win.tflower

TFlower


TFlower is a new ransomware family targeting mostly corporate networks, discovered in August 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing the activity performed by the ransomware while it encrypts a machine, further indicating that the ransomware is triggered by the attacker post-compromise, similar to Samsam/Samas in terms of TTPs. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. The malware will also terminate any running Outlook.exe process so that the mail files can be encrypted. The ransomware does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

References
2021-03-03 · SYGNIA · Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
@online{shushan:20210303:lazarus:60339a7, author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman}, title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}}, date = {2021-03-03}, organization = {SYGNIA}, url = {https://www.sygnia.co/mata-framework}, language = {English}, urldate = {2021-03-04} } Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower
2019-09-20 · Canadian Centre for Cyber Security · Canadian Centre for Cyber Security
@online{security:20190920:tflower:90d959d, author = {Canadian Centre for Cyber Security}, title = {{TFlower Ransomware Campaign}}, date = {2019-09-20}, organization = {Canadian Centre for Cyber Security}, url = {https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign}, language = {English}, urldate = {2020-01-10} } TFlower Ransomware Campaign
TFlower
2019-09-17 · Bleeping Computer · Lawrence Abrams
@online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} } TFlower Ransomware - The Latest Attack Targeting Businesses
TFlower
Yara Rules
[TLP:WHITE] win_tflower_auto (20230715 | Detects win.tflower.)
rule win_tflower_auto {

    // Autogenerated detection rule for the TFlower ransomware family
    // (Malpedia id win.tflower). The $sequence_* strings below are code/byte
    // patterns selected statistically by YARA-Signator from the documented
    // sample(s); they are not hand-picked functional markers. Reviewer
    // observations added next to individual strings are based only on the
    // disassembly listed alongside each pattern and should be confirmed
    // against the sample before being used to assign confidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.tflower."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0, _1, _5, _6, _8, _12, _13 and _14 decode to
        // short add/jump forms over low-valued bytes (00 01 02 03, 00xx 77/74/76
        // 08, ...). Patterns like these read more like an embedded data table
        // than deliberate code and are presumably the weakest discriminators in
        // this rule; the sequences that reference fixed absolute tables
        // ($sequence_2, _7, _10, _11, _15) look more sample-specific. Confirm
        // against the sample before weighting hits on the former group alone.
        $sequence_0 = { 0001 0200 0103 0303 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   0200                 | add                 al, byte ptr [eax]
            //   0103                 | add                 dword ptr [ebx], eax
            //   0303                 | add                 eax, dword ptr [ebx]

        $sequence_1 = { 0001 7708 00f3 7608 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa
            //   00f3                 | add                 bl, dh
            //   7608                 | jbe                 0xa

        $sequence_2 = { 8a07 8b0c9578515000 8844192e 8b049578515000 }
            // n = 4, score = 200
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8b0c9578515000       | mov                 ecx, dword ptr [edx*4 + 0x505178]
            //   8844192e             | mov                 byte ptr [ecx + ebx + 0x2e], al
            //   8b049578515000       | mov                 eax, dword ptr [edx*4 + 0x505178]

        $sequence_3 = { 8d44243c 50 68???????? ff15???????? 50 }
            // n = 5, score = 200
            // The ???????? wildcards mask an immediate and an import-table
            // address that vary between builds/relocations; only the opcode
            // bytes around them are matched.
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_4 = { 68???????? 50 e8???????? 83c408 85c0 0f847a010000 }
            // n = 6, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f847a010000         | je                  0x180

        $sequence_5 = { 001a 0c05 003c0c 05004e0c05 }
            // n = 4, score = 200
            //   001a                 | add                 byte ptr [edx], bl
            //   0c05                 | or                  al, 5
            //   003c0c               | add                 byte ptr [esp + ecx], bh
            //   05004e0c05           | add                 eax, 0x50c4e00

        $sequence_6 = { 000f 7708 0001 7708 }
            // n = 4, score = 200
            //   000f                 | add                 byte ptr [edi], cl
            //   7708                 | ja                  0xa
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa

