win.karma

Karma


Ransomware.

References
2022-04-21 | Sentinel LABS | Antonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-03-17 | Sophos | Tilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16 | Symantec | Symantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-28 | Sophos | Sean Gallagher
@online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2021-11-22 | Youtube (OALabs) | c3rb3ru5d3d53c, Sergei Frankoff
@online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...
Karma
2021-11-04 | Blackberry | BlackBerry Research & Intelligence Team
@online{team:20211104:threat:41a70b2, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Karma Ransomware}}, date = {2021-11-04}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware}, language = {English}, urldate = {2021-11-08} } Threat Thursday: Karma Ransomware
Karma
2021-10-18 | SentinelOne | Antonis Terefos
@online{terefos:20211018:karma:04248e2, author = {Antonis Terefos}, title = {{Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree}}, date = {2021-10-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/}, language = {English}, urldate = {2021-10-24} } Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
Karma Nemty
2021-08-24 | cyble | Cyble
@online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } A Deep-dive Analysis of KARMA Ransomware
Karma
Yara Rules
[TLP:WHITE] win_karma_auto (20220808 | Detects win.karma.)
rule win_karma_auto {
    /* Auto-generated code-sequence signature for win.karma (see the
     * yara-signator DISCLAIMER below). Each $sequence_N is a short run of
     * x86 instruction bytes lifted from the disassembly of a single
     * analysed sample. The rule fires when at least 7 of the 10 sequences
     * occur in a file below 49208 bytes, i.e. it is meant for unpacked
     * binaries and memory dumps; a packed on-disk sample is unlikely to
     * carry these byte runs in the clear.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945f8 33db c645ff01 885dfe 8d0cf0 }
            // n = 5, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   33db                 | xor                 ebx, ebx
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   885dfe               | mov                 byte ptr [ebp - 2], bl
            //   8d0cf0               | lea                 ecx, [eax + esi*8]

        $sequence_1 = { 83c102 8bd0 6685c0 75da }
            // n = 4, score = 100
            //   83c102               | add                 ecx, 2
            //   8bd0                 | mov                 edx, eax
            //   6685c0               | test                ax, ax
            //   75da                 | jne                 0xffffffdc

        $sequence_2 = { 8be5 5d c3 8bd7 8d4de0 }
            // n = 5, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bd7                 | mov                 edx, edi
            //   8d4de0               | lea                 ecx, [ebp - 0x20]

        // The 0f1f.. / 660f1f.. bytes here and in $sequence_4..7 are
        // multi-byte NOP encodings (likely compiler alignment padding), so
        // part of each match is toolchain-specific rather than behaviour-specific.
        $sequence_3 = { 33ff 660f1f440000 0fb78fac434000 0fb75c3c44 8bf3 8d41bf 83f819 }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   0fb78fac434000       | movzx               ecx, word ptr [edi + 0x4043ac]
            //   0fb75c3c44           | movzx               ebx, word ptr [esp + edi + 0x44]
            //   8bf3                 | mov                 esi, ebx
            //   8d41bf               | lea                 eax, [ecx - 0x41]
            //   83f819               | cmp                 eax, 0x19

        $sequence_4 = { 72f4 0f84dd020000 33c9 0f1f440000 833c8f00 757a }
            // n = 6, score = 100
            //   72f4                 | jb                  0xfffffff6
            //   0f84dd020000         | je                  0x2e3
            //   33c9                 | xor                 ecx, ecx
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   833c8f00             | cmp                 dword ptr [edi + ecx*4], 0
            //   757a                 | jne                 0x7c

        // $sequence_5 and $sequence_6 both load 16-bit words with a +2
        // stride and loop until a zero word; this looks like a wide-char
        // (UTF-16) string scan, and 0x5c in $sequence_6 is '\' -- presumably
        // path handling. TODO confirm against the analysed sample.
        $sequence_5 = { 660f1f440000 0fb701 83c102 6685c0 75f5 }
            // n = 5, score = 100
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   83c102               | add                 ecx, 2
            //   6685c0               | test                ax, ax
            //   75f5                 | jne                 0xfffffff7

        $sequence_6 = { 8d4704 0f1f8000000000 0fb708 83f95c 740a 83c002 6685c9 }
            // n = 7, score = 100
            //   8d4704               | lea                 eax, [edi + 4]
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   83f95c               | cmp                 ecx, 0x5c
            //   740a                 | je                  0xc
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx

        $sequence_7 = { 7431 33c0 0f1f4000 6666660f1f840000000000 0f104405e0 }
            // n = 5, score = 100
            //   7431                 | je                  0x33
            //   33c0                 | xor                 eax, eax
            //   0f1f4000             | nop                 dword ptr [eax]
            //   6666660f1f840000000000     | nop    word ptr [eax + eax]
            //   0f104405e0           | movups              xmm0, xmmword ptr [ebp + eax - 0x20]

        // ff15 ???????? is an absolute indirect call (call dword ptr [imm32]);
        // the 4-byte address is wildcarded because it differs per build and
        // load address, which is what keeps this sequence usable across samples.
        $sequence_8 = { 50 6a00 ff15???????? 46 8945f8 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   46                   | inc                 esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        // Function prologue that aligns esp to 8 bytes and loads two dwords
        // from the first argument; generic compiler boilerplate, so this
        // sequence carries little specificity on its own.
        $sequence_9 = { 8bec 83e4f8 83ec08 8b4508 8b08 8b4004 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   83ec08               | sub                 esp, 8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

    condition:
        // 7-of-10 tolerates some drift between builds; the filesize cap is
        // presumably sized to the analysed sample, so larger (e.g. padded or
        // bundled) files will not match even if all sequences are present.
        7 of them and filesize < 49208
}
[TLP:WHITE] win_karma_w0   (20211108 | Detects Karma Ransomware 2021)
import "pe"

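rule win_karma_w0 {
    /* Karma ransomware (2021) signature from BlackBerry. The discriminating
     * string is $s1, the base64 form of the ransom note's opening line; the
     * $x* strings are generic (CryptoAPI DLL name, family name, Sleep) and
     * only narrow the match further. The `pe` module imported above is not
     * used by this rule -- the PE check is the bare MZ magic via uint16(0).
     */
    meta:
        author = "Blackberry Threat Research Team"
        description = "Detects Karma Ransomware 2021"
        date = "2021-10"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        source = "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware"
        // Fixed: this previously pointed at win.dridex, a different family;
        // the rule is catalogued under win.karma (same URL as win_karma_auto).
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211108"
        malpedia_hash = ""
        malpedia_version = "20211108"
        malpedia_license = "Apache License 2.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // base64 of "Your network has been breached by Karma ransomware group."
        // (decoded here for the reader). This is the high-confidence string;
        // the rule requires it, so a sample without the embedded note will not match.
        $s1 = "WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAu" ascii wide
        // Generic supporting strings: many benign PEs reference crypt32.dll
        // and kernel32!Sleep, so these add little on their own.
        $x2 = "crypt32.dll" nocase
        // Case-sensitive, unlike $x2/$x4: "Karma"/"karma" will not satisfy it.
        $x3 = "KARMA" ascii wide
        $x4 = "Sleep" nocase

    condition:
        //PE File (MZ magic only; the full PE header is not validated)
        uint16(0) == 0x5a4d and
        //Base64 Karma Note
        all of ($s*) and
        //All Strings
        all of ($x*)
}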