Maktub (Malware Family)

Maktub

According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.
References

2018-05-29 ⋅ Intezer ⋅ Omri Ben Bassat
Iron Cybercrime Group Under The Scope
Maktub Iron Group
2018-04-10 ⋅ Blaze's Security Blog ⋅ BartBlaze
Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24 ⋅ Malwarebytes ⋅ hasherezade
Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules

[TLP:WHITE] win_maktub_auto (20230407 | Detects win.maktub.)
rule win_maktub_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp

        $sequence_1 = { ff15???????? f6c301 7432 8b75b8 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   7432                 | je                  0x34
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        $sequence_2 = { c744241000000000 51 50 ff15???????? }
            // n = 4, score = 300
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { ff15???????? ff75f8 ff15???????? 5f 5e b801000000 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1

        $sequence_4 = { c744241000000000 837e0800 51 89642428 }
            // n = 4, score = 300
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   51                   | push                ecx
            //   89642428             | mov                 dword ptr [esp + 0x28], esp

        $sequence_5 = { ff15???????? f6c301 0f8414010000 8d46fc }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   f6c301               | test                bl, 1
            //   0f8414010000         | je                  0x11a
            //   8d46fc               | lea                 eax, [esi - 4]

        $sequence_6 = { ff15???????? eb0a 57 6a08 50 ff15???????? 8bc8 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   eb0a                 | jmp                 0xc
            //   57                   | push                edi
            //   6a08                 | push                8
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_7 = { ff7508 ffd0 8bc8 894de8 83f9ff 7509 c745f400000000 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8bc8                 | mov                 ecx, eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   83f9ff               | cmp                 ecx, -1
            //   7509                 | jne                 0xb
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0

        $sequence_8 = { ff7004 ff30 e8???????? 8bc7 5f 5e 5b }
            // n = 7, score = 200
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_9 = { 8d4e3c e8???????? 8d4e2c e8???????? }
            // n = 4, score = 100
            //   8d4e3c               | lea                 ecx, [esi + 0x3c]
            //   e8????????           |                     
            //   8d4e2c               | lea                 ecx, [esi + 0x2c]
            //   e8????????           |                     

        $sequence_10 = { 8d4e3c e8???????? 8d4c241c e8???????? }
            // n = 4, score = 100
            //   8d4e3c               | lea                 ecx, [esi + 0x3c]
            //   e8????????           |                     
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   e8????????           |                     

        $sequence_11 = { 8d4e3c e8???????? 8d4ddc e8???????? }
            // n = 4, score = 100
            //   8d4e3c               | lea                 ecx, [esi + 0x3c]
            //   e8????????           |                     
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     

        $sequence_12 = { 8d4e40 e8???????? 8d4df0 e8???????? }
            // n = 4, score = 100
            //   8d4e40               | lea                 ecx, [esi + 0x40]
            //   e8????????           |                     
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     

        $sequence_13 = { d548 7d2b 72db 85be6d80eec9 8518 37 91 }
            // n = 7, score = 100
            //   d548                 | aad                 0x48
            //   7d2b                 | jge                 0x2d
            //   72db                 | jb                  0xffffffdd
            //   85be6d80eec9         | test                dword ptr [esi - 0x36117f93], edi
            //   8518                 | test                dword ptr [eax], ebx
            //   37                   | aaa                 
            //   91                   | xchg                eax, ecx

        $sequence_14 = { d589 4a 2c97 99 }
            // n = 4, score = 100
            //   d589                 | aad                 0x89
            //   4a                   | dec                 edx
            //   2c97                 | sub                 al, 0x97
            //   99                   | cdq                 

        $sequence_15 = { d54b 59 2cdc 8d047589ee28cf }
            // n = 4, score = 100
            //   d54b                 | aad                 0x4b
            //   59                   | pop                 ecx
            //   2cdc                 | sub                 al, 0xdc
            //   8d047589ee28cf       | lea                 eax, [esi*2 - 0x30d71177]

        $sequence_16 = { 8d4e3c e8???????? 51 8d4e68 }
            // n = 4, score = 100
            //   8d4e3c               | lea                 ecx, [esi + 0x3c]
            //   e8????????           |                     
            //   51                   | push                ecx
            //   8d4e68               | lea                 ecx, [esi + 0x68]

        $sequence_17 = { d555 40 f9 c4b4c925105c47 }
            // n = 4, score = 100
            //   d555                 | aad                 0x55
            //   40                   | inc                 eax
            //   f9                   | stc                 
            //   c4b4c925105c47       | les                 esi, ptr [ecx + ecx*8 + 0x475c1025]

        $sequence_18 = { d5d3 ed ff19 334d43 }
            // n = 4, score = 100
            //   d5d3                 | aad                 0xd3
            //   ed                   | in                  eax, dx
            //   ff19                 | lcall               [ecx]
            //   334d43               | xor                 ecx, dword ptr [ebp + 0x43]

        $sequence_19 = { 8d4e34 ff7508 e8???????? 8d4dfc }
            // n = 4, score = 100
            //   8d4e34               | lea                 ecx, [esi + 0x34]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8d4dfc               | lea                 ecx, [ebp - 4]

        $sequence_20 = { d54d 5b 660fc8 59 }
            // n = 4, score = 100
            //   d54d                 | aad                 0x4d
            //   5b                   | pop                 ebx
            //   660fc8               | bswap               ax
            //   59                   | pop                 ecx

        $sequence_21 = { 8d4e34 e8???????? 8d4e44 e8???????? 8d4508 c7450801000000 }
            // n = 6, score = 100
            //   8d4e34               | lea                 ecx, [esi + 0x34]
            //   e8????????           |                     
            //   8d4e44               | lea                 ecx, [esi + 0x44]
            //   e8????????           |                     
            //   8d4508               | lea                 eax, [ebp + 8]
            //   c7450801000000       | mov                 dword ptr [ebp + 8], 1

    condition:
        7 of them and filesize < 3063808
}
Download all Yara Rules
Maktub Propose Change

References

Yara Rules

Maktub
