win.rook

Rook


Ransomware.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
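@online{researchteam:20220623:bronze:8bccd74,
  author       = {{Counter Threat Unit Research Team}},
  title        = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}},
  date         = {2022-06-23},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
  language     = {English},
  urldate      = {2022-09-20},
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader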
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
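@online{center:20220509:ransomwareasaservice:3dac44d,
  author       = {{Microsoft Threat Intelligence Center} and {Microsoft 365 Defender Threat Intelligence Team}},
  title        = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
  date         = {2022-05-09},
  organization = {Microsoft Security},
  url          = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/},
  language     = {English},
  urldate      = {2022-06-02},
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself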
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
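@comment{Same work as center:20220509:ransomwareasaservice:3dac44d (identical title, date and URL apart from the trailing slash); the two keys differ only in author order. Consider keeping a single key.}
@online{team:20220509:ransomwareasaservice:13ec472,
  author       = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}},
  date         = {2022-05-09},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
  language     = {English},
  urldate      = {2022-05-17},
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself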
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17 | Seguranca Informatica | Pedro Tavares
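@online{tavares:20220317:rook:cae4010,
  author       = {Tavares, Pedro},
  title        = {{Rook ransomware analysis}},
  date         = {2022-03-17},
  organization = {Seguranca Informatica},
  url          = {https://seguranca-informatica.pt/rook-ransomware-analysis/},
  language     = {English},
  urldate      = {2022-03-22},
}
Rook ransomware analysis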
Rook
2022-03-15 | cyble | Cyble
@online{cyble:20220315:deep:6e5c8b7,
  author       = {Cyble},
  title        = {{Deep Dive Analysis - Pandora Ransomware}},
  date         = {2022-03-15},
  organization = {cyble},
  url          = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/},
  language     = {English},
  urldate      = {2022-09-19},
}
Deep Dive Analysis - Pandora Ransomware
Pandora Rook
2022-01-12 | Github (Dump-GUY) | Jiří Vinopal
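@online{vinopal:20220112:nightsky:a44e6b6,
  author       = {Vinopal, Jiří},
  title        = {{NightSky Ransomware – just a Rook RW fork in VMProtect suit}},
  date         = {2022-01-12},
  organization = {Github (Dump-GUY)},
  url          = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md},
  language     = {English},
  urldate      = {2022-01-12},
}
NightSky Ransomware – just a Rook RW fork in VMProtect suit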
Rook
2022-01-06 | Chuongdong blog | Chuong Dong
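@online{dong:20220106:rook:0b69fa6,
  author       = {Dong, Chuong},
  title        = {{Rook Ransomware Analysis}},
  date         = {2022-01-06},
  organization = {Chuongdong blog},
  url          = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/},
  language     = {English},
  urldate      = {2022-01-12},
}
Rook Ransomware Analysis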
Rook
2021-12-23 | SentinelOne | Jim Walter
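@online{walter:20211223:new:1768cb6,
  author       = {Walter, Jim},
  title        = {{New Rook Ransomware Feeds Off the Code of Babuk}},
  date         = {2021-12-23},
  organization = {SentinelOne},
  url          = {https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/},
  language     = {English},
  urldate      = {2021-12-31},
}
New Rook Ransomware Feeds Off the Code of Babuk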
Rook
Yara Rules
[TLP:WHITE] win_rook_auto (20221125 | Detects win.rook.)
rule win_rook_auto {
    // Auto-generated code-sequence signature for the Rook ransomware family
    // (Malpedia id win.rook), produced by yara-signator from the disassembly
    // of the reference samples. Ten opcode byte sequences are listed below;
    // the rule fires when at least 7 of them are found in a file under the
    // size cap given in the condition.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.rook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw x86-64 opcode bytes (note the
        // REX prefixes 41/44/45/48/4c). The "??" wildcards stand in for the
        // 4-byte operands of the e8/e9/ff15 call/jump encodings, whose values
        // depend on link and load layout, so the surrounding instruction
        // bytes still match across builds.
        // NOTE(review): the disassembly shown to the right of each byte
        // string does not line up with the bytes on that line (e.g. 33d2 is
        // "xor edx, edx" but is annotated as "inc esp" in $sequence_2 and
        // "dec eax" in $sequence_7); treat it as informational only. YARA
        // matches the hex bytes, not the comments.
        $sequence_0 = { 8975dc 4533948d70950500 410fb6cc 4533948da0a60500 453317 4983c704 }
            // n = 6, score = 100
            //   8975dc               | xor                 edx, edx
            //   4533948d70950500     | dec                 eax
            //   410fb6cc             | mov                 ecx, edi
            //   4533948da0a60500     | test                eax, eax
            //   453317               | je                  0x51a
            //   4983c704             | dec                 eax

        $sequence_1 = { 448945e4 458bd0 41339486a09e0500 413394bea09a0500 0fb6c3 }
            // n = 5, score = 100
            //   448945e4             | xor                 edi, edi
            //   458bd0               | inc                 ecx
            //   41339486a09e0500     | mov                 ebx, edi
            //   413394bea09a0500     | dec                 esp
            //   0fb6c3               | lea                 ecx, [0xfffd3d4a]

        $sequence_2 = { 4c8b85a0260000 33d2 48897c2438 448bc8 48897c2430 b9e9fd0000 }
            // n = 6, score = 100
            //   4c8b85a0260000       | imul                esi, eax, 0x29c
            //   33d2                 | inc                 esp
            //   48897c2438           | lea                 eax, [edx + 7]
            //   448bc8               | dec                 eax
            //   48897c2430           | lea                 ecx, [esp + 0x40]
            //   b9e9fd0000           | mov                 eax, dword ptr [esp + 0x60]

        $sequence_3 = { 7442 e9???????? 488b9540070000 4c8d05499e0000 498bce e8???????? 85c0 }
            // n = 7, score = 100
            //   7442                 | xor                 edx, edx
            //   e9????????           |                     
            //   488b9540070000       | dec                 eax
            //   4c8d05499e0000       | mov                 dword ptr [esp + 0x38], edi
            //   498bce               | je                  0xc7
            //   e8????????           |                     
            //   85c0                 | dec                 eax

        $sequence_4 = { 448d4302 48895c2420 488d154eb90400 ff15???????? 488d0d117b0500 ff15???????? 488b5c2460 }
            // n = 7, score = 100
            //   448d4302             | dec                 eax
            //   48895c2420           | lea                 eax, [0x29230]
            //   488d154eb90400       | mov                 dword ptr [edi + 0x98], 1
            //   ff15????????         |                     
            //   488d0d117b0500       | dec                 eax
            //   ff15????????         |                     
            //   488b5c2460           | mov                 dword ptr [edi + 0xa0], 6

        $sequence_5 = { 488d1547a10400 ff15???????? 85c0 744a 488d1546a10400 488d4c2450 }
            // n = 6, score = 100
            //   488d1547a10400       | sub                 esp, 0x3d0
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   744a                 | lea                 eax, [0x432ee]
            //   488d1546a10400       | inc                 ebp
            //   488d4c2450           | xor                 edi, edi

        $sequence_6 = { c7475001000000 48c7475804000000 48894778 488d050b710300 c7476801000000 48c7477004000000 48898790000000 }
            // n = 7, score = 100
            //   c7475001000000       | or                  ebx, ecx
            //   48c7475804000000     | mov                 ecx, edi
            //   48894778             | dec                 esp
            //   488d050b710300       | xor                 ecx, ecx
            //   c7476801000000       | inc                 esp
            //   48c7477004000000     | or                  ebx, ecx
            //   48898790000000       | inc                 esp

        $sequence_7 = { 0fb68c82e2220400 0fb6b482e3220400 8bd9 8bf8 33d2 48c1e302 }
            // n = 6, score = 100
            //   0fb68c82e2220400     | dec                 eax
            //   0fb6b482e3220400     | shr                 ecx, 0x10
            //   8bd9                 | dec                 eax
            //   8bf8                 | shr                 ecx, 0x18
            //   33d2                 | dec                 eax
            //   48c1e302             | inc                 ebp

        $sequence_8 = { 7579 486305e850fdff 488d15a550fdff 488d0c10 813950450000 }
            // n = 5, score = 100
            //   7579                 | dec                 eax
            //   486305e850fdff       | mov                 ebx, dword ptr [esp + 0x270]
            //   488d15a550fdff       | dec                 eax
            //   488d0c10             | mov                 ecx, esi
            //   813950450000         | dec                 eax

        $sequence_9 = { 4889442420 418d5101 ff15???????? 85c0 0f85f3000000 ff15???????? 3dea000000 }
            // n = 7, score = 100
            //   4889442420           | dec                 eax
            //   418d5101             | inc                 ecx
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   0f85f3000000         | cmp                 ecx, edx
            //   ff15????????         |                     
            //   3dea000000           | jl                  0x3d5

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned file must be smaller than 843776 bytes (824 KiB).
        // NOTE(review): the size cap is presumably derived from the reference
        // samples the rule was generated from; confirm it still holds before
        // relying on the rule for differently packed builds.
        7 of them and filesize < 843776
}