win.satana

Satana


According to Bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR), preventing the machine from starting.

References
2020-06-05 | ReversingLabs | Robert Simmons
Retread Ransomware: Identifying Satana to Understand "CoronaVirus"
Satana
2017-02-06 | Cylance | Cylance Threat Research Team
Threat Spotlight: Satan
Satana
Yara Rules
[TLP:WHITE] win_satana_auto (20260504 | Detects win.satana.)
rule win_satana_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Satana
    // ransomware family as catalogued by Malpedia. Each $sequence_N below is a
    // run of x86 instruction bytes lifted from the disassembly of an unpacked
    // sample or memory dump (see the DISCLAIMER block). "??" bytes are
    // wildcards for operand bytes left unspecified by the generator; in the
    // listings they sit where call targets, absolute data references and
    // immediates would be, which is presumably why those instructions have no
    // disassembly text in the "|" column.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.satana."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the
        // sequence (it matches the count of listed instructions); "score" is
        // the ranking the generator assigned (see the yara-signator docs for
        // its exact meaning). Several sequences (0, 3, 5, 8) embed fixed
        // 32-bit addresses in the 0x40xxxx-0x41xxxx range, which look like
        // absolute image addresses of the documented sample (default
        // 0x400000 image base); a rebuild or relocation that changes the
        // layout would alter those bytes and stop these sequences matching,
        // so the rule's generalisation relies on the "7 of them" condition.

        // Wildcarded call followed by a word copy with two absolute
        // data addresses (0x40b020 -> 0x4140a8).
        $sequence_0 = { e8???????? 33c0 0fb78820b04000 668988a8404100 83c002 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   0fb78820b04000       | movzx               ecx, word ptr [eax + 0x40b020]
            //   668988a8404100       | mov                 word ptr [eax + 0x4140a8], cx
            //   83c002               | add                 eax, 2

        // Byte-copy loop body (edi+esi source, edx+eax destination),
        // terminated on a NUL byte per the test cl, cl.
        $sequence_1 = { eb0f 8d0437 2bd0 8a08 880c02 40 84c9 }
            // n = 7, score = 100
            //   eb0f                 | jmp                 0x11
            //   8d0437               | lea                 eax, [edi + esi]
            //   2bd0                 | sub                 edx, eax
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   880c02               | mov                 byte ptr [edx + eax], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl

        // Loop tail that XORs a byte at [esi] with al and advances two
        // indices until edi reaches the bound held at [ebp - 0x14];
        // presumably part of a simple XOR transform, confirm in the sample.
        $sequence_2 = { 3006 8b45ec 47 46 3bf8 72c6 8b35???????? }
            // n = 7, score = 100
            //   3006                 | xor                 byte ptr [esi], al
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   47                   | inc                 edi
            //   46                   | inc                 esi
            //   3bf8                 | cmp                 edi, eax
            //   72c6                 | jb                  0xffffffc8
            //   8b35????????         |                     

        // 256-iteration loop (ecx counted to 0x100) that XORs al with 0x63
        // and writes into two absolute byte tables (0x413fa8, 0x40f230);
        // the fixed addresses pin this sequence to the sample's layout.
        $sequence_3 = { 3463 0fb6d0 8881a83f4100 888a30f24000 41 81f900010000 7cbf }
            // n = 7, score = 100
            //   3463                 | xor                 al, 0x63
            //   0fb6d0               | movzx               edx, al
            //   8881a83f4100         | mov                 byte ptr [ecx + 0x413fa8], al
            //   888a30f24000         | mov                 byte ptr [edx + 0x40f230], cl
            //   41                   | inc                 ecx
            //   81f900010000         | cmp                 ecx, 0x100
            //   7cbf                 | jl                  0xffffffc1

        // Two stack-local copies followed by push 0x10 and a wildcarded
        // indirect call; the callee is not identifiable from the bytes.
        $sequence_4 = { 8b45dc 8945d4 8b4de0 894dd8 6a10 ff15???????? }
            // n = 6, score = 100
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   894dd8               | mov                 dword ptr [ebp - 0x28], ecx
            //   6a10                 | push                0x10
            //   ff15????????         |                     

        // Copies bytes from an absolute table at 0x413f70 into a stack
        // buffer at [ebp - 0x11c]; the lea esp, [esp] is a 7-byte
        // alignment NOP typical of compiler-emitted loop headers.
        $sequence_5 = { 8da42400000000 8a88703f4100 888c05e4feffff 40 }
            // n = 4, score = 100
            //   8da42400000000       | lea                 esp, [esp]
            //   8a88703f4100         | mov                 cl, byte ptr [eax + 0x413f70]
            //   888c05e4feffff       | mov                 byte ptr [ebp + eax - 0x11c], cl
            //   40                   | inc                 eax

        // End of a NUL-terminated scan (inc eax / test cl, cl / jne back),
        // then stores 0x65 to [ebp - 0x120] and starts a new zero-based loop.
        $sequence_6 = { 40 84c9 75f6 c785e0feffff65000000 33c0 8da42400000000 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f6                 | jne                 0xfffffff8
            //   c785e0feffff65000000     | mov    dword ptr [ebp - 0x120], 0x65
            //   33c0                 | xor                 eax, eax
            //   8da42400000000       | lea                 esp, [esp]

        // Fills 0x41 (65) bytes at a wildcarded address with bl
        // (ecx as the down-counter).
        $sequence_7 = { 75ee b941000000 b8???????? 8d642400 8818 40 49 }
            // n = 7, score = 100
            //   75ee                 | jne                 0xfffffff0
            //   b941000000           | mov                 ecx, 0x41
            //   b8????????           |                     
            //   8d642400             | lea                 esp, [esp]
            //   8818                 | mov                 byte ptr [eax], bl
            //   40                   | inc                 eax
            //   49                   | dec                 ecx

        // Two NULL arguments, a wildcarded indirect call, the result stored
        // into a dword table at 0x4186f8 indexed by ecx, then push 0x32 and
        // call edi. Which APIs are called is not recoverable from the bytes.
        $sequence_8 = { 6a00 6a00 ff15???????? 0fb60d???????? 89048df8864100 6a32 ffd7 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   0fb60d????????       |                     
            //   89048df8864100       | mov                 dword ptr [ecx*4 + 0x4186f8], eax
            //   6a32                 | push                0x32
            //   ffd7                 | call                edi

        // Stack cleanup of 8 bytes, two NULL arguments and a call through
        // ebx (loaded from a wildcarded absolute address), result kept in edi.
        $sequence_9 = { 8b1d???????? 83c408 6a00 6a00 ffd3 8bf8 a1???????? }
            // n = 7, score = 100
            //   8b1d????????         |                     
            //   83c408               | add                 esp, 8
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd3                 | call                ebx
            //   8bf8                 | mov                 edi, eax
            //   a1????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present and the scanned
        // object must be smaller than 221184 bytes (216 KiB). The size bound
        // presumably limits false positives on large binaries, but it also
        // means a larger artifact that contains this code (e.g. a packed or
        // wrapped sample, or a full memory dump) will not match even if the
        // sequences are present; apply the rule to unpacked samples and
        // dumps as the DISCLAIMER describes. Because the sequences are
        // position-independent byte patterns, a hit is evidence of shared
        // code, not a guarantee of the exact build documented by Malpedia.
        7 of them and filesize < 221184
}