Actor(s): Turla
There is no description at this point.
rule win_cobra_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read and weigh this rule
     *
     * - Only the hex byte sequences inside { } are matched. The
     *   "// <bytes> | <mnemonic>" annotations below each sequence are
     *   generator output and, as published here, do NOT line up with the
     *   bytes on the same line (e.g. 7511 is a short `jne`, not `dec eax`;
     *   5b is `pop ebx`; c3 is `ret`). Do not use the annotations to reason
     *   about what a matched sequence does - disassemble the hit instead.
     * - The ???????? wildcards mask 4-byte call/jump displacements and data
     *   references, consistent with signator_config "callsandjumps;datarefs".
     * - The per-sequence "score" ranges from 2900 down to 100. Several of the
     *   low-score sequences are very generic code (register pops + ret,
     *   push/xor prologues), so "7 of them" can be satisfied by a weak
     *   combination. When triaging a hit, check WHICH sequences matched and
     *   how many high-score ones are among them before assigning confidence.
     * - Sequences 0-19 and 25-36/44-55 are 32-bit code; sequences carrying
     *   REX prefixes (48/49/4c/41, e.g. 20-24, 37-43) come from a 64-bit
     *   build. The condition does not distinguish the two, so a match may be
     *   against either variant.
     * - filesize < 1368064 (~1.3 MB) is a generator bound tuned to the
     *   documented sample(s), not a property of the family; it will exclude
     *   larger repacked/appended builds.
     */
    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2900
            //   7511                 | dec eax
            //   e8????????           |
            //   85c0                 | add esp, 0xd48
            //   7508                 | inc ecx
            //   ff15????????         |

        $sequence_1 = { 757f 8b05???????? 85c0 0f8e8c000000 }
            // n = 4, score = 2500
            //   757f                 | jle 0x92
            //   8b05????????         |
            //   85c0                 | sub eax, 1
            //   0f8e8c000000         | pop edi

        $sequence_2 = { 8b442408 85c0 750e 3905???????? 7e2c }
            // n = 5, score = 2500
            //   8b442408             | dec eax
            //   85c0                 | add esp, 0x20
            //   750e                 | mov eax, 0x21590001
            //   3905????????         |
            //   7e2c                 | dec eax

        $sequence_3 = { 5b c3 83fb01 7405 83fb02 7537 }
            // n = 6, score = 2500
            //   5b                   | add eax, 2
            //   c3                   | cmp cx, bx
            //   83fb01               | jne 0xfffffffc
            //   7405                 | mov dword ptr [eax], edx
            //   83fb02               | add eax, 2
            //   7537                 | cmp cx, bx

        $sequence_4 = { c3 85db 7405 83fb03 }
            // n = 4, score = 2500
            //   c3                   | cmp ebx, 1
            //   85db                 | jne 0x22
            //   7405                 | ret
            //   83fb03               | cmp eax, 1

        $sequence_5 = { 85c0 0f8e8c000000 83e801 8905???????? }
            // n = 4, score = 2500
            //   85c0                 | ret
            //   0f8e8c000000         | cmp ebx, 1
            //   83e801               | je 0xb
            //   8905????????         |

        $sequence_6 = { 83f801 75f1 b900010000 e8???????? }
            // n = 4, score = 2500
            //   83f801               | push 0
            //   75f1                 | add eax, 2
            //   b900010000           | cmp cx, bx
            //   e8????????           |

        $sequence_7 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 2500
            //   ff25????????         |
            //   53                   | jne 0xd
            //   56                   | jne 0x3e
            //   57                   | mov ecx, 0x80
            //   8bd9                 | test eax, eax
            //   33f6                 | test eax, eax

        $sequence_8 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? }
            // n = 6, score = 2500
            //   890d????????         |
            //   753c                 | add ecx, 8
            //   b980000000           | mov eax, 0x21590001
            //   e8????????           |
            //   85c0                 | dec esp
            //   a3????????           |

