win.maktub

Maktub


There is no description at this point.

References
2018-05-29 · Intezer · Omri Ben Bassat
@online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } Iron Cybercrime Group Under The Scope
Maktub, Iron Group
2018-04-10 · Blaze's Security Blog · BartBlaze
@online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24 · Malwarebytes · hasherezade
@online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules
[TLP:WHITE] win_maktub_auto (20220411 | Detects win.maktub.)
/*
 * win_maktub_auto: autogenerated (yara-signator) code-sequence rule for the
 * Maktub family. It does not look for strings, URLs or config artefacts; it
 * matches short x86 instruction byte sequences taken from the disassembly of
 * unpacked files / memory dumps (see DISCLAIMER below). Because the sequences
 * come from unpacked code, apply the rule to unpacked samples or memory dumps,
 * not to packed droppers on disk.
 *
 * Byte-string notation: each "$sequence_N" is a hex string; "??" wildcards mask
 * bytes whose value varies between builds (here the 4-byte relative operands of
 * call/jmp, e8/e9, which is why those lines carry no disassembly). The
 * "n = …, score = …" comments are emitted by the generator: n is the number of
 * instructions in the sequence (matches the listed lines); score is the
 * generator's weighting for the sequence - presumably how often / how uniquely
 * it was observed across the Malpedia samples, confirm against yara-signator.
 */
rule win_maktub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Highest-scoring sequence (400): a "call eax; neg/sbb/neg" idiom that
        // folds a call's return value into 0/1 before the epilogue. Compiler-
        // generic, so it is weak on its own - the condition needs 6 more hits.
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp

        // $sequence_1 .. $sequence_7 (score 300) are all struct/object field
        // initialisations through ecx/eax (constant stores at fixed offsets).
        $sequence_1 = { c7410411000000 c7410800000000 c7410c00000000 c7411000000000 }
            // n = 4, score = 300
            //   c7410411000000       | mov                 dword ptr [ecx + 4], 0x11
            //   c7410800000000       | mov                 dword ptr [ecx + 8], 0
            //   c7410c00000000       | mov                 dword ptr [ecx + 0xc], 0
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0

        $sequence_2 = { c7410801000000 5f 894104 8bc1 }
            // n = 4, score = 300
            //   c7410801000000       | mov                 dword ptr [ecx + 8], 1
            //   5f                   | pop                 edi
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   8bc1                 | mov                 eax, ecx

        $sequence_3 = { c7400801000000 c7400408000000 8bd6 c70000000000 c741f408000000 6a08 }
            // n = 6, score = 300
            //   c7400801000000       | mov                 dword ptr [eax + 8], 1
            //   c7400408000000       | mov                 dword ptr [eax + 4], 8
            //   8bd6                 | mov                 edx, esi
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   c741f408000000       | mov                 dword ptr [ecx - 0xc], 8
            //   6a08                 | push                8

        $sequence_4 = { c7410801000000 8bc6 894104 c70100000000 }
            // n = 4, score = 300
            //   c7410801000000       | mov                 dword ptr [ecx + 8], 1
            //   8bc6                 | mov                 eax, esi
            //   894104               | mov                 dword ptr [ecx + 4], eax
            //   c70100000000         | mov                 dword ptr [ecx], 0

        $sequence_5 = { c740f400000000 8b06 c60000 e9???????? }
            // n = 4, score = 300
            //   c740f400000000       | mov                 dword ptr [eax - 0xc], 0
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   c60000               | mov                 byte ptr [eax], 0
            //   e9????????           |                     

        $sequence_6 = { c7410400000000 8b410c 8902 ff4908 }
            // n = 4, score = 300
            //   c7410400000000       | mov                 dword ptr [ecx + 4], 0
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   8902                 | mov                 dword ptr [edx], eax
            //   ff4908               | dec                 dword ptr [ecx + 8]

        $sequence_7 = { c740f400000000 8b07 5f 5e c60000 c3 }
            // n = 6, score = 300
            //   c740f400000000       | mov                 dword ptr [eax - 0xc], 0
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c60000               | mov                 byte ptr [eax], 0
            //   c3                   | ret                 

        $sequence_8 = { ff7004 ff30 e8???????? 8bc7 }
            // n = 4, score = 200
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi

