win.confucius

Confucius


There is no description at this point.

References
2021-01-12 · Uptycs · Abhijit Mohanta, Ashwin Vamshi
@online{mohanta:20210112:confucius:865bcc8, author = {Abhijit Mohanta and Ashwin Vamshi}, title = {{Confucius APT deploys Warzone RAT}}, date = {2021-01-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat}, language = {English}, urldate = {2021-01-13} } Confucius APT deploys Warzone RAT
Ave Maria Confucius
2017-11-02 · Palo Alto Networks Unit 42 · Jacob Soo, Josh Grunzweig
@online{soo:20171102:recent:af4616a, author = {Jacob Soo and Josh Grunzweig}, title = {{Recent InPage Exploits Lead to Multiple Malware Families}}, date = {2017-11-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/}, language = {English}, urldate = {2019-12-20} } Recent InPage Exploits Lead to Multiple Malware Families
Confucius
2016-09-28 · Palo Alto Networks Unit 42 · Tom Lancaster, Micah Yates
@online{lancaster:20160928:confucius:24e8de3, author = {Tom Lancaster and Micah Yates}, title = {{Confucius Says…Malware Families Get Further By Abusing Legitimate Websites}}, date = {2016-09-28}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/}, language = {English}, urldate = {2019-12-20} } Confucius Says…Malware Families Get Further By Abusing Legitimate Websites
Confucius SNEEPY
Yara Rules
[TLP:WHITE] win_confucius_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_confucius_auto {

    // Auto-generated detection rule for the Malpedia family win.confucius.
    // The 16 $sequence_* strings below are short x86 opcode sequences that
    // YARA-Signator selected from the disassembly of unpacked samples and
    // memory dumps (see the DISCLAIMER further down). Each hex string is
    // followed by a comment listing the instructions it encodes, one per
    // line, so a reviewer can judge how generic or specific a sequence is.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // In the hex strings, `??` is a YARA wildcard byte. In this rule every
    // `??` run coincides with an instruction whose disassembly column was
    // left blank by the generator (e.g. `e8????????`, `ff15????????`,
    // `a1????????`), i.e. operands such as call/jmp displacements and
    // absolute data references that vary between builds and load
    // addresses. The "n = X" comment on each string is the number of
    // instructions in that sequence; "score" is the generator's own ranking
    // value and is not explained on this page.
    strings:
        $sequence_0 = { 33d2 2b4508 f7750c ebe5 53 56 }
            // n = 6, score = 100
            //   33d2                 | xor                 edx, edx
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]
            //   f7750c               | div                 dword ptr [ebp + 0xc]
            //   ebe5                 | jmp                 0xffffffe7
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_1 = { 395d10 7409 ff7510 ff15???????? 385d0f 0f8493fcffff 6882000000 }
            // n = 7, score = 100
            //   395d10               | cmp                 dword ptr [ebp + 0x10], ebx
            //   7409                 | je                  0xb
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff15????????         |                     
            //   385d0f               | cmp                 byte ptr [ebp + 0xf], bl
            //   0f8493fcffff         | je                  0xfffffc99
            //   6882000000           | push                0x82

        $sequence_2 = { e8???????? 0fb7c0 8945fc 8d460a 50 e8???????? 837dfc01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb7c0               | movzx               eax, ax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d460a               | lea                 eax, [esi + 0xa]
            //   50                   | push                eax
            //   e8????????           |                     
            //   837dfc01             | cmp                 dword ptr [ebp - 4], 1

        $sequence_3 = { 59 59 85db 7506 43 eb03 8b5d70 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85db                 | test                ebx, ebx
            //   7506                 | jne                 8
            //   43                   | inc                 ebx
            //   eb03                 | jmp                 5
            //   8b5d70               | mov                 ebx, dword ptr [ebp + 0x70]

        $sequence_4 = { 6a00 83c038 50 e8???????? a1???????? 8d4838 51 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   83c038               | add                 eax, 0x38
            //   50                   | push                eax
            //   e8????????           |                     
            //   a1????????           |                     
            //   8d4838               | lea                 ecx, [eax + 0x38]
            //   51                   | push                ecx

