win.vigilant_cleaner

VIGILANT CLEANER

aka: VIGILANT CHECKER

Wiper malware discovered by the Japanese security firm Mitsui Bussan Secure Directions (MBSD). It is assumed to target Japan, the host country of the 2021 Summer Olympics: the referenced analyses describe it as an executable carrying a Japanese file name that poses as an urgent damage report about cyber attacks related to the Tokyo Olympics. In addition to common Office-related file types, it specifically targets file types associated with the Japanese word processor Ichitaro.

References
2021-08-02 — Cybleinc — cybleinc
@online{cybleinc:20210802:deepdive:ed9c9d9, author = {cybleinc}, title = {{A Deep-Dive Analysis Of A New Wiper Malware Disguised As Tokyo Olympics Document}}, date = {2021-08-02}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/}, language = {English}, urldate = {2021-08-20} } A Deep-Dive Analysis Of A New Wiper Malware Disguised As Tokyo Olympics Document
VIGILANT CLEANER
2021-07-26 — Fortinet — Shunichi Imano, Fred Gutierrez
@online{imano:20210726:wiper:cc926ab, author = {Shunichi Imano and Fred Gutierrez}, title = {{Wiper Malware Riding the 2021 Tokyo Olympic Games}}, date = {2021-07-26}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games}, language = {English}, urldate = {2021-08-20} } Wiper Malware Riding the 2021 Tokyo Olympic Games
VIGILANT CLEANER
2021-07-22 — The Record — Catalin Cimpanu
@online{cimpanu:20210722:wiper:08d9833, author = {Catalin Cimpanu}, title = {{Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening}}, date = {2021-07-22}, organization = {The Record}, url = {https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/}, language = {English}, urldate = {2021-08-20} } Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening
VIGILANT CLEANER
2021-07-22 — Trend Micro — Katsuyuki Okamoto
@online{okamoto:20210722:analysis:486a6f2, author = {Katsuyuki Okamoto}, title = {{Analysis of "[Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe"}}, date = {2021-07-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.co.jp/archives/28319}, language = {Japanese}, urldate = {2021-08-20} } Analysis of "[Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe"
VIGILANT CLEANER
2021-07-21 — MBSD — Takashi Yoshikawa, Kei Sugawara
@online{yoshikawa:20210721:analysis:5b8602b, author = {Takashi Yoshikawa and Kei Sugawara}, title = {{Analysis of malware (wiper) with Japanese file names related to the Tokyo Olympics}}, date = {2021-07-21}, organization = {MBSD}, url = {https://www.mbsd.jp/research/20210721/blog/}, language = {Japanese}, urldate = {2021-08-20} } Analysis of malware (wiper) with Japanese file names related to the Tokyo Olympics
VIGILANT CLEANER
Yara Rules
[TLP:WHITE] win_vigilant_cleaner_auto (20211008 | Detects win.vigilant_cleaner.)
rule win_vigilant_cleaner_auto {

    /* REVIEW NOTES (read together with the generator disclaimer below)
     *  - The sequences were taken from unpacked code / memory dumps, so the
     *    rule is intended for in-memory or unpacked scanning; a packed
     *    on-disk sample is not guaranteed to match.
     *  - The ten strings overlap heavily: $sequence_0/4/6/7 are windows onto
     *    one and the same instruction run, and $sequence_1/5, $sequence_2/9
     *    and $sequence_3/8 likewise overlap pairwise. With group sizes
     *    4+2+2+2, "7 of them" can only be satisfied if at least one of the
     *    $sequence_0/4/6/7 group hits, plus at least two of the three
     *    remaining groups - i.e. the rule effectively keys on the VMware
     *    hypervisor-port check plus generic MSVC runtime code.
     *  - None of the selected code visibly relates to the wiper's file
     *    deletion logic (see per-string notes), so treat a hit as a triage /
     *    hunting signal and corroborate with hashes or observed behaviour
     *    before acting on it.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.vigilant_cleaner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): this is the well-known VMware hypervisor "backdoor"
        // port probe: EAX = 0x564d5868 ('VMXh' magic), ECX = 0x0a (GET_VERSION
        // command), DX = 0x5658 ('VX' port), then `in eax, dx`. `in` is a
        // privileged instruction, so code using it is typically wrapped in an
        // exception handler (not visible in this excerpt). Classic anti-VM /
        // sandbox check; the identical stub occurs in many unrelated binaries,
        // which is a false-positive risk for this rule.
        $sequence_0 = { b868584d56 bb00000000 b90a000000 ba58560000 ed 5b }
            // n = 6, score = 200
            //   b868584d56           | mov                 eax, 0x564d5868
            //   bb00000000           | mov                 ebx, 0
            //   b90a000000           | mov                 ecx, 0xa
            //   ba58560000           | mov                 edx, 0x5658
            //   ed                   | in                  eax, dx
            //   5b                   | pop                 ebx

