SYMBOLCOMMON_NAMEaka. SYNONYMS
win.yanluowang (Back to overview)

Yanluowang

aka: Dryxiphia

Ransomware.

References
2022-11-22The RecordDina Temple-Raston
@online{templeraston:20221122:yanluowang:12e066a, author = {Dina Temple-Raston}, title = {{The Yanluowang ransomware group in their own words}}, date = {2022-11-22}, organization = {The Record}, url = {https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/}, language = {English}, urldate = {2022-11-23} } The Yanluowang ransomware group in their own words
Yanluowang
2022-11-07DarktraceTaisiia Garkava, Dillon Ashmore
@online{garkava:20221107:inside:43d468a, author = {Taisiia Garkava and Dillon Ashmore}, title = {{Inside the Yanluowang Leak: Organization, Members, and Tactics}}, date = {2022-11-07}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics}, language = {English}, urldate = {2022-11-07} } Inside the Yanluowang Leak: Organization, Members, and Tactics
Yanluowang
2022-10-31Twitter (@CryptoInsane)CryptoInsane
@online{cryptoinsane:20221031:about:f607cf7, author = {CryptoInsane}, title = {{Tweet about Yanluowang Leaks}}, date = {2022-10-31}, organization = {Twitter (@CryptoInsane)}, url = {https://twitter.com/CryptoInsane/status/1586967110504398853}, language = {English}, urldate = {2022-12-29} } Tweet about Yanluowang Leaks
Yanluowang
2022-08-10CiscoNick Biasini
@online{biasini:20220810:cisco:81eec81, author = {Nick Biasini}, title = {{Cisco Talos shares insights related to recent cyber attack on Cisco}}, date = {2022-08-10}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html}, language = {English}, urldate = {2022-08-11} } Cisco Talos shares insights related to recent cyber attack on Cisco
Yanluowang
2022-04-18KasperskyAMR
@online{amr:20220418:how:6783da1, author = {AMR}, title = {{How to recover files encrypted by Yanlouwang}}, date = {2022-04-18}, organization = {Kaspersky}, url = {https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/}, language = {English}, urldate = {2022-04-20} } How to recover files encrypted by Yanlouwang
Yanluowang
2022-04-18Bleeping ComputerSergiu Gatlan
@online{gatlan:20220418:free:d6f6e7a, author = {Sergiu Gatlan}, title = {{Free decryptor released for Yanluowang ransomware victims}}, date = {2022-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/}, language = {English}, urldate = {2022-04-20} } Free decryptor released for Yanluowang ransomware victims
Yanluowang
2022-04-06Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20220406:yanluowang:d74271b, author = {Albert Zsigovits}, title = {{Yanluowang Ransomware Analysis}}, date = {2022-04-06}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang}, language = {English}, urldate = {2022-04-13} } Yanluowang Ransomware Analysis
Yanluowang
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2021-10-14SymantecThreat Hunter Team
@online{team:20211014:new:7a0d638, author = {Threat Hunter Team}, title = {{New Yanluowang ransomware used in targeted attacks}}, date = {2021-10-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware}, language = {English}, urldate = {2021-11-03} } New Yanluowang ransomware used in targeted attacks
Yanluowang
Yara Rules
[TLP:WHITE] win_yanluowang_auto (20230125 | Detects win.yanluowang.)
rule win_yanluowang_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.yanluowang."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745740f000000 c6456000 83fa10 722c 8b4d48 }
            // n = 5, score = 100
            //   c745740f000000       | mov                 dword ptr [ebp + 0x74], 0xf
            //   c6456000             | mov                 byte ptr [ebp + 0x60], 0
            //   83fa10               | cmp                 edx, 0x10
            //   722c                 | jb                  0x2e
            //   8b4d48               | mov                 ecx, dword ptr [ebp + 0x48]

        $sequence_1 = { 83e03f c1f906 6bd030 8b0c8d38034600 804c112802 }
            // n = 5, score = 100
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bd030               | imul                edx, eax, 0x30
            //   8b0c8d38034600       | mov                 ecx, dword ptr [ecx*4 + 0x460338]
            //   804c112802           | or                  byte ptr [ecx + edx + 0x28], 2

        $sequence_2 = { 3a11 0f85f1000000 84d2 7416 8a5001 3a5101 0f85e1000000 }
            // n = 7, score = 100
            //   3a11                 | cmp                 dl, byte ptr [ecx]
            //   0f85f1000000         | jne                 0xf7
            //   84d2                 | test                dl, dl
            //   7416                 | je                  0x18
            //   8a5001               | mov                 dl, byte ptr [eax + 1]
            //   3a5101               | cmp                 dl, byte ptr [ecx + 1]
            //   0f85e1000000         | jne                 0xe7

        $sequence_3 = { e8???????? 83c408 8bf3 85db 75b7 8b4df0 8b4110 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8bf3                 | mov                 esi, ebx
            //   85db                 | test                ebx, ebx
            //   75b7                 | jne                 0xffffffb9
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b4110               | mov                 eax, dword ptr [ecx + 0x10]

        $sequence_4 = { 83ec18 03c6 8bcc 50 e8???????? ba01000000 c645fc0e }
            // n = 7, score = 100
            //   83ec18               | sub                 esp, 0x18
            //   03c6                 | add                 eax, esi
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax
            //   e8????????           |                     
            //   ba01000000           | mov                 edx, 1
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe

        $sequence_5 = { eb02 32db c745fcffffffff 8b55d4 83fa10 7228 8b4dc0 }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   32db                 | xor                 bl, bl
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   83fa10               | cmp                 edx, 0x10
            //   7228                 | jb                  0x2a
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]

        $sequence_6 = { 8945dc 8b00 894dcc 2bc8 8945d4 b8abaaaa2a }
            // n = 6, score = 100
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx
            //   2bc8                 | sub                 ecx, eax
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab

        $sequence_7 = { 1bc0 83c801 8b8d4cecffff 33d2 85c0 0fb6c9 0f44ca }
            // n = 7, score = 100
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   8b8d4cecffff         | mov                 ecx, dword ptr [ebp - 0x13b4]
            //   33d2                 | xor                 edx, edx
            //   85c0                 | test                eax, eax
            //   0fb6c9               | movzx               ecx, cl
            //   0f44ca               | cmove               ecx, edx

        $sequence_8 = { 3bc1 8b4dd4 b8abaaaa2a 0f8613020000 2b4dbc f7e9 b8aaaaaa0a }
            // n = 7, score = 100
            //   3bc1                 | cmp                 eax, ecx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   0f8613020000         | jbe                 0x219
            //   2b4dbc               | sub                 ecx, dword ptr [ebp - 0x44]
            //   f7e9                 | imul                ecx
            //   b8aaaaaa0a           | mov                 eax, 0xaaaaaaa

        $sequence_9 = { e9???????? d9ee 84cd 0f8432ad0000 d9e0 e9???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   d9ee                 | fldz                
            //   84cd                 | test                ch, cl
            //   0f8432ad0000         | je                  0xad38
            //   d9e0                 | fchs                
            //   e9????????           |                     

    condition:
        7 of them and filesize < 834560
}
Download all Yara Rules