win.byeby

BYEBY

Actor(s): Calypso group, Karma Panda


There is no description at this point.

References
2020-05-14 — ESET Research — Peter Kálnai
@online{klnai:20200514:mikroceen:b259a8c, author = {Peter Kálnai}, title = {{Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia}}, date = {2020-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/}, language = {English}, urldate = {2020-05-14} } Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
BYEBY Microcin Microcin
2020-05-14 — Avast Decoded — Luigino Camastra
@online{camastra:20200514:planted:03eab5a, author = {Luigino Camastra}, title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}}, date = {2020-05-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/}, language = {English}, urldate = {2020-05-14} } APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Microcin Microcin
2020-03-12 — Check Point — Check Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2019-10-31 — PTSecurity — PTSecurity
@online{ptsecurity:20191031:calypso:adaf761, author = {PTSecurity}, title = {{Calypso APT: new group attacking state institutions}}, date = {2019-10-31}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/}, language = {English}, urldate = {2020-01-12} } Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX
2017-09-28 — Palo Alto Networks Unit 42 — Josh Grunzweig, Robert Falcone
@online{grunzweig:20170928:threat:835bf8e, author = {Josh Grunzweig and Robert Falcone}, title = {{Threat Actors Target Government of Belarus Using CMSTAR Trojan}}, date = {2017-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan}, language = {English}, urldate = {2019-12-20} } Threat Actors Target Government of Belarus Using CMSTAR Trojan
BYEBY CMSTAR
Yara Rules
[TLP:WHITE] win_byeby_auto (20211008 | Detects win.byeby.)
rule win_byeby_auto {

    /* Autogenerated code-sequence rule for the win.byeby family (Malpedia).
     * It carries ten short x86 instruction sequences ($sequence_0..$sequence_9)
     * lifted from disassembly of unpacked samples / memory dumps, and matches
     * when at least 7 of them occur in a file smaller than 253952 bytes
     * (248 KiB); see the condition at the end. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.byeby."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81ff12030900 7414 81ff18030980 740c 81ff20030900 0f8505020000 }
            // n = 6, score = 100
            //   81ff12030900         | cmp                 edi, 0x90312
            //   7414                 | je                  0x16
            //   81ff18030980         | cmp                 edi, 0x80090318
            //   740c                 | je                  0xe
            //   81ff20030900         | cmp                 edi, 0x90320
            //   0f8505020000         | jne                 0x20b
            // NOTE(review): 0x90312, 0x80090318 and 0x90320 look like the SSPI status
            // codes SEC_I_CONTINUE_NEEDED, SEC_E_INCOMPLETE_MESSAGE and
            // SEC_I_INCOMPLETE_CREDENTIALS, i.e. the return-value checks of a
            // handshake loop around InitializeSecurityContext (Schannel/TLS).
            // $sequence_5 tests 0x90312 again. Confirm against the sample.

        $sequence_1 = { 8d442430 50 6805100000 68ffff0000 }
            // n = 4, score = 100
            //   8d442430             | lea                 eax, dword ptr [esp + 0x30]
            //   50                   | push                eax
            //   6805100000           | push                0x1005
            //   68ffff0000           | push                0xffff
            // NOTE(review): a stack-buffer pointer followed by 0x1005 and 0xffff matches
            // the Winsock argument order of setsockopt(s, SOL_SOCKET=0xffff,
            // SO_SNDTIMEO=0x1005, &timeout, ...) - presumably a send-timeout setup;
            // verify in the sample.

        $sequence_2 = { 50 ff15???????? 50 8d842448060000 50 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d842448060000       | lea                 eax, dword ptr [esp + 0x648]
            //   50                   | push                eax
            // ff15 is the "call dword ptr [imm32]" encoding (call through an import
            // slot); the four wildcard bytes mask the absolute pointer, which differs
            // between builds and load addresses. Same in $sequence_4 and $sequence_8.

        $sequence_3 = { 8d7f08 8b048d78000110 ffe0 f7c703000000 7515 c1e902 }
            // n = 6, score = 100
            //   8d7f08               | lea                 edi, dword ptr [edi + 8]
            //   8b048d78000110       | mov                 eax, dword ptr [ecx*4 + 0x10010078]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3
            //   7515                 | jne                 0x17
            //   c1e902               | shr                 ecx, 2
            // NOTE(review): an indirect jump through a table plus an alignment check
            // (test edi, 3 / shr ecx, 2) resembles the tail of statically linked MSVC CRT
            // memcpy/memmove code rather than family-specific logic, so this sequence
            // likely has low specificity. The absolute table address presumably assumes
            // the image base 0x10000000 (a common DLL default); a relocated module will
            // not match it.

        $sequence_4 = { 8bf1 50 ff15???????? 6803050000 8d85c1f9ffff c685c0f9ffff00 6a00 }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6803050000           | push                0x503
            //   8d85c1f9ffff         | lea                 eax, dword ptr [ebp - 0x63f]
            //   c685c0f9ffff00       | mov                 byte ptr [ebp - 0x640], 0
            //   6a00                 | push                0

        $sequence_5 = { 8b4e68 85c9 7577 81ff12030900 0f85cd000000 85c9 }
            // n = 6, score = 100
            //   8b4e68               | mov                 ecx, dword ptr [esi + 0x68]
            //   85c9                 | test                ecx, ecx
            //   7577                 | jne                 0x79
            //   81ff12030900         | cmp                 edi, 0x90312
            //   0f85cd000000         | jne                 0xd3
            //   85c9                 | test                ecx, ecx

        $sequence_6 = { 0f847b020000 6a00 8d442460 c744246001000000 }
            // n = 4, score = 100
            //   0f847b020000         | je                  0x281
            //   6a00                 | push                0
            //   8d442460             | lea                 eax, dword ptr [esp + 0x60]
            //   c744246001000000     | mov                 dword ptr [esp + 0x60], 1

        $sequence_7 = { 83c40c 85c0 0f85db000000 6a40 }
            // n = 4, score = 100
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f85db000000         | jne                 0xe1
            //   6a40                 | push                0x40

        $sequence_8 = { 8d8424f8060000 50 57 ff15???????? 85c0 75a3 83ceff }
            // n = 7, score = 100
            //   8d8424f8060000       | lea                 eax, dword ptr [esp + 0x6f8]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75a3                 | jne                 0xffffffa5
            //   83ceff               | or                  esi, 0xffffffff

        $sequence_9 = { 8945e0 8bdf 83e31f c1e306 8b048518ab0110 0fbe440304 83e001 }
            // n = 7, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8bdf                 | mov                 ebx, edi
            //   83e31f               | and                 ebx, 0x1f
            //   c1e306               | shl                 ebx, 6
            //   8b048518ab0110       | mov                 eax, dword ptr [eax*4 + 0x1001ab18]
            //   0fbe440304           | movsx               eax, byte ptr [ebx + eax + 4]
            //   83e001               | and                 eax, 1
            // NOTE(review): ((fh & 0x1f) << 6) + table[fh >> 5], then the byte at +4
            // masked with 1, is the shape of the MSVC CRT _pioinfo/_osfile (FOPEN)
            // handle lookup - again library code with a hard-coded image base
            // (0x1001ab18). Treat as low-specificity and base-dependent like
            // $sequence_3.

    /* At least 7 of the 10 sequences must be present. The 253952-byte (248 KiB)
     * file-size ceiling keeps the rule off larger files, so padded or bundled
     * samples and memory dumps above that size are not covered by this rule. */
    condition:
        7 of them and filesize < 253952
}