Actor(s): Turla Group
There is no description at this point.
rule win_cobra_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.cobra." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? } // n = 5, score = 2900 // 7511 | jne 0x13 // e8???????? | // 85c0 | test eax, eax // 7508 | jne 0xa // ff15???????? | $sequence_1 = { c3 83f801 75f1 b900010000 } // n = 4, score = 2500 // c3 | ret // 83f801 | cmp eax, 1 // 75f1 | jne 0xfffffff3 // b900010000 | mov ecx, 0x100 $sequence_2 = { 8b5c2458 85db 7514 391d???????? 754d 33c0 } // n = 6, score = 2500 // 8b5c2458 | mov ebx, dword ptr [esp + 0x58] // 85db | test ebx, ebx // 7514 | jne 0x16 // 391d???????? | // 754d | jne 0x4f // 33c0 | xor eax, eax $sequence_3 = { 8bf8 83fb01 751d 85ff } // n = 4, score = 2500 // 8bf8 | mov edi, eax // 83fb01 | cmp ebx, 1 // 751d | jne 0x1f // 85ff | test edi, edi $sequence_4 = { 8b442438 85c0 757f 8b05???????? 85c0 } // n = 5, score = 2500 // 8b442438 | mov eax, dword ptr [esp + 0x38] // 85c0 | test eax, eax // 757f | jne 0x81 // 8b05???????? | // 85c0 | test eax, eax $sequence_5 = { 8b442408 85c0 750e 3905???????? 7e2c ff0d???????? } // n = 6, score = 2500 // 8b442408 | mov eax, dword ptr [esp + 8] // 85c0 | test eax, eax // 750e | jne 0x10 // 3905???????? | // 7e2c | jle 0x2e // ff0d???????? | $sequence_6 = { 8b09 890d???????? 753c b980000000 e8???????? 85c0 } // n = 6, score = 2500 // 8b09 | mov ecx, dword ptr [ecx] // 890d???????? | // 753c | jne 0x3e // b980000000 | mov ecx, 0x80 // e8???????? | // 85c0 | test eax, eax $sequence_7 = { 5e 5b c3 83fb01 7405 83fb02 } // n = 6, score = 2500 // 5e | pop esi // 5b | pop ebx // c3 | ret // 83fb01 | cmp ebx, 1 // 7405 | je 7 // 83fb02 | cmp ebx, 2 $sequence_8 = { 5f 5e 5b c3 85ff 7418 } // n = 6, score = 2500 // 5f | pop edi // 5e | pop esi // 5b | pop ebx // c3 | ret // 85ff | test edi, edi // 7418 | je 0x1a $sequence_9 = { b980000000 e8???????? 85c0 a3???????? 7504 33c0 } // n = 6, score = 2500 // b980000000 | mov ecx, 0x80 // e8???????? | // 85c0 | test eax, eax // a3???????? | // 7504 | jne 6 // 33c0 | xor eax, eax $sequence_10 = { 5e 5b c3 85db 7405 83fb03 753b } // n = 7, score = 2500 // 5e | pop esi // 5b | pop ebx // c3 | ret // 85db | test ebx, ebx // 7405 | je 7 // 83fb03 | cmp ebx, 3 // 753b | jne 0x3d $sequence_11 = { c20c00 ff25???????? 53 56 57 8bd9 33f6 } // n = 7, score = 2500 // c20c00 | ret 0xc // ff25???????? | // 53 | push ebx // 56 | push esi // 57 | push edi // 8bd9 | mov ebx, ecx // 33f6 | xor esi, esi $sequence_12 = { 751c 8bcf ff15???????? 8d8fe8030000 } // n = 4, score = 2500 // 751c | jne 0x1e // 8bcf | mov ecx, edi // ff15???????? | // 8d8fe8030000 | lea ecx, dword ptr [edi + 0x3e8] $sequence_13 = { 33d2 b9e8030000 f7f1 83f805 } // n = 4, score = 2300 // 33d2 | xor edx, edx // b9e8030000 | mov ecx, 0x3e8 // f7f1 | div ecx // 83f805 | cmp eax, 5 $sequence_14 = { 57 ff15???????? 83f8ff 7435 53 8d45f8 } // n = 6, score = 1900 // 57 | push edi // ff15???????? | // 83f8ff | cmp eax, -1 // 7435 | je 0x37 // 53 | push ebx // 8d45f8 | lea eax, dword ptr [ebp - 8] $sequence_15 = { 80fb64 7507 33c0 e9???????? } // n = 4, score = 1900 // 80fb64 | cmp bl, 0x64 // 7507 | jne 9 // 33c0 | xor eax, eax // e9???????? | $sequence_16 = { 7517 8d45f8 50 6a28 } // n = 4, score = 1900 // 7517 | jne 0x19 // 8d45f8 | lea eax, dword ptr [ebp - 8] // 50 | push eax // 6a28 | push 0x28 $sequence_17 = { 8a1401 3217 47 8810 40 4e 75f4 } // n = 