SYMBOLCOMMON_NAMEaka. SYNONYMS
win.killdisk (Back to overview)

KillDisk

Actor(s): Lazarus Group, Sandworm, TeleBots

There is no description at this point.

References
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2018-04-03ESET ResearchPeter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-01-15Trend MicroGilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot TeleBots
Yara Rules
[TLP:WHITE] win_killdisk_auto (20220516 | Detects win.killdisk.)
rule win_killdisk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.killdisk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d642430 e9???????? ff742404 66894500 886c2408 9c 66c70424306b }
            // n = 7, score = 100
            //   8d642430             | lea                 esp, [esp + 0x30]
            //   e9????????           |                     
            //   ff742404             | push                dword ptr [esp + 4]
            //   66894500             | mov                 word ptr [ebp], ax
            //   886c2408             | mov                 byte ptr [esp + 8], ch
            //   9c                   | pushfd              
            //   66c70424306b         | mov                 word ptr [esp], 0x6b30

        $sequence_1 = { 080f 872d???????? 0fc1c2 89e2 66d3c9 66d3c0 d2d0 }
            // n = 7, score = 100
            //   080f                 | or                  byte ptr [edi], cl
            //   872d????????         |                     
            //   0fc1c2               | xadd                edx, eax
            //   89e2                 | mov                 edx, esp
            //   66d3c9               | ror                 cx, cl
            //   66d3c0               | rol                 ax, cl
            //   d2d0                 | rcl                 al, cl

        $sequence_2 = { 68???????? 6800004006 6a00 8944242c }
            // n = 4, score = 100
            //   68????????           |                     
            //   6800004006           | push                0x6400000
            //   6a00                 | push                0
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax

        $sequence_3 = { c705????????1b4d4000 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 }
            // n = 7, score = 100
            //   c705????????1b4d4000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            //   83f8ff               | cmp                 eax, -1
            //   0f84c1000000         | je                  0xc7

        $sequence_4 = { 8d4df8 51 6800040000 68???????? 56 ffd7 }
            // n = 6, score = 100
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   51                   | push                ecx
            //   6800040000           | push                0x400
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi

        $sequence_5 = { 60 896c2434 e8???????? 8b4500 }
            // n = 4, score = 100
            //   60                   | pushal              
            //   896c2434             | mov                 dword ptr [esp + 0x34], ebp
            //   e8????????           |                     
            //   8b4500               | mov                 eax, dword ptr [ebp]

        $sequence_6 = { 741b 8d85f4fdffff 50 8d8df8feffff 68???????? 51 e8???????? }
            // n = 7, score = 100
            //   741b                 | je                  0x1d
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   50                   | push                eax
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   68????????           |                     
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { 89842468060000 53 56 8b7508 57 }
            // n = 5, score = 100
            //   89842468060000       | mov                 dword ptr [esp + 0x668], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi

        $sequence_8 = { 6a00 68008fa201 e8???????? 680000a000 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   68008fa201           | push                0x1a28f00
            //   e8????????           |                     
            //   680000a000           | push                0xa00000

        $sequence_9 = { c785c0feffff28010000 ff15???????? 85c0 0f8498000000 8b3d???????? 8b1d???????? 90 }
            // n = 7, score = 100
            //   c785c0feffff28010000     | mov    dword ptr [ebp - 0x140], 0x128
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8498000000         | je                  0x9e
            //   8b3d????????         |                     
            //   8b1d????????         |                     
            //   90                   | nop                 

        $sequence_10 = { 84c9 75f6 8bca c1e902 }
            // n = 4, score = 100
            //   84c9                 | test                cl, cl
            //   75f6                 | jne                 0xfffffff8
            //   8bca                 | mov                 ecx, edx
            //   c1e902               | shr                 ecx, 2

        $sequence_11 = { 662dca11 e8???????? 881438 e8???????? }
            // n = 4, score = 100
            //   662dca11             | sub                 ax, 0x11ca
            //   e8????????           |                     
            //   881438               | mov                 byte ptr [eax + edi], dl
            //   e8????????           |                     

