win.unidentified_088

Unidentified 088 (Nim Ransomware)


Ransomware written in Nim.

References
2021-10-14 — Medium walmartglobaltech — Jason Reaves
@online{reaves:20211014:investigation:29ef29c, author = {Jason Reaves}, title = {{Investigation into the state of NIM malware Part 2}}, date = {2021-10-14}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671}, language = {English}, urldate = {2021-12-15} } Investigation into the state of NIM malware Part 2
Families covered by this reference: Cobalt Strike, NimGrabber, Nimrev, Unidentified 088 (Nim Ransomware)
Yara Rules
[TLP:WHITE] win_unidentified_088_auto (20220516 | Detects win.unidentified_088.)
// Auto-generated Malpedia detection rule for win.unidentified_088 (ransomware written in Nim).
// Layout: ten short x86 instruction sequences ($sequence_0 .. $sequence_9), each followed by
// the disassembly the generator extracted for it; the rule fires when at least 7 of them are
// present in an object smaller than 919552 bytes. The hex patterns and the condition ARE the
// signature and are reproduced here unchanged; only explanatory comments have been added.
rule win_unidentified_088_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.unidentified_088."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the listings below: each "n = N, score = S" line gives the number of
    // instructions in the sequence (N matches the lines listed under it) and the
    // selection score assigned by YARA-Signator (its scale is not described here).
    // "??" inside a hex string is a YARA wildcard byte. The generator uses it for
    // operand bytes that vary between builds -- rel32 displacements after e8 (call)
    // and e9 (jmp), the absolute address after a3 (mov [moffs32], eax), and imm32
    // values after ba and c74008 -- which is why those lines carry no disassembly text.
    // Note that the disclaimer above applies: these sequences come from a single
    // documented sample, so the rule is a sample-derived signature rather than a
    // family-wide behavioural description.

    strings:
        // Compares al with 0x5c ('\') and dl with 0x2f ('/'): looks like a path-separator
        // test inside a loop. Such checks are common library/runtime code, so this sequence
        // on its own is presumably weak evidence; the 7-of-10 condition is what gives
        // the rule its specificity.
        $sequence_0 = { 3c5c 0f94c0 80fa2f 0f94c2 08d0 751f ebdf }
            // n = 7, score = 100
            //   3c5c                 | cmp                 al, 0x5c
            //   0f94c0               | sete                al
            //   80fa2f               | cmp                 dl, 0x2f
            //   0f94c2               | sete                dl
            //   08d0                 | or                  al, dl
            //   751f                 | jne                 0x21
            //   ebdf                 | jmp                 0xffffffe1

        $sequence_1 = { c74008???????? e8???????? 89430c 85ff 7407 89f8 e8???????? }
            // n = 7, score = 100
            //   c74008????????       |                     
            //   e8????????           |                     
            //   89430c               | mov                 dword ptr [ebx + 0xc], eax
            //   85ff                 | test                edi, edi
            //   7407                 | je                  9
            //   89f8                 | mov                 eax, edi
            //   e8????????           |                     

        // Function prologue fragment (sub esp, 0xbc then spilling arguments from [ebp + x]).
        $sequence_2 = { 81ecbc000000 8b4508 8b550c 894d94 8b7518 8b7d1c 894588 }
            // n = 7, score = 100
            //   81ecbc000000         | sub                 esp, 0xbc
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   894d94               | mov                 dword ptr [ebp - 0x6c], ecx
            //   8b7518               | mov                 esi, dword ptr [ebp + 0x18]
            //   8b7d1c               | mov                 edi, dword ptr [ebp + 0x1c]
            //   894588               | mov                 dword ptr [ebp - 0x78], eax

        $sequence_3 = { e8???????? 8b55e4 89d9 e8???????? 8b4dd4 89c2 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   89c2                 | mov                 edx, eax

        $sequence_4 = { 31c0 85d2 7402 8b02 3945ac 0f846bffffff }
            // n = 6, score = 100
            //   31c0                 | xor                 eax, eax
            //   85d2                 | test                edx, edx
            //   7402                 | je                  4
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   3945ac               | cmp                 dword ptr [ebp - 0x54], eax
            //   0f846bffffff         | je                  0xffffff71

        // Only the last three bytes (leave / ret / cmp eax, 0xffff) are fixed here; the first
        // four instructions are fully wildcarded operands, so this sequence contributes
        // comparatively little on its own.
        $sequence_5 = { ba???????? a3???????? e8???????? a3???????? c9 c3 3dffff0000 }
            // n = 7, score = 100
            //   ba????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     
            //   a3????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   3dffff0000           | cmp                 eax, 0xffff

        $sequence_6 = { 7c17 b904000000 85ff 0f845c010000 8b07 8d4804 e9???????? }
            // n = 7, score = 100
            //   7c17                 | jl                  0x19
            //   b904000000           | mov                 ecx, 4
            //   85ff                 | test                edi, edi
            //   0f845c010000         | je                  0x162
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8d4804               | lea                 ecx, [eax + 4]
            //   e9????????           |                     

        $sequence_7 = { 89c1 89c3 e8???????? 84c0 7513 8b4594 }
            // n = 6, score = 100
            //   89c1                 | mov                 ecx, eax
            //   89c3                 | mov                 ebx, eax
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7513                 | jne                 0x15
            //   8b4594               | mov                 eax, dword ptr [ebp - 0x6c]

        $sequence_8 = { 85c0 7407 89d9 e8???????? 8b5608 8b4604 8b12 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8b12                 | mov                 edx, dword ptr [edx]

        // Large stack frame (lea of [ebp - 0x6b8] .. [ebp - 0x798]) with arguments passed
        // via [esp + 4] / [esp + 8]; the frame offsets are the distinguishing part here.
        $sequence_9 = { 8d8d48f9ffff e8???????? 8d8568f8ffff c744240810000000 8d9578f8ffff 89442404 }
            // n = 6, score = 100
            //   8d8d48f9ffff         | lea                 ecx, [ebp - 0x6b8]
            //   e8????????           |                     
            //   8d8568f8ffff         | lea                 eax, [ebp - 0x798]
            //   c744240810000000     | mov                 dword ptr [esp + 8], 0x10
            //   8d9578f8ffff         | lea                 edx, [ebp - 0x788]
            //   89442404             | mov                 dword ptr [esp + 4], eax

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object must be
        // smaller than 919552 bytes (exactly 898 KiB). The size bound is presumably
        // derived from the single documented sample (see disclaimer), so larger builds
        // or repacked/padded copies of the same code would fall outside it; treat a
        // miss on size alone as inconclusive and weigh confidence accordingly. The
        // filesize term also means the rule is intended for files or dumps, not for
        // scanning arbitrary in-memory regions where filesize is not meaningful.
        7 of them and filesize < 919552
}