Banjori (Malware Family)

Banjori

aka: MultiBanker 2, BankPatch, BackPatcher
There is no description at this point.
References

2016-05-02 ⋅ John Bambenek ⋅ John Bambenek
OSINT Feed
Mirai Banjori
2015-02-10 ⋅ Johannes Bader's Blog ⋅ Johannes Bader
The DGA of Banjori
Banjori
2013-05-21 ⋅ Kleissner & Associates ⋅ Peter Kleissner
News on MultiBanker, features now a jabber p2p functionality
Banjori
2013-03-26 ⋅ Kleissner & Associates ⋅ Peter Kleissner
Behind MultiBanker, what the security industry doesn’t tell you and its money mule network
Banjori
Yara Rules

[TLP:WHITE] win_banjori_auto (20211008 | Detects win.banjori.)
rule win_banjori_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.banjori."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75e8 ff15???????? 0345b8 c640ff5c 8945dc 68???????? ff75ec }
            // n = 7, score = 100
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff15????????         |                     
            //   0345b8               | add                 eax, dword ptr [ebp - 0x48]
            //   c640ff5c             | mov                 byte ptr [eax - 1], 0x5c
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   68????????           |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]

        $sequence_1 = { 813f68747470 7503 83c707 0fb607 0fb64f03 03c1 50 }
            // n = 7, score = 100
            //   813f68747470         | cmp                 dword ptr [edi], 0x70747468
            //   7503                 | jne                 5
            //   83c707               | add                 edi, 7
            //   0fb607               | movzx               eax, byte ptr [edi]
            //   0fb64f03             | movzx               ecx, byte ptr [edi + 3]
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax

        $sequence_2 = { 6561 7475 7265 20786d 6c 6e }
            // n = 6, score = 100
            //   6561                 | popal               
            //   7475                 | je                  0x77
            //   7265                 | jb                  0x67
            //   20786d               | and                 byte ptr [eax + 0x6d], bh
            //   6c                   | insb                byte ptr es:[edi], dx
            //   6e                   | outsb               dx, byte ptr [esi]

        $sequence_3 = { 8d440101 ff75e0 50 e8???????? ff75f0 e8???????? 68???????? }
            // n = 7, score = 100
            //   8d440101             | lea                 eax, dword ptr [ecx + eax + 1]
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_4 = { 83f864 0f82c2000000 40 50 6a40 ff15???????? 8985a0feffff }
            // n = 7, score = 100
            //   83f864               | cmp                 eax, 0x64
            //   0f82c2000000         | jb                  0xc8
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8985a0feffff         | mov                 dword ptr [ebp - 0x160], eax

        $sequence_5 = { a3???????? 890d???????? 6a04 8d45f0 50 6a04 53 }
            // n = 7, score = 100
            //   a3????????           |                     
            //   890d????????         |                     
            //   6a04                 | push                4
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   6a04                 | push                4
            //   53                   | push                ebx

        $sequence_6 = { 6561 7475 7265 20786d 6c 6e 733d }
            // n = 7, score = 100
            //   6561                 | popal               
            //   7475                 | je                  0x77
            //   7265                 | jb                  0x67
            //   20786d               | and                 byte ptr [eax + 0x6d], bh
            //   6c                   | insb                byte ptr es:[edi], dx
            //   6e                   | outsb               dx, byte ptr [esi]
            //   733d                 | jae                 0x3f

        $sequence_7 = { 6a01 53 68???????? ff35???????? ff15???????? ff75f0 e8???????? }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     

        $sequence_8 = { 74df f785bafeffff10000000 74d3 68???????? ffb5a8feffff ff15???????? 8d85e6feffff }
            // n = 7, score = 100
            //   74df                 | je                  0xffffffe1
            //   f785bafeffff10000000     | test    dword ptr [ebp - 0x146], 0x10
            //   74d3                 | je                  0xffffffd5
            //   68????????           |                     
            //   ffb5a8feffff         | push                dword ptr [ebp - 0x158]
            //   ff15????????         |                     
            //   8d85e6feffff         | lea                 eax, dword ptr [ebp - 0x11a]

        $sequence_9 = { 50 ff15???????? 8d45e8 50 6819000200 6a00 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules
Banjori Propose Change

References

Yara Rules

Banjori
