win.makop

Makop


BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.

References
2021-04-02 — Morphisec — Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
Yara Rules
[TLP:WHITE] win_makop_auto (20230808 | Detects win.makop.)
rule win_makop_auto {
    /*
     * Purpose: auto-generated code-pattern rule for win.makop (Makop ransomware).
     * It carries ten short x86 instruction sequences ($sequence_0 .. $sequence_9)
     * lifted from disassembly of unpacked samples / memory dumps; the condition
     * below requires at least 7 of the 10 to be present in a file smaller than
     * 107520 bytes (105 KiB).
     *
     * The "????????" wildcards mask 4-byte operands (ff15 = call dword ptr [imm32],
     * e8 = call rel32, b8 = mov eax, imm32) so that relocated or rebased addresses
     * do not break the match - this is why those lines carry no disassembly text.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.makop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Function prologue: frame setup, 8-byte stack alignment, 0x410-byte local area.
        $sequence_0 = { 55 8bec 83e4f8 81ec10040000 53 55 56 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec10040000         | sub                 esp, 0x410
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi

        $sequence_1 = { 8b84244c010000 8bcb 51 8b8c244c010000 52 50 51 }
            // n = 7, score = 100
            //   8b84244c010000       | mov                 eax, dword ptr [esp + 0x14c]
            //   8bcb                 | mov                 ecx, ebx
            //   51                   | push                ecx
            //   8b8c244c010000       | mov                 ecx, dword ptr [esp + 0x14c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx

        // 64-bit add/adc accumulation over fields at [eax+0x840..0x850].
        $sequence_2 = { 117c241c 8bb840080000 017c2420 8bb844080000 117c2424 8b8050080000 3bc3 }
            // n = 7, score = 100
            //   117c241c             | adc                 dword ptr [esp + 0x1c], edi
            //   8bb840080000         | mov                 edi, dword ptr [eax + 0x840]
            //   017c2420             | add                 dword ptr [esp + 0x20], edi
            //   8bb844080000         | mov                 edi, dword ptr [eax + 0x844]
            //   117c2424             | adc                 dword ptr [esp + 0x24], edi
            //   8b8050080000         | mov                 eax, dword ptr [eax + 0x850]
            //   3bc3                 | cmp                 eax, ebx

        $sequence_3 = { 3d11010000 0f8567030000 0fb7442444 0517fcffff 83f806 0f8754030000 ff24859c4f4000 }
            // n = 7, score = 100
            //   3d11010000           | cmp                 eax, 0x111
            //   0f8567030000         | jne                 0x36d
            //   0fb7442444           | movzx               eax, word ptr [esp + 0x44]
            //   0517fcffff           | add                 eax, 0xfffffc17
            //   83f806               | cmp                 eax, 6
            //   0f8754030000         | ja                  0x35a
            //   ff24859c4f4000       | jmp                 dword ptr [eax*4 + 0x404f9c]
            // NOTE(review): the last instruction embeds the absolute jump-table
            // address 0x404f9c, so this sequence is tied to one build/image base;
            // a rebuilt or relocated binary may miss it, with the other 9 still available.

        $sequence_4 = { 53 ff15???????? 85c0 0f84f1000000 6a00 8d442418 }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84f1000000         | je                  0xf7
            //   6a00                 | push                0
            //   8d442418             | lea                 eax, [esp + 0x18]

        $sequence_5 = { 8d442418 50 51 e8???????? 85c0 0f85cb000000 }
            // n = 6, score = 100
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85cb000000         | jne                 0xd1

        // Loop over a UTF-16 string (16-bit loads, pointer += 2, test for NUL).
        $sequence_6 = { bb01000000 395d08 7571 b8???????? 668b08 83c002 6685c9 }
            // n = 7, score = 100
            //   bb01000000           | mov                 ebx, 1
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   7571                 | jne                 0x73
            //   b8????????           |                     
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx

        // Function epilogue (0x1c bytes of locals) followed by the start of the next function.
        $sequence_7 = { 5e 5b 83c41c c3 ff15???????? 50 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   83c41c               | add                 esp, 0x1c
            //   c3                   | ret                 
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_8 = { 33db 3bf3 740f 56 895e18 895e1c }
            // n = 6, score = 100
            //   33db                 | xor                 ebx, ebx
            //   3bf3                 | cmp                 esi, ebx
            //   740f                 | je                  0x11
            //   56                   | push                esi
            //   895e18               | mov                 dword ptr [esi + 0x18], ebx
            //   895e1c               | mov                 dword ptr [esi + 0x1c], ebx

        $sequence_9 = { 895c241c 895c2420 895c2424 745e 90 8b06 }
            // n = 6, score = 100
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   745e                 | je                  0x60
            //   90                   | nop                 
            //   8b06                 | mov                 eax, dword ptr [esi]

    condition:
        // 7-of-10 tolerates a few missing sequences (e.g. the address-bound $sequence_3)
        // while keeping false positives low. The filesize bound is for on-disk scans;
        // NOTE(review): filesize is undefined when YARA scans process memory, which
        // makes this condition false there - confirm against your YARA version if you
        // intend to use this rule on memory.
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_w0   (20200325 | Detects MAKOP ransomware payload)
rule win_makop_w0 {
    /*
     * Purpose: hand-written rule for the MAKOP ransomware payload, combining three
     * plain strings with two longer wildcarded code patterns. A PE file (MZ header)
     * needs 4 of the 5 patterns; any other input (e.g. an unpacked dump without a
     * header) needs all 5.
     */
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): the license field is empty in the published rule; the only
        // stated sharing level is TLP:WHITE above.
        malpedia_license = ""

    strings:
        // printf-style format for an 8-digit zero-padded hex value with a leading dash.
        // The rule only matches the literal; what the sample formats with it is not
        // determined here.
        $str1 = "-%08X"
        // Windows Multiple Provider Router (WNet* network-resource APIs), matched by name only.
        $str2 = "MPR.dll"
        // UTF-16 ("wide") wildcard path suffix; the YARA escape "\\" is one backslash,
        // so the bytes matched spell \*.*
        $str3 = "\\*.*" wide

        // Long code pattern with "??" masking registers/displacements and call targets;
        // it ends in the stdcall epilogue "5f 5e 5d 5b 83 c4 0c c2 08 00" (pops, add esp, ret 8).
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        // Function entry: "55 8b ec 83 e4 f8" is the same aligned prologue (push ebp;
        // mov ebp, esp; and esp, 0xfffffff8) seen in $sequence_0 of win_makop_auto,
        // here followed by a 0x264-byte local area (81 ec 64 02 00 00).
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    condition:
        // 0x5a4d is "MZ" read little-endian: the DOS/PE header magic at offset 0.
        // With a PE header present, 4 of 5 patterns suffice; without it (e.g. a
        // headerless dump) all 5 are required to compensate for the missing anchor.
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}