win.yanluowang

Yanluowang


Ransomware.

References
2022-08-10CiscoNick Biasini
@online{biasini:20220810:cisco:81eec81, author = {Nick Biasini}, title = {{Cisco Talos shares insights related to recent cyber attack on Cisco}}, date = {2022-08-10}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html}, language = {English}, urldate = {2022-08-11} } Cisco Talos shares insights related to recent cyber attack on Cisco
Yanluowang
2022-04-18KasperskyAMR
@online{amr:20220418:how:6783da1, author = {AMR}, title = {{How to recover files encrypted by Yanlouwang}}, date = {2022-04-18}, organization = {Kaspersky}, url = {https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/}, language = {English}, urldate = {2022-04-20} } How to recover files encrypted by Yanlouwang
Yanluowang
2022-04-18Bleeping ComputerSergiu Gatlan
@online{gatlan:20220418:free:d6f6e7a, author = {Sergiu Gatlan}, title = {{Free decryptor released for Yanluowang ransomware victims}}, date = {2022-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/}, language = {English}, urldate = {2022-04-20} } Free decryptor released for Yanluowang ransomware victims
Yanluowang
2022-04-06Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20220406:yanluowang:d74271b, author = {Albert Zsigovits}, title = {{Yanluowang Ransomware Analysis}}, date = {2022-04-06}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang}, language = {English}, urldate = {2022-04-13} } Yanluowang Ransomware Analysis
Yanluowang
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2021-10-14SymantecThreat Hunter Team
@online{team:20211014:new:7a0d638, author = {Threat Hunter Team}, title = {{New Yanluowang ransomware used in targeted attacks}}, date = {2021-10-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware}, language = {English}, urldate = {2021-11-03} } New Yanluowang ransomware used in targeted attacks
Yanluowang
Yara Rules
[TLP:WHITE] win_yanluowang_auto (20220808 | Detects win.yanluowang.)
rule win_yanluowang_auto {
    // Purpose: auto-generated code signature for the Yanluowang ransomware
    // family (Malpedia id win.yanluowang). The rule fires when at least 7 of
    // the 10 instruction-byte sequences in `strings` are present and the
    // scanned object is smaller than 834560 bytes (815 KiB) -- see `condition`.
    // The meta block carries the generator's provenance (tool, date, hash of
    // the Malpedia rule set) and the sharing terms (CC BY-SA 4.0, TLP:WHITE).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.yanluowang."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 32-bit x86 instruction bytes lifted from
        // the sample's disassembly (the listings below use 32-bit registers such
        // as ebp/esi/edi). A "??" byte is a YARA wildcard; here it masks
        // operands that appear to be address-dependent (call rel32 targets,
        // push imm32, absolute memory operands), presumably so the pattern
        // still matches when those addresses change between builds.
        // In the per-sequence listings, "n" is the number of instructions in
        // the sequence; "score" is yara-signator's ranking value for it --
        // NOTE(review): its exact meaning is tool-specific, confirm against the
        // yara-signator documentation before using it as a confidence measure.
        $sequence_0 = { 8b11 2bc5 50 ff5214 2bee 896f28 5f }
            // n = 7, score = 100
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   2bc5                 | sub                 eax, ebp
            //   50                   | push                eax
            //   ff5214               | call                dword ptr [edx + 0x14]
            //   2bee                 | sub                 ebp, esi
            //   896f28               | mov                 dword ptr [edi + 0x28], ebp
            //   5f                   | pop                 edi

        $sequence_1 = { 42 0fb606 80b860cb450000 74e9 8a0e 0fb6c1 }
            // n = 6, score = 100
            //   42                   | inc                 edx
            //   0fb606               | movzx               eax, byte ptr [esi]
            //   80b860cb450000       | cmp                 byte ptr [eax + 0x45cb60], 0
            //   74e9                 | je                  0xffffffeb
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   0fb6c1               | movzx               eax, cl

