win.aytoke

Aytoke


Keylogger.

References
2020-07-21 | YouTube (OPCDE with Matt Suiche) | Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2014-09-23 | Snort | Snort
@online{snort:20140923:malwarecnc:62903a0, author = {Snort}, title = {{MALWARE-CNC Win.Trojan.Aytoke variant outbound connection}}, date = {2014-09-23}, organization = {Snort}, url = {https://snort.org/rule_docs/1-34217}, language = {English}, urldate = {2021-09-19} } MALWARE-CNC Win.Trojan.Aytoke variant outbound connection
Aytoke
Yara Rules
[TLP:WHITE] win_aytoke_auto (20220516 | Detects win.aytoke.)
rule win_aytoke_auto {
    /* Auto-generated Malpedia/YARA-Signator rule for the win.aytoke family.
     * Detection rests entirely on the ten hex byte sequences in `strings`;
     * there is no PE-header or import-based logic. Each `??` wildcards one
     * byte; the generator places them on the operands of e8/e9 (call/jmp
     * rel32), ff15 and 68 (presumably relocation-sensitive immediates), so a
     * sample linked at a different address can still match on the opcodes.
     * The rule fires when at least seven sequences are present and the
     * scanned object is smaller than 425984 bytes (416 KiB); see `condition`.
     * Because the rule text is tracked by malpedia_hash/malpedia_version,
     * the code tokens below are kept byte-identical to the published rule.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.aytoke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence is annotated by the generator with its length (n),
        // its selection score, and the x86 disassembly of the matched bytes.
        $sequence_0 = { 3b7d14 7d0f 8a16 8b85d8fbffff }
            // n = 4, score = 200
            //   3b7d14               | cmp                 edi, dword ptr [ebp + 0x14]
            //   7d0f                 | jge                 0x11
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   8b85d8fbffff         | mov                 eax, dword ptr [ebp - 0x428]

        $sequence_1 = { 1e 1f 2021 2223 244d 4d 4d }
            // n = 7, score = 200
            //   1e                   | push                ds
            //   1f                   | pop                 ds
            //   2021                 | and                 byte ptr [ecx], ah
            //   2223                 | and                 ah, byte ptr [ebx]
            //   244d                 | and                 al, 0x4d
            //   4d                   | dec                 ebp
            //   4d                   | dec                 ebp
            // NOTE(review): the disassembly above (push ds / pop ds, byte-wise
            // ands on consecutive values 0x1e..0x24, then "MM") reads more like
            // a data or table fragment than executable code; treat this string
            // as a weaker discriminator than the others when assigning
            // confidence — confirm against the source sample.

        $sequence_2 = { 75e9 e9???????? 33c0 8bff 0fb78808374100 66898c05fcfdffff 83c002 }
            // n = 7, score = 200
            //   75e9                 | jne                 0xffffffeb
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8bff                 | mov                 edi, edi
            //   0fb78808374100       | movzx               ecx, word ptr [eax + 0x413708]
            //   66898c05fcfdffff     | mov                 word ptr [ebp + eax - 0x204], cx
            //   83c002               | add                 eax, 2
            // NOTE(review): the movzx operand embeds the absolute address
            // 0x413708 un-wildcarded; presumably tied to this build's image
            // base, so a rebased or recompiled sample may miss this string.

        $sequence_3 = { c70016000000 e8???????? 895de0 395de0 }
            // n = 4, score = 200
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   395de0               | cmp                 dword ptr [ebp - 0x20], ebx

        $sequence_4 = { 50 e8???????? 59 83f8ff 741b }
            // n = 5, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83f8ff               | cmp                 eax, -1
            //   741b                 | je                  0x1d

        $sequence_5 = { 8b10 ffd2 8b8594f9ffff 50 ff15???????? }
            // n = 5, score = 200
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   ffd2                 | call                edx
            //   8b8594f9ffff         | mov                 eax, dword ptr [ebp - 0x66c]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 88500a 8d85e0fdffff 68???????? 50 e8???????? 8bf0 83c408 }
            // n = 7, score = 200
            //   88500a               | mov                 byte ptr [eax + 0xa], dl
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c408               | add                 esp, 8

        $sequence_7 = { 8b4e04 8d95bcf9ffff 52 8d85f8f9ffff }
            // n = 4, score = 200
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8d95bcf9ffff         | lea                 edx, [ebp - 0x644]
            //   52                   | push                edx
            //   8d85f8f9ffff         | lea                 eax, [ebp - 0x608]

        $sequence_8 = { 7409 8b34b560884100 eb07 8b34b52c884100 }
            // n = 4, score = 200
            //   7409                 | je                  0xb
            //   8b34b560884100       | mov                 esi, dword ptr [esi*4 + 0x418860]
            //   eb07                 | jmp                 9
            //   8b34b52c884100       | mov                 esi, dword ptr [esi*4 + 0x41882c]
            // NOTE(review): both table loads embed absolute addresses
            // (0x418860 / 0x41882c) un-wildcarded — same build-specific
            // caveat as $sequence_2.

        $sequence_9 = { 0f84ff000000 e8???????? ff4804 7811 e8???????? 8bd0 }
            // n = 6, score = 200
            //   0f84ff000000         | je                  0x105
            //   e8????????           |                     
            //   ff4804               | dec                 dword ptr [eax + 4]
            //   7811                 | js                  0x13
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax

    condition:
        // Match threshold: any 7 of the 10 $sequence_* strings, and the
        // scanned object must be under 425984 bytes (416 KiB). No MZ/PE
        // header check is applied, so memory dumps and unpacked buffers
        // (the generator's data source, per the disclaimer above) stay in
        // scope; the size bound is the only structural constraint.
        7 of them and filesize < 425984
}