win.tflower

TFlower


TFlower is a new ransomware targeting mostly corporate networks, discovered in August 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing the activity being performed by the ransomware while it encrypts a machine, further indicating that this ransomware is triggered by the attacker post-compromise, similar to Samsam/Samas in terms of TTPs. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware will also terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

References
2021-03-03SYGNIAAmitai Ben Shushan, Amnon Kushnir, Boaz Wasserman, Martin Korman, Noam Lifshitz
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
Dacls Dacls Dacls TFlower
2019-09-20Canadian Centre for Cyber SecurityCanadian Centre for Cyber Security
TFlower Ransomware Campaign
TFlower
2019-09-17Bleeping ComputerLawrence Abrams
TFlower Ransomware - The Latest Attack Targeting Businesses
TFlower
Yara Rules
[TLP:WHITE] win_tflower_auto (20230808 | Detects win.tflower.)
/*
 * Auto-generated YARA-Signator rule for win.tflower (see meta and DISCLAIMER below).
 * The rule fires when at least 7 of the 16 hex sequences in the strings section
 * occur in a file smaller than 6578176 bytes. Each "//" line under a sequence is
 * the generator's disassembly of that byte pattern; "??" bytes are wildcards.
 * Because the patterns were selected from single documented samples, treat this
 * as a family-level hunting/triage rule and validate hits against a sample.
 */
rule win_tflower_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        // NOTE(review): 'date' (2023-12-06), malpedia_rule_date (20231130) and
        // malpedia_version (20230808) carry different dates; confirm which
        // generation run this published rule actually comes from.
        version = "1"
        description = "Detects win.tflower."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_0, _1, _2, _3, _4, _6, _9 and _15 consist mostly
        // of 00xx bytes that decode as "add byte ptr [reg], reg" interleaved with
        // short conditional jumps. This looks like embedded data (e.g. a table)
        // rather than executable code, so these patterns carry little weight on
        // their own and are only meaningful under the "7 of them" threshold.
        // Confirm against a sample before relying on any of them individually.
        $sequence_0 = { 0001 0200 0103 0303 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   0200                 | add                 al, byte ptr [eax]
            //   0103                 | add                 dword ptr [ebx], eax
            //   0303                 | add                 eax, dword ptr [ebx]

        $sequence_1 = { 0001 7708 00f3 7608 }
            // n = 4, score = 200
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa
            //   00f3                 | add                 bl, dh
            //   7608                 | jbe                 0xa

        $sequence_2 = { 0002 7408 00f7 7308 }
            // n = 4, score = 200
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa
            //   00f7                 | add                 bh, dh
            //   7308                 | jae                 0xa

        $sequence_3 = { 001a 0c05 003c0c 05004e0c05 }
            // n = 4, score = 200
            //   001a                 | add                 byte ptr [edx], bl
            //   0c05                 | or                  al, 5
            //   003c0c               | add                 byte ptr [esp + ecx], bh
            //   05004e0c05           | add                 eax, 0x50c4e00

        $sequence_4 = { 0008 7408 0002 7408 }
            // n = 4, score = 200
            //   0008                 | add                 byte ptr [eax], cl
            //   7408                 | je                  0xa
            //   0002                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xa

        // Real code: byte-to-index shifts and a dword load from an absolute
        // address (0x4f6f40). The absolute address is part of the pattern, so
        // this sequence is bound to one build/image base and may not survive
        // relocation or a recompiled sample.
        $sequence_5 = { c1e104 0fb6d0 8b84248c000000 c1e204 8baa406f4f00 }
            // n = 5, score = 200
            //   c1e104               | shl                 ecx, 4
            //   0fb6d0               | movzx               edx, al
            //   8b84248c000000       | mov                 eax, dword ptr [esp + 0x8c]
            //   c1e204               | shl                 edx, 4
            //   8baa406f4f00         | mov                 ebp, dword ptr [edx + 0x4f6f40]

        $sequence_6 = { 000f 7708 0001 7708 }
            // n = 4, score = 200
            //   000f                 | add                 byte ptr [edi], cl
            //   7708                 | ja                  0xa
            //   0001                 | add                 byte ptr [ecx], al
            //   7708                 | ja                  0xa

        // Stores an absolute pointer (0x461620) into a structure at [eax+0x54];
        // the call target is wildcarded (e8????????) so the relative displacement
        // does not pin the pattern to one code layout.
        $sequence_7 = { c7405420164600 eb5e 57 e8???????? }
            // n = 4, score = 200
            //   c7405420164600       | mov                 dword ptr [eax + 0x54], 0x461620
            //   eb5e                 | jmp                 0x60
            //   57                   | push                edi
            //   e8????????           |                     

