There is no description at this point.
rule win_makop_ransomware_auto {

    // Autogenerated (yara-signator) rule for the Makop ransomware family.
    // It carries ten short x86 code sequences lifted from the disassembly of
    // Malpedia samples; a match needs at least seven of them in an object no
    // larger than 107520 bytes. Because the size bound is part of the condition,
    // larger objects never match even when every sequence is present, so the
    // rule is aimed at unpacked / on-disk payloads rather than large dumps.

    meta:
        author              = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                = "2020-12-22"
        version             = "1"
        description         = "autogenerated rule brought to you by yara-signator"
        tool                = "yara-signator v0.6.0"
        signator_config     = "callsandjumps;datarefs;binvalue"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_rule_date  = "20201222"
        malpedia_hash       = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version    = "20201023"
        malpedia_license    = "CC BY-SA 4.0"
        malpedia_sharing    = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence is written one byte per token; "??" wildcards cover
        // relocated call / memory operands. The trailing comments reproduce the
        // generator's disassembly of the matched bytes.

        // n = 7, score = 100
        $sequence_0 = { 6a 04                      // push 4
                        8d 54 24 08                // lea edx, [esp + 8]
                        52                         // push edx
                        6a 18                      // push 0x18
                        50                         // push eax
                        c7 44 24 14 00 00 00 00    // mov dword ptr [esp + 0x14], 0
                        ff 15 ?? ?? ?? ?? }        // (indirect call, target wildcarded)

        // n = 6, score = 100
        $sequence_1 = { 8d 44 24 10                // lea eax, [esp + 0x10]
                        e8 ?? ?? ?? ??             // (relative call, target wildcarded)
                        6a 00                      // push 0
                        6a 00                      // push 0
                        6a 00                      // push 0
                        6a 00 }                    // push 0

        // n = 6, score = 100
        $sequence_2 = { 74 03                      // je 5
                        50                         // push eax
                        ff d6                      // call esi
                        8b 44 24 10                // mov eax, dword ptr [esp + 0x10]
                        83 f8 ff                   // cmp eax, -1
                        74 03 }                    // je 5

        // n = 6, score = 100
        $sequence_3 = { 57                         // push edi
                        6a 2c                      // push 0x2c
                        33 db                      // xor ebx, ebx
                        53                         // push ebx
                        ff d6                      // call esi
                        8b 3d ?? ?? ?? ?? }        // (mov edi, [mem], address wildcarded)

        // n = 7, score = 100
        $sequence_4 = { 0f b7 4c 17 02             // movzx ecx, word ptr [edi + edx + 2]
                        83 c2 02                   // add edx, 2
                        0f b7 ee                   // movzx ebp, si
                        2b cd                      // sub ecx, ebp
                        74 e8                      // je 0xffffffea
                        33 ed                      // xor ebp, ebp
                        3b cd }                    // cmp ecx, ebp

        // n = 7, score = 100
        $sequence_5 = { 74 20                      // je 0x22
                        83 7c 24 0c 08             // cmp dword ptr [esp + 0xc], 8
                        72 19                      // jb 0x1b
                        8b 44 24 10                // mov eax, dword ptr [esp + 0x10]
                        8b 4c 24 14                // mov ecx, dword ptr [esp + 0x14]
                        50                         // push eax
                        51 }                       // push ecx

        // n = 7, score = 100
        $sequence_6 = { 85 c0                      // test eax, eax
                        75 1a                      // jne 0x1c
                        ff 15 ?? ?? ?? ??          // (indirect call, target wildcarded)
                        8b 4c 24 04                // mov ecx, dword ptr [esp + 4]
                        51                         // push ecx
                        ff 15 ?? ?? ?? ??          // (indirect call, target wildcarded)
                        32 c0 }                    // xor al, al

        // n = 6, score = 100
        $sequence_7 = { 56                         // push esi
                        6a 00                      // push 0
                        ff d7                      // call edi
                        50                         // push eax
                        ff 15 ?? ?? ?? ??          // (indirect call, target wildcarded)
                        6a 08 }                    // push 8

        // n = 7, score = 100
        $sequence_8 = { ff d3                      // call ebx
                        50                         // push eax
                        ff d7                      // call edi
                        8b 46 28                   // mov eax, dword ptr [esi + 0x28]
                        85 c0                      // test eax, eax
                        74 1a                      // je 0x1c
                        b9 2c 00 00 00 }           // mov ecx, 0x2c

        // n = 7, score = 100
        $sequence_9 = { 8b 44 24 18                // mov eax, dword ptr [esp + 0x18]
                        8b 54 24 14                // mov edx, dword ptr [esp + 0x14]
                        8b cf                      // mov ecx, edi
                        e8 ?? ?? ?? ??             // (relative call, target wildcarded)
                        85 c0                      // test eax, eax
                        0f 84 db 02 00 00          // je 0x2e1
                        8b 44 24 14 }              // mov eax, dword ptr [esp + 0x14]

    condition:
        // Size bound first, then the sequence threshold; both must hold.
        filesize < 107520 and 7 of ($sequence_*)
}
rule win_makop_ransomware_w0 {

    // Hand-written detection for the Makop ransomware payload (author @VK_Intel).
    // Three short text strings plus two longer x86 code patterns; the condition
    // requires either an MZ header with at least four of the five strings, or
    // all five strings regardless of header (so an object without an MZ header,
    // such as a raw memory region, only matches when everything is present).
    // The short strings ($str1..$str3) are generic on their own; the 4-of-5
    // threshold guarantees at least one code pattern is part of every match.

    meta:
        description         = "Detects MAKOP ransomware payload"
        author              = "@VK_Intel"
        reference           = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp                 = "white"
        date                = "2020-03-23"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_version    = "20200325"
        malpedia_sharing    = "TLP:WHITE"
        malpedia_license    = ""   // left empty in the published rule; not changed here

    strings:
        $str1  = "-%08X"            // printf-style format, ASCII
        $str2  = "MPR.dll"          // ASCII
        $str3  = "\\*.*" wide       // single backslash + "*.*", UTF-16LE

        // Code pattern; "??" wildcards stand for relocated operands / displacements.
        $dec1  = {
            8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ??
            66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ??
            0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ??
            8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c
            8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00
            89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ??
            83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00
        }

        // Function prologue pattern (push ebp / mov ebp, esp / and esp, -8 ...).
        $start = {
            55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ??
            6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51
            e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ??
            50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ??
            8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ??
            8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??
        }

    condition:
        // 0x5a4d read little-endian at offset 0 is the "MZ" DOS header magic.
        all of them
        or ( uint16(0) == 0x5a4d and 4 of them )
}