win.makop

Makop


According to BeforeCrypt, MAKOP ransomware first appeared in 2020 as an offshoot of the PHOBOS variant and has infected a number of computers since then. Files encrypted by MAKOP often carry the extension “.makop”. Victims may also notice that the desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.

References
2021-04-02 — Morphisec — Michael Gorelik
The “Fair” Upgrade Variant of Phobos Ransomware
Makop Phobos
Yara Rules
[TLP:WHITE] win_makop_auto (20260504 | Detects win.makop.)
rule win_makop_auto {
    // Auto-generated code-sequence signature for win.makop (Makop ransomware).
    // Ten short x86 instruction sequences ($sequence_0 .. $sequence_9) are
    // matched as raw opcode bytes; the condition requires any 7 of them in a
    // file smaller than 107520 bytes (105 KiB).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.makop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each sequence is the raw encoding of 4-7 x86 instructions ("n" in the
    // per-sequence comments; "score = 100" is the generator's ranking).
    // Runs of "??" mask operand bytes. The disassembly lines left blank next
    // to them (ff15????????, 8b2d????????, a3????????, a1????????, e8????????)
    // are indirect calls, absolute memory references and relative calls whose
    // addresses differ between builds, which is what the
    // signator_config "callsandjumps;datarefs" setting appears to mask.
    strings:
        $sequence_0 = { 56 8bd8 57 8d442428 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8bd8                 | mov                 ebx, eax
            //   57                   | push                edi
            //   8d442428             | lea                 eax, [esp + 0x28]

        $sequence_1 = { 50 6a00 ffd7 50 ff15???????? eb06 8bc1 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb06                 | jmp                 8
            //   8bc1                 | mov                 eax, ecx

        $sequence_2 = { 6a00 6a01 ffd5 8bf0 85f6 7410 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ffd5                 | call                ebp
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7410                 | je                  0x12

        // NOTE(review): the constants 0x41 ('A'), 0x5a ('Z') and the +0x20
        // adjustment on a 16-bit value are consistent with a lower-casing
        // loop over wide characters — confirm against a sample before relying
        // on that interpretation.
        $sequence_3 = { 663d5a00 7703 83c020 0fb7c8 0fb706 663d4100 }
            // n = 6, score = 100
            //   663d5a00             | cmp                 ax, 0x5a
            //   7703                 | ja                  5
            //   83c020               | add                 eax, 0x20
            //   0fb7c8               | movzx               ecx, ax
            //   0fb706               | movzx               eax, word ptr [esi]
            //   663d4100             | cmp                 ax, 0x41

        $sequence_4 = { 7439 53 55 8b2d???????? 57 8bde 8b3b }
            // n = 7, score = 100
            //   7439                 | je                  0x3b
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8b2d????????         |                     
            //   57                   | push                edi
            //   8bde                 | mov                 ebx, esi
            //   8b3b                 | mov                 edi, dword ptr [ebx]

        $sequence_5 = { 33c0 8d4c2414 51 a3???????? a1???????? 6a02 e8???????? }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   51                   | push                ecx
            //   a3????????           |                     
            //   a1????????           |                     
            //   6a02                 | push                2
            //   e8????????           |                     

        // NOTE(review): word-sized loads from [esi + 2] / [edx + 2] followed by
        // a subtract and a test of cx look like a wide-string comparison loop;
        // presumably, not verified here.
        $sequence_6 = { 0fb7f9 2bc7 751a 6685c9 7415 0fb74e02 0fb74202 }
            // n = 7, score = 100
            //   0fb7f9               | movzx               edi, cx
            //   2bc7                 | sub                 eax, edi
            //   751a                 | jne                 0x1c
            //   6685c9               | test                cx, cx
            //   7415                 | je                  0x17
            //   0fb74e02             | movzx               ecx, word ptr [esi + 2]
            //   0fb74202             | movzx               eax, word ptr [edx + 2]

        $sequence_7 = { ff15???????? 83c414 eb1c 8d54243c }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83c414               | add                 esp, 0x14
            //   eb1c                 | jmp                 0x1e
            //   8d54243c             | lea                 edx, [esp + 0x3c]

        $sequence_8 = { 7504 8907 eb44 6a2c 6a00 ff15???????? 50 }
            // n = 7, score = 100
            //   7504                 | jne                 6
            //   8907                 | mov                 dword ptr [edi], eax
            //   eb44                 | jmp                 0x46
            //   6a2c                 | push                0x2c
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { 6a00 8d4c2414 51 52 57 55 c744242800000000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   57                   | push                edi
            //   55                   | push                ebp
            //   c744242800000000     | mov                 dword ptr [esp + 0x28], 0

    // Any 7 of the 10 sequences must be present. The 105 KiB size bound
    // reflects the unpacked / dumped images the rule was generated from (see
    // DISCLAIMER): a packed on-disk sample, or a larger container that embeds
    // the payload, may fall outside it, so apply the rule to unpacked files
    // and memory images as well as to raw files.
    condition:
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_w0   (20200325 | Detects MAKOP ransomware payload)
rule win_makop_w0 {
    // Hand-written signature for the MAKOP ransomware payload: three plain
    // strings plus two wildcarded x86 code patterns, with a condition that
    // distinguishes PE files from headerless buffers (see below).
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        // License field is left empty by the upstream rule; only the sharing
        // level (TLP:WHITE) is stated.
        malpedia_license = ""

    strings:
        // printf-style format for an 8-digit upper-case hex value; presumably
        // used when building the per-victim suffix — confirm against a sample.
        $str1 = "-%08X"
        // Name of the Windows Multiple Provider Router library (WNet APIs);
        // also present in many benign binaries, so this string alone is weak.
        $str2 = "MPR.dll"
        // UTF-16 "\*.*" wildcard, typical of directory enumeration; likewise
        // common in legitimate software.
        $str3 = "\\*.*" wide

        // Wildcarded code pattern; the fixed bytes it ends with (83 c4 0c,
        // pops, c2 08 00 = ret 8) are a function epilogue, while "??" masks
        // operands such as displacements and call targets.
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        // Function prologue: 55 8b ec = push ebp / mov ebp, esp; 83 e4 f8
        // aligns esp to 8; 81 ec 64 02 00 00 reserves 0x264 bytes of stack.
        // The remainder is the routine's body with operands masked.
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    // Two ways to match:
    //  - a PE image (MZ magic 0x5a4d at offset 0) with any 4 of the 5 strings;
    //    since $str1..$str3 are generic, this always requires at least one of
    //    the code patterns $dec1 / $start to hit as well;
    //  - any buffer, header or not (e.g. a dumped region), when all 5 strings
    //    are present.
    condition:
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}