        // NOTE(review): $sequence_1 embeds the absolute address 0x45cb60
        // unmasked, so it is tied to the image base/layout of the analysed
        // sample and may not generalize to rebuilt variants -- unverified.
        $sequence_2 = { 56 8bcf c705????????dc734400 e8???????? 68???????? e8???????? 59 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8bcf                 | mov                 ecx, edi
            //   c705????????dc734400     |     
            //   e8????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_3 = { e8???????? 56 8d45f0 56 50 e8???????? 83c40c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_4 = { 33c2 d1c6 33c6 8bfe 337154 c1e707 33fd }
            // n = 7, score = 100
            //   33c2                 | xor                 eax, edx
            //   d1c6                 | rol                 esi, 1
            //   33c6                 | xor                 eax, esi
            //   8bfe                 | mov                 edi, esi
            //   337154               | xor                 esi, dword ptr [ecx + 0x54]
            //   c1e707               | shl                 edi, 7
            //   33fd                 | xor                 edi, ebp

        $sequence_5 = { 66390e 0f848a000000 83c602 83e801 75ef 8b5508 8b7d20 }
            // n = 7, score = 100
            //   66390e               | cmp                 word ptr [esi], cx
            //   0f848a000000         | je                  0x90
            //   83c602               | add                 esi, 2
            //   83e801               | sub                 eax, 1
            //   75ef                 | jne                 0xfffffff1
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b7d20               | mov                 edi, dword ptr [ebp + 0x20]

        $sequence_6 = { 3bd0 0f8336010000 8b45d4 8bd0 2bd1 8955d8 }
            // n = 6, score = 100
            //   3bd0                 | cmp                 edx, eax
            //   0f8336010000         | jae                 0x13c
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   8bd0                 | mov                 edx, eax
            //   2bd1                 | sub                 edx, ecx
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx

        // NOTE(review): the `test eax, 0xf` followed by four 16-byte pxor loads
        // in $sequence_7 looks like an alignment-checked XOR over 64-byte blocks;
        // whether this belongs to the file-encryption path is not established here.
        $sequence_7 = { 7445 a90f000000 7518 660fef10 660fef4010 660fef7020 660fef5830 }
            // n = 7, score = 100
            //   7445                 | je                  0x47
            //   a90f000000           | test                eax, 0xf
            //   7518                 | jne                 0x1a
            //   660fef10             | pxor                xmm2, xmmword ptr [eax]
            //   660fef4010           | pxor                xmm0, xmmword ptr [eax + 0x10]
            //   660fef7020           | pxor                xmm6, xmmword ptr [eax + 0x20]
            //   660fef5830           | pxor                xmm3, xmmword ptr [eax + 0x30]

        $sequence_8 = { 33c0 c6855fecffff00 85c0 7407 c6855fecffff01 80bd57ecffff00 7435 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   c6855fecffff00       | mov                 byte ptr [ebp - 0x13a1], 0
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   c6855fecffff01       | mov                 byte ptr [ebp - 0x13a1], 1
            //   80bd57ecffff00       | cmp                 byte ptr [ebp - 0x13a9], 0
            //   7435                 | je                  0x37

        $sequence_9 = { 8b4f50 8bf1 8b55ac 8b4754 8b7f58 8b525c 0bca }
            // n = 7, score = 100
            //   8b4f50               | mov                 ecx, dword ptr [edi + 0x50]
            //   8bf1                 | mov                 esi, ecx
            //   8b55ac               | mov                 edx, dword ptr [ebp - 0x54]
            //   8b4754               | mov                 eax, dword ptr [edi + 0x54]
            //   8b7f58               | mov                 edi, dword ptr [edi + 0x58]
            //   8b525c               | mov                 edx, dword ptr [edx + 0x5c]
            //   0bca                 | or                  ecx, edx

    condition:
        // Any 7 of the 10 sequences above must be present ("them" = all
        // strings in this rule). The size bound is presumably there to keep
        // the rule from being evaluated against large unrelated binaries.
        // NOTE(review): YARA's `filesize` is undefined when scanning process
        // memory, so as written this rule is effectively file-only -- confirm
        // against your scan targets; memory scans would need a variant without
        // the size clause.
        7 of them and filesize < 834560
}