Actor(s): Turla Group
There is no description at this point.
rule win_cobra_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 5e 5b c3 85db 7405 83fb03 } // n = 6, score = 2500 // 5e | pop esi // 5b | pop ebx // c3 | ret // 85db | test ebx, ebx // 7405 | je 7 // 83fb03 | cmp ebx, 3 $sequence_1 = { 5b c3 85ff 7418 } // n = 4, score = 2500 // 5b | pop ebx // c3 | ret // 85ff | test edi, edi // 7418 | je 0x1a $sequence_2 = { 8b05???????? 85c0 0f8e8c000000 83e801 8905???????? } // n = 5, score = 2500 // 8b05???????? | // 85c0 | test eax, eax // 0f8e8c000000 | jle 0x92 // 83e801 | sub eax, 1 // 8905???????? | $sequence_3 = { 85c0 750e 33ff 8bc7 } // n = 4, score = 2500 // 85c0 | test eax, eax // 750e | jne 0x10 // 33ff | xor edi, edi // 8bc7 | mov eax, edi $sequence_4 = { e8???????? 8bf8 83fb01 751d 85ff } // n = 5, score = 2500 // e8???????? | // 8bf8 | mov edi, eax // 83fb01 | cmp ebx, 1 // 751d | jne 0x1f // 85ff | test edi, edi $sequence_5 = { 751c 8bcf ff15???????? 8d8fe8030000 8bf9 } // n = 5, score = 2500 // 751c | jne 0x1e // 8bcf | mov ecx, edi // ff15???????? | // 8d8fe8030000 | lea ecx, [edi + 0x3e8] // 8bf9 | mov edi, ecx $sequence_6 = { 8b442438 85c0 757f 8b05???????? } // n = 4, score = 2500 // 8b442438 | mov eax, dword ptr [esp + 0x38] // 85c0 | test eax, eax // 757f | jne 0x81 // 8b05???????? | $sequence_7 = { 5e 5b c3 83fb01 7405 83fb02 7537 } // n = 7, score = 2500 // 5e | pop esi // 5b | pop ebx // c3 | ret // 83fb01 | cmp ebx, 1 // 7405 | je 7 // 83fb02 | cmp ebx, 2 // 7537 | jne 0x39 $sequence_8 = { 7511 e8???????? 85c0 7508 ff15???????? } // n = 5, score = 2200 // 7511 | jne 0x13 // e8???????? | // 85c0 | test eax, eax // 7508 | jne 0xa // ff15???????? | $sequence_9 = { 33d2 b9e8030000 f7f1 83f805 } // n = 4, score = 1600 // 33d2 | xor edx, edx // b9e8030000 | mov ecx, 0x3e8 // f7f1 | div ecx // 83f805 | cmp eax, 5 $sequence_10 = { 7407 33c0 e9???????? ff15???????? e9???????? } // n = 5, score = 1500 // 7407 | je 9 // 33c0 | xor eax, eax // e9???????? | // ff15???????? | // e9???????? | $sequence_11 = { 85c0 a3???????? 7504 33c0 eb68 832000 a1???????? } // n = 7, score = 1300 // 85c0 | test eax, eax // a3???????? | // 7504 | jne 6 // 33c0 | xor eax, eax // eb68 | jmp 0x6a // 832000 | and dword ptr [eax], 0 // a1???????? | $sequence_12 = { 85c0 750e 3905???????? 7e2c } // n = 4, score = 1300 // 85c0 | test eax, eax // 750e | jne 0x10 // 3905???????? | // 7e2c | jle 0x2e $sequence_13 = { ff25???????? 53 56 57 8bd9 33f6 } // n = 6, score = 1300 // ff25???????? | // 53 | push ebx // 56 | push esi // 57 | push edi // 8bd9 | mov ebx, ecx // 33f6 | xor esi, esi $sequence_14 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? 7504 } // n = 7, score = 1300 // 890d???????? | // 753c | jne 0x3e // b980000000 | mov ecx, 0x80 // e8???????? | // 85c0 | test eax, eax // a3???????? | // 7504 | jne 6 $sequence_15 = { eb6d e8???????? 85c0 7564 } // n = 4, score = 1200 // eb6d | jmp 0x6f // e8???????? | // 85c0 | test eax, eax // 7564 | jne 0x66 $sequence_16 = { b801000000 f00fc105???????? 83c001 83f801 } // n = 4, score = 1200 // b801000000 | mov eax, 1 // f00fc105???????? | // 83c001 | add eax, 1 // 83f801 | cmp eax, 1 $sequence_17 = { 85c0 7f07 e8???????? eb26 } // n = 4, score = 1200 // 85c0 | test eax, eax // 7f07 | jg 9 // e8???????? | // eb26 | jmp 0x28 $sequence_18 = { 7406 83430401 eb04 834b08ff } // n = 4, score = 1200 // 7406 | je 8 // 83430401 | add dword ptr [ebx + 4], 1 // eb04 | jmp 6 // 834b08ff | or dword ptr [ebx + 8], 0xffffffff $sequence_19 = { e8???????? 