A ransomware first observed in July 2021.
rule win_lockfile_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.lockfile." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4d03e5 488bf2 4c8d0401 488b4720 4c3bc1 4883d600 49f76668 } // n = 7, score = 200 // 4d03e5 | jb 0x638 // 488bf2 | dec eax // 4c8d0401 | mov dword ptr [esp + 0x40], ebp // 488b4720 | dec eax // 4c3bc1 | mov eax, ebx // 4883d600 | dec eax // 49f76668 | sub eax, edx $sequence_1 = { 4c8d442438 498bd7 488d4c2440 488b442440 ff9000010000 90 488d4c2440 } // n = 7, score = 200 // 4c8d442438 | dec eax // 498bd7 | mov dword ptr [edx], eax // 488d4c2440 | dec eax // 488b442440 | cmp eax, ecx // ff9000010000 | jbe 0x453 // 90 | mov ebx, 1 // 488d4c2440 | cmp edi, ebx $sequence_2 = { 4883d100 4c3bde 4c8b5d9f 4883d100 4d3bf7 4f8d040b } // n = 6, score = 200 // 4883d100 | xor ecx, esi // 4c3bde | xor ecx, edx // 4c8b5d9f | add ebx, 0x6ed9eba1 // 4883d100 | inc ecx // 4d3bf7 | ror eax, 2 // 4f8d040b | add eax, ebx $sequence_3 = { 498bc7 4c89442450 4889542428 488955d8 4c8945e8 66660f1f840000000000 4c8921 } // n = 7, score = 200 // 498bc7 | dec eax // 4c89442450 | lea eax, [0x36eba] // 4889542428 | dec eax // 488955d8 | mov dword ptr [esp + 0x48], ebx // 4c8945e8 | dec eax // 66660f1f840000000000 | lea ecx, [esp + 0x30] // 4c8921 | dec eax $sequence_4 = { 75f0 85ff 0f840d020000 3bcf 0f83d3000000 498bd7 488bcd } // n = 7, score = 200 // 75f0 | mov dword ptr [ebp + 0x60], eax // 85ff | xor edi, edi // 0f840d020000 | dec eax // 3bcf | mov dword ptr [ebp - 0x10], eax // 0f83d3000000 | inc ecx // 498bd7 | mov eax, 0x104 // 488bcd | dec eax $sequence_5 = { 488bdd 48c1fb02 488bd3 488d4c2428 e8???????? 4889442428 488d1c98 } // n = 7, score = 200 // 488bdd | dec ecx // 48c1fb02 | mov eax, dword ptr [edi] // 488bd3 | dec esp // 488d4c2428 | mov eax, dword ptr [ebp + 0x77] // e8???????? | // 4889442428 | dec eax // 488d1c98 | add edx, dword ptr [esi + 8] $sequence_6 = { 418bcd 498b442420 49f721 4c8be2 4d8d0c00 4d3bc8 4d13e5 } // n = 7, score = 200 // 418bcd | inc ecx // 498b442420 | movups xmm0, xmmword ptr [ecx + eax*8] // 49f721 | dec eax // 4c8be2 | lea edx, [0x1d003] // 4d8d0c00 | movsd xmm2, qword ptr [edx + eax*8] // 4d3bc8 | addsd xmm2, xmm5 // 4d13e5 | subsd xmm5, xmm1 $sequence_7 = { 488bfa 33c0 f348ab 488bca e8???????? 90 4c8d45d8 } // n = 7, score = 200 // 488bfa | lea edx, [0x66039] // 33c0 | dec eax // f348ab | mov ecx, ebx // 488bca | mov byte ptr [ebx + 0xb], 0 // e8???????? | // 90 | dec eax // 4c8d45d8 | lea eax, [esp + 0x30] $sequence_8 = { 4c3bfb 72d6 4c8bb42490000000 4c8bbc2480000000 488b742430 4c8bef 483bfb } // n = 7, score = 200 // 4c3bfb | mov ecx, dword ptr [esi + 8] // 72d6 | dec eax // 4c8bb42490000000 | sub ecx, edi // 4c8bbc2480000000 | dec eax // 488b742430 | mov eax, ebx // 4c8bef | dec eax // 483bfb | imul ecx $sequence_9 = { 0430 346c 88442474 8b442440 0431 3420 88442475 } // n = 7, score = 200 // 0430 | mov eax, dword ptr [esp + 0x40] // 346c | add al, 0x18 // 88442474 | mov eax, dword ptr [esp + 0x40] // 8b442440 | add al, 0x17 // 0431 | xor al, 0x65 // 3420 | mov byte ptr [esp + 0x5b], al // 88442475 | mov eax, dword ptr [esp + 0x40] condition: 7 of them and filesize < 1163264 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY