SYMBOLCOMMON_NAMEaka. SYNONYMS
win.killdisk (Back to overview)

KillDisk

Actor(s): Lazarus Group, Sandworm, TeleBots

There is no description at this point.

References
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-04-03ESET ResearchPeter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-01-15Trend MicroGilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2017-01-05ESET ResearchRobert Lipovsky, Peter Kálnai
@online{lipovsky:20170105:killdisk:5d49eac, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt}, language = {English}, urldate = {2022-08-25} } KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
KillDisk Sandworm
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:057c5f4, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks}, language = {English}, urldate = {2022-08-25} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk TeleBot Sandworm
Yara Rules
[TLP:WHITE] win_killdisk_auto (20221125 | Detects win.killdisk.)
rule win_killdisk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.killdisk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f84b1000000 85f6 0f84a9000000 6a2c }
            // n = 4, score = 100
            //   0f84b1000000         | je                  0xb7
            //   85f6                 | test                esi, esi
            //   0f84a9000000         | je                  0xaf
            //   6a2c                 | push                0x2c

        $sequence_1 = { 57 ff15???????? 8b4da2 8b45aa 8b55a6 8945f0 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b4da2               | mov                 ecx, dword ptr [ebp - 0x5e]
            //   8b45aa               | mov                 eax, dword ptr [ebp - 0x56]
            //   8b55a6               | mov                 edx, dword ptr [ebp - 0x5a]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_2 = { 3ddb03a80c 80d26f 3cbb 40 d3d2 3f e261 }
            // n = 7, score = 100
            //   3ddb03a80c           | cmp                 eax, 0xca803db
            //   80d26f               | adc                 dl, 0x6f
            //   3cbb                 | cmp                 al, 0xbb
            //   40                   | inc                 eax
            //   d3d2                 | rcl                 edx, cl
            //   3f                   | aas                 
            //   e261                 | loop                0x63

        $sequence_3 = { 88742408 c70424ba7bbfa4 660fbae408 662dca11 e8???????? 881438 e8???????? }
            // n = 7, score = 100
            //   88742408             | mov                 byte ptr [esp + 8], dh
            //   c70424ba7bbfa4       | mov                 dword ptr [esp], 0xa4bf7bba
            //   660fbae408           | bt                  sp, 8
            //   662dca11             | sub                 ax, 0x11ca
            //   e8????????           |                     
            //   881438               | mov                 byte ptr [eax + edi], dl
            //   e8????????           |                     

        $sequence_4 = { 8bf7 83e61f c1e606 033485c00f4100 }
            // n = 4, score = 100
            //   8bf7                 | mov                 esi, edi
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   033485c00f4100       | add                 esi, dword ptr [eax*4 + 0x410fc0]

        $sequence_5 = { 8d85f8feffff 68???????? 50 e8???????? 8d8df8feffff 51 8d95f4fdffff }
            // n = 7, score = 100
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]

        $sequence_6 = { 03c2 69c010040000 03c5 3bf3 8bd6 }
            // n = 5, score = 100
            //   03c2                 | add                 eax, edx
            //   69c010040000         | imul                eax, eax, 0x410
            //   03c5                 | add                 eax, ebp
            //   3bf3                 | cmp                 esi, ebx
            //   8bd6                 | mov                 edx, esi

        $sequence_7 = { 7428 57 6a00 56 e8???????? 8b442420 }
            // n = 6, score = 100
            //   7428                 | je                  0x2a
            //   57                   | push                edi
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]

        $sequence_8 = { e8???????? d2cd 80d213 66c1e204 8b5500 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   d2cd                 | ror                 ch, cl
            //   80d213               | adc                 dl, 0x13
            //   66c1e204             | shl                 dx, 4
            //   8b5500               | mov                 edx, dword ptr [ebp]

        $sequence_9 = { 895c2414 8bfb 8b442418 33f6 2bc7 }
            // n = 5, score = 100
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   8bfb                 | mov                 edi, ebx
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   33f6                 | xor                 esi, esi
            //   2bc7                 | sub                 eax, edi

        $sequence_10 = { 60 46 88742408 8d642444 e9???????? }
            // n = 5, score = 100
            //   60                   | pushal              
            //   46                   | inc                 esi
            //   88742408             | mov                 byte ptr [esp + 8], dh
            //   8d642444             | lea                 esp, [esp + 0x44]
            //   e9????????           |                     