        $sequence_9 = { 5f 5e 5b c3 85ff 7418 }
            // n = 6, score = 2500
            //   5f                   | jne 0x14
            //   5e                   | jmp 5
            //   5b                   | mov edi, dword ptr [ebp + 0xc]
            //   c3                   | cmp edi, ebx
            //   85ff                 | cmp eax, 1
            //   7418                 | jne 0xfffffff3

        $sequence_10 = { 85c0 a3???????? 7504 33c0 eb68 }
            // n = 5, score = 2500
            //   85c0                 | mov ecx, 0x80
            //   a3????????           |
            //   7504                 | test eax, eax
            //   33c0                 | jne 0xf
            //   eb68                 | xor eax, eax

        $sequence_11 = { e8???????? 8bf8 83fb01 751d 85ff }
            // n = 5, score = 2500
            //   e8????????           |
            //   8bf8                 | jne 0xfffffffc
            //   83fb01               | add eax, 2
            //   751d                 | cmp cx, bx
            //   85ff                 | jne 0xfffffffc

        $sequence_12 = { 85c0 750e 33ff 8bc7 }
            // n = 4, score = 2500
            //   85c0                 | jne 0xfffffff6
            //   750e                 | mov ecx, 0x100
            //   33ff                 | ret
            //   8bc7                 | cmp eax, 1

        $sequence_13 = { 8d5e08 53 e8???????? ff7620 }
            // n = 4, score = 1900
            //   8d5e08               | jne 5
            //   53                   | xor eax, eax
            //   e8????????           |
            //   ff7620               | ret

        $sequence_14 = { 8d45f8 50 6a02 8d45fc 50 57 ffd6 }
            // n = 7, score = 1900
            //   8d45f8               | jmp 0x6e
            //   50                   | and dword ptr [eax], 0
            //   6a02                 | test eax, eax
            //   8d45fc               | jne 6
            //   50                   | xor eax, eax
            //   57                   | jmp 0x6e
            //   ffd6                 | cmp dword ptr [eax + ecx], 0x4550

        $sequence_15 = { 7407 33c0 e9???????? ff15???????? e9???????? }
            // n = 5, score = 1900
            //   7407                 | jne 0x12
            //   33c0                 | jle 0x32
            //   e9????????           |
            //   ff15????????         |
            //   e9????????           |

        $sequence_16 = { 8bf0 83fe0a 7f07 33c0 e9???????? 53 }
            // n = 6, score = 1900
            //   8bf0                 | test eax, eax
            //   83fe0a               | jne 8
            //   7f07                 | xor eax, eax
            //   33c0                 | jmp 0x70
            //   e9????????           |
            //   53                   | ret 0xc

        $sequence_17 = { eb6d e8???????? 85c0 7564 }
            // n = 4, score = 1200
            //   eb6d                 | jmp 0x6f
            //   e8????????           |
            //   85c0                 | test eax, eax
            //   7564                 | jne 0x66

        $sequence_18 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1200
            //   e8????????           |
            //   33db                 | xor ebx, ebx
            //   3bc3                 | cmp eax, ebx
            //   741a                 | je 0x1c

        $sequence_19 = { 85c0 7f07 e8???????? eb26 83c0ff }
            // n = 5, score = 1200
            //   85c0                 | test eax, eax
            //   7f07                 | jg 9
            //   e8????????           |
            //   eb26                 | jmp 0x28
            //   83c0ff               | add eax, -1

        $sequence_20 = { e8???????? 85c0 7449 4885ed 7444 }
            // n = 5, score = 1100
            //   e8????????           |
            //   85c0                 | test eax, eax
            //   7449                 | je 0x4b
            //   4885ed               | dec eax
            //   7444                 | test ebp, ebp

        $sequence_21 = { e8???????? 4c8b1e 498b03 488bd5 488bce ff5064 488b0e }
            // n = 7, score = 1100
            //   e8????????           |
            //   4c8b1e               | dec eax
            //   498b03               | and dword ptr [edi], 0
            //   488bd5               | and dword ptr [ebp], 0
            //   488bce               | mov eax, esi
            //   ff5064               | dec esp
            //   488b0e               | mov ebx, dword ptr [esi]

