SYMBOLCOMMON_NAMEaka. SYNONYMS
win.killdisk (Back to overview)

KillDisk

Actor(s): Lazarus Group, Sandworm, TeleBots

There is no description at this point.

References
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-04-03ESET ResearchPeter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-01-15Trend MicroGilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot TeleBots
Yara Rules
[TLP:WHITE] win_killdisk_auto (20211008 | Detects win.killdisk.)
rule win_killdisk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.killdisk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1f905 8bf0 83e61f 8d3c8dc00f4100 8b0f }
            // n = 5, score = 100
            //   c1f905               | sar                 ecx, 5
            //   8bf0                 | mov                 esi, eax
            //   83e61f               | and                 esi, 0x1f
            //   8d3c8dc00f4100       | lea                 edi, dword ptr [ecx*4 + 0x410fc0]
            //   8b0f                 | mov                 ecx, dword ptr [edi]

        $sequence_1 = { e8???????? 4e 80fcd7 60 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   4e                   | dec                 esi
            //   80fcd7               | cmp                 ah, 0xd7
            //   60                   | pushal              

        $sequence_2 = { 83c408 85c0 0f845e020000 8d4c2444 68???????? }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f845e020000         | je                  0x264
            //   8d4c2444             | lea                 ecx, dword ptr [esp + 0x44]
            //   68????????           |                     

        $sequence_3 = { 8945fc 53 56 57 6824010000 8d85c4feffff }
            // n = 6, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6824010000           | push                0x124
            //   8d85c4feffff         | lea                 eax, dword ptr [ebp - 0x13c]

        $sequence_4 = { 60 9c 9c 8d642428 e9???????? 60 }
            // n = 6, score = 100
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   9c                   | pushfd              
            //   8d642428             | lea                 esp, dword ptr [esp + 0x28]
            //   e9????????           |                     
            //   60                   | pushal              

        $sequence_5 = { 0f84cd000000 83fdff 0f84c4000000 8b44240c 53 }
            // n = 5, score = 100
            //   0f84cd000000         | je                  0xd3
            //   83fdff               | cmp                 ebp, -1
            //   0f84c4000000         | je                  0xca
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   53                   | push                ebx

        $sequence_6 = { 8d9424b0000000 52 e8???????? 83c404 b9???????? }
            // n = 5, score = 100
            //   8d9424b0000000       | lea                 edx, dword ptr [esp + 0xb0]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   b9????????           |                     

        $sequence_7 = { 759e 8ac3 8b8c244c020000 5f }
            // n = 4, score = 100
            //   759e                 | jne                 0xffffffa0
            //   8ac3                 | mov                 al, bl
            //   8b8c244c020000       | mov                 ecx, dword ptr [esp + 0x24c]
            //   5f                   | pop                 edi

        $sequence_8 = { 57 e8???????? 60 4e 6681ff6148 f6d0 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   60                   | pushal              
            //   4e                   | dec                 esi
            //   6681ff6148           | cmp                 di, 0x4861
            //   f6d0                 | not                 al

        $sequence_9 = { ff3424 660fb6f3 5e e8???????? 66ffc6 e8???????? }
            // n = 6, score = 100
            //   ff3424               | push                dword ptr [esp]
            //   660fb6f3             | movzx               si, bl
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   66ffc6               | inc                 si
            //   e8????????           |                     

        $sequence_10 = { 83c610 8985e4fdffff 83f804 7cac }
            // n = 4, score = 100
            //   83c610               | add                 esi, 0x10
            //   8985e4fdffff         | mov                 dword ptr [ebp - 0x21c], eax
            //   83f804               | cmp                 eax, 4
            //   7cac                 | jl                  0xffffffae

        $sequence_11 = { 85f6 0f84b9000000 8975e0 8b04bdc00f4100 0500080000 3bf0 }
            // n = 6, score = 100
            //   85f6                 | test                esi, esi
            //   0f84b9000000         | je                  0xbf
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   8b04bdc00f4100       | mov                 eax, dword ptr [edi*4 + 0x410fc0]
            //   0500080000           | add                 eax, 0x800
            //   3bf0                 | cmp                 esi, eax