33db 3bc3 741a } // n = 4, score = 1200 // e8???????? | // 33db | xor ebx, ebx // 3bc3 | cmp eax, ebx // 741a | je 0x1c $sequence_20 = { ff15???????? 8b4304 217b08 85c0 } // n = 4, score = 1200 // ff15???????? | // 8b4304 | mov eax, dword ptr [ebx + 4] // 217b08 | and dword ptr [ebx + 8], edi // 85c0 | test eax, eax $sequence_21 = { 5d c3 8bc5 ebe4 } // n = 4, score = 1200 // 5d | pop ebp // c3 | ret // 8bc5 | mov eax, ebp // ebe4 | jmp 0xffffffe6 $sequence_22 = { 8b03 85c0 7e0b 213b } // n = 4, score = 1200 // 8b03 | mov eax, dword ptr [ebx] // 85c0 | test eax, eax // 7e0b | jle 0xd // 213b | and dword ptr [ebx], edi $sequence_23 = { 80fb64 7507 33c0 e9???????? } // n = 4, score = 1200 // 80fb64 | cmp bl, 0x64 // 7507 | jne 9 // 33c0 | xor eax, eax // e9???????? | $sequence_24 = { 3c22 7404 3c27 7505 } // n = 4, score = 1200 // 3c22 | cmp al, 0x22 // 7404 | je 6 // 3c27 | cmp al, 0x27 // 7505 | jne 7 $sequence_25 = { 45 ff15???????? 8b4604 217e08 } // n = 4, score = 1000 // 45 | inc ebp // ff15???????? | // 8b4604 | mov eax, dword ptr [esi + 4] // 217e08 | and dword ptr [esi + 8], edi $sequence_26 = { ff7518 ff7514 ff7510 ff7508 e8???????? 83c414 5d } // n = 7, score = 1000 // ff7518 | push dword ptr [ebp + 0x18] // ff7514 | push dword ptr [ebp + 0x14] // ff7510 | push dword ptr [ebp + 0x10] // ff7508 | push dword ptr [ebp + 8] // e8???????? | // 83c414 | add esp, 0x14 // 5d | pop ebp $sequence_27 = { 03c7 50 ff760c ff15???????? } // n = 4, score = 1000 // 03c7 | add eax, edi // 50 | push eax // ff760c | push dword ptr [esi + 0xc] // ff15???????? | $sequence_28 = { 83781400 750a b865005921 e9???????? } // n = 4, score = 900 // 83781400 | ret // 750a | test edi, edi // b865005921 | je 0x1d // e9???????? | $sequence_29 = { ff15???????? 83f87a 740b 3d230000c0 } // n = 4, score = 800 // ff15???????? | // 83f87a | cmp eax, 0x7a // 740b | je 0xd // 3d230000c0 | cmp eax, 0xc0000023 $sequence_30 = { 6689440ffc 6685c0 75ee f685c003000010 } // n = 4, score = 800 // 6689440ffc | mov word ptr [edi + ecx - 4], ax // 6685c0 | test ax, ax // 75ee | jne 0xfffffff0 // f685c003000010 | test byte ptr [ebp + 0x3c0], 0x10 $sequence_31 = { 4c8bf1 488bda 488d8d10060000 33d2 } // n = 4, score = 700 // 4c8bf1 | dec esp // 488bda | mov esi, ecx // 488d8d10060000 | dec eax // 33d2 | mov ebx, edx $sequence_32 = { 4154 4156 4157 488dac24b8f3ffff } // n = 4, score = 700 // 4154 | mov edx, 0xc0000000 // 4156 | mov dword ptr [esp + 0x28], 0x80 // 4157 | mov dword ptr [esp + 0x20], 3 // 488dac24b8f3ffff | dec eax $sequence_33 = { 4883f8ff 741e 4c8d8dd4030000 4533c0 33d2 488bc8 } // n = 6, score = 700 // 4883f8ff | dec eax // 741e | or ecx, 0xffffffff // 4c8d8dd4030000 | dec eax // 4533c0 | lea edi, [ebp + 0x1b0] // 33d2 | repne scasd eax, dword ptr es:[edi] // 488bc8 | dec eax $sequence_34 = { 4889bc24880d0000 4c89ac24400d0000 ff15???????? 418bd4 0fb7841510060000 4883c202 } // n = 6, score = 700 // 4889bc24880d0000 | xor edx, edx // 4c89ac24400d0000 | dec eax // ff15???????? | // 418bd4 | mov ecx, eax // 0fb7841510060000 | inc ebp // 4883c202 | xor ecx, ecx $sequence_35 = { 75e7 33c0 4883c9ff 488dbdb0010000 66f2af } // n = 5, score = 700 // 75e7 | dec eax // 33c0 | lea ecx, [ebp + 0x610] // 4883c9ff | xor edx, edx // 488dbdb0010000 | jne 0xffffffe9 // 66f2af | xor eax, eax $sequence_36 = { 4533c9 ba000000c0 c744242880000000 c744242003000000 ff15???????? 