win.maktub

Maktub


There is no description at this point.

References
2018-05-29IntezerOmri Ben Bassat
@online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } Iron Cybercrime Group Under The Scope
Maktub Iron Group
2018-04-10Blaze's Security BlogBartBlaze
@online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24Malwarebyteshasherezade
@online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules
[TLP:WHITE] win_maktub_auto (20230125 | Detects win.maktub.)
/*
 * Auto-generated code-sequence signature for the Maktub family (Malpedia id
 * win.maktub). Each $sequence_N is a short run of x86 instruction bytes
 * selected by YARA-Signator from unpacked samples / memory dumps (see the
 * DISCLAIMER in the meta section). The "??" bytes inside the hex strings are
 * YARA wildcards: they mask the 4-byte operand of the call instructions
 * (ff15 ???????? = call dword ptr [addr], e8 ???????? = call rel32) whose
 * targets differ between builds and image bases, which is why those lines
 * carry no disassembly in the per-sequence comments below.
 * The "score" value on each sequence is a yara-signator ranking metric;
 * see the linked tool repository for its exact meaning before using it to
 * weight individual sequences.
 */
rule win_maktub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp
            // NOTE(review): neg/sbb/neg is the common compiler idiom that
            // normalizes a return value to 0/1; it is not specific to this
            // family by itself.

        $sequence_1 = { ff15???????? eb0a 57 6a08 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   eb0a                 | jmp                 0xc
            //   57                   | push                edi
            //   6a08                 | push                8

        $sequence_2 = { ff30 6a00 6a00 6a00 }
            // n = 4, score = 300
            //   ff30                 | push                dword ptr [eax]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            // NOTE(review): a generic "push [eax]; push 0 x3" argument setup
            // with no wildcard-free distinctive bytes -- low specificity on
            // its own; the rule relies on the 7-of threshold in the condition.

        $sequence_3 = { ff15???????? f6c301 0f8414010000 8d46fc }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   0f8414010000         | je                  0x11a
            //   8d46fc               | lea                 eax, [esi - 4]

        $sequence_4 = { ff7508 ffd0 8bc8 894de8 83f9ff 7509 }
            // n = 6, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8bc8                 | mov                 ecx, eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   83f9ff               | cmp                 ecx, -1
            //   7509                 | jne                 0xb
            // NOTE(review): call through a register followed by a compare
            // against -1 looks like a dynamically resolved API call whose
            // result is checked for INVALID_HANDLE_VALUE/-1 -- confirm
            // against the sample before documenting it as such.

        $sequence_5 = { ff15???????? f6c301 7432 8b75b8 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   7432                 | je                  0x34
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        $sequence_6 = { ff15???????? ff75f8 ff15???????? 5f 5e b801000000 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1

        $sequence_7 = { ff15???????? ff75fc 8b4320 ffd0 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8b4320               | mov                 eax, dword ptr [ebx + 0x20]
            //   ffd0                 | call                eax

        $sequence_8 = { ff7004 ff30 e8???????? 8bc7 5f }
            // n = 5, score = 200
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

        $sequence_9 = { d2e1 18e1 d2d9 8a4d02 }
            // n = 4, score = 100
            //   d2e1                 | shl                 cl, cl
            //   18e1                 | sbb                 cl, ah
            //   d2d9                 | rcr                 cl, cl
            //   8a4d02               | mov                 cl, byte ptr [ebp + 2]
            // NOTE(review): this sequence (and $sequence_11 / $sequence_16,
            // which share the shl/sbb/rcr-on-byte-registers shape) does not
            // read like typical compiler output; it may come from a
            // hand-written or obfuscated routine, or from a misaligned
            // decode of data. Treat matches driven mainly by these
            // score-100 sequences with lower confidence.

