win.satan

Satan

aka: 5ss5c, DBGer, Lucky Ransomware

Ransomware.

References
2020-01-14 · Blaze's Security Blog · BartBlaze
@online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } Satan ransomware rebrands as 5ss5c ransomware
Satan
2018-12-11 · Cyware · Sophia Brown
@online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities
Satan
2018-12-06 · NSFOCUS · haoming
@online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } SATAN variant analysis & handling guide
Satan
2018-11-26 · Sangfor · Sangfor
@online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } New Lucky Ransomware Targets Linux Servers
Satan
2018-06-14 · Bleeping Computer · Catalin Cimpanu
@online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks
Satan
2018-06-01 · AT&T · Javier Ruiz
@online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } Satan Ransomware Spawns New Methods to Spread
Satan
2018-04-22 · Blaze's Security Blog · BartBlaze
@online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } Satan ransomware adds EternalBlue exploit
Satan
2017-01-19 · Bleeping Computer · Lawrence Abrams
@online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } New Satan Ransomware available through a Ransomware as a Service.
Satan
Yara Rules
[TLP:WHITE] win_satan_auto (20211008 | Detects win.satan.)
rule win_satan_auto {
    // Auto-generated code-pattern rule for the win.satan family (aka 5ss5c,
    // DBGer, Lucky). It carries ten short x86 byte sequences ($sequence_0..9,
    // 5-7 instructions each) lifted from disassembly and fires when at least
    // 7 of them are present in an object under the filesize cap set below.
    // The DISCLAIMER further down describes how the sequences were selected
    // and why their generalization across samples is limited.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.satan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator configuration: per this setting the "????" wildcards in
        // the sequences below stand in for call/jump targets and data
        // references, presumably so the patterns are not tied to one
        // link/load address of the same code -- confirm against the tool docs.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is followed by the generator's own disassembly listing.
        // "n" is the instruction count; "score" is the generator's per-sequence
        // weight (all 100 here, so no sequence outranks another).
        $sequence_0 = { e8???????? 8d4da0 e8???????? 8d4de4 e8???????? 8bc6 8b4df4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d4da0               | lea                 ecx, dword ptr [ebp - 0x60]
            //   e8????????           |                     
            //   8d4de4               | lea                 ecx, dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_1 = { 83c40c c745e80f000000 c745e400000000 c645d400 8d4dd0 c645fc0c e8???????? }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   c745e80f000000       | mov                 dword ptr [ebp - 0x18], 0xf
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c645d400             | mov                 byte ptr [ebp - 0x2c], 0
            //   8d4dd0               | lea                 ecx, dword ptr [ebp - 0x30]
            //   c645fc0c             | mov                 byte ptr [ebp - 4], 0xc
            //   e8????????           |                     

        $sequence_2 = { 83c408 85c0 7418 83bdb0feffff00 750f e8???????? c785b0feffff01000000 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   83bdb0feffff00       | cmp                 dword ptr [ebp - 0x150], 0
            //   750f                 | jne                 0x11
            //   e8????????           |                     
            //   c785b0feffff01000000     | mov    dword ptr [ebp - 0x150], 1

        $sequence_3 = { 6bd112 8982d0d14700 68???????? 8b45fc 50 ff15???????? 3305???????? }
            // n = 7, score = 100
            //   6bd112               | imul                edx, ecx, 0x12
            //   8982d0d14700         | mov                 dword ptr [edx + 0x47d1d0], eax
            //   68????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3305????????         |                     
            // NOTE(review): the store to [edx + 0x47d1d0] embeds an absolute
            // address, so this sequence is tied to one image base/layout and is
            // the sample-specific one most likely to miss on rebuilt variants.

        $sequence_4 = { 89511c 8b5514 8955b0 8b45b0 8b4db0 }
            // n = 5, score = 100
            //   89511c               | mov                 dword ptr [ecx + 0x1c], edx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8955b0               | mov                 dword ptr [ebp - 0x50], edx
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   8b4db0               | mov                 ecx, dword ptr [ebp - 0x50]

        $sequence_5 = { 8d4db8 c745fcffffffff e8???????? 8d45b8 c745fc14000000 50 8d45e4 }
            // n = 7, score = 100
            //   8d4db8               | lea                 ecx, dword ptr [ebp - 0x48]
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e8???????? 	          |                     
            //   8d45b8               | lea                 eax, dword ptr [ebp - 0x48]
            //   c745fc14000000       | mov                 dword ptr [ebp - 4], 0x14
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]

        $sequence_6 = { 56 57 50 8d45f4 64a300000000 8bfa 89bd18feffff }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bfa                 | mov                 edi, edx
            //   89bd18feffff         | mov                 dword ptr [ebp - 0x1e8], edi
            // NOTE(review): the write to fs:[0] is an exception-handler
            // registration, a prologue shape shared by many compiler-generated
            // Windows binaries; treat this sequence as supporting evidence only.

        $sequence_7 = { e9???????? 837d0c01 7c06 837d0c0c 7e16 e8???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   837d0c01             | cmp                 dword ptr [ebp + 0xc], 1
            //   7c06                 | jl                  8
            //   837d0c0c             | cmp                 dword ptr [ebp + 0xc], 0xc
            //   7e16                 | jle                 0x18
            //   e8????????           |                     

        $sequence_8 = { c645bc00 8d4db8 c745fc2b000000 e8???????? 8d4db8 e8???????? }
            // n = 6, score = 100
            //   c645bc00             | mov                 byte ptr [ebp - 0x44], 0
            //   8d4db8               | lea                 ecx, dword ptr [ebp - 0x48]
            //   c745fc2b000000       | mov                 dword ptr [ebp - 4], 0x2b
            //   e8????????           |                     
            //   8d4db8               | lea                 ecx, dword ptr [ebp - 0x48]
            //   e8????????           |                     

        $sequence_9 = { 8bc8 83f9ff 0f94c0 84c0 7426 8b07 }
            // n = 6, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   83f9ff               | cmp                 ecx, -1
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   7426                 | je                  0x28
            //   8b07                 | mov                 eax, dword ptr [edi]
            // NOTE(review): compares a return value against -1; looks like a
            // generic failure check (INVALID_HANDLE_VALUE-style), so it is a
            // weak discriminator on its own -- confirm against the sample.

    condition:
        // At least 7 of the 10 sequences must match (no single sequence is
        // sufficient), and the scanned object must be smaller than
        // 1163264 bytes (0x11C000, ~1.1 MiB). Per the DISCLAIMER the
        // sequences come from memory dumps and unpacked files, so apply this
        // rule to unpacked or dumped content; a packed on-disk sample may not
        // expose these byte patterns at all.
        7 of them and filesize < 1163264
}