SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cinobi (Back to overview)

Cinobi


There is no description at this point.

References
2020-03-11Trend MicroJaromír Hořejší, Joseph Chen
@online{hoej:20200311:operation:f03d64e, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan}}, date = {2020-03-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/}, language = {English}, urldate = {2020-03-11} } Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
Cinobi
2020-03-11Trend MicroJaromír Hořejší, Joseph Chen
@techreport{hoej:20200311:operation:782b803, author = {Jaromír Hořejší and Joseph Chen}, title = {{Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief}}, date = {2020-03-11}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf}, language = {English}, urldate = {2020-03-11} } Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief
Cinobi
2019-12-24pwncode.io blogc0d3inj3cT
@online{c0d3inj3ct:20191224:unpacking:3102f76, author = {c0d3inj3cT}, title = {{Unpacking Payload used in Bottle EK}}, date = {2019-12-24}, organization = {pwncode.io blog}, url = {http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html}, language = {English}, urldate = {2020-03-11} } Unpacking Payload used in Bottle EK
Cinobi
Yara Rules
[TLP:WHITE] win_cinobi_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cinobi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c9 c3 55 8bec 51 e8???????? 58 }
            // n = 7, score = 200
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_1 = { 8945e4 8d45f4 50 33db }
            // n = 4, score = 100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   33db                 | xor                 ebx, ebx

        $sequence_2 = { 89819f000000 8b45c0 ff705f 8b45c0 ffb0a7000000 ff75dc }
            // n = 6, score = 100
            //   89819f000000         | mov                 dword ptr [ecx + 0x9f], eax
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   ff705f               | push                dword ptr [eax + 0x5f]
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   ffb0a7000000         | push                dword ptr [eax + 0xa7]
            //   ff75dc               | push                dword ptr [ebp - 0x24]

        $sequence_3 = { e8???????? 59 ebe5 8b45f8 8b75f4 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ebe5                 | jmp                 0xffffffe7
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]

        $sequence_4 = { 8a4634 88842448010000 8a4624 88842449010000 8a464e 8884244a010000 8a4635 }
            // n = 7, score = 100
            //   8a4634               | mov                 al, byte ptr [esi + 0x34]
            //   88842448010000       | mov                 byte ptr [esp + 0x148], al
            //   8a4624               | mov                 al, byte ptr [esi + 0x24]
            //   88842449010000       | mov                 byte ptr [esp + 0x149], al
            //   8a464e               | mov                 al, byte ptr [esi + 0x4e]
            //   8884244a010000       | mov                 byte ptr [esp + 0x14a], al
            //   8a4635               | mov                 al, byte ptr [esi + 0x35]

        $sequence_5 = { ff750c e8???????? 83c40c 84c0 7502 32db 56 }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   84c0                 | test                al, al
            //   7502                 | jne                 4
            //   32db                 | xor                 bl, bl
            //   56                   | push                esi

        $sequence_6 = { 8a403b 8845f0 8b45bc 8a400f 8845f1 }
            // n = 5, score = 100
            //   8a403b               | mov                 al, byte ptr [eax + 0x3b]
            //   8845f0               | mov                 byte ptr [ebp - 0x10], al
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   8a400f               | mov                 al, byte ptr [eax + 0xf]
            //   8845f1               | mov                 byte ptr [ebp - 0xf], al

        $sequence_7 = { 03483c 894de0 8b45e0 813850450000 7408 }
            // n = 5, score = 100
            //   03483c               | add                 ecx, dword ptr [eax + 0x3c]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   813850450000         | cmp                 dword ptr [eax], 0x4550
            //   7408                 | je                  0xa

        $sequence_8 = { 1ac0 fec0 5e 5d c3 55 8bec }
            // n = 7, score = 100
            //   1ac0                 | sbb                 al, al
            //   fec0                 | inc                 al
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_9 = { 89466b ff7673 57 e8???????? ff765f }
            // n = 5, score = 100
            //   89466b               | mov                 dword ptr [esi + 0x6b], eax
            //   ff7673               | push                dword ptr [esi + 0x73]
            //   57                   | push                edi
            //   e8????????           |                     
            //   ff765f               | push                dword ptr [esi + 0x5f]

        $sequence_10 = { 8845e1 8b45dc 8a402f 8845e2 8b45dc }
            // n = 5, score = 100
            //   8845e1               | mov                 byte ptr [ebp - 0x1f], al
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8a402f               | mov                 al, byte ptr [eax + 0x2f]
            //   8845e2               | mov                 byte ptr [ebp - 0x1e], al
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]

        $sequence_11 = { e9???????? 33c0 8b4dd0 8b5508 }
            // n = 4, score = 100
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_12 = { ff7508 e8???????? 59 8b4d08 8d0441 50 }
            // n = 6, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   50                   | push                eax

        $sequence_13 = { ffb09b000000 ff7598 e8???????? 83c40c 8b4dc0 89819b000000 }
            // n = 6, score = 100
            //   ffb09b000000         | push                dword ptr [eax + 0x9b]
            //   ff7598               | push                dword ptr [ebp - 0x68]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   89819b000000         | mov                 dword ptr [ecx + 0x9b], eax

        $sequence_14 = { 660fbe462f 6689871a210000 660fbe460b 6689871c210000 660fbe4619 6689871e210000 660fbe4654 }
            // n = 7, score = 100
            //   660fbe462f           | movsx               ax, byte ptr [esi + 0x2f]
            //   6689871a210000       | mov                 word ptr [edi + 0x211a], ax
            //   660fbe460b           | movsx               ax, byte ptr [esi + 0xb]
            //   6689871c210000       | mov                 word ptr [edi + 0x211c], ax
            //   660fbe4619           | movsx               ax, byte ptr [esi + 0x19]
            //   6689871e210000       | mov                 word ptr [edi + 0x211e], ax
            //   660fbe4654           | movsx               ax, byte ptr [esi + 0x54]

    condition:
        7 of them and filesize < 32768
}
Download all Yara Rules