win.satan

Satan

aka: 5ss5c, DBGer, Lucky Ransomware

Ransomware. First offered as a Ransomware-as-a-Service in early 2017; 2018 variants (tracked as DBGer) added network propagation via the EternalBlue SMB exploit and credential theft with Mimikatz, and the "Lucky" variant extended targeting to Linux servers by exploiting server-side application vulnerabilities. In 2020 the operation rebranded as 5ss5c. See the references below for per-variant analysis.

References
2020-01-14 — Blaze's Security Blog — BartBlaze
@online{bartblaze:20200114:satan:4d45ea5, author = {BartBlaze}, title = {{Satan ransomware rebrands as 5ss5c ransomware}}, date = {2020-01-14}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html}, language = {English}, urldate = {2020-01-17} } Satan ransomware rebrands as 5ss5c ransomware
Satan
2018-12-11 — Cyware — Sophia Brown
@online{brown:20181211:new:fa1fc12, author = {Sophia Brown}, title = {{New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities}}, date = {2018-12-11}, organization = {Cyware}, url = {https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2}, language = {English}, urldate = {2020-01-07} } New Satan ransomware variant ‘Lucky’ exposes 10 server-side vulnerabilities
Satan
2018-12-06 — NSFOCUS — haoming
@online{haoming:20181206:satan:69932c8, author = {haoming}, title = {{SATAN variant analysis & handling guide}}, date = {2018-12-06}, organization = {NSFOCUS}, url = {http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/}, language = {English}, urldate = {2019-10-15} } SATAN variant analysis & handling guide
Satan
2018-11-26 — Sangfor — Sangfor
@online{sangfor:20181126:new:c43d870, author = {Sangfor}, title = {{New Lucky Ransomware Targets Linux Servers}}, date = {2018-11-26}, organization = {Sangfor}, url = {https://www.sangfor.com/source/blog-network-security/1094.html}, language = {English}, urldate = {2020-01-13} } New Lucky Ransomware Targets Linux Servers
Satan
2018-06-14 — Bleeping Computer — Catalin Cimpanu
@online{cimpanu:20180614:dbger:c326e0a, author = {Catalin Cimpanu}, title = {{DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks}}, date = {2018-06-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/}, language = {English}, urldate = {2019-12-20} } DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks
Satan
2018-06-01 — AT&T — Javier Ruiz
@online{ruiz:20180601:satan:f427b73, author = {Javier Ruiz}, title = {{Satan Ransomware Spawns New Methods to Spread}}, date = {2018-06-01}, organization = {AT&T}, url = {https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread}, language = {English}, urldate = {2019-11-26} } Satan Ransomware Spawns New Methods to Spread
Satan
2018-04-22 — Blaze's Security Blog — BartBlaze
@online{bartblaze:20180422:satan:04f63e8, author = {BartBlaze}, title = {{Satan ransomware adds EternalBlue exploit}}, date = {2018-04-22}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html}, language = {English}, urldate = {2020-01-10} } Satan ransomware adds EternalBlue exploit
Satan
2017-01-19 — Bleeping Computer — Lawrence Abrams
@online{abrams:20170119:new:b020afc, author = {Lawrence Abrams}, title = {{New Satan Ransomware available through a Ransomware as a Service.}}, date = {2017-01-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/}, language = {English}, urldate = {2019-12-20} } New Satan Ransomware available through a Ransomware as a Service.
Satan
Yara Rules
[TLP:WHITE] win_satan_auto (20230407 | Detects win.satan.)
// Autogenerated Malpedia detection rule for win.satan (Satan / 5ss5c / DBGer / Lucky).
// The rule matches on ten short 32-bit x86 opcode sequences lifted from unpacked
// samples and memory dumps; the `e8????????` wildcards mask the relative operand of
// call instructions, whose value changes between builds and load addresses.
rule win_satan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.satan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a raw byte pattern; the disassembly beneath it is
        // informational only. `n` is the number of instructions in the sequence and
        // `score` the generator's uniqueness score for it (100 is the maximum).
        $sequence_0 = { ff7708 8bc8 e8???????? 8b4328 8b3f }
            // n = 5, score = 100
            //   ff7708               | push                dword ptr [edi + 8]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b4328               | mov                 eax, dword ptr [ebx + 0x28]
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_1 = { 8bf1 8975ec e8???????? 6a08 894604 c745fc00000000 }
            // n = 6, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   e8????????           |                     
            //   6a08                 | push                8
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        // NOTE(review): $sequence_2 and $sequence_3 together (cmp against 0x41 'A',
        // then add 0x20 to the byte and store it back) look like a plain in-place
        // ASCII upper-to-lower conversion loop. That is a common compiler/library
        // idiom, so on their own these two carry little attribution weight; the
        // 7-of-10 threshold in the condition is what keeps them from dominating.
        $sequence_2 = { 8b4dfc 0fbe11 83fa41 7c19 8b45fc 0fbe08 }
            // n = 6, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fbe11               | movsx               edx, byte ptr [ecx]
            //   83fa41               | cmp                 edx, 0x41
            //   7c19                 | jl                  0x1b
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe08               | movsx               ecx, byte ptr [eax]

