win.maktub (Back to overview)

Maktub


According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the archive is extracted and the document opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware appends a .NORV, .gyul, or other random extension to each encrypted file, which makes it straightforward to determine which files have been encrypted.

References
2018-05-29IntezerOmri Ben Bassat
Iron Cybercrime Group Under The Scope
Maktub Iron Group
2018-04-10Blaze's Security BlogBartBlaze
Maktub ransomware: possibly rebranded as Iron
Maktub
2016-03-24Malwarebyteshasherezade
Maktub Locker – Beautiful And Dangerous
Maktub
Yara Rules
[TLP:WHITE] win_maktub_auto (20230808 | Detects win.maktub.)
rule win_maktub_auto {

    /*
     * Auto-generated (yara-signator) code-sequence rule for the Maktub
     * ransomware family (Malpedia id win.maktub). Each $sequence_N below is a
     * short run of x86 opcode bytes taken from disassembly; the rule fires when
     * at least 7 of the 22 sequences are present in a file below the size cap
     * given in the condition. The "????????" wildcards sit where the
     * disassembly shows call/jmp displacements and absolute data references
     * (e.g. e8 ????????, ff15 ????????, a1 ????????), which appears to follow
     * from the "callsandjumps;datarefs" signator_config so that relocation
     * and layout differences between builds do not break the match — confirm
     * against the yara-signator documentation.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): this generation date postdates malpedia_rule_date and
        // malpedia_version below — presumably the rule was regenerated after
        // the Malpedia snapshot; confirm before using either as a provenance marker.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.maktub."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence annotations, "n" is the number of instructions in
        // the sequence and "score" is yara-signator's ranking of it; the higher
        // scored sequences are presumably the ones the tool found most
        // characteristic of the reference sample(s) — confirm against the
        // tool's docs before treating score as a confidence value.

        // Generic compiler idiom: call through eax, normalise the result to 0/1
        // (neg / sbb / neg), then restore esp from ebp. Such an epilogue shape
        // is likely common to many unrelated binaries, so this sequence adds
        // little specificity on its own despite its high score.
        $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 }
            // n = 5, score = 400
            //   ffd0                 | call                eax
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   f7d8                 | neg                 eax
            //   8be5                 | mov                 esp, ebp

        $sequence_1 = { c7450c00000000 50 6a01 56 }
            // n = 4, score = 300
            //   c7450c00000000       | mov                 dword ptr [ebp + 0xc], 0
            //   50                   | push                eax
            //   6a01                 | push                1
            //   56                   | push                esi

        // $sequence_2 .. $sequence_6: indirect calls through a function pointer
        // loaded from a fixed offset in a structure (e.g. [esi + 0xa4],
        // [esi + 0x90], [edi + 4]). Consistent with a table of dynamically
        // resolved function pointers, but the disassembly alone does not show
        // what the structure is — verify against the analysed sample.
        $sequence_2 = { ff30 8b86a4000000 ffd0 8b75b4 }
            // n = 4, score = 300
            //   ff30                 | push                dword ptr [eax]
            //   8b86a4000000         | mov                 eax, dword ptr [esi + 0xa4]
            //   ffd0                 | call                eax
            //   8b75b4               | mov                 esi, dword ptr [ebp - 0x4c]

        $sequence_3 = { ff30 8b83a4000000 ffd0 8b75d4 }
            // n = 4, score = 300
            //   ff30                 | push                dword ptr [eax]
            //   8b83a4000000         | mov                 eax, dword ptr [ebx + 0xa4]
            //   ffd0                 | call                eax
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]

        $sequence_4 = { ff7508 ffd7 50 ffd6 53 8b5d08 6af4 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd7                 | call                edi
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   6af4                 | push                -0xc

        $sequence_5 = { ff30 8b8690000000 6a00 ffd0 }
            // n = 4, score = 300
            //   ff30                 | push                dword ptr [eax]
            //   8b8690000000         | mov                 eax, dword ptr [esi + 0x90]
            //   6a00                 | push                0
            //   ffd0                 | call                eax

        $sequence_6 = { ff30 8b4704 6a00 56 ffd0 85c0 }
            // n = 6, score = 300
            //   ff30                 | push                dword ptr [eax]
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        // Wildcarded bytes: the blank disassembly column marks the masked
        // immediate/displacement of a jmp, an indirect call and an absolute
        // data reference.
        $sequence_7 = { c74508???????? e9???????? 50 ff15???????? 85c0 7f1e a1???????? }
            // n = 7, score = 300
            //   c74508????????       |                     
            //   e9????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7f1e                 | jg                  0x20
            //   a1????????           |                     

