
Snatch


Snatch is a ransomware that reboots the infected PC into Safe Mode. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.

References
2020-06-21The DFIR ReportThe DFIR Report
@online{report:20200621:snatch:6d2d641, author = {The DFIR Report}, title = {{Snatch Ransomware}}, date = {2020-06-21}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/21/snatch-ransomware/}, language = {English}, urldate = {2020-06-22} } Snatch Ransomware
Snatch
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-12-09Bleeping ComputerSergiu Gatlan
@online{gatlan:20191209:snatch:04dbbf3, author = {Sergiu Gatlan}, title = {{Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools}}, date = {2019-12-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/}, language = {English}, urldate = {2020-01-07} } Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools
Snatch
2019-12-05Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20191205:snatch:38c0ff8, author = {Albert Zsigovits}, title = {{Snatch ransomware}}, date = {2019-12-05}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md}, language = {English}, urldate = {2020-01-13} } Snatch ransomware
Snatch
2019-11-05Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191105:possible:e2886d4, author = {Vitali Kremez}, title = {{Tweet on Possible Snatch}}, date = {2019-11-05}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1191414501297528832}, language = {English}, urldate = {2020-01-08} } Tweet on Possible Snatch
Snatch
Yara Rules
[TLP:WHITE] win_snatch_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_snatch_auto {
    // Auto-generated (yara-signator) code-sequence rule for the Snatch ransomware
    // family. It matches on ten opcode byte sequences lifted from unpacked samples
    // and memory dumps; see the DISCLAIMER below for how the sequences were chosen.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" annotations beside each byte sequence do not
     * correspond to the x86-64 decoding of the bytes they sit next to (e.g. 4889c1
     * is `mov rcx, rax`, eb80 is a short `jmp`, 90 is `nop`), so they appear to be
     * a misaligned artifact of the generator. YARA evaluates only the hex strings;
     * do not use the annotations to reason about what the rule detects.
     * The "????????" wildcards mask the 4-byte operands of e8/e9 (call/jmp rel32)
     * and the disp32 of the 833d... (cmp [rip+disp32], imm8) encoding, i.e. the
     * layout-dependent parts of otherwise fixed instruction sequences.
     */

    strings:
        $sequence_0 = { eb80 488b442448 e8???????? e9???????? 4889542458 488d43ff 4889c1 }
            // n = 7, score = 100
            //   eb80                 | sub                 ebp, edi
            //   488b442448           | dec                 ebp
            //   e8????????           |                     
            //   e9????????           |                     
            //   4889542458           | imul                edi, ebx, 0x215d1
            //   488d43ff             | dec                 ebp
            //   4889c1               | imul                edi, ebx, 0x9fb67

        $sequence_1 = { e9???????? 4889c7 488d0545861b00 e8???????? 4889f8 ebbd 90 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4889c7               | dec                 ecx
            //   488d0545861b00       | imul                ecx, edi
            //   e8????????           |                     
            //   4889f8               | dec                 eax
            //   ebbd                 | add                 ecx, edx
            //   90                   | dec                 eax

        $sequence_2 = { 90 488d059ea61600 48890424 48c744240834000000 488d8c24c8000000 48894c2410 48c744241803000000 }
            // n = 7, score = 100
            //   90                   | mov                 dword ptr [esp + 0x48], edx
            //   488d059ea61600       | dec                 eax
            //   48890424             | lea                 eax, [0x12eb18]
            //   48c744240834000000     | dec    eax
            //   488d8c24c8000000     | lea                 edi, [ecx + 0x10]
            //   48894c2410           | dec                 esp
            //   48c744241803000000     | mov    eax, eax

        $sequence_3 = { 48c1e104 488b742450 4889740808 488d3c08 833d????????00 0f8514010000 488b742468 }
            // n = 7, score = 100
            //   48c1e104             | dec                 eax
            //   488b742450           | mov                 ecx, dword ptr [esp + 0x80]
            //   4889740808           | dec                 eax
            //   488d3c08             | mov                 dword ptr [esp + 8], ecx
            //   833d????????00       |                     
            //   0f8514010000         | dec                 eax
            //   488b742468           | lea                 eax, [0x360243]

        $sequence_4 = { ffd2 488b442410 48898424e0000000 488b4c2418 488b542420 4885c9 0f854e010000 }
            // n = 7, score = 100
            //   ffd2                 | mov                 dword ptr [eax + 8], ecx
            //   488b442410           | dec                 eax
            //   48898424e0000000     | mov                 ecx, dword ptr [esp + 0x60]
            //   488b4c2418           | dec                 eax
            //   488b542420           | mov                 dword ptr [ecx], eax
            //   4885c9               | dec                 eax
            //   0f854e010000         | lea                 edi, [eax + 8]

        $sequence_5 = { e9???????? 488d7a08 e8???????? ebeb 4889c7 488d05ebbf1a00 e8???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d7a08             | dec                 esp
            //   e8????????           |                     
            //   ebeb                 | mov                 edx, dword ptr [esp + 0xb0]
            //   4889c7               | dec                 esp
            //   488d05ebbf1a00       | add                 ecx, edx
            //   e8????????           |                     

        $sequence_6 = { 90 488d0578221900 48890424 e8???????? 488b7c2408 48c747082a000000 833d????????00 }
            // n = 7, score = 100
            //   90                   | lea                 edi, [eax + 0x30]
            //   488d0578221900       | dec                 eax
            //   48890424             | mov                 ecx, eax
            //   e8????????           |                     
            //   488b7c2408           | dec                 eax
            //   48c747082a000000     | lea                 eax, [0x23ba9d]
            //   833d????????00       |                     

        $sequence_7 = { e9???????? 488d0582df0e00 e8???????? e9???????? 488d0559df0e00 e8???????? e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d0582df0e00       | dec                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d0559df0e00       | neg                 eax
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_8 = { 48c744240836000000 488d442460 4889442410 48c744241801000000 48c744242001000000 e8???????? 488b442430 }
            // n = 7, score = 100
            //   48c744240836000000     | ret    
            //   488d442460           | dec                 eax
            //   4889442410           | lea                 eax, [0x2b3563]
            //   48c744241801000000     | jmp    0x1e5b
            //   48c744242001000000     | dec    eax
            //   e8????????           |                     
            //   488b442430           | lea                 ecx, [0x2aa6f2]

        $sequence_9 = { e9???????? 488b8424b0010000 488b4848 488b9424b8010000 48891424 ffd1 488b442410 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b8424b0010000     | dec                 esp
            //   488b4848             | mov                 eax, dword ptr [eax]
            //   488b9424b8010000     | dec                 ebp
            //   48891424             | test                eax, eax
            //   ffd1                 | jne                 0x1228
            //   488b442410           | dec                 eax

    condition:
        // Fire when at least 7 of the 10 sequences are present and the scanned file
        // is smaller than 12846080 bytes (about 12.25 MiB). Both the 7-of-10
        // threshold and the size cap come from the generator rather than from
        // per-family tuning; revisit them when assigning a confidence level, and
        // remember the rule is derived from unpacked code, so packed (e.g. UPX)
        // samples on disk will not match until unpacked or dumped from memory.
        7 of them and filesize < 12846080
}