        // Loop tail: compare esi/edi with a backwards jb (negative target), then
        // restore callee-saved registers and set al = 1, presumably as a boolean
        // return value right before a ret that is not part of the pattern.
        $sequence_8 = { 3bf7 72e3 5b 5f b001 5e }
            // n = 6, score = 200
            //   3bf7                 | cmp                 esi, edi
            //   72e3                 | jb                  0xffffffe5
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   b001                 | mov                 al, 1
            //   5e                   | pop                 esi

        $sequence_9 = { 0010 740b 0021 740b }
            // n = 4, score = 200
            //   0010                 | add                 byte ptr [eax], dl
            //   740b                 | je                  0xd
            //   0021                 | add                 byte ptr [ecx], ah
            //   740b                 | je                  0xd

        // NOTE(review): byte-indexed dword table lookups xor'd into ecx, with two
        // tables 0x400 bytes (256 dwords) apart at 0x4efac0 / 0x4efec0. This looks
        // like a table-driven transform in the file-encryption path — confirm
        // against a sample. As with $sequence_5, the absolute table addresses
        // tie the pattern to one build. Same applies to $sequence_13.
        $sequence_10 = { 0fb6c0 330c85c0fe4e00 0fb6c3 8b5f28 330c85c0fa4e00 33f1 8d0411 }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   330c85c0fe4e00       | xor                 ecx, dword ptr [eax*4 + 0x4efec0]
            //   0fb6c3               | movzx               eax, bl
            //   8b5f28               | mov                 ebx, dword ptr [edi + 0x28]
            //   330c85c0fa4e00       | xor                 ecx, dword ptr [eax*4 + 0x4efac0]
            //   33f1                 | xor                 esi, ecx
            //   8d0411               | lea                 eax, [ecx + edx]

        // Two branches reloading the same locals ([ebp-4], [ebp-0xc]) around a
        // "mov byte ptr [ebx], 1" and a short jmp — looks like an if/else whose
        // arms converge; only stack-relative operands, so no address binding here.
        $sequence_11 = { 8b75fc 8b7df4 c60301 eb06 8b75fc 8b7df4 }
            // n = 6, score = 200
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   c60301               | mov                 byte ptr [ebx], 1
            //   eb06                 | jmp                 8
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]

        // Contains an absolute address (0x5079c8) in the lea; build-specific.
        $sequence_12 = { 894c2448 7436 8b442410 8d90c8795000 }
            // n = 4, score = 200
            //   894c2448             | mov                 dword ptr [esp + 0x48], ecx
            //   7436                 | je                  0x38
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8d90c8795000         | lea                 edx, [eax + 0x5079c8]

        // Same table-lookup shape as $sequence_10 (tables at 0x4ed920 / 0x4edd20,
        // again 0x400 bytes apart), here indexing with the top byte (shr 0x18).
        $sequence_13 = { 330c8520dd4e00 8b442414 c1e818 330c8520d94e00 8b44242c 0fb6c0 }
            // n = 6, score = 200
            //   330c8520dd4e00       | xor                 ecx, dword ptr [eax*4 + 0x4edd20]
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   c1e818               | shr                 eax, 0x18
            //   330c8520d94e00       | xor                 ecx, dword ptr [eax*4 + 0x4ed920]
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   0fb6c0               | movzx               eax, al

        // Stack-relative only (push 0x35, two short jumps, moves from [esp+...]);
        // no absolute addresses, so this one should be more stable across builds.
        $sequence_14 = { 6a35 eb2b 8bfb eb04 8b442414 ff742420 }
            // n = 6, score = 200
            //   6a35                 | push                0x35
            //   eb2b                 | jmp                 0x2d
            //   8bfb                 | mov                 edi, ebx
            //   eb04                 | jmp                 6
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   ff742420             | push                dword ptr [esp + 0x20]

        $sequence_15 = { 000b 8605???????? 007885 0500788605 }
            // n = 4, score = 200
            //   000b                 | add                 byte ptr [ebx], cl
            //   8605????????         |                     
            //   007885               | add                 byte ptr [eax - 0x7b], bh
            //   0500788605           | add                 eax, 0x5867800

    condition:
        // At least 7 of the 16 sequences must match; the filesize cap (6578176
        // bytes, ~6.27 MiB) keeps the rule off large files and bounds the
        // false-positive surface of the data-like sequences noted above.
        7 of them and filesize < 6578176
}