win.mbrlock

MBRlock

aka: DexLocker

This ransomware overwrites the master boot record (MBR) of the victim's computer so that a ransom note is displayed at boot time, before Windows starts.

References
2018-02-09 — Bleeping Computer — Lawrence Abrams
@online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer
MBRlock
2018-02-08 — ID Ransomware — Andrew Ivanov
@online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } MBRlock Ransomware
MBRlock
2018-02-08 — Hybrid-Analysis — Hybrid-Analysis
@online{hybridanalysis:20180208:analysis:70d43bc, author = {Hybrid-Analysis}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } Analysis Run
MBRlock
2018-02-08 — ANY.RUN — ANY.RUN
@online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } ANY.RUN analysis of MBRLock
MBRlock
Yara Rules
[TLP:WHITE] win_mbrlock_auto (20220808 | Detects win.mbrlock.)
rule win_mbrlock_auto {

    // Autogenerated code-sequence rule for the MBRlock (DexLocker) family.
    // The strings below are x86 opcode byte sequences selected by
    // YARA-Signator from disassembly of memory dumps and unpacked files
    // (see the DISCLAIMER), so the rule targets unpacked code; a packed
    // sample on disk may not match until it is unpacked or dumped.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.mbrlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex string of consecutive x86 instruction bytes.
        // "??" is a YARA wildcard that matches any byte; the generator masks the
        // operands of call/jump targets and data references (signator_config
        // "callsandjumps;datarefs"), which is why the disassembly comment is
        // blank on those lines (e.g. "e8????????" is a call with a masked rel32).
        // In the per-sequence comments, "n" is the number of instructions in the
        // sequence; "score" is the generator's ranking value (its scale is not
        // documented here).
        //
        // NOTE(review): several sequences embed unmasked absolute addresses as
        // immediates (0x4a66c8 and 0x4a8690 in $sequence_0/$sequence_7;
        // 0x1001xxxx values in $sequence_2..$sequence_5). These presumably
        // depend on the image base of the sampled build, so those sequences
        // are likely to miss on a rebased or relocated image — confirm against
        // additional samples before assigning high confidence.
        $sequence_0 = { 8d8c2408010000 c684245801000000 899c2408010000 e8???????? 896c2418 c7442414c8664a00 8d44242c }
            // n = 7, score = 100
            //   8d8c2408010000       | lea                 ecx, [esp + 0x108]
            //   c684245801000000     | mov                 byte ptr [esp + 0x158], 0
            //   899c2408010000       | mov                 dword ptr [esp + 0x108], ebx
            //   e8????????           |                     
            //   896c2418             | mov                 dword ptr [esp + 0x18], ebp
            //   c7442414c8664a00     | mov                 dword ptr [esp + 0x14], 0x4a66c8
            //   8d44242c             | lea                 eax, [esp + 0x2c]

        $sequence_1 = { 50 6801000000 bb???????? e8???????? 83c410 8945dc }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6801000000           | push                1
            //   bb????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_2 = { 8b03 8b4cc704 85c9 7519 68804e0110 }
            // n = 5, score = 100
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b4cc704             | mov                 ecx, dword ptr [edi + eax*8 + 4]
            //   85c9                 | test                ecx, ecx
            //   7519                 | jne                 0x1b
            //   68804e0110           | push                0x10014e80

        $sequence_3 = { 689c4e0110 53 ff15???????? 83c408 eb05 bbd8540110 8b4604 }
            // n = 7, score = 100
            //   689c4e0110           | push                0x10014e9c
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   eb05                 | jmp                 7
            //   bbd8540110           | mov                 ebx, 0x100154d8
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_4 = { 68bc5d0110 56 50 53 8bcf e8???????? }
            // n = 6, score = 100
            //   68bc5d0110           | push                0x10015dbc
            //   56                   | push                esi
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_5 = { 68e8500110 50 ffd7 8b4e10 68c4500110 51 894614 }
            // n = 7, score = 100
            //   68e8500110           | push                0x100150e8
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   68c4500110           | push                0x100150c4
            //   51                   | push                ecx
            //   894614               | mov                 dword ptr [esi + 0x14], eax

        $sequence_6 = { e8???????? 83c408 8d4c2408 c7442464ffffffff e8???????? 8b4c245c 8bc6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d4c2408             | lea                 ecx, [esp + 8]
            //   c7442464ffffffff     | mov                 dword ptr [esp + 0x64], 0xffffffff
            //   e8????????           |                     
            //   8b4c245c             | mov                 ecx, dword ptr [esp + 0x5c]
            //   8bc6                 | mov                 eax, esi

        $sequence_7 = { 668b044d90864a00 c1ea0c 03d0 c1ea08 81e2ff000000 8bc2 884500 }
            // n = 7, score = 100
            //   668b044d90864a00     | mov                 ax, word ptr [ecx*2 + 0x4a8690]
            //   c1ea0c               | shr                 edx, 0xc
            //   03d0                 | add                 edx, eax
            //   c1ea08               | shr                 edx, 8
            //   81e2ff000000         | and                 edx, 0xff
            //   8bc2                 | mov                 eax, edx
            //   884500               | mov                 byte ptr [ebp], al

        $sequence_8 = { 5d c20400 57 ff15???????? 8bf0 46 8d0436 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   46                   | inc                 esi
            //   8d0436               | lea                 eax, [esi + esi]

        $sequence_9 = { e8???????? 8b4d08 89415c 8b45ec 85c0 7505 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   89415c               | mov                 dword ptr [ecx + 0x5c], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   e8????????           |                     

    condition:
        // Match when at least 7 of the 10 sequences above are present and the
        // scanned object is smaller than 2031616 bytes (1984 KiB). The
        // 7-of-10 threshold tolerates a few sequences missing (e.g. the ones
        // with build-specific absolute addresses) while still requiring most
        // of the family-specific code to be present.
        // NOTE(review): filesize is only meaningful when scanning a file;
        // confirm how this bound behaves for your process-memory scans before
        // relying on it there.
        7 of them and filesize < 2031616
}