win.cinobi

Cinobi


There is no description at this point.

References
2020-03-11Trend MicroJaromír Hořejší, Joseph Chen
@online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
Cinobi
2020-03-11Trend MicroJaromír Hořejší, Joseph Chen
@techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief
Cinobi
2019-12-24pwncode.io blogc0d3inj3cT
@online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } Unpacking Payload used in Bottle EK
Cinobi
Yara Rules
[TLP:WHITE] win_cinobi_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_cinobi_auto {
    // Autogenerated code-sequence rule for the Cinobi banking trojan (Malpedia
    // family win.cinobi). The byte patterns below were selected by yara-signator
    // from disassembly of the family's samples; read the DISCLAIMER block in this
    // rule before assigning a confidence level to a match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // "date" is the rule generation date; the malpedia_* fields below appear
        // to identify the Malpedia data snapshot the rule was built from, which
        // presumably explains the one-day difference.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instruction encodings,
        // written as hex bytes. In the annotations, "n" is the number of
        // instructions in the sequence; the meaning of "score" is not documented
        // on this page and is presumably a yara-signator ranking value. "??"
        // bytes are wildcards: in these sequences they mask the 4-byte relative
        // target following an e8 (call) opcode, which varies with code layout.
        $sequence_0 = { c9 c3 55 8bec 51 e8???????? 58 }
            // n = 7, score = 200
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_1 = { 8a583a 885dd5 8a5848 885dd6 8a582f 884db8 }
            // n = 6, score = 100
            //   8a583a               | mov                 bl, byte ptr [eax + 0x3a]
            //   885dd5               | mov                 byte ptr [ebp - 0x2b], bl
            //   8a5848               | mov                 bl, byte ptr [eax + 0x48]
            //   885dd6               | mov                 byte ptr [ebp - 0x2a], bl
            //   8a582f               | mov                 bl, byte ptr [eax + 0x2f]
            //   884db8               | mov                 byte ptr [ebp - 0x48], cl

        $sequence_2 = { 8b45e4 66c74430050050 59 b860ea0000 6a04 8945e0 }
            // n = 6, score = 100
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   66c74430050050       | mov                 word ptr [eax + esi + 5], 0x5000
            //   59                   | pop                 ecx
            //   b860ea0000           | mov                 eax, 0xea60
            //   6a04                 | push                4
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_3 = { b008 c9 c3 32c0 c9 c3 56 }
            // n = 7, score = 100
            //   b008                 | mov                 al, 8
            //   c9                   | leave               
            //   c3                   | ret                 
            //   32c0                 | xor                 al, al
            //   c9                   | leave               
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_4 = { 0fb70441 8b4df0 8b0481 034508 8945f8 eb02 eb97 }
            // n = 7, score = 100
            //   0fb70441             | movzx               eax, word ptr [ecx + eax*2]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b0481               | mov                 eax, dword ptr [ecx + eax*4]
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   eb02                 | jmp                 4
            //   eb97                 | jmp                 0xffffff99

        $sequence_5 = { 51 8b4510 8945fc 8b45fc 8b4dfc 49 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   49                   | dec                 ecx

        $sequence_6 = { 8a404b 8845c5 8b45c0 8a4013 8845c6 }
            // n = 5, score = 100
            //   8a404b               | mov                 al, byte ptr [eax + 0x4b]
            //   8845c5               | mov                 byte ptr [ebp - 0x3b], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a4013               | mov                 al, byte ptr [eax + 0x13]
            //   8845c6               | mov                 byte ptr [ebp - 0x3a], al

        $sequence_7 = { 88842448010000 8a4624 88842449010000 8a464e 8884244a010000 }
            // n = 5, score = 100
            //   88842448010000       | mov                 byte ptr [esp + 0x148], al
            //   8a4624               | mov                 al, byte ptr [esi + 0x24]
            //   88842449010000       | mov                 byte ptr [esp + 0x149], al
            //   8a464e               | mov                 al, byte ptr [esi + 0x4e]
            //   8884244a010000       | mov                 byte ptr [esp + 0x14a], al

        $sequence_8 = { 8bec 83ec70 e8???????? 8945f0 }
            // n = 4, score = 100
            //   8bec                 | mov                 ebp, esp
            //   83ec70               | sub                 esp, 0x70
            //   e8????????           |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_9 = { 660fbe4e42 66898f6a1c0000 660fbe4e27 66898f6c1c0000 660fbe4e3a 66898f6e1c0000 }
            // n = 6, score = 100
            //   660fbe4e42           | movsx               cx, byte ptr [esi + 0x42]
            //   66898f6a1c0000       | mov                 word ptr [edi + 0x1c6a], cx
            //   660fbe4e27           | movsx               cx, byte ptr [esi + 0x27]
            //   66898f6c1c0000       | mov                 word ptr [edi + 0x1c6c], cx
            //   660fbe4e3a           | movsx               cx, byte ptr [esi + 0x3a]
            //   66898f6e1c0000       | mov                 word ptr [edi + 0x1c6e], cx

        $sequence_10 = { e8???????? 8dbc456cf6ffff 8d4dfc e8???????? 8d8d6cf6ffff e8???????? 8dbc456cf6ffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8dbc456cf6ffff       | lea                 edi, [ebp + eax*2 - 0x994]
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   e8????????           |                     
            //   8d8d6cf6ffff         | lea                 ecx, [ebp - 0x994]
            //   e8????????           |                     
            //   8dbc456cf6ffff       | lea                 edi, [ebp + eax*2 - 0x994]

        $sequence_11 = { 66898556fbffff 8b45f8 660fbe4047 66898558fbffff }
            // n = 4, score = 100
            //   66898556fbffff       | mov                 word ptr [ebp - 0x4aa], ax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   660fbe4047           | movsx               ax, byte ptr [eax + 0x47]
            //   66898558fbffff       | mov                 word ptr [ebp - 0x4a8], ax

        $sequence_12 = { 6689858efaffff 8b85a8faffff 660fbe4013 66898590faffff 8b85a8faffff }
            // n = 5, score = 100
            //   6689858efaffff       | mov                 word ptr [ebp - 0x572], ax
            //   8b85a8faffff         | mov                 eax, dword ptr [ebp - 0x558]
            //   660fbe4013           | movsx               ax, byte ptr [eax + 0x13]
            //   66898590faffff       | mov                 word ptr [ebp - 0x570], ax
            //   8b85a8faffff         | mov                 eax, dword ptr [ebp - 0x558]

        $sequence_13 = { 50 57 ff565f 898607010000 bf204e0000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff565f               | call                dword ptr [esi + 0x5f]
            //   898607010000         | mov                 dword ptr [esi + 0x107], eax
            //   bf204e0000           | mov                 edi, 0x4e20

        $sequence_14 = { e8???????? 83c40c 8b45f8 660fbe404b }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   660fbe404b           | movsx               ax, byte ptr [eax + 0x4b]

    condition:
        // Match when at least 7 of the 15 sequences are present. The filesize
        // bound limits matches to scanned objects smaller than 32 KiB, so a full
        // process memory dump or a large container file will not match even if
        // the sequences are present. Per the DISCLAIMER, the patterns were taken
        // from memory dumps and unpacked files, so a packed on-disk sample may
        // not match either; scan unpacked code or in-memory regions for best
        // coverage.
        7 of them and filesize < 32768
}