
WhiteBlackCrypt

aka: WARYLOOK

There is no description at this point.

References
2022-01-31 · Medium Sebdraven · Sébastien Larinier
@online{larinier:20220131:whisperkill:a46b908, author = {Sébastien Larinier}, title = {{WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…}}, date = {2022-01-31}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316}, language = {French}, urldate = {2022-03-07} } WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 · CheckMal · CheckMal
@online{checkmal:20210726:whiteblackgroup:397b3d3, author = {CheckMal}, title = {{WhiteBlackGroup Ransomware (.encrpt3d)}}, date = {2021-07-26}, organization = {CheckMal}, url = {https://www.checkmal.com/video/read/3605/}, language = {English}, urldate = {2022-03-07} } WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20220516 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The opcode sequences below are 64-bit code (REX prefixes 0x40-0x4d,
     *   rsp-relative and rip-relative addressing), so the rule targets the
     *   x64 build of the sample it was generated from; a 32-bit build would
     *   not share these byte patterns.
     * - The "????????" wildcards stand for the rel32 operand of e8 (call),
     *   e9 (jmp) and 0f 8x (jcc) and for the rip-relative disp32 of the movsd
     *   loads; those values change with code placement, so matching them
     *   literally would tie the rule to a single build.
     * - Per the disclaimer, the bytes were taken from memory dumps and unpacked
     *   files: a packed on-disk sample will not contain these sequences, and
     *   the filesize cap in the condition also excludes large containers
     *   (installers, full process dumps). Scan unpacked/in-memory artefacts.
     * - The per-byte annotations below were re-derived from the listed bytes
     *   (x86-64 decoding). The original auto-generated annotations paired each
     *   byte string with unrelated disassembly lines (e.g. "57" was labelled
     *   "je", but 0x57 is push rdi) and should not be relied on.
     */


    strings:
        $sequence_0 = { f20f1035???????? 0f853ffeffff 84c9 7410 84c0 }
            // n = 5, score = 100
            //   f20f1035????????     | movsd               xmm6, qword ptr [rip + disp32]
            //   0f853ffeffff         | jne                 -0x1c1
            //   84c9                 | test                cl, cl
            //   7410                 | je                  +0x10
            //   84c0                 | test                al, al

        $sequence_1 = { 4989c4 4d63c0 4889c1 e8???????? }
            // n = 4, score = 100
            //   4989c4               | mov                 r12, rax
            //   4d63c0               | movsxd              r8, r8d
            //   4889c1               | mov                 rcx, rax
            //   e8????????           | call                rel32

        $sequence_2 = { 31c1 324c243a 334c243c 4431e1 4131e8 40326c243d }
            // n = 6, score = 100
            //   31c1                 | xor                 ecx, eax
            //   324c243a             | xor                 cl, byte ptr [rsp + 0x3a]
            //   334c243c             | xor                 ecx, dword ptr [rsp + 0x3c]
            //   4431e1               | xor                 ecx, r12d
            //   4131e8               | xor                 r8d, ebp
            //   40326c243d           | xor                 bpl, byte ptr [rsp + 0x3d]
            // (byte-wise xor chain over stack locals: looks like an inlined
            //  block-cipher or checksum step — TODO confirm against the sample)

        $sequence_3 = { 660f28f4 e9???????? 85c0 f20f1035???????? 0f841bffffff }
            // n = 5, score = 100
            //   660f28f4             | movapd              xmm6, xmm4
            //   e9????????           | jmp                 rel32
            //   85c0                 | test                eax, eax
            //   f20f1035????????     | movsd               xmm6, qword ptr [rip + disp32]
            //   0f841bffffff         | je                  -0xe5

        $sequence_4 = { 4131cd 0fb6c9 e8???????? 4489f9 4431d0 }
            // n = 5, score = 100
            //   4131cd               | xor                 r13d, ecx
            //   0fb6c9               | movzx               ecx, cl
            //   e8????????           | call                rel32
            //   4489f9               | mov                 ecx, r15d
            //   4431d0               | xor                 eax, r10d

        $sequence_5 = { 57 56 53 4883ec60 4885c9 4889ce 4889d3 }
            // n = 7, score = 100
            //   57                   | push                rdi
            //   56                   | push                rsi
            //   53                   | push                rbx
            //   4883ec60             | sub                 rsp, 0x60
            //   4885c9               | test                rcx, rcx
            //   4889ce               | mov                 rsi, rcx
            //   4889d3               | mov                 rbx, rdx
            // (x64 function prologue: saves callee-saved registers, reserves
            //  0x60 bytes of stack and copies the first two arguments)

