win.makop_ransomware

Makop Ransomware


There is no description at this point.

References
2021-08-13 — LIFARS — Vlad Pasca
@techreport{pasca:20210813:makop:3945430, author = {Vlad Pasca}, title = {{Makop Ransomware}}, date = {2021-08-13}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf}, language = {English}, urldate = {2022-01-20} } Makop Ransomware
Makop Ransomware
2021-02-01 — Microsoft — Microsoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2020-01-27 — Twitter (@siri_urz) — S!Ri
@online{sri:20200127:makop:078939c, author = {S!Ri}, title = {{Tweet on Makop Ransomware}}, date = {2020-01-27}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1221797493849018368}, language = {English}, urldate = {2020-03-25} } Tweet on Makop Ransomware
Makop Ransomware
Yara Rules
[TLP:WHITE] win_makop_ransomware_auto (20220516 | Detects win.makop_ransomware.)
// Auto-generated code-sequence signature (yara-signator) for win.makop_ransomware.
// Every $sequence_N is a run of consecutive x86 instruction encodings lifted from
// a single sample; the `??` bytes wildcard absolute addresses and call/jump
// displacements (`ff15`, `8b2d`, `e8`), which is why those rows carry no
// disassembly in the listing. Because the sequences were chosen statistically
// rather than by analyst intent, treat a hit as "shares code with the documented
// sample", not as proof of a specific capability.
rule win_makop_ransomware_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.makop_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator used: call/jump sequences, data references, binary values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_rule_date = "20220513"
        // 40-hex-digit (SHA-1-length) hash; presumably the reference sample the rule was built from — confirm on Malpedia.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // add/adc pair on [esp+0x18]/[esp+0x1c]: a two-dword (64-bit) addition fed
        // from fields at esi+0x844..esi+0x850 of one large structure.
        $sequence_0 = { 01542418 8b8644080000 8b8e48080000 1144241c 014c2430 8b964c080000 8bb650080000 }
            // n = 7, score = 100
            //   01542418             | add                 dword ptr [esp + 0x18], edx
            //   8b8644080000         | mov                 eax, dword ptr [esi + 0x844]
            //   8b8e48080000         | mov                 ecx, dword ptr [esi + 0x848]
            //   1144241c             | adc                 dword ptr [esp + 0x1c], eax
            //   014c2430             | add                 dword ptr [esp + 0x30], ecx
            //   8b964c080000         | mov                 edx, dword ptr [esi + 0x84c]
            //   8bb650080000         | mov                 esi, dword ptr [esi + 0x850]

        // Follows a chain of pointers through the dword at offset 4 (loop back via
        // jne) until a null link is reached: a linked-list walk to the last node.
        $sequence_1 = { 8b4204 85c0 7407 8b4004 85c0 75f9 }
            // n = 6, score = 100
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   85c0                 | test                eax, eax
            //   75f9                 | jne                 0xfffffffb

        // Two alternative field loads ([edx+0x20] or [eax+0x28]) joined by a jmp,
        // then the result is pushed as an argument; presumably a two-variant
        // object/handle lookup — TODO confirm. $sequence_9 ends with the same shape.
        $sequence_2 = { 8b17 8b4220 eb05 8b07 8b4028 8b4c2420 51 }
            // n = 7, score = 100
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8b4220               | mov                 eax, dword ptr [edx + 0x20]
            //   eb05                 | jmp                 7
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   51                   | push                ecx

        // Pushes 0x4000 (16384) and 0, stores 0 / 0x4000 / 0xffffffff into stack
        // slots, then calls through an import (ff15, target wildcarded). The
        // constants look like a buffer size and an "invalid" sentinel; which API
        // is called cannot be recovered from the rule.
        $sequence_3 = { 6800400000 6a00 c744241c00000000 c744242000400000 c7442418ffffffff ff15???????? 50 }
            // n = 7, score = 100
            //   6800400000           | push                0x4000
            //   6a00                 | push                0
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0
            //   c744242000400000     | mov                 dword ptr [esp + 0x20], 0x4000
            //   c7442418ffffffff     | mov                 dword ptr [esp + 0x18], 0xffffffff
            //   ff15????????         |                     
            //   50                   | push                eax

        // Loads small immediates (0x28, 0x36, 0x34, 0x64, 0x49) into five registers
        // around two register saves; constant setup whose meaning is not
        // recoverable here.
        $sequence_4 = { bb28000000 56 be36000000 ba34000000 bd64000000 57 bf49000000 }
            // n = 7, score = 100
            //   bb28000000           | mov                 ebx, 0x28
            //   56                   | push                esi
            //   be36000000           | mov                 esi, 0x36
            //   ba34000000           | mov                 edx, 0x34
            //   bd64000000           | mov                 ebp, 0x64
            //   57                   | push                edi
            //   bf49000000           | mov                 edi, 0x49