7, score = 1900 // 8a1401 | mov dl, byte ptr [ecx + eax] // 3217 | xor dl, byte ptr [edi] // 47 | inc edi // 8810 | mov byte ptr [eax], dl // 40 | inc eax // 4e | dec esi // 75f4 | jne 0xfffffff6 $sequence_18 = { 85c0 7f07 e8???????? eb26 } // n = 4, score = 1200 // 85c0 | jne 0x3e // 7f07 | mov ecx, 0x80 // e8???????? | // eb26 | test eax, eax $sequence_19 = { 894c2450 740f 034810 894c2450 } // n = 4, score = 1200 // 894c2450 | mov ecx, dword ptr [ecx] // 740f | jne 0x40 // 034810 | mov ecx, 0x80 // 894c2450 | test eax, eax $sequence_20 = { e8???????? 33db 3bc3 741a } // n = 4, score = 1200 // e8???????? | // 33db | mov ecx, 0x80 // 3bc3 | test eax, eax // 741a | jne 8 $sequence_21 = { 894304 eb11 8b03 85c0 7e0b 213b } // n = 6, score = 1200 // 894304 | jmp 0x6e // eb11 | and dword ptr [eax], 0 // 8b03 | mov ecx, dword ptr [ecx] // 85c0 | jne 0x40 // 7e0b | mov ecx, 0x80 // 213b | test eax, eax $sequence_22 = { 5e 5d c3 8bc5 ebe4 } // n = 5, score = 1200 // 5e | jne 0x13 // 5d | test eax, eax // c3 | jne 0xa // 8bc5 | jne 0x13 // ebe4 | test eax, eax $sequence_23 = { 7406 83430401 eb04 834b08ff } // n = 4, score = 1200 // 7406 | div ecx // 83430401 | cmp eax, 5 // eb04 | cmp dword ptr [eax + ecx], 0x4550 // 834b08ff | jne 5 $sequence_24 = { 83781400 750a b865005921 e9???????? } // n = 4, score = 900 // 83781400 | cmp dword ptr [eax + 0x14], 0 // 750a | jne 0xc // b865005921 | mov eax, 0x21590065 // e9???????? | $sequence_25 = { 8908 8b0d???????? 895004 894808 33c0 } // n = 5, score = 800 // 8908 | mov dword ptr [eax], ecx // 8b0d???????? | // 895004 | mov dword ptr [eax + 4], edx // 894808 | mov dword ptr [eax + 8], ecx // 33c0 | xor eax, eax $sequence_26 = { 56 6a00 6880000000 6a03 6a00 6a03 68000000c0 } // n = 7, score = 800 // 56 | push esi // 6a00 | push 0 // 6880000000 | push 0x80 // 6a03 | push 3 // 6a00 | push 0 // 6a03 | push 3 // 68000000c0 | push 0xc0000000 $sequence_27 = { 668b4802 83c002 663bcb 75f4 8b15???????? } // n = 5, score = 800 // 668b4802 | mov cx, word ptr [eax + 2] // 83c002 | add eax, 2 // 663bcb | cmp cx, bx // 75f4 | jne 0xfffffff6 // 8b15???????? | $sequence_28 = { ff15???????? 83f87a 740b 3d230000c0 } // n = 4, score = 800 // ff15???????? | // 83f87a | cmp eax, 0x7a // 740b | je 0xd // 3d230000c0 | cmp eax, 0xc0000023 $sequence_29 = { 68000000c0 50 ff15???????? 8bf0 83feff 7505 } // n = 6, score = 800 // 68000000c0 | push 0xc0000000 // 50 | push eax // ff15???????? | // 8bf0 | mov esi, eax // 83feff | cmp esi, -1 // 7505 | jne 7 $sequence_30 = { 8d45e8 50 6a00 6aff e8???????? 85c0 } // n = 6, score = 800 // 8d45e8 | lea eax, dword ptr [ebp - 0x18] // 50 | push eax // 6a00 | push 0 // 6aff | push -1 // e8???????? | // 85c0 | test eax, eax $sequence_31 = { 8b7d0c 3bc3 7508 3bfb } // n = 4, score = 800 // 8b7d0c | mov edi, dword ptr [ebp + 0xc] // 3bc3 | cmp eax, ebx // 7508 | jne 0xa // 3bfb | cmp edi, ebx $sequence_32 = { 8b4d08 57 51 6a00 6a00 56 } // n = 6, score = 800 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 57 | push edi // 51 | push ecx // 6a00 | push 0 // 6a00 | push 0 // 56 | push esi $sequence_33 = { 53 56 33db 57 6808020000 } // n = 5, score = 800 // 53 | push ebx // 56 | push esi // 33db | xor ebx, ebx // 57 | push edi // 6808020000 | push 0x208 $sequence_34 = { 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? } // n = 6, score = 800 // 663bcb | cmp cx, bx // 75f4 | jne 0xfffffff6 // 8b0d???????? | // 8b15???????? | // 