win.combos

Combos

Actor(s): Comment Crew


There is no description at this point.

References
2018 — Mandiant — Mandiant
@techreport{mandiant:2018:apt1:b76cc4d, author = {Mandiant}, title = {{APT1}}, date = {2018}, institution = {Mandiant}, url = {https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf}, language = {English}, urldate = {2020-01-13} } APT1
Auriga Biscuit Bouncer Combos CookieBag Dairy GetMail GlooxMail Goggles Hacksfase Helauto Kurton ManItsMe MAPIget MiniASP NewsReels SeaSalt StarsyPound Sword TabMsgSQL Tarsip WebC2-AdSpace WebC2-Ausov WebC2-Bolid WebC2-Cson WebC2-DIV WebC2-GreenCat WebC2-Head WebC2-Kt3 WebC2-Qbp WebC2-Rave WebC2-Table WebC2-UGX WebC2-Yahoo
Yara Rules
[TLP:WHITE] win_combos_auto (20211008 | Detects win.combos.)
// Auto-generated Malpedia rule for the Combos family (win.combos). The byte
// sequences below were selected by YARA-Signator; see the DISCLAIMER inside
// the rule for how they were chosen and what that implies for generalization.
rule win_combos_auto {

    // Provenance metadata (generator, date, Malpedia reference/hash, license).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.combos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten short opcode sequences ($sequence_0 .. $sequence_9), each 4-7
        // instructions long, with the decoded x86 instructions listed beneath
        // each pattern. "??" marks wildcard bytes (masked operand bytes, e.g.
        // the 32-bit push immediate in $sequence_0 and the four masked bytes in
        // $sequence_8), so those positions match any value.
        $sequence_0 = { 5e 6a00 6a00 6a00 7528 68???????? }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   7528                 | jne                 0x2a
            //   68????????           |                     

        $sequence_1 = { 41 83f940 7cb7 46 83fe10 7caf }
            // n = 6, score = 100
            //   41                   | inc                 ecx
            //   83f940               | cmp                 ecx, 0x40
            //   7cb7                 | jl                  0xffffffb9
            //   46                   | inc                 esi
            //   83fe10               | cmp                 esi, 0x10
            //   7caf                 | jl                  0xffffffb1

        $sequence_2 = { b908000000 3bc1 7d0e 8d0c2a 40 }
            // n = 5, score = 100
            //   b908000000           | mov                 ecx, 8
            //   3bc1                 | cmp                 eax, ecx
            //   7d0e                 | jge                 0x10
            //   8d0c2a               | lea                 ecx, dword ptr [edx + ebp]
            //   40                   | inc                 eax

        $sequence_3 = { 41 83f838 7cd9 33c9 0fbe81f8900010 8a540447 84d2 }
            // n = 7, score = 100
            //   41                   | inc                 ecx
            //   83f838               | cmp                 eax, 0x38
            //   7cd9                 | jl                  0xffffffdb
            //   33c9                 | xor                 ecx, ecx
            //   0fbe81f8900010       | movsx               eax, byte ptr [ecx + 0x100090f8]
            //   8a540447             | mov                 dl, byte ptr [esp + eax + 0x47]
            //   84d2                 | test                dl, dl

        $sequence_4 = { b909000000 33c0 8dbda0feffff f3ab 33ff }
            // n = 5, score = 100
            //   b909000000           | mov                 ecx, 9
            //   33c0                 | xor                 eax, eax
            //   8dbda0feffff         | lea                 edi, dword ptr [ebp - 0x160]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   33ff                 | xor                 edi, edi

        $sequence_5 = { 8b4c2410 8bfb 8bc1 6a01 }
            // n = 4, score = 100
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8bfb                 | mov                 edi, ebx
            //   8bc1                 | mov                 eax, ecx
            //   6a01                 | push                1

        $sequence_6 = { 33f6 8bd8 8bc6 8bce d1f8 83e101 83e00f }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   8bd8                 | mov                 ebx, eax
            //   8bc6                 | mov                 eax, esi
            //   8bce                 | mov                 ecx, esi
            //   d1f8                 | sar                 eax, 1
            //   83e101               | and                 ecx, 1
            //   83e00f               | and                 eax, 0xf

        $sequence_7 = { ffd5 6a40 6800100000 8b542418 }
            // n = 4, score = 100
            //   ffd5                 | call                ebp
            //   6a40                 | push                0x40
            //   6800100000           | push                0x1000
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

        $sequence_8 = { 8088????????10 8a9405ecfdffff 889000190110 eb1c }
            // n = 4, score = 100
            //   8088????????10       |                     
            //   8a9405ecfdffff       | mov                 dl, byte ptr [ebp + eax - 0x214]
            //   889000190110         | mov                 byte ptr [eax + 0x10011900], dl
            //   eb1c                 | jmp                 0x1e

        $sequence_9 = { 83ff10 7c84 5f 5e 5b 33c0 5d }
            // n = 7, score = 100
            //   83ff10               | cmp                 edi, 0x10
            //   7c84                 | jl                  0xffffff86
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp

    condition:
        // Fires when at least 7 of the 10 sequences are present in a scanned
        // object smaller than 160 KiB (163840 bytes). There is deliberately no
        // PE-header test (e.g. uint16(0) == 0x5a4d): per the DISCLAIMER the
        // sequences were also drawn from memory dumps, so the rule is not
        // limited to on-disk executables.
        // NOTE(review): the filesize bound applies to the scanned file, so a
        // dump or container larger than 160 KiB will not match even if all
        // ten sequences are present — confirm this suits your scan targets.
        7 of them and filesize < 163840
}