec — Symantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-28 — Sophos — Sean Gallagher
@online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2021-11-22 — Youtube (OALabs) — c3rb3ru5d3d53c, Sergei Frankoff
@online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...
Karma
2021-11-04 — Blackberry — BlackBerry Research & Intelligence Team
@online{team:20211104:threat:41a70b2, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Karma Ransomware}}, date = {2021-11-04}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware}, language = {English}, urldate = {2021-11-08} } Threat Thursday: Karma Ransomware
Karma
2021-10-18 — SentinelOne — Antonis Terefos
@online{terefos:20211018:karma:04248e2, author = {Antonis Terefos}, title = {{Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree}}, date = {2021-10-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/}, language = {English}, urldate = {2021-10-24} } Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
Karma Nemty
2021-08-24 — cyble — Cyble
@online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } A Deep-dive Analysis of KARMA Ransomware
Karma
Yara Rules
[TLP:WHITE] win_karma_auto (20230715 | Detects win.karma.)
rule win_karma_auto {
    /* Auto-generated code-pattern rule for win.karma (Karma ransomware).
     * It carries ten short x86 opcode sequences lifted from the family's
     * disassembly (see DISCLAIMER below); the rule fires when 7 of the 10
     * sequences are present and the scanned object is under 49208 bytes.
     * Because the sequences come from memory dumps and unpacked files, the
     * rule is expected to perform best on unpacked code or memory rather than
     * on packed on-disk samples.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of raw instruction bytes; "??" wildcards stand
     * for operands the generator masked out (per signator_config: call/jump
     * targets and absolute data references), which is why those rows carry no
     * disassembly in the annotations. "n" is the instruction count, "score"
     * the generator's confidence for the sequence.
     */
    strings:
        $sequence_0 = { ff742428 8b4c2430 e8???????? 8b35???????? 33d2 }
            // n = 5, score = 100
            //   ff742428             | push                dword ptr [esp + 0x28]
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   8b35????????         |                     
            //   33d2                 | xor                 edx, edx

        $sequence_1 = { 7ce6 57 8bd7 8bce e8???????? }
            // n = 5, score = 100
            //   7ce6                 | jl                  0xffffffe8
            //   57                   | push                edi
            //   8bd7                 | mov                 edx, edi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_2 = { 0f1006 0f114318 e8???????? 5f }
            // n = 4, score = 100
            //   0f1006               | movups              xmm0, xmmword ptr [esi]
            //   0f114318             | movups              xmmword ptr [ebx + 0x18], xmm0
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_3 = { d1f8 83e902 40 8d1400 0f1f00 0fb70411 8d4902 }
            // n = 7, score = 100
            //   d1f8                 | sar                 eax, 1
            //   83e902               | sub                 ecx, 2
            //   40                   | inc                 eax
            //   8d1400               | lea                 edx, [eax + eax]
            //   0f1f00               | nop                 dword ptr [eax]
            //   0fb70411             | movzx               eax, word ptr [ecx + edx]
            //   8d4902               | lea                 ecx, [ecx + 2]

        $sequence_4 = { 0f1f4000 40 6683bc45f4fdffff00 75f4 6a00 6a00 50 }
            // n = 7, score = 100
            //   0f1f4000             | nop                 dword ptr [eax]
            //   40                   | inc                 eax
            //   6683bc45f4fdffff00     | cmp    word ptr [ebp + eax*2 - 0x20c], 0
            //   75f4                 | jne                 0xfffffff6
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_5 = { 56 57 8d7902 33f6 8bd7 0fb64a01 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d7902               | lea                 edi, [ecx + 2]
            //   33f6                 | xor                 esi, esi
            //   8bd7                 | mov                 edx, edi
            //   0fb64a01             | movzx               ecx, byte ptr [edx + 1]

        $sequence_6 = { 0f8484010000 83c702 ebc5 33ff 6690 0fb78ffc434000 0fb79c3c68020000 }
            // n = 7, score = 100
            //   0f8484010000         | je                  0x18a
            //   83c702               | add                 edi, 2
            //   ebc5                 | jmp                 0xffffffc7
            //   33ff                 | xor                 edi, edi
            //   6690                 | nop                 
            //   0fb78ffc434000       | movzx               ecx, word ptr [edi + 0x4043fc]
            //   0fb79c3c68020000     | movzx               ebx, word ptr [esp + edi + 0x268]

        $sequence_7 = { 8d4c2448 2bc2 83e902 d1f8 40 8d1400 660f1f440000 }
            // n = 7, score = 100
            //   8d4c2448             | lea                 ecx, [esp + 0x48]
            //   2bc2                 | sub                 eax, edx
            //   83e902               | sub                 ecx, 2
            //   d1f8                 | sar                 eax, 1
            //   40                   | inc                 eax
            //   8d1400               | lea                 edx, [eax + eax]
            //   660f1f440000         | nop                 word ptr [eax + eax]

        $sequence_8 = { c1c80e 33c7 8b7b14 8903 8d0437 c1c007 314324 }
            // n = 7, score = 100
            //   c1c80e               | ror                 eax, 0xe
            //   33c7                 | xor                 eax, edi
            //   8b7b14               | mov                 edi, dword ptr [ebx + 0x14]
            //   8903                 | mov                 dword ptr [ebx], eax
            //   8d0437               | lea                 eax, [edi + esi]
            //   c1c007               | rol                 eax, 7
            //   314324               | xor                 dword ptr [ebx + 0x24], eax

        $sequence_9 = { 8bf3 8d41bf 83f819 8d5120 8d46bf }
            // n = 5, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   8d41bf               | lea                 eax, [ecx - 0x41]
            //   83f819               | cmp                 eax, 0x19
            //   8d5120               | lea                 edx, [ecx + 0x20]
            //   8d46bf               | lea                 eax, [esi - 0x41]

    /* Majority vote over the sequences (7 of 10), bounded by a size cap that
     * reflects the sample the rule was generated from; larger objects
     * (e.g. packed droppers or full memory images) will not match even if the
     * sequences are present.
     */
    condition:
        7 of them and filesize < 49208
}
[TLP:WHITE] win_karma_w0 (20211108 | Detects Karma Ransomware 2021)
import "pe"

rule win_karma_w0 {
    /* Hand-written string rule for Karma ransomware (2021 samples).
     * The anchor is the base64-encoded opening line of the ransom note; the
     * remaining strings (a crypto DLL name, the family name and an API name)
     * are generic on their own and only serve as supporting constraints.
     */
    meta:
        author = "Blackberry Threat Research Team"
        description = "Detects Karma Ransomware 2021"
        date = "2021-10"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        source = "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211108"
        malpedia_hash = ""
        malpedia_version = "20211108"
        malpedia_license = "Apache License 2.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Literal base64 of "Your network has been breached by Karma ransomware group."
        // as embedded in the sample. This is the plain encoded text, not a
        // `base64` modifier, so only this exact alignment of the note matches.
        $s1 = "WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAu" ascii wide
        // Supporting strings; each is common in benign binaries, hence all are required.
        $x3 = "KARMA" ascii wide
        $x2 = "crypt32.dll" nocase
        $x4 = "Sleep" nocase

    condition:
        // MZ header check on the raw bytes; the pe module is not consulted here.
        uint16(0) == 0x5a4d
        // Ransom-note anchor plus every supporting string.
        and $s1 and $x2 and $x3 and $x4
}