win.mimic

Mimic Ransomware


According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English- and Russian-speaking users.

References
2023-01-26 — Trendmicro — Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa
@online{morales:20230126:new:c7aa03b, author = {Nathaniel Morales and Earle Maui Earnshaw and Don Ovid Ladores and Nick Dai and Nathaniel Gregory Ragasa}, title = {{New Mimic Ransomware Abuses Everything APIs for its Encryption Process}}, date = {2023-01-26}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html}, language = {English}, urldate = {2023-01-31} } New Mimic Ransomware Abuses Everything APIs for its Encryption Process
Mimic Ransomware
Yara Rules
[TLP:WHITE] win_mimic_auto (20230407 | Detects win.mimic.)
rule win_mimic_auto {

    // Auto-generated (yara-signator) code-sequence signature for win.mimic.
    // It matches on raw 32-bit x86 instruction bytes lifted from a
    // disassembled sample, not on strings, imports or behaviour; read the
    // DISCLAIMER below before assigning it a confidence level.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.mimic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is one contiguous run of instruction bytes; the
    // annotated disassembly under each string is documentation only.
    // "??" wildcards mask the 4-byte operand of e8 (call rel32) and
    // ff15 (call dword ptr [imm32]) so the pattern does not depend on the
    // address of the call target.
    strings:
        // NOTE(review): the "cmp dword ptr [reg + 0x14], 8 ; jb" pair below
        // (also in $sequence_5, and a similar "cmp edx, 8 ; jb" in $sequence_7)
        // looks like a compiler/STL small-buffer check rather than
        // family-specific logic; such bytes may also occur in unrelated binaries.
        $sequence_0 = { eb23 ff15???????? 8b4e08 83c118 83791408 7202 8b09 }
            // n = 7, score = 100
            //   eb23                 | jmp                 0x25
            //   ff15????????         |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   83c118               | add                 ecx, 0x18
            //   83791408             | cmp                 dword ptr [ecx + 0x14], 8
            //   7202                 | jb                  4
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_1 = { eb1c 8d4101 8b4de0 8901 ff4208 8b55e4 8b02 }
            // n = 7, score = 100
            //   eb1c                 | jmp                 0x1e
            //   8d4101               | lea                 eax, [ecx + 1]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   ff4208               | inc                 dword ptr [edx + 8]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   8b02                 | mov                 eax, dword ptr [edx]

        $sequence_2 = { 0f4345c0 50 e8???????? 33c9 0f1000 0f1185d8feffff f30f7e4010 }
            // n = 7, score = 100
            //   0f4345c0             | cmovae              eax, dword ptr [ebp - 0x40]
            //   50                   | push                eax
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   0f1000               | movups              xmm0, xmmword ptr [eax]
            //   0f1185d8feffff       | movups              xmmword ptr [ebp - 0x128], xmm0
            //   f30f7e4010           | movq                xmm0, qword ptr [eax + 0x10]

        $sequence_3 = { 56 e8???????? 83c404 83f810 7f29 8b74241c }
            // n = 6, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83f810               | cmp                 eax, 0x10
            //   7f29                 | jg                  0x2b
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]

        $sequence_4 = { ffd3 85c0 7517 8d85e8fdffff 50 ffb5b0f5ffff ffd6 }
            // n = 7, score = 100
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7517                 | jne                 0x19
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   50                   | push                eax
            //   ffb5b0f5ffff         | push                dword ptr [ebp - 0xa50]
            //   ffd6                 | call                esi

        $sequence_5 = { eb1d 8d45c0 3bc6 7416 837e1408 8bc6 7202 }
            // n = 7, score = 100
            //   eb1d                 | jmp                 0x1f
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   3bc6                 | cmp                 eax, esi
            //   7416                 | je                  0x18
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   8bc6                 | mov                 eax, esi
            //   7202                 | jb                  4

        $sequence_6 = { 6a00 6a00 ffd7 8b4e04 894608 85c9 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c9                 | test                ecx, ecx

        $sequence_7 = { e8???????? 83c40c c645fc16 8b55e0 83fa08 0f8299000000 8b4dcc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c645fc16             | mov                 byte ptr [ebp - 4], 0x16
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   83fa08               | cmp                 edx, 8
            //   0f8299000000         | jb                  0x9f
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]

        // NOTE(review): "lock xadd [esi + 8], edi ; dec edi ; jne" looks like
        // an atomic reference-count decrement, i.e. probably runtime/library
        // code rather than family-specific logic — weigh it accordingly.
        $sequence_8 = { c745fcffffffff 8b75ac 85f6 7441 f00fc17e08 4f 7539 }
            // n = 7, score = 100
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b75ac               | mov                 esi, dword ptr [ebp - 0x54]
            //   85f6                 | test                esi, esi
            //   7441                 | je                  0x43
            //   f00fc17e08           | lock xadd           dword ptr [esi + 8], edi
            //   4f                   | dec                 edi
            //   7539                 | jne                 0x3b

        // NOTE(review): this sequence hard-codes an absolute data address
        // (0x5c0b08 in the xor below), so it presumably only matches the
        // sampled build at its original image base; a rebuilt or rebased
        // binary would miss it, which the "7 of them" condition tolerates.
        $sequence_9 = { 33c8 8b44241c 330c95080b5c00 33c1 8b5738 8944241c 33d6 }
            // n = 7, score = 100
            //   33c8                 | xor                 ecx, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   330c95080b5c00       | xor                 ecx, dword ptr [edx*4 + 0x5c0b08]
            //   33c1                 | xor                 eax, ecx
            //   8b5738               | mov                 edx, dword ptr [edi + 0x38]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   33d6                 | xor                 edx, esi

    // 7 of the 10 sequences must be present, so up to 3 may fail (e.g. the
    // address-bound $sequence_9) without losing the match. The size bound is
    // 4 MiB + 10 KiB (4194304 + 10240 bytes); larger objects are never
    // matched even if every sequence is present.
    condition:
        7 of them and filesize < 4204544
}