win.vhd_ransomware

VHD Ransomware


There is no description at this point.

References
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-28Kaspersky LabsIvan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-03-22GrujaRS
@online{grujars:20200322:new:d94c371, author = {GrujaRS}, title = {{New #VHD (virtual hard disk)#Ransomware extension .vhd!}}, date = {2020-03-22}, url = {https://twitter.com/GrujaRS/status/1241657443282825217}, language = {English}, urldate = {2020-03-27} } New #VHD (virtual hard disk)#Ransomware extension .vhd!
VHD Ransomware
Yara Rules
[TLP:WHITE] win_vhd_ransomware_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_vhd_ransomware_auto {
    // Autogenerated detection rule for the VHD Ransomware family
    // (Malpedia id win.vhd_ransomware). Each $sequence_N string below is a
    // short run of x86 opcode bytes selected from the family's disassembly;
    // the hex string is the exact byte pattern YARA matches, and the
    // indented "//" lines under it are the decoded instructions, kept for
    // human readability only (they have no effect on matching).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "??" bytes in a hex string are wildcards and match any byte value.
        // They appear in $sequence_5 and $sequence_6 on instructions whose
        // operand is left blank in the listing (e9 = jmp rel32, 8b0d = mov ecx
        // from an absolute address, 68 = push imm32) -- presumably masked by
        // the generator because such operands vary between builds or load
        // addresses; verify against the yara-signator docs if that matters.
        $sequence_0 = { 8b7d08 33b7e0000000 c1eb10 8970f8 0fb6db 0fb69b98744100 8bf1 }
            // n = 7, score = 100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33b7e0000000         | xor                 esi, dword ptr [edi + 0xe0]
            //   c1eb10               | shr                 ebx, 0x10
            //   8970f8               | mov                 dword ptr [eax - 8], esi
            //   0fb6db               | movzx               ebx, bl
            //   0fb69b98744100       | movzx               ebx, byte ptr [ebx + 0x417498]
            //   8bf1                 | mov                 esi, ecx

        $sequence_1 = { 3c2f 0f8589000000 837b1410 7204 8b03 eb02 }
            // n = 6, score = 100
            //   3c2f                 | cmp                 al, 0x2f
            //   0f8589000000         | jne                 0x8f
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7204                 | jb                  6
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   eb02                 | jmp                 4

        $sequence_2 = { ebcf 8bc6 c1f805 8b0485c0d44100 83e61f c1e606 8d443004 }
            // n = 7, score = 100
            //   ebcf                 | jmp                 0xffffffd1
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8b0485c0d44100       | mov                 eax, dword ptr [eax*4 + 0x41d4c0]
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8d443004             | lea                 eax, [eax + esi + 4]

        $sequence_3 = { 33f6 8bcb 0bce 75e7 833a00 7506 c70201000000 }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   8bcb                 | mov                 ecx, ebx
            //   0bce                 | or                  ecx, esi
            //   75e7                 | jne                 0xffffffe9
            //   833a00               | cmp                 dword ptr [edx], 0
            //   7506                 | jne                 8
            //   c70201000000         | mov                 dword ptr [edx], 1

        $sequence_4 = { 8d750c f3a5 8b4d08 33c0 899dc4fcffff 8995d0fcffff }
            // n = 6, score = 100
            //   8d750c               | lea                 esi, [ebp + 0xc]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   899dc4fcffff         | mov                 dword ptr [ebp - 0x33c], ebx
            //   8995d0fcffff         | mov                 dword ptr [ebp - 0x330], edx

        $sequence_5 = { 8db568bcffff e9???????? 8b542408 8d420c 8b8a18b4ffff }
            // n = 5, score = 100
            //   8db568bcffff         | lea                 esi, [ebp - 0x4398]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b8a18b4ffff         | mov                 ecx, dword ptr [edx - 0x4be8]

        $sequence_6 = { ffd6 8b0d???????? 6a00 8d858cb4ffff 50 6a40 68???????? }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   8b0d????????         |                     
            //   6a00                 | push                0
            //   8d858cb4ffff         | lea                 eax, [ebp - 0x4b74]
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   68????????           |                     

        $sequence_7 = { b330 8a02 42 83f90b 0f871c020000 ff248d34324100 8d48cf }
            // n = 7, score = 100
            //   b330                 | mov                 bl, 0x30
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   83f90b               | cmp                 ecx, 0xb
            //   0f871c020000         | ja                  0x222
            //   ff248d34324100       | jmp                 dword ptr [ecx*4 + 0x413234]
            //   8d48cf               | lea                 ecx, [eax - 0x31]

        $sequence_8 = { 89b014010000 8bd6 8bf7 83e607 8975d0 }
            // n = 5, score = 100
            //   89b014010000         | mov                 dword ptr [eax + 0x114], esi
            //   8bd6                 | mov                 edx, esi
            //   8bf7                 | mov                 esi, edi
            //   83e607               | and                 esi, 7
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi

        $sequence_9 = { 8d4c0ae0 898d48f3ffff 33c9 898d30f3ffff 898d38f3ffff 3bc1 0f8e2a030000 }
            // n = 7, score = 100
            //   8d4c0ae0             | lea                 ecx, [edx + ecx - 0x20]
            //   898d48f3ffff         | mov                 dword ptr [ebp - 0xcb8], ecx
            //   33c9                 | xor                 ecx, ecx
            //   898d30f3ffff         | mov                 dword ptr [ebp - 0xcd0], ecx
            //   898d38f3ffff         | mov                 dword ptr [ebp - 0xcc8], ecx
            //   3bc1                 | cmp                 eax, ecx
            //   0f8e2a030000         | jle                 0x330

    condition:
        // Fires when at least 7 of the 10 sequences above are present AND the
        // scanned object is smaller than 275456 bytes (269 KiB). The size cap
        // keeps the rule from being evaluated against large containers. Because
        // the byte sequences were taken from memory dumps and unpacked files
        // (see DISCLAIMER), a packed or otherwise transformed on-disk sample
        // may not match; scanning unpacked or in-memory images is where this
        // rule is expected to be most effective.
        7 of them and filesize < 275456
}