win.adylkuzz

Adylkuzz


There is no description at this point. The only reference listed below (Proofpoint, 2017-05-15) characterizes Adylkuzz as cryptocurrency-mining malware that spread via the EternalBlue/DoublePulsar SMB exploit chain; no further detail is provided on this page.

References
2017-05-15 — Proofpoint — Kafeine
@online{kafeine:20170515:adylkuzz:c94b40e, author = {Kafeine}, title = {{Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar}}, date = {2017-05-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar}, language = {English}, urldate = {2019-12-20} } Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar
Adylkuzz
Yara Rules
[TLP:WHITE] win_adylkuzz_auto (20230407 | Detects win.adylkuzz.)
// Auto-generated (YARA-Signator) code-sequence signature for the Adylkuzz
// family. Ten seven-instruction byte sequences were lifted from disassembly
// of Malpedia's sample(s); the rule fires when at least 7 of the 10 occur in
// a file smaller than 6438912 bytes (~6.14 MiB). Per the DISCLAIMER below,
// the sequences may reflect a single sample, so treat hits as a family
// indicator to be corroborated rather than a definitive verdict.
rule win_adylkuzz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.adylkuzz."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // "callsandjumps;datarefs;binvalue": the generator masks call/jump
        // targets and data references with ?? wildcards (see $sequence_1,
        // $sequence_5, $sequence_9) so the patterns survive relocation.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz"
        malpedia_rule_date = "20230328"
        // Hash identifies the exact rule text as published; editing strings
        // or the condition below makes this rule diverge from that version.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Flag-only instructions (clc, cmc) interleaved with compares whose
        // results are never consumed here; NOTE(review): this looks like
        // junk/obfuscation code rather than program logic, which can be
        // specific to one sample's protector layer — confirm across samples.
        $sequence_0 = { f8 81ed02000000 663bdc f5 6689442500 81ee04000000 660fa3f8 }
            // n = 7, score = 100
            //   f8                   | clc
            //   81ed02000000         | sub                 ebp, 2
            //   663bdc               | cmp                 bx, sp
            //   f5                   | cmc
            //   6689442500           | mov                 word ptr [ebp], ax
            //   81ee04000000         | sub                 esi, 4
            //   660fa3f8             | bt                  ax, di

        // Call-site setup: arguments written to [esp+N] rather than pushed,
        // followed by a masked (????????) call target and a 0x2c stack
        // cleanup. NOTE(review): this mov-to-[esp] convention is typical of
        // GCC/MinGW output — confirm against the sample's compiler.
        $sequence_1 = { c744240800000000 c7442404???????? 891c24 e8???????? 85c0 7513 83c42c }
            // n = 7, score = 100
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   c7442404????????     |
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   83c42c               | add                 esp, 0x2c

        // Bit-test loop: builds (1 << cl) and tests it against the constant
        // mask 0x1e18000, looping backwards via the short jumps.
        $sequence_2 = { eb86 b801000000 d3e0 a90080e101 7509 a801 74e7 }
            // n = 7, score = 100
            //   eb86                 | jmp                 0xffffff88
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   a90080e101           | test                eax, 0x1e18000
            //   7509                 | jne                 0xb
            //   a801                 | test                al, 1
            //   74e7                 | je                  0xffffffe9

        // Another run of compares/NOTs/clc with no consumer in the sequence;
        // same caveat as $sequence_0 (presumed junk code — verify).
        $sequence_3 = { f7c4b64da62b 663bfd 66f7d0 3bf0 f8 66f7d1 3be0 }
            // n = 7, score = 100
            //   f7c4b64da62b         | test                esp, 0x2ba64db6
            //   663bfd               | cmp                 di, bp
            //   66f7d0               | not                 ax
            //   3bf0                 | cmp                 esi, eax
            //   f8                   | clc
            //   66f7d1               | not                 cx
            //   3be0                 | cmp                 esp, eax

