win.whiteblackcrypt

WhiteBlackCrypt

aka: WARYLOOK

There is no description at this point.

References
2022-01-31 — Medium (Sebdraven) — Sébastien Larinier
WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 — CheckMal — CheckMal
WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20260504 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The per-instruction annotations that originally accompanied each
     * $sequence_N did not correspond to the bytes of that pattern (they read
     * like a shuffled 32-bit decode of different code). They have been replaced
     * with a manual x86-64 decode of the hex bytes exactly as written; verify
     * against a disassembler before relying on any reading. "e8 ????????" is a
     * call rel32 whose displacement is wildcarded because it changes with
     * relocation. The byte patterns and the condition are untouched, so the
     * rule's matching behaviour is unchanged by this annotation fix.
     */

    strings:
        $sequence_0 = { 0f1086b0000000 4889f2 4889e9 0f29442420 e8???????? }
            // n = 5, score = 100
            //   0f1086b0000000       | movups              xmm0, xmmword ptr [rsi + 0xb0]
            //   4889f2               | mov                 rdx, rsi
            //   4889e9               | mov                 rcx, rbp
            //   0f29442420           | movaps              xmmword ptr [rsp + 0x20], xmm0
            //   e8????????           | call                <rel32, wildcarded>

        $sequence_1 = { 8a4301 0fb64c243a 8844243b 8a4302 8844243c }
            // n = 5, score = 100
            //   8a4301               | mov                 al, byte ptr [rbx + 1]
            //   0fb64c243a           | movzx               ecx, byte ptr [rsp + 0x3a]
            //   8844243b             | mov                 byte ptr [rsp + 0x3b], al
            //   8a4302               | mov                 al, byte ptr [rbx + 2]
            //   8844243c             | mov                 byte ptr [rsp + 0x3c], al
            // (copies bytes 1..2 of a structure at rbx into a stack buffer)

        $sequence_2 = { 83f8ff 89c5 749a 8b442420 488d7324 41b804010000 }
            // n = 6, score = 100
            //   83f8ff               | cmp                 eax, 0xffffffff
            //   89c5                 | mov                 ebp, eax
            //   749a                 | je                  <rel8, backwards>
            //   8b442420             | mov                 eax, dword ptr [rsp + 0x20]
            //   488d7324             | lea                 rsi, [rbx + 0x24]
            //   41b804010000         | mov                 r8d, 0x104
            // (0x104 == 260; a MAX_PATH-sized length argument is a plausible
            //  reading, but the callee is outside the pattern — unverified)

        $sequence_3 = { e8???????? 99 f7fd 88141e 48ffc3 ebec 4889f0 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   99                   | cdq
            //   f7fd                 | idiv                ebp
            //   88141e               | mov                 byte ptr [rsi + rbx], dl
            //   48ffc3               | inc                 rbx
            //   ebec                 | jmp                 <rel8, backwards>
            //   4889f0               | mov                 rax, rsi
            // (loop tail: stores the remainder byte of call-result / ebp into a
            //  buffer at rsi and advances; looks like buffer generation from a
            //  called value source — the callee is not in the pattern)

        $sequence_4 = { 4889c7 4989d9 41b800000002 ba01000000 4889f9 }
            // n = 5, score = 100
            //   4889c7               | mov                 rdi, rax
            //   4989d9               | mov                 r9, rbx
            //   41b800000002         | mov                 r8d, 0x02000000
            //   ba01000000           | mov                 edx, 1
            //   4889f9               | mov                 rcx, rdi
            // (Win64 ABI argument set-up: rcx/rdx/r8/r9 loaded before a call
            //  that lies outside the pattern)

        $sequence_5 = { e8???????? 31c0 8a9407b0000000 301406 48ffc0 }
            // n = 5, score = 100
            //   e8????????           | call                <rel32, wildcarded>
            //   31c0                 | xor                 eax, eax
            //   8a9407b0000000       | mov                 dl, byte ptr [rdi + rax + 0xb0]
            //   301406               | xor                 byte ptr [rsi + rax], dl
            //   48ffc0               | inc                 rax
            // (byte-wise XOR of the buffer at rsi with bytes read from
            //  rdi+0xb0 — consistent with a simple XOR transform loop; whether
            //  this is string decoding or file processing is not visible here)

