win.m0yv

m0yv


Modular x86/x64 file infector created and used by the Maze ransomware developer. According to its author, AV vendors have mistakenly tagged it as Expiro.

References
2022-02-09Security AffairsPierluigi Paganini
@online{paganini:20220209:master:b0b64b8, author = {Pierluigi Paganini}, title = {{Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online}}, date = {2022-02-09}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html}, language = {English}, urldate = {2022-02-10} } Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
2022-01-11Github (baderj)Johannes Bader
@online{bader:20220111:reimplementation:f8b45d0, author = {Johannes Bader}, title = {{Reimplementation of Expiro's DGA}}, date = {2022-01-11}, organization = {Github (baderj)}, url = {https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py}, language = {English}, urldate = {2022-02-10} } Reimplementation of Expiro's DGA
m0yv
Yara Rules
[TLP:WHITE] win_m0yv_auto (20220516 | Detects win.m0yv.)
rule win_m0yv_auto {
    // Autogenerated YARA-Signator rule for win.m0yv (Malpedia). The strings
    // are raw x86-64 opcode byte sequences (note the 0x40-0x4f REX prefixes)
    // taken from the disassembly of an unpacked/memory-dumped sample, likely a
    // single one (see DISCLAIMER). The per-byte annotations below give the x64
    // decode of each hex pattern; the annotations shipped with the generated
    // rule were 32-bit decodes that did not correspond to the listed bytes
    // (e.g. "inc esp" for 4c89642438, which is mov [rsp+0x38], r12) and have
    // been replaced. The meta block, hex strings and condition are unchanged.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.m0yv."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Register values stored into stack slots, then rcx pointed at the
        // local area (presumably argument setup before a call; confirm in the sample).
        $sequence_0 = { 4c89642438 44896c2440 4889742448 897c2450 c744245400000000 488d4c2430 }
            // n = 6, score = 100
            //   4c89642438           | mov                 qword ptr [rsp + 0x38], r12
            //   44896c2440           | mov                 dword ptr [rsp + 0x40], r13d
            //   4889742448           | mov                 qword ptr [rsp + 0x48], rsi
            //   897c2450             | mov                 dword ptr [rsp + 0x50], edi
            //   c744245400000000     | mov                 dword ptr [rsp + 0x54], 0
            //   488d4c2430           | lea                 rcx, [rsp + 0x30]

        // Byte-indexed table lookup with shift-by-8 and xor on rbx: a shape
        // typical of a table-driven CRC or similar hash loop (inference only).
        $sequence_1 = { 660f1f440000 8b1c84 0fb6fb 8b3cbc 48c1eb08 4831fb 0fb6fb }
            // n = 7, score = 100
            //   660f1f440000         | nop                 word ptr [rax + rax]
            //   8b1c84               | mov                 ebx, dword ptr [rsp + rax*4]
            //   0fb6fb               | movzx               edi, bl
            //   8b3cbc               | mov                 edi, dword ptr [rsp + rdi*4]
            //   48c1eb08             | shr                 rbx, 8
            //   4831fb               | xor                 rbx, rdi
            //   0fb6fb               | movzx               edi, bl

        // Multiply-accumulate chain into rcx.
        $sequence_2 = { 4801c1 4889f8 480fafc3 4801c1 4c89e0 490fafc6 4801c1 }
            // n = 7, score = 100
            //   4801c1               | add                 rcx, rax
            //   4889f8               | mov                 rax, rdi
            //   480fafc3             | imul                rax, rbx
            //   4801c1               | add                 rcx, rax
            //   4c89e0               | mov                 rax, r12
            //   490fafc6             | imul                rax, r14
            //   4801c1               | add                 rcx, rax

        // Loads a 32-bit field at [rdi+4], skips forward when it is <= 0,
        // otherwise sign-extends it into rcx/rdx.
        $sequence_3 = { 4489e0 448b6704 4585e4 7e41 4963cc 4889ca }
            // n = 6, score = 100
            //   4489e0               | mov                 eax, r12d
            //   448b6704             | mov                 r12d, dword ptr [rdi + 4]
            //   4585e4               | test                r12d, r12d
            //   7e41                 | jle                 +0x41
            //   4963cc               | movsxd              rcx, r12d
            //   4889ca               | mov                 rdx, rcx

