SYMBOLCOMMON_NAMEaka. SYNONYMS
win.aytoke (Back to overview)

Aytoke


Keylogger.

References
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2014-09-23SnortSnort
@online{snort:20140923:malwarecnc:62903a0, author = {Snort}, title = {{MALWARE-CNC Win.Trojan.Aytoke variant outbound connection}}, date = {2014-09-23}, organization = {Snort}, url = {https://snort.org/rule_docs/1-34217}, language = {English}, urldate = {2021-09-19} } MALWARE-CNC Win.Trojan.Aytoke variant outbound connection
Aytoke
Yara Rules
[TLP:WHITE] win_aytoke_auto (20211008 | Detects win.aytoke.)
rule win_aytoke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.aytoke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb12 8b45e0 8a804c814100 08443b1d 0fb64601 47 }
            // n = 6, score = 200
            //   eb12                 | jmp                 0x14
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8a804c814100         | mov                 al, byte ptr [eax + 0x41814c]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]
            //   47                   | inc                 edi

        $sequence_1 = { 8d4f01 42 3bc1 7c17 8d642400 3b148d68a44100 }
            // n = 6, score = 200
            //   8d4f01               | lea                 ecx, dword ptr [edi + 1]
            //   42                   | inc                 edx
            //   3bc1                 | cmp                 eax, ecx
            //   7c17                 | jl                  0x19
            //   8d642400             | lea                 esp, dword ptr [esp]
            //   3b148d68a44100       | cmp                 edx, dword ptr [ecx*4 + 0x41a468]

        $sequence_2 = { c1f805 8bcf 83e11f c1e106 8b048500c44100 }
            // n = 5, score = 200
            //   c1f805               | sar                 eax, 5
            //   8bcf                 | mov                 ecx, edi
            //   83e11f               | and                 ecx, 0x1f
            //   c1e106               | shl                 ecx, 6
            //   8b048500c44100       | mov                 eax, dword ptr [eax*4 + 0x41c400]

        $sequence_3 = { 83f8ff 0f847b000000 8b8dd4fbffff 51 }
            // n = 4, score = 200
            //   83f8ff               | cmp                 eax, -1
            //   0f847b000000         | je                  0x81
            //   8b8dd4fbffff         | mov                 ecx, dword ptr [ebp - 0x42c]
            //   51                   | push                ecx

        $sequence_4 = { 56 6a10 68???????? e8???????? 56 e8???????? 83c414 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   6a10                 | push                0x10
            //   68????????           |                     
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_5 = { 68???????? 52 e8???????? 83c40c 85c0 0f8527130000 8d8508faffff }
            // n = 7, score = 200
            //   68????????           |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f8527130000         | jne                 0x132d
            //   8d8508faffff         | lea                 eax, dword ptr [ebp - 0x5f8]

        $sequence_6 = { 48 85c0 7ff1 eb0a 33c9 66890c45d88a4100 e8???????? }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff1                 | jg                  0xfffffff3
            //   eb0a                 | jmp                 0xc
            //   33c9                 | xor                 ecx, ecx
            //   66890c45d88a4100     | mov                 word ptr [eax*2 + 0x418ad8], cx
            //   e8????????           |                     

        $sequence_7 = { 7ef3 8be5 5d c3 8b148d68a44100 }
            // n = 5, score = 200
            //   7ef3                 | jle                 0xfffffff5
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b148d68a44100       | mov                 edx, dword ptr [ecx*4 + 0x41a468]

        $sequence_8 = { eb0c 68???????? 8d8520f6ffff 50 ff15???????? 83c408 }
            // n = 6, score = 200
            //   eb0c                 | jmp                 0xe
            //   68????????           |                     
            //   8d8520f6ffff         | lea                 eax, dword ptr [ebp - 0x9e0]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8

        $sequence_9 = { 0f84ff000000 e8???????? ff4804 7811 e8???????? 8bd0 }
            // n = 6, score = 200
            //   0f84ff000000         | je                  0x105
            //   e8????????           |                     
            //   ff4804               | dec                 dword ptr [eax + 4]
            //   7811                 | js                  0x13
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules