Symbol: win.rook
Common name: Rook


According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note ("HowToRestoreYourFiles.txt"). Rook renames files by appending the ".Rook" extension. For example, it renames "1.jpg" to "1.jpg.Rook", "2.jpg" to "2.jpg.Rook".
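The two host-level artefacts named above (the appended ".Rook" extension and the "HowToRestoreYourFiles.txt" note) are enough for a quick read-only triage of a file share after an incident. The script below is an added example written for this page, not Malpedia's or any vendor's code; it runs over a constructed path listing by default, and `triage_tree` applies the same logic to a real directory.

```python
import os
from collections import Counter

# Indicators stated on the page: appended extension and ransom-note filename.
ROOK_EXTENSION = ".Rook"
ROOK_NOTE = "HowToRestoreYourFiles.txt"


def classify(path):
    """Return ("encrypted", original_path), ("note", path) or None."""
    name = os.path.basename(path)
    if name == ROOK_NOTE:
        return ("note", path)
    # Rook appends ".Rook" after the original name, so "1.jpg" becomes
    # "1.jpg.Rook"; stripping the suffix recovers the pre-encryption name.
    if name.endswith(ROOK_EXTENSION) and len(name) > len(ROOK_EXTENSION):
        original = name[: -len(ROOK_EXTENSION)]
        return ("encrypted", os.path.join(os.path.dirname(path), original))
    return None


def triage(paths):
    """Summarise Rook artefacts over an iterable of file paths."""
    encrypted, notes = [], []
    dirs = Counter()  # affected directories -> number of encrypted files
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, value = hit
        if kind == "note":
            notes.append(value)
        else:
            encrypted.append((p, value))
            dirs[os.path.dirname(p)] += 1
    return {"encrypted": encrypted, "notes": notes, "dirs": dict(dirs)}


def triage_tree(root):
    """Walk a real directory tree without modifying anything and triage it."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


# Constructed sample listing (not from a real incident) for a stand-alone run.
SAMPLE_PATHS = [
    "/srv/share/docs/1.jpg.Rook",
    "/srv/share/docs/2.jpg.Rook",
    "/srv/share/docs/HowToRestoreYourFiles.txt",
    "/srv/share/docs/readme.txt",
    "/srv/share/finance/report.xlsx.Rook",
    "/srv/share/finance/HowToRestoreYourFiles.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The recovered original names are useful for scoping restores from backup; the per-directory counts show where encryption started or stopped.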

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team | BRONZE STARLIGHT Ransomware Operations Use HUI Loader
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} }
Referenced families/actors: ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team | Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} }
Referenced families/actors: Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) | Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Referenced families/actors: AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-03-17 | Seguranca Informatica | Pedro Tavares | Rook ransomware analysis
@online{tavares:20220317:rook:cae4010, author = {Pedro Tavares}, title = {{Rook ransomware analysis}}, date = {2022-03-17}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/rook-ransomware-analysis/}, language = {English}, urldate = {2022-03-22} }
Referenced families/actors: Rook
2022-03-15 | cyble | Cyble | Deep Dive Analysis - Pandora Ransomware
@online{cyble:20220315:deep:6e5c8b7, author = {Cyble}, title = {{Deep Dive Analysis - Pandora Ransomware}}, date = {2022-03-15}, organization = {cyble}, url = {https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/}, language = {English}, urldate = {2022-09-19} }
Referenced families/actors: Pandora Rook
2022-01-12 | Github (Dump-GUY) | Jiří Vinopal | NightSky Ransomware – just a Rook RW fork in VMProtect suit
@online{vinopal:20220112:nightsky:a44e6b6, author = {Jiří Vinopal}, title = {{NightSky Ransomware – just a Rook RW fork in VMProtect suit}}, date = {2022-01-12}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md}, language = {English}, urldate = {2022-01-12} }
Referenced families/actors: Rook
2022-01-06 | Chuongdong blog | Chuong Dong | Rook Ransomware Analysis
@online{dong:20220106:rook:0b69fa6, author = {Chuong Dong}, title = {{Rook Ransomware Analysis}}, date = {2022-01-06}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/}, language = {English}, urldate = {2022-01-12} }
Referenced families/actors: Rook
2021-12-23 | SentinelOne | Jim Walter | New Rook Ransomware Feeds Off the Code of Babuk
@online{walter:20211223:new:1768cb6, author = {Jim Walter}, title = {{New Rook Ransomware Feeds Off the Code of Babuk}}, date = {2021-12-23}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/}, language = {English}, urldate = {2021-12-31} }
Referenced families/actors: Rook
Yara Rules
[TLP:WHITE] win_rook_auto (20230715 | Detects win.rook.)
rule win_rook_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.rook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8bf1 488b0d???????? ba08000000 41b840000100 ff15???????? 488be8 4885c0 }
            // n = 7, score = 100
            //   4c8bf1               | cmp                 eax, -1
            //   488b0d????????       |                     
            //   ba08000000           | dec                 eax
            //   41b840000100         | lea                 edx, [esp + 0x40]
            //   ff15????????         |                     
            //   488be8               | dec                 eax
            //   4885c0               | mov                 ecx, esi

        $sequence_1 = { 0f1f4000 0f1f840000000000 33db 488bfd 6666660f1f840000000000 488b0f 488d54244c }
            // n = 7, score = 100
            //   0f1f4000             | xor                 eax, eax
            //   0f1f840000000000     | inc                 ecx
            //   33db                 | lea                 edx, [eax + 1]
            //   488bfd               | mov                 edx, 8
            //   6666660f1f840000000000     | inc    ebp
            //   488b0f               | xor                 eax, eax
            //   488d54244c           | inc                 ecx

        $sequence_2 = { 4156 0fb64201 4c8d359f9cfdff 440fb60a 498bf8 }
            // n = 5, score = 100
            //   4156                 | lea                 eax, [0x41532]
            //   0fb64201             | ret                 
            //   4c8d359f9cfdff       | dec                 eax
            //   440fb60a             | lea                 ecx, [0x4bb39]
            //   498bf8               | dec                 eax

        $sequence_3 = { ff15???????? ffc0 4898 4d8d3446 83ed01 7586 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   ffc0                 | dec                 eax
            //   4898                 | mov                 dword ptr [edi + 0xa8], eax
            //   4d8d3446             | dec                 eax
            //   83ed01               | lea                 eax, [0x28958]
            //   7586                 | mov                 dword ptr [edi + 0x98], 1

        $sequence_4 = { 488987a8000000 488d05749c0200 c7879800000001000000 48c787a000000004000000 48894760 488d055c990200 }
            // n = 6, score = 100
            //   488987a8000000       | test                eax, eax
            //   488d05749c0200       | dec                 eax
            //   c7879800000001000000     | lea    ecx, [0x44163]
            //   48c787a000000004000000     | dec    eax
            //   48894760             | test                eax, eax
            //   488d055c990200       | jne                 0x1989

        $sequence_5 = { 448b442408 03d0 488d0560640200 031488 418bc8 03d3 }
            // n = 6, score = 100
            //   448b442408           | jb                  0x14be
            //   03d0                 | inc                 esp
            //   488d0560640200       | mov                 dword ptr [esp + 0xc0], esi
            //   031488               | dec                 eax
            //   418bc8               | arpl                word ptr [esp + 0xc0], ax
            //   03d3                 | dec                 ecx

        $sequence_6 = { ff15???????? 4c8be0 4885c0 74e3 0f1f00 488b0d???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   4c8be0               | lea                 esi, [0xfffd9c9f]
            //   4885c0               | inc                 esp
            //   74e3                 | movzx               ecx, byte ptr [edx]
            //   0f1f00               | dec                 ecx
            //   488b0d????????       |                     

        $sequence_7 = { 0f8e91020000 4c8d2d8e88ffff 418bd8 418bc8 48c1e910 440fb6c1 418bfa }
            // n = 7, score = 100
            //   0f8e91020000         | jmp                 0x6d9
            //   4c8d2d8e88ffff       | dec                 eax
            //   418bd8               | mov                 eax, ebx
            //   418bc8               | dec                 ecx
            //   48c1e910             | xchg                dword ptr [edi + esi*8 + 0x55010], eax
            //   440fb6c1             | dec                 eax
            //   418bfa               | test                eax, eax

        $sequence_8 = { 4c8d0d169f0000 c5f35cca c4c173590cc1 4c8d0de58e0000 c5f359c1 c5fb101d???????? c5fb102d???????? }
            // n = 7, score = 100
            //   4c8d0d169f0000       | jne                 0x225
            //   c5f35cca             | dec                 eax
            //   c4c173590cc1         | mov                 dword ptr [esp + 0x40], ebx
            //   4c8d0de58e0000       | mov                 ebx, dword ptr [esp + 0x50]
            //   c5f359c1             | dec                 eax
            //   c5fb101d????????     |                     
            //   c5fb102d????????     |                     

        $sequence_9 = { 7452 6666660f1f840000000000 0fb713 418d4901 4883c002 4883c302 450fb7c2 }
            // n = 7, score = 100
            //   7452                 | movzx               edx, byte ptr [ecx + esi + 0x59970]
            //   6666660f1f840000000000     | inc    edx
            //   0fb713               | movzx               eax, byte ptr [eax + esi + 0x59970]
            //   418d4901             | movzx               ecx, al
            //   4883c002             | mov                 eax, esi
            //   4883c302             | dec                 eax
            //   450fb7c2             | shr                 eax, 0x18

    condition:
        7 of them and filesize < 843776
}