encrypt data using FAKEM cipher

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: encrypt data using FAKEM cipher
    namespace: data-manipulation/encryption
    authors:
      - michael.hunhoff@mandiant.com
    description: Detect custom encryption cipher used by FAKEM malware family
    scopes:
      static: basic block
      dynamic: unsupported  # requires characteristic, mnemonic features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Decrypt Data [C0031]
      - Cryptography::Encrypt Data [C0027]
    references:
      - https://attack.mitre.org/software/S0076/
  features:
    - and:
      - characteristic: tight loop
      - count(mnemonic(ror)): 5
      - count(mnemonic(xor)): 5
      - number: 0x59 = Y
      - number: 0x48 = H
      - number: 0x43 = C
      - number: 0x52 = R
      - number: 0x41 = A

last edited: 2023-11-24 10:34:28