win.rook

Rook


Ransomware. The references below describe Rook as reusing Babuk ransomware code (SentinelOne, 2021-12), identify NightSky as a VMProtect-packed Rook fork (Vinopal, 2022-01), and associate Rook with the BRONZE STARLIGHT intrusion set and its HUI Loader tooling alongside other short-lived ransomware families (Secureworks, 2022-06).

References
2022-06-23 — Secureworks — Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {{Counter Threat Unit Research Team}}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 — Microsoft Security — Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {{Microsoft Threat Intelligence Center} and {Microsoft 365 Defender Threat Intelligence Team}}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) (the same blog post as the preceding entry, indexed a second time under a different key and URL form)
@online{team:20220509:ransomwareasaservice:13ec472, author = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17 — Seguranca Informatica — Pedro Tavares
@online{tavares:20220317:rook:cae4010, author = {Pedro Tavares}, title = {{Rook ransomware analysis}}, date = {2022-03-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/rook-ransomware-analysis/}, language = {English}, urldate = {2022-03-22} } Rook ransomware analysis
Rook
2022-03-15 — Cyble — Cyble
@online{cyble:20220315:deep:6e5c8b7, author = {{Cyble}}, title = {{Deep Dive Analysis - Pandora Ransomware}}, date = {2022-03-15}, organization = {Cyble}, url = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/}, language = {English}, urldate = {2022-09-19} } Deep Dive Analysis - Pandora Ransomware
Pandora Rook
2022-01-12 — Github (Dump-GUY) — Jiří Vinopal
@online{vinopal:20220112:nightsky:a44e6b6, author = {Jiří Vinopal}, title = {{NightSky Ransomware – just a Rook RW fork in VMProtect suit}}, date = {2022-01-12}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md}, language = {English}, urldate = {2022-01-12} } NightSky Ransomware – just a Rook RW fork in VMProtect suit
Rook
2022-01-06 — Chuongdong blog — Chuong Dong
@online{dong:20220106:rook:0b69fa6, author = {Chuong Dong}, title = {{Rook Ransomware Analysis}}, date = {2022-01-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/}, language = {English}, urldate = {2022-01-12} } Rook Ransomware Analysis
Rook
2021-12-23 — SentinelOne — Jim Walter
@online{walter:20211223:new:1768cb6, author = {Jim Walter}, title = {{New Rook Ransomware Feeds Off the Code of Babuk}}, date = {2021-12-23}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/}, language = {English}, urldate = {2021-12-31} } New Rook Ransomware Feeds Off the Code of Babuk
Rook
Yara Rules
[TLP:WHITE] win_rook_auto (20230125 | Detects win.rook.) — TLP:WHITE is the TLP 1.0 label; under TLP 2.0 the equivalent marking is TLP:CLEAR.
rule win_rook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.rook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * REVIEW NOTES (comments only; the rule text itself is unchanged):
     * - Every sequence below carries REX prefixes (0x41-0x4d), so the bytes are
     *   x86-64 code. The per-instruction annotations that ship with the
     *   generated rule were a 32-bit decode and did not line up with the bytes;
     *   they have been replaced with a 64-bit decode of each listed opcode.
     * - "??" bytes mask rel32 / RIP-relative displacements of calls and data
     *   references (e8 ????????, ff15 ????????, 488b1d ????????, ...), so the
     *   sequences survive relinking of call targets but not wholesale
     *   recompilation.
     * - $sequence_1 resembles the MSVC CRT file-handle lookup pattern
     *   (fh & 0x3f, fh >> 6, table indexed by 8-byte entries, byte at +0x38).
     *   If that reading is right, it is statically linked runtime code and
     *   would hit any binary built with the same CRT; it should not be treated
     *   as family-specific on its own. The "7 of them" condition keeps one
     *   weak sequence from mattering much.
     * - $sequence_3/4/6/7 are byte-indexed 32-bit table lookups combined with
     *   xor/rotate, consistent with a software cipher or hash round. The
     *   particular algorithm cannot be determined from these fragments alone.
     * - The RIP-relative displacements and large absolute table offsets
     *   (0x48cf0 .. 0x5b2a0) are layout-specific; a re-linked or recompiled
     *   build is likely to change them and drop a sequence.
     */