        $sequence_10 = { 8d8d54ffffff e8???????? 6aff 56 }
            // n = 4, score = 100
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   e8????????           |                     
            //   6aff                 | push                -1
            //   56                   | push                esi

        $sequence_11 = { d2e0 8b4c2408 18f4 d2c0 }
            // n = 4, score = 100
            //   d2e0                 | shl                 al, cl
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   18f4                 | sbb                 ah, dh
            //   d2c0                 | rol                 al, cl

        $sequence_12 = { 8d8d54ffffff e8???????? 8bd0 8d8d64ffffff }
            // n = 4, score = 100
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   8d8d64ffffff         | lea                 ecx, [ebp - 0x9c]
            // NOTE(review): $sequence_12, _13, _14, _15, _17 and _20 are all
            // "lea ecx, [ebp - N]; call ..." pairs (ecx-as-this-pointer style
            // calls on stack-allocated objects). They overlap heavily in
            // shape and come from the same stack-frame layout, so several of
            // them can match the same function at once; do not count them as
            // independent evidence when assessing a hit.

        $sequence_13 = { 8d8d54ffffff e8???????? 8d4dac e8???????? }
            // n = 4, score = 100
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   e8????????           |                     
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   e8????????           |                     

        $sequence_14 = { 8d8d5cffffff e8???????? 8d8d4cffffff e8???????? 8d8d3cffffff e8???????? }
            // n = 6, score = 100
            //   8d8d5cffffff         | lea                 ecx, [ebp - 0xa4]
            //   e8????????           |                     
            //   8d8d4cffffff         | lea                 ecx, [ebp - 0xb4]
            //   e8????????           |                     
            //   8d8d3cffffff         | lea                 ecx, [ebp - 0xc4]
            //   e8????????           |                     

        $sequence_15 = { 8d8d5cffffff e8???????? 8bd0 8d8d6cffffff }
            // n = 4, score = 100
            //   8d8d5cffffff         | lea                 ecx, [ebp - 0xa4]
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   8d8d6cffffff         | lea                 ecx, [ebp - 0x94]

        $sequence_16 = { d2e0 20c8 d2d8 8a46ff f9 }
            // n = 5, score = 100
            //   d2e0                 | shl                 al, cl
            //   20c8                 | and                 al, cl
            //   d2d8                 | rcr                 al, cl
            //   8a46ff               | mov                 al, byte ptr [esi - 1]
            //   f9                   | stc                 

        $sequence_17 = { 8d8d54ffffff e8???????? 8d4dc0 e8???????? 807d1800 }
            // n = 5, score = 100
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   e8????????           |                     
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   e8????????           |                     
            //   807d1800             | cmp                 byte ptr [ebp + 0x18], 0

        $sequence_18 = { d2e2 e8???????? e8???????? 0000 }
            // n = 4, score = 100
            //   d2e2                 | shl                 dl, cl
            //   e8????????           |                     
            //   e8????????           |                     
            //   0000                 | add                 byte ptr [eax], al
            // NOTE(review): only 4 of the 14 bytes here are fixed (d2e2, e8,
            // e8, 0000); the trailing 0000 is most likely zero padding/data
            // rather than a real instruction, so this is the least specific
            // sequence in the set.

        $sequence_19 = { d2e0 60 e8???????? 368a02 }
            // n = 4, score = 100
            //   d2e0                 | shl                 al, cl
            //   60                   | pushal              
            //   e8????????           |                     
            //   368a02               | mov                 al, byte ptr ss:[edx]

        $sequence_20 = { 8d8d54ffffff e8???????? 6a01 8d4dbc e8???????? 50 8d8d64ffffff }
            // n = 7, score = 100
            //   8d8d54ffffff         | lea                 ecx, [ebp - 0xac]
            //   e8????????           |                     
            //   6a01                 | push                1
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d8d64ffffff         | lea                 ecx, [ebp - 0x9c]

        $sequence_21 = { d2e2 0810 3bf7 7caf }
            // n = 4, score = 100
            //   d2e2                 | shl                 dl, cl
            //   0810                 | or                  byte ptr [eax], dl
            //   3bf7                 | cmp                 esi, edi
            //   7caf                 | jl                  0xffffffb1

    condition:
        // Match when any 7 of the 22 sequences are present (no ordering or
        // proximity requirement) and the scanned object is under 3063808
        // bytes (~2.9 MiB). The size bound limits work on large files but
        // also means a padded/inflated sample would evade the rule. Note
        // that filesize refers to the scanned file; when scanning process
        // memory rather than files it may not be meaningful -- verify the
        // rule's behaviour in memory scans before relying on it there.
        7 of them and filesize < 3063808
}