Banjori (Malware Family)

Banjori

aka: MultiBanker 2, BankPatch, BackPatcher
There is no description at this point.
References

2016-05-02 ⋅ John Bambenek ⋅ John Bambenek
OSINT Feed
Mirai Banjori
2015-02-10 ⋅ Johannes Bader's Blog ⋅ Johannes Bader
The DGA of Banjori
Banjori
2013-05-21 ⋅ Kleissner & Associates ⋅ Peter Kleissner
News on MultiBanker, features now a jabber p2p functionality
Banjori
2013-03-26 ⋅ Kleissner & Associates ⋅ Peter Kleissner
Behind MultiBanker, what the security industry doesn’t tell you and its money mule network
Banjori
Yara Rules

[TLP:WHITE] win_banjori_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_banjori_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 895df0 e8???????? 68e8030000 ff15???????? e9???????? 8d3df2129500 68e8030000 }
            // n = 7, score = 100
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   e8????????           |                     
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8d3df2129500         | lea                 edi, [0x9512f2]
            //   68e8030000           | push                0x3e8

        $sequence_1 = { 85c0 0f84c6000000 8985fcfbffff 8b503c }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f84c6000000         | je                  0xcc
            //   8985fcfbffff         | mov                 dword ptr [ebp - 0x404], eax
            //   8b503c               | mov                 edx, dword ptr [eax + 0x3c]

        $sequence_2 = { 85c0 741a 395d10 7415 6a04 8d45f4 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   395d10               | cmp                 dword ptr [ebp + 0x10], ebx
            //   7415                 | je                  0x17
            //   6a04                 | push                4
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_3 = { 53 68???????? ff35???????? e8???????? 85c0 7834 3d64696a6e }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7834                 | js                  0x36
            //   3d64696a6e           | cmp                 eax, 0x6e6a6964

        $sequence_4 = { 7503 ff45f8 368a8428f8feffff 0facc306 c1ea08 8ac2 3c3d }
            // n = 7, score = 100
            //   7503                 | jne                 5
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   368a8428f8feffff     | mov                 al, byte ptr ss:[eax + ebp - 0x108]
            //   0facc306             | shrd                ebx, eax, 6
            //   c1ea08               | shr                 edx, 8
            //   8ac2                 | mov                 al, dl
            //   3c3d                 | cmp                 al, 0x3d

        $sequence_5 = { e8???????? 83bd3cfeffff08 7317 68e8030000 682c010000 e8???????? 0f857c010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83bd3cfeffff08       | cmp                 dword ptr [ebp - 0x1c4], 8
            //   7317                 | jae                 0x19
            //   68e8030000           | push                0x3e8
            //   682c010000           | push                0x12c
            //   e8????????           |                     
            //   0f857c010000         | jne                 0x182

        $sequence_6 = { ff75d8 ff75e0 68???????? ff75e4 ff15???????? 83c420 8bf0 }
            // n = 7, score = 100
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   68????????           |                     
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ff15????????         |                     
            //   83c420               | add                 esp, 0x20
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { 68e8030000 ff15???????? ebdc ff7508 6a01 53 }
            // n = 6, score = 100
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   ebdc                 | jmp                 0xffffffde
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a01                 | push                1
            //   53                   | push                ebx

        $sequence_8 = { c745ec80000000 8b4ddc 8919 8d45ec 50 51 53 }
            // n = 7, score = 100
            //   c745ec80000000       | mov                 dword ptr [ebp - 0x14], 0x80
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8919                 | mov                 dword ptr [ecx], ebx
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_9 = { eb0c ab ff75f0 e8???????? 8b45fc 5e 5f }
            // n = 7, score = 100
            //   eb0c                 | jmp                 0xe
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

    condition:
        7 of them and filesize < 139264
}
Download all Yara Rules
Banjori Propose Change

References

Yara Rules

Banjori
