SYMBOLCOMMON_NAMEaka. SYNONYMS
win.aytoke (Back to overview)

Aytoke


Keylogger.

References
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2014-09-23SnortSnort
@online{snort:20140923:malwarecnc:62903a0, author = {Snort}, title = {{MALWARE-CNC Win.Trojan.Aytoke variant outbound connection}}, date = {2014-09-23}, organization = {Snort}, url = {https://snort.org/rule_docs/1-34217}, language = {English}, urldate = {2021-09-19} } MALWARE-CNC Win.Trojan.Aytoke variant outbound connection
Aytoke
Yara Rules
[TLP:WHITE] win_aytoke_auto (20221125 | Detects win.aytoke.)
rule win_aytoke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.aytoke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1f805 8d3c8500c44100 8bf3 83e61f c1e606 8b07 }
            // n = 6, score = 200
            //   c1f805               | sar                 eax, 5
            //   8d3c8500c44100       | lea                 edi, [eax*4 + 0x41c400]
            //   8bf3                 | mov                 esi, ebx
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_1 = { 47 4d 4d 4d 4d 4d 4d }
            // n = 7, score = 200
            //   47                   | inc                 edi
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp

        $sequence_2 = { 388150744100 7409 41 3bca 7ef3 8be5 }
            // n = 6, score = 200
            //   388150744100         | cmp                 byte ptr [ecx + 0x417450], al
            //   7409                 | je                  0xb
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   7ef3                 | jle                 0xfffffff5
            //   8be5                 | mov                 esp, ebp

        $sequence_3 = { 8d8d20f6ffff 51 8d9548eeffff 68???????? 52 }
            // n = 5, score = 200
            //   8d8d20f6ffff         | lea                 ecx, [ebp - 0x9e0]
            //   51                   | push                ecx
            //   8d9548eeffff         | lea                 edx, [ebp - 0x11b8]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_4 = { 83e71f c1e706 8b048500c44100 8d44380c 50 }
            // n = 5, score = 200
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b048500c44100       | mov                 eax, dword ptr [eax*4 + 0x41c400]
            //   8d44380c             | lea                 eax, [eax + edi + 0xc]
            //   50                   | push                eax

        $sequence_5 = { c1e106 030c9d00c44100 eb02 8bca f641247f 7526 }
            // n = 6, score = 200
            //   c1e106               | shl                 ecx, 6
            //   030c9d00c44100       | add                 ecx, dword ptr [ebx*4 + 0x41c400]
            //   eb02                 | jmp                 4
            //   8bca                 | mov                 ecx, edx
            //   f641247f             | test                byte ptr [ecx + 0x24], 0x7f
            //   7526                 | jne                 0x28

        $sequence_6 = { 43 8945f4 890d???????? 889148764100 83fb03 7e8f 5f }
            // n = 7, score = 200
            //   43                   | inc                 ebx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   890d????????         |                     
            //   889148764100         | mov                 byte ptr [ecx + 0x417648], dl
            //   83fb03               | cmp                 ebx, 3
            //   7e8f                 | jle                 0xffffff91
            //   5f                   | pop                 edi

        $sequence_7 = { 8b4df4 8994b1c8944100 46 8914b5c8944100 }
            // n = 4, score = 200
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8994b1c8944100       | mov                 dword ptr [ecx + esi*4 + 0x4194c8], edx
            //   46                   | inc                 esi
            //   8914b5c8944100       | mov                 dword ptr [esi*4 + 0x4194c8], edx

        $sequence_8 = { e8???????? 83c408 33f6 881d???????? 881d???????? 8935???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   33f6                 | xor                 esi, esi
            //   881d????????         |                     
            //   881d????????         |                     
            //   8935????????         |                     

        $sequence_9 = { 75e9 e9???????? 33c0 8bff 0fb78880374100 66898c05fcfdffff }
            // n = 6, score = 200
            //   75e9                 | jne                 0xffffffeb
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8bff                 | mov                 edi, edi
            //   0fb78880374100       | movzx               ecx, word ptr [eax + 0x413780]
            //   66898c05fcfdffff     | mov                 word ptr [ebp + eax - 0x204], cx

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules