#100DaysofYARA 2024 – Day 76 – “lckmac” Ransomware

Today’s rule matches function names found in a suspected macOS ransomware binary uploaded to VirusTotal as lckmac.

rule MAL_Lckmac_strings {
    meta:
        description = "Matches function name strings found in MachO ransomware sample uploaded to VirusTotal with filename 'lckmac'."
        last_modified = "2024-03-16"
        author = "@petermstewart"
        DaysofYara = "76/100"
        sha256 = "e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac"
        ref = "https://x.com/malwrhunterteam/status/1745144586727526500"

    strings:
        $a1 = "main.parsePublicKey"
        $a2 = "main.writeKeyToFile"
        $a3 = "main.getSystemInfo"
        $a4 = "main.EncryptTargetedFiles"
        $a5 = "main.shouldEncryptFile"
        $a6 = "main.encryptFile"
        $a7 = "main.deleteSelf"

    condition:
        (uint32(0) == 0xfeedface or   //MH_MAGIC
        uint32(0) == 0xcefaedfe or    //MH_CIGAM
        uint32(0) == 0xfeedfacf or    //MH_MAGIC_64
        uint32(0) == 0xcffaedfe or    //MH_CIGAM_64
        uint32(0) == 0xcafebabe or    //FAT_MAGIC
        uint32(0) == 0xbebafeca) and  //FAT_CIGAM
        all of them
}
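The condition above hinges on a byte-order detail: YARA's uint32(0) always reads little-endian, so a Mach-O written by a little-endian host (bytes cf fa ed fe) yields MH_MAGIC_64, while a FAT header, which is stored big-endian on disk, yields FAT_CIGAM. The following Python is an added example, not code from the post or its author: it re-implements the rule's condition in plain Python so the logic can be checked against constructed byte blobs without a YARA install (the sample blobs and helper names are assumptions, not real malware).

```python
import struct

# The six magic values from the rule, as YARA's little-endian uint32(0) sees them.
MACHO_MAGICS = {
    0xfeedface: "MH_MAGIC",
    0xcefaedfe: "MH_CIGAM",
    0xfeedfacf: "MH_MAGIC_64",
    0xcffaedfe: "MH_CIGAM_64",
    0xcafebabe: "FAT_MAGIC",
    0xbebafeca: "FAT_CIGAM",
}

# The Go function-name strings the rule requires ("all of them").
LCKMAC_STRINGS = [
    b"main.parsePublicKey", b"main.writeKeyToFile", b"main.getSystemInfo",
    b"main.EncryptTargetedFiles", b"main.shouldEncryptFile",
    b"main.encryptFile", b"main.deleteSelf",
]

def header_magic(data: bytes):
    """Mimic YARA's uint32(0): first four bytes, little-endian.
    Returns the matched magic name, or None for a non-Mach-O header."""
    if len(data) < 4:
        return None
    value = struct.unpack_from("<I", data, 0)[0]
    return MACHO_MAGICS.get(value)

def missing_strings(data: bytes):
    """Return the rule strings that are absent from the data."""
    return [s for s in LCKMAC_STRINGS if s not in data]

def rule_matches(data: bytes) -> bool:
    """The rule's condition: Mach-O/FAT header AND every string present."""
    return header_magic(data) is not None and not missing_strings(data)

def build_sample(magic_bytes: bytes, strings) -> bytes:
    """Constructed stand-in for a binary: header, padding, NUL-separated strings."""
    return magic_bytes + b"\x00" * 28 + b"\x00".join(strings) + b"\x00"

# Constructed samples (hypothetical blobs, not the real lckmac file):
# 64-bit Mach-O as written by a little-endian host -> reads as MH_MAGIC_64
SAMPLE_MACHO64 = build_sample(b"\xcf\xfa\xed\xfe", LCKMAC_STRINGS)
# FAT header is stored big-endian on disk -> little-endian read gives FAT_CIGAM
SAMPLE_FAT = build_sample(b"\xca\xfe\xba\xbe", LCKMAC_STRINGS)
# ELF header carrying the same strings -> header check fails, no match
SAMPLE_ELF = build_sample(b"\x7fELF", LCKMAC_STRINGS)
# Mach-O with one of the seven strings missing -> "all of them" fails
SAMPLE_PARTIAL = build_sample(b"\xcf\xfa\xed\xfe", LCKMAC_STRINGS[:-1])
```

Run the same checks against a real sample by passing the file's bytes to rule_matches; missing_strings tells you which name a variant dropped if the header check passes but the rule does not fire.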

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
