Void (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.void (Back to overview)
Void

aka: VoidCrypt
Ransomware.
References

2021-10-07 ⋅ Kaspersky ⋅ Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2020-04-10 ⋅ ID Ransomware ⋅ Andrew Ivanov
Void Ransomware
Void
Yara Rules

[TLP:WHITE] win_void_auto (20220411 | Detects win.void.)
rule win_void_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.void."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c404 85db 7515 33d2 895e08 89560c }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85db                 | test                ebx, ebx
            //   7515                 | jne                 0x17
            //   33d2                 | xor                 edx, edx
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   89560c               | mov                 dword ptr [esi + 0xc], edx

        $sequence_1 = { ff7510 50 53 e8???????? 8b75b8 33ff 837dec10 }
            // n = 7, score = 200
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]
            //   33ff                 | xor                 edi, edi
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10

        $sequence_2 = { 897c2410 eb08 33ff eb04 8b7c2410 c1e602 2bce }
            // n = 7, score = 200
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   eb08                 | jmp                 0xa
            //   33ff                 | xor                 edi, edi
            //   eb04                 | jmp                 6
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   c1e602               | shl                 esi, 2
            //   2bce                 | sub                 ecx, esi

        $sequence_3 = { 897d24 8b4d10 c645fc10 85c9 7406 8b01 6a01 }
            // n = 7, score = 200
            //   897d24               | mov                 dword ptr [ebp + 0x24], edi
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   c645fc10             | mov                 byte ptr [ebp - 4], 0x10
            //   85c9                 | test                ecx, ecx
            //   7406                 | je                  8
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a01                 | push                1

        $sequence_4 = { 3913 7440 8b460c 66893a 8b00 3bc2 7410 }
            // n = 7, score = 200
            //   3913                 | cmp                 dword ptr [ebx], edx
            //   7440                 | je                  0x42
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   66893a               | mov                 word ptr [edx], di
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   3bc2                 | cmp                 eax, edx
            //   7410                 | je                  0x12

        $sequence_5 = { 8d4dac e9???????? 8d4dc0 e9???????? 8b542408 8d420c 8b4a8c }
            // n = 7, score = 200
            //   8d4dac               | lea                 ecx, dword ptr [ebp - 0x54]
            //   e9????????           |                     
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, dword ptr [edx + 0xc]
            //   8b4a8c               | mov                 ecx, dword ptr [edx - 0x74]

        $sequence_6 = { 8b458c 83c40c 8818 c6400100 8b8564ffffff 8906 }
            // n = 6, score = 200
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   83c40c               | add                 esp, 0xc
            //   8818                 | mov                 byte ptr [eax], bl
            //   c6400100             | mov                 byte ptr [eax + 1], 0
            //   8b8564ffffff         | mov                 eax, dword ptr [ebp - 0x9c]
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_7 = { e9???????? 8b5dec 8d4b38 e9???????? 8b5dec 8d4b20 }
            // n = 6, score = 200
            //   e9????????           |                     
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8d4b38               | lea                 ecx, dword ptr [ebx + 0x38]
            //   e9????????           |                     
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   8d4b20               | lea                 ecx, dword ptr [ebx + 0x20]

        $sequence_8 = { 660f7ec8 660f73d904 0fb6f8 03ff 660fef84fe20800000 0fb6fc 03ff }
            // n = 7, score = 200
            //   660f7ec8             | movd                eax, xmm1
            //   660f73d904           | psrldq              xmm1, 4
            //   0fb6f8               | movzx               edi, al
            //   03ff                 | add                 edi, edi
            //   660fef84fe20800000     | pxor    xmm0, xmmword ptr [esi + edi*8 + 0x8020]
            //   0fb6fc               | movzx               edi, ah
            //   03ff                 | add                 edi, edi

        $sequence_9 = { e8???????? 83c404 c745fcffffffff 8bf8 85f6 7413 8b06 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8bf8                 | mov                 edi, eax
            //   85f6                 | test                esi, esi
            //   7413                 | je                  0x15
            //   8b06                 | mov                 eax, dword ptr [esi]

    condition:
        7 of them and filesize < 2744320
}
Download all Yara Rules
Void Propose Change

References

Yara Rules

Void