        // Writes six byte constants into consecutive stack bytes [esp+0x1a..0x1f]:
        // an inline stack-built byte buffer (constant table or encoded string —
        // TODO confirm). Byte-immediate stores like this are a stable anchor since
        // they survive relinking.
        $sequence_5 = { c644241a61 c644241bc1 c644241c13 c644241d96 c644241efa c644241f15 751e }
            // n = 7, score = 100
            //   c644241a61           | mov                 byte ptr [esp + 0x1a], 0x61
            //   c644241bc1           | mov                 byte ptr [esp + 0x1b], 0xc1
            //   c644241c13           | mov                 byte ptr [esp + 0x1c], 0x13
            //   c644241d96           | mov                 byte ptr [esp + 0x1d], 0x96
            //   c644241efa           | mov                 byte ptr [esp + 0x1e], 0xfa
            //   c644241f15           | mov                 byte ptr [esp + 0x1f], 0x15
            //   751e                 | jne                 0x20

        // Loads ebp from a global (8b2d, address wildcarded) and compares it, and
        // then [ebp+0x24], against ebx with je branches; reads as two null/sentinel
        // checks on a global object if ebx holds zero here — TODO confirm.
        $sequence_6 = { 8b2d???????? 3beb 742e 8b4524 3bc3 7407 50 }
            // n = 7, score = 100
            //   8b2d????????         |                     
            //   3beb                 | cmp                 ebp, ebx
            //   742e                 | je                  0x30
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   3bc3                 | cmp                 eax, ebx
            //   7407                 | je                  9
            //   50                   | push                eax

        // Import call with arguments (ecx, 0), failure check on eax, then the
        // stack dword [esp+0x1c] is compared with 0x18 (24); the API is wildcarded.
        $sequence_7 = { 6a00 51 ff15???????? 85c0 0f8495000000 837c241c18 0f858a000000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8495000000         | je                  0x9b
            //   837c241c18           | cmp                 dword ptr [esp + 0x1c], 0x18
            //   0f858a000000         | jne                 0x90

        // Three-argument cdecl call (0x80, 0, esi) cleaned up with add esp,0xc and
        // immediately set up again with the same first two arguments; looks like a
        // 128-byte fill/copy helper invoked twice — TODO confirm.
        $sequence_8 = { 6880000000 6a00 56 e8???????? 83c40c 6880000000 6a00 }
            // n = 7, score = 100
            //   6880000000           | push                0x80
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6880000000           | push                0x80
            //   6a00                 | push                0

        // Unsigned bound check of [esp+0x10] against esi (jb to a far target), then
        // a byte flag at [esp+0xe] == 1 selects the [eax+0x20] field path — the
        // counterpart of the two-variant lookup in $sequence_2.
        $sequence_9 = { 39742410 0f82dc030000 807c240e01 7507 8b03 8b4020 eb05 }
            // n = 7, score = 100
            //   39742410             | cmp                 dword ptr [esp + 0x10], esi
            //   0f82dc030000         | jb                  0x3e2
            //   807c240e01           | cmp                 byte ptr [esp + 0xe], 1
            //   7507                 | jne                 9
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b4020               | mov                 eax, dword ptr [eax + 0x20]
            //   eb05                 | jmp                 7

    condition:
        // Any 7 of the 10 sequences, and the scanned object must be under
        // 107520 bytes (105 KiB). The size cap limits false positives on large
        // benign binaries that share a few generic sequences, but it also means
        // padded or inflated builds of the same code are not matched.
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_ransomware_w0 (20200325 | Detects MAKOP ransomware payload)
// Analyst-written signature (@VK_Intel) for the Makop ransomware payload.
// Three short plain strings are paired with two long code patterns (`??` marks
// wildcarded displacements and import addresses), and the condition requires at
// least four of the five, so no single generic string fires the rule on its own.
rule win_makop_ransomware_w0 {
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): no license is recorded here (the auto rule carries
        // "CC BY-SA 4.0"); check the source reference before redistributing.
        malpedia_license = ""

    strings:
        // printf-style format fragment, ASCII only (no `wide` modifier).
        $str1 = "-%08X"
        // Windows library name (Multiple Provider Router); presumably referenced for
        // network-resource enumeration — TODO confirm against the sample's imports.
        $str2 = "MPR.dll"
        // "\*.*" directory-wildcard suffix, matched only in its UTF-16 form; the
        // ASCII spelling does not count toward the condition.
        $str3 = "\\*.*" wide

        // Code pattern from the middle of a routine: a three-argument cdecl call
        // (push 8 / lea / push edx / lea / push eax / call; add esp,0xc), a
        // push-size / push 0 / call [..] / push eax / call [..] / mov ebx,eax /
        // test ebx,ebx sequence that reads like a heap-allocation idiom (import
        // targets are wildcarded — TODO confirm), and the epilogue xor eax,eax;
        // pop edi/esi/ebp/ebx; add esp,0xc; ret 8, i.e. a stdcall routine with two
        // stack arguments that returns 0 on this path.
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        // Function prologue: push ebp; mov ebp,esp; and esp,-8 (8-byte aligned
        // frame); mov eax,[global]; sub esp,0x264; test eax,eax; push ebx/esi/edi
        // (55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57). Later
        // it compares ebx against 0xfa (250) with an unsigned branch (81 fb fa 00
        // 00 00 72 ??) and loads edi with 5; the surrounding calls are wildcarded.
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    condition:
        // Branch 1: an MZ-headed object (uint16(0) == 0x5a4d is "MZ" read
        // little-endian) with any 4 of the 5 strings.
        // Branch 2: all 5 strings regardless of header, so headerless memory dumps
        // or carved blobs can still match. Unlike the auto rule there is no
        // filesize bound, so large scan targets are not excluded by size.
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}