SYMBOLCOMMON_NAMEaka. SYNONYMS
win.maktub (Back to overview)

Maktub

According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.

References
2018-05-29IntezerOmri Ben Bassat
@online{bassat:20180529:iron:5943a09, author = {Omri Ben Bassat}, title = {{Iron Cybercrime Group Under The Scope}}, date = {2018-05-29}, organization = {Intezer}, url = {https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/}, language = {English}, urldate = {2019-12-05} } Iron Cybercrime Group Under The Scope
Maktub Iron Group
2018-04-10Blaze's Security BlogBartBlaze
@online{bartblaze:20180410:maktub:e67ade0, author = {BartBlaze}, title = {{Maktub ransomware: possibly rebranded as Iron}}, date = {2018-04-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html}, language = {English}, urldate = {2019-07-10} } Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24Malwarebyteshasherezade
@online{hasherezade:20160324:maktub:fbe0f56, author = {hasherezade}, title = {{Maktub Locker – Beautiful And Dangerous}}, date = {2016-03-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/}, language = {English}, urldate = {2019-12-20} } Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules
[TLP:WHITE] win_maktub_auto (20230715 | Detects win.maktub.)
rule win_maktub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp

        $sequence_1 = { c744241000000000 837e0800 51 89642428 }
            // n = 4, score = 300
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   51                   | push                ecx
            //   89642428             | mov                 dword ptr [esp + 0x28], esp

        $sequence_2 = { ff15???????? f6c301 7432 8b75b8 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   7432                 | je                  0x34
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        $sequence_3 = { c744241000000000 51 50 ff15???????? 8b4c2410 8bf0 6a02 }
            // n = 7, score = 300
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8bf0                 | mov                 esi, eax
            //   6a02                 | push                2

        $sequence_4 = { ff15???????? f6c301 0f8414010000 8d46fc }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   0f8414010000         | je                  0x11a
            //   8d46fc               | lea                 eax, [esi - 4]

        $sequence_5 = { ff15???????? eb0a 57 6a08 50 ff15???????? }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   eb0a                 | jmp                 0xc
            //   57                   | push                edi
            //   6a08                 | push                8
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { e8???????? 8b75fc 0fb74d10 8d7ef4 8b45f8 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   0fb74d10             | movzx               ecx, word ptr [ebp + 0x10]
            //   8d7ef4               | lea                 edi, [esi - 0xc]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_7 = { ff15???????? ff75f8 ff15???????? 5f 5e b801000000 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1

        $sequence_8 = { ff7004 ff30 e8???????? 8bc7 }
            // n = 4, score = 200
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { c7451004000000 c7452802000000 897560 e8???????? 56 8d851cddffff 53 }
            // n = 7, score = 100
            //   c7451004000000       | mov                 dword ptr [ebp + 0x10], 4
            //   c7452802000000       | mov                 dword ptr [ebp + 0x28], 2
            //   897560               | mov                 dword ptr [ebp + 0x60], esi
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d851cddffff         | lea                 eax, [ebp - 0x22e4]
            //   53                   | push                ebx

        $sequence_10 = { 8d4e44 e8???????? 8d4508 c7450801000000 }
            // n = 4, score = 100
            //   8d4e44               | lea                 ecx, [esi + 0x44]
            //   e8????????           |                     
            //   8d4508               | lea                 eax, [ebp + 8]
            //   c7450801000000       | mov                 dword ptr [ebp + 8], 1

        $sequence_11 = { c74544e8d54900 eb18 8d4544 b9???????? }
            // n = 4, score = 100
            //   c74544e8d54900       | mov                 dword ptr [ebp + 0x44], 0x49d5e8
            //   eb18                 | jmp                 0x1a
            //   8d4544               | lea                 eax, [ebp + 0x44]
            //   b9????????           |                     

        $sequence_12 = { 8d4e48 50 e8???????? 8d4d08 }
            // n = 4, score = 100
            //   8d4e48               | lea                 ecx, [esi + 0x48]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4d08               | lea                 ecx, [ebp + 8]

        $sequence_13 = { c7454007000000 e8???????? 8d8538faffff 50 }
            // n = 4, score = 100
            //   c7454007000000       | mov                 dword ptr [ebp + 0x40], 7
            //   e8????????           |                     
            //   8d8538faffff         | lea                 eax, [ebp - 0x5c8]
            //   50                   | push                eax

        $sequence_14 = { c7452040000000 8d4d28 895d24 c70424???????? }
            // n = 4, score = 100
            //   c7452040000000       | mov                 dword ptr [ebp + 0x20], 0x40
            //   8d4d28               | lea                 ecx, [ebp + 0x28]
            //   895d24               | mov                 dword ptr [ebp + 0x24], ebx
            //   c70424????????       |                     

        $sequence_15 = { c7455001000000 50 8d4514 be01000080 }
            // n = 4, score = 100
            //   c7455001000000       | mov                 dword ptr [ebp + 0x50], 1
            //   50                   | push                eax
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   be01000080           | mov                 esi, 0x80000001

        $sequence_16 = { 8d4e44 e8???????? 8d4e34 e8???????? 8d4e14 }
            // n = 5, score = 100
            //   8d4e44               | lea                 ecx, [esi + 0x44]
            //   e8????????           |                     
            //   8d4e34               | lea                 ecx, [esi + 0x34]
            //   e8????????           |                     
            //   8d4e14               | lea                 ecx, [esi + 0x14]

        $sequence_17 = { 8d4e40 e8???????? 8d4df0 e8???????? }
            // n = 4, score = 100
            //   8d4e40               | lea                 ecx, [esi + 0x40]
            //   e8????????           |                     
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     

        $sequence_18 = { 8d4e40 e8???????? 8d4e30 e8???????? 8d4e1c }
            // n = 5, score = 100
            //   8d4e40               | lea                 ecx, [esi + 0x40]
            //   e8????????           |                     
            //   8d4e30               | lea                 ecx, [esi + 0x30]
            //   e8????????           |                     
            //   8d4e1c               | lea                 ecx, [esi + 0x1c]

        $sequence_19 = { 8d4e3c e8???????? 8d4e2c e8???????? 8d4e1c e8???????? 8d4e0c }
            // n = 7, score = 100
            //   8d4e3c               | lea                 ecx, [esi + 0x3c]
            //   e8????????           |                     
            //   8d4e2c               | lea                 ecx, [esi + 0x2c]
            //   e8????????           |                     
            //   8d4e1c               | lea                 ecx, [esi + 0x1c]
            //   e8????????           |                     
            //   8d4e0c               | lea                 ecx, [esi + 0xc]

        $sequence_20 = { c745140f000000 885d00 85c0 0f845a010000 }
            // n = 4, score = 100
            //   c745140f000000       | mov                 dword ptr [ebp + 0x14], 0xf
            //   885d00               | mov                 byte ptr [ebp], bl
            //   85c0                 | test                eax, eax
            //   0f845a010000         | je                  0x160

        $sequence_21 = { 8d4e40 e8???????? 8d4e50 e8???????? 8bc6 }
            // n = 5, score = 100
            //   8d4e40               | lea                 ecx, [esi + 0x40]
            //   e8????????           |                     
            //   8d4e50               | lea                 ecx, [esi + 0x50]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

    condition:
        7 of them and filesize < 3063808
}
Download all Yara Rules