win.satana

Satana


According to Bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer's master boot record (MBR) and prevents it from starting.

References
2020-06-05 — ReversingLabs — Robert Simmons
@online{simmons:20200605:retread:86b93a6, author = {Robert Simmons}, title = {{Retread Ransomware: Identifying Satana to Understand "CoronaVirus"}}, date = {2020-06-05}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/retread-ransomware}, language = {English}, urldate = {2020-06-11} } Retread Ransomware: Identifying Satana to Understand "CoronaVirus"
Satana
2017-02-06 — Cylance — Cylance Threat Research Team
@online{team:20170206:threat:6ebbaae, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Satan}}, date = {2017-02-06}, organization = {Cylance}, url = {https://www.cylance.com/threat-spotlight-satan-raas}, language = {English}, urldate = {2019-07-11} } Threat Spotlight: Satan
Satana
Yara Rules
[TLP:WHITE] win_satana_auto (20230715 | Detects win.satana.)
rule win_satana_auto {

    /* Auto-generated code-sequence signature for the win.satana family
     * (see the DISCLAIMER below). Each $sequence_N is a short run of x86
     * opcode bytes taken from a disassembled sample; the "??" bytes are
     * wildcards masking operands that vary between builds (per the
     * signator_config: call/jump targets, data references, binary values).
     * The rule fires when at least 7 of the 10 sequences are present in a
     * scanned file smaller than 221184 bytes (see condition).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.satana."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the annotations below, "n" is the number of instructions in the
        // sequence (it matches the listing length); "score" is the generator's
        // selection score — its exact semantics are defined by yara-signator,
        // not by this rule.
        $sequence_0 = { 52 ffd7 8b35???????? ba???????? }
            // n = 4, score = 100
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8b35????????         |                     
            //   ba????????           |                     

        $sequence_1 = { 52 50 ff15???????? 8bc6 8d7801 8a08 40 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   8d7801               | lea                 edi, [eax + 1]
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax

        // NOTE(review): the address 0x40fd58 below is an absolute,
        // image-base-dependent operand baked into the pattern (it is not
        // wildcarded). Expect this sequence to miss on rebased or recompiled
        // builds; the "7 of them" threshold is what gives the rule slack here.
        $sequence_2 = { bfff000000 f7ff 8a8258fd4000 8845fd eb04 c645fd00 84db }
            // n = 7, score = 100
            //   bfff000000           | mov                 edi, 0xff
            //   f7ff                 | idiv                edi
            //   8a8258fd4000         | mov                 al, byte ptr [edx + 0x40fd58]
            //   8845fd               | mov                 byte ptr [ebp - 3], al
            //   eb04                 | jmp                 6
            //   c645fd00             | mov                 byte ptr [ebp - 3], 0
            //   84db                 | test                bl, bl

        $sequence_3 = { ff15???????? 8b75dc 8975bc 8b5de0 895dc0 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   8975bc               | mov                 dword ptr [ebp - 0x44], esi
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]
            //   895dc0               | mov                 dword ptr [ebp - 0x40], ebx

        $sequence_4 = { 56 6a08 50 ff15???????? 8bce a3???????? 85c9 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   6a08                 | push                8
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bce                 | mov                 ecx, esi
            //   a3????????           |                     
            //   85c9                 | test                ecx, ecx

        $sequence_5 = { 68???????? eb47 68???????? e8???????? 83c404 }
            // n = 5, score = 100
            //   68????????           |                     
            //   eb47                 | jmp                 0x49
            //   68????????           |                     
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_6 = { 668b0f 83c702 6685c9 75f5 66390f 75ad e9???????? }
            // n = 7, score = 100
            //   668b0f               | mov                 cx, word ptr [edi]
            //   83c702               | add                 edi, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   66390f               | cmp                 word ptr [edi], cx
            //   75ad                 | jne                 0xffffffaf
            //   e9????????           |                     

        $sequence_7 = { 33c9 8b45e4 ba02000000 f7e2 0f90c1 f7d9 }
            // n = 6, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   ba02000000           | mov                 edx, 2
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl
            //   f7d9                 | neg                 ecx

        $sequence_8 = { e8???????? 8b45fc 8b35???????? 6a30 68???????? 6a01 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b35????????         |                     
            //   6a30                 | push                0x30
            //   68????????           |                     
            //   6a01                 | push                1

        // NOTE(review): same caveat as $sequence_2 — 0x413fa8 appears three
        // times as an absolute address and is not wildcarded, so this sequence
        // is tied to one specific image layout.
        $sequence_9 = { 0fb688a83f4100 0fb65602 884e01 0fb682a83f4100 0fb64e03 884602 0fb691a83f4100 }
            // n = 7, score = 100
            //   0fb688a83f4100       | movzx               ecx, byte ptr [eax + 0x413fa8]
            //   0fb65602             | movzx               edx, byte ptr [esi + 2]
            //   884e01               | mov                 byte ptr [esi + 1], cl
            //   0fb682a83f4100       | movzx               eax, byte ptr [edx + 0x413fa8]
            //   0fb64e03             | movzx               ecx, byte ptr [esi + 3]
            //   884602               | mov                 byte ptr [esi + 2], al
            //   0fb691a83f4100       | movzx               edx, byte ptr [ecx + 0x413fa8]

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // object must be smaller than 221184 bytes (216 KiB). Per the YARA
        // documentation, filesize is only defined when scanning a file, so this
        // rule does not match on process-memory scans; the size bound also
        // likely excludes larger carriers (installers, packed droppers) that
        // embed the payload — pair it with an unpacking/extraction step if that
        // coverage is needed.
        7 of them and filesize < 221184
}