        $sequence_6 = { 0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff 48898338020000 }
            // n = 5, score = 100
            //   0f84d4000000         | je                  +0xd4
            //   488b8b38020000       | mov                 rcx, qword ptr [rbx + 0x238]
            //   e8????????           | call                rel32
            //   48c7c0ffffffff       | mov                 rax, -1
            //   48898338020000       | mov                 qword ptr [rbx + 0x238], rax
            // (loads a field at +0x238, calls with it as first argument, then
            //  overwrites the field with -1, i.e. INVALID_HANDLE_VALUE-style
            //  sentinel — presumably a handle close; verify against the sample)

        $sequence_7 = { 8801 48ffc1 ebe8 c3 55 }
            // n = 5, score = 100
            //   8801                 | mov                 byte ptr [rcx], al
            //   48ffc1               | inc                 rcx
            //   ebe8                 | jmp                 -0x18
            //   c3                   | ret
            //   55                   | push                rbp
            // (byte-store loop tail followed by the start of the next function)

        $sequence_8 = { 0f854effffff 85c0 41b800050000 0f8440ffffff 66480f6eef 660f2eee 7a05 }
            // n = 7, score = 100
            //   0f854effffff         | jne                 -0xb2
            //   85c0                 | test                eax, eax
            //   41b800050000         | mov                 r8d, 0x500
            //   0f8440ffffff         | je                  -0xc0
            //   66480f6eef           | movq                xmm5, rdi
            //   660f2eee             | ucomisd             xmm5, xmm6
            //   7a05                 | jp                  +0x5

        $sequence_9 = { e8???????? 4531c0 89f2 4889d9 e8???????? 4401e6 4d63c4 }
            // n = 7, score = 100
            //   e8????????           | call                rel32
            //   4531c0               | xor                 r8d, r8d
            //   89f2                 | mov                 edx, esi
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                rel32
            //   4401e6               | add                 esi, r12d
            //   4d63c4               | movsxd              r8, r12d

    condition:
        // 7 of the 10 sequences must be present. The filesize cap
        // (99328 = 0x18400 bytes) keeps the rule cheap on large files but
        // also means an embedded/larger copy of the payload is never matched.
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // All strings are plain, case-sensitive ASCII (no "wide"/"nocase"
        // modifiers), so a UTF-16 copy of the same text is not counted.
        // Family-specific artefacts:
        $ = ".encrpt3d"                                    // extension the family appends to encrypted files (cf. the CheckMal reference)
        $ = "C:\\ProgramData\\CheckServiceD.exe"         // hard-coded executable path; presumably where the sample copies itself — verify against analysis
        $ = "ye64T0p"                                      // opaque token; its role is not evident from the rule alone
        // Generic Windows strings (present in many benign binaries; weak alone):
        $ = "HOMEDRIVE"
        $ = "USERPROFILE"
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"   // Run key, a common persistence location
    condition:
        // Six strings, five required: at most one may be absent, so at least
        // two of the three family-specific strings must appear alongside the
        // generic ones. No filesize bound, so the rule also fires on memory
        // dumps and documents that merely contain the text.
        5 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Each hex string is a run of NUL-terminated, upper-case ASCII
        // extensions exactly as laid out in the sample's target-extension
        // table. Matching the raw bytes (including the 00 separators and the
        // order) makes the rule specific to this table layout; a build that
        // reorders the list or stores it as UTF-16 would not match.
        // Decodes to: .VMDK .VMX .GPG .AES .ARC .PAQ .BZ2 .TBK .BAK .TAR .TGZ
        // (virtual disks, encrypted containers, archives and backups)
        $ = {2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00 
             2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E 
             42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00}
        // Decodes to: .PPAM .POTX .POTM .EDB .HWP .602 .SXI .STI .SLDX .SLDM
        // (Office/OpenOffice document and template formats)
        $ = {2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
             42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49 
             00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00}
        // Decodes to: .IBD .MYI .MYD .FRM .ODB .DBF .DB .MDB .ACCDB .SQL .SQLITEDB
        // (database files)
        $ = {2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
        	 4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43 
        	 43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00}
    condition:
        // Three strings defined, three required: all of them must be present.
        3 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Fragments of the ransom note text. The spelling and grammar errors
        // ("has been", "cant", "recieve moneys") are verbatim from the sample
        // and are part of what makes these strings specific; do not "fix" them.
        // Plain ASCII, case-sensitive: a note dropped as UTF-16 would not match.
		$ = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
		// Payment address quoted in the note (a useful pivot for tracking the campaign).
		$ = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
		$ = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
		$ = "all files on every computer, encrypted with this program"
		$ = "If we recieve moneys, "
		$ = "for acquiring decryption key, please send us"
		$ = "address of your bitcoin wallet."
    condition:
        // Any 3 of the 7 fragments. Without a filesize or file-type bound the
        // rule also matches reports, e-mails and notes quoting the text;
        // treat hits outside executables as "ransom note present", not "binary present".
        3 of them    
}