win.snatch

Snatch


Snatch is a ransomware family that reboots the infected PC into Safe Mode before it encrypts files. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.

References
2020-06-21 — The DFIR Report — The DFIR Report
@online{report:20200621:snatch:6d2d641, author = {The DFIR Report}, title = {{Snatch Ransomware}}, date = {2020-06-21}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/21/snatch-ransomware/}, language = {English}, urldate = {2020-06-22} } Snatch Ransomware
Snatch
2020-05-21 — Intel 471 — Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-09 — Bleeping Computer — Sergiu Gatlan
@online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools
Snatch
2019-12-05 — Github (albertzsigovits) — Albert Zsigovits
@online{zsigovits:20191205:snatch:38c0ff8, author = {Albert Zsigovits}, title = {{Snatch ransomware}}, date = {2019-12-05}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md}, language = {English}, urldate = {2020-01-13} } Snatch ransomware
Snatch
2019-11-05 — Twitter (@VK_intel) — Vitali Kremez
@online{kremez:20191105:possible:e2886d4, author = {Vitali Kremez}, title = {{Tweet on Possible Snatch}}, date = {2019-11-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1191414501297528832}, language = {English}, urldate = {2020-01-08} } Tweet on Possible Snatch
Snatch
Yara Rules
[TLP:WHITE] win_snatch_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_snatch_auto {

    /* Detection rule for the Snatch ransomware family (Malpedia: win.snatch).
     * The rule matches on ten auto-selected seven-instruction byte sequences
     * ($sequence_0 .. $sequence_9) taken from unpacked / memory-dumped samples;
     * see the DISCLAIMER below for how the strings were chosen and why they may
     * generalize poorly to samples that were not part of the generation set.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // feature classes the generator used when selecting the byte sequences (presumably; see the tool's docs)
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch"
        malpedia_rule_date = "20200817"
        // NOTE(review): appears to pin the Malpedia data revision the rule was generated from — confirm before relying on it
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings below:
     *  - Each `??` byte is a wildcard. They cover the 4-byte relative
     *    displacement that follows an e8 (call rel32) / e9 (jmp rel32) opcode,
     *    so the sequences keep matching when the branch target moves between
     *    builds; all other bytes must match exactly.
     *  - The `| mnemonic` annotations are tool output, not part of the rule.
     *    NOTE(review): they appear to have been decoded in 32-bit mode — the
     *    0x48 REX.W prefix of these x64 instructions is rendered as `dec eax`,
     *    and several annotations sit next to bytes they cannot decode from
     *    (e.g. `488b00` shown as a `mov edx, ...`) — so treat them as
     *    illustrative only, never as an authoritative listing of what the
     *    bytes do.
     *  - Because the strings come from unpacked code and memory dumps (see
     *    DISCLAIMER), a packed on-disk sample (the family is known to use UPX)
     *    may not expose them; scan unpacked samples or process memory.
     */

    strings:
        $sequence_0 = { e9???????? 488d0521302b00 e8???????? e9???????? 488b00 48890424 e8???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d0521302b00       | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   488b00               | mov                 edx, dword ptr [ecx + 0x48]
            //   48890424             | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { e9???????? 488d3d5fc35500 e8???????? e9???????? 488d3d56c35500 e8???????? e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d3d5fc35500       | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d3d56c35500       | mov                 dword ptr [eax], ecx
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_2 = { e8???????? 807c241800 0f85f8feffff 488b8424a0000000 4883f813 e9???????? 488b8c2498000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   807c241800           | dec                 eax
            //   0f85f8feffff         | mov                 ecx, dword ptr [esp + 0x150]
            //   488b8424a0000000     | dec                 eax
            //   4883f813             | mov                 dword ptr [esp], ecx
            //   e9????????           |                     
            //   488b8c2498000000     | call                eax

