win.whiteblackcrypt

WhiteBlackCrypt

aka: WARYLOOK

There is no curated description at this point. What the references and rules below establish: a Windows ransomware family (aka WARYLOOK) whose encrypted files carry the `.encrpt3d` extension; its detection strings also include the hard-coded path `C:\ProgramData\CheckServiceD.exe`, the `Software\Microsoft\Windows\CurrentVersion\Run` key, and a ransom note demanding 10 BTC to a fixed Bitcoin address. The 2022 references discuss it alongside WhisperKill/WhisperGate.

References
2022-01-31 — Medium (Sebdraven / Sébastien Larinier)
WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 — CheckMal
WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20230808 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {

    /* Autogenerated code-sequence signature for WhiteBlackCrypt (aka WARYLOOK) ransomware.
     * Each $sequence_* string is a run of raw x86 opcode bytes lifted from unpacked /
     * memory-dumped samples (see the DISCLAIMER below); "????" are wildcarded bytes
     * (call targets and RIP-relative displacements, which change between builds).
     *
     * NOTE(review): the per-byte mnemonics originally emitted next to each sequence did
     * not correspond to the bytes they annotated (e.g. 0x5b was labelled "dec eax").
     * They have been re-decoded by hand below as x86-64 -- the REX prefixes
     * 0x48/0x4c/0x41/0x44 show the sample is a 64-bit build -- and should be confirmed
     * with a disassembler before being relied on for analysis. Relative jump targets are
     * given as signed byte offsets, not resolved addresses.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE: date, malpedia_rule_date and malpedia_version are three different
        // Malpedia / yara-signator stamps and are not expected to agree with each other.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Short loop that passes 10000 (0x2710) in ecx to an import called through a
        // RIP-relative pointer and jumps back; with ecx as the first Win64 argument this
        // looks like a Sleep(10000)-style wait loop -- TODO confirm the import target.
        $sequence_0 = { 790d b910270000 ff15???????? ebea e8???????? b805000030 31c9 }
            // n = 7, score = 100
            //   790d                 | jns                 +0x0d
            //   b910270000           | mov                 ecx, 0x2710
            //   ff15????????         | call                qword ptr [rip + ?]
            //   ebea                 | jmp                 -0x16
            //   e8????????           | call                ?
            //   b805000030           | mov                 eax, 0x30000005
            //   31c9                 | xor                 ecx, ecx

        // Tail of a loop that stores xmm1 into a structure at [rdi+0xb0] and advances rbx
        // by 16 bytes per iteration, followed by a function epilogue.
        $sequence_1 = { 75ed 0f118fb0000000 4883c310 ebc4 4883c420 5b 5e }
            // n = 7, score = 100
            //   75ed                 | jne                 -0x13
            //   0f118fb0000000       | movups              xmmword ptr [rdi + 0xb0], xmm1
            //   4883c310             | add                 rbx, 0x10
            //   ebc4                 | jmp                 -0x3c
            //   4883c420             | add                 rsp, 0x20
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi

        // Function prologue followed by a three-way dispatch on edx (edx == 2, > 2, == 1).
        $sequence_2 = { 4883ec38 83fa02 744c 7707 83fa01 745a eb4d }
            // n = 7, score = 100
            //   4883ec38             | sub                 rsp, 0x38
            //   83fa02               | cmp                 edx, 2
            //   744c                 | je                  +0x4c
            //   7707                 | ja                  +0x07
            //   83fa01               | cmp                 edx, 1
            //   745a                 | je                  +0x5a
            //   eb4d                 | jmp                 +0x4d

        // Epilogue of one function and the start of the next (r9 = rdx + 16, rcx <<= 4).
        $sequence_3 = { 75a2 5b 5e c3 4c8d4a10 48c1e104 }
            // n = 6, score = 100
            //   75a2                 | jne                 -0x5e
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi
            //   c3                   | ret
            //   4c8d4a10             | lea                 r9, [rdx + 0x10]
            //   48c1e104             | shl                 rcx, 4

