win_makop_ransomware_auto
YARA-2023-0191
Critical
general
Active
Detects win.makop_ransomware.
win_makop_ransomware_auto.yar
Valid Syntax
rule win_makop_ransomware_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.makop_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { eb02 33f6 803d????????00 751f 803d????????00 7516 80fb01 }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   33f6                 | xor                 esi, esi
            //   803d????????00       |
            //   751f                 | jne                 0x21
            //   803d????????00       |
            //   7516                 | jne                 0x18
            //   80fb01               | cmp                 bl, 1

        $sequence_1 = { 52 50 51 e8???????? 8b542430 83c40c 68e0930400 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   83c40c               | add                 esp, 0xc
            //   68e0930400           | push                0x493e0

        $sequence_2 = { 52 66c7060802 66c746041066 c6460820 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   66c7060802           | mov                 word ptr [esi], 0x208
            //   66c746041066         | mov                 word ptr [esi + 4], 0x6610
            //   c6460820             | mov                 byte ptr [esi + 8], 0x20

        $sequence_3 = { 56 ff15???????? 85c0 750b 8906 32c0 5e }
            // n = 7, score = 100
            //   56                   | push                esi
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   8906                 | mov                 dword ptr [esi], eax
            //   32c0                 | xor                 al, al
            //   5e                   | pop                 esi

        $sequence_4 = { 83c001 84c9 75f7 2bc7 83e801 39442404 720a }
            // n = 7, score = 100
            //   83c001               | add                 eax, 1
            //   84c9                 | test                cl, cl
            //   75f7                 | jne                 0xfffffff9
            //   2bc7                 | sub                 eax, edi
            //   83e801               | sub                 eax, 1
            //   39442404             | cmp                 dword ptr [esp + 4], eax
            //   720a                 | jb                  0xc

        $sequence_5 = { ffd6 85ff 740f 85db 740b 837c242000 7404 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   85ff                 | test                edi, edi
            //   740f                 | je                  0x11
            //   85db                 | test                ebx, ebx
            //   740b                 | je                  0xd
            //   837c242000           | cmp                 dword ptr [esp + 0x20], 0
            //   7404                 | je                  6

        $sequence_6 = { 8b2d???????? 3beb 742e 8b4524 3bc3 7407 50 }
            // n = 7, score = 100
            //   8b2d????????         |
            //   3beb                 | cmp                 ebp, ebx
            //   742e                 | je                  0x30
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   3bc3                 | cmp                 eax, ebx
            //   7407                 | je                  9
            //   50                   | push                eax

        $sequence_7 = { 7416 e8???????? 6a00 e8???????? 83c404 }
            // n = 5, score = 100
            //   7416                 | je                  0x18
            //   e8????????           |
            //   6a00                 | push                0
            //   e8????????           |
            //   83c404               | add                 esp, 4

        $sequence_8 = { e8???????? 8b442418 83c40c 8b4f0c }
            // n = 4, score = 100
            //   e8????????           |
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   83c40c               | add                 esp, 0xc
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]

        $sequence_9 = { 742f 33c0 3906 763d 8d4c2448 }
            // n = 5, score = 100
            //   742f                 | je                  0x31
            //   33c0                 | xor                 eax, eax
            //   3906                 | cmp                 dword ptr [esi], eax
            //   763d                 | jbe                 0x3f
            //   8d4c2448             | lea                 ecx, [esp + 0x48]

    condition:
        7 of them and filesize < 107520
}
Threat Analysis
This YARA rule is filed under the general category and detects the win.makop_ransomware family described in its Malpedia reference.
Severity Level: Critical
The rule uses pattern matching to identify specific byte sequences, strings, or behavioral patterns associated with malicious activity.
Detection Capabilities
- File-based detection for executables and documents
- Memory scanning for running processes
- Network traffic analysis support
Command Line Usage
# Scan a single file
yara win_makop_ransomware_auto.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r win_makop_ransomware_auto.yar /path/to/directory/
# Scan with metadata output
yara -m win_makop_ransomware_auto.yar target_file
# Scan the on-disk executable of a running process (Linux); to scan the live process memory instead, pass the bare PID as the target
yara win_makop_ransomware_auto.yar /proc/[pid]/exe
Integration Examples
Python (yara-python)
import yara
rules = yara.compile(filepath='win_makop_ransomware_auto.yar')
matches = rules.match('/path/to/file')
ClamAV Integration
# ClamAV loads YARA rule files (.yar) passed as an extra database with -d; note that it implements only a subset of YARA syntax
clamscan -d win_makop_ransomware_auto.yar /path/to/scan
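To make the rule's condition concrete, here is an added pure-Python re-implementation of how its ten hex strings and the clause `7 of them and filesize < 107520` are evaluated; it is an illustration written for this page, not yara-python and not code from the rule's author. The sample buffers are constructed, with the `??` wildcard bytes filled in arbitrarily.

```python
import re

# The ten hex-string patterns from the rule above; "??" is a one-byte wildcard.
SEQUENCES = {
    "$sequence_0": "eb02 33f6 803d????????00 751f 803d????????00 7516 80fb01",
    "$sequence_1": "52 50 51 e8???????? 8b542430 83c40c 68e0930400",
    "$sequence_2": "52 66c7060802 66c746041066 c6460820",
    "$sequence_3": "56 ff15???????? 85c0 750b 8906 32c0 5e",
    "$sequence_4": "83c001 84c9 75f7 2bc7 83e801 39442404 720a",
    "$sequence_5": "ffd6 85ff 740f 85db 740b 837c242000 7404",
    "$sequence_6": "8b2d???????? 3beb 742e 8b4524 3bc3 7407 50",
    "$sequence_7": "7416 e8???????? 6a00 e8???????? 83c404",
    "$sequence_8": "e8???????? 8b442418 83c40c 8b4f0c",
    "$sequence_9": "742f 33c0 3906 763d 8d4c2448",
}
MAX_FILESIZE = 107520  # "filesize < 107520" in the rule condition
REQUIRED = 7           # "7 of them"

def hex_pattern_to_regex(pattern: str):
    """Compile a YARA hex string (whole-byte ?? wildcards only) into a bytes regex."""
    digits = pattern.replace(" ", "")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0a

COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}

def evaluate(data: bytes):
    """Return (matched_names, rule_fires) for a buffer, mirroring the rule condition."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(data))
    return hits, len(hits) >= REQUIRED and len(data) < MAX_FILESIZE

def sample_bytes(names, filler: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer: concrete instances of the named sequences, wildcards set to 0x41."""
    chunks = [bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "41")) for n in names]
    return filler.join(chunks)

if __name__ == "__main__":
    seven = ["$sequence_%d" % i for i in range(7)]
    print(evaluate(sample_bytes(seven)))        # 7 hits, rule fires
    print(evaluate(sample_bytes(seven[:6])))    # 6 hits, rule does not fire
    oversized = sample_bytes(list(SEQUENCES)) + b"\x00" * MAX_FILESIZE
    print(evaluate(oversized))                  # 10 hits but filesize too large, does not fire
```

The third case shows why the `filesize` clause matters in practice: a padded or packed copy of the same code is deliberately outside the rule's scope, so such samples need a separate rule rather than a looser condition.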
Rule Information
YARA ID
YARA-2023-0191
Created
August 19, 2025
Last Updated
August 19, 2025