win.torrentlocker (Back to overview)

TorrentLocker


There is no description at this point.

References
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/
Yara Rules
[TLP:WHITE] win_torrentlocker_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_torrentlocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 66891c86 6689548602 40 3bc7 }
            // n = 4, score = 2000
            //   66891c86             | mov                 word ptr [esi + eax*4], bx
            //   6689548602           | mov                 word ptr [esi + eax*4 + 2], dx
            //   40                   | inc                 eax
            //   3bc7                 | cmp                 eax, edi

        $sequence_1 = { 7205 b840000000 6830750000 6a01 }
            // n = 4, score = 2000
            //   7205                 | jb                  0xa6bff
            //   b840000000           | mov                 eax, 0x40
            //   6830750000           | push                0x7530
            //   6a01                 | push                1

        $sequence_2 = { 33c9 3db7000000 0f94c1 890b }
            // n = 4, score = 2000
            //   33c9                 | xor                 ecx, ecx
            //   3db7000000           | cmp                 eax, 0xb7
            //   0f94c1               | sete                cl
            //   890b                 | mov                 dword ptr [ebx], ecx

        $sequence_3 = { 2bce d1f9 8d5101 3bc2 }
            // n = 4, score = 2000
            //   2bce                 | sub                 ecx, esi
            //   d1f9                 | sar                 ecx, 1
            //   8d5101               | lea                 edx, dword ptr [ecx + 1]
            //   3bc2                 | cmp                 eax, edx

        $sequence_4 = { 8b91f8000000 50 ffd2 bb01000000 }
            // n = 4, score = 2000
            //   8b91f8000000         | mov                 edx, dword ptr [ecx + 0xf8]
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   bb01000000           | mov                 ebx, 1

        $sequence_5 = { 750f 83fa03 7612 0fb64103 }
            // n = 4, score = 2000
            //   750f                 | jne                 0xa6a09
            //   83fa03               | cmp                 edx, 3
            //   7612                 | jbe                 0xa6a11
            //   0fb64103             | movzx               eax, byte ptr [ecx + 3]

        $sequence_6 = { 81b80000090050450000 75ea b90b010000 66398818000900 }
            // n = 4, score = 2000
            //   81b80000090050450000     | cmp    dword ptr [eax + 0x90000], 0x4550
            //   75ea                 | jne                 0xaace4
            //   b90b010000           | mov                 ecx, 0x10b
            //   66398818000900       | cmp                 word ptr [eax + 0x90018], cx

        $sequence_7 = { 57 6a14 6a08 50 }
            // n = 4, score = 2000
            //   57                   | push                edi
            //   6a14                 | push                0x14
            //   6a08                 | push                8
            //   50                   | push                eax

        $sequence_8 = { 83c004 5f 8901 33c0 }
            // n = 4, score = 2000
            //   83c004               | add                 eax, 4
            //   5f                   | pop                 edi
            //   8901                 | mov                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 6a00 52 ffd3 8bf7 }
            // n = 4, score = 2000
            //   6a00                 | push                0
            //   52                   | push                edx
            //   ffd3                 | call                ebx
            //   8bf7                 | mov                 esi, edi

    condition:
        7 of them
}
Download all Yara Rules