    strings:
        $sequence_0 = { 48b90000000000000080 488987c8000000 488d059f9d0200 48894718 488d05649c0200 c7470801000000 48c7471004000000 }
            // n = 7, score = 100
            //   48b90000000000000080     | mov    rcx, 0x8000000000000000
            //   488987c8000000       | mov                 qword ptr [rdi + 0xc8], rax
            //   488d059f9d0200       | lea                 rax, [rip + 0x29d9f]
            //   48894718             | mov                 qword ptr [rdi + 0x18], rax
            //   488d05649c0200       | lea                 rax, [rip + 0x29c64]
            //   c7470801000000       | mov                 dword ptr [rdi + 8], 1
            //   48c7471004000000     | mov                 qword ptr [rdi + 0x10], 4
            // Looks like initialisation of a structure pointed to by rdi
            // (pointers to two data-section objects plus small constants).

        $sequence_1 = { 488d15e0ca0100 488bc1 83e13f 48c1f806 48c1e106 488b04c2 0fb6440838 }
            // n = 7, score = 100
            //   488d15e0ca0100       | lea                 rdx, [rip + 0x1cae0]
            //   488bc1               | mov                 rax, rcx
            //   83e13f               | and                 ecx, 0x3f
            //   48c1f806             | sar                 rax, 6
            //   48c1e106             | shl                 rcx, 6
            //   488b04c2             | mov                 rax, qword ptr [rdx + rax*8]
            //   0fb6440838           | movzx               eax, byte ptr [rax + rcx + 0x38]
            // NOTE(review): this matches the shape of the CRT's per-handle
            // info lookup (index split into block >> 6 and slot & 0x3f) — likely
            // generic runtime code rather than Rook-specific logic; confirm
            // before weighting it.

        $sequence_2 = { 488bd3 e8???????? 4883c320 4983ee01 }
            // n = 4, score = 100
            //   488bd3               | mov                 rdx, rbx
            //   e8????????           | call                <rel32 masked>
            //   4883c320             | add                 rbx, 0x20
            //   4983ee01             | sub                 r14, 1
            // Loop over 0x20-byte records: call with rdx = record, advance
            // rbx, decrement the r14 counter.

        $sequence_3 = { 4533948da0a60500 453317 4983c704 4c897df0 44895548 8bce }
            // n = 6, score = 100
            //   4533948da0a60500     | xor                 r10d, dword ptr [r13 + rcx*4 + 0x5a6a0]
            //   453317               | xor                 r10d, dword ptr [r15]
            //   4983c704             | add                 r15, 4
            //   4c897df0             | mov                 qword ptr [rbp - 0x10], r15
            //   44895548             | mov                 dword ptr [rbp + 0x48], r10d
            //   8bce                 | mov                 ecx, esi
            // 32-bit table lookup xor'ed with the next input dword (r15 walks
            // the input 4 bytes at a time).

        $sequence_4 = { 47338496f08c0400 448b53f8 4533d8 4533d3 418bcb c1c904 }
            // n = 6, score = 100
            //   47338496f08c0400     | xor                 r8d, dword ptr [r14 + r10*4 + 0x48cf0]
            //   448b53f8             | mov                 r10d, dword ptr [rbx - 8]
            //   4533d8               | xor                 r11d, r8d
            //   4533d3               | xor                 r10d, r11d
            //   418bcb               | mov                 ecx, r11d
            //   c1c904               | ror                 ecx, 4

        $sequence_5 = { 488b8da0260000 ff15???????? 4c8b85a0260000 33ff }
            // n = 4, score = 100
            //   488b8da0260000       | mov                 rcx, qword ptr [rbp + 0x26a0]
            //   ff15????????         | call                qword ptr [rip + <masked>]   (import call)
            //   4c8b85a0260000       | mov                 r8, qword ptr [rbp + 0x26a0]
            //   33ff                 | xor                 edi, edi
            // The same stack slot is passed as the first argument (rcx) to an
            // imported API and then reused as the third argument (r8) of the
            // next call; the API itself is masked.

