win.meow (Back to overview)

Meow


According to PCrisk, MEOW is ransomware based on another ransomware family called CONTI. MEOW encrypts files and appends the ".MEOW" extension to their filenames. It also drops a "readme.txt" file (the ransom note). An example of how MEOW ransomware modifies filenames: it renames "1.jpg" to "1.jpg.MEOW", "2.png" to "2.png.MEOW", and so forth.

References
2022-08-22Andrew Ivanov
Meow Ransomware
Meow
Yara Rules
[TLP:WHITE] win_meow_auto (20260504 | Detects win.meow.)
rule win_meow_auto {

    /* Auto-generated code signature for win.meow (YARA-Signator).
     * Ten short (5-7 instruction) byte sequences lifted from unpacked / dumped
     * 32-bit x86 code (ebp-relative stack addressing throughout). The rule
     * fires when any 7 of the 10 sequences are present in a file smaller than
     * 492544 bytes. The hex strings ARE the detection content: do not hand-edit
     * them; regenerate the rule instead, which also refreshes the meta fields.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.meow."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meow"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Consecutive single-byte stores into a stack buffer, with the literal
        // alternating between a payload byte and 3/4. Consistent with an
        // obfuscated/inline string being built on the stack — unconfirmed.
        $sequence_0 = { c685eafeffff03 c685ebfeffff7a c685ecfeffff03 c685edfeffff70 c685eefeffff03 c685effeffff04 c685f0feffff03 }
            // n = 7, score = 100
            //   c685eafeffff03       | mov                 byte ptr [ebp - 0x116], 3
            //   c685ebfeffff7a       | mov                 byte ptr [ebp - 0x115], 0x7a
            //   c685ecfeffff03       | mov                 byte ptr [ebp - 0x114], 3
            //   c685edfeffff70       | mov                 byte ptr [ebp - 0x113], 0x70
            //   c685eefeffff03       | mov                 byte ptr [ebp - 0x112], 3
            //   c685effeffff04       | mov                 byte ptr [ebp - 0x111], 4
            //   c685f0feffff03       | mov                 byte ptr [ebp - 0x110], 3

        // Difference of two values compared (unsigned, `ja`) against an
        // argument at [ebp + 0x30], then `cmp ecx, 8`: reads like a
        // length/bounds check, but its exact purpose is not determinable
        // from these seven instructions alone.
        $sequence_1 = { 8b5df0 2bc3 8b7d30 3bf8 772f 83f908 8d043b }
            // n = 7, score = 100
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   2bc3                 | sub                 eax, ebx
            //   8b7d30               | mov                 edi, dword ptr [ebp + 0x30]
            //   3bf8                 | cmp                 edi, eax
            //   772f                 | ja                  0x31
            //   83f908               | cmp                 ecx, 8
            //   8d043b               | lea                 eax, [ebx + edi]

        // Compares the 16-bit element at [ecx + eax*2 - 2] with 0x5c ('\\').
        // The word-sized, *2-scaled access suggests a wide-char string and the
        // value a path separator, i.e. a trailing-backslash check — confirm.
        $sequence_2 = { 0f434d08 57 8975ec 66837c41fe5c 0f859d000000 c645f800 }
            // n = 6, score = 100
            //   0f434d08             | cmovae              ecx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   66837c41fe5c         | cmp                 word ptr [ecx + eax*2 - 2], 0x5c
            //   0f859d000000         | jne                 0xa3
            //   c645f800             | mov                 byte ptr [ebp - 8], 0

        // Takes the address of a stack buffer and fills it byte by byte
        // (payload bytes alternating with small constants) — same inline
        // construction pattern as $sequence_0; semantics unconfirmed.
        $sequence_3 = { 8d4d90 c6459000 c645916c c6459205 c645936d }
            // n = 5, score = 100
            //   8d4d90               | lea                 ecx, [ebp - 0x70]
            //   c6459000             | mov                 byte ptr [ebp - 0x70], 0
            //   c645916c             | mov                 byte ptr [ebp - 0x6f], 0x6c
            //   c6459205             | mov                 byte ptr [ebp - 0x6e], 5
            //   c645936d             | mov                 byte ptr [ebp - 0x6d], 0x6d

        // Per-byte arithmetic: (al - 0x48) * 9, signed divide by ebx, then
        // remainder + 0x7f. A character transform/decoding step is plausible
        // but not established by the sequence itself.
        $sequence_4 = { 0fb6c0 83e848 8d04c0 99 f7fb 8d427f 99 }
            // n = 7, score = 100
            //   0fb6c0               | movzx               eax, al
            //   83e848               | sub                 eax, 0x48
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   99                   | cdq                 
            //   f7fb                 | idiv                ebx
            //   8d427f               | lea                 eax, [edx + 0x7f]
            //   99                   | cdq                 

