win.makop (Back to overview)

Makop


According to BeforeCrypt, MAKOP ransomware first appeared in 2020 as an offshoot of the Phobos variant and has infected a number of computers since then. Files encrypted by MAKOP often carry the extension “.makop”, and the desktop wallpaper may also be changed. MAKOP uses RSA encryption. No free decryption tool is known to be capable of decrypting files encrypted by MAKOP.

References
2021-04-02 | Morphisec | Michael Gorelik
@online{gorelik:20210402:fair:6f62577, author = {Michael Gorelik}, title = {{The “Fair” Upgrade Variant of Phobos Ransomware}}, date = {2021-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware}, language = {English}, urldate = {2023-08-14} } The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
Yara Rules
[TLP:WHITE] win_makop_auto (20230715 | Detects win.makop.)
// Auto-generated opcode-sequence signature for the Makop ransomware family,
// produced by yara-signator from Malpedia samples (see the DISCLAIMER below).
// Match logic: at least 7 of the 10 $sequence_N byte patterns must be present
// and the scanned object must be smaller than 107520 bytes (105 KiB).
rule win_makop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.makop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N is a short run of x86 machine code taken from the
     * disassembly of the sampled binaries. The "n = ..., score = ..." lines are
     * yara-signator's own annotation: n is the number of instructions in the
     * sequence; the score scale is not documented here. Bytes written as
     * "????" are wildcards; they sit where a 32-bit call target or absolute
     * address operand would be (the disassembly column is left blank for
     * those), so the sequence matches regardless of where the code was
     * loaded or linked.
     */
    strings:
        $sequence_0 = { eb02 33f6 803d????????00 751f 803d????????00 7516 80fb01 }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   803d????????00       |                     
            //   751f                 | jne                 0x21
            //   803d????????00       |                     
            //   7516                 | jne                 0x18
            //   80fb01               | cmp                 bl, 1

        $sequence_1 = { 52 50 51 e8???????? 8b542430 83c40c 68e0930400 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   83c40c               | add                 esp, 0xc
            //   68e0930400           | push                0x493e0

        $sequence_2 = { 52 66c7060802 66c746041066 c6460820 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   66c7060802           | mov                 word ptr [esi], 0x208
            //   66c746041066         | mov                 word ptr [esi + 4], 0x6610
            //   c6460820             | mov                 byte ptr [esi + 8], 0x20

        $sequence_3 = { 56 ff15???????? 85c0 750b 8906 32c0 5e }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   8906                 | mov                 dword ptr [esi], eax
            //   32c0                 | xor                 al, al
            //   5e                   | pop                 esi

        $sequence_4 = { 83c001 84c9 75f7 2bc7 83e801 39442404 720a }
            // n = 7, score = 100
            //   83c001               | add                 eax, 1
            //   84c9                 | test                cl, cl
            //   75f7                 | jne                 0xfffffff9
            //   2bc7                 | sub                 eax, edi
            //   83e801               | sub                 eax, 1
            //   39442404             | cmp                 dword ptr [esp + 4], eax
            //   720a                 | jb                  0xc

        $sequence_5 = { ffd6 85ff 740f 85db 740b 837c242000 7404 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   85ff                 | test                edi, edi
            //   740f                 | je                  0x11
            //   85db                 | test                ebx, ebx
            //   740b                 | je                  0xd
            //   837c242000           | cmp                 dword ptr [esp + 0x20], 0
            //   7404                 | je                  6

        $sequence_6 = { 8b2d???????? 3beb 742e 8b4524 3bc3 7407 50 }
            // n = 7, score = 100
            //   8b2d????????         |                     
            //   3beb                 | cmp                 ebp, ebx
            //   742e                 | je                  0x30
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   3bc3                 | cmp                 eax, ebx
            //   7407                 | je                  9
            //   50                   | push                eax

        $sequence_7 = { 7416 e8???????? 6a00 e8???????? 83c404 }
            // n = 5, score = 100
            //   7416                 | je                  0x18
            //   e8????????           |                     
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_8 = { e8???????? 8b442418 83c40c 8b4f0c }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   83c40c               | add                 esp, 0xc
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]

        $sequence_9 = { 742f 33c0 3906 763d 8d4c2448 }
            // n = 5, score = 100
            //   742f                 | je                  0x31
            //   33c0                 | xor                 eax, eax
            //   3906                 | cmp                 dword ptr [esi], eax
            //   763d                 | jbe                 0x3f
            //   8d4c2448             | lea                 ecx, [esp + 0x48]

    condition:
        // "them" refers to all ten $sequence_N strings. No MZ/PE header check is
        // made, so the rule also applies to unpacked dumps (the disclaimer notes
        // memory dumps are part of the source data). The filesize bound applies
        // to the whole scanned object: a payload embedded in a larger container
        // would not match, and for process-memory scans filesize is not a file
        // size at all - confirm how your scanner defines it before relying on it.
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_w0   (20200325 | Detects MAKOP ransomware payload)
// Hand-written signature for the Makop ransomware payload (author @VK_Intel,
// 2020-03-23). Combines three text strings with two x86 code patterns; see the
// per-string notes and the condition comment below.
rule win_makop_w0 {
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        // License field is left empty in this catalog entry.
        malpedia_license = ""

    strings:
        // printf-style format: a dash followed by eight upper-case hex digits.
        // Plausibly used when building a victim/file identifier - not confirmed here.
        $str1 = "-%08X"
        // Name of the Windows Multiple Provider Router library (exports the WNet*
        // network-resource APIs); presumably referenced for network share access -
        // the call site is not visible in this rule.
        $str2 = "MPR.dll"
        // "\*.*" wildcard as a UTF-16LE string ("wide"); the doubled backslash is
        // the YARA escape for a single backslash. Typical of a directory walk
        // (FindFirstFileW-style) - TODO confirm against a sample.
        $str3 = "\\*.*" wide

        // Opcode pattern named by the author as a decryption routine; the role is
        // not verifiable from the bytes alone. It ends in "c2 08 00" (ret 8), i.e.
        // a stdcall-style function taking 8 bytes of arguments. "??" bytes mask
        // call targets, addresses and other operands that vary between builds.
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        // Function prologue "55 8b ec 83 e4 f8" (push ebp / mov ebp, esp / and esp, -8)
        // followed by a 0x264-byte stack frame ("81 ec 64 02 00 00"). The author
        // names it $start, presumably the payload's main routine - unconfirmed.
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    condition:
        // Either branch matches:
        //  - the object starts with the DOS "MZ" magic (0x5a4d little-endian at
        //    offset 0) and at least 4 of the 5 strings are present, or
        //  - all 5 strings are present regardless of header (e.g. an unpacked
        //    blob or memory dump).
        // With 3 text strings and 2 code patterns, "4 of them" always requires
        // at least one code pattern, so a benign PE that merely references
        // MPR.dll and uses "\*.*" cannot match on text alone.
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}