SYMBOLCOMMON_NAMEaka. SYNONYMS
win.confucius (Back to overview)

Confucius

VTCollection    

There is no description at this point.

References
2022-12-28NSFOCUSFuying Laboratory
Analysis of Cyber Attacks by APT Organization Confucius Against IBO Anti-Terrorism Operations in Pakistan
Confucius Confucious
2021-08-17Trend MicroDaniel Lunghi
Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military
Chrysaor Confucius
2021-01-12UptycsAbhijit Mohanta, Ashwin Vamshi
Confucius APT deploys Warzone RAT
Ave Maria Confucius
2018-08-29Trend MicroDaniel Lunghi, Ecular Xu
Bahamut, Confucius and Patchwork Connected to Urpage
Bahamut Confucius
2017-11-02Palo Alto Networks Unit 42Jacob Soo, Josh Grunzweig
Recent InPage Exploits Lead to Multiple Malware Families
Confucius
2016-09-28Palo Alto Networks Unit 42Micah Yates, Tom Lancaster
Confucius Says…Malware Families Get Further By Abusing Legitimate Websites
Confucius SNEEPY
Yara Rules
[TLP:WHITE] win_confucius_auto (20230808 | Detects win.confucius.)
rule win_confucius_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.confucius."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b9???????? e8???????? 6a04 58 5e c3 8bc1 }
            // n = 7, score = 100
            //   b9????????           |                     
            //   e8????????           |                     
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8bc1                 | mov                 eax, ecx

        $sequence_1 = { 7404 8b0e 8908 8b442414 c70600000000 5f 5e }
            // n = 7, score = 100
            //   7404                 | je                  6
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_2 = { e8???????? 8945fc 83f8ff 7541 c786200c000002000000 385e14 7432 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83f8ff               | cmp                 eax, -1
            //   7541                 | jne                 0x43
            //   c786200c000002000000     | mov    dword ptr [esi + 0xc20], 2
            //   385e14               | cmp                 byte ptr [esi + 0x14], bl
            //   7432                 | je                  0x34

        $sequence_3 = { 0f849c000000 5f 5e 5d 5b 83c444 c3 }
            // n = 7, score = 100
            //   0f849c000000         | je                  0xa2
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   83c444               | add                 esp, 0x44
            //   c3                   | ret                 

        $sequence_4 = { 6a00 8d95a0850000 51 52 53 56 e8???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   8d95a0850000         | lea                 edx, [ebp + 0x85a0]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_5 = { 48 a3???????? 3bc1 73d5 eb19 2bc1 99 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   a3????????           |                     
            //   3bc1                 | cmp                 eax, ecx
            //   73d5                 | jae                 0xffffffd7
            //   eb19                 | jmp                 0x1b
            //   2bc1                 | sub                 eax, ecx
            //   99                   | cdq                 

        $sequence_6 = { 50 ff7510 ff15???????? 8b45cc 2b45c4 6804020000 40 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff15????????         |                     
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   2b45c4               | sub                 eax, dword ptr [ebp - 0x3c]
            //   6804020000           | push                0x204
            //   40                   | inc                 eax

        $sequence_7 = { e8???????? 85c0 7423 8b450c 3bc3 741c 663918 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   3bc3                 | cmp                 eax, ebx
            //   741c                 | je                  0x1e
            //   663918               | cmp                 word ptr [eax], bx

        $sequence_8 = { 51 8b442410 55 56 8b742414 85c0 c644240b01 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   55                   | push                ebp
            //   56                   | push                esi
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   85c0                 | test                eax, eax
            //   c644240b01           | mov                 byte ptr [esp + 0xb], 1

        $sequence_9 = { e8???????? 8b4510 894610 8b4514 894614 8d45f0 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_10 = { 83c404 84c0 743f 8b4c2414 8b5624 8b4620 51 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   84c0                 | test                al, al
            //   743f                 | je                  0x41
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b5624               | mov                 edx, dword ptr [esi + 0x24]
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   51                   | push                ecx

        $sequence_11 = { 33c9 84c0 7408 8b869c000000 eb02 33c0 51 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   84c0                 | test                al, al
            //   7408                 | je                  0xa
            //   8b869c000000         | mov                 eax, dword ptr [esi + 0x9c]
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   51                   | push                ecx

        $sequence_12 = { 7514 8b4c242a 51 ffd6 85ed 7453 83fd01 }
            // n = 7, score = 100
            //   7514                 | jne                 0x16
            //   8b4c242a             | mov                 ecx, dword ptr [esp + 0x2a]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   85ed                 | test                ebp, ebp
            //   7453                 | je                  0x55
            //   83fd01               | cmp                 ebp, 1

        $sequence_13 = { 80fa01 750d 8b8138010000 bd01000000 8903 8b96b8000000 8bc2 }
            // n = 7, score = 100
            //   80fa01               | cmp                 dl, 1
            //   750d                 | jne                 0xf
            //   8b8138010000         | mov                 eax, dword ptr [ecx + 0x138]
            //   bd01000000           | mov                 ebp, 1
            //   8903                 | mov                 dword ptr [ebx], eax
            //   8b96b8000000         | mov                 edx, dword ptr [esi + 0xb8]
            //   8bc2                 | mov                 eax, edx

        $sequence_14 = { 50 ff15???????? 0d80000000 50 6af0 ff750c }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   0d80000000           | or                  eax, 0x80
            //   50                   | push                eax
            //   6af0                 | push                -0x10
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_15 = { 50 e8???????? 83f846 7424 83f855 7413 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83f846               | cmp                 eax, 0x46
            //   7424                 | je                  0x26
            //   83f855               | cmp                 eax, 0x55
            //   7413                 | je                  0x15

    condition:
        7 of them and filesize < 598016
}
Download all Yara Rules