Actor(s): Turla Group
There is no description at this point.
rule win_cobra_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.cobra." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? } // n = 5, score = 2900 // 7511 | mov edi, dword ptr [esp + 0xd88] // e8???????? | // 85c0 | dec eax // 7508 | test ebx, ebx // ff15???????? | $sequence_1 = { c3 83f801 75f1 b900010000 e8???????? } // n = 5, score = 2500 // c3 | ret // 83f801 | cmp eax, 1 // 75f1 | jne 0xfffffff3 // b900010000 | mov ecx, 0x100 // e8???????? | $sequence_2 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? 7504 } // n = 7, score = 2500 // 890d???????? | // 753c | mov ecx, esi // b980000000 | dec ecx // e8???????? | // 85c0 | mov ecx, esi // a3???????? | // 7504 | test eax, eax $sequence_3 = { 5e 5b c3 83fb01 7405 83fb02 7537 } // n = 7, score = 2500 // 5e | pop esi // 5b | pop ebx // c3 | ret // 83fb01 | cmp ebx, 1 // 7405 | je 7 // 83fb02 | cmp ebx, 2 // 7537 | jne 0x39 $sequence_4 = { 85c0 a3???????? 7504 33c0 eb68 832000 } // n = 6, score = 2500 // 85c0 | cmp eax, 1 // a3???????? | // 7504 | jne 0x43 // 33c0 | mov ecx, 0x80 // eb68 | test eax, eax // 832000 | test eax, eax $sequence_5 = { e8???????? 8bf8 83fb01 751d } // n = 4, score = 2500 // e8???????? | // 8bf8 | mov edi, eax // 83fb01 | cmp ebx, 1 // 751d | jne 0x1f $sequence_6 = { 7514 391d???????? 754d 33c0 } // n = 4, score = 2500 // 7514 | jne 0x16 // 391d???????? | // 754d | jne 0x4f // 33c0 | xor eax, eax $sequence_7 = { ff25???????? 53 56 57 8bd9 33f6 53 } // n = 7, score = 2500 // ff25???????? | // 53 | test eax, eax // 56 | jne 6 // 57 | xor eax, eax // 8bd9 | jmp 0x6c // 33f6 | push ebx // 53 | push esi $sequence_8 = { 5f 5e 5b c3 85db 7405 83fb03 } // n = 7, score = 2500 // 5f | pop edi // 5e | pop esi // 5b | pop ebx // c3 | ret // 85db | test ebx, ebx // 7405 | je 7 // 83fb03 | cmp ebx, 3 $sequence_9 = { 85c0 757f 8b05???????? 85c0 } // n = 4, score = 2500 // 85c0 | test eax, eax // 757f | jne 0x81 // 8b05???????? | // 85c0 | test eax, eax $sequence_10 = { 85c0 750e 3905???????? 7e2c ff0d???????? 83f801 8b0d???????? } // n = 7, score = 2500 // 85c0 | jne 0x3e // 750e | mov ecx, 0x80 // 3905???????? | // 7e2c | test eax, eax // ff0d???????? | // 83f801 | jne 0xd // 8b0d???????? | $sequence_11 = { 751c 8bcf ff15???????? 8d8fe8030000 } // n = 4, score = 2500 // 751c | jne 0x1e // 8bcf | mov ecx, edi // ff15???????? | // 8d8fe8030000 | lea ecx, dword ptr [edi + 0x3e8] $sequence_12 = { 5b c3 85ff 7418 } // n = 4, score = 2500 // 5b | pop ebx // c3 | ret // 85ff | test edi, edi // 7418 | je 0x1a $sequence_13 = { eb09 8bc5 99 2bc2 } // n = 4, score = 1900 // eb09 | push eax // 8bc5 | mov eax, dword ptr [ebp + 0xc] // 99 | mov dword ptr [esi + 8], 1 // 2bc2 | add esp, 0x20 $sequence_14 = { e8???????? 8d4644 50 e8???????? 