win.whiteblackcrypt

WhiteBlackCrypt

aka: WARYLOOK

There is no description at this point.

References
2022-01-31 | Medium Sebdraven | Sébastien Larinier
@online{larinier:20220131:whisperkill:a46b908, author = {Sébastien Larinier}, title = {{WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…}}, date = {2022-01-31}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316}, language = {French}, urldate = {2022-03-07} } WhisperKill vs WhiteBlackCrypt: un petit soucis de fichiers…
WhiteBlackCrypt
2021-07-26 | CheckMal | CheckMal
@online{checkmal:20210726:whiteblackgroup:397b3d3, author = {CheckMal}, title = {{WhiteBlackGroup Ransomware (.encrpt3d)}}, date = {2021-07-26}, organization = {CheckMal}, url = {https://www.checkmal.com/video/read/3605/}, language = {English}, urldate = {2022-03-07} } WhiteBlackGroup Ransomware (.encrpt3d)
WhiteBlackCrypt
Yara Rules
[TLP:WHITE] win_whiteblackcrypt_auto (20230715 | Detects win.whiteblackcrypt.)
rule win_whiteblackcrypt_auto {
    /* Auto-generated code-sequence rule for win.whiteblackcrypt (yara-signator).
     * Matching is done purely on the hex byte sequences in the strings section;
     * the "| mnemonic" annotations are informational only (see note below).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.whiteblackcrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the "| mnemonic" annotations below appear not to
        // correspond to the bytes they sit beside (e.g. 48ffc1 decodes to
        // `inc rcx`, c3 to `ret`, 55 57 56 to push rbp/rdi/rsi, and the
        // 0x41/0x48 REX prefixes indicate x86-64 code whereas the annotations
        // read as 32-bit). Only the hex patterns are matched; treat the
        // annotations as unverified and do not rely on them for analysis.
        // "??" bytes are wildcards (call/jump targets and RIP-relative
        // displacements that vary between builds).
        $sequence_0 = { 418a5305 41885309 418a5301 41884301 418a4302 41885305 }
            // n = 6, score = 100
            //   418a5305             | mov                 ecx, eax
            //   41885309             | dec                 eax
            //   418a5301             | lea                 edx, [esp + 0x20]
            //   41884301             | dec                 esp
            //   418a4302             | mov                 ecx, esp
            //   41885305             | dec                 ebp

        $sequence_1 = { 8801 48ffc1 ebe8 c3 55 57 56 }
            // n = 7, score = 100
            //   8801                 | dec                 ecx
            //   48ffc1               | lea                 eax, [ebx + 0x10]
            //   ebe8                 | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x30], eax
            //   55                   | mov                 ecx, 0x10
            //   57                   | xor                 ebx, ebx
            //   56                   | dec                 eax

        $sequence_2 = { e8???????? 0fb6c8 4189cf e8???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   0fb6c8               | lea                 eax, [0x4204]
            //   4189cf               | xor                 eax, eax
            //   e8????????           |                     

        $sequence_3 = { dd5c2420 488b5c2420 4889d8 48c1e820 89c1 81e1ffffff7f 09d9 }
            // n = 7, score = 100
            //   dd5c2420             | mov                 al, byte ptr [ebx]
            //   488b5c2420           | inc                 esp
            //   4889d8               | mov                 ah, byte ptr [ebx + 3]
            //   48c1e820             | mov                 byte ptr [esp + 0x3a], al
            //   89c1                 | test                esi, esi
            //   81e1ffffff7f         | js                  0x1b8f
            //   09d9                 | movapd              xmm0, xmm6

        $sequence_4 = { 99 f7f9 31c9 488d15eb3f0000 }
            // n = 4, score = 100
            //   99                   | dec                 eax
            //   f7f9                 | mov                 edx, ecx
            //   31c9                 | xor                 ecx, ecx
            //   488d15eb3f0000       | dec                 ecx

        $sequence_5 = { b905000000 4883c438 48ff25???????? 31c9 ff15???????? eb0b 4883c438 }
            // n = 7, score = 100
            //   b905000000           | jns                 0x1364
            //   4883c438             | mov                 edx, 0xffffffff
            //   48ff25????????       |                     
            //   31c9                 | dec                 ax
            //   ff15????????         |                     
            //   eb0b                 | movd                mm0, ebp
            //   4883c438             | fstp                st(1)

        $sequence_6 = { 0f854effffff 85c0 41b800050000 0f8440ffffff 66480f6eef }
            // n = 5, score = 100
            //   0f854effffff         | lea                 ecx, [0x66f5]
            //   85c0                 | dec                 eax
            //   41b800050000         | add                 esp, 0x28
            //   0f8440ffffff         | pop                 ebx
            //   66480f6eef           | jne                 0x590

        $sequence_7 = { 0f857ffcffff 85f6 7834 660f2ec7 7a06 0f846ffcffff }
            // n = 6, score = 100
            //   0f857ffcffff         | mov                 ecx, 0x20
            //   85f6                 | dec                 eax
            //   7834                 | lea                 edx, [0x4533]
            //   660f2ec7             | xor                 esi, esi
            //   7a06                 | dec                 esp
            //   0f846ffcffff         | lea                 ebp, [0x7ca9]

        $sequence_8 = { ff15???????? 488d442478 4531c0 41b906000200 4889442420 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488d442478           | mov                 ecx, eax
            //   4531c0               | dec                 eax
            //   41b906000200         | mov                 ecx, esi
            //   4889442420           | dec                 eax

