win.whiteblackcrypt

WhiteBlackCrypt

aka: WARYLOOK

There is no description at this point.

References
2022-01-31 — Medium Sebdraven — Sébastien Larinier
@online{larinier:20220131:whisperkill:a46b908, author = {Sébastien Larinier}, title = {{WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…}}, date = {2022-01-31}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316}, language = {French}, urldate = {2022-03-07} } WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 — CheckMal — CheckMal
@online{checkmal:20210726:whiteblackgroup:397b3d3, author = {CheckMal}, title = {{WhiteBlackGroup Ransomware (.encrpt3d)}}, date = {2021-07-26}, organization = {CheckMal}, url = {https://www.checkmal.com/video/read/3605/}, language = {English}, urldate = {2022-03-07} } WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20221125 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {
    // Auto-generated code-sequence rule for win.whiteblackcrypt (see meta/info
    // below). Each $sequence_N is a run of raw x86/x64 opcode bytes taken from a
    // disassembled sample; "??" wildcards mask relocated operands (call/jmp
    // targets, RIP-relative addresses) so the sequence survives rebasing.
    //
    // NOTE(review): the "| mnemonic" annotations next to the hex bytes do not
    // correspond to the bytes on the same line (e.g. 31c0 is "xor eax, eax",
    // not "mov edx, ebx"). Treat the annotations as informational only; the
    // hex bytes are what the rule actually matches.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d0504420000 31c0 41b9ffff0000 488d9424b0010000 4889cb b980000000 c744246400020000 }
            // n = 7, score = 100
            //   4c8d0504420000       | dec                 eax
            //   31c0                 | mov                 edx, ebx
            //   41b9ffff0000         | test                esi, esi
            //   488d9424b0010000     | js                  0xc41
            //   4889cb               | dec                 ax
            //   b980000000           | movd                mm0, ebp
            //   c744246400020000     | dec                 eax

        $sequence_1 = { e8???????? 488d74242c b920000000 488905???????? e8???????? 4c8b05???????? 488d0d287a0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d74242c           | mov                 edx, 0xffffffff
            //   b920000000           | dec                 ax
            //   488905????????       |                     
            //   e8????????           |                     
            //   4c8b05????????       |                     
            //   488d0d287a0000       | movd                mm0, ebp

        $sequence_2 = { 443209 41ffc2 4883c104 443241fd 3251fe 3241ff 4488490c }
            // n = 7, score = 100
            //   443209               | ucomisd             xmm0, xmm7
            //   41ffc2               | jp                  0xd09
            //   4883c104             | je                  0xd2b
            //   443241fd             | test                esi, esi
            //   3251fe               | dec                 eax
            //   3241ff               | mov                 edx, ebx
            //   4488490c             | ucomisd             xmm0, xmm7

        $sequence_3 = { 0fb64601 3c5c 7408 3c2f 0f8547ffffff 0fb65602 }
            // n = 6, score = 100
            //   0fb64601             | mov                 dword ptr [esp + 0xe0], 0
            //   3c5c                 | dec                 eax
            //   7408                 | mov                 dword ptr [esp + 0xf0], 0
            //   3c2f                 | dec                 eax
            //   0f8547ffffff         | lea                 edx, [ecx + 0xb0]
            //   0fb65602             | dec                 ecx

        $sequence_4 = { ff15???????? 488b4c2478 ff15???????? 488d1583410000 4531c0 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488b4c2478           | ucomisd             xmm0, xmm7
            //   ff15????????         |                     
            //   488d1583410000       | jp                  0x1136
            //   4531c0               | je                  0xf2d

        $sequence_5 = { 31c9 440fb608 ffc1 4883c004 468a4c0d00 448848fc }
            // n = 6, score = 100
            //   31c9                 | mov                 ecx, esi
            //   440fb608             | dec                 eax
            //   ffc1                 | add                 ecx, 9
            //   4883c004             | dec                 eax
            //   468a4c0d00           | mov                 edx, ebp
            //   448848fc             | xor                 eax, eax

        $sequence_6 = { 7a02 746a 660fefd2 f20f2ad2 48895c2420 dd442420 f20f11542428 }
            // n = 7, score = 100
            //   7a02                 | mov                 dl, byte ptr [esp + edx + 0x20]
            //   746a                 | xor                 byte ptr [ebx], dl
            //   660fefd2             | mov                 dword ptr [ebx], eax
            //   f20f2ad2             | movzx               eax, word ptr [esp + 0x24]
            //   48895c2420           | mov                 word ptr [ebx + 4], ax
            //   dd442420             | movzx               eax, word ptr [esp + 0x26]
            //   f20f11542428         | mov                 word ptr [ebx + 6], ax

