win.ariabody

Aria-body

Actor(s): Naikon


No description has been written for this family yet. The references below (Check Point Research and Kaspersky GReAT, both May 2020, plus a 2021 write-up on the Aria-body loader) are the primary analyses of the Aria-body backdoor attributed to the Naikon actor.

References
2021-09-29 — Medium (BlueMonkey) — BlueMonkey
@online{bluemonkey:20210929:ariabody:49911f8, author = {BlueMonkey}, title = {{Aria-Body Loader? Is that you?}}, date = {2021-09-29}, organization = {Medium BlueMonkey}, url = {https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1}, language = {English}, urldate = {2021-10-20} } Aria-Body Loader? Is that you?
Aria-body
2020-05-08 — Kaspersky Labs — GReAT
@online{great:20200508:naikons:f1646a6, author = {GReAT}, title = {{Naikon’s Aria}}, date = {2020-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/naikons-aria/96899/}, language = {English}, urldate = {2020-07-06} } Naikon’s Aria
Aria-body
2020-05-07 — Checkpoint — Check Point Research
@online{research:20200507:naikon:7449e41, author = {Check Point Research}, title = {{Naikon APT: Cyber Espionage Reloaded}}, date = {2020-05-07}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/}, language = {English}, urldate = {2020-05-07} } Naikon APT: Cyber Espionage Reloaded
Aria-body
Yara Rules
[TLP:WHITE] win_ariabody_auto (20211008 | Detects win.ariabody.)
rule win_ariabody_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.ariabody."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - $sequence_0 .. $sequence_7 (score 300) are 32-bit x86 code.
     *   $sequence_8 .. $sequence_15 (score 100) carry REX prefixes (0x40-0x4f)
     *   and RIP-relative operands, i.e. they were taken from an x86-64 sample.
     *   The generator annotated those eight sequences with a 32-bit
     *   disassembly, which shifted the comments out of step with the bytes
     *   (e.g. "c78424440200002d416765" was labelled "mov ebp, edx"). The
     *   comments on the 64-bit sequences below were re-derived by hand from
     *   the hex; the hex strings and the condition are unchanged.
     * - Two samples of different bitness contributed the two groups. A single
     *   32-bit or 64-bit binary will in practice only match its own group, so
     *   "7 of them" means 7 of the 8 sequences for that bitness must be present.
     *   Several 4-byte sequences ($sequence_1, $sequence_5, $sequence_7) are
     *   ordinary compiler output and carry little weight on their own; the
     *   "7 of" threshold is what makes the rule specific.
     * - "filesize < 253952" (248 KiB) bounds the object being scanned. Because
     *   the sequences come from memory dumps and unpacked files, a packed
     *   on-disk dropper, or a dump/unpacked image larger than 248 KiB, is not
     *   expected to match; scan unpacked payloads or process memory.
     * - "e8????????" wildcards the 4-byte rel32 of a call, so those sequences
     *   are position-independent; jump targets in the comments follow the
     *   generator's convention of decoding each instruction at offset 0
     *   (e.g. "eb13" -> "jmp 0x15"), not a real address.
     */

    strings:
        $sequence_0 = { 8bf8 893e eb13 8b16 8bcf e8???????? 8906 }
            // n = 7, score = 300
            //   8bf8                 | mov                 edi, eax
            //   893e                 | mov                 dword ptr [esi], edi
            //   eb13                 | jmp                 0x15
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_1 = { 8d0c30 ffd1 8bc6 5f }
            // n = 4, score = 300
            //   8d0c30               | lea                 ecx, dword ptr [eax + esi]
            //   ffd1                 | call                ecx
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            // note: indirect call through a computed address (eax + esi);
            // generic enough that it should never be relied on alone.

        $sequence_2 = { 7406 3ac3 7402 32c3 88040a 41 }
            // n = 6, score = 300
            //   7406                 | je                  8
            //   3ac3                 | cmp                 al, bl
            //   7402                 | je                  4
            //   32c3                 | xor                 al, bl
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   41                   | inc                 ecx
            // note: conditional byte XOR -- al ^= bl unless al == bl (or the
            // earlier, not-visible test took the first je), then store at
            // [edx + ecx] and advance ecx. Looks like the body of a single-byte
            // XOR decode loop that leaves key-valued bytes untouched; the loop
            // head is not part of this sequence -- confirm against the sample.

        $sequence_3 = { 56 8d55fc 03f9 e8???????? }
            // n = 4, score = 300
            //   56                   | push                esi
            //   8d55fc               | lea                 edx, dword ptr [ebp - 4]
            //   03f9                 | add                 edi, ecx
            //   e8????????           |                     

        $sequence_4 = { 03c7 50 ff5204 8b1e }
            // n = 4, score = 300
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff5204               | call                dword ptr [edx + 4]
            //   8b1e                 | mov                 ebx, dword ptr [esi]
            // note: call through the second slot of a table pointed to by edx
            // (vtable- or API-table-style dispatch; which table is not visible here).

        $sequence_5 = { 50 8d040a 50 57 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   8d040a               | lea                 eax, dword ptr [edx + ecx]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_6 = { 8901 33c0 40 5b 5e 5f }
            // n = 6, score = 300
            //   8901                 | mov                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            // note: stores a result through ecx, sets eax = 1 and restores
            // callee-saved registers -- a function epilogue returning TRUE/1.

