win.cloudwizard (Back to overview)

CloudWizard


There is no description at this point.

References
2023-05-19Kaspersky LabsLeonid Bezvershenko, Georgy Kucherin, Igor Kuznetsov
@online{bezvershenko:20230519:cloudwizard:7ad05b6, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{CloudWizard APT: the bad magic story goes on}}, date = {2023-05-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloudwizard-apt/109722/}, language = {English}, urldate = {2023-06-01} } CloudWizard APT: the bad magic story goes on
PowerMagic CloudWizard CommonMagic Prikormka
Yara Rules
[TLP:WHITE] win_cloudwizard_auto (20230715 | Detects win.cloudwizard.)
rule win_cloudwizard_auto {
    /*
     * Auto-generated code-pattern rule for the Malpedia family win.cloudwizard.
     * Matches when at least 7 of the 10 $sequence_* byte patterns below are
     * present and the scanned file is smaller than 134144 bytes (131 KiB).
     * Each pattern is a run of 32-bit x86 instruction bytes; "??" bytes are
     * wildcards that mask the imm32 of ff15 (call dword ptr [imm32]) and
     * e9 (jmp rel32), so a match does not depend on image base or import
     * table layout. In each pattern's comment, "n" is the number of
     * instructions in the pattern; "score" is a value assigned by
     * yara-signator (presumably a selectivity ranking -- see the tool's docs).
     * NOTE(review): YARA's `filesize` is only meaningful for file scans;
     * confirm how this condition behaves if the rule is applied to process
     * memory rather than files.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cloudwizard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 85c0 7417 ff15???????? 8945fc }
            // n = 5, score = 100
            // Indirect call, test the result, skip forward if zero, second
            // indirect call, store its result in a local ([ebp - 4]).
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_1 = { 58 6a47 66894564 58 66894568 6a5f 58 }
            // n = 7, score = 100
            // push imm8 / pop eax / mov word ptr [ebp + off], ax writes a
            // 16-bit constant into a stack slot. 0x47 and 0x5f are ASCII
            // 'G' and '_' -- looks like wide-char stack-string construction;
            // TODO confirm against the sample.
            //   58                   | pop                 eax
            //   6a47                 | push                0x47
            //   66894564             | mov                 word ptr [ebp + 0x64], ax
            //   58                   | pop                 eax
            //   66894568             | mov                 word ptr [ebp + 0x68], ax
            //   6a5f                 | push                0x5f
            //   58                   | pop                 eax

        $sequence_2 = { 75c1 e9???????? 8bb5c4fdffff e9???????? 8b00 }
            // n = 5, score = 100
            // Branch-heavy fragment: backward jne, two jmp rel32 with the
            // displacement wildcarded, a reload of a local into esi, and a
            // dereference of eax.
            //   75c1                 | jne                 0xffffffc3
            //   e9????????           |                     
            //   8bb5c4fdffff         | mov                 esi, dword ptr [ebp - 0x23c]
            //   e9????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_3 = { c645c35a c645c447 c645c546 c645c645 c645c74d }
            // n = 5, score = 100
            // Five byte stores to consecutive stack slots [ebp - 0x3d] ..
            // [ebp - 0x39] with values 0x5a 0x47 0x46 0x45 0x4d (ASCII
            // "ZGFEM"); resembles byte-wise stack-string assembly -- TODO confirm.
            //   c645c35a             | mov                 byte ptr [ebp - 0x3d], 0x5a
            //   c645c447             | mov                 byte ptr [ebp - 0x3c], 0x47
            //   c645c546             | mov                 byte ptr [ebp - 0x3b], 0x46
            //   c645c645             | mov                 byte ptr [ebp - 0x3a], 0x45
            //   c645c74d             | mov                 byte ptr [ebp - 0x39], 0x4d

        $sequence_4 = { 33f6 57 ff15???????? 8bc6 ebd4 8b85dcfdffff 3b462c }
            // n = 7, score = 100
            // Loop fragment around an indirect call (backward jmp ebd4),
            // then compare against a field at [esi + 0x2c] of an
            // unidentified structure.
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   ebd4                 | jmp                 0xffffffd6
            //   8b85dcfdffff         | mov                 eax, dword ptr [ebp - 0x224]
            //   3b462c               | cmp                 eax, dword ptr [esi + 0x2c]

        $sequence_5 = { 668945de 58 6a4d 668945e0 58 6a4e }
            // n = 6, score = 100
            // Same push/pop/mov-word idiom as $sequence_1; 0x4d and 0x4e are
            // ASCII 'M' and 'N' -- TODO confirm stack-string interpretation.
            //   668945de             | mov                 word ptr [ebp - 0x22], ax
            //   58                   | pop                 eax
            //   6a4d                 | push                0x4d
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax
            //   58                   | pop                 eax
            //   6a4e                 | push                0x4e

        $sequence_6 = { 58 6a69 668945ea 58 6a7a 668945ec }
            // n = 6, score = 100
            // Same idiom as $sequence_1; 0x69 and 0x7a are ASCII 'i' and 'z'
            // -- TODO confirm stack-string interpretation.
            //   58                   | pop                 eax
            //   6a69                 | push                0x69
            //   668945ea             | mov                 word ptr [ebp - 0x16], ax
            //   58                   | pop                 eax
            //   6a7a                 | push                0x7a
            //   668945ec             | mov                 word ptr [ebp - 0x14], ax

        $sequence_7 = { 59 3bfb 7406 33c0 ab }
            // n = 5, score = 100
            // Pop ecx, compare edi with ebx, skip if equal; otherwise zero
            // eax and write one dword through edi (stosd, no rep prefix).
            //   59                   | pop                 ecx
            //   3bfb                 | cmp                 edi, ebx
            //   7406                 | je                  8
            //   33c0                 | xor                 eax, eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_8 = { 668945dc 58 6a66 668945de }
            // n = 4, score = 100
            // Same idiom as $sequence_1; 0x66 is ASCII 'f'. Shortest pattern
            // in the rule (4 instructions), so weakest on its own.
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax
            //   58                   | pop                 eax
            //   6a66                 | push                0x66
            //   668945de             | mov                 word ptr [ebp - 0x22], ax

        $sequence_9 = { c9 c3 55 8d6c2488 81ec9c040000 }
            // n = 5, score = 100
            // Function boundary: leave/ret epilogue immediately followed by
            // the next function's prologue. The frame is set up with
            // lea ebp, [esp - 0x78] instead of the usual mov ebp, esp,
            // followed by a 0x49c-byte stack reservation.
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8d6c2488             | lea                 ebp, [esp - 0x78]
            //   81ec9c040000         | sub                 esp, 0x49c

    condition:
        // "7 of them" = at least 7 of the 10 $sequence_* patterns must match;
        // the size cap (134144 bytes = 131 KiB) limits the rule to small files.
        7 of them and filesize < 134144
}