        $sequence_22 = { e8???????? 48832700 83650000 8bc6 }
            // n = 4, score = 1100
            //   e8????????           |
            //   48832700             | je 0x46
            //   83650000             | dec eax
            //   8bc6                 | mov edi, dword ptr [esi]

        $sequence_23 = { eb0e 4883c108 e8???????? b801005921 }
            // n = 4, score = 1100
            //   eb0e                 | jmp 0x6f
            //   4883c108             | test eax, eax
            //   e8????????           |
            //   b801005921           | jne 0x68

        $sequence_24 = { ba02000000 488bce e8???????? 498bce e8???????? 4c8b1e }
            // n = 6, score = 1100
            //   ba02000000           | dec esp
            //   488bce               | mov ebx, dword ptr [esi]
            //   e8????????           |
            //   498bce               | dec ecx
            //   e8????????           |
            //   4c8b1e               | mov eax, dword ptr [ebx]

        $sequence_25 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | cmp esi, 0xa
            //   750a                 | jg 0xc
            //   b865005921           | xor eax, eax
            //   e9????????           |

        $sequence_26 = { 83c002 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? }
            // n = 7, score = 800
            //   83c002               | mov ecx, dword ptr [ebp + 8]
            //   663bcb               | add eax, 2
            //   75f4                 | cmp cx, bx
            //   8b0d????????         |
            //   8b15????????         |
            //   8908                 | jne 0xfffffff9
            //   8b0d????????         |

        $sequence_27 = { 6a03 68000000c0 50 ff15???????? 8bf0 83feff 7505 }
            // n = 7, score = 800
            //   6a03                 | mov dword ptr [eax], edx
            //   68000000c0           | add eax, 2
            //   50                   | cmp cx, bx
            //   ff15????????         |
            //   8bf0                 | jne 0xfffffff9
            //   83feff               | mov dword ptr [eax], edx
            //   7505                 | mov ecx, dword ptr [ebp + 8]

        $sequence_28 = { 83c0fe 668b4802 83c002 663bcb 75f4 8b15???????? 8b0d???????? }
            // n = 7, score = 800
            //   83c0fe               | jne 0x40
            //   668b4802             | mov ecx, 0x80
            //   83c002               | test eax, eax
            //   663bcb               | mov ecx, dword ptr [ecx]
            //   75f4                 | jne 0x40
            //   8b15????????         |
            //   8b0d????????         |

        $sequence_29 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | je 0xa
            //   6685c0               | cmp ebx, 2
            //   75ee                 | jne 0x41
            //   f685c003000010       | ret

        $sequence_30 = { 33c0 5e 5d c3 8b4d08 57 51 }
            // n = 7, score = 800
            //   33c0                 | jle 0x36
            //   5e                   | mov eax, dword ptr [esp + 8]
            //   5d                   | test eax, eax
            //   c3                   | jne 0x16
            //   8b4d08               | jle 0x36
            //   57                   | cmp eax, 1
            //   51                   | mov ecx, dword ptr [ecx]

        $sequence_31 = { 56 33db 57 6808020000 }
            // n = 4, score = 800
            //   56                   | jne 0xfffffff6
            //   33db                 | mov dword ptr [eax], ecx
            //   57                   | pop esi
            //   6808020000           | pop ebp

        $sequence_32 = { 8d45e8 50 6a00 6aff e8???????? 85c0 7405 }
            // n = 7, score = 800
            //   8d45e8               | push esi
            //   50                   | lea eax, [ebp - 8]
            //   6a00                 | push eax
            //   6aff                 | push 2
            //   e8????????           |
            //   85c0                 | lea eax, [ebp - 4]
            //   7405                 | push eax