        $sequence_12 = { 0393ae3f9239 41 23c2 89810c708cd0 }
            // n = 4, score = 100
            //   0393ae3f9239         | add                 edx, dword ptr [ebx + 0x39923fae]
            //   41                   | inc                 ecx
            //   23c2                 | and                 eax, edx
            //   89810c708cd0         | mov                 dword ptr [ecx - 0x2f738ff4], eax

        $sequence_13 = { ff15???????? 8b4cb500 51 ff15???????? 83c601 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8b4cb500             | mov                 ecx, dword ptr [ebp + esi*4]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83c601               | add                 esi, 1

        $sequence_14 = { e8???????? 8b06 8bc8 83e01f c1f905 8b0c8dc00f4100 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   8b0c8dc00f4100       | mov                 ecx, dword ptr [ecx*4 + 0x410fc0]

        $sequence_15 = { e8???????? e9???????? 894c2438 68c3221b81 46 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   894c2438             | mov                 dword ptr [esp + 0x38], ecx
            //   68c3221b81           | push                0x811b22c3
            //   46                   | inc                 esi

        $sequence_16 = { 83ec08 53 8d442408 50 6a08 33db }
            // n = 6, score = 100
            //   83ec08               | sub                 esp, 8
            //   53                   | push                ebx
            //   8d442408             | lea                 eax, [esp + 8]
            //   50                   | push                eax
            //   6a08                 | push                8
            //   33db                 | xor                 ebx, ebx

        $sequence_17 = { 83c404 83fe10 7cef 68???????? }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   83fe10               | cmp                 esi, 0x10
            //   7cef                 | jl                  0xfffffff1
            //   68????????           |                     

        $sequence_18 = { e8???????? 8bc5 8d5002 8d4900 668b08 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8bc5                 | mov                 eax, ebp
            //   8d5002               | lea                 edx, [eax + 2]
            //   8d4900               | lea                 ecx, [ecx]
            //   668b08               | mov                 cx, word ptr [eax]

        $sequence_19 = { 56 57 e8???????? 8b1d???????? 33ff 6803010000 8d44242d }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b1d????????         |                     
            //   33ff                 | xor                 edi, edi
            //   6803010000           | push                0x103
            //   8d44242d             | lea                 eax, [esp + 0x2d]

        $sequence_20 = { 3c58 770f 0fbec2 0fbe80a0b14000 83e00f eb02 }
            // n = 6, score = 100
            //   3c58                 | cmp                 al, 0x58
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fbe80a0b14000       | movsx               eax, byte ptr [eax + 0x40b1a0]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4

        $sequence_21 = { 87742404 87fe e8???????? 60 9c 894500 6689542404 }
            // n = 7, score = 100
            //   87742404             | xchg                dword ptr [esp + 4], esi
            //   87fe                 | xchg                esi, edi
            //   e8????????           |                     
            //   60                   | pushal              
            //   9c                   | pushfd              
            //   894500               | mov                 dword ptr [ebp], eax
            //   6689542404           | mov                 word ptr [esp + 4], dx

        $sequence_22 = { 88442408 50 8d642434 e9???????? }
            // n = 4, score = 100
            //   88442408             | mov                 byte ptr [esp + 8], al
            //   50                   | push                eax
            //   8d642434             | lea                 esp, [esp + 0x34]
            //   e9????????           |                     

        $sequence_23 = { 89458c 0f877b070000 ff24853dd44000 834de0ff 897588 }
            // n = 5, score = 100
            //   89458c               | mov                 dword ptr [ebp - 0x74], eax
            //   0f877b070000         | ja                  0x781
            //   ff24853dd44000       | jmp                 dword ptr [eax*4 + 0x40d43d]
            //   834de0ff             | or                  dword ptr [ebp - 0x20], 0xffffffff
            //   897588               | mov                 dword ptr [ebp - 0x78], esi

    condition:
        7 of them and filesize < 10817536
}
Download all Yara Rules