        $sequence_9 = { 41b804010000 488d5728 4889f1 8903 488b442428 48894308 }
            // n = 6, score = 100
            //   41b804010000         | dec                 ax
            //   488d5728             | movd                eax, mm0
            //   4889f1               | dec                 ax
            //   8903                 | movd                ebx, mm0
            //   488b442428           | dec                 eax
            //   48894308             | shr                 eax, 0x20

    condition:
        // 7 of the 10 byte sequences must be present, and only inputs smaller
        // than 99328 bytes are considered. Per the DISCLAIMER the sequences
        // were taken from memory dumps / unpacked files, so a packed on-disk
        // sample may not be caught by this rule; scan unpacked or in-memory
        // content for best coverage.
        7 of them and filesize < 99328
}
[TLP:WHITE] win_whiteblackcrypt_w0   (20220318 | Matches strings seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w0 {
    meta:
        author = "Silas Cutler (silas@Stairwell.com)"
        description = "Matches strings seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_version = "20220318"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Family-specific literals: the extension appended to encrypted
        // files, a fixed drop path under ProgramData, and a constant token
        // whose role is not documented here.
        $ext      = ".encrpt3d"
        $drop     = "C:\\ProgramData\\CheckServiceD.exe"
        $token    = "ye64T0p"
        // Generic literals: environment variable names and the per-user Run
        // key also occur in plenty of benign software, so they should not
        // carry the match on their own.
        $env_home = "HOMEDRIVE"
        $env_prof = "USERPROFILE"
        $run_key  = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

    condition:
        // Six strings, five required: at most one may be absent, so at least
        // two of the three family-specific literals must be present.
        5 of them
}
[TLP:WHITE] win_whiteblackcrypt_w1   (20220318 | Matches file extensions seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w1 {
    meta:
        author= "Silas Cutler (silas@Stairwell.com)"
        description = "Matches file extensions seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
		malpedia_version = "20220318"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
    strings:
        // Each hex string is a run of NUL-terminated, upper-case extension
        // literals laid out back-to-back; the 00 separators are part of the
        // match, so the order and adjacency of the entries matter, not just
        // the presence of the individual extensions. Presumably this is the
        // targeted-extension table as embedded in the binary.
        // Decoded: .VMDK .VMX .GPG .AES .ARC .PAQ .BZ2 .TBK .BAK .TAR .TGZ
        $ = {2E 56 4D 44 4B 00 2E 56 4D 58 00 2E 47 50 47 00 2E 41 45 53 00 
             2E 41 52 43 00 2E 50 41 51 00 2E 42 5A 32 00 2E 54 42 4B 00 2E 
             42 41 4B 00 2E 54 41 52 00 2E 54 47 5A 00}
        // Decoded: .PPAM .POTX .POTM .EDB .HWP .602 .SXI .STI .SLDX .SLDM
        $ = {2E 50 50 41 4D 00 2E 50 4F 54 58 00 2E 50 4F 54 4D 00 2E 45 44
             42 00 2E 48 57 50 00 2E 36 30 32 00 2E 53 58 49 00 2E 53 54 49 
             00 2E 53 4C 44 58 00 2E 53 4C 44 4D 00}
        // Decoded: .IBD .MYI .MYD .FRM .ODB .DBF .DB .MDB .ACCDB .SQL .SQLITEDB
        $ = {2E 49 42 44 00 2E 4D 59 49 00 2E 4D 59 44 00 2E 46 52 4D 00 2E
        	 4F 44 42 00 2E 44 42 46 00 2E 44 42 00 2E 4D 44 42 00 2E 41 43 
        	 43 44 42 00 2E 53 51 4C 00 2E 53 51 4C 49 54 45 44 42 00}
    condition:
        // Exactly three strings are defined, so all three tables must match.
        3 of them    
}
[TLP:WHITE] win_whiteblackcrypt_w2   (20220318 | Matches ransom note seen in WhiteBlackCrypt)
rule win_whiteblackcrypt_w2 {
    meta:
        author = "Silas Cutler (silas@Stairwell.com)"
        description = "Matches ransom note seen in WhiteBlackCrypt"
        ref = "https://cip.gov.ua/ua/news/informaciya-shodo-imovirnoyi-provokaciyi"
        version = "0.1"
        source = "https://github.com/stairwell-inc/threat-research/blob/main/whispergate/WhiteBlackCrypt.yara"
        malpedia_rule_date = "20220318"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt"
        malpedia_version = "20220318"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Fragments of the ransom note. Spelling, grammar and trailing
        // whitespace are reproduced exactly as the note text is written
        // ("recieve", "moneys", "you mail"), since a corrected spelling
        // would no longer match the sample.
        $note_header = "Your files has been ENCRYPTED! Now, you cant access them, but they are not deleted. We need to get 10 BTC at the specified address:"
        // Presumably the payment address the header refers to.
        $btc_addr    = "19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn"
        $note_key    = "we will send text document to you mail with a PRIVATE RSA key, and a link to a program, that can decrypt"
        $note_scope  = "all files on every computer, encrypted with this program"
        $note_paid   = "If we recieve moneys, "
        $note_ask    = "for acquiring decryption key, please send us"
        $note_wallet = "address of your bitcoin wallet."

    condition:
        // Any three of the seven fragments are enough for a match.
        3 of them
}