        $sequence_33 = { 8b0d???????? 895004 894808 33c0 }
            // n = 4, score = 800
            //   8b0d????????         |
            //   895004               | test eax, eax
            //   894808               | cmp dword ptr [eax + ecx], 0x4550
            //   33c0                 | jne 0xc

        $sequence_34 = { 68???????? 51 ffd6 83c40c 6a28 }
            // n = 5, score = 800
            //   68????????           |
            //   51                   | push edi
            //   ffd6                 | push ecx
            //   83c40c               | push 0
            //   6a28                 | push 0

        $sequence_35 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            //   ff15????????         |
            //   83f87a               | jne 0x68
            //   740b                 | ret
            //   3d230000c0           | cmp ebx, 1

        $sequence_36 = { 51 6a00 6a00 56 ff15???????? 56 8bf8 }
            // n = 7, score = 800
            //   51                   | cmp eax, -1
            //   6a00                 | je 9
            //   6a00                 | xor eax, eax
            //   56                   | cmp eax, -1
            //   ff15????????         |
            //   56                   | je 0x10
            //   8bf8                 | xor eax, eax

        $sequence_37 = { 488b05???????? 4889470e 0fb705???????? 66894716 }
            // n = 4, score = 700
            //   488b05????????       |
            //   4889470e             | dec eax
            //   0fb705????????       |
            //   66894716             | mov ecx, esi

        $sequence_38 = { 75e8 85f6 74e4 418936 b801000000 4881c4480d0000 415f }
            // n = 7, score = 700
            //   75e8                 | test al, al
            //   85f6                 | cmovne edi, ecx
            //   74e4                 | dec eax
            //   418936               | mov ecx, esi
            //   b801000000           | mov ecx, 0x14
            //   4881c4480d0000       | test al, al
            //   415f                 | cmovne edi, ecx

        $sequence_39 = { 48894c2450 4c89642448 488d4c2468 48894c2440 4c89642438 }
            // n = 5, score = 700
            //   48894c2450           | jne 0x10
            //   4c89642448           | xor edi, edi
            //   488d4c2468           | mov eax, edi
            //   48894c2440           | ret
            //   4c89642438           | test ebx, ebx

        $sequence_40 = { 4881ec480d0000 4533e4 4c8bf1 488bda 488d8d10060000 33d2 41b808020000 }
            // n = 7, score = 700
            //   4881ec480d0000       | cmovne edi, ecx
            //   4533e4               | dec eax
            //   4c8bf1               | mov ecx, esi
            //   488bda               | mov edx, edi
            //   488d8d10060000       | mov ecx, 0x14
            //   33d2                 | test al, al
            //   41b808020000         | cmovne edi, ecx

        $sequence_41 = { 84c0 0f45f9 488bce 8bd7 ff15???????? }
            // n = 5, score = 700
            //   84c0                 | test ebx, ebx
            //   0f45f9               | je 9
            //   488bce               | cmp ebx, 3
            //   8bd7                 | test eax, eax
            //   ff15????????         |

        $sequence_42 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c }
            // n = 5, score = 700
            //   8d8588feffff         | ret
            //   68????????           |
            //   50                   | cmp ebx, 1
            //   ff15????????         |
            //   83c42c               | je 0xd

        $sequence_43 = { ff15???????? 488bcf ff15???????? 41b701 }
            // n = 4, score = 700
            //   ff15????????         |
            //   488bcf               | mov edx, edi
            //   ff15????????         |
            //   41b701               | dec eax

        $sequence_44 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 600
            //   7507                 | mov eax, 0x21590065
            //   32c0                 | xor eax, eax
            //   e9????????           |
            //   c745b818000000       | lea eax, [ebp - 0x18]

        $sequence_45 = { 83c002 6685c9 75f5 2bc2 d1f8 66837c43fe5c }
            // n = 6, score = 500
            //   83c002               | cmp ebx, 2
            //   6685c9               | pop esi
            //   75f5                 | pop ebx
            //   2bc2                 | ret
            //   d1f8                 | cmp ebx, 1
            //   66837c43fe5c         | je 0xd

