win.karma

Karma


Ransomware.

References
2022-04-21Sentinel LABSAntonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-28SophosSean Gallagher
@online{gallagher:20220228:conti:bcf09a0, author = {Sean Gallagher}, title = {{Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits}}, date = {2022-02-28}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728}, language = {English}, urldate = {2022-03-02} } Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2021-11-22Youtube (OALabs)c3rb3ru5d3d53c, Sergei Frankoff
@online{c3rb3ru5d3d53c:20211122:introduction:1daa38b, author = {c3rb3ru5d3d53c and Sergei Frankoff}, title = {{Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...}}, date = {2021-11-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=hgz5gZB3DxE}, language = {English}, urldate = {2021-11-29} } Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...
Karma
2021-11-04BlackberryBlackBerry Research & Intelligence Team
@online{team:20211104:threat:41a70b2, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Karma Ransomware}}, date = {2021-11-04}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware}, language = {English}, urldate = {2021-11-08} } Threat Thursday: Karma Ransomware
Karma
2021-10-18SentinelOneAntonis Terefos
@online{terefos:20211018:karma:04248e2, author = {Antonis Terefos}, title = {{Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree}}, date = {2021-10-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/}, language = {English}, urldate = {2021-10-24} } Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
Karma Nemty
2021-08-24cybleCyble
@online{cyble:20210824:deepdive:9bd2478, author = {Cyble}, title = {{A Deep-dive Analysis of KARMA Ransomware}}, date = {2021-08-24}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/}, language = {English}, urldate = {2021-09-19} } A Deep-dive Analysis of KARMA Ransomware
Karma
Yara Rules
[TLP:WHITE] win_karma_auto (20220411 | Detects win.karma.)
rule win_karma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Auto-generated code-sequence signature (YARA-Signator,
     * https://github.com/fxb-cocacoding/yara-signator).
     *
     * Each $seq_N below is a run of x86 instruction bytes lifted from the
     * disassembly of unpacked / memory-dumped samples. The "??" bytes mask
     * rel32 call targets, 32-bit immediates and absolute memory operands
     * (e8, ba/b9, ff15, 8b35, 8b1d), presumably so the pattern survives
     * relocation and rebuilds. The annotated n/score values are the
     * generator's own statistics and are kept for traceability.
     *
     * Coverage caveat: Malpedia often holds a single sample per family, so
     * these sequences may generalise poorly to other builds. Weight the
     * confidence you assign to a hit accordingly.
     */

    strings:
        /* n = 7, score = 100
         * cmp byte ptr [edx], cl / je / nop dword ptr [eax] / inc ecx /
         * cmp byte ptr [edx + ecx], 0 / jne / mov esi, [abs]
         * Looks like a NUL-terminated byte scan; interpretation not verified. */
        $seq_0 = { 38 0a 74 0e 0f 1f 80 00 00 00 00 41 80 3c 0a 00 75 f9 8b 35 ?? ?? ?? ?? }

        /* n = 7, score = 100
         * lea ecx, [ebp - 0x20c] / call / mov edx, imm32 /
         * lea ecx, [ebp - 0x20c] / call / lea edx, [ebp - 0x20c] / mov ecx, imm32
         * Repeated calls taking the same stack buffer as the ecx argument. */
        $seq_1 = { 8d 8d f4 fd ff ff e8 ?? ?? ?? ?? ba ?? ?? ?? ?? 8d 8d f4 fd ff ff e8 ?? ?? ?? ?? 8d 95 f4 fd ff ff b9 ?? ?? ?? ?? }

        /* n = 5, score = 100
         * test cx, cx / jne / xor eax, eax / cmp word ptr [ebp - 0x208], ax / je
         * 16-bit (wide-char sized) compares against the same stack frame region. */
        $seq_2 = { 66 85 c9 75 ef 33 c0 66 39 85 f8 fd ff ff 74 10 }

        /* n = 4, score = 100
         * lea eax, [ecx + edi] / rol eax, 9 / xor [ebx + 0x34], eax / mov edx, [ebx + 0x34]
         * Add-rotate-xor step on a struct field; looks like a mixing round — TODO confirm. */
        $seq_3 = { 8d 04 39 c1 c0 09 31 43 34 8b 53 34 }

        /* n = 7, score = 100
         * push 0x40 / push ebx / push edi / call [abs] / mov esi, [abs] / call esi / cmp eax, 6 */
        $seq_4 = { 6a 40 53 57 ff 15 ?? ?? ?? ?? 8b 35 ?? ?? ?? ?? ff d6 83 f8 06 }

        /* n = 5, score = 100
         * push eax / push 0x27100 / push esi / push dword ptr [esp + 0x20] / call [abs]
         * The constant 0x27100 (160000) also appears in $seq_7. */
        $seq_5 = { 50 68 00 71 02 00 56 ff 74 24 20 ff 15 ?? ?? ?? ?? }

        /* n = 7, score = 100
         * inc edi / mov eax, [esi] / btr eax, ecx / mov [esi], eax /
         * cmp edi, 0x100 / jl / push edx
         * Bit-reset loop bounded at 0x100 iterations. */
        $seq_6 = { 47 8b 06 0f b3 c8 89 06 81 ff 00 01 00 00 7c e3 52 }

        /* n = 7, score = 100
         * nop / sub eax, edi / sbb ecx, edx / mov [esp + 0x3c], ecx / js / jg / cmp eax, 0x27100
         * 64-bit subtract (sub/sbb) followed by a signed compare against 0x27100. */
        $seq_7 = { 66 90 2b c7 1b ca 89 4c 24 3c 0f 88 ce 00 00 00 7f 0b 3d 00 71 02 00 }

        /* n = 6, score = 100
         * movzx ecx, word ptr [ebp - 2] / push 0 / push 0 / mov [eax + 6], cx /
         * call [abs] / push 0x1f4 */
        $seq_8 = { 0f b7 4d fe 6a 00 6a 00 66 89 48 06 ff 15 ?? ?? ?? ?? 68 f4 01 00 00 }

        /* n = 4, score = 100
         * xor edi, edi / test esi, esi / jle / mov ebx, [abs] */
        $seq_9 = { 33 ff 85 f6 7e 1a 8b 1d ?? ?? ?? ?? }

    condition:
        // Size bound first (cheap), then require any seven of the ten
        // sequences; every string above is a $seq_* so this is the same
        // set as "7 of them".
        filesize < 49208 and 7 of ($seq_*)
}
[TLP:WHITE] win_karma_w0   (20211108 | Detects Karma Ransomware 2021)
// NOTE(review): the "pe" module is imported but win_karma_w0 below never
// references pe.*; its PE check is the raw MZ test uint16(0) == 0x5a4d.
// Harmless as-is, but the import can be dropped if the rule is ever
// carried out of this file on its own.
import "pe"

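rule win_karma_w0 {
    meta:
        author = "Blackberry Threat Research Team"
        description = "Detects Karma Ransomware 2021"
        date = "2021-10"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        source = "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware"
        // Corrected: the published copy of this rule pointed at the
        // win.dridex entry, but the rule is catalogued under win.karma.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211108"
        // No reference sample hash was recorded for this rule.
        malpedia_hash = ""
        malpedia_version = "20211108"
        malpedia_license = "Apache License 2.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Base64 of the ransom note's opening sentence,
        // "Your network has been breached by Karma ransomware group."
        // This is the only family-specific artefact in the rule and is what
        // actually carries the detection; matched ascii and UTF-16LE.
        $s1 = "WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAu" ascii wide
        // The $x strings are generic: a CryptoAPI DLL name, the family name
        // in caps, and a common Win32 API name. Plenty of benign binaries
        // contain $x2 and $x4, so they only slightly tighten $s1 and should
        // not be treated as independent evidence.
        $x2 = "crypt32.dll" nocase
        $x3 = "KARMA" ascii wide
        $x4 = "Sleep" nocase

    condition:
        // PE File (raw MZ magic; the "pe" module is not used by this rule)
        uint16(0) == 0x5a4d and
        // Base64 Karma Note
        all of ($s*) and
        // All Strings
        all of ($x*)
}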