        // rcx/rdx/r8 loaded before a call: consistent with the Win64 calling
        // convention's first three integer arguments. The call's rel32
        // displacement is wildcarded.
        $sequence_4 = { 488d9c2428010000 4c8d842488000000 4889d9 4889fa e8???????? 488d7c2420 }
            // n = 6, score = 100
            //   488d9c2428010000     | lea                 rbx, [rsp + 0x128]
            //   4c8d842488000000     | lea                 r8, [rsp + 0x88]
            //   4889d9               | mov                 rcx, rbx
            //   4889fa               | mov                 rdx, rdi
            //   e8????????           | call                <rel32 wildcarded>
            //   488d7c2420           | lea                 rdi, [rsp + 0x20]

        // Pointer arithmetic on rsi/r14 with a fixed 0x02000000 offset;
        // the meaning of the constant is not established here.
        $sequence_5 = { 4129c5 48c1fe19 4d8d1c36 4a8d0436 480500000002 4c03842488000000 4889c6 }
            // n = 7, score = 100
            //   4129c5               | sub                 r13d, eax
            //   48c1fe19             | sar                 rsi, 0x19
            //   4d8d1c36             | lea                 r11, [r14 + rsi]
            //   4a8d0436             | lea                 rax, [rsi + r14]
            //   480500000002         | add                 rax, 0x02000000
            //   4c03842488000000     | add                 r8, qword ptr [rsp + 0x88]
            //   4889c6               | mov                 rsi, rax

        // Two consecutive two-argument calls (rcx, rdx), targets wildcarded.
        $sequence_6 = { 4889fa e8???????? 4c89f1 4889da e8???????? 4c89e1 4c89e2 }
            // n = 7, score = 100
            //   4889fa               | mov                 rdx, rdi
            //   e8????????           | call                <rel32 wildcarded>
            //   4c89f1               | mov                 rcx, r14
            //   4889da               | mov                 rdx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   4c89e1               | mov                 rcx, r12
            //   4c89e2               | mov                 rdx, r12

        // Three-argument call (rcx, rdx, r8) followed by re-marshalling the
        // same registers for a second call; target wildcarded.
        $sequence_7 = { 4889d9 4889f2 4989f8 e8???????? 4889f1 4889f2 4989f8 }
            // n = 7, score = 100
            //   4889d9               | mov                 rcx, rbx
            //   4889f2               | mov                 rdx, rsi
            //   4989f8               | mov                 r8, rdi
            //   e8????????           | call                <rel32 wildcarded>
            //   4889f1               | mov                 rcx, rsi
            //   4889f2               | mov                 rdx, rsi
            //   4989f8               | mov                 r8, rdi

        // 64-bit multiply-accumulate using stack-resident operands.
        $sequence_8 = { 4c89e1 480fafcf 4801ce 4889b42490000000 4c89f9 480faf8c24d8000000 488bbc2488000000 }
            // n = 7, score = 100
            //   4c89e1               | mov                 rcx, r12
            //   480fafcf             | imul                rcx, rdi
            //   4801ce               | add                 rsi, rcx
            //   4889b42490000000     | mov                 qword ptr [rsp + 0x90], rsi
            //   4c89f9               | mov                 rcx, r15
            //   480faf8c24d8000000   | imul                rcx, qword ptr [rsp + 0xd8]
            //   488bbc2488000000     | mov                 rdi, qword ptr [rsp + 0x88]

        // Multiplication by the constant 0xa2c13 and a 0x100000 offset; what
        // these constants represent is not determinable from the rule alone.
        $sequence_9 = { 4869ed132c0a00 488bbc24c0000000 4c8d3c2f 4801fd 4881c500001000 488b742458 4869fe132c0a00 }
            // n = 7, score = 100
            //   4869ed132c0a00       | imul                rbp, rbp, 0xa2c13
            //   488bbc24c0000000     | mov                 rdi, qword ptr [rsp + 0xc0]
            //   4c8d3c2f             | lea                 r15, [rdi + rbp]
            //   4801fd               | add                 rbp, rdi
            //   4881c500001000       | add                 rbp, 0x100000
            //   488b742458           | mov                 rsi, qword ptr [rsp + 0x58]
            //   4869fe132c0a00       | imul                rdi, rsi, 0xa2c13

    condition:
        // Any 7 of the 10 sequences must match. The size bound presumably
        // reflects the sample(s) the rule was generated from (see DISCLAIMER);
        // since all strings are x64 code, 32-bit m0yv builds are not expected
        // to hit this rule.
        7 of them and filesize < 779264
}