Void (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.void (Back to overview)
Void

aka: VoidCrypt
Ransomware.
References

2021-10-07 ⋅ Kaspersky ⋅ Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2020-04-10 ⋅ ID Ransomware ⋅ Andrew Ivanov
Void Ransomware
Void
Yara Rules

[TLP:WHITE] win_void_auto (20230125 | Detects win.void.)
rule win_void_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.void."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff504c ff742418 8bf8 ff742418 8bcf ff742424 8b17 }
            // n = 7, score = 200
            //   ff504c               | call                dword ptr [eax + 0x4c]
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   8bf8                 | mov                 edi, eax
            //   ff742418             | push                dword ptr [esp + 0x18]
            //   8bcf                 | mov                 ecx, edi
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   8b17                 | mov                 edx, dword ptr [edi]

        $sequence_1 = { eb06 8bb56cfbffff 6a0e 68???????? 8d8dd8fbffff c785e8fbffff00000000 }
            // n = 6, score = 200
            //   eb06                 | jmp                 8
            //   8bb56cfbffff         | mov                 esi, dword ptr [ebp - 0x494]
            //   6a0e                 | push                0xe
            //   68????????           |                     
            //   8d8dd8fbffff         | lea                 ecx, [ebp - 0x428]
            //   c785e8fbffff00000000     | mov    dword ptr [ebp - 0x418], 0

        $sequence_2 = { 8bf1 8b6f0c 8b460c 3be8 762e 6a01 55 }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   8b6f0c               | mov                 ebp, dword ptr [edi + 0xc]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   3be8                 | cmp                 ebp, eax
            //   762e                 | jbe                 0x30
            //   6a01                 | push                1
            //   55                   | push                ebp

        $sequence_3 = { 8bd0 89442454 8b84248c000000 8bc8 c1c007 c1c90b 33c8 }
            // n = 7, score = 200
            //   8bd0                 | mov                 edx, eax
            //   89442454             | mov                 dword ptr [esp + 0x54], eax
            //   8b84248c000000       | mov                 eax, dword ptr [esp + 0x8c]
            //   8bc8                 | mov                 ecx, eax
            //   c1c007               | rol                 eax, 7
            //   c1c90b               | ror                 ecx, 0xb
            //   33c8                 | xor                 ecx, eax

        $sequence_4 = { ff5004 8d4584 c745fc00000000 50 e8???????? 8b4d88 83c404 }
            // n = 7, score = 200
            //   ff5004               | call                dword ptr [eax + 4]
            //   8d4584               | lea                 eax, [ebp - 0x7c]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4d88               | mov                 ecx, dword ptr [ebp - 0x78]
            //   83c404               | add                 esp, 4

        $sequence_5 = { 7f0e 7c08 8b4508 3b4510 7704 b001 5d }
            // n = 7, score = 200
            //   7f0e                 | jg                  0x10
            //   7c08                 | jl                  0xa
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   3b4510               | cmp                 eax, dword ptr [ebp + 0x10]
            //   7704                 | ja                  6
            //   b001                 | mov                 al, 1
            //   5d                   | pop                 ebp

        $sequence_6 = { e8???????? 8a45d7 83c408 84c0 0f8490000000 68???????? e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8a45d7               | mov                 al, byte ptr [ebp - 0x29]
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   0f8490000000         | je                  0x96
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_7 = { c3 8d8dd8fbffff e9???????? 8d8dc0fbffff e9???????? 8b542408 }
            // n = 6, score = 200
            //   c3                   | ret                 
            //   8d8dd8fbffff         | lea                 ecx, [ebp - 0x428]
            //   e9????????           |                     
            //   8d8dc0fbffff         | lea                 ecx, [ebp - 0x440]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]

        $sequence_8 = { 740b 8d4da0 83e3fd e8???????? f6c301 7408 8d4d88 }
            // n = 7, score = 200
            //   740b                 | je                  0xd
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   83e3fd               | and                 ebx, 0xfffffffd
            //   e8????????           |                     
            //   f6c301               | test                bl, 1
            //   7408                 | je                  0xa
            //   8d4d88               | lea                 ecx, [ebp - 0x78]

        $sequence_9 = { 8d4f10 c745ec00000000 c745f000000000 c745f400000000 c745f800000000 e8???????? }
            // n = 6, score = 200
            //   8d4f10               | lea                 ecx, [edi + 0x10]
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   e8????????           |                     

    condition:
        7 of them and filesize < 2744320
}
Download all Yara Rules
Void Propose Change

References

Yara Rules

Void