8b450c c7460801000000 83c420 } // n = 7, score = 1900 // e8???????? | // 8d4644 | jl 0xd // 50 | mov al, byte ptr [edi + ebx] // e8???????? | // 8b450c | inc edi // c7460801000000 | and dword ptr [ebp - 8], 0 // 83c420 | lea eax, dword ptr [esi + 0x44] $sequence_15 = { ff45f8 837df808 7c0b 8a041f 47 8365f800 } // n = 6, score = 1900 // ff45f8 | xor eax, eax // 837df808 | cmp eax, -1 // 7c0b | je 9 // 8a041f | xor eax, eax // 47 | inc dword ptr [ebp - 8] // 8365f800 | cmp dword ptr [ebp - 8], 8 $sequence_16 = { 83f8ff 7407 33c0 e9???????? ff15???????? } // n = 5, score = 1900 // 83f8ff | cmp dword ptr [eax + ecx], 0x4550 // 7407 | jne 5 // 33c0 | xor eax, eax // e9???????? | // ff15???????? | $sequence_17 = { 8b03 85c0 7e0b 213b } // n = 4, score = 1200 // 8b03 | mov eax, dword ptr [ebx] // 85c0 | test eax, eax // 7e0b | jle 0xd // 213b | and dword ptr [ebx], edi $sequence_18 = { 8d7701 ff15???????? 8b4304 217b08 85c0 } // n = 5, score = 1200 // 8d7701 | lea esi, dword ptr [edi + 1] // ff15???????? | // 8b4304 | mov eax, dword ptr [ebx + 4] // 217b08 | and dword ptr [ebx + 8], edi // 85c0 | test eax, eax $sequence_19 = { 7f07 e8???????? eb26 83c0ff } // n = 4, score = 1200 // 7f07 | jg 9 // e8???????? | // eb26 | jmp 0x28 // 83c0ff | add eax, -1 $sequence_20 = { 7406 83430401 eb04 834b08ff } // n = 4, score = 1200 // 7406 | je 8 // 83430401 | add dword ptr [ebx + 4], 1 // eb04 | jmp 6 // 834b08ff | or dword ptr [ebx + 8], 0xffffffff $sequence_21 = { 894c2450 740f 034810 894c2450 } // n = 4, score = 1200 // 894c2450 | mov dword ptr [esp + 0x50], ecx // 740f | je 0x11 // 034810 | add ecx, dword ptr [eax + 0x10] // 894c2450 | mov dword ptr [esp + 0x50], ecx $sequence_22 = { 5f 5e 5d c3 8bc5 ebe4 } // n = 6, score = 1200 // 5f | pop edi // 5e | pop esi // 5d | pop ebp // c3 | ret // 8bc5 | mov eax, ebp // ebe4 | jmp 0xffffffe6 $sequence_23 = { e8???????? 33db 3bc3 741a } // n = 4, score = 1200 // e8???????? | // 33db | xor ebx, ebx // 3bc3 | cmp eax, ebx // 741a | je 0x1c $sequence_24 = { e8???????? eb6d e8???????? 85c0 7564 } // n = 5, score = 1200 // e8???????? | // eb6d | jmp 0x6f // e8???????? | // 85c0 | test eax, eax // 7564 | jne 0x66 $sequence_25 = { 83781400 750a b865005921 e9???????? } // n = 4, score = 900 // 83781400 | jmp 0xb // 750a | mov eax, 0x10000 // b865005921 | jmp 4 // e9???????? | $sequence_26 = { ff15???????? 83f87a 740b 3d230000c0 } // n = 4, score = 800 // ff15???????? | // 83f87a | je 0xc // 740b | test eax, eax // 3d230000c0 | jle 0x92 $sequence_27 = { 5d c3 8b4d08 57 51 6a00 } // n = 6, score = 800 // 5d | push 0 // c3 | push esi // 8b4d08 | push esi // 57 | mov edi, eax // 51 | pop ebp // 6a00 | ret $sequence_28 = { 663bcb 75f4 8b15???????? 8b0d???????? 8910 8b15???????? 894804 } // n = 7, score = 800 // 663bcb | push ecx // 75f4 | call esi // 8b15???????? | // 8b0d???????? | // 8910 | add esp, 0xc // 8b15???????? | // 894804 | push 0x28 $sequence_29 = { 68000000c0 50 ff15???????? 