win.satan

Satan

aka: 5ss5c, DBGer, Lucky Ransomware

Ransomware.

References
2020-01-14 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } Satan ransomware rebrands as 5ss5c ransomware
Satan
2018-12-11 | Cyware | Sophia Brown
@online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities
Satan
2018-12-06 | NSFOCUS | haoming
@online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } SATAN variant analysis & handling guide
Satan
2018-11-26 | Sangfor | Sangfor
@online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } New Lucky Ransomware Targets Linux Servers
Satan
2018-06-14 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks
Satan
2018-06-01 | AT&T | Javier Ruiz
@online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } Satan Ransomware Spawns New Methods to Spread
Satan
2018-04-22 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } Satan ransomware adds EternalBlue exploit
Satan
2017-01-19 | Bleeping Computer | Lawrence Abrams
@online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } New Satan Ransomware available through a Ransomware as a Service.
Satan
Yara Rules
[TLP:WHITE] win_satan_auto (20220411 | Detects win.satan.)
rule win_satan_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Satan ransomware
    // family (aka 5ss5c, DBGer, Lucky Ransomware). Each $sequence_N is a short run
    // of x86 instruction bytes taken from the disassembly of reference samples;
    // `??` bytes are wildcards for operand bytes the generator left unspecified
    // (the disassembly column for those lines is blank). A scanned object matches
    // only when at least 7 of the 10 sequences are present AND it is smaller than
    // 1163264 bytes (1136 KiB); anything at or above that size is excluded
    // regardless of how many sequences hit.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.satan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string below is one contiguous instruction sequence; the
        // commented lines give the generator's disassembly of each opcode.
        $sequence_0 = { 7421 8b10 8b4a08 3b4e04 740f c70200000000 }
            // n = 6, score = 100
            //   7421                 | je                  0x23
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]
            //   3b4e04               | cmp                 ecx, dword ptr [esi + 4]
            //   740f                 | je                  0x11
            //   c70200000000         | mov                 dword ptr [edx], 0

        $sequence_1 = { c74408e0d0724700 8b41e0 8b5004 8d42e0 89440adc 8d51f8 8b42f8 }
            // n = 7, score = 100
            //   c74408e0d0724700     | mov                 dword ptr [eax + ecx - 0x20], 0x4772d0
            //   8b41e0               | mov                 eax, dword ptr [ecx - 0x20]
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8d42e0               | lea                 eax, dword ptr [edx - 0x20]
            //   89440adc             | mov                 dword ptr [edx + ecx - 0x24], eax
            //   8d51f8               | lea                 edx, dword ptr [ecx - 8]
            //   8b42f8               | mov                 eax, dword ptr [edx - 8]

        $sequence_2 = { 85db 7457 6a00 6a00 6a00 68???????? 83ec1c }
            // n = 7, score = 100
            //   85db                 | test                ebx, ebx
            //   7457                 | je                  0x59
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_3 = { 8b55f8 0fb682e0214200 ff2485b8214200 8b4dfc 8b5110 }
            // n = 5, score = 100
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   0fb682e0214200       | movzx               eax, byte ptr [edx + 0x4221e0]
            //   ff2485b8214200       | jmp                 dword ptr [eax*4 + 0x4221b8]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]

        $sequence_4 = { 750e 6a02 e8???????? 83c404 32c0 eb68 ba02000000 }
            // n = 7, score = 100
            //   750e                 | jne                 0x10
            //   6a02                 | push                2
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   32c0                 | xor                 al, al
            //   eb68                 | jmp                 0x6a
            //   ba02000000           | mov                 edx, 2

        $sequence_5 = { 7548 e8???????? bf???????? bbe1000000 57 68???????? 6a00 }
            // n = 7, score = 100
            //   7548                 | jne                 0x4a
            //   e8????????           |                     
            //   bf????????           |                     
            //   bbe1000000           | mov                 ebx, 0xe1
            //   57                   | push                edi
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_6 = { 7411 8b75dc 85f6 740a }
            // n = 4, score = 100
            //   7411                 | je                  0x13
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   85f6                 | test                esi, esi
            //   740a                 | je                  0xc

        // NOTE(review): the disassembly of this sequence is a run of add/and on
        // low-value operands with no control flow, which looks more like a data
        // region than executable code; it is probably the least discriminating
        // of the ten sequences — confirm against the source sample before relying
        // on it in a tighter (e.g. "N of them") variant of this rule.
        $sequence_7 = { 003c22 44 00f5 22440000 0201 0200 0201 }
            // n = 7, score = 100
            //   003c22               | add                 byte ptr [edx], bh
            //   44                   | inc                 esp
            //   00f5                 | add                 ch, dh
            //   22440000             | and                 al, byte ptr [eax + eax]
            //   0201                 | add                 al, byte ptr [ecx]
            //   0200                 | add                 al, byte ptr [eax]
            //   0201                 | add                 al, byte ptr [ecx]

        $sequence_8 = { 8b45d4 0fb608 83e107 b801000000 d3e0 0fb64c15dc 0bc8 }
            // n = 7, score = 100
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   83e107               | and                 ecx, 7
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   0fb64c15dc           | movzx               ecx, byte ptr [ebp + edx - 0x24]
            //   0bc8                 | or                  ecx, eax

        $sequence_9 = { 8b4014 03c1 3bc2 7358 68aa000000 68???????? 68???????? }
            // n = 7, score = 100
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   03c1                 | add                 eax, ecx
            //   3bc2                 | cmp                 eax, edx
            //   7358                 | jae                 0x5a
            //   68aa000000           | push                0xaa
            //   68????????           |                     
            //   68????????           |                     

    condition:
        // "them" is all 10 $sequence_* strings: at least 7 must match, and the
        // size filter rejects scanned objects of 1163264 bytes (1136 KiB) or more.
        7 of them and filesize < 1163264
}