        $sequence_6 = { 0f8498000000 80fa2f 75e3 4883c001 }
            // n = 4, score = 100
            //   0f8498000000         | je                  <rel32, +0x98>
            //   80fa2f               | cmp                 dl, 0x2f
            //   75e3                 | jne                 <rel8, backwards>
            //   4883c001             | add                 rax, 1
            // (0x2f is '/'; a character scan loop over a path-like string)

        $sequence_7 = { 458a4803 458a7801 4489f7 4489d1 4431cf }
            // n = 5, score = 100
            //   458a4803             | mov                 r9b, byte ptr [r8 + 3]
            //   458a7801             | mov                 r15b, byte ptr [r8 + 1]
            //   4489f7               | mov                 edi, r14d
            //   4489d1               | mov                 ecx, r10d
            //   4431cf               | xor                 edi, r9d

        $sequence_8 = { 0f94c2 89d0 4883c458 c3 53 4883ec20 ba2e000000 }
            // n = 7, score = 100
            //   0f94c2               | sete                dl
            //   89d0                 | mov                 eax, edx
            //   4883c458             | add                 rsp, 0x58
            //   c3                   | ret
            //   53                   | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   ba2e000000           | mov                 edx, 0x2e
            // (epilogue of one function followed by the prologue of the next;
            //  0x2e is '.', e.g. a character argument for a string search)

        $sequence_9 = { 0f29442420 e8???????? b80f000000 8a9406b0000000 80faff 7513 }
            // n = 6, score = 100
            //   0f29442420           | movaps              xmmword ptr [rsp + 0x20], xmm0
            //   e8????????           | call                <rel32, wildcarded>
            //   b80f000000           | mov                 eax, 0xf
            //   8a9406b0000000       | mov                 dl, byte ptr [rsi + rax + 0xb0]
            //   80faff               | cmp                 dl, 0xff
            //   7513                 | jne                 <rel8, +0x13>

    condition:
        // 7 of the 10 code sequences must match; the size bound excludes
        // large files and is tuned to the sample(s) this rule was generated from
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    meta:
        author = "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_version = "20220318"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Family-specific artefacts: the extension appended to encrypted files,
        // a hard-coded drop path and a fixed marker token.
        $ext_encrypted = ".encrpt3d"
        $drop_path     = "C:\\ProgramData\\CheckServiceD.exe"
        $marker        = "ye64T0p"

        // Generic artefacts: environment-variable names and the per-user
        // Run key. These also occur in plenty of benign software, so they
        // carry little weight on their own.
        $env_homedrive = "HOMEDRIVE"
        $env_profile   = "USERPROFILE"
        $run_key       = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

    condition:
        // 5 of 6 strings: at most one may be absent, so at least two of the
        // three family-specific strings are always required for a hit.
        5 of them
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    meta:
        author = "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_version = "20220318"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Each pattern is a run of NUL-terminated upper-case extension strings
        // exactly as laid out in the sample's target-extension table; the order
        // of the entries is part of the match, so the hex is kept verbatim.

        // ".VMDK" ".VMX" ".GPG" ".AES" ".ARC" ".PAQ" ".BZ2" ".TBK" ".BAK" ".TAR" ".TGZ"
        $ext_table_vm_archive = { 2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00
                                  2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E
                                  42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00 }

        // ".PPAM" ".POTX" ".POTM" ".EDB" ".HWP" ".602" ".SXI" ".STI" ".SLDX" ".SLDM"
        $ext_table_office = { 2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
                              42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49
                              00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00 }

        // ".IBD" ".MYI" ".MYD" ".FRM" ".ODB" ".DBF" ".DB" ".MDB" ".ACCDB" ".SQL" ".SQLITEDB"
        $ext_table_database = { 2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
                                4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43
                                43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00 }

    condition:
        // There are exactly three patterns, so all three tables must be present.
        3 of them
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    meta:
        author = "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_version = "20220318"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Fragments of the ransom note as embedded in the sample. The spelling
        // errors ("recieve", "cant", "moneys") are part of the original text and
        // must be preserved exactly; "correcting" them would break the match.
        $note_header  = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
        // Bitcoin address quoted in the note (value taken from the sample).
        $note_btc     = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
        $note_key     = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
        $note_scope   = "all files on every computer, encrypted with this program"
        $note_receive = "If we recieve moneys, "
        $note_acquire = "for acquiring decryption key, please send us"
        $note_wallet  = "address of your bitcoin wallet."

    condition:
        // Any 3 of the 7 note fragments; phrases are specific enough that
        // partial notes or slightly re-worded variants still match.
        3 of them
}