win.makop_ransomware

Makop Ransomware


BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.

References
2023-03-12 Luca Mella
@online{mella:20230312:makop:66ffdb8, author = {Luca Mella}, title = {{Makop: The Toolkit of a Criminal Gang}}, date = {2023-03-12}, url = {https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11}, language = {English}, urldate = {2023-03-13} } Makop: The Toolkit of a Criminal Gang
Makop Ransomware
2021-08-13 LIFARS Vlad Pasca
@techreport{pasca:20210813:makop:3945430, author = {Vlad Pasca}, title = {{Makop Ransomware}}, date = {2021-08-13}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf}, language = {English}, urldate = {2022-01-20} } Makop Ransomware
Makop Ransomware
2021-02-01 Microsoft Microsoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2020-01-27 Twitter (@siri_urz) S!Ri
@online{sri:20200127:makop:078939c, author = {S!Ri}, title = {{Tweet on Makop Ransomware}}, date = {2020-01-27}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1221797493849018368}, language = {English}, urldate = {2020-03-25} } Tweet on Makop Ransomware
Makop Ransomware
Yara Rules
[TLP:WHITE] win_makop_ransomware_auto (20230125 | Detects win.makop_ransomware.)
rule win_makop_ransomware_auto {
    // Autogenerated (yara-signator) code-pattern rule for the Malpedia family
    // win.makop_ransomware: ten short sequences of 32-bit x86 instruction bytes
    // lifted from the disassembly of the reference sample(s). The `??` bytes
    // wildcard operands that differ between builds and load addresses (call
    // rel32 targets, absolute data addresses), so only the opcode skeleton is
    // matched. A hit needs 7 of the 10 sequences plus the size bound below.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.makop_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Straddles a function boundary: `add esp, 0x210 / ret` is one
        // function's epilogue, `push edi / mov edi, [addr] / push 0` is the
        // start of the next. The mov's absolute address is wildcarded.
        $sequence_0 = { 81c410020000 c3 57 8b3d???????? 6a00 }
            // n = 5, score = 100
            //   81c410020000         | add                 esp, 0x210
            //   c3                   | ret                 
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   6a00                 | push                0

        $sequence_1 = { 8b16 8b08 894a14 8b542418 8b02 85c0 }
            // n = 6, score = 100
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894a14               | mov                 dword ptr [edx + 0x14], ecx
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   85c0                 | test                eax, eax

        // `e8 ????????` is a call rel32 with the target wildcarded.
        $sequence_2 = { 51 6a0d e8???????? 8d542410 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   6a0d                 | push                0xd
            //   e8????????           |                     
            //   8d542410             | lea                 edx, [esp + 0x10]

        $sequence_3 = { 895c2424 e8???????? 3bc3 89442410 0f84bf000000 }
            // n = 5, score = 100
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   e8????????           |                     
            //   3bc3                 | cmp                 eax, ebx
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   0f84bf000000         | je                  0xc5

        $sequence_4 = { 89542410 895c2418 895c241c 895c2420 895c2424 745e 90 }
            // n = 7, score = 100
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   745e                 | je                  0x60
            //   90                   | nop                 

        // Stack-string construction: single bytes 0x6e 'n', 0x64 'd', 0x74 't'
        // and a terminating 0 are written to the stack before a call. Offsets
        // 0xb and 0xd are not part of the sequence, so the full string is not
        // recoverable from this excerpt.
        $sequence_5 = { c64424096e c644240a64 c644240c74 c644240e00 e8???????? 83c404 85c0 }
            // n = 7, score = 100
            //   c64424096e           | mov                 byte ptr [esp + 9], 0x6e
            //   c644240a64           | mov                 byte ptr [esp + 0xa], 0x64
            //   c644240c74           | mov                 byte ptr [esp + 0xc], 0x74
            //   c644240e00           | mov                 byte ptr [esp + 0xe], 0
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax

        // Straddles a function boundary (`xor eax, eax / ret`). The remainder
        // loads [ecx+4], null-checks it, moves it into ecx and loads [ecx+4]
        // again — looks like pointer chasing through a linked structure;
        // confirm against the sample before relying on that reading.
        $sequence_6 = { 33c0 c3 8b4104 85c0 7409 8bc8 8b4104 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   8bc8                 | mov                 ecx, eax
            //   8b4104               | mov                 eax, dword ptr [ecx + 4]

        // add/adc pair: a 64-bit addition of the qword at [edi+0x20] into the
        // qword at [eax+0x840], then a second add into [eax+0x838] guarded by
        // `test bl, bl`. Presumably 64-bit counters in a state structure —
        // the meaning of the fields is not recoverable from this excerpt.
        $sequence_7 = { 8b5720 019040080000 8b5724 119044080000 84db 742d 018838080000 }
            // n = 7, score = 100
            //   8b5720               | mov                 edx, dword ptr [edi + 0x20]
            //   019040080000         | add                 dword ptr [eax + 0x840], edx
            //   8b5724               | mov                 edx, dword ptr [edi + 0x24]
            //   119044080000         | adc                 dword ptr [eax + 0x844], edx
            //   84db                 | test                bl, bl
            //   742d                 | je                  0x2f
            //   018838080000         | add                 dword ptr [eax + 0x838], ecx

