Actor(s): Turla Group
There is no description at this point.
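rule win_cobra_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex patterns below are unchanged from the published rule. The
     *   per-instruction annotations in the published copy were shifted against
     *   the opcodes they sat next to (e.g. "7511" was labelled "jmp 0x6e");
     *   they have been re-decoded here so each comment describes the bytes on
     *   its own line. Jump targets are rendered the way yara-signator/capstone
     *   prints them: instruction length plus displacement, i.e. relative to the
     *   start of that instruction.
     * - $sequence_20 .. $sequence_24 carry REX prefixes (48/49/4c/4d/44) and are
     *   decoded as x86-64; every other sequence is decoded as 32-bit x86. The
     *   rule therefore covers both a 32-bit and a 64-bit build of the family.
     * - "n" is the number of instructions in the sequence and "score" is
     *   yara-signator's ranking value; neither is a confidence level.
     * - The patterns come from unpacked code (see DISCLAIMER): expect them to
     *   fire on unpacked files and memory dumps, not on packed on-disk samples.
     * - The "filesize" clause restricts the rule to file scans. Per YARA's
     *   documentation filesize is undefined for process-memory scans, which
     *   makes the whole condition evaluate false there; dump memory to a file
     *   before applying this rule.
     */

    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 3100
            //   7511          | jne 0x13
            //   e8????????    | call <rel32 wildcarded>
            //   85c0          | test eax, eax
            //   7508          | jne 0xa
            //   ff15????????  | call dword ptr [<imm32 wildcarded>]

        $sequence_1 = { 7514 391d???????? 754d 33c0 }
            // n = 4, score = 2800
            //   7514          | jne 0x16
            //   391d????????  | cmp dword ptr [<imm32 wildcarded>], ebx
            //   754d          | jne 0x4f
            //   33c0          | xor eax, eax

        $sequence_2 = { 83f801 75f1 b900010000 e8???????? }
            // n = 4, score = 2800
            //   83f801        | cmp eax, 1
            //   75f1          | jne 0xfffffff3   (backward jump, loop re-test)
            //   b900010000    | mov ecx, 0x100
            //   e8????????    | call <rel32 wildcarded>

        $sequence_3 = { 5e 5b c3 85ff 7418 }
            // n = 5, score = 2800
            //   5e            | pop esi
            //   5b            | pop ebx
            //   c3            | ret
            //   85ff          | test edi, edi
            //   7418          | je 0x1a

        $sequence_4 = { 83fb01 7405 83fb02 7537 }
            // n = 4, score = 2800
            //   83fb01        | cmp ebx, 1
            //   7405          | je 7
            //   83fb02        | cmp ebx, 2
            //   7537          | jne 0x39

        $sequence_5 = { 757f 8b05???????? 85c0 0f8e8c000000 }
            // n = 4, score = 2800
            //   757f          | jne 0x81
            //   8b05????????  | mov eax, dword ptr [<imm32 wildcarded>]
            //   85c0          | test eax, eax
            //   0f8e8c000000  | jle 0x92

        $sequence_6 = { 5b c3 85db 7405 83fb03 753b }
            // n = 6, score = 2800
            //   5b            | pop ebx
            //   c3            | ret
            //   85db          | test ebx, ebx
            //   7405          | je 7
            //   83fb03        | cmp ebx, 3
            //   753b          | jne 0x3d
            // $sequence_4 and $sequence_6 look like the same compare-chain on ebx
            // (1, 2, 3) — presumably a small command/state dispatcher; unverified.

        $sequence_7 = { 85c0 750e 33ff 8bc7 }
            // n = 4, score = 2800
            //   85c0          | test eax, eax
            //   750e          | jne 0x10
            //   33ff          | xor edi, edi
            //   8bc7          | mov eax, edi

        $sequence_8 = { 751c 8bcf ff15???????? 8d8fe8030000 }
            // n = 4, score = 2800
            //   751c          | jne 0x1e
            //   8bcf          | mov ecx, edi
            //   ff15????????  | call dword ptr [<imm32 wildcarded>]
            //   8d8fe8030000  | lea ecx, [edi + 0x3e8]

        $sequence_9 = { e8???????? 85c0 a3???????? 7504 33c0 }
            // n = 5, score = 2700
            //   e8????????    | call <rel32 wildcarded>
            //   85c0          | test eax, eax
            //   a3????????    | mov dword ptr [<imm32 wildcarded>], eax
            //   7504          | jne 6
            //   33c0          | xor eax, eax

        $sequence_10 = { 85c0 750e 3905???????? 7e2c ff0d???????? 83f801 8b0d???????? }
            // n = 7, score = 2700
            //   85c0          | test eax, eax
            //   750e          | jne 0x10
            //   3905????????  | cmp dword ptr [<imm32 wildcarded>], eax
            //   7e2c          | jle 0x2e
            //   ff0d????????  | dec dword ptr [<imm32 wildcarded>]
            //   83f801        | cmp eax, 1
            //   8b0d????????  | mov ecx, dword ptr [<imm32 wildcarded>]

        $sequence_11 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 2700
            //   ff25????????  | jmp dword ptr [<imm32 wildcarded>]   (import thunk)
            //   53            | push ebx
            //   56            | push esi
            //   57            | push edi
            //   8bd9          | mov ebx, ecx
            //   33f6          | xor esi, esi

        $sequence_12 = { 753c b980000000 e8???????? 85c0 }
            // n = 4, score = 2700
            //   753c          | jne 0x3e
            //   b980000000    | mov ecx, 0x80
            //   e8????????    | call <rel32 wildcarded>
            //   85c0          | test eax, eax

        $sequence_13 = { 33d2 b9e8030000 f7f1 83f805 }
            // n = 4, score = 2500
            //   33d2          | xor edx, edx
            //   b9e8030000    | mov ecx, 0x3e8
            //   f7f1          | div ecx               (unsigned divide by 1000)
            //   83f805        | cmp eax, 5

        $sequence_14 = { 7407 33c0 e9???????? ff15???????? e9???????? }
            // n = 5, score = 2100
            //   7407          | je 9
            //   33c0          | xor eax, eax
            //   e9????????    | jmp <rel32 wildcarded>
            //   ff15????????  | call dword ptr [<imm32 wildcarded>]
            //   e9????????    | jmp <rel32 wildcarded>

        $sequence_15 = { 8bc3 2b44242c 33ff 3bc7 }
            // n = 4, score = 2100
            //   8bc3          | mov eax, ebx
            //   2b44242c      | sub eax, dword ptr [esp + 0x2c]
            //   33ff          | xor edi, edi
            //   3bc7          | cmp eax, edi

        $sequence_16 = { e8???????? 99 b901040000 f7f9 8b7f0c }
            // n = 5, score = 2100
            //   e8????????    | call <rel32 wildcarded>
            //   99            | cdq
            //   b901040000    | mov ecx, 0x401
            //   f7f9          | idiv ecx              (signed divide by 1025)
            //   8b7f0c        | mov edi, dword ptr [edi + 0xc]

        $sequence_17 = { 85c0 7f07 e8???????? eb26 83c0ff }
            // n = 5, score = 1400
            //   85c0          | test eax, eax
            //   7f07          | jg 9
            //   e8????????    | call <rel32 wildcarded>
            //   eb26          | jmp 0x28
            //   83c0ff        | add eax, -1

        $sequence_18 = { eb6d e8???????? 85c0 7564 }
            // n = 4, score = 1400
            //   eb6d          | jmp 0x6f
            //   e8????????    | call <rel32 wildcarded>
            //   85c0          | test eax, eax
            //   7564          | jne 0x66

        $sequence_19 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1400
            //   e8????????    | call <rel32 wildcarded>
            //   33db          | xor ebx, ebx
            //   3bc3          | cmp eax, ebx
            //   741a          | je 0x1c

        // ---- x86-64 sequences (REX-prefixed) ----------------------------------

        $sequence_20 = { 83385c 7e4b 4c8b505c 4d85d2 7442 448b6c2470 4c8bce }
            // n = 7, score = 1100
            //   83385c        | cmp dword ptr [rax], 0x5c   (0x5c = '\\' — path separator? unverified)
            //   7e4b          | jle 0x4d
            //   4c8b505c      | mov r10, qword ptr [rax + 0x5c]
            //   4d85d2        | test r10, r10
            //   7442          | je 0x44
            //   448b6c2470    | mov r13d, dword ptr [rsp + 0x70]
            //   4c8bce        | mov r9, rsi

        $sequence_21 = { eb0e 4883c108 e8???????? b801005921 488b5c2430 488b6c2438 488b742440 }
            // n = 7, score = 1100
            //   eb0e          | jmp 0x10
            //   4883c108      | add rcx, 8
            //   e8????????    | call <rel32 wildcarded>
            //   b801005921    | mov eax, 0x21590001
            //   488b5c2430    | mov rbx, qword ptr [rsp + 0x30]
            //   488b6c2438    | mov rbp, qword ptr [rsp + 0x38]
            //   488b742440    | mov rsi, qword ptr [rsp + 0x40]
            // 0x21590001 / 0x21590006 (seq 24) / 0x21590065 (seq 27) share a
            // 0x2159xxxx prefix and are loaded as return values right before
            // epilogues — presumably family-specific status codes; unverified.

        $sequence_22 = { e8???????? 48832700 ba02000000 488bce e8???????? 498bce }
            // n = 6, score = 1100
            //   e8????????    | call <rel32 wildcarded>
            //   48832700      | and qword ptr [rdi], 0
            //   ba02000000    | mov edx, 2
            //   488bce        | mov rcx, rsi
            //   e8????????    | call <rel32 wildcarded>
            //   498bce        | mov rcx, r14

        $sequence_23 = { b801005921 488b5c2430 488b742438 4883c420 }
            // n = 4, score = 1100
            //   b801005921    | mov eax, 0x21590001
            //   488b5c2430    | mov rbx, qword ptr [rsp + 0x30]
            //   488b742438    | mov rsi, qword ptr [rsp + 0x38]
            //   4883c420      | add rsp, 0x20

        $sequence_24 = { 750b 4883c108 e8???????? eb0c bb06005921 eb05 }
            // n = 6, score = 1100
            //   750b          | jne 0xd
            //   4883c108      | add rcx, 8
            //   e8????????    | call <rel32 wildcarded>
            //   eb0c          | jmp 0xe
            //   bb06005921    | mov ebx, 0x21590006
            //   eb05          | jmp 7

        // ---- 32-bit sequences, continued --------------------------------------

        $sequence_25 = { 50 6a00 6aff e8???????? 85c0 7405 }
            // n = 6, score = 1000
            //   50            | push eax
            //   6a00          | push 0
            //   6aff          | push -1
            //   e8????????    | call <rel32 wildcarded>
            //   85c0          | test eax, eax
            //   7405          | je 7

        $sequence_26 = { 898424a0000000 e8???????? 6808020000 8d8424b0020000 53 50 }
            // n = 6, score = 900
            //   898424a0000000 | mov dword ptr [esp + 0xa0], eax
            //   e8????????     | call <rel32 wildcarded>
            //   6808020000     | push 0x208
            //   8d8424b0020000 | lea eax, [esp + 0x2b0]
            //   53             | push ebx
            //   50             | push eax
            // 0x208 = 520 bytes = 260 WCHARs, the usual MAX_PATH-sized wide
            // buffer; it is pushed as a length together with a stack buffer
            // address here and in $sequence_28 — looks like a path API call; unverified.

        $sequence_27 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400      | cmp dword ptr [eax + 0x14], 0
            //   750a          | jne 0xc
            //   b865005921    | mov eax, 0x21590065
            //   e9????????    | jmp <rel32 wildcarded>

        $sequence_28 = { 89842490000000 89842494000000 89842498000000 8984249c000000 898424a0000000 e8???????? 6808020000 }
            // n = 7, score = 900
            //   89842490000000 | mov dword ptr [esp + 0x90], eax
            //   89842494000000 | mov dword ptr [esp + 0x94], eax
            //   89842498000000 | mov dword ptr [esp + 0x98], eax
            //   8984249c000000 | mov dword ptr [esp + 0x9c], eax
            //   898424a0000000 | mov dword ptr [esp + 0xa0], eax
            //   e8????????     | call <rel32 wildcarded>
            //   6808020000     | push 0x208

        $sequence_29 = { 8975fc e8???????? 681c010000 8d8de0feffff }
            // n = 4, score = 900
            //   8975fc        | mov dword ptr [ebp - 4], esi
            //   e8????????    | call <rel32 wildcarded>
            //   681c010000    | push 0x11c
            //   8d8de0feffff  | lea ecx, [ebp - 0x120]

        $sequence_30 = { 895c2428 895c2434 895c2430 895c2424 895c2420 885c241f e8???????? }
            // n = 7, score = 900
            //   895c2428      | mov dword ptr [esp + 0x28], ebx
            //   895c2434      | mov dword ptr [esp + 0x34], ebx
            //   895c2430      | mov dword ptr [esp + 0x30], ebx
            //   895c2424      | mov dword ptr [esp + 0x24], ebx
            //   895c2420      | mov dword ptr [esp + 0x20], ebx
            //   885c241f      | mov byte ptr [esp + 0x1f], bl
            //   e8????????    | call <rel32 wildcarded>
            // Filling a run of stack slots from one register (ebx, presumably
            // zero) is compiler-generated struct/out-parameter clearing; such
            // sequences are common and are the weaker half of this rule.

        $sequence_31 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 800
            //   7507          | jne 9
            //   32c0          | xor al, al
            //   e9????????    | jmp <rel32 wildcarded>
            //   c745b818000000 | mov dword ptr [ebp - 0x48], 0x18

        $sequence_32 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            //   85c0          | test eax, eax
            //   740a          | je 0xc
            //   b8050000c0    | mov eax, 0xc0000005   (NTSTATUS STATUS_ACCESS_VIOLATION)
            //   e9????????    | jmp <rel32 wildcarded>

        $sequence_33 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8        | mov ax, cs
            //   c3            | ret
            //   53            | push ebx
            //   50            | push eax
            // "mov ax, cs; ret" returns the code-segment selector, a classic
            // way to tell a 32-bit process from a WoW64 one — plausible here but
            // not confirmed from these bytes alone.

        $sequence_34 = { 8b4d08 8b4120 8b5124 5d c20400 }
            // n = 5, score = 100
            //   8b4d08        | mov ecx, dword ptr [ebp + 8]
            //   8b4120        | mov eax, dword ptr [ecx + 0x20]
            //   8b5124        | mov edx, dword ptr [ecx + 0x24]
            //   5d            | pop ebp
            //   c20400        | ret 4
            // Returns a 64-bit value (edx:eax) from offsets 0x20/0x24 of the
            // single stdcall argument; low score, and generic enough to occur
            // in unrelated code.

        $sequence_35 = { 8b4d08 8b15???????? 8911 33c0 e9???????? }
            // n = 5, score = 100
            //   8b4d08        | mov ecx, dword ptr [ebp + 8]
            //   8b15????????  | mov edx, dword ptr [<imm32 wildcarded>]
            //   8911          | mov dword ptr [ecx], edx
            //   33c0          | xor eax, eax
            //   e9????????    | jmp <rel32 wildcarded>

    condition:
        // At least 7 of the 36 sequences; a single generic sequence (e.g. 30,
        // 34, 35) is never sufficient on its own. The size bound comes from
        // the generator and caps scanning to files below ~1.3 MiB.
        7 of them and filesize < 1368064
}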
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        // Group $s*: two spellings of the same marker. No modifiers, so these
        // are plain ASCII matches anywhere in the file (not wide, not fullword).
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        // Group $t*: "STOP|<verdict>" tokens.
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // Requires the MZ magic plus one hit from EACH group, so a file that
        // only contains "ModuleStart" does not match. Note for triage: the
        // $s* tokens are short, generic identifiers that can legitimately occur
        // in unrelated software; the $t* tokens carry most of the specificity.
        // Adding "fullword" or pairing this with win_cobra_w1 would reduce
        // false positives but would change what the published rule matches,
        // so it is left as-is here.
        uint16(0) == 0x5a4d
        and any of ($s*)
        and any of ($t*)
}
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    condition:
        // Metadata-only rule: it inspects the PE version resource and nothing
        // else (no code or string content), so it is cheap to evaluate but
        // trivially evaded by editing the resource, and it says nothing about
        // what the file does. Treat a hit as a triage lead, not a verdict.
        //
        // Semantics worth knowing when tuning:
        //  - "contains" is a case-sensitive substring test; a resource that
        //    says "service.exe" would not match.
        //  - If the file is not a PE or the resource lacks the key, the
        //    pe.version_info[...] lookup is undefined and the whole condition
        //    evaluates false, so no MZ check is needed here.
        //  - "MSIMGHLP.DLL" and "MSXIML.DLL" resemble, but are not, the genuine
        //    IMAGEHLP.DLL / MSXML*.DLL names; "SERVICE.EXE" is generic enough
        //    that a legitimately signed Microsoft binary could plausibly carry
        //    it — verify the signature before acting on that branch alone.
        (pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL")
        // The impersonated vendor string; also case-sensitive.
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}