win.yanluowang

Yanluowang

aka: Dryxiphia

According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the "README.txt" file containing a ransom note. It appends the ".yanluowang" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.

Files encrypted by Yanluowang can be decrypted with this tool: if the original file used is larger than 3 GB, all files can be decrypted; if it is smaller than 3 GB, only smaller files can be decrypted.

References
2022-11-22, The Record, Dina Temple-Raston: The Yanluowang ransomware group in their own words. Families: Yanluowang
2022-11-07, Darktrace, Dillon Ashmore and Taisiia Garkava: Inside the Yanluowang Leak: Organization, Members, and Tactics. Families: Yanluowang
2022-10-31, Twitter (@CryptoInsane), CryptoInsane: Tweet about Yanluowang Leaks. Families: Yanluowang
2022-08-10, Cisco, Nick Biasini: Cisco Talos shares insights related to recent cyber attack on Cisco. Families: Yanluowang, UNC2447
2022-04-18, Bleeping Computer, Sergiu Gatlan: Free decryptor released for Yanluowang ransomware victims. Families: Yanluowang
2022-04-18, Kaspersky, AMR: How to recover files encrypted by Yanlouwang. Families: Yanluowang
2022-04-06, GitHub (albertzsigovits), Albert Zsigovits: Yanluowang Ransomware Analysis. Families: Yanluowang
2022-03-16, Symantec, Symantec Threat Hunter Team: The Ransomware Threat Landscape: What to Expect in 2022. Families: AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin
2021-10-14, Symantec, Threat Hunter Team: New Yanluowang ransomware used in targeted attacks. Families: Yanluowang
Yara Rules
[TLP:WHITE] win_yanluowang_auto (20230808 | Detects win.yanluowang.)
rule win_yanluowang_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.yanluowang."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 c745c8eca14400 c745cc02000000 e8???????? 8d45f8 50 8d8578ffffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   c745c8eca14400       | mov                 dword ptr [ebp - 0x38], 0x44a1ec
            //   c745cc02000000       | mov                 dword ptr [ebp - 0x34], 2
            //   e8????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   8d8578ffffff         | lea                 eax, [ebp - 0x88]

        $sequence_1 = { 7402 8913 8d510c 33ff 85d2 7402 }
            // n = 6, score = 100
            //   7402                 | je                  4
            //   8913                 | mov                 dword ptr [ebx], edx
            //   8d510c               | lea                 edx, [ecx + 0xc]
            //   33ff                 | xor                 edi, edi
            //   85d2                 | test                edx, edx
            //   7402                 | je                  4

        $sequence_2 = { 85c1 750c 3bd1 1bd2 23d0 23542430 }
            // n = 6, score = 100
            //   85c1                 | test                ecx, eax
            //   750c                 | jne                 0xe
            //   3bd1                 | cmp                 edx, ecx
            //   1bd2                 | sbb                 edx, edx
            //   23d0                 | and                 edx, eax
            //   23542430             | and                 edx, dword ptr [esp + 0x30]

        $sequence_3 = { 85c0 7402 8908 8b55d8 8d4804 33d6 85c9 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   8d4804               | lea                 ecx, [eax + 4]
            //   33d6                 | xor                 edx, esi
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { 8b048528c44500 6975d007536554 33048d28c04500 8945c0 8b45f8 8b4dc0 c1e808 }
            // n = 7, score = 100
            //   8b048528c44500       | mov                 eax, dword ptr [eax*4 + 0x45c428]
            //   6975d007536554       | imul                esi, dword ptr [ebp - 0x30], 0x54655307
            //   33048d28c04500       | xor                 eax, dword ptr [ecx*4 + 0x45c028]
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   c1e808               | shr                 eax, 8

        $sequence_5 = { 8b4508 8bd6 33d7 f7d6 }
            // n = 4, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bd6                 | mov                 edx, esi
            //   33d7                 | xor                 edx, edi
            //   f7d6                 | not                 esi

        $sequence_6 = { 83c438 c645fc14 8d8d78eeffff ffb5e8eeffff ffb5b8eeffff ffb5b4eeffff ffb57ceeffff }
            // n = 7, score = 100
            //   83c438               | add                 esp, 0x38
            //   c645fc14             | mov                 byte ptr [ebp - 4], 0x14
            //   8d8d78eeffff         | lea                 ecx, [ebp - 0x1188]
            //   ffb5e8eeffff         | push                dword ptr [ebp - 0x1118]
            //   ffb5b8eeffff         | push                dword ptr [ebp - 0x1148]
            //   ffb5b4eeffff         | push                dword ptr [ebp - 0x114c]
            //   ffb57ceeffff         | push                dword ptr [ebp - 0x1184]

        $sequence_7 = { 8b01 85c0 0f84cc2b0200 83f808 7d0f 6bc018 }
            // n = 6, score = 100
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   85c0                 | test                eax, eax
            //   0f84cc2b0200         | je                  0x22bd2
            //   83f808               | cmp                 eax, 8
            //   7d0f                 | jge                 0x11
            //   6bc018               | imul                eax, eax, 0x18

        $sequence_8 = { 84ff 7557 8b95acf5ffff 8bc2 8b8da8f5ffff 2bc1 }
            // n = 6, score = 100
            //   84ff                 | test                bh, bh
            //   7557                 | jne                 0x59
            //   8b95acf5ffff         | mov                 edx, dword ptr [ebp - 0xa54]
            //   8bc2                 | mov                 eax, edx
            //   8b8da8f5ffff         | mov                 ecx, dword ptr [ebp - 0xa58]
            //   2bc1                 | sub                 eax, ecx

        $sequence_9 = { 337dc8 8b4514 85c0 7402 8938 8d7904 33d2 }
            // n = 7, score = 100
            //   337dc8               | xor                 edi, dword ptr [ebp - 0x38]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8938                 | mov                 dword ptr [eax], edi
            //   8d7904               | lea                 edi, [ecx + 4]
            //   33d2                 | xor                 edx, edx

    condition:
        7 of them and filesize < 834560
}