        // Looks like the MSVC stack-cookie check tail (__security_check_cookie):
        // compare ECX against a global, the jne skips the single-byte ret and
        // lands on the jmp to the failure handler. Generic compiler code, not
        // family-specific.
        $sequence_1 = { c3 3b0d???????? 7501 c3 e9???????? }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   3b0d????????         |                     
            //   7501                 | jne                 3
            //   c3                   | ret                 
            //   e9????????           |                     

        // End of one function (ret 0), a trivial function that returns an
        // immediate in EAX, then the start of a call: runtime/library
        // boilerplate rather than payload logic, as far as visible here.
        $sequence_2 = { c20000 b8???????? c3 e8???????? }
            // n = 4, score = 200
            //   c20000               | ret                 0
            //   b8????????           |                     
            //   c3                   | ret                 
            //   e8????????           |                     

        // Looks like an MSVC SEH frame epilogue: the saved handler is restored
        // into fs:[0] (head of the SEH chain) before ret; the trailing
        // `push ebp` is the next function's prologue.
        $sequence_3 = { 8b45fc c745fcfeffffff 8945f8 8d45f0 64a300000000 c3 55 }
            // n = 7, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c745fcfeffffff       | mov                 dword ptr [ebp - 4], 0xfffffffe
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c3                   | ret                 
            //   55                   | push                ebp

        // Same VMware port probe as $sequence_0, shifted by one instruction
        // (drops the leading mov eax, adds two more register restores).
        $sequence_4 = { bb00000000 b90a000000 ba58560000 ed 5b 59 5a }
            // n = 7, score = 200
            //   bb00000000           | mov                 ebx, 0
            //   b90a000000           | mov                 ecx, 0xa
            //   ba58560000           | mov                 edx, 0x5658
            //   ed                   | in                  eax, dx
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx

        // Same cookie-check tail as $sequence_1, shifted by one instruction.
        $sequence_5 = { 3b0d???????? 7501 c3 e9???????? 55 }
            // n = 5, score = 200
            //   3b0d????????         |                     
            //   7501                 | jne                 3
            //   c3                   | ret                 
            //   e9????????           |                     
            //   55                   | push                ebp

        // Tail of the VMware port probe only (4 bytes). On its own this is a
        // very short, low-entropy pattern; it only adds value in combination
        // with the other sequences.
        $sequence_6 = { ed 5b 59 5a }
            // n = 4, score = 200
            //   ed                   | in                  eax, dx
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx

        // Same VMware port probe as $sequence_0 with one more register restore.
        $sequence_7 = { b868584d56 bb00000000 b90a000000 ba58560000 ed 5b 59 }
            // n = 7, score = 200
            //   b868584d56           | mov                 eax, 0x564d5868
            //   bb00000000           | mov                 ebx, 0
            //   b90a000000           | mov                 ecx, 0xa
            //   ba58560000           | mov                 edx, 0x5658
            //   ed                   | in                  eax, dx
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx

        // SEH epilogue tail (as in $sequence_3) followed by a prologue that
        // clears one global (and [mem], 0) and sets a bit in another
        // (or [mem], 1) - presumably CRT/initialisation state; verify in the
        // sample before treating it as family-specific.
        $sequence_8 = { 64a300000000 c3 55 8bec 8325????????00 83ec24 830d????????01 }
            // n = 7, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8325????????00       |                     
            //   83ec24               | sub                 esp, 0x24
            //   830d????????01       |                     

        // $sequence_2 extended by one instruction (mov ecx, [eax+4]).
        $sequence_9 = { c20000 b8???????? c3 e8???????? 8b4804 }
            // n = 5, score = 200
            //   c20000               | ret                 0
            //   b8????????           |                     
            //   c3                   | ret                 
            //   e8????????           |                     
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]

    condition:
        // 7 of 10 overlapping sequences (see REVIEW NOTES for what that
        // implies). The 1181696-byte (~1.13 MiB) cap is only meaningful when
        // scanning files; per the YARA docs `filesize` has no meaningful value
        // when scanning a running process - confirm against the YARA version
        // in use before relying on it for in-memory scans.
        7 of them and filesize < 1181696
}