        $sequence_12 = { e9???????? 880424 8774242c 9c 68a12348dd e8???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   880424               | mov                 byte ptr [esp], al
            //   8774242c             | xchg                dword ptr [esp + 0x2c], esi
            //   9c                   | pushfd              
            //   68a12348dd           | push                0xdd4823a1
            //   e8????????           |                     

        $sequence_13 = { e8???????? 59 ebcf 8bc6 c1f805 8b0485c00f4100 83e61f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ebcf                 | jmp                 0xffffffd1
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8b0485c00f4100       | mov                 eax, dword ptr [eax*4 + 0x410fc0]
            //   83e61f               | and                 esi, 0x1f

        $sequence_14 = { 9c 88442408 50 8d642434 e9???????? }
            // n = 5, score = 100
            //   9c                   | pushfd              
            //   88442408             | mov                 byte ptr [esp + 8], al
            //   50                   | push                eax
            //   8d642434             | lea                 esp, dword ptr [esp + 0x34]
            //   e9????????           |                     

        $sequence_15 = { e9???????? 883424 ff742420 8f4500 }
            // n = 4, score = 100
            //   e9????????           |                     
            //   883424               | mov                 byte ptr [esp], dh
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   8f4500               | pop                 dword ptr [ebp]

        $sequence_16 = { 751a 6a00 8d85d8fdffff 50 6800020000 68???????? }
            // n = 6, score = 100
            //   751a                 | jne                 0x1c
            //   6a00                 | push                0
            //   8d85d8fdffff         | lea                 eax, dword ptr [ebp - 0x228]
            //   50                   | push                eax
            //   6800020000           | push                0x200
            //   68????????           |                     

        $sequence_17 = { 83c41c 8bdf 8b54243c 85d2 7410 8b442440 }
            // n = 6, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   8bdf                 | mov                 ebx, edi
            //   8b54243c             | mov                 edx, dword ptr [esp + 0x3c]
            //   85d2                 | test                edx, edx
            //   7410                 | je                  0x12
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]

        $sequence_18 = { 8b4c2418 8d44245c e8???????? 84c0 }
            // n = 4, score = 100
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   8d44245c             | lea                 eax, dword ptr [esp + 0x5c]
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_19 = { 882424 881c24 e8???????? d2cd }
            // n = 4, score = 100
            //   882424               | mov                 byte ptr [esp], ah
            //   881c24               | mov                 byte ptr [esp], bl
            //   e8????????           |                     
            //   d2cd                 | ror                 ch, cl

        $sequence_20 = { bf0a000000 897c2410 c744241c01000000 750c }
            // n = 4, score = 100
            //   bf0a000000           | mov                 edi, 0xa
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   c744241c01000000     | mov                 dword ptr [esp + 0x1c], 1
            //   750c                 | jne                 0xe

        $sequence_21 = { 0f8266ffffff 8b7c2410 6aff 6a01 55 57 }
            // n = 6, score = 100
            //   0f8266ffffff         | jb                  0xffffff6c
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   55                   | push                ebp
            //   57                   | push                edi

        $sequence_22 = { 68???????? 57 ff15???????? 46 83fe20 }
            // n = 5, score = 100
            //   68????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   46                   | inc                 esi
            //   83fe20               | cmp                 esi, 0x20

        $sequence_23 = { 744d 56 8d4900 8b742418 3bee 742f }
            // n = 6, score = 100
            //   744d                 | je                  0x4f
            //   56                   | push                esi
            //   8d4900               | lea                 ecx, dword ptr [ecx]
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   3bee                 | cmp                 ebp, esi
            //   742f                 | je                  0x31

    condition:
        7 of them and filesize < 10817536
}
Download all Yara Rules