win.m0yv

m0yv


Modular x86/x64 file infector created and used by the Maze ransomware developer. According to its author, it has been mistakenly tagged by AV products as Expiro.

References
2022-02-09 — Security Affairs — Pierluigi Paganini
@online{paganini:20220209:master:b0b64b8, author = {Pierluigi Paganini}, title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}}, date = {2022-02-09}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html}, language = {English}, urldate = {2022-02-10} } Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-01-11 — Github (baderj) — Johannes Bader
@online{bader:20220111:reimplementation:f8b45d0, author = {Johannes Bader}, title = {{Reimplementation of Expiro's DGA}}, date = {2022-01-11}, organization = {Github (baderj)}, url = {https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py}, language = {English}, urldate = {2022-11-03} } Reimplementation of Expiro's DGA
m0yv
Yara Rules
[TLP:WHITE] win_m0yv_auto (20221125 | Detects win.m0yv.)
rule win_m0yv_auto {
    /*
     * Autogenerated YARA-Signator rule for the win.m0yv file infector.
     * Ten code-byte sequences ($sequence_0 .. $sequence_9) were selected from
     * the disassembly of memory dumps / unpacked files (see DISCLAIMER below;
     * possibly from a single documented sample). The rule fires when at least
     * 7 of the 10 sequences occur in a file smaller than 779264 bytes.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.m0yv."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotations beside each hex pattern do not
     * decode the bytes on the same line (e.g. 4889ce is REX.W "mov rsi, rcx" in
     * 64-bit mode, not "inc esp"; 25ffff1f00 is "and eax, 0x1fffff" but is
     * annotated under $sequence_7's first bytes rather than $sequence_6's).
     * They appear to be shifted relative to the patterns and were likely
     * produced by a 32-bit decode; treat the hex bytes as authoritative and
     * the annotations as orientation only.
     *
     * e8???????? is a CALL with its 4-byte relative target wildcarded, so the
     * pattern does not depend on where the callee ends up in a given build.
     * Most sequences start with 48/49/4c REX prefixes, consistent with the x64
     * variant of the infector; $sequence_8 carries no REX prefix.
     */

    strings:
        $sequence_0 = { 4889ce 85d2 750b 4889f1 e8???????? 4189c4 8a0e }
            // n = 7, score = 100
            //   4889ce               | inc                 esp
            //   85d2                 | mov                 byte ptr [edi + 0x14], dl
            //   750b                 | mov                 byte ptr [edi + 0x15], bl
            //   4889f1               | mov                 byte ptr [edi + 0x1a], al
            //   e8????????           |                     
            //   4189c4               | dec                 ecx
            //   8a0e                 | shr                 eax, 6

        $sequence_1 = { 4c8d3477 48c1fa1a 488d0c77 4881c100000002 4889ce 81e1000000fc }
            // n = 6, score = 100
            //   4c8d3477             | dec                 eax
            //   48c1fa1a             | mov                 dword ptr [esp + 0x58], eax
            //   488d0c77             | dec                 eax
            //   4881c100000002       | mov                 eax, dword ptr [esp + 0x120]
            //   4889ce               | dec                 eax
            //   81e1000000fc         | mov                 esi, dword ptr [esp + 0x108]

        $sequence_2 = { 4889f9 e8???????? 89c3 488d0d95650100 }
            // n = 4, score = 100
            //   4889f9               | sub                 esp, 0xb0
            //   e8????????           |                     
            //   89c3                 | dec                 eax
            //   488d0d95650100       | mov                 edi, edx

        $sequence_3 = { ff5018 4885c0 0f84f1000000 4889c7 4889742438 488b4b10 488b01 }
            // n = 7, score = 100
            //   ff5018               | dec                 eax
            //   4885c0               | mov                 ecx, edi
            //   0f84f1000000         | dec                 eax
            //   4889c7               | mov                 ecx, dword ptr [esi + 0x10]
            //   4889742438           | call                dword ptr [edi + 8]
            //   488b4b10             | dec                 eax
            //   488b01               | mov                 ecx, esi

