SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mbrlock (Back to overview)

MBRlock

aka: DexLocker

This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.

References
2018-02-09Bleeping ComputerLawrence Abrams
@online{abrams:20180209:dexcrypt:a7d1f62, author = {Lawrence Abrams}, title = {{DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer}}, date = {2018-02-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/}, language = {English}, urldate = {2019-12-20} } DexCrypt MBRLocker Demands 30 Yuan To Gain Access to Computer
MBRlock
2018-02-08ID RansomwareAndrew Ivanov
@online{ivanov:20180208:mbrlock:2c9f6d5, author = {Andrew Ivanov}, title = {{MBRlock Ransomware}}, date = {2018-02-08}, organization = {ID Ransomware}, url = {http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html}, language = {Russian}, urldate = {2019-12-17} } MBRlock Ransomware
MBRlock
2018-02-08Hybrid-AnalysisHybrid-Analysis
@online{hybridanalysis:20180208:analysis:70d43bc, author = {Hybrid-Analysis}, title = {{Analysis Run}}, date = {2018-02-08}, organization = {Hybrid-Analysis}, url = {https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100}, language = {English}, urldate = {2020-01-08} } Analysis Run
MBRlock
2018-02-08ANY.RUNANY.RUN
@online{anyrun:20180208:anyrun:611fc13, author = {ANY.RUN}, title = {{ANY.RUN analysis of MBRLock}}, date = {2018-02-08}, organization = {ANY.RUN}, url = {https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d}, language = {English}, urldate = {2020-01-13} } ANY.RUN analysis of MBRLock
MBRlock
Yara Rules
[TLP:WHITE] win_mbrlock_auto (20230125 | Detects win.mbrlock.)
rule win_mbrlock_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.mbrlock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4dd0 8bc2 0bc1 0f8450feffff 83c708 83d300 81e100000080 }
            // n = 7, score = 100
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]
            //   8bc2                 | mov                 eax, edx
            //   0bc1                 | or                  eax, ecx
            //   0f8450feffff         | je                  0xfffffe56
            //   83c708               | add                 edi, 8
            //   83d300               | adc                 ebx, 0
            //   81e100000080         | and                 ecx, 0x80000000

        $sequence_1 = { 68a2000000 68804d0110 e8???????? 83c410 8b4508 50 ff15???????? }
            // n = 7, score = 100
            //   68a2000000           | push                0xa2
            //   68804d0110           | push                0x10014d80
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_2 = { 83c410 8b55ec 8b06 6a00 6a00 52 57 }
            // n = 7, score = 100
            //   83c410               | add                 esp, 0x10
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   52                   | push                edx
            //   57                   | push                edi

        $sequence_3 = { 8b4518 8b08 8b45d8 3bc8 7319 68fc600110 6a05 }
            // n = 7, score = 100
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   3bc8                 | cmp                 ecx, eax
            //   7319                 | jae                 0x1b
            //   68fc600110           | push                0x100160fc
            //   6a05                 | push                5

        $sequence_4 = { 83c404 85db 895ddc 7518 68804e0110 50 68fd030000 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   85db                 | test                ebx, ebx
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   7518                 | jne                 0x1a
            //   68804e0110           | push                0x10014e80
            //   50                   | push                eax
            //   68fd030000           | push                0x3fd

        $sequence_5 = { ffd7 894618 8b4610 688c500110 50 ffd7 8b4e10 }
            // n = 7, score = 100
            //   ffd7                 | call                edi
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   688c500110           | push                0x1001508c
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]

        $sequence_6 = { 6858190110 51 c745e401000000 e8???????? 8b03 8b4004 83f8ff }
            // n = 7, score = 100
            //   6858190110           | push                0x10011958
            //   51                   | push                ecx
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   e8????????           |                     
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   83f8ff               | cmp                 eax, -1

        $sequence_7 = { 894508 e9???????? 8b8bd4030000 c1e102 51 e8???????? 33f6 }
            // n = 7, score = 100
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   e9????????           |                     
            //   8b8bd4030000         | mov                 ecx, dword ptr [ebx + 0x3d4]
            //   c1e102               | shl                 ecx, 2
            //   51                   | push                ecx
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi

        $sequence_8 = { eb0f e8???????? 83f803 7405 e8???????? f6c308 7432 }
            // n = 7, score = 100
            //   eb0f                 | jmp                 0x11
            //   e8????????           |                     
            //   83f803               | cmp                 eax, 3
            //   7405                 | je                  7
            //   e8????????           |                     
            //   f6c308               | test                bl, 8
            //   7432                 | je                  0x34

        $sequence_9 = { 8b4608 5f 5e 5b c3 8bc7 5f }
            // n = 7, score = 100
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 2031616
}
Download all Yara Rules