win.maui

Maui Ransomware

Actor(s): Silent Chollima (the Kaspersky reference below names the deploying actor as Andariel)


No description has been written for this family yet. What this page does document is in the references below: the joint FBI/CISA/Treasury advisory AA22-187A on North Korean state-sponsored actors using Maui ransomware against the Healthcare and Public Health sector, Stairwell's threat report on the ransomware itself, Kaspersky's report on Andariel deploying DTrack alongside Maui, and the 2023 #StopRansomware advisory on ransomware attacks on critical infrastructure funding DPRK activity.

References
2023-02-09 — NSA, FBI, CISA, HHS, ROK, DSA
@techreport{nsa:20230209:stopransomware:87d3a94, author = {NSA and FBI and CISA and HHS and ROK and DSA}, title = {{#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities}}, date = {2023-02-09}, institution = {}, url = {https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF}, language = {English}, urldate = {2023-02-13} } #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Maui Ransomware SiennaBlue SiennaPurple
2022-08-09 — Kaspersky — Kurt Baumgartner, Seongsu Park
@online{baumgartner:20220809:andariel:89d6b24, author = {Kurt Baumgartner and Seongsu Park}, title = {{Andariel deploys DTrack and Maui ransomware}}, date = {2022-08-09}, organization = {Kaspersky}, url = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/}, language = {English}, urldate = {2022-08-11} } Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware
2022-07-06 — Stairwell — Silas Cutler
@techreport{cutler:20220706:maui:1d2ddc2, author = {Silas Cutler}, title = {{Maui Ransomware}}, date = {2022-07-06}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf}, language = {English}, urldate = {2022-07-06} } Maui Ransomware
Maui Ransomware
2022-07-06 — CISA — FBI, CISA, Department of the Treasury (Treasury)
@online{fbi:20220706:alert:4231af8, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector}}, date = {2022-07-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-187a}, language = {English}, urldate = {2022-07-13} } Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
Maui Ransomware
2022-07-06 — CISA — FBI, CISA, Department of the Treasury (Treasury)
@techreport{fbi:20220706:csa:fcffb49, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF)}}, date = {2022-07-06}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf}, language = {English}, urldate = {2022-07-13} } CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF)
Maui Ransomware
Yara Rules
[TLP:WHITE] win_maui_auto (20230407 | Detects win.maui.)
// Auto-generated YARA signature for the Maui ransomware family (Malpedia id
// win.maui).  Each $sequence_N string below is a short run of x86 (32-bit)
// machine code taken from the disassembly of memory dumps / unpacked files
// (see DISCLAIMER); the per-byte disassembly is listed in the comments under
// each string.  Bytes written as ?? are wildcards: the 4-byte operand after
// e8 (near relative call) and after 68 (push imm32) is left open, presumably
// because that displacement / address differs between builds and load bases.
// The rule fires when at least 7 of the 10 sequences are present and the
// scanned object is smaller than 1616896 bytes (~1.54 MiB); see condition.
rule win_maui_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // date of this rule revision; malpedia_version below is the corpus
        // snapshot it was published with (2023-04-07), hence the two dates
        date = "2023-03-28"
        version = "1"
        description = "Detects win.maui."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // feature classes the generator used to pick sequences (calls/jumps,
        // data references, immediate values) - see the DISCLAIMER below
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui"
        malpedia_rule_date = "20230328"
        // NOTE(review): this looks like a Malpedia corpus/state identifier
        // rather than a sample hash - confirm before treating it as an IOC.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"   // no sharing restriction

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Practical notes for deployment:
    //  - "n" in the comments is the instruction count of the sequence,
    //    "score" the generator's ranking of it.
    //  - Sequences that contain only relative jumps and register moves
    //    (e.g. $sequence_4, $sequence_9) are layout-tolerant; the one with a
    //    hard-coded absolute address ($sequence_1) is not - see its note.
    //  - The rule was derived from packed-then-unpacked code, so it is meant
    //    for unpacked files and memory dumps, not for packed droppers.

    strings:
        // Caller-side stack cleanup of 12 bytes (presumably a 3-argument cdecl
        // call that precedes this sequence), return value tested for zero with
        // a long forward jump, then two arguments pushed for the next call.
        $sequence_0 = { 83c40c 85c0 0f84f4010000 8b5610 52 53 e8???????? }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84f4010000         | je                  0x1fa
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   52                   | push                edx
            //   53                   | push                ebx
            //   e8????????           |                     

        // Byte-indexed lookup (ebp masked to 0xff, scaled by 4) in a table at
        // the fixed address 0x48b9d0, xored into edx together with a struct
        // field at [esi+0x14] - looks like table-driven crypto/checksum code,
        // but that is an inference.  NOTE(review): the absolute address is part
        // of the pattern; if the image is relocated to a different base this
        // sequence will not match in a memory dump.
        $sequence_1 = { 8bef 81e5ff000000 3314add0b94800 8beb 335614 8bf0 c1ee10 }
            // n = 7, score = 100
            //   8bef                 | mov                 ebp, edi
            //   81e5ff000000         | and                 ebp, 0xff
            //   3314add0b94800       | xor                 edx, dword ptr [ebp*4 + 0x48b9d0]
            //   8beb                 | mov                 ebp, ebx
            //   335614               | xor                 edx, dword ptr [esi + 0x14]
            //   8bf0                 | mov                 esi, eax
            //   c1ee10               | shr                 esi, 0x10