        $sequence_4 = { 4c8b6c2448 4c89e8 490fafc7 4801c3 }
            // n = 4, score = 100
            //   4c8b6c2448           | dec                 eax
            //   4c89e8               | lea                 ecx, [esi + 2]
            //   490fafc7             | dec                 eax
            //   4801c3               | mov                 ebp, esi

        $sequence_5 = { 488d8c2460020000 e8???????? 488d8c2460010000 4889fa e8???????? 4c8dbc2460030000 4c89f9 }
            // n = 7, score = 100
            //   488d8c2460020000     | dec                 eax
            //   e8????????           |                     
            //   488d8c2460010000     | lea                 eax, [0x1cf4d]
            //   4889fa               | dec                 edx
            //   e8????????           |                     
            //   4c8dbc2460030000     | mov                 eax, dword ptr [eax + ebp*8]
            //   4c89f9               | inc                 edx

        $sequence_6 = { 25ffff1f00 48898424a8000000 488d4e22 e8???????? d1e8 25ffff1f00 4889842498000000 }
            // n = 7, score = 100
            //   25ffff1f00           | imul                ebx, ebp, 0x72d18
            //   48898424a8000000     | dec                 ecx
            //   488d4e22             | imul                ecx, esp, 0x215d1
            //   e8????????           |                     
            //   d1e8                 | dec                 ecx
            //   25ffff1f00           | add                 ebx, ecx
            //   4889842498000000     | dec                 eax

        $sequence_7 = { 4801ca 4889542458 480fafc0 488b542410 480fafd2 486bc826 }
            // n = 6, score = 100
            //   4801ca               | and                 eax, 0x1fffff
            //   4889542458           | dec                 eax
            //   480fafc0             | mov                 dword ptr [esp + 0xb0], eax
            //   488b542410           | dec                 eax
            //   480fafd2             | lea                 ecx, [ebp + 0x2f]
            //   486bc826             | shr                 eax, 5

        $sequence_8 = { 8beb 85f6 7412 8bd6 b969000000 e8???????? f7d8 }
            // n = 7, score = 100
            //   8beb                 | dec                 eax
            //   85f6                 | mov                 dword ptr [esp + 0x60], eax
            //   7412                 | dec                 eax
            //   8bd6                 | lea                 ecx, [esi + 0xf]
            //   b969000000           | shr                 eax, 6
            //   e8????????           |                     
            //   f7d8                 | and                 eax, 0x1fffff

        // NOTE(review): 48b8 <imm64> / 48894130 is "mov rax, imm64; mov [rcx+0x30], rax"
        // (then +0x38, +0x40). The three little-endian constants are
        // 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b and 0x5be0cd19137e2179, i.e. the
        // SHA-512 initial hash values H5..H7 (FIPS 180-4). This sequence therefore
        // characterises an embedded SHA-512 state-initialisation routine rather than
        // m0yv-specific logic and can plausibly match unrelated binaries that
        // statically link SHA-512; weigh it accordingly when triaging hits.
        $sequence_9 = { 48b81f6c3e2b8c68059b 48894130 48b86bbd41fbabd9831f 48894138 48b879217e1319cde05b 48894140 31c0 }
            // n = 7, score = 100
            //   48b81f6c3e2b8c68059b     | add    edx, edi
            //   48894130             | add                 edi, esi
            //   48b86bbd41fbabd9831f     | dec    eax
            //   48894138             | add                 edx, 1
            //   48b879217e1319cde05b     | dec    ecx
            //   48894140             | cmp                 ecx, edx
            //   31c0                 | je                  0xe2

    condition:
        // At least 7 of the 10 sequences must be present, and the file must be
        // smaller than 779264 bytes (761 KiB); the bound presumably reflects the
        // size of the documented sample(s), so larger repacked/infected hosts
        // will not be matched by this rule.
        7 of them and filesize < 779264
}