FUDCrypt is an off-the-shelf crypter: it wraps a payload so that antivirus does not recognise it. A match on an unmodified FUDCrypt sample therefore means an attacker has delivered or dropped a crypted payload without bothering to customise the crypter, which places the hit at the delivery or execution stage of an intrusion rather than at reconnaissance or exploitation of a known vulnerability. The rule below matches file content, so it runs in an endpoint or file-scanning tool; forward its hits to Azure Sentinel (now Microsoft Sentinel) so the SOC can pivot on host, user and delivery path while the intrusion is still early, before the payload is used for lateral movement or data exfiltration.
YARA Rule
rule FUDCrypter
{
    meta:
        description = "Detects unmodified FUDCrypt samples"
        reference = "https://github.com/gigajew/FudCrypt/"
        author = "https://github.com/hwvs"
        last_modified = "2019-11-21"

    strings:
        // Anonymous strings: each marker is matched in its raw ASCII form
        // and in its UTF-16LE ("wide") form, the encoding .NET uses for
        // user strings inside a compiled assembly.
        $ = "OcYjzPUtJkNbLOABqYvNbvhZf" wide ascii
        $ = "gwiXxyIDDtoYzgMSRGMckRbJi" wide ascii
        $ = "BclWgISTcaGjnwrzSCIuKruKm" wide ascii
        $ = "CJyUSiUNrIVbgksjxpAMUkAJJ" wide ascii
        $ = "fAMVdoPUEyHEWdxQIEJPRYbEN" wide ascii
        $ = "CIGQUctdcUPqUjoucmcoffECY" wide ascii
        $ = "wcZfHOgetgAExzSoWFJFQdAyO" wide ascii
        $ = "DqYKDnIoLeZDWYlQWoxZnpfPR" wide ascii
        $ = "MkhMoOHCbGUMqtnRDJKnBYnOj" wide ascii
        $ = "sHEqLMGglkBAOIUfcSAgMvZfs" wide ascii
        $ = "JtZApJhbFAIFxzHLjjyEQvtgd" wide ascii
        $ = "IIQrSWZEMmoQIKGuxxwoTwXka" wide ascii

    condition:
        // Any single marker is enough to fire.
        1 of them
}
Deployment notes
Where it runs: YARA matches byte patterns in file content and process memory, so this rule belongs in whatever already scans content on the endpoint or in the delivery path (on-demand and scheduled file scans, mail and download sandboxes, memory scans of suspicious processes). The matches, not the rule, are what get forwarded to the SIEM. Process-name exclusions of the kind used to tune EDR behavioural rules (backup, imaging, task-scheduler or antivirus processes) do not apply here: the rule never looks at which process touched the file.
Matching semantics: every string is declared wide ascii, so it fires on the raw ASCII bytes and on the UTF-16LE form. FudCrypt is written in .NET, and .NET assemblies store user strings as UTF-16LE, so the wide form is the one expected to fire on a built stub; a checkout of the source code, if it carries these literals, hits the ascii form instead.
Condition: 1 of them means a single 25-character marker is sufficient. Identifiers this specific are unlikely to occur in unrelated software; the benign hits to expect are checkouts of the FudCrypt repository and analyst sample stores. Tune by excluding those paths, not process names.
Coverage: the description says unmodified for a reason. An operator who renames these identifiers before building produces a sample the rule does not see, so treat a hit as high-confidence and a miss as no evidence either way.
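The following Python is an added example, not part of the original page and not the rule author's tooling: it reimplements the matching semantics of the FUDCrypter rule above (the wide ascii modifiers and the 1 of them condition) in pure Python so they can be exercised offline without a yara binary. The byte blobs are constructed for illustration and are not real FudCrypt output; the assumption that a compiled stub hits the wide form follows from the CLR storing user strings as UTF-16LE, and the renamed-identifier blob shows why the rule only claims to catch unmodified samples.

```python
"""
Added example: pure-Python re-implementation of the FUDCrypter rule's
matching semantics. Not the page's or the rule author's code; the sample
blobs below are constructed and are not real FudCrypt output.
"""
from __future__ import annotations

# The twelve marker strings declared in the rule.
MARKERS: list[str] = [
    "OcYjzPUtJkNbLOABqYvNbvhZf",
    "gwiXxyIDDtoYzgMSRGMckRbJi",
    "BclWgISTcaGjnwrzSCIuKruKm",
    "CJyUSiUNrIVbgksjxpAMUkAJJ",
    "fAMVdoPUEyHEWdxQIEJPRYbEN",
    "CIGQUctdcUPqUjoucmcoffECY",
    "wcZfHOgetgAExzSoWFJFQdAyO",
    "DqYKDnIoLeZDWYlQWoxZnpfPR",
    "MkhMoOHCbGUMqtnRDJKnBYnOj",
    "sHEqLMGglkBAOIUfcSAgMvZfs",
    "JtZApJhbFAIFxzHLjjyEQvtgd",
    "IIQrSWZEMmoQIKGuxxwoTwXka",
]


def encodings(marker: str) -> dict[str, bytes]:
    """YARA 'ascii' is the raw byte string; 'wide' is UTF-16LE (each ASCII
    character followed by 0x00), which is how .NET stores user strings."""
    return {"ascii": marker.encode("ascii"), "wide": marker.encode("utf-16-le")}


def scan(data: bytes) -> dict[str, list[tuple[str, int]]]:
    """Find every marker in `data`. Returns {marker: [(form, offset), ...]}
    so the caller can see which form (ascii/wide) fired and where."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for marker in MARKERS:
        for form, needle in encodings(marker).items():
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(marker, []).append((form, pos))
                pos = data.find(needle, pos + 1)
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition is '1 of them': any single marker is enough."""
    return len(scan(data)) >= 1


# --- constructed samples (fake, for illustration only) ---------------------
# A built .NET binary keeps user strings in its #US heap as UTF-16LE, so a
# compiled, unmodified stub is expected to hit the 'wide' form.
SAMPLE_COMPILED_UNMODIFIED = (
    b"MZ\x90\x00" + b"\x00" * 60            # stand-in for PE/CLR headers
    + MARKERS[3].encode("utf-16-le")       # marker as it would sit in #US
    + b"\x00" * 16
)
# A copy of the crypter's source code carries the same marker as plain ASCII.
SAMPLE_SOURCE_COPY = b'string key = "' + MARKERS[0].encode("ascii") + b'";\n'
# An operator who renames identifiers before building evades the rule:
# one changed character (last J -> K) is enough, hence 'unmodified'.
SAMPLE_RENAMED = b"MZ\x90\x00" + "CJyUSiUNrIVbgksjxpAMUkAJK".encode("utf-16-le")
# Unrelated content with no marker at all.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"Hello, world! " * 8


if __name__ == "__main__":
    for name, blob in [
        ("compiled, unmodified", SAMPLE_COMPILED_UNMODIFIED),
        ("source-code copy", SAMPLE_SOURCE_COPY),
        ("compiled, identifiers renamed", SAMPLE_RENAMED),
        ("benign", SAMPLE_BENIGN),
    ]:
        verdict = "MATCH" if rule_matches(blob) else "no match"
        print(f"{name:32s} {verdict:9s} {scan(blob)}")
```

Running it shows the compiled blob firing only on the wide form at offset 64, the source copy firing only on the ascii form, and the renamed blob producing no hit at all, which is the practical meaning of the rule's "unmodified" qualifier.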