win.common_magic (Back to overview)

CommonMagic


There is no description at this point.

References
2023-05-19Kaspersky LabsLeonid Bezvershenko, Georgy Kucherin, Igor Kuznetsov
@online{bezvershenko:20230519:cloudwizard:7ad05b6, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{CloudWizard APT: the bad magic story goes on}}, date = {2023-05-19}, organization = {Kaspersky Labs}, url = {https://securelist.com/cloudwizard-apt/109722/}, language = {English}, urldate = {2023-06-01} } CloudWizard APT: the bad magic story goes on
PowerMagic CloudWizard CommonMagic Prikormka
2023-03-21Kaspersky LabsLeonid Bezvershenko, Georgy Kucherin, Igor Kuznetsov
@online{bezvershenko:20230321:bad:054dcba, author = {Leonid Bezvershenko and Georgy Kucherin and Igor Kuznetsov}, title = {{Bad magic: new APT found in the area of Russo-Ukrainian conflict}}, date = {2023-03-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-magic-apt/109087/?s=31}, language = {English}, urldate = {2023-03-21} } Bad magic: new APT found in the area of Russo-Ukrainian conflict
PowerMagic CommonMagic
Yara Rules
[TLP:WHITE] win_common_magic_auto (20230407 | Detects win.common_magic.)
rule win_common_magic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.common_magic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - The detection logic is the ten x86 byte sequences below. The rule fires
     *   only when at least 7 of them are present AND the scanned object is
     *   smaller than 212992 bytes (208 KiB); a larger file is never matched even
     *   if every sequence is found, so keep the size bound in mind when scanning
     *   memory regions or larger builds.
     * - The "????????" bytes in $sequence_0 and $sequence_5 wildcard the rel32
     *   operand of an e8 (call) instruction, so the sequence still matches when
     *   the call target is relocated.
     * - Per the disclaimer, the sequences come from memory dumps and unpacked
     *   files; presumably the rule is best applied to unpacked or in-memory code
     *   rather than packed on-disk samples — confirm before relying on it there.
     * - Several sequences ($sequence_6, $sequence_8) look like generic compiler
     *   idioms; the "7 of them" threshold is what gives the rule its specificity,
     *   so do not lower it without re-measuring the false-positive rate.
     */


    strings:
        $sequence_0 = { 85c9 747a 8b9578ffffff 51 e8???????? }
            // n = 5, score = 100
            //   85c9                 | test                ecx, ecx
            //   747a                 | je                  0x7c
            //   8b9578ffffff         | mov                 edx, dword ptr [ebp - 0x88]
            //   51                   | push                ecx
            //   e8????????           | call                <rel32 target wildcarded>

        $sequence_1 = { 85f6 7512 8d45c4 50 }
            // n = 4, score = 100
            //   85f6                 | test                esi, esi
            //   7512                 | jne                 0x14
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   50                   | push                eax

        $sequence_2 = { f30f7e8598fdffff 660fd64010 33c0 83470418 c78598fdffff00000000 898d9cfdffff }
            // n = 6, score = 100
            //   f30f7e8598fdffff     | movq                xmm0, qword ptr [ebp - 0x268]
            //   660fd64010           | movq                qword ptr [eax + 0x10], xmm0
            //   33c0                 | xor                 eax, eax
            //   83470418             | add                 dword ptr [edi + 4], 0x18
            //   c78598fdffff00000000 | mov                 dword ptr [ebp - 0x268], 0
            //   898d9cfdffff         | mov                 dword ptr [ebp - 0x264], ecx

        $sequence_3 = { 8b45e8 c645d300 83f808 722b }
            // n = 4, score = 100
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   c645d300             | mov                 byte ptr [ebp - 0x2d], 0
            //   83f808               | cmp                 eax, 8
            //   722b                 | jb                  0x2d

        $sequence_4 = { 90 85f6 740b 83feff 0f8483000000 eb7d 8b1c9d901a4100 }
            // n = 7, score = 100
            //   90                   | nop                 
            //   85f6                 | test                esi, esi
            //   740b                 | je                  0xd
            //   83feff               | cmp                 esi, -1
            //   0f8483000000         | je                  0x89
            //   eb7d                 | jmp                 0x7f
            //   8b1c9d901a4100       | mov                 ebx, dword ptr [ebx*4 + 0x411a90]
            // NOTE(review): the last instruction embeds the absolute address 0x411a90,
            // which ties this sequence to one image base / build; a rebased or
            // differently linked copy may fail to match this one sequence.

        $sequence_5 = { 0f87ab020000 51 56 e8???????? 83c408 c7458000000000 }
            // n = 6, score = 100
            //   0f87ab020000         | ja                  0x2b1
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           | call                <rel32 target wildcarded>
            //   83c408               | add                 esp, 8
            //   c7458000000000       | mov                 dword ptr [ebp - 0x80], 0

        $sequence_6 = { 81f9aaaaaa0a 0f8737010000 8d1c49 c1e303 }
            // n = 4, score = 100
            //   81f9aaaaaa0a         | cmp                 ecx, 0xaaaaaaa
            //   0f8737010000         | ja                  0x13d
            //   8d1c49               | lea                 ebx, [ecx + ecx*2]
            //   c1e303               | shl                 ebx, 3
            // NOTE(review): bounds check against 0xaaaaaaa followed by ebx = ecx * 24
            // looks like a compiler-emitted overflow guard before a 24-byte-element
            // size computation; presumably low specificity on its own — verify.

        $sequence_7 = { c745d052004100 c745d44d004400 c745d841005400 894ddc }
            // n = 4, score = 100
            //   c745d052004100       | mov                 dword ptr [ebp - 0x30], 0x410052
            //   c745d44d004400       | mov                 dword ptr [ebp - 0x2c], 0x44004d
            //   c745d841005400       | mov                 dword ptr [ebp - 0x28], 0x540041
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            // NOTE(review): the three immediates are, in memory order, the UTF-16LE
            // bytes 52 00 41 00 4d 00 44 00 41 00 54 00 ("RAMDAT"); presumably a
            // stack-built wide string — confirm its full value in the sample.

        $sequence_8 = { 85c0 0f848f000000 8b5508 8d7023 83e6e0 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f848f000000         | je                  0x95
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8d7023               | lea                 esi, [eax + 0x23]
            //   83e6e0               | and                 esi, 0xffffffe0
            // NOTE(review): lea +0x23 then and 0xffffffe0 rounds a pointer/size to a
            // 32-byte boundary; this is a generic alignment idiom that may occur in
            // unrelated code.

        $sequence_9 = { 8bb5a8fdffff eb20 8d8de8fdffff c685a4fdffff00 51 ffb5a4fdffff 8d8dacfdffff }
            // n = 7, score = 100
            //   8bb5a8fdffff         | mov                 esi, dword ptr [ebp - 0x258]
            //   eb20                 | jmp                 0x22
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   c685a4fdffff00       | mov                 byte ptr [ebp - 0x25c], 0
            //   51                   | push                ecx
            //   ffb5a4fdffff         | push                dword ptr [ebp - 0x25c]
            //   8d8dacfdffff         | lea                 ecx, [ebp - 0x254]

    condition:
        // Any 7 of the 10 sequences, restricted to objects under 212992 bytes (208 KiB).
        7 of them and filesize < 212992
}