        // Loads a RIP-relative address into rcx (first argument), sets a global dword to 1,
        // calls a routine and tests its return value; eax = 1 on the non-null path.
        $sequence_4 = { 488d0d583d0000 c705????????01000000 e8???????? 4885c0 7414 b801000000 }
            // n = 6, score = 100
            //   488d0d583d0000       | lea                 rcx, [rip + 0x3d58]
            //   c705????????01000000 | mov                 dword ptr [rip + ?], 1
            //   e8????????           | call                ?
            //   4885c0               | test                rax, rax
            //   7414                 | je                  +0x14
            //   b801000000           | mov                 eax, 1

        // Inline memset idiom: rdi = buffer, al = fill byte (from r14d), rep stosb with the
        // count already in rcx, then the buffer is passed back in rcx to the next call.
        $sequence_5 = { 4889c6 4889c7 4489f0 f3aa 4889f1 e8???????? }
            // n = 6, score = 100
            //   4889c6               | mov                 rsi, rax
            //   4889c7               | mov                 rdi, rax
            //   4489f0               | mov                 eax, r14d
            //   f3aa                 | rep stosb           byte ptr [rdi], al
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           | call                ?

        // Prologue reserving a 0x3b0-byte frame; r8 = RIP-relative address (third argument),
        // r9d = 0xffff (fourth argument), eax cleared.
        $sequence_6 = { 4881ecb0030000 4c8d0504420000 31c0 41b9ffff0000 }
            // n = 4, score = 100
            //   4881ecb0030000       | sub                 rsp, 0x3b0
            //   4c8d0504420000       | lea                 r8, [rip + 0x4204]
            //   31c0                 | xor                 eax, eax
            //   41b9ffff0000         | mov                 r9d, 0xffff

        // Byte-copy loop body (store al, advance rcx, jump back) followed by ret and the
        // push rbp of the next function.
        $sequence_7 = { 8801 48ffc1 ebe8 c3 55 }
            // n = 5, score = 100
            //   8801                 | mov                 byte ptr [rcx], al
            //   48ffc1               | inc                 rcx
            //   ebe8                 | jmp                 -0x18
            //   c3                   | ret
            //   55                   | push                rbp

        // Lowercase-letter range test: (al - 'a') compared against 25 ('z' - 'a').
        $sequence_8 = { 7412 8d509f 80fa19 7703 }
            // n = 4, score = 100
            //   7412                 | je                  +0x12
            //   8d509f               | lea                 edx, [rax - 0x61]
            //   80fa19               | cmp                 dl, 0x19
            //   7703                 | ja                  +0x03

        // Mixed SSE/x87 float code: edx converted to double, values spilled to the stack and
        // reloaded onto the x87 stack, then fscale -- consistent with an ldexp/pow helper
        // (likely a compiler runtime routine rather than family-specific logic).
        $sequence_9 = { f20f2ad2 48895c2420 dd442420 f20f11542428 dd442428 d9c9 d9fd }
            // n = 7, score = 100
            //   f20f2ad2             | cvtsi2sd            xmm2, edx
            //   48895c2420           | mov                 qword ptr [rsp + 0x20], rbx
            //   dd442420             | fld                 qword ptr [rsp + 0x20]
            //   f20f11542428         | movsd               qword ptr [rsp + 0x28], xmm2
            //   dd442428             | fld                 qword ptr [rsp + 0x28]
            //   d9c9                 | fxch                st(1)
            //   d9fd                 | fscale