        $sequence_11 = { 33c0 0fa4c109 33f6 56 894df4 8d4df4 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   0fa4c109             | shld                ecx, eax, 9
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8d4df4               | lea                 ecx, [ebp - 0xc]

        $sequence_12 = { c1f805 83e71f c1e706 8b0485c00f4100 8d44380c }
            // n = 5, score = 100
            //   c1f805               | sar                 eax, 5
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b0485c00f4100       | mov                 eax, dword ptr [eax*4 + 0x410fc0]
            //   8d44380c             | lea                 eax, [eax + edi + 0xc]

        $sequence_13 = { 8bc8 2bce 81f9d0b60000 7604 3bc7 }
            // n = 5, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   2bce                 | sub                 ecx, esi
            //   81f9d0b60000         | cmp                 ecx, 0xb6d0
            //   7604                 | jbe                 6
            //   3bc7                 | cmp                 eax, edi

        $sequence_14 = { 85c0 7440 3dea000000 0f85da000000 8d043f }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   3dea000000           | cmp                 eax, 0xea
            //   0f85da000000         | jne                 0xe0
            //   8d043f               | lea                 eax, [edi + edi]

        $sequence_15 = { 83c40c 8b4c2410 8d442418 50 }
            // n = 4, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax

        $sequence_16 = { 898dc0fdffff ffd6 3b85bcfdffff 751a 6a00 8d85d8fdffff }
            // n = 6, score = 100
            //   898dc0fdffff         | mov                 dword ptr [ebp - 0x240], ecx
            //   ffd6                 | call                esi
            //   3b85bcfdffff         | cmp                 eax, dword ptr [ebp - 0x244]
            //   751a                 | jne                 0x1c
            //   6a00                 | push                0
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]

        $sequence_17 = { 8d642430 e9???????? ff742404 66894500 886c2408 9c }
            // n = 6, score = 100
            //   8d642430             | lea                 esp, [esp + 0x30]
            //   e9????????           |                     
            //   ff742404             | push                dword ptr [esp + 4]
            //   66894500             | mov                 word ptr [ebp], ax
            //   886c2408             | mov                 byte ptr [esp + 8], ch
            //   9c                   | pushfd              

        $sequence_18 = { 2bc2 3d08020000 0f83d9000000 8d942458010000 52 }
            // n = 5, score = 100
            //   2bc2                 | sub                 eax, edx
            //   3d08020000           | cmp                 eax, 0x208
            //   0f83d9000000         | jae                 0xdf
            //   8d942458010000       | lea                 edx, [esp + 0x158]
            //   52                   | push                edx

        $sequence_19 = { 8b742474 6816cc2923 46 66892c24 9c 8d64244c e9???????? }
            // n = 7, score = 100
            //   8b742474             | mov                 esi, dword ptr [esp + 0x74]
            //   6816cc2923           | push                0x2329cc16
            //   46                   | inc                 esi
            //   66892c24             | mov                 word ptr [esp], bp
            //   9c                   | pushfd              
            //   8d64244c             | lea                 esp, [esp + 0x4c]
            //   e9????????           |                     

        $sequence_20 = { 4e e8???????? 54 c7042400000000 66ffce }
            // n = 5, score = 100
            //   4e                   | dec                 esi
            //   e8????????           |                     
            //   54                   | push                esp
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   66ffce               | dec                 si

        $sequence_21 = { e9???????? 660fbcc3 660fa5e0 8b4500 }
            // n = 4, score = 100
            //   e9????????           |                     
            //   660fbcc3             | bsf                 ax, bx
            //   660fa5e0             | shld                ax, sp, cl
            //   8b4500               | mov                 eax, dword ptr [ebp]

        $sequence_22 = { 6a00 ff15???????? 8bd8 53 ffd6 6a00 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   6a00                 | push                0

        $sequence_23 = { b8cdcccccc f7e6 c1eb03 c1ea04 83c408 85db }
            // n = 6, score = 100
            //   b8cdcccccc           | mov                 eax, 0xcccccccd
            //   f7e6                 | mul                 esi
            //   c1eb03               | shr                 ebx, 3
            //   c1ea04               | shr                 edx, 4
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx

    condition:
        7 of them and filesize < 10817536
}
Download all Yara Rules