SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nefilim (Back to overview)

Nefilim

aka: Nephilim
VTCollection    

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.

References
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-07-14Intel 471Intel 471
How cybercriminals create turbulence for the transportation industry
Mount Locker Nefilim
2021-06-28Trend MicroTrend Micro
Nefilim Ransomware Attack Through a MITRE Att&ck Lens
Nefilim
2021-06-08Trend MicroDavid Sancho, Feike Hacquebord, Fernando Mercês, Ian Kenefick, Mayra Fuentes, Robert McArdle, Stephen Hilt, Vladimir Kropotov
Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them
Nefilim
2021-05-25KasperskyFedor Sinitsyn, Yanis Zinchenko
Evolution of JSWorm ransomware
Nefilim Nemty
2021-05-12QualysBajrang Mane
Nefilim Ransomware
Nefilim
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-25Vulnerability.ch BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25IntezerIntezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-23Trend MicroByron Gelera, Janus Agcaoili
An Analysis of the Nefilim Ransomware
Nefilim
2021-01-26SophosLabs UncutBill Kearney, David Anderson, Michael Heller, Peter Mackenzie, Sergio Bestulic
Nefilim Ransomware Attack Uses “Ghost” Credentials
Nefilim
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD MANSARD
Nefilim Nemty GOLD MANSARD
2020-12-28Bleeping ComputerLawrence Abrams
Home appliance giant Whirlpool hit in Nefilim ransomware attack
Nefilim
2020-12-16AccenturePaul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-03PICUS SecuritySüleyman Özarslan
How to Beat Nefilim Ransomware Attacks
Nefilim
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-15MandiantCorey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-16New Zealand CERTNew Zealand CERT
Active ransomware campaign leveraging remote access technologies
Nefilim
2020-05-04SentinelOneJim Walter
Meet NEMTY Successor, Nefilim/Nephilim Ransomware
Nefilim Nemty
2020-03-24Bleeping ComputerLawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-23Trend MicroTrend Micro
Nefilim Ransomware Threatens to Expose Stolen Data
Nefilim
2020-03-17Bleeping ComputerLawrence Abrams
New Nefilim Ransomware Threatens to Release Victims' Data
Nefilim
2020-03-14ID RansomwareAndrew Ivanov
Nefilim Ransomware
Nefilim
2020-01-01BlackberryBlackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
Yara Rules
[TLP:WHITE] win_nefilim_auto (20230808 | Detects win.nefilim.)
rule win_nefilim_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.nefilim."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { be00010000 56 e8???????? 56 8944244c }
            // n = 5, score = 200
            //   be00010000           | mov                 esi, 0x100
            //   56                   | push                esi
            //   e8????????           |                     
            //   56                   | push                esi
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax

        $sequence_1 = { 8945e4 3d00010000 7d10 8a8c181d010000 8888c0e64000 40 }
            // n = 6, score = 200
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d00010000           | cmp                 eax, 0x100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   8888c0e64000         | mov                 byte ptr [eax + 0x40e6c0], cl
            //   40                   | inc                 eax

        $sequence_2 = { c1f802 6bc003 50 6a00 ff15???????? 50 }
            // n = 6, score = 200
            //   c1f802               | sar                 eax, 2
            //   6bc003               | imul                eax, eax, 3
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_3 = { 85c0 7506 ff15???????? 8d45d4 50 57 ffd3 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   ff15????????         |                     
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd3                 | call                ebx

        $sequence_4 = { 397c2428 7304 8d442414 68???????? 50 ffd6 85c0 }
            // n = 7, score = 200
            //   397c2428             | cmp                 dword ptr [esp + 0x28], edi
            //   7304                 | jae                 6
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax

        $sequence_5 = { 50 ffd6 85c0 0f84cf020000 f68424a000000010 8d8424cc000000 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f84cf020000         | je                  0x2d5
            //   f68424a000000010     | test                byte ptr [esp + 0xa0], 0x10
            //   8d8424cc000000       | lea                 eax, [esp + 0xcc]

        $sequence_6 = { 7421 68???????? 8d442444 e8???????? }
            // n = 4, score = 200
            //   7421                 | je                  0x23
            //   68????????           |                     
            //   8d442444             | lea                 eax, [esp + 0x44]
            //   e8????????           |                     

        $sequence_7 = { 8b3d???????? 8b1d???????? 33c9 8945e4 894de8 8b45e4 d3e8 }
            // n = 7, score = 200
            //   8b3d????????         |                     
            //   8b1d????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   d3e8                 | shr                 eax, cl

        $sequence_8 = { 8944244c e8???????? ff74244c 8b542440 89442454 e8???????? }
            // n = 6, score = 200
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax
            //   e8????????           |                     
            //   ff74244c             | push                dword ptr [esp + 0x4c]
            //   8b542440             | mov                 edx, dword ptr [esp + 0x40]
            //   89442454             | mov                 dword ptr [esp + 0x54], eax
            //   e8????????           |                     

        $sequence_9 = { c745eceb7f4000 894df8 8945fc 64a100000000 8945e8 }
            // n = 5, score = 200
            //   c745eceb7f4000       | mov                 dword ptr [ebp - 0x14], 0x407feb
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

    condition:
        7 of them and filesize < 142336
}
Download all Yara Rules