win.tflower

TFlower


TFlower is a ransomware family, discovered in August 2019, that mostly targets corporate networks. It is reportedly installed on networks by attackers after they gain access via RDP. While encrypting a machine, TFlower displays a console showing the activity being performed, further indicating that the ransomware is triggered manually by the attacker post-compromise, similar to Samsam/Samas in terms of TTPs. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled. The malware also terminates any running Outlook.exe process so that the mail files can be encrypted. It does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted per-file encryption key to each affected file. Once encryption is complete, another status report is sent to the C2 server.
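Because TFlower does not rename encrypted files, extension-based triage during incident response finds nothing; the only file-level indicator the description gives is the "*tflower" marker prepended to each affected file. The following triage helper is an added example, not code from Malpedia or from any of the cited reports: it sweeps a directory tree, reads only the first few bytes of each file, and reports files whose content begins with the marker. It assumes (the page does not say) that the marker is ASCII and sits at offset 0, and that the blob following it (possibly the encrypted per-file key) has unknown, variable length, so only the marker itself is matched. The sample files it scans are constructed inside a temporary directory.

```python
"""Triage helper: find files carrying the TFlower "*tflower" marker.

Added example for the Malpedia win.tflower description. Assumptions not
stated on the page: the marker is ASCII and sits at offset 0; the bytes
following it are of unknown, variable length and are reported as-is.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

MARKER = b"*tflower"  # file marker quoted in the description


def is_tflower_marked(head: bytes) -> bool:
    """Return True if the start of a file carries the TFlower marker.

    A file that merely mentions "*tflower" somewhere in its body is not
    reported: the description says the marker is *prepended*.
    """
    return head.startswith(MARKER)


def scan_tree(root: Path, head_len: int = 64) -> Iterator[Tuple[Path, bytes]]:
    """Walk `root` and yield (path, bytes-after-marker) for every hit.

    Only the first `head_len` bytes of each file are read, so a sweep over a
    large file share stays cheap. Unreadable files are skipped rather than
    aborting the whole sweep.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_len)
            except OSError:
                continue
            if is_tflower_marked(head):
                yield path, head[len(MARKER):]


def demo() -> Dict[str, object]:
    """Build a constructed sample tree, scan it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # Constructed samples: one marked file, one clean file, and one that
        # mentions the marker later in its body (must NOT be reported).
        (root / "docs" / "report.docx").write_bytes(
            MARKER + b"\x10\x22\x7f\x03" * 8 + b"...ciphertext..."
        )
        (root / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
        (root / "readme.txt").write_bytes(b"see *tflower note in appendix\n")

        hits: List[str] = [
            path.relative_to(root).as_posix() for path, _tail in scan_tree(root)
        ]
    return {"hit_count": len(hits), "hits": sorted(hits)}


if __name__ == "__main__":
    summary = demo()
    print(f"{summary['hit_count']} marked file(s):")
    for hit in summary["hits"]:
        print("  ", hit)
```

Running the script against a real share means calling `scan_tree(Path("/mnt/share"))` instead of `demo()`; the bytes returned after the marker can be preserved alongside the path, since the description suggests they may hold the file's encrypted key and could matter for later recovery analysis.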

References

2021-03-03 | SYGNIA | Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
https://www.sygnia.co/mata-framework
@online{shushan:20210303:lazarus:60339a7, author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman}, title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}}, date = {2021-03-03}, organization = {SYGNIA}, url = {https://www.sygnia.co/mata-framework}, language = {English}, urldate = {2021-03-04} }
Families: Dacls, TFlower

2019-09-20 | Canadian Centre for Cyber Security
TFlower Ransomware Campaign
https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign
@online{security:20190920:tflower:90d959d, author = {Canadian Centre for Cyber Security}, title = {{TFlower Ransomware Campaign}}, date = {2019-09-20}, organization = {Canadian Centre for Cyber Security}, url = {https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign}, language = {English}, urldate = {2020-01-10} }
Families: TFlower

2019-09-17 | Bleeping Computer | Lawrence Abrams
TFlower Ransomware - The Latest Attack Targeting Businesses
https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/
@online{abrams:20190917:tflower:31c9072, author = {Lawrence Abrams}, title = {{TFlower Ransomware - The Latest Attack Targeting Businesses}}, date = {2019-09-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/}, language = {English}, urldate = {2019-10-15} }
Families: TFlower
Yara Rules
[TLP:WHITE] win_tflower_auto (20221125 | Detects win.tflower.)
rule win_tflower_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.tflower."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0002 7408 00f7 7308 }
            // n = 4, score = 200
            //   0002                 | add                 byte ptr [ecx], al
            //   7408                 | ja                  0xc
            //   00f7                 | add                 bl, dh
            //   7308                 | jbe                 0xc

        $sequence_1 = { 0001 7708 00f3 7608 }
            // n = 4, score = 200
            //   0001                 | jne                 0x16
            //   7708                 | cmp                 dword ptr [ebx + 0xfc], edi
            //   00f3                 | je                  0x36
            //   7608                 | dec                 eax

        $sequence_2 = { 001a 0c05 003c0c 05004e0c05 }
            // n = 4, score = 200
            //   001a                 | add                 byte ptr [ecx], ah
            //   0c05                 | je                  0x11
            //   003c0c               | add                 byte ptr [eax], dl
            //   05004e0c05           | je                  0xd

        $sequence_3 = { 0008 7408 0002 7408 }
            // n = 4, score = 200
            //   0008                 | add                 byte ptr [edx], al
            //   7408                 | je                  0xc
            //   0002                 | add                 bh, dh
            //   7408                 | jae                 0xc

        $sequence_4 = { 8d8100f0ffff 83f804 0f8747030000 ff2485cc3c4900 f6c301 7411 6a43 }
            // n = 7, score = 200
            //   8d8100f0ffff         | je                  0x11
            //   83f804               | add                 byte ptr [eax], dl
            //   0f8747030000         | je                  0xd
            //   ff2485cc3c4900       | add                 byte ptr [ecx], ah
            //   f6c301               | je                  0x11
            //   7411                 | add                 byte ptr [edx + 0x74], ah
            //   6a43                 | add                 byte ptr [edx], bl

        $sequence_5 = { 6685c9 75ae 8a06 8b4dfc 33cd }
            // n = 5, score = 200
            //   6685c9               | or                  eax, dword ptr [eax]
            //   75ae                 | ja                  0xffffffb1
            //   8a06                 | lea                 eax, [ecx - 0x1000]
            //   8b4dfc               | cmp                 eax, 4
            //   33cd                 | ja                  0x350

        $sequence_6 = { 000f 7708 0001 7708 }
            // n = 4, score = 200
            //   000f                 | add                 byte ptr [eax - 0x7b], bh
            //   7708                 | add                 eax, 0x5867800
            //   0001                 | add                 byte ptr [ebx + 0x78000585], bl
            //   7708                 | add                 byte ptr [ebx], cl

        $sequence_7 = { 50 e8???????? 03f0 83c410 8b442410 3bf0 72e1 }
            // n = 7, score = 200
            //   50                   | mov                 ecx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   03f0                 | xor                 ecx, ebp
            //   83c410               | mov                 dword ptr [ebp - 0x320], eax
            //   8b442410             | jmp                 0xe
            //   3bf0                 | xor                 edi, edi
            //   72e1                 | mov                 dword ptr [ebp - 0x320], 0x50

        $sequence_8 = { 89442450 33148d20d54e00 33542410 33d0 8bc2 }
            // n = 5, score = 200
            //   89442450             | or                  al, 5
            //   33148d20d54e00       | add                 byte ptr [esp + ecx], bh
            //   33542410             | add                 eax, 0x50c4e00
            //   33d0                 | add                 byte ptr [edx], bl
            //   8bc2                 | lodsd               eax, dword ptr [esi]

        $sequence_9 = { 0010 740b 0021 740b }
            // n = 4, score = 200
            //   0010                 | add                 byte ptr [edi], cl
            //   740b                 | ja                  0xc
            //   0021                 | add                 byte ptr [ecx], al
            //   740b                 | ja                  0xc

        $sequence_10 = { 56 57 8b7c240c 33f6 0f1f840000000000 8b0cf580eb4f00 8bc7 }
            // n = 7, score = 200
            //   56                   | dec                 esi
            //   57                   | push                eax
            //   8b7c240c             | add                 esi, eax
            //   33f6                 | add                 esp, 0x10
            //   0f1f840000000000     | mov                 eax, dword ptr [esp + 0x10]
            //   8b0cf580eb4f00       | cmp                 esi, eax
            //   8bc7                 | jb                  0xffffffee

        $sequence_11 = { 773d ff24853cea4600 4e 8bc1 c1e818 8806 4e }
            // n = 7, score = 200
            //   773d                 | xor                 edx, dword ptr [ecx*4 + 0x4ed520]
            //   ff24853cea4600       | xor                 edx, dword ptr [esp + 0x10]
            //   4e                   | xor                 edx, eax
            //   8bc1                 | mov                 eax, edx
            //   c1e818               | test                cx, cx
            //   8806                 | jne                 0xffffffb3
            //   4e                   | mov                 al, byte ptr [esi]

        $sequence_12 = { 8985e0fcffff eb0c 33ff c785e0fcffff50000000 8d4303 }
            // n = 5, score = 200
            //   8985e0fcffff         | jmp                 dword ptr [eax*4 + 0x493ccc]
            //   eb0c                 | test                bl, 1
            //   33ff                 | je                  0x26
            //   c785e0fcffff50000000     | push    0x43
            //   8d4303               | mov                 dword ptr [esp + 0x50], eax

        $sequence_13 = { 0000 4885ff 7514 39bbfc000000 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   4885ff               | dec                 eax
            //   7514                 | test                edi, edi
            //   39bbfc000000         | jne                 0x16

        $sequence_14 = { 3304ad20d54e00 8b6c2434 3304ad20d14e00 898424bc000000 8b04b520c94e00 3304bd20d54e00 33049d20cd4e00 }
            // n = 7, score = 200
            //   3304ad20d54e00       | lea                 eax, [ebx + 3]
            //   8b6c2434             | ja                  0x3f
            //   3304ad20d14e00       | jmp                 dword ptr [eax*4 + 0x46ea3c]
            //   898424bc000000       | dec                 esi
            //   8b04b520c94e00       | mov                 eax, ecx
            //   3304bd20d54e00       | shr                 eax, 0x18
            //   33049d20cd4e00       | mov                 byte ptr [esi], al

        $sequence_15 = { 000b 8605???????? 007885 0500788605 }
            // n = 4, score = 200
            //   000b                 | add                 byte ptr [eax], cl
            //   8605????????         |                     
            //   007885               | je                  0xc
            //   0500788605           | add                 byte ptr [edx], al

    condition:
        7 of them and filesize < 6578176
}