win.satan

Satan

aka: 5ss5c, DBGer, Lucky Ransomware

Ransomware.

References
2020-01-14Blaze's Security BlogBartBlaze
@online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } Satan ransomware rebrands as 5ss5c ransomware
Satan
2018-12-11CywareSophia Brown
@online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities
Satan
2018-12-06NSFOCUShaoming
@online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } SATAN variant analysis & handling guide
Satan
2018-11-26SangforSangfor
@online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } New Lucky Ransomware Targets Linux Servers
Satan
2018-06-14Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks
Satan
2018-06-01AT&TJavier Ruiz
@online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } Satan Ransomware Spawns New Methods to Spread
Satan
2018-04-22Blaze's Security BlogBartBlaze
@online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } Satan ransomware adds EternalBlue exploit
Satan
2017-01-19Bleeping ComputerLawrence Abrams
@online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } New Satan Ransomware available through a Ransomware as a Service.
Satan
Yara Rules
[TLP:WHITE] win_satan_auto (20230125 | Detects win.satan.)
rule win_satan_auto {
    // Autogenerated code-sequence signature for the Satan ransomware family
    // (Malpedia id win.satan; the page lists 5ss5c, DBGer and Lucky as aliases).
    // Each $sequence_N below is a short run of x86 instruction bytes lifted from
    // disassembly by yara-signator; the rule fires when enough of them co-occur
    // in one file (see the condition at the bottom).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.satan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings: each "??" is a single wildcard byte. In every sequence the
        // wildcards cover the operand of an address-dependent instruction
        // (e8 = CALL rel32, e9 = JMP rel32, ba/68 = 32-bit immediates, 3305 = XOR
        // with a memory operand), which is why the disassembly column is left blank
        // for those rows — the opcode is matched, the relocatable operand is not.
        // "n" is the instruction count of the sequence; "score" is the generator's
        // ranking of the sequence, not a YARA construct.
        $sequence_0 = { 50 8d957cffffff 8d8d40ffffff e8???????? 8d4d98 c645fc04 51 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d957cffffff         | lea                 edx, [ebp - 0x84]
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]
            //   e8????????           |                     
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   51                   | push                ecx

        $sequence_1 = { eb07 c745cce8c14700 8b4dcc 8a512d 80e201 0fb6c2 85c0 }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   c745cce8c14700       | mov                 dword ptr [ebp - 0x34], 0x47c1e8
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]
            //   8a512d               | mov                 dl, byte ptr [ecx + 0x2d]
            //   80e201               | and                 dl, 1
            //   0fb6c2               | movzx               eax, dl
            //   85c0                 | test                eax, eax
            // NOTE(review): this sequence embeds a literal absolute address (0x47c1e8),
            // as do $sequence_5 (0x47d674) and $sequence_7 (0x47d1d0). These only match
            // builds with the same image base and layout; a relinked or ASLR-rebased
            // variant would miss these three sequences — confirm before relying on them.

        $sequence_2 = { 8d45d8 8b55b4 c745fc02000000 837dec10 0f4345d8 8b12 }
            // n = 6, score = 100
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   c745fc02000000       | mov                 dword ptr [ebp - 4], 2
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10
            //   0f4345d8             | cmovae              eax, dword ptr [ebp - 0x28]
            //   8b12                 | mov                 edx, dword ptr [edx]

        $sequence_3 = { 8bc7 397138 0f45c6 50 e8???????? ba???????? 8d8d40ffffff }
            // n = 7, score = 100
            //   8bc7                 | mov                 eax, edi
            //   397138               | cmp                 dword ptr [ecx + 0x38], esi
            //   0f45c6               | cmovne              eax, esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   ba????????           |                     
            //   8d8d40ffffff         | lea                 ecx, [ebp - 0xc0]

        $sequence_4 = { 81fe00a00f00 7ce1 8d85f85ff0ff c645f800 50 8bcf e8???????? }
            // n = 7, score = 100
            //   81fe00a00f00         | cmp                 esi, 0xfa000
            //   7ce1                 | jl                  0xffffffe3
            //   8d85f85ff0ff         | lea                 eax, [ebp - 0xfa008]
            //   c645f800             | mov                 byte ptr [ebp - 8], 0
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            // Presumably the tail of a loop over a ~1 MB (0xfa000-byte) stack buffer;
            // the backward jl and the matching [ebp - 0xfa008] frame offset suggest
            // that, but the loop body is outside the sequence — verify in a sample.

        $sequence_5 = { 754e 6aff 8b4d08 8d148d74d64700 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   754e                 | jne                 0x50
            //   6aff                 | push                -1
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d148d74d64700       | lea                 edx, [ecx*4 + 0x47d674]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_6 = { 740a 6aff 6a00 50 e8???????? 0f57c0 }
            // n = 6, score = 100
            //   740a                 | je                  0xc
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   0f57c0               | xorps               xmm0, xmm0

        $sequence_7 = { 3305???????? b904000000 6bd118 8982d0d14700 68???????? 8b45fc 50 }
            // n = 7, score = 100
            //   3305????????         |                     
            //   b904000000           | mov                 ecx, 4
            //   6bd118               | imul                edx, ecx, 0x18
            //   8982d0d14700         | mov                 dword ptr [edx + 0x47d1d0], eax
            //   68????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_8 = { 8d4db4 c645fc03 51 8bd0 8d8d78feffff e8???????? 83c404 }
            // n = 7, score = 100
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   51                   | push                ecx
            //   8bd0                 | mov                 edx, eax
            //   8d8d78feffff         | lea                 ecx, [ebp - 0x188]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_9 = { 0f85c9000000 897004 e9???????? 80790c00 7545 c6410c01 8b0a }
            // n = 7, score = 100
            //   0f85c9000000         | jne                 0xcf
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   e9????????           |                     
            //   80790c00             | cmp                 byte ptr [ecx + 0xc], 0
            //   7545                 | jne                 0x47
            //   c6410c01             | mov                 byte ptr [ecx + 0xc], 1
            //   8b0a                 | mov                 ecx, dword ptr [edx]

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the scanned
        // file must be smaller than 1163264 bytes (1136 KiB). The count threshold
        // tolerates up to three sequences being broken by recompilation or the
        // absolute-address issue noted at $sequence_1; the size cap is a hard-coded
        // bound derived from the reference sample(s), so a padded, repacked or
        // appended sample above it will not match regardless of code similarity.
        // NOTE(review): filesize is a file-scan property; if this rule is applied to
        // process memory or memory dumps larger than the cap, check how your YARA
        // version evaluates filesize there before trusting a non-match.
        7 of them and filesize < 1163264
}