elf.persirai (Back to overview)

Persirai


There is no description at this point.

References
2017-05-09Trend MicroTim Yeh, Dove Chiu, Kenney Lu
@online{yeh:20170509:persirai:986b0fb, author = {Tim Yeh and Dove Chiu and Kenney Lu}, title = {{Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras}}, date = {2017-05-09}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/}, language = {English}, urldate = {2020-01-13} } Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras
Persirai
Yara Rules
[TLP:WHITE] elf_persirai_auto (20230407 | Detects elf.persirai.)
// Auto-generated code-sequence rule (yara-signator) for elf.persirai.
// Every $sequence_N below is a run of 32-bit x86 opcodes lifted from one
// disassembled sample; the "????????" wildcards mask 4-byte operands that
// change between builds (rel32 of e8/e9 jumps and calls, absolute data
// addresses of a1 / d905 / similar). Because only x86 fragments are present,
// builds of the family for other CPU architectures, if any exist, would not be
// covered by this rule. Note that, unlike elf_persirai_w0, this rule does not
// check for an ELF magic at offset 0.
rule elf_persirai_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects elf.persirai."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = number of instructions, score = signator's
        // per-sequence ranking for this family (100 on all sequences here).
        // The "|" column holds the disassembly; blank rows are the wildcarded
        // call/jump/data-reference instructions.
        $sequence_0 = { 50 8d442410 50 6aff e8???????? 8b5028 85d2 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   6aff                 | push                -1
            //   e8????????           |                     
            //   8b5028               | mov                 edx, dword ptr [eax + 0x28]
            //   85d2                 | test                edx, edx

        // Function epilogue/prologue boundary (pop ebx/esi, ret, push ebp):
        // short and generic-looking, so it carries little weight alone.
        $sequence_1 = { ebdf 5b 5e c3 55 }
            // n = 5, score = 100
            //   ebdf                 | jmp                 0xffffffe1
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_2 = { 8944240c 83ec0c a1???????? 50 e8???????? 5a 59 }
            // n = 7, score = 100
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   83ec0c               | sub                 esp, 0xc
            //   a1????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx

        // Contains a hard-coded absolute address (0x8059118) in the add
        // immediate; this sequence is therefore tied to the sample's layout.
        $sequence_3 = { 8144245818910508 8d4c245c e9???????? d9c0 d905???????? c744241008000000 ba0d000000 }
            // n = 7, score = 100
            //   8144245818910508     | add                 dword ptr [esp + 0x58], 0x8059118
            //   8d4c245c             | lea                 ecx, [esp + 0x5c]
            //   e9????????           |                     
            //   d9c0                 | fld                 st(0)
            //   d905????????         |                     
            //   c744241008000000     | mov                 dword ptr [esp + 0x10], 8
            //   ba0d000000           | mov                 edx, 0xd

        $sequence_4 = { 56 e8???????? 83c420 eb02 31c0 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   eb02                 | jmp                 4
            //   31c0                 | xor                 eax, eax

        $sequence_5 = { 50 6a02 e8???????? a1???????? 5f ff7018 e8???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a02                 | push                2
            //   e8????????           |                     
            //   a1????????           |                     
            //   5f                   | pop                 edi
            //   ff7018               | push                dword ptr [eax + 0x18]
            //   e8????????           |                     

        $sequence_6 = { 50 8d9424b0020000 52 e8???????? 8b4308 66898424b0020000 83c410 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d9424b0020000       | lea                 edx, [esp + 0x2b0]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   66898424b0020000     | mov                 word ptr [esp + 0x2b0], ax
            //   83c410               | add                 esp, 0x10

        $sequence_7 = { 50 8d8424d4170000 50 52 e8???????? 58 8d8424d8170000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8424d4170000       | lea                 eax, [esp + 0x17d4]
            //   50                   | push                eax
            //   52                   | push                edx
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   8d8424d8170000       | lea                 eax, [esp + 0x17d8]

        $sequence_8 = { 744c 8b530c 85d2 740c b801000000 83fa02 753d }
            // n = 7, score = 100
            //   744c                 | je                  0x4e
            //   8b530c               | mov                 edx, dword ptr [ebx + 0xc]
            //   85d2                 | test                edx, edx
            //   740c                 | je                  0xe
            //   b801000000           | mov                 eax, 1
            //   83fa02               | cmp                 edx, 2
            //   753d                 | jne                 0x3f

        $sequence_9 = { c744241800000000 c744241c06000000 8d442418 52 6894000000 }
            // n = 5, score = 100
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0
            //   c744241c06000000     | mov                 dword ptr [esp + 0x1c], 6
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   52                   | push                edx
            //   6894000000           | push                0x94

    condition:
        // At least 7 of the 10 opcode sequences must be present, and the file
        // must be smaller than 229376 bytes (224 KiB). The size bound is
        // derived from the documented sample; larger repacks or debug builds
        // would fall outside it.
        7 of them and filesize < 229376
}
[TLP:WHITE] elf_persirai_w0   (20170509 | Detects Persirai Botnet Malware)
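// Hand-written string rule for the Persirai IoT botnet (Trend Micro, 2017).
// Matches ELF files under 300 KiB that carry a mix of generic embedded-Linux
// strings ($x*) and sample-specific strings ($s*); see the condition for how
// the two groups are weighed against each other.
rule elf_persirai_w0 {
    meta:
        description = "Detects Persirai Botnet Malware"
        // Fixed meta key: the original rule spelled this "soure".
        source = "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
        author = "Tim Yeh"
        reference = "Internal Research"
        date = "2017-04-21"
        hash = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai"
        malpedia_version = "20170509"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $x*: supporting indicators. Several of these are common to many
        // embedded-Linux binaries and are weak on their own:
        //  - $x2/$x3: watchdog device nodes, touched by much IoT code and
        //    malware alike (note $x3 is not fullword and is a substring match).
        //  - $x5: looks like a libc printf conversion-specifier table, which
        //    would appear in most statically linked binaries - TODO confirm.
        //  - $x4: port/path fragment tied to the targeted cameras' UPnP
        //    service per the linked write-up - verify against current samples.
        $x1 = "ftpupload.sh" fullword ascii
        $x2 = "/dev/misc/watchdog" fullword ascii
        $x3 = "/dev/watchdog" ascii
        $x4 = ":52869/picsdesc.xml" fullword ascii
        $x5 = "npxXoudifFeEgGaACScs" fullword ascii

        // $s*: sample-specific indicators. $s3/$s4 are 41-character hex
        // strings embedded verbatim in the sample; presumably constants the
        // bot carries (their meaning is not documented here).
        $s1 = "ftptest.cgi" fullword ascii
        $s2 = "set_ftp.cgi" fullword ascii
        $s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" fullword ascii
        $s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" fullword ascii

    condition:
        // uint16(0) is read little-endian, so 0x457f is the first two bytes of
        // the ELF magic ("\x7fE"): only ELF files are considered.
        // Generic $x strings never fire alone: a hit needs one $x plus one
        // sample-specific $s, or two $s strings.
        uint16(0) == 0x457f and filesize < 300KB and ((1 of ($x*) and 1 of ($s*)) or 2 of ($s*))
}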