win.void

Void

aka: VoidCrypt

Ransomware.

References
2021-10-07 — Kaspersky — Fedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2020-04-10 — ID Ransomware — Andrew Ivanov
@online{ivanov:20200410:void:3b7f0d1, author = {Andrew Ivanov}, title = {{Void Ransomware}}, date = {2020-04-10}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html}, language = {Russian}, urldate = {2020-04-13} } Void Ransomware
Void
Yara Rules
[TLP:WHITE] win_void_auto (20220808 | Detects win.void.)
rule win_void_auto {

    /* Code-sequence signature for the Void (aka VoidCrypt) ransomware family
     * (Malpedia id win.void). The rule was generated automatically by
     * YARA-Signator (see DISCLAIMER below), so its strings are short runs of
     * x86 instruction bytes rather than hand-picked artefacts such as ransom
     * note text or file-extension markers.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.void."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is one hex pattern of consecutive instruction bytes.
     * `??` bytes are wildcards: they mask operands that are expected to differ
     * between builds or load addresses (e.g. the rel32 displacement after an
     * `e8` call opcode, or an immediate after `68` push), so the rule keys on
     * opcode structure rather than on exact addresses. The commented listing
     * under each string is the disassembly the bytes were taken from; the
     * "n" is the instruction count and "score" the generator's weight.
     * NOTE(review): because the sequences come from memory dumps / unpacked
     * files, a packed on-disk sample may well not match — scan the unpacked
     * image or process memory where possible; confirm against your corpus.
     */
    strings:
        $sequence_0 = { c785d4fbffff0f000000 c685c0fbffff00 e8???????? 6a0c 68???????? 8d8dd8fbffff }
            // n = 6, score = 200
            //   c785d4fbffff0f000000     | mov    dword ptr [ebp - 0x42c], 0xf
            //   c685c0fbffff00       | mov                 byte ptr [ebp - 0x440], 0
            //   e8????????           |                     
            //   6a0c                 | push                0xc
            //   68????????           |                     
            //   8d8dd8fbffff         | lea                 ecx, [ebp - 0x428]

        $sequence_1 = { c744f80400000000 ff4610 836c241801 8b5610 0f8579ffffff b901000000 8b7b5c }
            // n = 7, score = 200
            //   c744f80400000000     | mov                 dword ptr [eax + edi*8 + 4], 0
            //   ff4610               | inc                 dword ptr [esi + 0x10]
            //   836c241801           | sub                 dword ptr [esp + 0x18], 1
            //   8b5610               | mov                 edx, dword ptr [esi + 0x10]
            //   0f8579ffffff         | jne                 0xffffff7f
            //   b901000000           | mov                 ecx, 1
            //   8b7b5c               | mov                 edi, dword ptr [ebx + 0x5c]

        $sequence_2 = { ff74243c ff928c000000 8b74241c 8bc8 894c2410 85c9 0f85a1000000 }
            // n = 7, score = 200
            //   ff74243c             | push                dword ptr [esp + 0x3c]
            //   ff928c000000         | call                dword ptr [edx + 0x8c]
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]
            //   8bc8                 | mov                 ecx, eax
            //   894c2410             | mov                 dword ptr [esp + 0x10], ecx
            //   85c9                 | test                ecx, ecx
            //   0f85a1000000         | jne                 0xa7

        $sequence_3 = { 8b7c243c 2bc3 c1e002 8944244c 8d0c38 c7043800000000 894c2444 }
            // n = 7, score = 200
            //   8b7c243c             | mov                 edi, dword ptr [esp + 0x3c]
            //   2bc3                 | sub                 eax, ebx
            //   c1e002               | shl                 eax, 2
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax
            //   8d0c38               | lea                 ecx, [eax + edi]
            //   c7043800000000       | mov                 dword ptr [eax + edi], 0
            //   894c2444             | mov                 dword ptr [esp + 0x44], ecx

        $sequence_4 = { 8bfa 8bf1 e8???????? 83c40c 85c0 740e 893e }
            // n = 7, score = 200
            //   8bfa                 | mov                 edi, edx
            //   8bf1                 | mov                 esi, ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   893e                 | mov                 dword ptr [esi], edi

        $sequence_5 = { 23ce 89442434 8bc7 23c3 89542454 0bc8 c1c205 }
            // n = 7, score = 200
            //   23ce                 | and                 ecx, esi
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8bc7                 | mov                 eax, edi
            //   23c3                 | and                 eax, ebx
            //   89542454             | mov                 dword ptr [esp + 0x54], edx
            //   0bc8                 | or                  ecx, eax
            //   c1c205               | rol                 edx, 5

        $sequence_6 = { e8???????? 8b4b44 8b4608 8d0445ffffffff 23c1 89460c 8b7e10 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4b44               | mov                 ecx, dword ptr [ebx + 0x44]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8d0445ffffffff       | lea                 eax, [eax*2 - 1]
            //   23c1                 | and                 eax, ecx
            //   89460c               | mov                 dword ptr [esi + 0xc], eax
            //   8b7e10               | mov                 edi, dword ptr [esi + 0x10]

        $sequence_7 = { 8b01 6a01 ff10 8b7ddc 8d4dd0 8b75e0 51 }
            // n = 7, score = 200
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a01                 | push                1
            //   ff10                 | call                dword ptr [eax]
            //   8b7ddc               | mov                 edi, dword ptr [ebp - 0x24]
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   8b75e0               | mov                 esi, dword ptr [ebp - 0x20]
            //   51                   | push                ecx

        $sequence_8 = { 8bbd6cffffff 8b8d68ffffff 8b55b4 8b4590 c60700 8901 83fa10 }
            // n = 7, score = 200
            //   8bbd6cffffff         | mov                 edi, dword ptr [ebp - 0x94]
            //   8b8d68ffffff         | mov                 ecx, dword ptr [ebp - 0x98]
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   c60700               | mov                 byte ptr [edi], 0
            //   8901                 | mov                 dword ptr [ecx], eax
            //   83fa10               | cmp                 edx, 0x10

        $sequence_9 = { e8???????? 8d460c c745fc00000000 50 8d45dc 50 8d4dc4 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]

    /* Match requires at least 7 of the 10 $sequence_N patterns to be present
     * (a partial-match threshold that tolerates some sequences being absent
     * or altered in a given build) AND the scanned object to be smaller than
     * 2744320 bytes (~2.6 MiB), which bounds scan cost and excludes large
     * files that merely contain a few common code idioms.
     * NOTE(review): the `filesize` clause refers to the size of the file
     * being scanned; its meaning when scanning process memory differs, so
     * confirm the threshold still behaves as intended in your scanner/EDR.
     */
    condition:
        7 of them and filesize < 2744320
}