        // stc/not/sub/rol/xor chain on eax mixed with flag-only instructions;
        // could be part of a decoding/hashing routine or further junk code —
        // NOTE(review): cannot tell from the bytes alone, confirm in context.
        $sequence_4 = { f9 f7d0 2d064cd540 c1c002 6681fe3d41 f8 33d8 }
            // n = 7, score = 100
            //   f9                   | stc
            //   f7d0                 | not                 eax
            //   2d064cd540           | sub                 eax, 0x40d54c06
            //   c1c002               | rol                 eax, 2
            //   6681fe3d41           | cmp                 si, 0x413d
            //   f8                   | clc
            //   33d8                 | xor                 ebx, eax

        // Two masked calls around a call-site setup that passes esi, -1 and a
        // pointer to a local at [ebp-0x22c], then checks that local for 0.
        $sequence_5 = { e8???????? 8d85d4fdffff c7442404ffffffff 893424 89442408 e8???????? 83bdd4fdffff00 }
            // n = 7, score = 100
            //   e8????????           |
            //   8d85d4fdffff         | lea                 eax, [ebp - 0x22c]
            //   c7442404ffffffff     | mov                 dword ptr [esp + 4], 0xffffffff
            //   893424               | mov                 dword ptr [esp], esi
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   e8????????           |
            //   83bdd4fdffff00       | cmp                 dword ptr [ebp - 0x22c], 0

        // Structure access through ebx: loads a dword at +0x10 and a byte at
        // +0x74, and computes eax + edi*8 (an 8-byte-element index).
        $sequence_6 = { 8b4310 8944241c 8d04f8 89c2 89442414 8a4374 88c1 }
            // n = 7, score = 100
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8d04f8               | lea                 eax, [eax + edi*8]
            //   89c2                 | mov                 edx, eax
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8a4374               | mov                 al, byte ptr [ebx + 0x74]
            //   88c1                 | mov                 cl, al

        // Compares eax against two fixed 32-bit constants (0x662d3c79,
        // 0xe33ee463) and branches; NOTE(review): the shape suggests a
        // hash-based lookup (e.g. API hashing), but the constants' meaning
        // is not established here.
        $sequence_7 = { eb0c 3d793c2d66 740b 3d63e43ee3 7404 31d2 eb05 }
            // n = 7, score = 100
            //   eb0c                 | jmp                 0xe
            //   3d793c2d66           | cmp                 eax, 0x662d3c79
            //   740b                 | je                  0xd
            //   3d63e43ee3           | cmp                 eax, 0xe33ee463
            //   7404                 | je                  6
            //   31d2                 | xor                 edx, edx
            //   eb05                 | jmp                 7

        // Disassembles to fstpnce/pushal/outsb/imul bh/adc/dec/pop — not a
        // plausible instruction stream, so these 7 bytes are most likely a
        // data region that the generator treated as code. Lowest-confidence
        // pattern of the ten; a 7-byte literal is also more prone to chance
        // matches than the longer sequences.
        $sequence_8 = { d9dd 60 6e f6ef 14df 4b 5f }
            // n = 7, score = 100
            //   d9dd                 | fstpnce             st(5), st(0)
            //   60                   | pushal
            //   6e                   | outsb               dx, byte ptr [esi]
            //   f6ef                 | imul                bh
            //   14df                 | adc                 al, 0xdf
            //   4b                   | dec                 ebx
            //   5f                   | pop                 edi

        // Call-site passing ebx on the stack and esi/edi/eax in registers,
        // with the same 0x2c stack cleanup seen in $sequence_1, followed by
        // an epilogue pop.
        $sequence_9 = { 891c24 89c1 89fa 89f0 e8???????? 83c42c 5b }
            // n = 7, score = 100
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89c1                 | mov                 ecx, eax
            //   89fa                 | mov                 edx, edi
            //   89f0                 | mov                 eax, esi
            //   e8????????           |
            //   83c42c               | add                 esp, 0x2c
            //   5b                   | pop                 ebx

    condition:
        // At least 7 of the 10 sequences must match, so up to 3 (e.g. the
        // suspected junk-code/data patterns above) may be absent. The size
        // cap limits scanning of large files. NOTE(review): the strings were
        // derived from memory dumps, yet `filesize` is evaluated here — when
        // scanning a live process image rather than a file, `filesize` may be
        // undefined in some YARA versions and the condition would then never
        // hold; confirm for your scanner before relying on this in memory.
        7 of them and filesize < 6438912
}