        $sequence_3 = { 8b45fc 0fbe08 83c120 8b55fc 880a ebc7 33c0 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fbe08               | movsx               ecx, byte ptr [eax]
            //   83c120               | add                 ecx, 0x20
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   880a                 | mov                 byte ptr [edx], cl
            //   ebc7                 | jmp                 0xffffffc9
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 53 894514 c7472000000000 c7472400000000 e8???????? 8b45cc 83c430 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   c7472000000000       | mov                 dword ptr [edi + 0x20], 0
            //   c7472400000000       | mov                 dword ptr [edi + 0x24], 0
            //   e8????????           |                     
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   83c430               | add                 esp, 0x30

        $sequence_5 = { 8b4318 83c304 8945d0 83f810 7207 8b03 8945d8 }
            // n = 7, score = 100
            //   8b4318               | mov                 eax, dword ptr [ebx + 0x18]
            //   83c304               | add                 ebx, 4
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   83f810               | cmp                 eax, 0x10
            //   7207                 | jb                  9
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        // NOTE(review): a null-check followed by an indirect call through esi is a very
        // generic shape; expect this sequence to match unrelated 32-bit binaries too.
        $sequence_6 = { 8b8578ffffff 85c0 7403 50 ffd6 53 }
            // n = 6, score = 100
            //   8b8578ffffff         | mov                 eax, dword ptr [ebp - 0x88]
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   53                   | push                ebx

        $sequence_7 = { 7212 40 6a01 50 ffb5f4feffff }
            // n = 5, score = 100
            //   7212                 | jb                  0x14
            //   40                   | inc                 eax
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ffb5f4feffff         | push                dword ptr [ebp - 0x10c]

        $sequence_8 = { ff7514 8bcf e8???????? 8d4d0c e8???????? 8d4d18 }
            // n = 6, score = 100
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d4d0c               | lea                 ecx, [ebp + 0xc]
            //   e8????????           |                     
            //   8d4d18               | lea                 ecx, [ebp + 0x18]

        $sequence_9 = { c645fc03 51 8bd0 8d8d78feffff e8???????? 83c404 57 }
            // n = 7, score = 100
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   51                   | push                ecx
            //   8bd0                 | mov                 edx, eax
            //   8d8d78feffff         | lea                 ecx, [ebp - 0x188]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   57                   | push                edi

    condition:
        // Fires when at least 7 of the 10 sequences are present, so a rebuilt or
        // partially repacked sample can drop up to 3 sequences and still match.
        // The filesize cap (1163264 bytes, ~1.1 MiB) bounds the scan to files of
        // roughly the sampled size; larger files — e.g. a padded or bundled
        // dropper — are excluded outright.
        // NOTE(review): YARA's `filesize` is undefined when scanning process memory,
        // which would make this whole condition evaluate false on live scans —
        // confirm for your scanner and drop the filesize term if you need
        // in-memory coverage.
        7 of them and filesize < 1163264
}