        // NOTE(review): the score-100 sequences $sequence_9, _10, _13, _15, _16
        // and _18 disassemble to implausible code for a user-mode binary
        // (in, int1, push ss, xlatb, fxch st(0), rcr with a huge displacement).
        // They look like data or packed/encrypted bytes that the generator
        // treated as instructions; they should carry low confidence - confirm
        // against the reference sample before relying on them.
        $sequence_9 = { 91 e503 98 bc2403a0e3 }
            // n = 4, score = 100
            //   91                   | xchg                eax, ecx
            //   e503                 | in                  eax, 3
            //   98                   | cwde                
            //   bc2403a0e3           | mov                 esp, 0xe3a00324

        $sequence_10 = { 91 f1 dc6041 91 }
            // n = 4, score = 100
            //   91                   | xchg                eax, ecx
            //   f1                   | int1                
            //   dc6041               | fsub                qword ptr [eax + 0x41]
            //   91                   | xchg                eax, ecx

        // $sequence_11/_12/_14/_17/_19/_20/_21 (score 100) share a "lea ecx,
        // [esi + off]; call ???" pattern - thiscall-style member initialisation
        // of an object held in esi, with the call targets masked.
        $sequence_11 = { 8d4e10 e8???????? 8d4e04 e8???????? 8bce }
            // n = 5, score = 100
            //   8d4e10               | lea                 ecx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   8d4e04               | lea                 ecx, dword ptr [esi + 4]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi

        $sequence_12 = { 8d4e14 e8???????? 668b4524 8d4d2c }
            // n = 4, score = 100
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   668b4524             | mov                 ax, word ptr [ebp + 0x24]
            //   8d4d2c               | lea                 ecx, dword ptr [ebp + 0x2c]

        $sequence_13 = { 91 ddc8 40 216d4c }
            // n = 4, score = 100
            //   91                   | xchg                eax, ecx
            //   ddc8                 | fxch                st(0), st(0)
            //   40                   | inc                 eax
            //   216d4c               | and                 dword ptr [ebp + 0x4c], ebp

        $sequence_14 = { 8d4e14 e8???????? bf80000000 8d4e24 }
            // n = 4, score = 100
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   bf80000000           | mov                 edi, 0x80
            //   8d4e24               | lea                 ecx, dword ptr [esi + 0x24]

        $sequence_15 = { 92 16 5d 59 }
            // n = 4, score = 100
            //   92                   | xchg                eax, edx
            //   16                   | push                ss
            //   5d                   | pop                 ebp
            //   59                   | pop                 ecx

        $sequence_16 = { 91 d7 c09ace4db6b318 40 }
            // n = 4, score = 100
            //   91                   | xchg                eax, ecx
            //   d7                   | xlatb               
            //   c09ace4db6b318       | rcr                 byte ptr [edx - 0x4c49b232], 0x18
            //   40                   | inc                 eax

        $sequence_17 = { 8d4e14 66894604 8b450c 894608 }
            // n = 4, score = 100
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   66894604             | mov                 word ptr [esi + 4], ax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894608               | mov                 dword ptr [esi + 8], eax

        $sequence_18 = { 91 8dad3cac8682 91 d7 }
            // n = 4, score = 100
            //   91                   | xchg                eax, ecx
            //   8dad3cac8682         | lea                 ebp, dword ptr [ebp - 0x7d7953c4]
            //   91                   | xchg                eax, ecx
            //   d7                   | xlatb               

        $sequence_19 = { 8d4e14 e8???????? 834e18ff 33c0 }
            // n = 4, score = 100
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   834e18ff             | or                  dword ptr [esi + 0x18], 0xffffffff
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { 8d4e10 e8???????? b8e8030000 8d4e1c }
            // n = 4, score = 100
            //   8d4e10               | lea                 ecx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   b8e8030000           | mov                 eax, 0x3e8
            //   8d4e1c               | lea                 ecx, dword ptr [esi + 0x1c]

        $sequence_21 = { 8d4e14 e8???????? 8d4e04 5e e9???????? 55 }
            // n = 6, score = 100
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   8d4e04               | lea                 ecx, dword ptr [esi + 4]
            //   5e                   | pop                 esi
            //   e9????????           |                     
            //   55                   | push                ebp

    condition:
        // Fires when at least 7 of the 22 sequences above are present (any
        // mix - a hit does not require the higher-scoring ones) AND the
        // scanned object is smaller than 3063808 bytes (0x2EC000, just under
        // 3 MiB). filesize is only defined when scanning a file, so scan
        // dumped/unpacked files rather than live process memory; raising the
        // bound or dropping it widens coverage at the cost of more scan time
        // and possible false positives on large binaries.
        7 of them and filesize < 3063808
}