        // Two indirect calls through registers (edi, ebx), typical of
        // dynamically resolved imports held in registers.
        $sequence_8 = { ffd7 50 ffd3 eb02 33c0 8b0e }
            // n = 6, score = 100
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_9 = { 723f 01442418 8b44242c 8b5004 8b00 }
            // n = 5, score = 100
            //   723f                 | jb                  0x41
            //   01442418             | add                 dword ptr [esp + 0x18], eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8b00                 | mov                 eax, dword ptr [eax]

    condition:
        // 7 of the 10 sequences must be present. filesize is capped at
        // 107520 bytes (105 KiB), sized to the reference sample: larger
        // builds and packed or padded copies will not match. YARA's
        // filesize is undefined when scanning a live process, which makes
        // the condition evaluate as not matching — use this rule on files
        // and dumped images rather than process scans.
        7 of them and filesize < 107520
}
[TLP:WHITE] win_makop_ransomware_w0 (20200325 | Detects MAKOP ransomware payload)
rule win_makop_ransomware_w0 {
    // Hand-written rule (@VK_Intel, 2020-03-23) for the Makop payload:
    // three short text strings plus two long 32-bit x86 code patterns in
    // which operands (addresses, displacements, branch targets) are
    // wildcarded with `??` so only the opcode skeleton has to match.
    meta:
        description = "Detects MAKOP ransomware payload"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1242177227682390017"
        tlp = "white"
        date = "2020-03-23"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_version = "20200325"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        // printf-style format for an 8-digit upper-case hex value with a
        // leading dash. Generic on its own.
        $str1 = "-%08X"
        // Name of the Windows Multiple Provider Router (WNet* network APIs).
        // A legitimate library name, so weak evidence by itself.
        $str2 = "MPR.dll"
        // The literal `\*.*` as UTF-16 — a wildcard path suffix of the kind
        // used for directory enumeration.
        $str3 = "\\*.*" wide

        // Code pattern ending in a full epilogue: pop edi/esi/ebp/ebx,
        // `add esp, 0xc`, `ret 8` (callee removes 8 bytes of arguments).
        // Earlier it compares two 16-bit values (cmp ax, cx / movzx / sub)
        // and makes several wildcarded indirect calls; the function's role
        // is not recoverable from the bytes alone.
        $dec1 = { 8b ?? ?? 6a 08 8d ?? ?? ?? 52 8d ?? ?? ?? 50 e8 ?? ?? ?? ?? 66 ?? ?? ?? ?? 66 ?? ?? ?? ?? 83 c4 0c 66 3b c1 76 ?? 0f b7 c9 0f b7 f8 2b f9 74 ?? 57 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b d8 85 db 74 ?? 0f ?? ?? ?? ?? 03 ?? ?? 57 52 53 e8 ?? ?? ?? ?? 83 c4 0c 8d ?? ?? 55 ff ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 74 ?? 8b ?? ?? ?? 50 53 6a 00 6a 00 89 ?? 8b ?? ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 75 ?? ff ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 83 c4 04 33 c0 5f 5e 5d 5b 83 c4 0c c2 08 00}
        // Function prologue with 8-byte stack alignment: push ebp /
        // mov ebp, esp / and esp, -8 / mov eax, [addr] / sub esp, 0x264 /
        // test eax, eax / push ebx, esi, edi. Later a `cmp ebx, 0xfa` (250)
        // and `mov edi, 5` are fixed constants of the build; their meaning
        // is not recoverable here.
        $start = {55 8b ec 83 e4 f8 a1 ?? ?? ?? ?? 81 ec 64 02 00 00 85 c0 53 56 57 74 ?? 6a 00 50 ff ?? ?? ?? ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 0f ?? ?? ?? 8b ?? ?? 51 e8 ?? ?? ?? ?? 83 c4 04 84 c0 0f ?? ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? 8d ?? ?? 85 c0 0f ?? ?? ?? ?? ?? 50 6a 00 ff ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8b f0 85 f6 0f ?? ?? ?? ?? ?? 8b ?? ?? 80 ?? ?? ?? 75 ?? 81 fb fa 00 00 00 72 ?? 8b ?? ?? ?? ?? ?? 8b de e8 ?? ?? ?? ?? 8b ?? ?? 8b ?? ?? 83 c7 04 8d ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 8d ?? ?? ?? bf 05 00 00 00 eb ??}

    condition:
        // Branch 1: a PE (MZ magic) containing 4 of the 5 strings. Since
        // only one string may be missing, at least one of the two code
        // patterns ($dec1/$start) must match — the three text strings are
        // too generic to trigger on their own. Branch 2 (`all of them`)
        // only adds inputs that fail the MZ check but contain every
        // string, e.g. a memory dump or non-PE container. There is no
        // filesize cap (unlike win_makop_ransomware_auto), so large or
        // padded inputs are still in scope.
        ( uint16(0) == 0x5a4d and
        ( 4 of them )
        ) or ( all of them )
}