8bf0 83feff 7505 } // n = 6, score = 800 // 68000000c0 | mov dword ptr [eax], ecx // 50 | mov dword ptr [eax + 4], edx // ff15???????? | // 8bf0 | mov dword ptr [eax + 8], ecx // 83feff | xor eax, eax // 7505 | push 0xc0000000 $sequence_30 = { 6689440ffc 6685c0 75ee f685c003000010 } // n = 4, score = 800 // 6689440ffc | sub eax, 1 // 6685c0 | cmp eax, 0x7a // 75ee | je 0xd // f685c003000010 | cmp eax, 0xc0000023 $sequence_31 = { 83c002 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? } // n = 7, score = 800 // 83c002 | push 0 // 663bcb | push 0 // 75f4 | push esi // 8b0d???????? | // 8b15???????? | // 8908 | push esi // 8b0d???????? | $sequence_32 = { 68???????? 51 ffd6 83c40c 6a28 } // n = 5, score = 800 // 68???????? | // 51 | mov dword ptr [eax], ecx // ffd6 | mov dword ptr [eax + 4], edx // 83c40c | mov dword ptr [eax + 8], ecx // 6a28 | xor eax, eax $sequence_33 = { 8b0d???????? 895004 894808 33c0 } // n = 4, score = 800 // 8b0d???????? | // 895004 | mov ecx, dword ptr [ebp + 8] // 894808 | push edi // 33c0 | push ecx $sequence_34 = { 53 56 33db 57 6808020000 } // n = 5, score = 800 // 53 | add eax, 2 // 56 | cmp cx, bx // 33db | jne 0xfffffff9 // 57 | mov dword ptr [eax], edx // 6808020000 | push ebx $sequence_35 = { 8d45e8 50 6a00 6aff e8???????? 85c0 } // n = 6, score = 800 // 8d45e8 | xor eax, eax // 50 | jmp 7 // 6a00 | mov eax, 0x21590065 // 6aff | xor eax, eax // e8???????? | // 85c0 | lea eax, dword ptr [ebp - 0x18] $sequence_36 = { 51 6a00 6a00 56 ff15???????? 56 8bf8 } // n = 7, score = 800 // 51 | sub ecx, edx // 6a00 | lea eax, dword ptr [edi + edx] // 6a00 | sub esi, edi // 56 | mov edi, ebx // ff15???????? | // 56 | push ecx // 8bf8 | push 0 $sequence_37 = { 5b 5d c3 4585e4 } // n = 4, score = 700 // 5b | test al, al // 5d | cmovne edi, ecx // c3 | dec eax // 4585e4 | mov ecx, esi $sequence_38 = { 48894c2450 4c89642448 488d4c2468 48894c2440 4c89642438 } // n = 5, score = 700 // 48894c2450 | test al, al // 4c89642448 | cmovne edi, ecx // 488d4c2468 | dec eax // 48894c2440 | mov ecx, esi // 4c89642438 | mov edx, edi $sequence_39 = { 498bcd ff15???????? 4c8bac24400d0000 488bbc24880d0000 4885db 7418 } // n = 6, score = 700 // 498bcd | cmovne edi, ecx // ff15???????? | // 4c8bac24400d0000 | dec eax // 488bbc24880d0000 | mov ecx, esi // 4885db | mov edx, edi // 7418 | test eax, eax $sequence_40 = { ff15???????? 488bcf ff15???????? 41b701 } // n = 4, score = 700 // ff15???????? | // 488bcf | pop ebx // ff15???????? | // 41b701 | pop ebp $sequence_41 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c } // n = 5, score = 700 // 8d8588feffff | test eax, eax // 68???????? | // 50 | jne 0x10 // ff15???????? | // 83c42c | jle 0x2e $sequence_42 = { b914000000 84c0 0f45f9 488bce 8bd7 } // n = 5, score = 700 // b914000000 | mov word ptr [edi + ecx - 4], ax // 84c0 | test ax, ax // 0f45f9 | jne 0xfffffff3 // 488bce | test byte ptr [ebp + 0x3c0], 0x10 // 8bd7 | mov ecx, 0x14 $sequence_43 = { 488bce 8bd7 ff15???????? 