win.rook

Rook


Ransomware.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {{Counter Threat Unit Research Team}}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-06-27} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora Rook
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {{Microsoft Threat Intelligence Center} and {Microsoft 365 Defender Threat Intelligence Team}}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-03-17 | Seguranca Informatica | Pedro Tavares
@online{tavares:20220317:rook:cae4010, author = {Pedro Tavares}, title = {{Rook ransomware analysis}}, date = {2022-03-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/rook-ransomware-analysis/}, language = {English}, urldate = {2022-03-22} } Rook ransomware analysis
Rook
2022-01-12 | Github (Dump-GUY) | Jiří Vinopal
@online{vinopal:20220112:nightsky:a44e6b6, author = {Jiří Vinopal}, title = {{NightSky Ransomware – just a Rook RW fork in VMProtect suit}}, date = {2022-01-12}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md}, language = {English}, urldate = {2022-01-12} } NightSky Ransomware – just a Rook RW fork in VMProtect suit
Rook
2022-01-06 | Chuongdong blog | Chuong Dong
@online{dong:20220106:rook:0b69fa6, author = {Chuong Dong}, title = {{Rook Ransomware Analysis}}, date = {2022-01-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/}, language = {English}, urldate = {2022-01-12} } Rook Ransomware Analysis
Rook
2021-12-23 | SentinelOne | Jim Walter
@online{walter:20211223:new:1768cb6, author = {Jim Walter}, title = {{New Rook Ransomware Feeds Off the Code of Babuk}}, date = {2021-12-23}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/}, language = {English}, urldate = {2021-12-31} } New Rook Ransomware Feeds Off the Code of Babuk
Rook
Yara Rules
[TLP:WHITE] win_rook_auto (20220516 | Detects win.rook.)
/*
 * Autogenerated YARA-Signator rule for the Rook ransomware family (win.rook).
 *
 * Matching logic (see `condition:`): the scanned object must be smaller than
 * 843776 bytes (824 KiB) AND at least 7 of the 10 opcode sequences below must
 * be present. The `??` wildcards mask the 4-byte operands of the call
 * instructions (e8 rel32 and ff 15 [rip+disp32]), which differ between builds.
 *
 * Because the sequences were taken from memory dumps and unpacked files (see
 * DISCLAIMER below), the rule is aimed at unpacked code; a packed sample on
 * disk may not match until it is unpacked or dumped.
 *
 * NOTE(review): the instruction annotations beside each byte sequence were
 * re-derived from the opcode bytes (x86-64). The annotations printed by the
 * generator did not correspond to the bytes they stood next to.
 */
rule win_rook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.rook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instructions; "n" is the
        // instruction count and "score" the generator's ranking of the sequence.
        $sequence_0 = { 0f858d000000 4883f916 0f8c87000000 41b816000000 488d1582470300 488bcb e8???????? }
            // n = 7, score = 100
            //   0f858d000000         | jne                 +0x8d
            //   4883f916             | cmp                 rcx, 0x16
            //   0f8c87000000         | jl                  +0x87
            //   41b816000000         | mov                 r8d, 0x16
            //   488d1582470300       | lea                 rdx, [rip + 0x34782]
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                rel32 (masked)

        $sequence_1 = { 488bd7 488b4cddf0 ff15???????? 41b800800000 488bd7 498bce ff15???????? }
            // n = 7, score = 100
            //   488bd7               | mov                 rdx, rdi
            //   488b4cddf0           | mov                 rcx, qword ptr [rbp + rbx*8 - 0x10]
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   41b800800000         | mov                 r8d, 0x8000
            //   488bd7               | mov                 rdx, rdi
            //   498bce               | mov                 rcx, r14
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)

        $sequence_2 = { 488d15aba50400 488bce ff15???????? 488d54246c 488bce ff15???????? 488bce }
            // n = 7, score = 100
            //   488d15aba50400       | lea                 rdx, [rip + 0x4a5ab]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   488d54246c           | lea                 rdx, [rsp + 0x6c]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   488bce               | mov                 rcx, rsi

        $sequence_3 = { 33c9 488be8 48898424d8000000 ff15???????? }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   488be8               | mov                 rbp, rax
            //   48898424d8000000     | mov                 qword ptr [rsp + 0xd8], rax
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)

        $sequence_4 = { 4533c0 418d5001 ff15???????? 488d542440 488bce ff15???????? 85c0 }
            // n = 7, score = 100
            //   4533c0               | xor                 r8d, r8d
            //   418d5001             | lea                 edx, [r8 + 1]
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   488d542440           | lea                 rdx, [rsp + 0x40]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)
            //   85c0                 | test                eax, eax

        $sequence_5 = { 420fb6843070940500 33c8 41330f 4983c704 894dd8 4c897df0 }
            // n = 6, score = 100
            //   420fb6843070940500     | movzx    eax, byte ptr [rax + r14 + 0x59470]
            //   33c8                 | xor                 ecx, eax
            //   41330f               | xor                 ecx, dword ptr [r15]
            //   4983c704             | add                 r15, 4
            //   894dd8               | mov                 dword ptr [rbp - 0x28], ecx
            //   4c897df0             | mov                 qword ptr [rbp - 0x10], r15

        $sequence_6 = { 488945c7 488d05cbae0000 488945cf 488945d7 488d05ccae0000 488945ff }
            // n = 6, score = 100
            //   488945c7             | mov                 qword ptr [rbp - 0x39], rax
            //   488d05cbae0000       | lea                 rax, [rip + 0xaecb]
            //   488945cf             | mov                 qword ptr [rbp - 0x31], rax
            //   488945d7             | mov                 qword ptr [rbp - 0x29], rax
            //   488d05ccae0000       | lea                 rax, [rip + 0xaecc]
            //   488945ff             | mov                 qword ptr [rbp - 1], rax

        $sequence_7 = { 450bcc 488d054d670200 4423cf 031488 }
            // n = 4, score = 100
            //   450bcc               | or                  r9d, r12d
            //   488d054d670200       | lea                 rax, [rip + 0x2674d]
            //   4423cf               | and                 r9d, edi
            //   031488               | add                 edx, dword ptr [rax + rcx*4]

        $sequence_8 = { 7403 33c0 c3 488d0562160400 c3 488d05fa150400 c3 }
            // n = 7, score = 100
            //   7403                 | je                  +3
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret
            //   488d0562160400       | lea                 rax, [rip + 0x41662]
            //   c3                   | ret
            //   488d05fa150400       | lea                 rax, [rip + 0x415fa]
            //   c3                   | ret

        $sequence_9 = { 440f47e8 44896c2448 418d45ff 0fb68c82e2220400 0fb6b482e3220400 8bd9 8bf8 }
            // n = 7, score = 100
            //   440f47e8             | cmova               r13d, eax
            //   44896c2448           | mov                 dword ptr [rsp + 0x48], r13d
            //   418d45ff             | lea                 eax, [r13 - 1]
            //   0fb68c82e2220400     | movzx               ecx, byte ptr [rdx + rax*4 + 0x422e2]
            //   0fb6b482e3220400     | movzx               esi, byte ptr [rdx + rax*4 + 0x422e3]
            //   8bd9                 | mov                 ebx, ecx
            //   8bf8                 | mov                 edi, eax

    condition:
        // At least 7 of the 10 sequences above, in a file smaller than 843776 bytes (824 KiB).
        7 of them and filesize < 843776
}