SYMBOLCOMMON_NAMEaka. SYNONYMS
win.void (Back to overview)

Void

aka: VoidCrypt

Ransomware.

References
2021-10-07KasperskyFedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2020-04-10ID RansomwareAndrew Ivanov
@online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } Void Ransomware
Void
Yara Rules
[TLP:WHITE] win_void_auto (20230715 | Detects win.void.)
rule win_void_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.void."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83ec40 a1???????? 33c4 8944243c 8b442444 53 8b5c2450 }
            // n = 7, score = 200
            //   83ec40               | sub                 esp, 0x40
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   53                   | push                ebx
            //   8b5c2450             | mov                 ebx, dword ptr [esp + 0x50]

        $sequence_1 = { 51 52 8b5608 8bc8 c1e202 e8???????? 83c408 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   8bc8                 | mov                 ecx, eax
            //   c1e202               | shl                 edx, 2
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_2 = { 8a4605 8bce 3a45e7 7505 c6032b eb0f e8???????? }
            // n = 7, score = 200
            //   8a4605               | mov                 al, byte ptr [esi + 5]
            //   8bce                 | mov                 ecx, esi
            //   3a45e7               | cmp                 al, byte ptr [ebp - 0x19]
            //   7505                 | jne                 7
            //   c6032b               | mov                 byte ptr [ebx], 0x2b
            //   eb0f                 | jmp                 0x11
            //   e8????????           |                     

        $sequence_3 = { 50 8d4f30 c645fc11 e8???????? 8d8da4feffff e8???????? 8d8d38020000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d4f30               | lea                 ecx, [edi + 0x30]
            //   c645fc11             | mov                 byte ptr [ebp - 4], 0x11
            //   e8????????           |                     
            //   8d8da4feffff         | lea                 ecx, [ebp - 0x15c]
            //   e8????????           |                     
            //   8d8d38020000         | lea                 ecx, [ebp + 0x238]

        $sequence_4 = { 5f 5b 33cc e8???????? 83c430 c20400 8d4c240c }
            // n = 7, score = 200
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   33cc                 | xor                 ecx, esp
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   c20400               | ret                 4
            //   8d4c240c             | lea                 ecx, [esp + 0xc]

        $sequence_5 = { 3bde 0f42de 53 8bcf e8???????? 8bd6 89442414 }
            // n = 7, score = 200
            //   3bde                 | cmp                 ebx, esi
            //   0f42de               | cmovb               ebx, esi
            //   53                   | push                ebx
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8bd6                 | mov                 edx, esi
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_6 = { 68???????? eb07 6a06 68???????? 8d4dd8 e8???????? 837dec10 }
            // n = 7, score = 200
            //   68????????           |                     
            //   eb07                 | jmp                 9
            //   6a06                 | push                6
            //   68????????           |                     
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   837dec10             | cmp                 dword ptr [ebp - 0x14], 0x10

        $sequence_7 = { 7421 83fb10 8d45d8 0f43c6 0fbe4007 50 e8???????? }
            // n = 7, score = 200
            //   7421                 | je                  0x23
            //   83fb10               | cmp                 ebx, 0x10
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   0f43c6               | cmovae              eax, esi
            //   0fbe4007             | movsx               eax, byte ptr [eax + 7]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2744320
}
Download all Yara Rules