SYMBOLCOMMON_NAMEaka. SYNONYMS
win.maui (Back to overview)

Maui Ransomware

Actor(s): Silent Chollima

There is no description at this point.

References
2022-08-09KasperskyKurt Baumgartner, Seongsu Park
@online{baumgartner:20220809:andariel:89d6b24, author = {Kurt Baumgartner and Seongsu Park}, title = {{Andariel deploys DTrack and Maui ransomware}}, date = {2022-08-09}, organization = {Kaspersky}, url = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/}, language = {English}, urldate = {2022-08-11} } Andariel deploys DTrack and Maui ransomware
Dtrack Maui Ransomware
2022-07-06StairwellSilas Cutler
@techreport{cutler:20220706:maui:1d2ddc2, author = {Silas Cutler}, title = {{Maui Ransomware}}, date = {2022-07-06}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf}, language = {English}, urldate = {2022-07-06} } Maui Ransomware
Maui Ransomware
2022-07-06CISAFBI, CISA, Department of the Treasury (Treasury)
@online{fbi:20220706:alert:4231af8, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector}}, date = {2022-07-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-187a}, language = {English}, urldate = {2022-07-13} } Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
Maui Ransomware
2022-07-06CISAFBI, CISA, Department of the Treasury (Treasury)
@techreport{fbi:20220706:csa:fcffb49, author = {FBI and CISA and Department of the Treasury (Treasury)}, title = {{CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF)}}, date = {2022-07-06}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf}, language = {English}, urldate = {2022-07-13} } CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF)
Maui Ransomware
Yara Rules
[TLP:WHITE] win_maui_auto (20230125 | Detects win.maui.)
rule win_maui_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.maui."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a3???????? c705????????1b224100 c705????????fc184100 c705????????5e184100 c705????????eb174100 c3 8bff }
            // n = 7, score = 100
            //   a3????????           |                     
            //   c705????????1b224100     |     
            //   c705????????fc184100     |     
            //   c705????????5e184100     |     
            //   c705????????eb174100     |     
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_1 = { 81e6000000ff 33d6 8bf1 81e6ff000000 0fb634b5d0a14800 33d6 335508 }
            // n = 7, score = 100
            //   81e6000000ff         | and                 esi, 0xff000000
            //   33d6                 | xor                 edx, esi
            //   8bf1                 | mov                 esi, ecx
            //   81e6ff000000         | and                 esi, 0xff
            //   0fb634b5d0a14800     | movzx               esi, byte ptr [esi*4 + 0x48a1d0]
            //   33d6                 | xor                 edx, esi
            //   335508               | xor                 edx, dword ptr [ebp + 8]

        $sequence_2 = { 5f 5e c3 56 8b742408 837e5c00 b801000000 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   837e5c00             | cmp                 dword ptr [esi + 0x5c], 0
            //   b801000000           | mov                 eax, 1

        $sequence_3 = { 895c2428 55 8b6e08 03ed 03ed 0f8581000000 8b442428 }
            // n = 7, score = 100
            //   895c2428             | mov                 dword ptr [esp + 0x28], ebx
            //   55                   | push                ebp
            //   8b6e08               | mov                 ebp, dword ptr [esi + 8]
            //   03ed                 | add                 ebp, ebp
            //   03ed                 | add                 ebp, ebp
            //   0f8581000000         | jne                 0x87
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]

        $sequence_4 = { 89442404 85ed 0f84c8020000 53 56 57 6a01 }
            // n = 7, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   85ed                 | test                ebp, ebp
            //   0f84c8020000         | je                  0x2ce
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a01                 | push                1

        $sequence_5 = { 03de 03d5 895c241c 85f6 7e2f 89742410 8bcd }
            // n = 7, score = 100
            //   03de                 | add                 ebx, esi
            //   03d5                 | add                 edx, ebp
            //   895c241c             | mov                 dword ptr [esp + 0x1c], ebx
            //   85f6                 | test                esi, esi
            //   7e2f                 | jle                 0x31
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   8bcd                 | mov                 ecx, ebp

        $sequence_6 = { e8???????? 83c404 8d9b00000000 8b44245c 83f80a 7c0b bf0a000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   8b44245c             | mov                 eax, dword ptr [esp + 0x5c]
            //   83f80a               | cmp                 eax, 0xa
            //   7c0b                 | jl                  0xd
            //   bf0a000000           | mov                 edi, 0xa

        $sequence_7 = { 51 e8???????? 83c410 85c0 0f8e0b020000 8b4c2424 53 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f8e0b020000         | jle                 0x211
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   53                   | push                ebx

        $sequence_8 = { 017e04 2bdf 817e04de050000 7e17 68???????? 68d9010000 68???????? }
            // n = 7, score = 100
            //   017e04               | add                 dword ptr [esi + 4], edi
            //   2bdf                 | sub                 ebx, edi
            //   817e04de050000       | cmp                 dword ptr [esi + 4], 0x5de
            //   7e17                 | jle                 0x19
            //   68????????           |                     
            //   68d9010000           | push                0x1d9
            //   68????????           |                     

        $sequence_9 = { 2c89 4c 2408 89542410 }
            // n = 4, score = 100
            //   2c89                 | sub                 al, 0x89
            //   4c                   | dec                 esp
            //   2408                 | and                 al, 8
            //   89542410             | mov                 dword ptr [esp + 0x10], edx

    condition:
        7 of them and filesize < 1616896
}
Download all Yara Rules