        $sequence_7 = { 488b5c2420 4889d8 48c1e820 89c1 }
            // n = 4, score = 100
            //   488b5c2420           | jne                 0xffffffea
            //   4889d8               | inc                 ecx
            //   48c1e820             | mov                 dl, byte ptr [ebx + 5]
            //   89c1                 | cmp                 ebx, 0xa

        $sequence_8 = { 7412 8d509f 80fa19 7703 }
            // n = 4, score = 100
            //   7412                 | mov                 ecx, ebp
            //   8d509f               | movaps              xmmword ptr [esp + 0x20], xmm0
            //   80fa19               | dec                 eax
            //   7703                 | mov                 edx, esi

        $sequence_9 = { d9c0 4883ec08 d97c2404 0fb7442404 80cc0c 66890424 }
            // n = 6, score = 100
            //   d9c0                 | add                 ebx, 4
            //   4883ec08             | inc                 ecx
            //   d97c2404             | xor                 eax, edi
            //   0fb7442404           | mov                 byte ptr [ebx - 3], cl
            //   80cc0c               | inc                 esp
            //   66890424             | xor                 edx, eax

    // At least 7 of the 10 sequences must be present; the filesize bound keeps
    // the rule from firing on large files (memory dumps, archives) that merely
    // embed the sample. Raise or drop the bound if scanning such containers.
    condition:
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    // String-based rule for WhiteBlackCrypt. All strings are anonymous ($), so
    // the condition counts any 5 of the 6. Two of them (HOMEDRIVE, USERPROFILE)
    // and the Run key are common in benign software; the 5-of-6 threshold means
    // at least two of the family-specific strings must also be present.
    //
    // NOTE(review): the strings carry no "wide" or "nocase" modifier, so YARA
    // matches them as case-sensitive ASCII only; UTF-16 copies would not match.
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // extension reported for the family's encrypted files (see the CheckMal reference)
        $ = ".encrpt3d"
        // fixed drop path; presumably where the sample copies itself -- verify against a sample
        $ = "C:\\ProgramData\\CheckServiceD.exe"
        // Windows environment variable names (generic, weak on their own)
        $ = "HOMEDRIVE"
        // opaque token; its role is not documented here
        $ = "ye64T0p"
        $ = "USERPROFILE"
        // per-user autorun registry key (generic, weak on its own)
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    condition:
        5 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    // Matches three NUL-separated tables of upper-case file extensions, each
    // written as a hex string so the embedded 0x00 separators are part of the
    // match. Presumably the sample's list of extensions to encrypt -- verify
    // against a sample. Requires all three tables ("3 of them" with 3 strings).
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // ".VMDK\0.VMX\0.GPG\0.AES\0.ARC\0.PAQ\0.BZ2\0.TBK\0.BAK\0.TAR\0.TGZ\0"
        // (virtual disk, encrypted-container and archive/backup extensions)
        $ = {2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00 
             2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E 
             42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00}
        // ".PPAM\0.POTX\0.POTM\0.EDB\0.HWP\0.602\0.SXI\0.STI\0.SLDX\0.SLDM\0"
        // (office/presentation document extensions)
        $ = {2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
             42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49 
             00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00}
        // ".IBD\0.MYI\0.MYD\0.FRM\0.ODB\0.DBF\0.DB\0.MDB\0.ACCDB\0.SQL\0.SQLITEDB\0"
        // (database file extensions)
        $ = {2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
        	 4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43 
        	 43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00}
    condition:
        3 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    // Matches fragments of the WhiteBlackCrypt ransom note. The fragments are
    // quoted verbatim, including the note's spelling errors ("cant", "recieve",
    // "moneys"), so do not "fix" them -- the typos are part of the signature.
    // Any 3 of the 7 fragments suffice; the plain-text note dropped on disk
    // would match as well as the binary that embeds it.
    //
    // NOTE(review): ASCII-only matching (no "wide" modifier); a UTF-16 note
    // would not match.
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
		$ = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
		// bitcoin address quoted in the note; useful as a pivot for tracking payments
		$ = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
		$ = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
		$ = "all files on every computer, encrypted with this program"
		$ = "If we recieve moneys, "
		$ = "for acquiring decryption key, please send us"
		$ = "address of your bitcoin wallet."
    condition:
        3 of them    
}