        $sequence_3 = { e8???????? e9???????? 90 90 488d0539a61600 48890424 48c744240844000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   90                   | jne                 0x11c0
            //   90                   | dec                 eax
            //   488d0539a61600       | mov                 ecx, dword ptr [esp + 0x1f0]
            //   48890424             | dec                 eax
            //   48c744240844000000     | mov    dword ptr [edi], ecx

        $sequence_4 = { 488b8424c0030000 488b4818 48890c24 48c744240808000000 488d0d28f80a00 48894c2410 48c744241804000000 }
            // n = 7, score = 100
            //   488b8424c0030000     | mov                 dword ptr [ebx + 0x58], edx
            //   488b4818             | dec                 eax
            //   48890c24             | mov                 dword ptr [esp], edx
            //   48c744240808000000     | dec    eax
            //   488d0d28f80a00       | mov                 dword ptr [esp + 8], ecx
            //   48894c2410           | dec                 eax
            //   48c744241804000000     | mov    dword ptr [esp + 0x10], eax

        $sequence_5 = { 488d05a3d81b00 4889442420 48c74424280a000000 0f57c0 0f11442430 48c744244000000000 48895c2448 }
            // n = 7, score = 100
            //   488d05a3d81b00       | dec                 eax
            //   4889442420           | lea                 eax, [0x292ee5]
            //   48c74424280a000000     | dec    eax
            //   0f57c0               | mov                 dword ptr [esp], eax
            //   0f11442430           | dec                 eax
            //   48c744244000000000     | lea    eax, [esp + 0x2d0]
            //   48895c2448           | dec                 eax

        $sequence_6 = { ebe3 488d05b5793600 48890424 48c744240815000000 e8???????? 0f0b 488d059a793600 }
            // n = 7, score = 100
            //   ebe3                 | dec                 eax
            //   488d05b5793600       | mov                 esi, dword ptr [eax + 0x108]
            //   48890424             | dec                 eax
            //   48c744240815000000     | mov    eax, dword ptr [eax + 0x110]
            //   e8????????           |                     
            //   0f0b                 | dec                 eax
            //   488d059a793600       | mov                 dword ptr [esp], ebx

        $sequence_7 = { e9???????? 4883f817 747e 4883f819 0f85dffcffff 488d05ad870b00 48890424 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4883f817             | dec                 eax
            //   747e                 | mov                 dword ptr [esp + 0x18], ebp
            //   4883f819             | dec                 eax
            //   0f85dffcffff         | lea                 ebp, [esp + 0x18]
            //   488d05ad870b00       | dec                 eax
            //   48890424             | mov                 eax, dword ptr [edx + 8]

        $sequence_8 = { ffd0 488b4c2410 488b442408 0fb6542427 48894c2430 4889442428 88542427 }
            // n = 7, score = 100
            //   ffd0                 | dec                 eax
            //   488b4c2410           | mov                 ebx, dword ptr [esp + 0xc0]
            //   488b442408           | dec                 eax
            //   0fb6542427           | mov                 dword ptr [esp + 0x10], ebx
            //   48894c2430           | dec                 eax
            //   4889442428           | mov                 ebx, dword ptr [esp + 0xc8]
            //   88542427             | dec                 eax

        $sequence_9 = { e9???????? 488b8424b0010000 488b4848 488b9424b8010000 48891424 ffd1 488b442410 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b8424b0010000     | dec                 eax
            //   488b4848             | mov                 eax, dword ptr [esp + 0x10]
            //   488b9424b8010000     | dec                 eax
            //   48891424             | mov                 dword ptr [esp + 0xb0], eax
            //   ffd1                 | dec                 eax
            //   488b442410           | lea                 edi, [esp + 0xb8]

    condition:
        // At least 7 of the 10 sequences above must be present, and the scanned
        // object must be smaller than 12846080 bytes (about 12.3 MB). The size
        // cap is presumably there to keep large unrelated files out of scope;
        // raise or drop it if you scan memory regions or containers larger than that.
        7 of them and filesize < 12846080
}