        $sequence_7 = { 8bcd 83e13f 0b3c8dd8a34e00 8bcf 81e70000ffff }
            // n = 5, score = 200
            //   8bcd                 | mov                 ecx, ebp
            //   83e13f               | and                 ecx, 0x3f
            //   0b3c8dd8a34e00       | or                  edi, dword ptr [ecx*4 + 0x4ea3d8]
            //   8bcf                 | mov                 ecx, edi
            //   81e70000ffff         | and                 edi, 0xffff0000

        $sequence_8 = { 0010 740b 0021 740b }
            // n = 4, score = 200
            //   0010                 | add                 byte ptr [eax], dl
            //   740b                 | je                  0xd
            //   0021                 | add                 byte ptr [ecx], ah
            //   740b                 | je                  0xd

        $sequence_9 = { 7cf1 c3 55 8bec b820000000 }
            // n = 5, score = 200
            // Spans a function epilogue (ret) and the next function's
            // prologue (push ebp / mov ebp, esp), so it is anchored on layout
            // rather than on a single routine.
            //   7cf1                 | jl                  0xfffffff3
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b820000000           | mov                 eax, 0x20

        $sequence_10 = { 330c8518964e00 330c95189d4e00 330cb5189c4e00 8b574c 33d9 8b7748 }
            // n = 6, score = 200
            // NOTE(review): three xor-with-indexed-table loads in a row
            // (eax/edx/esi *4 + fixed address) is the shape of a table-driven
            // cipher or hash round; plausibly part of the file-encryption
            // routine, but this is inferred from the disassembly only — verify.
            //   330c8518964e00       | xor                 ecx, dword ptr [eax*4 + 0x4e9618]
            //   330c95189d4e00       | xor                 ecx, dword ptr [edx*4 + 0x4e9d18]
            //   330cb5189c4e00       | xor                 ecx, dword ptr [esi*4 + 0x4e9c18]
            //   8b574c               | mov                 edx, dword ptr [edi + 0x4c]
            //   33d9                 | xor                 ebx, ecx
            //   8b7748               | mov                 esi, dword ptr [edi + 0x48]

        $sequence_11 = { c1e808 0fb6c0 330c85c0fe4e00 0fb6c2 330c85c0fa4e00 03d9 }
            // n = 6, score = 200
            // Same byte-extract-then-table-xor shape as $sequence_10 (shr/movzx
            // feeding eax*4 + fixed address lookups).
            //   c1e808               | shr                 eax, 8
            //   0fb6c0               | movzx               eax, al
            //   330c85c0fe4e00       | xor                 ecx, dword ptr [eax*4 + 0x4efec0]
            //   0fb6c2               | movzx               eax, dl
            //   330c85c0fa4e00       | xor                 ecx, dword ptr [eax*4 + 0x4efac0]
            //   03d9                 | add                 ebx, ecx

        $sequence_12 = { 0008 7408 0002 7408 }
            // n = 4, score = 200
            //   0008                 | add                 byte ptr [eax], cl
            //   7408                 | je                  0xa
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa

        $sequence_13 = { 0002 7408 00f7 7308 }
            // n = 4, score = 200
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa
            //   00f7                 | add                 bh, dh
            //   7308                 | jae                 0xa

        $sequence_14 = { 000b 8605???????? 007885 0500788605 }
            // n = 4, score = 200
            //   000b                 | add                 byte ptr [ebx], cl
            //   8605????????         |                     
            //   007885               | add                 byte ptr [eax - 0x7b], bh
            //   0500788605           | add                 eax, 0x5867800

        $sequence_15 = { 2bdd 0fb6c0 81eb73989121 c1e918 8b0c8dc0064f00 }
            // n = 5, score = 200
            //   2bdd                 | sub                 ebx, ebp
            //   0fb6c0               | movzx               eax, al
            //   81eb73989121         | sub                 ebx, 0x21919873
            //   c1e918               | shr                 ecx, 0x18
            //   8b0c8dc0064f00       | mov                 ecx, dword ptr [ecx*4 + 0x4f06c0]

    // Match when at least 7 of the 16 $sequence_* strings occur and the
    // scanned object is smaller than 6578176 bytes (about 6.3 MiB). No single
    // string is mandatory, so a hit is a lead to corroborate (e.g. with the
    // "*tflower" file marker or C2 activity described for the family) rather
    // than a verdict on its own.
    condition:
        7 of them and filesize < 6578176
}