        $sequence_46 = { 05a1000000 50 8d84249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a1000000           | ret
            //   50                   | cmp ebx, 1
            //   8d84249c0d0000       | je 0xd
            //   68????????           |

        $sequence_47 = { 0f8431ffffff 8b4d08 5f 8931 }
            // n = 4, score = 300
            //   0f8431ffffff         | test cx, cx
            //   8b4d08               | jne 0xfffffffa
            //   5f                   | sub eax, edx
            //   8931                 | sar eax, 1

        $sequence_48 = { 0f8456feffff 807c241301 6800080000 0f8544020000 }
            // n = 4, score = 300
            //   0f8456feffff         | add esp, 0xc
            //   807c241301           | add eax, 0xa2
            //   6800080000           | push eax
            //   0f8544020000         | lea ecx, [esp + 0xd9c]

        $sequence_49 = { 05a2000000 50 8d94249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | je 0xb
            //   50                   | cmp ebx, 3
            //   8d94249c0d0000       | pop ebx
            //   68????????           |

        $sequence_50 = { 0f84100f0000 6800080000 57 56 }
            // n = 4, score = 300
            //   0f84100f0000         | mov ecx, edi
            //   6800080000           | lea ecx, [edi + 0x3e8]
            //   57                   | mov edi, ecx
            //   56                   | lea eax, [ebp - 0x178]

        $sequence_51 = { 05a2000000 50 8d8c249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | je 0xd
            //   50                   | cmp ebx, 2
            //   8d8c249c0d0000       | pop edi
            //   68????????           |

        $sequence_52 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | test eax, eax
            //   c3                   | push 0
            //   53                   | push -1
            //   50                   | test eax, eax

        $sequence_53 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            //   85c0                 | je 0xb
            //   740a                 | push 0x18
            //   b8050000c0           | lea eax, [ebp - 0x18]
            //   e9????????           |

        $sequence_54 = { c745bc00000000 b9???????? ff15???????? 8845ff }
            // n = 4, score = 100
            //   c745bc00000000       | test eax, eax
            //   b9????????           |
            //   ff15????????         |
            //   8845ff               | jne 9

        $sequence_55 = { c745bc00000000 c645bb00 c645c700 c745dc00000000 }
            // n = 4, score = 100
            //   c745bc00000000       | push ecx
            //   c645bb00             | mov ax, cs
            //   c645c700             | ret
            //   c745dc00000000       | push ebx

    condition:
        // Any 7 of the 56 sequences, regardless of their individual score,
        // within the generator's file-size bound (see NOTE above).
        7 of them and filesize < 1368064
}
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        // Both groups are plain ASCII, case-sensitive, no "wide" variants.
        // "ModStart"/"ModuleStart" are short, generic identifiers on their own
        // (presumably export/function names - confirm against the ESET
        // write-up in `source`); the rule relies on the $t group to
        // discriminate.
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        // Pipe-delimited status tokens; these are the more distinctive half
        // and are what a triager should look at first when the rule fires.
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // "MZ" at offset 0, read big-endian, so the file is a DOS/PE image.
        uint16be(0) == 0x4d5a
        // At least one identifier from each group must be present.
        and any of ($s*)
        and any of ($t*)
}
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    condition:
        // This rule keys solely on VERSIONINFO resource strings, which are
        // attacker-controlled metadata: trivially changed in a rebuilt
        // sample, and equally easy for an unrelated binary to carry. Treat a
        // hit as a lead to corroborate (hash, Authenticode signature,
        // win_cobra_w0 / win_cobra_auto), not as a verdict on its own.
        //
        // `contains` is a case-sensitive substring test, so "SERVICE.EXE"
        // also matches any longer InternalName containing it, while a
        // lower-case "service.exe" does not match at all. A lookup on a
        // missing key, or on a non-PE file, is undefined and makes the
        // whole condition false, so no separate MZ check is needed.
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}