        $sequence_7 = { 8bcf 0fb6c0 50 ff75fc }
            // n = 4, score = 300
            //   8bcf                 | mov                 ecx, edi
            //   0fb6c0               | movzx               eax, al
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]

        // ---- x86-64 sequences (score 100); comments corrected, see NOTE(review) ----

        $sequence_8 = { c78424440200002d416765 c78424480200006e743a20 c784244c0200004d6f7a69 c78424500200006c6c612f }
            // n = 4, score = 100
            //   c78424440200002d416765 | mov                 dword ptr [rsp + 0x244], 0x6567412d   ; "-Age"
            //   c78424480200006e743a20 | mov                 dword ptr [rsp + 0x248], 0x203a746e   ; "nt: "
            //   c784244c0200004d6f7a69 | mov                 dword ptr [rsp + 0x24c], 0x697a6f4d   ; "Mozi"
            //   c78424500200006c6c612f | mov                 dword ptr [rsp + 0x250], 0x2f616c6c   ; "lla/"
            // note: stack string -- the four immediates are the ASCII bytes
            // "-Agent: Mozilla/" written to consecutive dwords at rsp+0x244.
            // Consistent with a "User-Agent: Mozilla/..." HTTP header being
            // assembled on the stack (the preceding "User" dword is not in the
            // sequence). Stack-built strings of this kind defeat plain string
            // scanning of the binary, which is why the byte pattern is matched.

        $sequence_9 = { 488d05ffb40000 4a8b0ce8 41f6440c0880 0f84cb020000 33db 4d8bee }
            // n = 6, score = 100
            //   488d05ffb40000       | lea                 rax, [rip + 0xb4ff]
            //   4a8b0ce8             | mov                 rcx, qword ptr [rax + r13*8]
            //   41f6440c0880         | test                byte ptr [r12 + rcx + 8], 0x80
            //   0f84cb020000         | je                  0x2d1
            //   33db                 | xor                 ebx, ebx
            //   4d8bee               | mov                 r13, r14
            // note: indexes an 8-byte table at a RIP-relative address with r13,
            // then tests the top bit of a byte at +8 in the referenced object.

        $sequence_10 = { 488d15967b0000 488d0d877b0000 e8???????? 90 }
            // n = 4, score = 100
            //   488d15967b0000       | lea                 rdx, [rip + 0x7b96]
            //   488d0d877b0000       | lea                 rcx, [rip + 0x7b87]
            //   e8????????           | call                (rel32 wildcarded)
            //   90                   | nop
            // note: two RIP-relative addresses loaded as the first two x64
            // call arguments (rcx, rdx); the call target is wildcarded.

        $sequence_11 = { 4b8b8cea808a0100 8a443108 84c0 0f8935030000 }
            // n = 4, score = 100
            //   4b8b8cea808a0100     | mov                 rcx, qword ptr [r10 + r13*8 + 0x18a80]
            //   8a443108             | mov                 al, byte ptr [rcx + rsi + 8]
            //   84c0                 | test                al, al
            //   0f8935030000         | jns                 0x33b
            // note: pointer-table lookup (8-byte stride, base r10 + 0x18a80),
            // then a sign test on a byte at +8 of the selected entry.

        $sequence_12 = { 4889d5 0fb703 3d4d5a0000 7413 33c0 4883c458 5d }
            // n = 7, score = 100
            //   4889d5               | mov                 rbp, rdx
            //   0fb703               | movzx               eax, word ptr [rbx]
            //   3d4d5a0000           | cmp                 eax, 0x5a4d   ; "MZ"
            //   7413                 | je                  0x15
            //   33c0                 | xor                 eax, eax
            //   4883c458             | add                 rsp, 0x58
            //   5d                   | pop                 rbp
            // note: compares the first 16-bit word at [rbx] with 0x5a4d, the
            // DOS header magic "MZ", and returns 0 on mismatch. Presumably a
            // check on an in-memory PE image before further parsing -- confirm
            // against the sample.

        $sequence_13 = { ba00000080 884101 4533c9 884102 }
            // n = 4, score = 100
            //   ba00000080           | mov                 edx, 0x80000000
            //   884101               | mov                 byte ptr [rcx + 1], al
            //   4533c9               | xor                 r9d, r9d
            //   884102               | mov                 byte ptr [rcx + 2], al
            // note: edx = 0x80000000 and r9d = 0 set up as the 2nd and 4th x64
            // call arguments around two byte stores; what is called is not visible.

        $sequence_14 = { 488945e7 4883f8ff 753b 48630b 4c8d2d88a00000 488bc1 }
            // n = 6, score = 100
            //   488945e7             | mov                 qword ptr [rbp - 0x19], rax
            //   4883f8ff             | cmp                 rax, -1
            //   753b                 | jne                 0x3d
            //   48630b               | movsxd              rcx, dword ptr [rbx]
            //   4c8d2d88a00000       | lea                 r13, [rip + 0xa088]
            //   488bc1               | mov                 rax, rcx
            // note: saves rax to a local and tests it against -1
            // (INVALID_HANDLE_VALUE-style sentinel) -- the call that produced
            // rax precedes the sequence and is not visible here.

        $sequence_15 = { 4881ec10010000 4989cf 4889e2 b0c0 888424b8000000 }
            // n = 5, score = 100
            //   4881ec10010000       | sub                 rsp, 0x110
            //   4989cf               | mov                 r15, rcx
            //   4889e2               | mov                 rdx, rsp
            //   b0c0                 | mov                 al, 0xc0
            //   888424b8000000       | mov                 byte ptr [rsp + 0xb8], al
            // note: function prologue reserving 0x110 bytes, keeping the first
            // argument in r15 and passing the stack buffer (rsp) as an argument;
            // the 0xc0 byte stored at rsp+0xb8 is a fixed marker whose meaning
            // is not visible from this sequence.

    condition:
        7 of them and filesize < 253952
}