    condition:
        // 7 of the 10 sequences must be present, and the scanned object must be smaller than
        // 99328 bytes (97 KiB), which bounds it to the size of the unpacked sample.
        // NOTE(review): the sequences come from unpacked code, so packed on-disk samples
        // will generally not match; and `filesize` is a file-level property -- check how
        // your scanner defines it before applying this rule to process memory.
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    /* String-based detection for WhiteBlackCrypt (aka WARYLOOK) ransomware binaries.
     * Three strings are family-specific (the ".encrpt3d" extension given to encrypted
     * files, the hard-coded path C:\ProgramData\CheckServiceD.exe and the opaque token
     * "ye64T0p"); the other three (HOMEDRIVE, USERPROFILE and the ...\CurrentVersion\Run
     * key) are generic Windows strings present in many benign programs. Because the
     * condition needs 5 of 6, at most one string may be missing, so at least two of the
     * three family-specific strings must be present -- the generic ones cannot match alone.
     * All strings are plain ASCII (no `wide` modifier); a build that stores them as UTF-16
     * would not match -- TODO confirm against samples before adding `ascii wide`.
     */
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Family-specific: extension appended to encrypted files.
        $ = ".encrpt3d"
        // Family-specific: hard-coded executable path (YARA string, so "\\" is one backslash).
        $ = "C:\\ProgramData\\CheckServiceD.exe"
        // Generic environment-variable name; weak on its own.
        $ = "HOMEDRIVE"
        // Family-specific opaque token; meaning not established by the references here.
        $ = "ye64T0p"
        // Generic environment-variable name; weak on its own.
        $ = "USERPROFILE"
        // Generic autorun registry path; weak on its own.
        $ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    condition:
        // 5 of 6: tolerates exactly one missing string, see the header comment.
        5 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    /* Matches three runs of NUL-terminated, upper-case target file extensions as laid out
     * in WhiteBlackCrypt's extension table. Each hex string is a contiguous sequence of
     * ".EXT\0" entries, so it matches only this exact extension ordering, not the
     * individual extensions.
     * NOTE(review): extension tables of this shape are shared between ransomware families
     * (the lists are not specific to this one by construction), so confirm the
     * false-positive rate against other families before alerting on this rule alone.
     */
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // ".VMDK\0.VMX\0.GPG\0.AES\0.ARC\0.PAQ\0.BZ2\0.TBK\0.BAK\0.TAR\0.TGZ\0"
        // (virtual-machine, encrypted-container, archive and backup extensions)
        $ = {2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00 
             2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E 
             42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00}
        // ".PPAM\0.POTX\0.POTM\0.EDB\0.HWP\0.602\0.SXI\0.STI\0.SLDX\0.SLDM\0"
        // (Office / OpenOffice presentation and document extensions)
        $ = {2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
             42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49 
             00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00}
        // ".IBD\0.MYI\0.MYD\0.FRM\0.ODB\0.DBF\0.DB\0.MDB\0.ACCDB\0.SQL\0.SQLITEDB\0"
        // (database file extensions)
        $ = {2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
        	 4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43 
        	 43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00}
    condition:
        // There are exactly three strings, so this requires all of them.
        3 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    /* Matches fragments of the WhiteBlackCrypt ransom note (10 BTC demand, fixed Bitcoin
     * address, promise of an RSA private key and decryptor link). Useful against both the
     * binary and dropped note files, as long as the text is stored as ASCII (no `wide`
     * modifier is set).
     * The spelling errors in the fragments ("files has", "cant", "recieve", "moneys") are
     * verbatim from the note and must NOT be corrected -- they are part of the match.
     * The Bitcoin address is the strongest single indicator here and can be pivoted on
     * independently of this rule.
     */
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
		// Opening line of the note, including the ransom amount.
		$ = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
		// Payment address quoted in the note.
		$ = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
		// Decryption promise; the note is split into fragments so line-wrapping changes
		// in individual samples do not break the match.
		$ = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
		$ = "all files on every computer, encrypted with this program"
		// Trailing space is intentional -- it is part of the note text.
		$ = "If we recieve moneys, "
		$ = "for acquiring decryption key, please send us"
		$ = "address of your bitcoin wallet."
    condition:
        // Any 3 of the 7 fragments; tolerant of partially rewritten or truncated notes.
        3 of them    
}