Yara Rules for Ransomware group  blackmatter

/*
BlackMatter ransomware
*/

import "elf"

rule DarkSide_BM
{
    meta:
        author = "rivitna"
        family = "ransomware.darkside_blackmatter"
        description = "DarkSide/BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h1 = { 64 A1 30 00 00 00     // mov  eax, large fs:30h
                8B B0 A4 00 00 00     // mov  esi, [eax+0A4h]
                8B B8 A8 00 00 00     // mov  edi, [eax+0A8h]
                83 FE 05              // cmp  esi, 5
                75 05                 // jnz  short L1
                83 FF 01 }            // cmp  edi, 1

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter
{
    meta:
        author = "rivitna"
        family = "ransomware.blackmatter.windows"
        description = "BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h0 = { 80 C6 61              // add  dh, 61h
                80 EE 61              // sub  dh, 61h
                C1 CA 0D              // ror  edx, 0Dh
                03 D0 }               // add  edx, eax
        $h1 = { 02 F1                 // add  dh, cl
                2A F1                 // sub  dh, cl
                B9 0D 00 00 00        // mov  ecx, 0Dh
                D3 CA                 // ror  edx, cl
                03 D0 }               // add  edx, eax
        $h2 = { 3C 2B                 // cmp  al, 2Bh
                75 04                 // jnz  short L1
                B0 78                 // mov  al, 78h
                EB 0E                 // jnz  short L3
                                      // L1:
                3C 2F                 // cmp  al, 2Fh
                75 04                 // jnz  short L2
                B0 69                 // mov  al, 69h
                EB 06                 // jmp  short L3
                                      // L2:
                3C 3D                 // cmp  al, 3Dh
                75 02                 // jnz  short L3
                B0 7A }               // mov  al, 7Ah
                                      // L3:
        $h3 = { 33 C0                 // xor  eax, eax
                40                    // inc  eax
                40                    // inc  eax
                8D 0C C5 01 00 00 00  // lea  ecx, [eax*8+1]
                83 7D 0? 00           // cmp  [ebp+arg_0], 0
                75 04                 // jnz  short L1
                F7 D8                 // neg  eax
                EB 0? }               // jmp  short L2
                                      // L1:

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter_Linux
{
    meta:
        author = "rivitna"
        family = "ransomware.blackmatter.linux"
        description = "BlackMatter ransomware Linux payload"
        severity = 10
        score = 100

    strings:
        $h0 = {                       // Loop:
                0F B6 10              // movzx edx, byte ptr [rax]
                84 D2                 // test  dl, dl
                74 19                 // jz    L1
                0F B6 34 0F           // movzx esi, byte ptr [rdi+rcx]
                40 38 F2              // cmp   dl, sil
                74 10                 // jz    L1
                48 83 C1 01           // add   rcx, 1
                31 F2                 // xor   edx, esi
                48 83 F9 20           // cmp   rcx, 20h
                88 10                 // mov   [rax], dl
                49 0F 44 C9           // cmovz rcx, r9
                                      // L1:
                48 83 C0 01           // add   rax, 1
                4C 39 C0              // cmp   rax, r8
                75 D7 }               // jnz   Loop
        $h1 = { 44 42 46 44               // mov   [rsp+var_1], 44464244h
                C7 4? [1-2] 30 35 35 43   // mov   [rsp+var_2], 43353530h
                C7 4? [1-2] 2D 39 43 46   // mov   [rsp+var_3], 4643392Dh
                C7 4? [1-2] 32 2D 34 42   // mov   [rsp+var_4], 42342D32h
                C7 4? [1-2] 42 38 2D 39   // mov   [rsp+var_5], 392D3842h
                C7 4? [1-2] 30 38 45 2D   // mov   [rsp+var_6], 2D453830h
                C7 4? [1-2] 36 44 41 32   // mov   [rsp+var_7], 32414436h
                C7 4? [1-2] 32 33 32 31   // mov   [rsp+var_8], 31323332h
                C7 4? [1-2] 42 46 31 37 } // mov   [rsp+var_9], 37314642h


    condition:
        (uint32(0) == 0x464C457F) and
        (
            (1 of ($h*)) or
            for any i in (0..elf.number_of_sections-2):
            (
                (elf.sections[i].name == ".app.version") and
                (elf.sections[i+1].name == ".cfgETD")
            )
        )
}