SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nagini (Back to overview)

Nagini


There is no description at this point.

References
2016-09-27Best Security ResearchAlex Dimchev
@online{dimchev:20160927:new:3bba3cd, author = {Alex Dimchev}, title = {{New Voldemort/Nagini Ransomware Virus Infection}}, date = {2016-09-27}, organization = {Best Security Research}, url = {http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/}, language = {English}, urldate = {2019-11-28} } New Voldemort/Nagini Ransomware Virus Infection
Nagini
Yara Rules
[TLP:WHITE] win_nagini_auto (20230715 | Detects win.nagini.)
rule win_nagini_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nagini."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 8bf8 83ff09 7d3e 6a00 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ff09               | cmp                 edi, 9
            //   7d3e                 | jge                 0x40
            //   6a00                 | push                0

        $sequence_1 = { 48 7412 e8???????? c70016000000 e8???????? ebb4 c745e40c9a4200 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   7412                 | je                  0x14
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   ebb4                 | jmp                 0xffffffb6
            //   c745e40c9a4200       | mov                 dword ptr [ebp - 0x1c], 0x429a0c

        $sequence_2 = { e9???????? 8d442428 50 53 ff15???????? 6a65 ff35???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   6a65                 | push                0x65
            //   ff35????????         |                     

        $sequence_3 = { 0904050904050c 0405 0c04 050c04050d }
            // n = 4, score = 100
            //   0904050904050c       | or                  dword ptr [eax + 0xc050409], eax
            //   0405                 | add                 al, 5
            //   0c04                 | or                  al, 4
            //   050c04050d           | add                 eax, 0xd05040c

        $sequence_4 = { 8935???????? 8b5004 a1???????? 8982cc8a4200 a1???????? 8b4004 834c301402 }
            // n = 7, score = 100
            //   8935????????         |                     
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   a1????????           |                     
            //   8982cc8a4200         | mov                 dword ptr [edx + 0x428acc], eax
            //   a1????????           |                     
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   834c301402           | or                  dword ptr [eax + esi + 0x14], 2

        $sequence_5 = { 2c63 40 005863 40 007c6340 0023 d18a0688078a }
            // n = 7, score = 100
            //   2c63                 | sub                 al, 0x63
            //   40                   | inc                 eax
            //   005863               | add                 byte ptr [eax + 0x63], bl
            //   40                   | inc                 eax
            //   007c6340             | add                 byte ptr [ebx + 0x40], bh
            //   0023                 | add                 byte ptr [ebx], ah
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1

        $sequence_6 = { 07 0505070505 0806 06 07 }
            // n = 5, score = 100
            //   07                   | pop                 es
            //   0505070505           | add                 eax, 0x5050705
            //   0806                 | or                  byte ptr [esi], al
            //   06                   | push                es
            //   07                   | pop                 es

        $sequence_7 = { 83c602 eb33 58 668906 83c602 8b0c95c0914200 8a45f8 }
            // n = 7, score = 100
            //   83c602               | add                 esi, 2
            //   eb33                 | jmp                 0x35
            //   58                   | pop                 eax
            //   668906               | mov                 word ptr [esi], ax
            //   83c602               | add                 esi, 2
            //   8b0c95c0914200       | mov                 ecx, dword ptr [edx*4 + 0x4291c0]
            //   8a45f8               | mov                 al, byte ptr [ebp - 8]

        $sequence_8 = { ff75e4 8b0485c0914200 ff3418 ff15???????? 85c0 7518 ff15???????? }
            // n = 7, score = 100
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   8b0485c0914200       | mov                 eax, dword ptr [eax*4 + 0x4291c0]
            //   ff3418               | push                dword ptr [eax + ebx]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7518                 | jne                 0x1a
            //   ff15????????         |                     

        $sequence_9 = { ff15???????? 68007f0000 6a00 8945cc c745d001000000 c745d400000000 c745d8c4384200 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   68007f0000           | push                0x7f00
            //   6a00                 | push                0
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   c745d001000000       | mov                 dword ptr [ebp - 0x30], 1
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0
            //   c745d8c4384200       | mov                 dword ptr [ebp - 0x28], 0x4238c4

    condition:
        7 of them and filesize < 12820480
}
Download all Yara Rules