        // After a (wildcarded) call: the result is saved to a stack slot, a
        // field at offset 0xc of an object pointed to from [esp+0x64] is read,
        // 28 bytes of arguments are popped and the field is null-checked.
        $sequence_2 = { e8???????? 8b4c2464 89442438 8b410c 83c41c 85c0 743b }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4c2464             | mov                 ecx, dword ptr [esp + 0x64]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   83c41c               | add                 esp, 0x1c
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x3d

        // sar eax,0x1f followed by sub/sbb on a register pair - presumably
        // sign-extension and 64-bit (two-register) subtraction; short (6
        // instructions) and purely register-based, so layout-tolerant.
        $sequence_3 = { 894e04 8bc8 c1f81f 2bca 8bd7 1bc2 }
            // n = 6, score = 100
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8bc8                 | mov                 ecx, eax
            //   c1f81f               | sar                 eax, 0x1f
            //   2bca                 | sub                 ecx, edx
            //   8bd7                 | mov                 edx, edi
            //   1bc2                 | sbb                 eax, edx

        // Control-flow skeleton: conditional branch, ebp zeroed, the constant 1
        // stored to [esp+0x30], and the immediate 0x429 pushed on another path.
        // Only relative jumps and stack-relative stores, no absolute addresses.
        $sequence_4 = { 742e 33ed c744243001000000 eb22 6829040000 eb05 }
            // n = 6, score = 100
            //   742e                 | je                  0x30
            //   33ed                 | xor                 ebp, ebp
            //   c744243001000000     | mov                 dword ptr [esp + 0x30], 1
            //   eb22                 | jmp                 0x24
            //   6829040000           | push                0x429
            //   eb05                 | jmp                 7

        // Fixed argument list before a call: the immediates 0x152, 0x20, 0x69,
        // 0x21 plus one wildcarded imm32 (68 ????????, presumably a pointer).
        // The four literal constants are what makes this sequence specific.
        $sequence_5 = { 755a 6852010000 68???????? 6a20 6a69 6a21 e8???????? }
            // n = 7, score = 100
            //   755a                 | jne                 0x5c
            //   6852010000           | push                0x152
            //   68????????           |                     
            //   6a20                 | push                0x20
            //   6a69                 | push                0x69
            //   6a21                 | push                0x21
            //   e8????????           |                     

        // Two pushed arguments (edi, ecx after increment) around a wildcarded
        // call, 12 bytes of cleanup and a zero-check of the return value.
        $sequence_6 = { 41 57 51 e8???????? 83c40c 85c0 0f84d9000000 }
            // n = 7, score = 100
            //   41                   | inc                 ecx
            //   57                   | push                edi
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84d9000000         | je                  0xdf

        // Return value of a wildcarded call stored to the local at [ebp-0xc]
        // and compared against -1 before branching - presumably an error
        // sentinel check (-1 as failure value); the second call is on the
        // not-equal path.
        $sequence_7 = { ff7508 e8???????? 83c410 8945f4 83f8ff 0f856f010000 e8???????? }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   83f8ff               | cmp                 eax, -1
            //   0f856f010000         | jne                 0x175
            //   e8????????           |                     

        // Call, 12-byte cleanup, then two consecutive null checks (eax and the
        // dword at [ebp+4]) each with a long forward jump.
        $sequence_8 = { e8???????? 83c40c 85c0 0f8401030000 837d0400 0f84f7020000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f8401030000         | je                  0x307
            //   837d0400             | cmp                 dword ptr [ebp + 4], 0
            //   0f84f7020000         | je                  0x2fd

        // Signed-less-than branch, the constant 8 stored to [esp+0x24], then a
        // one-argument call (ebx pushed, 4 bytes popped) with ecx cleared.
        $sequence_9 = { 7c0a c744242408000000 eb1c 53 e8???????? 33c9 83c404 }
            // n = 7, score = 100
            //   7c0a                 | jl                  0xc
            //   c744242408000000     | mov                 dword ptr [esp + 0x24], 8
            //   eb1c                 | jmp                 0x1e
            //   53                   | push                ebx
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   83c404               | add                 esp, 4

    condition:
        // Match threshold: any 7 of the 10 sequences, i.e. up to three may be
        // absent (e.g. changed by a recompile) without losing the detection.
        // The size bound (1616896 bytes, ~1.54 MiB) limits false positives and
        // scan cost on large binaries.  NOTE(review): `filesize` is only
        // defined when a file is scanned - confirm how this condition behaves
        // before relying on the rule for process-memory scans.
        7 of them and filesize < 1616896
}