win.satana

Satana


According to Bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.

References
2020-06-05, ReversingLabs, Robert Simmons
Retread Ransomware: Identifying Satana to Understand "CoronaVirus"
Satana
2017-02-06, Cylance, Cylance Threat Research Team
Threat Spotlight: Satan
Satana
Yara Rules
[TLP:WHITE] win_satana_auto (20230808 | Detects win.satana.)
rule win_satana_auto {

    // Auto-generated code-sequence signature for the Malpedia family win.satana.
    // It matches on short x86 instruction byte patterns (10 sequences, 7 required)
    // plus a file-size cap, not on strings or structural features; see the
    // DISCLAIMER below for how the patterns were selected and why coverage of
    // the family as a whole may be limited.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): "date" (2023-12-06) differs from malpedia_rule_date (20231130)
        // and malpedia_version (20230808) below — confirm which one this revision
        // of the rule corresponds to before relying on it for change tracking.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.satana."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" bytes are wildcards. Given signator_config above
        // (callsandjumps;datarefs) these presumably stand for call/jump targets
        // and absolute data references that vary between builds and load
        // addresses; the per-sequence disassembly leaves the mnemonic column
        // blank for exactly those instructions.
        $sequence_0 = { 8b3d???????? 90 ffd6 68e8030000 ffd7 }
            // n = 5, score = 100
            //   8b3d????????         |                     
            //   90                   | nop                 
            //   ffd6                 | call                esi
            //   68e8030000           | push                0x3e8
            //   ffd7                 | call                edi

        $sequence_1 = { ff15???????? 8b459c 50 ff15???????? 8b4ddc 010d???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   010d????????         |                     

        $sequence_2 = { 8d8c2468020000 51 e8???????? 8b442410 8d542418 52 }
            // n = 6, score = 100
            //   8d8c2468020000       | lea                 ecx, [esp + 0x268]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   52                   | push                edx

        $sequence_3 = { 8b5108 ffd2 6a00 8b45fc 8b480c ffd1 8be5 }
            // n = 7, score = 100
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   ffd2                 | call                edx
            //   6a00                 | push                0
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   ffd1                 | call                ecx
            //   8be5                 | mov                 esp, ebp

        $sequence_4 = { 68???????? e8???????? 83c414 53 6880000000 }
            // n = 5, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   53                   | push                ebx
            //   6880000000           | push                0x80

        $sequence_5 = { 83c002 663bcb 75f1 8d8de89effff 51 e8???????? }
            // n = 6, score = 100
            //   83c002               | add                 eax, 2
            //   663bcb               | cmp                 cx, bx
            //   75f1                 | jne                 0xfffffff3
            //   8d8de89effff         | lea                 ecx, [ebp - 0x6118]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_6 = { 57 50 68???????? e8???????? 83c414 833d????????00 745a }
            // n = 7, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   833d????????00       |                     
            //   745a                 | je                  0x5c

        $sequence_7 = { ffd3 8bf8 a1???????? 57 }
            // n = 4, score = 100
            //   ffd3                 | call                ebx
            //   8bf8                 | mov                 edi, eax
            //   a1????????           |                     
            //   57                   | push                edi

        // NOTE(review): the decode shown for this sequence (adc byte ptr [ebx + 0x53], dl;
        // mov edi, 0x57016060; cld ... clc) looks like a misaligned or data-region
        // disassembly rather than genuine code. It still counts as one of the 10
        // strings in "7 of them"; weigh its contribution accordingly when tuning
        // confidence, and confirm against the sample before relying on it.
        $sequence_8 = { 105353 bf60600157 ff7528 fc ffd6 0105???????? f8 }
            // n = 7, score = 100
            //   105353               | adc                 byte ptr [ebx + 0x53], dl
            //   bf60600157           | mov                 edi, 0x57016060
            //   ff7528               | push                dword ptr [ebp + 0x28]
            //   fc                   | cld                 
            //   ffd6                 | call                esi
            //   0105????????         |                     
            //   f8                   | clc                 

        $sequence_9 = { ff15???????? e8???????? 837de401 0f8e12030000 8b4704 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   e8????????           |                     
            //   837de401             | cmp                 dword ptr [ebp - 0x1c], 1
            //   0f8e12030000         | jle                 0x318
            //   8b4704               | mov                 eax, dword ptr [edi + 4]

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. The size cap
        // (221184 bytes = 216 KiB = 0x36000) excludes any file of that size or
        // larger, so unpacked or repacked variants above it will not match even
        // if the code sequences are present; the threshold is presumably derived
        // from the documented sample(s) — verify before scanning memory dumps or
        // larger carriers.
        7 of them and filesize < 221184
}