SYMBOLCOMMON_NAMEaka. SYNONYMS
win.purelocker (Back to overview)

PureLocker

ransomware

References
2019-11-21Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20191121:purelocker:4205fe2, author = {Albert Zsigovits}, title = {{PureLocker ransomware}}, date = {2019-11-21}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md}, language = {English}, urldate = {2020-01-13} } PureLocker ransomware
PureLocker
2019-11-18IBMMegan Roddie
@online{roddie:20191118:new:0489a1e, author = {Megan Roddie}, title = {{New Ransomware Available for Targeted Attacks}}, date = {2019-11-18}, organization = {IBM}, url = {https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e}, language = {English}, urldate = {2019-11-26} } New Ransomware Available for Targeted Attacks
PureLocker
2019-11-12IntezerMichael Kajiloti
@online{kajiloti:20191112:purelocker:9d8244d, author = {Michael Kajiloti}, title = {{PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers}}, date = {2019-11-12}, organization = {Intezer}, url = {https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/}, language = {English}, urldate = {2020-01-13} } PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
PureLocker
Yara Rules
[TLP:WHITE] win_purelocker_auto (20220808 | Detects win.purelocker.)
rule win_purelocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.purelocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 75e6 8b442438 85c0 0f8e94000000 8b06 8d4c2410 89442420 }
            // n = 7, score = 100
            //   75e6                 | jne                 0xffffffe8
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   85c0                 | test                eax, eax
            //   0f8e94000000         | jle                 0x9a
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax

        $sequence_1 = { 6802000000 8b5c241c 01db 4b 53 ff742418 }
            // n = 6, score = 100
            //   6802000000           | push                2
            //   8b5c241c             | mov                 ebx, dword ptr [esp + 0x1c]
            //   01db                 | add                 ebx, ebx
            //   4b                   | dec                 ebx
            //   53                   | push                ebx
            //   ff742418             | push                dword ptr [esp + 0x18]

        $sequence_2 = { c7042400000000 eb00 8b5c2414 4b 3b1c24 7c7b 8b542404 }
            // n = 7, score = 100
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   eb00                 | jmp                 2
            //   8b5c2414             | mov                 ebx, dword ptr [esp + 0x14]
            //   4b                   | dec                 ebx
            //   3b1c24               | cmp                 ebx, dword ptr [esp]
            //   7c7b                 | jl                  0x7d
            //   8b542404             | mov                 edx, dword ptr [esp + 4]

        $sequence_3 = { 81e1ff000000 333c8520300110 8bc6 8b0c8d20280110 c1e808 25ff000000 337d14 }
            // n = 7, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   333c8520300110       | xor                 edi, dword ptr [eax*4 + 0x10013020]
            //   8bc6                 | mov                 eax, esi
            //   8b0c8d20280110       | mov                 ecx, dword ptr [ecx*4 + 0x10012820]
            //   c1e808               | shr                 eax, 8
            //   25ff000000           | and                 eax, 0xff
            //   337d14               | xor                 edi, dword ptr [ebp + 0x14]

        $sequence_4 = { 31c0 ff742414 e8???????? 83c420 5b }
            // n = 5, score = 100
            //   31c0                 | xor                 eax, eax
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   5b                   | pop                 ebx

        $sequence_5 = { 035d3c 895c2404 8b5c2460 8b6c2404 035d78 895c2424 }
            // n = 6, score = 100
            //   035d3c               | add                 ebx, dword ptr [ebp + 0x3c]
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   8b5c2460             | mov                 ebx, dword ptr [esp + 0x60]
            //   8b6c2404             | mov                 ebp, dword ptr [esp + 4]
            //   035d78               | add                 ebx, dword ptr [ebp + 0x78]
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx

        $sequence_6 = { 33c1 89471c bf???????? 8da42400000000 8b4e18 8d7610 8bc1 }
            // n = 7, score = 100
            //   33c1                 | xor                 eax, ecx
            //   89471c               | mov                 dword ptr [edi + 0x1c], eax
            //   bf????????           |                     
            //   8da42400000000       | lea                 esp, [esp]
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   8d7610               | lea                 esi, [esi + 0x10]
            //   8bc1                 | mov                 eax, ecx

        $sequence_7 = { 8d6c240c c7450c40000000 c7450018000000 8d442424 50 58 894508 }
            // n = 7, score = 100
            //   8d6c240c             | lea                 ebp, [esp + 0xc]
            //   c7450c40000000       | mov                 dword ptr [ebp + 0xc], 0x40
            //   c7450018000000       | mov                 dword ptr [ebp], 0x18
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   50                   | push                eax
            //   58                   | pop                 eax
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_8 = { 894508 6860000000 6800000000 8d442454 50 8d44242c 50 }
            // n = 7, score = 100
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   6860000000           | push                0x60
            //   6800000000           | push                0
            //   8d442454             | lea                 eax, [esp + 0x54]
            //   50                   | push                eax
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   50                   | push                eax

        $sequence_9 = { 50 e8???????? 58 8b54240c 52 e8???????? 8d158e410110 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8d158e410110         | lea                 edx, [0x1001418e]

    condition:
        7 of them and filesize < 193536
}
Download all Yara Rules