SYMBOLCOMMON_NAMEaka. SYNONYMS
win.killdisk (Back to overview)

KillDisk

Actor(s): Lazarus Group, Sandworm, TeleBots


There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-04-03ESET ResearchPeter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-01-15Trend MicroGilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot TeleBots
Yara Rules
[TLP:WHITE] win_killdisk_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_killdisk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d95e4fdffff 52 6800020000 68???????? }
            // n = 4, score = 100
            //   8d95e4fdffff         | lea                 edx, [ebp - 0x21c]
            //   52                   | push                edx
            //   6800020000           | push                0x200
            //   68????????           |                     

        $sequence_1 = { 88442408 50 8d642434 e9???????? }
            // n = 4, score = 100
            //   88442408             | mov                 byte ptr [esp + 8], al
            //   50                   | push                eax
            //   8d642434             | lea                 esp, [esp + 0x34]
            //   e9????????           |                     

        $sequence_2 = { ff15???????? 8bb5bcfeffff 8d95c0feffff 52 56 ff15???????? 85c0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bb5bcfeffff         | mov                 esi, dword ptr [ebp - 0x144]
            //   8d95c0feffff         | lea                 edx, [ebp - 0x140]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 030495c00f4100 eb05 b8???????? f6400420 }
            // n = 4, score = 100
            //   030495c00f4100       | add                 eax, dword ptr [edx*4 + 0x410fc0]
            //   eb05                 | jmp                 7
            //   b8????????           |                     
            //   f6400420             | test                byte ptr [eax + 4], 0x20

        $sequence_4 = { e8???????? 9c 8f442420 ff3424 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   9c                   | pushfd              
            //   8f442420             | pop                 dword ptr [esp + 0x20]
            //   ff3424               | push                dword ptr [esp]

        $sequence_5 = { 33c0 57 51 8d742414 8bfa 89442414 89442418 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   57                   | push                edi
            //   51                   | push                ecx
            //   8d742414             | lea                 esi, [esp + 0x14]
            //   8bfa                 | mov                 edi, edx
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_6 = { 0f84eb000000 807d1400 7413 8b442410 50 6a01 }
            // n = 6, score = 100
            //   0f84eb000000         | je                  0xf1
            //   807d1400             | cmp                 byte ptr [ebp + 0x14], 0
            //   7413                 | je                  0x15
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_7 = { e8???????? 60 9c 894500 6689542404 53 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   894500               | mov                 dword ptr [ebp], eax
            //   6689542404           | mov                 word ptr [esp + 4], dx
            //   53                   | push                ebx

        $sequence_8 = { 6681ff6148 f6d0 e9???????? 46 60 9c 9c }
            // n = 7, score = 100
            //   6681ff6148           | cmp                 di, 0x4861
            //   f6d0                 | not                 al
            //   e9????????           |                     
            //   46                   | inc                 esi
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   9c                   | pushfd              

        $sequence_9 = { 53 8b5e08 395e04 55 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   8b5e08               | mov                 ebx, dword ptr [esi + 8]
            //   395e04               | cmp                 dword ptr [esi + 4], ebx
            //   55                   | push                ebp

        $sequence_10 = { 8b0485c00f4100 83e61f c1e606 8d443004 8020fe }
            // n = 5, score = 100
            //   8b0485c00f4100       | mov                 eax, dword ptr [eax*4 + 0x410fc0]
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8d443004             | lea                 eax, [eax + esi + 4]
            //   8020fe               | and                 byte ptr [eax], 0xfe

        $sequence_11 = { 8d442444 0f84b8000000 b9???????? 8bff 8a10 3a11 }
            // n = 6, score = 100
            //   8d442444             | lea                 eax, [esp + 0x44]
            //   0f84b8000000         | je                  0xbe
            //   b9????????           |                     
            //   8bff                 | mov                 edi, edi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]

        $sequence_12 = { 803800 75f5 51 e8???????? 8b4c241c }
            // n = 5, score = 100
            //   803800               | cmp                 byte ptr [eax], 0
            //   75f5                 | jne                 0xfffffff7
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_13 = { 6a00 6a00 6a01 6a00 ff15???????? 8bf0 56 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi

        $sequence_14 = { e9???????? 9c 9c 66894504 57 60 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   66894504             | mov                 word ptr [ebp + 4], ax
            //   57                   | push                edi
            //   60                   | pushal              

        $sequence_15 = { e9???????? 60 8774241c 660fb6f3 e8???????? 895500 60 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   60                   | pushal              
            //   8774241c             | xchg                dword ptr [esp + 0x1c], esi
            //   660fb6f3             | movzx               si, bl
            //   e8????????           |                     
            //   895500               | mov                 dword ptr [ebp], edx
            //   60                   | pushal              

        $sequence_16 = { ff15???????? 8b4da2 8b45aa 8b55a6 8945f0 894de8 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b4da2               | mov                 ecx, dword ptr [ebp - 0x5e]
            //   8b45aa               | mov                 eax, dword ptr [ebp - 0x56]
            //   8b55a6               | mov                 edx, dword ptr [ebp - 0x5a]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx

        $sequence_17 = { c785e0fdffff00000000 ffd6 3b85d4fdffff 7520 }
            // n = 4, score = 100
            //   c785e0fdffff00000000     | mov    dword ptr [ebp - 0x220], 0
            //   ffd6                 | call                esi
            //   3b85d4fdffff         | cmp                 eax, dword ptr [ebp - 0x22c]
            //   7520                 | jne                 0x22

        $sequence_18 = { 83ef01 75e3 be???????? bf0000a000 }
            // n = 4, score = 100
            //   83ef01               | sub                 edi, 1
            //   75e3                 | jne                 0xffffffe5
            //   be????????           |                     
            //   bf0000a000           | mov                 edi, 0xa00000

        $sequence_19 = { 9c 51 897c2408 9c 8d642430 e9???????? ff742404 }
            // n = 7, score = 100
            //   9c                   | pushfd              
            //   51                   | push                ecx
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   9c                   | pushfd              
            //   8d642430             | lea                 esp, [esp + 0x30]
            //   e9????????           |                     
            //   ff742404             | push                dword ptr [esp + 4]

        $sequence_20 = { e8???????? d2cd 80d213 66c1e204 8b5500 f8 66c1d902 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   d2cd                 | ror                 ch, cl
            //   80d213               | adc                 dl, 0x13
            //   66c1e204             | shl                 dx, 4
            //   8b5500               | mov                 edx, dword ptr [ebp]
            //   f8                   | clc                 
            //   66c1d902             | rcr                 cx, 2

        $sequence_21 = { e8???????? 57 56 55 e8???????? 56 b301 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   56                   | push                esi
            //   55                   | push                ebp
            //   e8????????           |                     
            //   56                   | push                esi
            //   b301                 | mov                 bl, 1

        $sequence_22 = { 50 51 ff15???????? 85c0 0f8565fdffff ff0d???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8565fdffff         | jne                 0xfffffd6b
            //   ff0d????????         |                     

        $sequence_23 = { 59 c3 681c040000 6a00 56 e8???????? }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   681c040000           | push                0x41c
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 10817536
}
Download all Yara Rules