win.satan

Satan

aka: 5ss5c, DBGer, Lucky Ransomware

Ransomware.

References
2020-01-14 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } Satan ransomware rebrands as 5ss5c ransomware
Satan
2018-12-11 | Cyware | Sophia Brown
@online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities
Satan
2018-12-06 | NSFOCUS | haoming
@online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } SATAN variant analysis & handling guide
Satan
2018-11-26 | Sangfor | Sangfor
@online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } New Lucky Ransomware Targets Linux Servers
Satan
2018-06-14 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks
Satan
2018-06-01 | AT&T | Javier Ruiz
@online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } Satan Ransomware Spawns New Methods to Spread
Satan
2018-04-22 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } Satan ransomware adds EternalBlue exploit
Satan
2017-01-19 | Bleeping Computer | Lawrence Abrams
@online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } New Satan Ransomware available through a Ransomware as a Service.
Satan
Yara Rules
[TLP:WHITE] win_satan_auto (20220808 | Detects win.satan.)
rule win_satan_auto {
    // Autogenerated code-sequence rule for win.satan (aka 5ss5c, DBGer, Lucky
    // ransomware). Each $sequence_N below is a run of x86 opcode bytes taken from
    // the disassembly of the family's samples; the commented listing next to every
    // string shows the decoded instructions. The rule fires when most of these
    // sequences co-occur in one file (see the condition at the bottom).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.satan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" bytes are wildcards. The disassembly column is left blank for
        // those entries (the e8/e9 call/jmp and the c707 mov operands), which
        // presumably are the rel32/imm32 values that yara-signator masks so the
        // rule is not pinned to one build's address layout. In the per-sequence
        // comments, "n" is the number of instructions in the sequence; "score"
        // is yara-signator's ranking value (its scale is not documented here).
        $sequence_0 = { 64a300000000 8bf9 897dec c745f000000000 c707???????? c74710c4724700 }
            // n = 6, score = 100
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf9                 | mov                 edi, ecx
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   c707????????         |                     
            //   c74710c4724700       | mov                 dword ptr [edi + 0x10], 0x4772c4

        $sequence_1 = { 8d4b08 c745fc1f000000 e8???????? 8d4b08 e8???????? 8b4df4 }
            // n = 6, score = 100
            //   8d4b08               | lea                 ecx, [ebx + 8]
            //   c745fc1f000000       | mov                 dword ptr [ebp - 4], 0x1f
            //   e8????????           |                     
            //   8d4b08               | lea                 ecx, [ebx + 8]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_2 = { e8???????? 83c404 85c0 7408 8b45c8 8b55cc eb06 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   eb06                 | jmp                 8

        $sequence_3 = { e8???????? 83c404 0fb6d0 85d2 743d b802000000 c1e000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   0fb6d0               | movzx               edx, al
            //   85d2                 | test                edx, edx
            //   743d                 | je                  0x3f
            //   b802000000           | mov                 eax, 2
            //   c1e000               | shl                 eax, 0

        $sequence_4 = { 8b7508 83e63f 6bf630 8b0c8d40e04700 89443120 89543124 e9???????? }
            // n = 7, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83e63f               | and                 esi, 0x3f
            //   6bf630               | imul                esi, esi, 0x30
            //   8b0c8d40e04700       | mov                 ecx, dword ptr [ecx*4 + 0x47e040]
            //   89443120             | mov                 dword ptr [ecx + esi + 0x20], eax
            //   89543124             | mov                 dword ptr [ecx + esi + 0x24], edx
            //   e9????????           |                     

        $sequence_5 = { 33c9 33f6 3b45dc 0f47d9 85db 741a 0fbe0406 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   33f6                 | xor                 esi, esi
            //   3b45dc               | cmp                 eax, dword ptr [ebp - 0x24]
            //   0f47d9               | cmova               ebx, ecx
            //   85db                 | test                ebx, ebx
            //   741a                 | je                  0x1c
            //   0fbe0406             | movsx               eax, byte ptr [esi + eax]

        $sequence_6 = { 8b45d8 8945bc eb09 8b4dd8 83c101 894dd8 }
            // n = 6, score = 100
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   eb09                 | jmp                 0xb
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   83c101               | add                 ecx, 1
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx

        $sequence_7 = { c78405c4feffffd8674700 8b85c4feffff 8b4804 8d4198 89840dc0feffff 8d8dc8feffff e8???????? }
            // n = 7, score = 100
            //   c78405c4feffffd8674700     | mov    dword ptr [ebp + eax - 0x13c], 0x4767d8
            //   8b85c4feffff         | mov                 eax, dword ptr [ebp - 0x13c]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d4198               | lea                 eax, [ecx - 0x68]
            //   89840dc0feffff       | mov                 dword ptr [ebp + ecx - 0x140], eax
            //   8d8dc8feffff         | lea                 ecx, [ebp - 0x138]
            //   e8????????           |                     

        $sequence_8 = { 8b10 52 8d4df8 e8???????? 8d4df8 e8???????? 0fb6c0 }
            // n = 7, score = 100
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   52                   | push                edx
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   e8????????           |                     
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al

        $sequence_9 = { e9???????? 837d0cff 745e 817d0cffffff7f 7455 8b45f4 83c001 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   837d0cff             | cmp                 dword ptr [ebp + 0xc], -1
            //   745e                 | je                  0x60
            //   817d0cffffff7f       | cmp                 dword ptr [ebp + 0xc], 0x7fffffff
            //   7455                 | je                  0x57
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c001               | add                 eax, 1

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, so a sample
        // can drop or change up to three of them and still match. The filesize
        // bound (1163264 bytes, roughly 1.1 MiB) limits what is scanned; a
        // larger file that embeds this code will not match even if every
        // sequence is present. As the disclaimer above states, the sequences
        // were taken from unpacked files and memory dumps, so packed on-disk
        // samples are likely to need unpacking or an in-memory scan.
        7 of them and filesize < 1163264
}