        $sequence_8 = { ff7004 ff30 e8???????? 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // $sequence_9 .. $sequence_12, $sequence_15 and $sequence_20 all begin
        // with f8 (clc) and decode to unusual instruction mixes (pushal,
        // bt bp,dx, aam 0xb5, adc ah,[edx+ecx*2]). These may come from
        // non-code bytes (data or packed regions) that happened to
        // disassemble; they are also the lowest-scored sequences. A match
        // driven mainly by these should be given less weight during triage.
        $sequence_9 = { f8 39dc f5 f7de }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   39dc                 | cmp                 esp, ebx
            //   f5                   | cmc                 
            //   f7de                 | neg                 esi

        $sequence_10 = { f8 57 c64424084b 88442404 }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   57                   | push                edi
            //   c64424084b           | mov                 byte ptr [esp + 8], 0x4b
            //   88442404             | mov                 byte ptr [esp + 4], al

        $sequence_11 = { f8 60 0145e0 f8 }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   60                   | pushal              
            //   0145e0               | add                 dword ptr [ebp - 0x20], eax
            //   f8                   | clc                 

        $sequence_12 = { f8 50 55 660fa3d5 }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   50                   | push                eax
            //   55                   | push                ebp
            //   660fa3d5             | bt                  bp, dx

        // $sequence_13, $sequence_14, $sequence_16 .. $sequence_19 and
        // $sequence_21: "lea ecx, [edi + N]" followed by a call, with N
        // stepping by 4. This looks like successive member initialisation with
        // ecx as the this-pointer (thiscall-style), i.e. compiler-generated
        // object construction — plausible but not verifiable from the bytes alone.
        $sequence_13 = { 8d4f0c e8???????? 8d4de8 e8???????? }
            // n = 4, score = 100
            //   8d4f0c               | lea                 ecx, [edi + 0xc]
            //   e8????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     

        $sequence_14 = { 8d4f04 8b01 ff7508 ff5010 8bd8 }
            // n = 5, score = 100
            //   8d4f04               | lea                 ecx, [edi + 4]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   8bd8                 | mov                 ebx, eax

        $sequence_15 = { f8 3a07 6868c51b01 8d7f01 }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   3a07                 | cmp                 al, byte ptr [edi]
            //   6868c51b01           | push                0x11bc568
            //   8d7f01               | lea                 edi, [edi + 1]

        $sequence_16 = { 8d4f04 8b45f4 8b31 2bc2 }
            // n = 4, score = 100
            //   8d4f04               | lea                 ecx, [edi + 4]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b31                 | mov                 esi, dword ptr [ecx]
            //   2bc2                 | sub                 eax, edx

        $sequence_17 = { 8d4f04 e8???????? 8d5608 8d4f08 }
            // n = 4, score = 100
            //   8d4f04               | lea                 ecx, [edi + 4]
            //   e8????????           |                     
            //   8d5608               | lea                 edx, [esi + 8]
            //   8d4f08               | lea                 ecx, [edi + 8]

        $sequence_18 = { 8d4f08 e8???????? 8d560c 8d4f0c e8???????? }
            // n = 5, score = 100
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   e8????????           |                     
            //   8d560c               | lea                 edx, [esi + 0xc]
            //   8d4f0c               | lea                 ecx, [edi + 0xc]
            //   e8????????           |                     

        $sequence_19 = { 8d4f0c e8???????? 5f 5e 5d c20400 }
            // n = 6, score = 100
            //   8d4f0c               | lea                 ecx, [edi + 0xc]
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4

        $sequence_20 = { f8 12644a00 40 d4b5 }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   12644a00             | adc                 ah, byte ptr [edx + ecx*2]
            //   40                   | inc                 eax
            //   d4b5                 | aam                 0xb5

        $sequence_21 = { 8d4f10 50 e8???????? 8d45f8 }
            // n = 4, score = 100
            //   8d4f10               | lea                 ecx, [edi + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]

    condition:
        // Any 7 of the 22 sequences suffice; no sequence is mandatory and the
        // scores above are not consulted, so a hit built only from the
        // score-100 sequences counts the same as one built from the
        // score-300/400 ones — keep that in mind when assigning confidence.
        // The size cap bounds scan cost and false positives on large files,
        // but it also means a Maktub payload embedded in a larger container
        // will not match, and filesize may not be meaningful when scanning
        // process memory — confirm with your YARA version before reusing the
        // rule in memory scans.
        7 of them and filesize < 3063808
}