        // Byte stores into a large (~0x610-byte) stack frame, payload bytes
        // interleaved with 0xf; same inline-construction pattern as above.
        $sequence_5 = { c685f5f9ffff6d c685f6f9ffff0f c685f7f9ffff5b c685f8f9ffff0f 8d8df0f9ffff c685f9f9ffff0f }
            // n = 6, score = 100
            //   c685f5f9ffff6d       | mov                 byte ptr [ebp - 0x60b], 0x6d
            //   c685f6f9ffff0f       | mov                 byte ptr [ebp - 0x60a], 0xf
            //   c685f7f9ffff5b       | mov                 byte ptr [ebp - 0x609], 0x5b
            //   c685f8f9ffff0f       | mov                 byte ptr [ebp - 0x608], 0xf
            //   8d8df0f9ffff         | lea                 ecx, [ebp - 0x610]
            //   c685f9f9ffff0f       | mov                 byte ptr [ebp - 0x607], 0xf

        // Byte stores interleaved with 5, followed by taking the buffer's
        // address (likely passed to a decoder/consumer — unconfirmed).
        $sequence_6 = { c68555f8ffff52 c68556f8ffff05 c68557f8ffff63 c68558f8ffff05 c68559f8ffff77 c6855af8ffff05 8d8d50f8ffff }
            // n = 7, score = 100
            //   c68555f8ffff52       | mov                 byte ptr [ebp - 0x7ab], 0x52
            //   c68556f8ffff05       | mov                 byte ptr [ebp - 0x7aa], 5
            //   c68557f8ffff63       | mov                 byte ptr [ebp - 0x7a9], 0x63
            //   c68558f8ffff05       | mov                 byte ptr [ebp - 0x7a8], 5
            //   c68559f8ffff77       | mov                 byte ptr [ebp - 0x7a7], 0x77
            //   c6855af8ffff05       | mov                 byte ptr [ebp - 0x7a6], 5
            //   8d8d50f8ffff         | lea                 ecx, [ebp - 0x7b0]

        // Byte stores interleaved with 0x29; inline-construction pattern.
        $sequence_7 = { c6858ffeffff6c c68590feffff29 c68591feffff0a c68592feffff29 c68593feffff7c }
            // n = 5, score = 100
            //   c6858ffeffff6c       | mov                 byte ptr [ebp - 0x171], 0x6c
            //   c68590feffff29       | mov                 byte ptr [ebp - 0x170], 0x29
            //   c68591feffff0a       | mov                 byte ptr [ebp - 0x16f], 0xa
            //   c68592feffff29       | mov                 byte ptr [ebp - 0x16e], 0x29
            //   c68593feffff7c       | mov                 byte ptr [ebp - 0x16d], 0x7c

        // Byte stores interleaved with 0x5f ('_'); inline-construction pattern.
        $sequence_8 = { c6459b28 c6459c5f c6459d55 c6459e5f c6459f67 c645a05f }
            // n = 6, score = 100
            //   c6459b28             | mov                 byte ptr [ebp - 0x65], 0x28
            //   c6459c5f             | mov                 byte ptr [ebp - 0x64], 0x5f
            //   c6459d55             | mov                 byte ptr [ebp - 0x63], 0x55
            //   c6459e5f             | mov                 byte ptr [ebp - 0x62], 0x5f
            //   c6459f67             | mov                 byte ptr [ebp - 0x61], 0x67
            //   c645a05f             | mov                 byte ptr [ebp - 0x60], 0x5f

        // Looks like the head of a byte-processing loop: esi zeroed, edi set
        // to 0x7f, two multi-byte NOPs (0f1f..., i.e. alignment padding), then
        // a byte load from [ebp + esi - 0xbb] that is zero-extended. The NOP
        // encodings make this sequence sensitive to compiler/alignment choices.
        $sequence_9 = { 7540 33f6 8d7e7f 0f1f4000 0f1f840000000000 8a843545ffffff 0fb6c8 }
            // n = 7, score = 100
            //   7540                 | jne                 0x42
            //   33f6                 | xor                 esi, esi
            //   8d7e7f               | lea                 edi, [esi + 0x7f]
            //   0f1f4000             | nop                 dword ptr [eax]
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   8a843545ffffff       | mov                 al, byte ptr [ebp + esi - 0xbb]
            //   0fb6c8               | movzx               ecx, al

    // 7 of 10: up to three sequences may be absent (build variation) while the
    // remaining overlap keeps the match specific. The filesize bound
    // (492544 bytes, ~481 KiB) is presumably sized from the documented sample;
    // larger artifacts — padded or packed builds, whole process-memory dumps —
    // will not match even when all ten sequences are present, so relax or drop
    // the bound when scanning memory or carved regions.
    condition:
        7 of them and filesize < 492544
}