win.padcrypt (Back to overview)

PadCrypt


There is no description at this point.

References
2016-03-06 ⋅ Johannes Bader
@online{bader:20160306:dga:fe673b7, author = {Johannes Bader}, title = {{The DGA of PadCrypt}}, date = {2016-03-06}, url = {https://johannesbader.ch/2016/03/the-dga-of-padcrypt/}, language = {English}, urldate = {2019-12-06} } The DGA of PadCrypt
PadCrypt
2016-02-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20160214:padcrypt:626523d, author = {Lawrence Abrams}, title = {{PadCrypt: The first ransomware with Live Support Chat and an Uninstaller}}, date = {2016-02-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/}, language = {English}, urldate = {2019-12-20} } PadCrypt: The first ransomware with Live Support Chat and an Uninstaller
PadCrypt
Yara Rules
[TLP:WHITE] win_padcrypt_auto (20190204 | autogenerated rule brought to you by yara-signator)
// Autogenerated Malpedia detection rule for the PadCrypt ransomware family
// (win.padcrypt). Every $sequence_N string is a short run of raw x86 opcode
// bytes lifted from a disassembled sample; the indented comments under each
// string show how yara-signator decoded those bytes. In the "n = X, score = Y"
// lines, n is the number of instructions in the sequence (it matches the
// number of decoded lines that follow); the meaning of score is not documented
// on this page.
rule win_padcrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt"
        // Corpus snapshot the byte sequences were extracted from; this is a
        // different value from the rule's own authoring date above.
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): the eight sequences are not all independent. $sequence_6
        // begins with the last three instructions of $sequence_0, $sequence_5
        // ends with the first two instructions of $sequence_2, and $sequence_7
        // begins with the last three instructions of $sequence_4. One code
        // location can therefore satisfy two strings at once, so the rule rests
        // on fewer distinct signals than the string count suggests.
        $sequence_0 = { 3bde d427 e318 02dc 0828 }
            // n = 5, score = 300
            //   3bde                 | cmp                 ebx, esi
            //   d427                 | aam                 0x27
            //   e318                 | jecxz               0x1a
            //   02dc                 | add                 bl, ah
            //   0828                 | or                  byte ptr [eax], ch
            // NOTE(review): "aam 0x27" followed by an unconditional-looking
            // byte soup is unusual for compiler-generated code; these bytes may
            // come from data or an encoded region rather than executed logic.
            // Treat as a weaker signal — TODO confirm against the sample.

        $sequence_1 = { 801eb1 0997f06452d6 5e 4d 3465 f7b4765cd8185c }
            // n = 6, score = 300
            //   801eb1               | sbb                 byte ptr [esi], 0xb1
            //   0997f06452d6         | or                  dword ptr [edi - 0x29ad9b10], edx
            //   5e                   | pop                 esi
            //   4d                   | dec                 ebp
            //   3465                 | xor                 al, 0x65
            //   f7b4765cd8185c       | div                 dword ptr [esi + esi*2 + 0x5c18d85c]
            // Longest sequence in the rule (20 bytes); the two large immediate
            // displacements make it the most sample-specific string here.

        $sequence_2 = { 67027702 7ff0 57 27 24b0 }
            // n = 5, score = 300
            //   67027702             | add                 dh, byte ptr [bx + 2]
            //   7ff0                 | jg                  0xfffffff2
            //   57                   | push                edi
            //   27                   | daa                 
            //   24b0                 | and                 al, 0xb0
            // NOTE(review): a 16-bit address-size override ([bx + 2]) and "daa"
            // are atypical in 32-bit compiled code; possibly data bytes — TODO
            // confirm. Its first two instructions also close $sequence_5.

        $sequence_3 = { 725e 93 42 019772009532 }
            // n = 4, score = 300
            //   725e                 | jb                  0x60
            //   93                   | xchg                eax, ebx
            //   42                   | inc                 edx
            //   019772009532         | add                 dword ptr [edi + 0x32950072], edx

        $sequence_4 = { 90 41 1b8991d77252 1a992dc51053 2ea873 57 7191 }
            // n = 7, score = 300
            //   90                   | nop                 
            //   41                   | inc                 ecx
            //   1b8991d77252         | sbb                 ecx, dword ptr [ecx + 0x5272d791]
            //   1a992dc51053         | sbb                 bl, byte ptr [ecx + 0x5310c52d]
            //   2ea873               | test                al, 0x73
            //   57                   | push                edi
            //   7191                 | jno                 0xffffff93
            // Its last three instructions are the start of $sequence_7, so a
            // hit on this string normally implies a hit on that one as well.

        $sequence_5 = { 356ed8443b ec 67027702 7ff0 }
            // n = 4, score = 300
            //   356ed8443b           | xor                 eax, 0x3b44d86e
            //   ec                   | in                  al, dx
            //   67027702             | add                 dh, byte ptr [bx + 2]
            //   7ff0                 | jg                  0xfffffff2
            // NOTE(review): "in al, dx" is a privileged port I/O instruction
            // that user-mode ransomware would not execute; together with the
            // overlap into $sequence_2 this points to non-code bytes — TODO
            // confirm against the sample.

        $sequence_6 = { e318 02dc 0828 2480 8ee3 6401e4 }
            // n = 6, score = 300
            //   e318                 | jecxz               0x1a
            //   02dc                 | add                 bl, ah
            //   0828                 | or                  byte ptr [eax], ch
            //   2480                 | and                 al, 0x80
            //   8ee3                 | mov                 fs, ebx
            //   6401e4               | add                 esp, esp
            // NOTE(review): "mov fs, ebx" and "add esp, esp" are not plausible
            // compiler output; overlaps with the tail of $sequence_0.

        $sequence_7 = { 2ea873 57 7191 3ed85122 }
            // n = 4, score = 300
            //   2ea873               | test                al, 0x73
            //   57                   | push                edi
            //   7191                 | jno                 0xffffff93
            //   3ed85122             | fcom                dword ptr ds:[ecx + 0x22]
            // Shortest sequence (10 bytes); its first three instructions are
            // the tail of $sequence_4.

    condition:
        // Any single string match fires the rule. There is no PE-header,
        // file-size or multi-string requirement, so one hit on a 10-20 byte
        // opcode run is sufficient; when triaging hits, record which
        // $sequence_N matched and weigh the review notes above accordingly.
        1 of them
}