488bf8 4883f8ff } // n = 7, score = 700 // 4533c9 | cmp eax, -1 // ba000000c0 | je 0x24 // c744242880000000 | dec esp // c744242003000000 | lea ecx, [ebp + 0x3d4] // ff15???????? | // 488bf8 | inc ebp // 4883f8ff | xor eax, eax $sequence_37 = { 6a18 8d45e8 50 6a00 6aff e8???????? 85c0 } // n = 7, score = 500 // 6a18 | sub eax, 1 // 8d45e8 | pop edi // 50 | pop esi // 6a00 | pop ebx // 6aff | ret // e8???????? | // 85c0 | test ebx, ebx $sequence_38 = { 33c0 6808020000 8d8c24000b0000 53 51 8944245c 89442460 } // n = 7, score = 400 // 33c0 | xor eax, eax // 6808020000 | push 0x208 // 8d8c24000b0000 | lea ecx, [esp + 0xb00] // 53 | push ebx // 51 | push ecx // 8944245c | mov dword ptr [esp + 0x5c], eax // 89442460 | mov dword ptr [esp + 0x60], eax $sequence_39 = { 7507 32c0 e9???????? c745b818000000 } // n = 4, score = 400 // 7507 | push -1 // 32c0 | test eax, eax // e9???????? | // c745b818000000 | je 0xe $sequence_40 = { ff15???????? eb03 8b7d0c 3bfb 740f } // n = 5, score = 400 // ff15???????? | // eb03 | jmp 5 // 8b7d0c | mov edi, dword ptr [ebp + 0xc] // 3bfb | cmp edi, ebx // 740f | je 0x11 $sequence_41 = { 52 ff15???????? 83f801 0f845afeffff ff15???????? } // n = 5, score = 400 // 52 | push edx // ff15???????? | // 83f801 | cmp eax, 1 // 0f845afeffff | je 0xfffffe60 // ff15???????? | $sequence_42 = { 75f5 2bce d1f9 7419 3bc3 7615 8b4c2420 } // n = 7, score = 400 // 75f5 | jne 0xfffffff7 // 2bce | sub ecx, esi // d1f9 | sar ecx, 1 // 7419 | je 0x1b // 3bc3 | cmp eax, ebx // 7615 | jbe 0x17 // 8b4c2420 | mov ecx, dword ptr [esp + 0x20] $sequence_43 = { e8???????? 85c0 740a b8050000c0 e9???????? } // n = 5, score = 200 // e8???????? | // 85c0 | push -1 // 740a | test eax, eax // b8050000c0 | je 9 // e9???????? | $sequence_44 = { 668cc8 c3 53 50 } // n = 4, score = 200 // 668cc8 | push eax // c3 | push 0 // 53 | push -1 // 50 | test eax, eax $sequence_45 = { 733f 8b4df4 034df8 8139???????? 752f } // n = 5, score = 100 // 733f | push ecx // 8b4df4 | push eax // 034df8 | test eax, eax // 8139???????? | // 752f | je 0xc $sequence_46 = { 85c0 740c c745fcffffffff e9???????? 6a04 8d4db0 51 } // n = 7, score = 100 // 85c0 | mov eax, 0xc0000005 // 740c | mov ax, cs // c745fcffffffff | ret // e9???????? | // 6a04 | push ebx // 8d4db0 | push eax // 51 | test eax, eax $sequence_47 = { 894590 e9???????? 33c9 0f8489000000 8b5594 8b4260 83e824 } // n = 7, score = 100 // 894590 | je 0xc // e9???????? | // 33c9 | mov eax, 0xc0000005 // 0f8489000000 | test eax, eax // 8b5594 | je 0xc // 8b4260 | mov eax, 0xc0000005 // 83e824 | ret condition: 7 of them and filesize < 1368064 }
rule win_cobra_w0 { meta: source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "ModStart" $s2 = "ModuleStart" $t1 = "STOP|OK" $t2 = "STOP|KILL" condition: (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*)) }
import "pe" rule win_cobra_w1 { meta: source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" condition: (pe.version_info["InternalName"] contains "SERVICE.EXE" or pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or pe.version_info["InternalName"] contains "MSXIML.DLL") and pe.version_info["CompanyName"] contains "Microsoft Corporation" }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY