COVID19 Malware Analysis - with Kill MBR Feature
Tags
Tag | Value |
---|---|
attack-pattern | Malware - T1587.001 |
attack-pattern | Malware - T1588.001 |
attack-pattern | Software - T1592.002 |
Common Information
Type | Value |
---|---|
UUID | c76b29b5-86ad-4275-9756-1919e56a4bef |
Fingerprint | de030ff88c23c6b3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | April 8, 2020, 7:50 a.m. |
Added to db | Sept. 26, 2022, 9:30 a.m. |
Last updated | Nov. 18, 2024, 4:35 a.m. |
Headline | {"®eve®se": "Enginee®ing"} |
Title | COVID19 Malware Analysis - with Kill MBR Feature |
Detected Hints/Tags/Attributes | 19/1/19 |
Attributes
Type | #Events | Value |
---|---|---|
Domain | 88 | app.any.run |
File | 2 | mainwindow.exe |
File | 15 | run.exe |
File | 2 | end.exe |
md5 | 1 | 9dbbfa81fe433b24b3f3b7809be2cc7f |
md5 | 1 | 7def1c942eea4c2024164cd5b7970ec8 |
md5 | 1 | e6ccc960ae38768664e8cf40c74a9902 |
md5 | 1 | b1349ca048b6b09f2b8224367fda4950 |
sha1 | 1 | b87405ff26a1ab2a03f3803518f306cf906ab47f |
sha1 | 1 | b2f4288577bf8f8f06a487b17163d74ebe46ab43 |
sha1 | 1 | d29cbc92744db7dc5bb8b7a8de6e3fa2c75b9dcd |
sha1 | 1 | 44fac7dd4b9b1ccc61af4859c8104dd507e82e2d |
sha256 | 1 | dfbcce38214fdde0b8c80771cfdec499fc086735c8e7e25293e7292fc7993b4c |
sha256 | 2 | c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9 |
sha256 | 2 | b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe |
sha256 | 2 | c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986 |
Url | 1 | https://app.any.run/tasks/8a404eaa-f7f5-425a-a49f-ae9138ce8e1c |
Windows Registry Key | 2 | HKLM\software\Microsoft\Windows\CurrentVersion\Run |
Yara rule | 1 | covid_mbr_gui, covid_mbr_killer, covid_runner (full rule set below) |

Yara rule (author: tcontre, 2020-04-08), one rule per component of the sample set: the GUI (mainwindow.exe), the MBR killer (end.exe) and the unpacked runner (run.exe):

```yara
import "pe"

rule covid_mbr_gui {
    meta:
        author = "tcontre"
        description = "detecting covid_19_main_window"
        date = "2020-04-08"
        sha256 = "b780e24e14885c6ab836aae84747aa0d975017f5fc5b7f031d51c7469793eabe"
    strings:
        $mz = { 4D 5A }
        $s1 = "coronavirus has infected your PC!" fullword
        $s2 = "Task Manager are disabled" wide fullword
    condition:
        ($mz at 0) and all of ($s*)
}

rule covid_mbr_killer {
    meta:
        author = "tcontre"
        description = "detecting covid_19_end_exe"
        date = "2020-04-08"
        sha256 = "c3f11936fe43d62982160a876cc000f906cb34bb589f4e76e54d0a5589b2fdb9"
    strings:
        $mz = { 4D 5A }
        $c1 = { 8A 03 C1 E8 04 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02 8B C5 }
        $c2 = { 8B D6 03 D2 42 03 C2 50 8A 03 24 0F 25 FF 00 00 00 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02 }
        $d1 = { 6A 00 68 F4 B7 40 00 68 00 02 00 00 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 6A 00 6A 00 68 00 02 00 00 }
        $d2 = { 53 E8 ?? ?? ?? ?? 6A 00 68 F8 B7 40 00 A1 F4 B7 40 00 50 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 53 E8 }
        $s1 = "WobbyChip" fullword
    condition:
        ($mz at 0) and $s1 and 1 of ($c*) and 1 of ($d*)
}

rule covid_runner {
    meta:
        author = "tcontre"
        description = "detecting covid_19_unpack_run_exe"
        date = "2020-04-08"
        sha256 = "c46c3d2bea1e42b628d6988063d247918f3f8b69b5a1c376028a2a0cadd53986"
    strings:
        $mz = { 4D 5A }
        $c = { 68 0A 00 00 00 FF 74 24 04 FF 74 24 14 E8 ?? ?? ?? ?? 89 44 24 04 83 7C 24 04 00 74 24 FF 74 24 04 FF 74 24 10 E8 }
        $s1 = "%homedrive%\\COVID-19" fullword
        $s2 = "disabletaskmgr" fullword
        $s3 = "NoChangingWallPaper" fullword
        $s4 = "ADD HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword
    condition:
        ($mz at 0) and 2 of ($s*) and $c
}
```
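The three rules above lean on a few YARA string modifiers whose exact meaning matters for whether a sample fires: `$mz at 0` (the match must be the first two bytes, not just present somewhere), `wide` (the string is searched as UTF-16LE, which is how the Delphi/Win32 GUI stores its message), `fullword` (the string must not be glued to other alphanumerics, so "WobbyChipper" would not count), and `??` one-byte wildcards in the hex strings (the four bytes after each `E8` are a relative call displacement that differs between builds). The following is an added example, not part of the original analysis or of tcontre's tooling: a minimal pure-Python re-implementation of just those semantics, with the rules' strings transcribed from the page and run over constructed byte buffers (not the real samples) so it executes offline without yara-python. It deliberately omits YARA features these rules do not use (jumps, alternation, the `pe` module), and its `fullword` check is the common-case approximation (an alphanumeric neighbour of the same character width), which is an assumption on my part rather than libyara's exact code path.

```python
import re

# Added illustration, not tcontre's code: simplified YARA matching semantics.
# Assumptions: only the features used by covid_mbr_gui / covid_mbr_killer /
# covid_runner are modelled (MZ at 0, ascii/wide text, fullword, ?? wildcards).


def hex_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as '53 E8 ?? ?? ?? ?? 6A 00' to a bytes regex.
    '??' is a single-byte wildcard; every other token is a literal byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_regex(s: str, wide: bool = False, fullword: bool = False) -> re.Pattern:
    """Compile a YARA text string. `wide` encodes it as UTF-16LE; `fullword`
    rejects a match whose neighbouring character (1 byte, or a 2-byte wide
    unit) is alphanumeric (approximation of libyara's check)."""
    unit = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
    body = re.escape(s.encode("utf-16-le" if wide else "ascii"))
    if fullword:
        body = b"(?<!" + unit + b")" + body + b"(?!" + unit + b")"
    return re.compile(body, re.DOTALL)


# Strings and conditions transcribed from the three rules on this page.
RULES = {
    "covid_mbr_gui": (
        {"$s1": text_regex("coronavirus has infected your PC!", fullword=True),
         "$s2": text_regex("Task Manager are disabled", wide=True, fullword=True)},
        lambda m: m["$s1"] and m["$s2"],                      # all of ($s*)
    ),
    "covid_mbr_killer": (
        {"$c1": hex_regex("8A 03 C1 E8 04 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02 8B C5"),
         "$c2": hex_regex("8B D6 03 D2 42 03 C2 50 8A 03 24 0F 25 FF 00 00 00 40 BA DC 83 40 00 8A 44 02 FF 5A 88 02"),
         "$d1": hex_regex("6A 00 68 F4 B7 40 00 68 00 02 00 00 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 6A 00 6A 00 68 00 02 00 00"),
         "$d2": hex_regex("53 E8 ?? ?? ?? ?? 6A 00 68 F8 B7 40 00 A1 F4 B7 40 00 50 68 FC C5 40 00 53 E8 ?? ?? ?? ?? 53 E8"),
         "$s1": text_regex("WobbyChip", fullword=True)},
        lambda m: m["$s1"] and (m["$c1"] or m["$c2"]) and (m["$d1"] or m["$d2"]),
    ),
    "covid_runner": (
        {"$c": hex_regex("68 0A 00 00 00 FF 74 24 04 FF 74 24 14 E8 ?? ?? ?? ?? 89 44 24 04 83 7C 24 04 00 74 24 FF 74 24 04 FF 74 24 10 E8"),
         "$s1": text_regex("%homedrive%\\COVID-19", fullword=True),
         "$s2": text_regex("disabletaskmgr", fullword=True),
         "$s3": text_regex("NoChangingWallPaper", fullword=True),
         "$s4": text_regex("ADD HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run", fullword=True)},
        lambda m: sum(m[k] for k in ("$s1", "$s2", "$s3", "$s4")) >= 2 and m["$c"],  # 2 of ($s*)
    ),
}


def scan(data: bytes) -> dict:
    """Evaluate all three rules over one buffer. Every rule also requires ($mz at 0),
    i.e. the buffer must begin with the DOS header magic, not merely contain it."""
    mz = data[:2] == b"MZ"
    results = {}
    for name, (strings, condition) in RULES.items():
        matches = {sid: rx.search(data) is not None for sid, rx in strings.items()}
        results[name] = mz and bool(condition(matches))
    return results


# Constructed stand-ins for the samples (NOT the real file contents): an MZ magic,
# zero filler, and the indicator strings / byte sequences the rules look for.
FILL = b"\x00" * 64
GUI_SAMPLE = (b"MZ" + FILL + b"coronavirus has infected your PC!\x00" + FILL
              + "Task Manager are disabled".encode("utf-16-le") + b"\x00\x00")
# Same text, but the Task Manager message stored as ASCII: `wide` will not match it.
GUI_ASCII_ONLY = (b"MZ" + FILL + b"coronavirus has infected your PC!\x00" + FILL
                  + b"Task Manager are disabled\x00")
C1 = bytes.fromhex("8A03C1E80440BADC8340008A4402FF5A88028BC5")
D1 = (bytes.fromhex("6A0068F4B74000680002000068FCC5400053E8")
      + b"\x10\x20\x30\x40"                     # arbitrary call displacement (the ?? ?? ?? ??)
      + bytes.fromhex("6A006A006800020000"))
KILLER_SAMPLE = b"MZ" + FILL + C1 + FILL + D1 + FILL + b"WobbyChip\x00"
# `fullword` rejects the author marker when it is glued to other alphanumerics.
KILLER_NOT_FULLWORD = b"MZ" + FILL + C1 + FILL + D1 + FILL + b"WobbyChipper\x00"
C_RUN = (bytes.fromhex("680A000000FF742404FF742414E8") + b"\xAA\xBB\xCC\xDD"
         + bytes.fromhex("89442404837C2404007424FF742404FF742410E8"))
RUNNER_SAMPLE = (b"MZ" + FILL + C_RUN + FILL
                 + b"disabletaskmgr\x00" + b"NoChangingWallPaper\x00")


if __name__ == "__main__":
    for label, buf in [("gui", GUI_SAMPLE), ("gui-ascii", GUI_ASCII_ONLY),
                       ("killer", KILLER_SAMPLE), ("killer-glued", KILLER_NOT_FULLWORD),
                       ("runner", RUNNER_SAMPLE), ("no-MZ", GUI_SAMPLE[2:])]:
        print(f"{label:13s} {scan(buf)}")
```

The two negative buffers are the ones worth studying: `GUI_ASCII_ONLY` carries the exact message text yet does not fire, because the rule pins it to UTF-16LE, and `KILLER_NOT_FULLWORD` shows why `fullword` was chosen for a short author tag that could otherwise appear as a substring of unrelated data. Stripping the first two bytes of any buffer defeats every rule, which is the practical cost of anchoring on `$mz at 0`: a memory dump or a carved fragment that no longer starts at the DOS header will need the condition relaxed.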