Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
| Title | Available | Last Visit | FQDN | Screenshot |
|---|---|---|---|---|
| None | 🔴 | 2021-05-01 00:00:00.000000 | qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion | N/A |
| Ransomware blog – We will not give ourselves a nam | 🔴 | 2024-08-21 05:42:02.268734 | z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion | N/A |
| Employees(s) | Customer(s) | Third Party Employee(s) |
|---|---|---|
This information is provided by HudsonRock
You're leaving the Ransomare.live site. Do you want to continue?
rule win_medusalocker_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.medusalocker."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 8b45fc 83781000 7419 8b4dfc 8b5110 }
// n = 5, score = 400
// 8b45fc | mov eax, dword ptr [ebp - 4]
// 83781000 | cmp dword ptr [eax + 0x10], 0
// 7419 | je 0x1b
// 8b4dfc | mov ecx, dword ptr [ebp - 4]
// 8b5110 | mov edx, dword ptr [ecx + 0x10]
$sequence_1 = { e8???????? 8b08 51 8d95f4fdffff 52 e8???????? 83c40c }
// n = 7, score = 400
// e8???????? |
// 8b08 | mov ecx, dword ptr [eax]
// 51 | push ecx
// 8d95f4fdffff | lea edx, [ebp - 0x20c]
// 52 | push edx
// e8???????? |
// 83c40c | add esp, 0xc
$sequence_2 = { 8b45e4 50 8b4dec 83c104 e8???????? 8bc8 e8???????? }
// n = 7, score = 400
// 8b45e4 | mov eax, dword ptr [ebp - 0x1c]
// 50 | push eax
// 8b4dec | mov ecx, dword ptr [ebp - 0x14]
// 83c104 | add ecx, 4
// e8???????? |
// 8bc8 | mov ecx, eax
// e8???????? |
$sequence_3 = { 83c108 51 e8???????? 83c408 8945d0 837dd003 744d }
// n = 7, score = 400
// 83c108 | add ecx, 8
// 51 | push ecx
// e8???????? |
// 83c408 | add esp, 8
// 8945d0 | mov dword ptr [ebp - 0x30], eax
// 837dd003 | cmp dword ptr [ebp - 0x30], 3
// 744d | je 0x4f
$sequence_4 = { e8???????? 83c42c 8945e8 8b4df8 e8???????? 8845ff 0fb655ff }
// n = 7, score = 400
// e8???????? |
// 83c42c | add esp, 0x2c
// 8945e8 | mov dword ptr [ebp - 0x18], eax
// 8b4df8 | mov ecx, dword ptr [ebp - 8]
// e8???????? |
// 8845ff | mov byte ptr [ebp - 1], al
// 0fb655ff | movzx edx, byte ptr [ebp - 1]
$sequence_5 = { eb11 6a01 8d4de8 e8???????? 8bc8 e8???????? }
// n = 6, score = 400
// eb11 | jmp 0x13
// 6a01 | push 1
// 8d4de8 | lea ecx, [ebp - 0x18]
// e8???????? |
// 8bc8 | mov ecx, eax
// e8???????? |
$sequence_6 = { 83c408 8be5 5d c20c00 55 8bec 51 }
// n = 7, score = 400
// 83c408 | add esp, 8
// 8be5 | mov esp, ebp
// 5d | pop ebp
// c20c00 | ret 0xc
// 55 | push ebp
// 8bec | mov ebp, esp
// 51 | push ecx
$sequence_7 = { e8???????? 83c018 8bc8 e8???????? 85c0 753e 8b4dec }
// n = 7, score = 400
// e8???????? |
// 83c018 | add eax, 0x18
// 8bc8 | mov ecx, eax
// e8???????? |
// 85c0 | test eax, eax
// 753e | jne 0x40
// 8b4dec | mov ecx, dword ptr [ebp - 0x14]
$sequence_8 = { 8b450c 50 e8???????? 83c404 8945f8 837df800 741c }
// n = 7, score = 400
// 8b450c | mov eax, dword ptr [ebp + 0xc]
// 50 | push eax
// e8???????? |
// 83c404 | add esp, 4
// 8945f8 | mov dword ptr [ebp - 8], eax
// 837df800 | cmp dword ptr [ebp - 8], 0
// 741c | je 0x1e
$sequence_9 = { 8d45f4 64a300000000 894dbc 33c0 }
// n = 4, score = 400
// 8d45f4 | lea eax, [ebp - 0xc]
// 64a300000000 | mov dword ptr fs:[0], eax
// 894dbc | mov dword ptr [ebp - 0x44], ecx
// 33c0 | xor eax, eax
condition:
7 of them and filesize < 1433600
}