win.void

Void

aka: VoidCrypt

Ransomware.

References
2021-10-07 — Kaspersky — Fedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2020-04-10 — ID Ransomware — Andrew Ivanov
@online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } Void Ransomware
Void
Yara Rules
[TLP:WHITE] win_void_auto (20211008 | Detects win.void.)
rule win_void_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.void."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats
     *
     * Every byte sequence below was chosen automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of unpacked files and memory dumps. Malpedia is the sample source, and
     * for a number of families it documents only a single sample, so the
     * sequences may be tied to that one build rather than to the family as a
     * whole. Keep this generation method in mind when you apply the rule and
     * decide what confidence level to attach to a hit.
     *
     * Each $sequence_N is a run of consecutive x86 instructions taken from the
     * disassembly. "??" bytes are wildcards; they replace the rel32 operand of
     * call (e8) and the absolute address operand of mov moffs8, al (a2),
     * presumably because those values differ between builds and after
     * relocation. In the per-sequence notes, "n" is the number of instructions
     * in the sequence and "score" is the generator's own ranking value, copied
     * unchanged.
     */

    strings:
        $sequence_0 = { 8b 01 8b 40 04 74 0b ff d0 8d 04 f5 00 00 00 00 eb 37 ff d0 }
        /* n = 7, score = 200
         *   8b 01                  mov  eax, dword ptr [ecx]
         *   8b 40 04               mov  eax, dword ptr [eax + 4]
         *   74 0b                  je   0xd
         *   ff d0                  call eax
         *   8d 04 f5 00 00 00 00   lea  eax, dword ptr [esi*8]
         *   eb 37                  jmp  0x39
         *   ff d0                  call eax
         */

        $sequence_1 = { 89 5d f0 89 5d ec 8d 4b 04 89 5d e8 6a 01 e8 ?? ?? ?? ?? 8d 4b 08 }
        /* n = 7, score = 200
         *   89 5d f0               mov  dword ptr [ebp - 0x10], ebx
         *   89 5d ec               mov  dword ptr [ebp - 0x14], ebx
         *   8d 4b 04               lea  ecx, dword ptr [ebx + 4]
         *   89 5d e8               mov  dword ptr [ebp - 0x18], ebx
         *   6a 01                  push 1
         *   e8 ?? ?? ?? ??         call <rel32 wildcarded>
         *   8d 4b 08               lea  ecx, dword ptr [ebx + 8]
         */

        $sequence_2 = { a2 ?? ?? ?? ?? 8b c1 25 00 00 00 18 3d 00 00 00 18 75 1c 33 c9 }
        /* n = 6, score = 200
         *   a2 ?? ?? ?? ??         mov  byte ptr [<addr wildcarded>], al
         *   8b c1                  mov  eax, ecx
         *   25 00 00 00 18         and  eax, 0x18000000
         *   3d 00 00 00 18         cmp  eax, 0x18000000
         *   75 1c                  jne  0x1e
         *   33 c9                  xor  ecx, ecx
         */

        $sequence_3 = { f6 c3 20 74 0b 8d 4d 30 83 e3 df e8 ?? ?? ?? ?? f6 c3 10 74 0b }
        /* n = 7, score = 200
         *   f6 c3 20               test bl, 0x20
         *   74 0b                  je   0xd
         *   8d 4d 30               lea  ecx, dword ptr [ebp + 0x30]
         *   83 e3 df               and  ebx, 0xffffffdf
         *   e8 ?? ?? ?? ??         call <rel32 wildcarded>
         *   f6 c3 10               test bl, 0x10
         *   74 0b                  je   0xd
         */

        $sequence_4 = { 83 c4 2c 50 e8 ?? ?? ?? ?? c7 45 60 01 00 00 00 8b 55 54 39 55 50 c6 45 fc 0c }
        /* n = 7, score = 200
         *   83 c4 2c               add  esp, 0x2c
         *   50                     push eax
         *   e8 ?? ?? ?? ??         call <rel32 wildcarded>
         *   c7 45 60 01 00 00 00   mov  dword ptr [ebp + 0x60], 1
         *   8b 55 54               mov  edx, dword ptr [ebp + 0x54]
         *   39 55 50               cmp  dword ptr [ebp + 0x50], edx
         *   c6 45 fc 0c            mov  byte ptr [ebp - 4], 0xc
         */

        $sequence_5 = { e8 ?? ?? ?? ?? 8d 87 08 ff ff ff c7 45 fc 00 00 00 00 bb 01 00 04 00 8d 4d 48 50 }
        /* n = 6, score = 200
         *   e8 ?? ?? ?? ??         call <rel32 wildcarded>
         *   8d 87 08 ff ff ff      lea  eax, dword ptr [edi - 0xf8]
         *   c7 45 fc 00 00 00 00   mov  dword ptr [ebp - 4], 0
         *   bb 01 00 04 00         mov  ebx, 0x40001
         *   8d 4d 48               lea  ecx, dword ptr [ebp + 0x48]
         *   50                     push eax
         */

        $sequence_6 = { c1 c1 0f c1 c0 0d 33 c8 8b 44 24 54 c1 e8 0a 33 c8 03 ca }
        /* n = 7, score = 200
         *   c1 c1 0f               rol  ecx, 0xf
         *   c1 c0 0d               rol  eax, 0xd
         *   33 c8                  xor  ecx, eax
         *   8b 44 24 54            mov  eax, dword ptr [esp + 0x54]
         *   c1 e8 0a               shr  eax, 0xa
         *   33 c8                  xor  ecx, eax
         *   03 ca                  add  ecx, edx
         */

        $sequence_7 = { 8d 4d 94 89 5d 68 e8 ?? ?? ?? ?? c6 45 6f 01 85 c0 }
        /* n = 5, score = 200
         *   8d 4d 94               lea  ecx, dword ptr [ebp - 0x6c]
         *   89 5d 68               mov  dword ptr [ebp + 0x68], ebx
         *   e8 ?? ?? ?? ??         call <rel32 wildcarded>
         *   c6 45 6f 01            mov  byte ptr [ebp + 0x6f], 1
         *   85 c0                  test eax, eax
         */

        $sequence_8 = { 8b 46 08 8b d5 48 d1 ea 23 d0 8b cd 8b 46 04 }
        /* n = 7, score = 200
         *   8b 46 08               mov  eax, dword ptr [esi + 8]
         *   8b d5                  mov  edx, ebp
         *   48                     dec  eax
         *   d1 ea                  shr  edx, 1
         *   23 d0                  and  edx, eax
         *   8b cd                  mov  ecx, ebp
         *   8b 46 04               mov  eax, dword ptr [esi + 4]
         */

        $sequence_9 = { ff 74 24 5c 8b 02 6a 00 ff 76 38 ff 76 34 51 8b ca }
        /* n = 7, score = 200
         *   ff 74 24 5c            push dword ptr [esp + 0x5c]
         *   8b 02                  mov  eax, dword ptr [edx]
         *   6a 00                  push 0
         *   ff 76 38               push dword ptr [esi + 0x38]
         *   ff 76 34               push dword ptr [esi + 0x34]
         *   51                     push ecx
         *   8b ca                  mov  ecx, edx
         */

    condition:
        // Any 7 of the 10 sequences are enough for a hit; the size bound is the
        // one the generator emitted. NOTE: filesize is only defined when a file
        // is scanned, so this rule will not fire on process-memory scans.
        7 of ($sequence_*) and filesize < 2744320
}