8908 | mov dword ptr [eax], ecx // 8b0d???????? | $sequence_35 = { 6689440ffc 6685c0 75ee f685c003000010 } // n = 4, score = 800 // 6689440ffc | mov word ptr [edi + ecx - 4], ax // 6685c0 | test ax, ax // 75ee | jne 0xfffffff0 // f685c003000010 | test byte ptr [ebp + 0x3c0], 0x10 $sequence_36 = { 4585e4 75e8 85f6 74e4 } // n = 4, score = 700 // 4585e4 | jne 0xffffffec // 75e8 | xor eax, eax // 85f6 | dec eax // 74e4 | or ecx, 0xffffffff $sequence_37 = { 415c 5e 5b 5d c3 4585e4 75e8 } // n = 7, score = 700 // 415c | xor esp, esp // 5e | dec esp // 5b | mov esi, ecx // 5d | dec eax // c3 | mov ebx, edx // 4585e4 | dec eax // 75e8 | lea ecx, dword ptr [ebp + 0x610] $sequence_38 = { 6685c0 75e7 33c0 4883c9ff 488dbdb0010000 } // n = 5, score = 700 // 6685c0 | xor edx, edx // 75e7 | dec eax // 33c0 | sub esp, 0xd48 // 4883c9ff | inc ebp // 488dbdb0010000 | xor esp, esp $sequence_39 = { 4881ec480d0000 4533e4 4c8bf1 488bda 488d8d10060000 33d2 } // n = 6, score = 700 // 4881ec480d0000 | mov ecx, ebp // 4533e4 | cmp eax, 0x12 // 4c8bf1 | inc ecx // 488bda | cmove eax, esp // 488d8d10060000 | inc esp // 33d2 | mov esp, eax $sequence_40 = { 4154 4156 4157 488dac24b8f3ffff 4881ec480d0000 4533e4 } // n = 6, score = 700 // 4154 | xor edx, edx // 4156 | inc ecx // 4157 | mov eax, 0x208 // 488dac24b8f3ffff | inc ecx // 4881ec480d0000 | pop esp // 4533e4 | pop esi $sequence_41 = { ff15???????? 83f812 410f44c4 448be0 498bcd } // n = 5, score = 700 // ff15???????? | // 83f812 | cmp eax, 0x12 // 410f44c4 | inc ecx // 448be0 | cmove eax, esp // 498bcd | inc esp $sequence_42 = { 7507 32c0 e9???????? c745b818000000 } // n = 4, score = 600 // 7507 | jne 9 // 32c0 | xor al, al // e9???????? | // c745b818000000 | mov dword ptr [ebp - 0x48], 0x18 $sequence_43 = { 668cc8 c3 53 50 } // n = 4, score = 200 // 668cc8 | mov ax, cs // c3 | ret // 53 | push ebx // 50 | push eax $sequence_44 = { 85c0 740a b8050000c0 e9???????? } // n = 4, score = 200 // 85c0 | test eax, eax // 740a | je 0xc // b8050000c0 | mov eax, 0xc0000005 // e9???????? | $sequence_45 = { c744020800000000 8b45dc 69c018020000 8b4dbc } // n = 4, score = 100 // c744020800000000 | mov dword ptr [edx + eax + 8], 0 // 8b45dc | mov eax, dword ptr [ebp - 0x24] // 69c018020000 | imul eax, eax, 0x218 // 8b4dbc | mov ecx, dword ptr [ebp - 0x44] $sequence_46 = { c7426801000000 8b4514 8b4d10 894878 8b5514 8b4508 } // n = 6, score = 100 // c7426801000000 | mov dword ptr [edx + 0x68], 1 // 8b4514 | mov eax, dword ptr [ebp + 0x14] // 8b4d10 | mov ecx, dword ptr [ebp + 0x10] // 894878 | mov dword ptr [eax + 0x78], ecx // 8b5514 | mov edx, dword ptr [ebp + 0x14] // 8b4508 | mov eax, dword ptr [ebp + 8] condition: 7 of them and filesize < 1368064 }
rule win_cobra_w0 { meta: author = "ESET Research" source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "ModStart" $s2 = "ModuleStart" $t1 = "STOP|OK" $t2 = "STOP|KILL" condition: (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*)) }
import "pe" rule win_cobra_w1 { meta: author = "ESET Research" source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_sharing = "TLP:WHITE" malpedia_license = "" condition: (pe.version_info["InternalName"] contains "SERVICE.EXE" or pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or pe.version_info["InternalName"] contains "MSXIML.DLL") and pe.version_info["CompanyName"] contains "Microsoft Corporation" }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY