SYMBOLCOMMON_NAMEaka. SYNONYMS
win.babar (Back to overview)

Babar

aka: SNOWBALL

Actor(s): SNOWGLOBE


There is no description at this point.

References
2017-09-06Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20170906:analysing:a5a6017, author = {Dominik Reichel}, title = {{Analysing a 10-Year-Old SNOWBALL}}, date = {2017-09-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/}, language = {English}, urldate = {2019-12-20} } Analysing a 10-Year-Old SNOWBALL
Babar
2015-02-18CyphortMarion Marschalek
@online{marschalek:20150218:babar:f8c92b6, author = {Marion Marschalek}, title = {{Babar: Suspected Nation State Spyware In The Spotlight}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/}, language = {English}, urldate = {2020-06-08} } Babar: Suspected Nation State Spyware In The Spotlight
Babar Evilbunny SNOWGLOBE
2015-02-18CyphortMarion Marschalek
@online{marschalek:20150218:shooting:91fead0, author = {Marion Marschalek}, title = {{Shooting Elephants}}, date = {2015-02-18}, organization = {Cyphort}, url = {https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/}, language = {English}, urldate = {2020-01-08} } Shooting Elephants
Babar
2011Spiegel OnlineCSE Canada
@techreport{canada:2011:snowglobe:2cf6813, author = {CSE Canada}, title = {{SNOWGLOBE: From Discovery to Attribution}}, date = {2011}, institution = {Spiegel Online}, url = {http://www.spiegel.de/media/media-35683.pdf}, language = {English}, urldate = {2019-12-17} } SNOWGLOBE: From Discovery to Attribution
Babar
Yara Rules
[TLP:WHITE] win_babar_auto (20211008 | Detects win.babar.)
rule win_babar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.babar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bc6 0f848b000000 56 ff7508 e8???????? 8b4508 897704 }
            // n = 7, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f848b000000         | je                  0x91
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   897704               | mov                 dword ptr [edi + 4], esi

        $sequence_1 = { 3bc6 0f84ab000000 8d4dd0 51 }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f84ab000000         | je                  0xb1
            //   8d4dd0               | lea                 ecx, dword ptr [ebp - 0x30]
            //   51                   | push                ecx

        $sequence_2 = { 3bc6 0f84a4000000 8bf8 ff750c }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f84a4000000         | je                  0xaa
            //   8bf8                 | mov                 edi, eax
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_3 = { 3bc6 0f8664ffffff 8144242034030000 ddd8 }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f8664ffffff         | jbe                 0xffffff6a
            //   8144242034030000     | add                 dword ptr [esp + 0x20], 0x334
            //   ddd8                 | fstp                st(0)

        $sequence_4 = { 3bc6 0f84eb000000 8d4dcc 51 }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   0f84eb000000         | je                  0xf1
            //   8d4dcc               | lea                 ecx, dword ptr [ebp - 0x34]
            //   51                   | push                ecx

        $sequence_5 = { 40 eb27 33c0 eb23 }
            // n = 4, score = 400
            //   40                   | inc                 eax
            //   eb27                 | jmp                 0x29
            //   33c0                 | xor                 eax, eax
            //   eb23                 | jmp                 0x25

        $sequence_6 = { 3bc6 1bf6 0faf55f8 8345f404 }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   1bf6                 | sbb                 esi, esi
            //   0faf55f8             | imul                edx, dword ptr [ebp - 8]
            //   8345f404             | add                 dword ptr [ebp - 0xc], 4

        $sequence_7 = { 3bc6 1bf6 f7de 03ce }
            // n = 4, score = 400
            //   3bc6                 | cmp                 eax, esi
            //   1bf6                 | sbb                 esi, esi
            //   f7de                 | neg                 esi
            //   03ce                 | add                 ecx, esi

        $sequence_8 = { 52 e8???????? 83c410 3c01 7530 8b442404 }
            // n = 6, score = 200
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   3c01                 | cmp                 al, 1
            //   7530                 | jne                 0x32
            //   8b442404             | mov                 eax, dword ptr [esp + 4]

        $sequence_9 = { 7506 ff15???????? 6a00 6a00 68???????? 6a00 6a00 }
            // n = 7, score = 200
            //   7506                 | jne                 8
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_10 = { 83e61f 6bf628 8bc1 c1f805 8d3c85a09e0110 8b07 03c6 }
            // n = 7, score = 200
            //   83e61f               | and                 esi, 0x1f
            //   6bf628               | imul                esi, esi, 0x28
            //   8bc1                 | mov                 eax, ecx
            //   c1f805               | sar                 eax, 5
            //   8d3c85a09e0110       | lea                 edi, dword ptr [eax*4 + 0x10019ea0]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c6                 | add                 eax, esi

        $sequence_11 = { 52 e8???????? 8d84247c010000 50 8d4c247c }
            // n = 5, score = 200
            //   52                   | push                edx
            //   e8????????           |                     
            //   8d84247c010000       | lea                 eax, dword ptr [esp + 0x17c]
            //   50                   | push                eax
            //   8d4c247c             | lea                 ecx, dword ptr [esp + 0x7c]

        $sequence_12 = { 8d4501 50 68???????? 53 ff15???????? }
            // n = 5, score = 200
            //   8d4501               | lea                 eax, dword ptr [ebp + 1]
            //   50                   | push                eax
            //   68????????           |                     
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_13 = { 33d2 2bf1 f7f6 03d1 3bdf 8915???????? }
            // n = 6, score = 200
            //   33d2                 | xor                 edx, edx
            //   2bf1                 | sub                 esi, ecx
            //   f7f6                 | div                 esi
            //   03d1                 | add                 edx, ecx
            //   3bdf                 | cmp                 ebx, edi
            //   8915????????         |                     

        $sequence_14 = { b9???????? 8b442418 3bc3 7505 b8???????? }
            // n = 5, score = 200
            //   b9????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   3bc3                 | cmp                 eax, ebx
            //   7505                 | jne                 7
            //   b8????????           |                     

        $sequence_15 = { 8b15???????? 69d2e8030000 52 ff15???????? 33ff e9???????? 8b8c24d0000000 }
            // n = 7, score = 200
            //   8b15????????         |                     
            //   69d2e8030000         | imul                edx, edx, 0x3e8
            //   52                   | push                edx
            //   ff15????????         |                     
            //   33ff                 | xor                 edi, edi
            //   e9????????           |                     
            //   8b8c24d0000000       | mov                 ecx, dword ptr [esp + 0xd0]

    condition:
        7 of them and filesize < 1294336
}
Download all Yara Rules