{
	"id": "05c6c058-bdb7-4c5f-8ba4-84b7bd4be04c",
	"created_at": "2026-04-06T00:13:50.078217Z",
	"updated_at": "2026-04-10T03:21:02.720892Z",
	"deleted_at": null,
	"sha1_hash": "61e320164a7eb3e5375f42ff0b270734a90b2dd5",
	"title": "Detect Nokoyawa ransomware With YARA Rule.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217996,
	"plain_text": "Detect Nokoyawa ransomware With YARA Rule.\r\nBy Gameel Ali\r\nPublished: 2022-12-21 · Archived: 2026-04-05 20:09:26 UTC\r\n4 minute read\r\nHow to write a YARA rule for Nokoyawa ransomware\r\nFirst, we will work with three files shared by Zscaler.\r\nIntroduction\r\nNokoyawa is a ransomware family that targets 64-bit Windows systems. It was first identified in February 2022 and is known for its use of double extortion tactics, which involve exfiltrating sensitive data from targeted organizations before encrypting files and demanding a ransom payment. The initial version of Nokoyawa was written in the C programming language and used Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption. In September 2022, a revised version of Nokoyawa was released, which was rewritten in the Rust programming language and utilized ECC with Curve25519 and Salsa20 for file encryption. This new version, known as Nokoyawa 2.0, includes a configuration parameter that can be passed via the command line, providing threat actors with greater flexibility at runtime.\r\nIOCs\r\n7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6\r\n47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12\r\n259f9ec10642442667a40bf78f03af2fc6d653443cce7062636eb750331657c4\r\nLoading the sample with IDA Pro\r\nI manually write YARA rules by using IDA Pro to load samples and examine their strings for unique characteristics relevant to a specific family. From this analysis, I can use the identified strings to craft effective YARA rules.\r\nStrings with IDA\r\nhttps://malgamy.github.io/malware-analysis/Nokoyawa/\r\nPage 1 of 6\r\n“deps\\noko.pdb”\r\n“How to run:”\r\n“--config \u003cbase64 encoded config\u003e (to start full encryption)”\r\n“--config \u003cbase64 encoded config\u003e --file \u003cfilePath\u003e”\r\n“CIS lang detected! Stop working”\r\n“config isn’t configurated to load hidden drives”\r\n“ENCRYPT_NETWORKYour config isn’t configurated to encrypt network shares”\r\n“Your config isn’t configurated to delete shadow copies”\r\n“Successfully deleted shadow copies”\r\nBy analyzing the strings of the malware, we can extract relevant strings and use VirusTotal (if you have a premium account) to test them individually in order to select appropriate conditions for our rules.\r\nWe can expect the string “deps\\noko.pdb” to be present in all samples because it is the PDB path of this family.\r\nPDB stands for “Program Database,” and it is a file format used by Microsoft Visual Studio to store debugging information about a program. It contains information about the program’s code, data, and resources, as well as details about the program’s execution. PDB files are typically used by developers to debug their programs and fix errors. They can also be used by other tools, such as debuggers, to analyze the code and execution of a program. PDB files are often associated with the .exe file of a program, and they are typically stored in a separate directory or folder.\r\nWe can use the PDB path as a condition for detecting the presence of the Nokoyawa family in a sample. If the YARA scan identifies the PDB path in the sample, it will be identified as belonging to the Nokoyawa family.\r\nAfter testing each string individually, we discovered that the first four strings were present in all three samples, while the remaining strings were present in only one sample. Based on this, the first three strings other than the PDB string can also be used to detect the presence of the three samples.\r\nTherefore, our condition will be as follows: uint16(0) == 0x5A4D and ($pdb or 3 of ($s*))\r\nOur YARA rule\r\nrule Nokoyawa_ransomware: Nokoyawa\r\n{\r\n    meta:\r\n        description = \"Detect_Nokoyawa_ransomware\"\r\n        author = \"@malgamy12\"\r\n        date = \"20/12/2022\"\r\n        license = \"DRL 1.1\"\r\n        hash = \"7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6\"\r\n        hash = \"47c00ac29bbaee921496ef957adaf5f8b031121ef0607937b003b6ab2a895a12\"\r\n        hash = \"259f9ec10642442667a40bf78f03af2fc6d653443cce7062636eb750331657c4\"\r\n\r\n    strings:\r\n        $pdb = \"deps\\\\noko.pdb\" ascii\r\n        $s1 = \"How to run:\" ascii\r\n        $s2 = \"--config \u003cbase64 encoded config\u003e (to start full encryption)\" ascii\r\n        $s3 = \"--config \u003cbase64 encoded config\u003e --file \u003cfilePath\u003e\" ascii\r\n        $s4 = \"CIS lang detected! Stop working\" ascii\r\n        $s5 = \"config isn't configurated to load hidden drives\" ascii\r\n        $s6 = \"ENCRYPT_NETWORKYour config isn't configurated to encrypt network shares\" ascii\r\n        $s7 = \"Your config isn't configurated to delete shadow copies\" ascii\r\n        $s8 = \"Successfully deleted shadow copies from\" ascii\r\n\r\n    condition:\r\n        uint16(0) == 0x5A4D and ($pdb or 3 of ($s*))\r\n}\r\nTesting\r\nAs depicted in the preceding figure, it appears that our condition is functioning as intended. After conducting testing, we can confidently assert that our rules are effective on our sample set.\r\nHunting\r\nFrom the previous figure, we can see the results of our rules.\r\nThanks a lot for reading.\r\nSource: https://malgamy.github.io/malware-analysis/Nokoyawa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malgamy.github.io/malware-analysis/Nokoyawa/"
	],
	"report_names": [
		"Nokoyawa"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61e320164a7eb3e5375f42ff0b270734a90b2dd5.pdf",
		"text": "https://archive.orkl.eu/61e320164a7eb3e5375f42ff0b270734a90b2dd5.txt",
		"img": "https://archive.orkl.eu/61e320164a7eb3e5375f42ff0b270734a90b2dd5.jpg"
	}
}