win.makop_ransomware

Makop Ransomware


According to BeforeCrypt, MAKOP ransomware first appeared in 2020 as an offshoot of the PHOBOS family and has infected a number of systems since then (the earliest reference below is a tweet from January 2020). Files encrypted by MAKOP typically receive the extension “.makop”, and the desktop wallpaper is commonly replaced as part of the infection. MAKOP uses RSA encryption. At the time of writing there is no known free decryption tool capable of recovering files encrypted by MAKOP, so recovery relies on backups rather than decryption.

References
2021-08-13LIFARSVlad Pasca
@techreport{pasca:20210813:makop:3945430, author = {Vlad Pasca}, title = {{Makop Ransomware}}, date = {2021-08-13}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf}, language = {English}, urldate = {2022-01-20} } Makop Ransomware
Makop Ransomware
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2020-01-27Twitter (@siri_urz)S!Ri
@online{sri:20200127:makop:078939c, author = {S!Ri}, title = {{Tweet on Makop Ransomware}}, date = {2020-01-27}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1221797493849018368}, language = {English}, urldate = {2020-03-25} } Tweet on Makop Ransomware
Makop Ransomware
Yara Rules
[TLP:WHITE] win_makop_ransomware_auto (20221125 | Detects win.makop_ransomware.)
rule win_makop_ransomware_auto {

    // Auto-generated code-sequence signature for Makop ransomware (yara-signator).
    // It matches on short x86 opcode sequences rather than on strings, so it is
    // tied to the specific build(s) the generator saw; see the disclaimer below
    // before assigning it a confidence level.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.makop_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Ten 7-instruction opcode sequences. Each pattern is raw bytes; the
    // `????????` wildcards stand for 4-byte operands the generator elided —
    // presumably absolute addresses / call targets that differ between builds
    // (confirm against the yara-signator documentation). The disassembly
    // comments below are as emitted by the generator.
    strings:
        $sequence_0 = { 8b15???????? 52 e8???????? ffd5 6a00 6a00 8bf0 }
            // n = 7, score = 100
            //   8b15????????         |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   ffd5                 | call                ebp
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 7507 8b0b 8b4124 eb05 8b13 8b422c 6a00 }
            // n = 7, score = 100
            //   7507                 | jne                 9
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b4124               | mov                 eax, dword ptr [ecx + 0x24]
            //   eb05                 | jmp                 7
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b422c               | mov                 eax, dword ptr [edx + 0x2c]
            //   6a00                 | push                0

        $sequence_2 = { 8da42400000000 8b0b 8b410c 50 6a00 ffd7 50 }
            // n = 7, score = 100
            //   8da42400000000       | lea                 esp, [esp]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   50                   | push                eax

        $sequence_3 = { 8b44240c 85c0 7403 50 ffd7 85f6 7403 }
            // n = 7, score = 100
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   85f6                 | test                esi, esi
            //   7403                 | je                  5

        $sequence_4 = { 85c0 5d 0f8596030000 8b0d???????? 50 68ef030000 51 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   5d                   | pop                 ebp
            //   0f8596030000         | jne                 0x39c
            //   8b0d????????         |                     
            //   50                   | push                eax
            //   68ef030000           | push                0x3ef
            //   51                   | push                ecx

        $sequence_5 = { 6aff 53 ff15???????? 53 ff15???????? 8b460c 50 }
            // n = 7, score = 100
            //   6aff                 | push                -1
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   50                   | push                eax

        $sequence_6 = { 8b2d???????? 3beb 742e 8b4524 3bc3 7407 50 }
            // n = 7, score = 100
            //   8b2d????????         |                     
            //   3beb                 | cmp                 ebp, ebx
            //   742e                 | je                  0x30
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   3bc3                 | cmp                 eax, ebx
            //   7407                 | je                  9
            //   50                   | push                eax

        $sequence_7 = { 8b74243c 8b3d???????? 6a01 56 ffd7 6a02 56 }
            // n = 7, score = 100
            //   8b74243c             | mov                 esi, dword ptr [esp + 0x3c]
            //   8b3d????????         |                     
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   6a02                 | push                2
            //   56                   | push                esi

        $sequence_8 = { 33f6 6a00 89742418 8974241c 32db ff15???????? 85c0 }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   6a00                 | push                0
            //   89742418             | mov                 dword ptr [esp + 0x18], esi
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   32db                 | xor                 bl, bl
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_9 = { 6a00 741c ff15???????? 50 ff15???????? 8b442408 5e }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   741c                 | je                  0x1e
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   5e                   | pop                 esi

    // At least 7 of the 10 sequences must be present AND the scanned object
    // must be smaller than 107520 bytes (105 KiB). Anything larger — e.g. a
    // packed or padded dropper carrying the same code — will not match
    // regardless of content.
    // NOTE(review): YARA's `filesize` is undefined when scanning process
    // memory rather than a file, so confirm the rule behaves as intended in a
    // live-memory scan pipeline before relying on it there.
    condition:
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_ransomware_w0   (20200325 | Detects MAKOP ransomware payload)
rule win_makop_ransomware_w0 {
    // Hand-written signature for the MAKOP ransomware payload (@VK_Intel,
    // 2020-03). It combines three short text atoms with two wildcarded x86
    // opcode patterns; the opcode patterns carry the specificity (see the
    // note on the condition below).
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        // NOTE(review): the license field is empty — check the source tweet /
        // Malpedia entry before redistributing this rule.
        malpedia_license = ""

    strings:
        // Text atoms. Each of these also occurs in plenty of benign software,
        // so none of them is a meaningful indicator on its own.
        // printf-style suffix of eight upper-case hex digits (presumably an ID
        // appended to file names — verify against a sample).
        $str1 = "-%08X"
        // Multiple Provider Router; presumably referenced for WNet* network
        // (share) enumeration — verify against the import table.
        $str2 = "MPR.dll"
        // UTF-16 "\*.*" directory wildcard, as used for file enumeration.
        $str3 = "\\*.*" wide

        // Opcode patterns with wildcarded operands. $dec1 ends with
        // `33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00` (xor eax,eax; pop edi/esi/ebp/ebx;
        // add esp,0xc; ret 8) — a complete epilogue of a function that returns 0
        // and pops 8 bytes of arguments. $start opens with the standard
        // `55 8b ec 83 e4 f8` prologue (push ebp; mov ebp,esp; and esp,-8),
        // allocates a 0x264-byte frame (81 ec 64 02 00 00) and later compares
        // ebx against 0xfa (81 fb fa 00 00 00). The names suggest a decoding
        // routine and the entry point respectively, but that is not established
        // by the pattern bytes themselves.
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    // Two ways to match:
    //  - on a PE (MZ magic at offset 0) any 4 of the 5 strings suffice; since
    //    only 3 of them are text atoms, this always requires at least one of
    //    the two opcode patterns, which is what keeps the rule specific;
    //  - on non-PE input (e.g. a memory dump) all five must be present.
    // There is deliberately no filesize bound, so this also applies to large
    // dumps where the auto-generated rule's size cap would exclude a hit.
    condition:
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}