        $sequence_5 = { 51 895d00 e8???????? 8d540601 83c408 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   895d00               | mov                 dword ptr [ebp], ebx
            //   e8????????           |                     
            //   8d540601             | lea                 edx, [esi + eax + 1]
            //   83c408               | add                 esp, 8

        $sequence_6 = { ebc6 57 e8???????? 83c404 8bf0 8bc6 5f }
            // n = 7, score = 100
            //   ebc6                 | jmp                 0xffffffc8
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bf0                 | mov                 esi, eax
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi

        $sequence_7 = { 84c0 0f84a8030000 8b85d0010000 85c0 743b 8b9564850000 }
            // n = 6, score = 100
            //   84c0                 | test                al, al
            //   0f84a8030000         | je                  0x3ae
            //   8b85d0010000         | mov                 eax, dword ptr [ebp + 0x1d0]
            //   85c0                 | test                eax, eax
            //   743b                 | je                  0x3d
            //   8b9564850000         | mov                 edx, dword ptr [ebp + 0x8564]

        $sequence_8 = { 0f82effdffff 8b442418 c6451000 5f 5e }
            // n = 5, score = 100
            //   0f82effdffff         | jb                  0xfffffdf5
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   c6451000             | mov                 byte ptr [ebp + 0x10], 0
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_9 = { 84c0 898e04010000 744b 8a8654030000 84c0 7410 }
            // n = 6, score = 100
            //   84c0                 | test                al, al
            //   898e04010000         | mov                 dword ptr [esi + 0x104], ecx
            //   744b                 | je                  0x4d
            //   8a8654030000         | mov                 al, byte ptr [esi + 0x354]
            //   84c0                 | test                al, al
            //   7410                 | je                  0x12

        $sequence_10 = { 837c242000 0f8550ffffff 837c241800 8b6c2414 0f8487fcffff }
            // n = 5, score = 100
            //   837c242000           | cmp                 dword ptr [esp + 0x20], 0
            //   0f8550ffffff         | jne                 0xffffff56
            //   837c241800           | cmp                 dword ptr [esp + 0x18], 0
            //   8b6c2414             | mov                 ebp, dword ptr [esp + 0x14]
            //   0f8487fcffff         | je                  0xfffffc8d

        $sequence_11 = { 0f84dc010000 8b8c244c080000 8b39 85ff 0f84e9010000 8b5718 8b5f0c }
            // n = 7, score = 100
            //   0f84dc010000         | je                  0x1e2
            //   8b8c244c080000       | mov                 ecx, dword ptr [esp + 0x84c]
            //   8b39                 | mov                 edi, dword ptr [ecx]
            //   85ff                 | test                edi, edi
            //   0f84e9010000         | je                  0x1ef
            //   8b5718               | mov                 edx, dword ptr [edi + 0x18]
            //   8b5f0c               | mov                 ebx, dword ptr [edi + 0xc]

        $sequence_12 = { 6a00 8d8528a7ffff 50 8d8dc8bbffff e8???????? }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   8d8528a7ffff         | lea                 eax, [ebp - 0x58d8]
            //   50                   | push                eax
            //   8d8dc8bbffff         | lea                 ecx, [ebp - 0x4438]
            //   e8????????           |                     

        $sequence_13 = { 8325????????00 2bce 1b3d???????? 890d???????? }
            // n = 4, score = 100
            //   8325????????00       |                     
            //   2bce                 | sub                 ecx, esi
            //   1b3d????????         |                     
            //   890d????????         |                     

        $sequence_14 = { 55 e8???????? 83c418 85c0 7506 397c2418 741a }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   397c2418             | cmp                 dword ptr [esp + 0x18], edi
            //   741a                 | je                  0x1c

        $sequence_15 = { e8???????? 84c0 7571 eb15 3ac3 7411 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7571                 | jne                 0x73
            //   eb15                 | jmp                 0x17
            //   3ac3                 | cmp                 al, bl
            //   7411                 | je                  0x13

    // Fires when at least 7 of the 16 sequences are found and the scanned
    // object is smaller than 598016 bytes (584 KiB). Because the sequences
    // were taken from memory dumps and unpacked files (per the DISCLAIMER),
    // packed on-disk samples may not match — confirm against your own
    // corpus before relying on this rule for alerting.
    condition:
        7 of them and filesize < 598016
}