        $sequence_6 = { c1c008 4389848c70950500 49ffc1 4983eb01 0f859dfeffff }
            // n = 5, score = 100
            //   c1c008               | rol                 eax, 8
            //   4389848c70950500     | mov                 dword ptr [r12 + r9*4 + 0x59570], eax
            //   49ffc1               | inc                 r9
            //   4983eb01             | sub                 r11, 1
            //   0f859dfeffff         | jne                 <rel32 -0x163>
            // Tail of a loop writing rotated 32-bit words into a table
            // (r9 = index, r11 = remaining count).

        $sequence_7 = { 418bbc96a0b20500 0fb6c8 458bd8 418bda 418bc4 4133bc8ea0a20500 48c1e818 }
            // n = 7, score = 100
            //   418bbc96a0b20500     | mov                 edi, dword ptr [r14 + rdx*4 + 0x5b2a0]
            //   0fb6c8               | movzx               ecx, al
            //   458bd8               | mov                 r11d, r8d
            //   418bda               | mov                 ebx, r10d
            //   418bc4               | mov                 eax, r12d
            //   4133bc8ea0a20500     | xor                 edi, dword ptr [r14 + rcx*4 + 0x5a2a0]
            //   48c1e818             | shr                 rax, 0x18
            // Two byte-indexed 32-bit table lookups (tables 0x1000 apart)
            // xor'ed together; the low byte and the top byte of a word select
            // the entries.

        $sequence_8 = { 488b1d???????? 8d4101 488b1ccb 99 f73d???????? 488d0d3d650500 8915???????? }
            // n = 7, score = 100
            //   488b1d????????       | mov                 rbx, qword ptr [rip + <masked>]
            //   8d4101               | lea                 eax, [rcx + 1]
            //   488b1ccb             | mov                 rbx, qword ptr [rbx + rcx*8]
            //   99                   | cdq
            //   f73d????????         | idiv                dword ptr [rip + <masked>]
            //   488d0d3d650500       | lea                 rcx, [rip + 0x5653d]
            //   8915????????         | mov                 dword ptr [rip + <masked>], edx
            // Fetches entry rcx from a global pointer array, then stores
            // (rcx + 1) mod <global> back to a global — a ring-buffer style
            // index advance.

        $sequence_9 = { 488d442460 4d2bc1 4889442430 488d15a5bb0400 488d0dbebb0400 4c89642420 e8???????? }
            // n = 7, score = 100
            //   488d442460           | lea                 rax, [rsp + 0x60]
            //   4d2bc1               | sub                 r8, r9
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax
            //   488d15a5bb0400       | lea                 rdx, [rip + 0x4bba5]
            //   488d0dbebb0400       | lea                 rcx, [rip + 0x4bbbe]
            //   4c89642420           | mov                 qword ptr [rsp + 0x20], r12
            //   e8????????           | call                <rel32 masked>
            // Win64 call setup: rcx/rdx point at two data-section objects,
            // r8 is a length (difference of two pointers), 5th/6th arguments
            // go on the stack at [rsp+0x20]/[rsp+0x30].

    // Match needs 7 of the 10 sequences, so up to three can be broken by
    // relinking/recompilation before the rule misses. The filesize bound
    // refers to the scanned object (unpacked PE or written-out dump); per
    // the YARA documentation `filesize` is undefined when scanning live
    // process memory, so this condition will not fire in that mode — scan
    // dumps on disk instead.
    condition:
        7 of them and filesize < 843776
}