SYMBOLCOMMON_NAMEaka. SYNONYMS
win.scarecrow (Back to overview)

ScareCrow

VTCollection    

Based on the leaked Conti source code.

References
2022-12-08FortinetFred Gutierrez, Shunichi Imano
Ransomware Roundup – New Vohuk, ScareCrow, and AERST Variants
AESRT ScareCrow Vohuk
Yara Rules
[TLP:WHITE] win_scarecrow_auto (20230808 | Detects win.scarecrow.)
rule win_scarecrow_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.scarecrow."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7f9 85d2 743b 8b45f4 8d4f17 83c00b 99 }
            // n = 7, score = 100
            //   f7f9                 | idiv                ecx
            //   85d2                 | test                edx, edx
            //   743b                 | je                  0x3d
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8d4f17               | lea                 ecx, [edi + 0x17]
            //   83c00b               | add                 eax, 0xb
            //   99                   | cdq                 

        $sequence_1 = { 74d9 eb57 99 f7ff 85d2 7450 8b4c2410 }
            // n = 7, score = 100
            //   74d9                 | je                  0xffffffdb
            //   eb57                 | jmp                 0x59
            //   99                   | cdq                 
            //   f7ff                 | idiv                edi
            //   85d2                 | test                edx, edx
            //   7450                 | je                  0x52
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]

        $sequence_2 = { c68574faffff00 c68575faffff4b c68576faffff40 c68577faffff0a c68578faffff40 c68579faffff6e c6857afaffff40 }
            // n = 7, score = 100
            //   c68574faffff00       | mov                 byte ptr [ebp - 0x58c], 0
            //   c68575faffff4b       | mov                 byte ptr [ebp - 0x58b], 0x4b
            //   c68576faffff40       | mov                 byte ptr [ebp - 0x58a], 0x40
            //   c68577faffff0a       | mov                 byte ptr [ebp - 0x589], 0xa
            //   c68578faffff40       | mov                 byte ptr [ebp - 0x588], 0x40
            //   c68579faffff6e       | mov                 byte ptr [ebp - 0x587], 0x6e
            //   c6857afaffff40       | mov                 byte ptr [ebp - 0x586], 0x40

        $sequence_3 = { c6855bfcffff05 c6855cfcffff20 c6855dfcffff08 c6855efcffff20 c6855ffcffff27 c68560fcffff20 }
            // n = 6, score = 100
            //   c6855bfcffff05       | mov                 byte ptr [ebp - 0x3a5], 5
            //   c6855cfcffff20       | mov                 byte ptr [ebp - 0x3a4], 0x20
            //   c6855dfcffff08       | mov                 byte ptr [ebp - 0x3a3], 8
            //   c6855efcffff20       | mov                 byte ptr [ebp - 0x3a2], 0x20
            //   c6855ffcffff27       | mov                 byte ptr [ebp - 0x3a1], 0x27
            //   c68560fcffff20       | mov                 byte ptr [ebp - 0x3a0], 0x20

        $sequence_4 = { 7905 48 83c8fc 40 744a 8b4df4 8d4303 }
            // n = 7, score = 100
            //   7905                 | jns                 7
            //   48                   | dec                 eax
            //   83c8fc               | or                  eax, 0xfffffffc
            //   40                   | inc                 eax
            //   744a                 | je                  0x4c
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8d4303               | lea                 eax, [ebx + 3]

        $sequence_5 = { 99 f7ff 85d2 752c 0f1f4000 8b859cf7ffff 99 }
            // n = 7, score = 100
            //   99                   | cdq                 
            //   f7ff                 | idiv                edi
            //   85d2                 | test                edx, edx
            //   752c                 | jne                 0x2e
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8b859cf7ffff         | mov                 eax, dword ptr [ebp - 0x864]
            //   99                   | cdq                 

        $sequence_6 = { 0f84f7040000 8d4f03 c745f005000000 660f1f840000000000 c745f405f26700 8b45f4 99 }
            // n = 7, score = 100
            //   0f84f7040000         | je                  0x4fd
            //   8d4f03               | lea                 ecx, [edi + 3]
            //   c745f005000000       | mov                 dword ptr [ebp - 0x10], 5
            //   660f1f840000000000     | nop    word ptr [eax + eax]
            //   c745f405f26700       | mov                 dword ptr [ebp - 0xc], 0x67f205
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   99                   | cdq                 

        $sequence_7 = { c645aa00 c645ab6b c645ac00 c645ad48 c645ae00 c645af00 c645b000 }
            // n = 7, score = 100
            //   c645aa00             | mov                 byte ptr [ebp - 0x56], 0
            //   c645ab6b             | mov                 byte ptr [ebp - 0x55], 0x6b
            //   c645ac00             | mov                 byte ptr [ebp - 0x54], 0
            //   c645ad48             | mov                 byte ptr [ebp - 0x53], 0x48
            //   c645ae00             | mov                 byte ptr [ebp - 0x52], 0
            //   c645af00             | mov                 byte ptr [ebp - 0x51], 0
            //   c645b000             | mov                 byte ptr [ebp - 0x50], 0

        $sequence_8 = { c644246205 c644246347 c644246405 c64424655a c644246605 c644246727 c644246805 }
            // n = 7, score = 100
            //   c644246205           | mov                 byte ptr [esp + 0x62], 5
            //   c644246347           | mov                 byte ptr [esp + 0x63], 0x47
            //   c644246405           | mov                 byte ptr [esp + 0x64], 5
            //   c64424655a           | mov                 byte ptr [esp + 0x65], 0x5a
            //   c644246605           | mov                 byte ptr [esp + 0x66], 5
            //   c644246727           | mov                 byte ptr [esp + 0x67], 0x27
            //   c644246805           | mov                 byte ptr [esp + 0x68], 5

        $sequence_9 = { 660f28b870024300 660f54f0 660f5cc6 660f59f4 660f5cf2 f20f58fe 660f59c4 }
            // n = 7, score = 100
            //   660f28b870024300     | movapd              xmm7, xmmword ptr [eax + 0x430270]
            //   660f54f0             | andpd               xmm6, xmm0
            //   660f5cc6             | subpd               xmm0, xmm6
            //   660f59f4             | mulpd               xmm6, xmm4
            //   660f5cf2             | subpd               xmm6, xmm2
            //   f20f58fe             | addsd               xmm7, xmm6
            //   660f59c4             | mulpd               xmm0, xmm4

    condition:
        7 of them and filesize < 501760
}
Download all Yara Rules