85c0 } // n = 4, score = 700 // 488bce | cmovne edi, ecx // 8bd7 | dec eax // ff15???????? | // 85c0 | mov ecx, esi $sequence_44 = { 7507 32c0 e9???????? c745b818000000 } // n = 4, score = 600 // 7507 | push eax // 32c0 | push 0 // e9???????? | // c745b818000000 | push -1 $sequence_45 = { 668b08 83c002 6685c9 75f5 2bc2 d1f8 66837c43fe5c } // n = 7, score = 500 // 668b08 | jne 0x3e // 83c002 | mov ecx, 0x80 // 6685c9 | test eax, eax // 75f5 | jne 0xd // 2bc2 | test eax, eax // d1f8 | jne 6 // 66837c43fe5c | xor eax, eax $sequence_46 = { 0f8456feffff 807c241301 6800080000 0f8544020000 } // n = 4, score = 300 // 0f8456feffff | push edx // 807c241301 | call esi // 6800080000 | add eax, 0xa2 // 0f8544020000 | push eax $sequence_47 = { 05a1000000 50 8d84249c0d0000 68???????? } // n = 4, score = 300 // 05a1000000 | xor eax, eax // 50 | jmp 0x6e // 8d84249c0d0000 | and dword ptr [eax], 0 // 68???????? | $sequence_48 = { 0f84100f0000 6800080000 57 56 } // n = 4, score = 300 // 0f84100f0000 | lea eax, dword ptr [esp + 0xd9c] // 6800080000 | push eax // 57 | add eax, 0xa1 // 56 | push eax $sequence_49 = { 05a2000000 50 8d94249c0d0000 68???????? } // n = 4, score = 300 // 05a2000000 | sar eax, 1 // 50 | cmp word ptr [ebx + eax*2 - 2], 0x5c // 8d94249c0d0000 | test cx, cx // 68???????? | $sequence_50 = { 0f8431ffffff 8b4d08 5f 8931 } // n = 4, score = 300 // 0f8431ffffff | push ecx // 8b4d08 | add eax, 0xa2 // 5f | push eax // 8931 | lea ecx, dword ptr [esp + 0xd9c] $sequence_51 = { 05a2000000 50 8d8c249c0d0000 68???????? } // n = 4, score = 300 // 05a2000000 | jne 0x13 // 50 | test eax, eax // 8d8c249c0d0000 | jne 0xc // 68???????? | $sequence_52 = { 668cc8 c3 53 50 } // n = 4, score = 200 // 668cc8 | xor esi, esi // c3 | add eax, edx // 53 | adc ecx, esi // 50 | push ecx $sequence_53 = { 85c0 740a b8050000c0 e9???????? } // n = 4, score = 200 // 85c0 | mov ax, cs // 740a | ret // b8050000c0 | push ebx // e9???????? | $sequence_54 = { c745a018000000 c745a400000000 c745ac40000000 8d45c0 } // n = 4, score = 100 // c745a018000000 | mov eax, 0xc0000005 // c745a400000000 | test eax, eax // c745ac40000000 | je 0xe // 8d45c0 | mov eax, 0xc0000005 $sequence_55 = { c745a0ffffffff c745fcffffffff 8b45a0 e9???????? } // n = 4, score = 100 // c745a0ffffffff | lea edx, dword ptr [ebp - 0x38] // c745fcffffffff | mov dword ptr [ebp - 0x58], edx // 8b45a0 | mov dword ptr [ebp - 0x50], 0 // e9???????? | condition: 7 of them and filesize < 1368064 }
rule win_cobra_w0 { meta: author = "ESET Research" source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $s1 = "ModStart" $s2 = "ModuleStart" $t1 = "STOP|OK" $t2 = "STOP|KILL" condition: (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*)) }
import "pe" rule win_cobra_w1 { meta: author = "ESET Research" source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" malpedia_version = "20170512" malpedia_sharing = "TLP:WHITE" malpedia_license = "" condition: (pe.version_info["InternalName"] contains "SERVICE.EXE" or pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or pe.version_info["InternalName"] contains "MSXIML.DLL") and pe.version_info["CompanyName"] contains "Microsoft Corporation" }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY