win.casper

Casper

Actor(s): SNOWGLOBE


ESET describes Casper as a well-developed reconnaissance tool that makes extensive efforts to remain unseen on targeted machines; of particular note are its specific strategies against anti-malware software. Casper was used against Syrian targets in April 2014, which made it the most recent publicly known malware from this group at the time of ESET's March 2015 report.

References
2015-03-05 · ESET Research · Joan Calvet
@online{calvet:20150305:casper:be062ed, author = {Joan Calvet}, title = {{Casper Malware: After Babar and Bunny, Another Espionage Cartoon}}, date = {2015-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/}, language = {English}, urldate = {2019-11-14} } Casper Malware: After Babar and Bunny, Another Espionage Cartoon
Casper
Yara Rules
[TLP:WHITE] win_casper_auto (20220516 | Detects win.casper.)
rule win_casper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.casper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a short run of x86 instruction bytes taken from the
     * unpacked code. The `??` wildcards mask operands that change between
     * builds or load addresses: rel32 call targets (e8 ????????), absolute
     * data references (a1 ????????) and pushed immediates (68 ????????), so
     * the sequences are not tied to one image base. Because the bytes come
     * from unpacked/memory-dumped code, a packed or encrypted on-disk sample
     * is not expected to match until it is unpacked or scanned in memory.
     */
    strings:
        $sequence_0 = { 8d9d70e5ffff e8???????? 85c0 0f84d3000000 8bfb e8???????? 8bf8 }
            // n = 7, score = 100
            //   8d9d70e5ffff         | lea                 ebx, [ebp - 0x1a90]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84d3000000         | je                  0xd9
            //   8bfb                 | mov                 edi, ebx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_1 = { e8???????? 85c0 7402 8b00 0fb77808 ff742414 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   0fb77808             | movzx               edi, word ptr [eax + 8]
            //   ff742414             | push                dword ptr [esp + 0x14]

        $sequence_2 = { 0f8548020000 bb00080000 8db740010000 56 ffb784020000 e8???????? 85c0 }
            // n = 7, score = 100
            //   0f8548020000         | jne                 0x24e
            //   bb00080000           | mov                 ebx, 0x800
            //   8db740010000         | lea                 esi, [edi + 0x140]
            //   56                   | push                esi
            //   ffb784020000         | push                dword ptr [edi + 0x284]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 8d45d4 e8???????? 8b4d08 8b01 ff5004 50 8d8590eeffff }
            // n = 7, score = 100
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   50                   | push                eax
            //   8d8590eeffff         | lea                 eax, [ebp - 0x1170]

        $sequence_4 = { 59 85c0 7410 33ff ff45fc 8b45fc 3b8688000000 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   33ff                 | xor                 edi, edi
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   3b8688000000         | cmp                 eax, dword ptr [esi + 0x88]

        $sequence_5 = { a1???????? 56 57 33ff 3bc7 750b 57 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   3bc7                 | cmp                 eax, edi
            //   750b                 | jne                 0xd
            //   57                   | push                edi

        $sequence_6 = { 83c40c 68???????? 8bf8 e8???????? 59 8d4dfc }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   68????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d4dfc               | lea                 ecx, [ebp - 4]

        $sequence_7 = { 8907 50 e8???????? 8b07 68???????? 53 c6040600 }
            // n = 7, score = 100
            //   8907                 | mov                 dword ptr [edi], eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   68????????           |                     
            //   53                   | push                ebx
            //   c6040600             | mov                 byte ptr [esi + eax], 0

        $sequence_8 = { 85c0 7405 897df8 eb2f 8d45e8 50 8d45f0 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   eb2f                 | jmp                 0x31
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_9 = { 895df8 894df4 83c010 c745f006000000 eb03 8b5df8 8bf7 }
            // n = 7, score = 100
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   83c010               | add                 eax, 0x10
            //   c745f006000000       | mov                 dword ptr [ebp - 0x10], 6
            //   eb03                 | jmp                 5
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   8bf7                 | mov                 esi, edi

    /* Match requires 7 of the 10 sequences, which tolerates a few sequences
     * being absent or rewritten in a variant while still demanding a large
     * overlap with the reference sample. The size cap (434176 bytes = 424 KiB)
     * is derived from the sample set and bounds the scan cost; it will exclude
     * a Casper build that grows past it or is embedded in a larger carrier.
     * NOTE(review): filesize semantics differ between file and process scans in
     * some YARA versions — confirm the cap behaves as intended before relying
     * on this rule for memory hunting.
     */
    condition:
        7 of them and filesize < 434176
}
[TLP:WHITE] win_casper_w0   (20180301 | Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo)
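rule win_casper_w0 {
    meta:
        author = "Florian Roth"
        description = "Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo"
        // Canonical ESET write-up (Joan Calvet, 2015-03-05). The original
        // reference was a goo.gl short link; link shorteners are opaque and can
        // stop resolving, so the publisher's URL is cited directly.
        reference = "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Process/host strings: a quoted svchost.exe name and its quoted
        // display name (UTF-16), plus a bare firefox.exe. Each is benign on
        // its own, which is why the condition demands all three together.
        $s1 = "\"svchost.exe\"" fullword wide
        $s2 = "firefox.exe" fullword ascii
        $s3 = "\"Host Process for Windows Services\"" fullword wide

        // Wildcarded filesystem paths: user-profile roots (Vista+ "Users" and
        // XP-era "Documents and Settings") and Firefox profile directories,
        // consistent with browser-profile enumeration.
        $x1 = "\\Users\\*" fullword ascii
        $x2 = "\\Roaming\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
        $x3 = "\\Mozilla\\Firefox\\Profiles\\*" fullword ascii
        $x4 = "\\Documents and Settings\\*" fullword ascii

        // Format strings for building cookie headers and an http://host:port
        // target (note the mixed %s/%S width specifiers in the wide variant).
        $y1 = "%s; %S=%S" fullword wide
        $y2 = "%s; %s=%s" fullword ascii
        $y3 = "Cookie: %s=%s" fullword ascii
        $y4 = "http://%S:%d" fullword wide

        // Network artefacts: a google.com URL (plausibly a connectivity probe)
        // and an IE9-on-NT-6.1 style User-Agent whose trailing "MALC" token is
        // unusual for a browser UA; $z3 is the tail of a quoted "... Operating
        // System" display string.
        $z1 = "http://google.com/" fullword ascii
        $z2 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)" fullword ascii
        $z3 = "Operating System\"" fullword wide

    condition:
        // Either all three process strings, or a cross-section of the path,
        // format-string and network indicators. Keep the AND clauses intact:
        // $s2, $x1, $x4 and $z1 all occur in legitimate software, so loosening
        // the second branch would raise false positives.
        ( all of ($s*) ) or
        ( 3 of ($x*) and 2 of ($y*) and 2 of ($z*) )
}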