win.cryptic_convo

CrypticConvo

Actor(s): Scarlet Mimic


CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework used to deliver the FakeM trojan. According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be part of a meta framework used by the "Scarlet Mimic" threat actor in order to quickly evade AV systems.

References
2016-01-24 — Palo Alto Networks Unit 42 — Robert Falcone, Jen Miller-Osborn
@online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
CrypticConvo Scarlet Mimic
Yara Rules
[TLP:WHITE] win_cryptic_convo_auto (20230125 | Detects win.cryptic_convo.)
// Auto-generated YARA signature for the CrypticConvo dropper (win.cryptic_convo).
// Each $sequence_N below is a short x86 opcode sequence lifted from the analysed
// sample(s); the "// n = ..., score = ..." lines and the disassembly listings are
// generator annotations for human readers and play no part in matching.
// Per the DISCLAIMER, the sequences were taken from memory dumps and unpacked
// files, so the rule is most likely to hit unpacked code and may miss packed
// on-disk samples of the same family.
rule win_cryptic_convo_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.cryptic_convo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // `??` is a YARA wildcard byte. The generator masks the operand bytes of
        // instructions whose encoding carries an address or immediate that varies
        // between builds (the entries with a blank mnemonic column below), so
        // only the opcode part of those instructions is matched.
        $sequence_0 = { 66a5 8d7dc8 4f 8a4701 47 84c0 }
            // n = 6, score = 100
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8d7dc8               | lea                 edi, [ebp - 0x38]
            //   4f                   | dec                 edi
            //   8a4701               | mov                 al, byte ptr [edi + 1]
            //   47                   | inc                 edi
            //   84c0                 | test                al, al

        $sequence_1 = { ff15???????? 8bd0 8995f4fcffff 3bd3 0f84ce000000 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax
            //   8995f4fcffff         | mov                 dword ptr [ebp - 0x30c], edx
            //   3bd3                 | cmp                 edx, ebx
            //   0f84ce000000         | je                  0xd4

        $sequence_2 = { 399e88000000 7445 399e8c000000 743d 6a40 6800300000 ff7510 }
            // n = 7, score = 100
            //   399e88000000         | cmp                 dword ptr [esi + 0x88], ebx
            //   7445                 | je                  0x47
            //   399e8c000000         | cmp                 dword ptr [esi + 0x8c], ebx
            //   743d                 | je                  0x3f
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_3 = { a5 a5 66a5 a4 8d7dc8 }
            // n = 5, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8d7dc8               | lea                 edi, [ebp - 0x38]

        $sequence_4 = { 8b859c000000 53 56 57 be???????? }
            // n = 5, score = 100
            //   8b859c000000         | mov                 eax, dword ptr [ebp + 0x9c]
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   be????????           |                     

        $sequence_5 = { 50 ff15???????? be???????? 8dbd70ffffff a5 a4 8dbd70ffffff }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   be????????           |                     
            //   8dbd70ffffff         | lea                 edi, [ebp - 0x90]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8dbd70ffffff         | lea                 edi, [ebp - 0x90]

        $sequence_6 = { ff4d08 75de 5f 5b 8bc1 }
            // n = 5, score = 100
            //   ff4d08               | dec                 dword ptr [ebp + 8]
            //   75de                 | jne                 0xffffffe0
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   8bc1                 | mov                 eax, ecx

        $sequence_7 = { 750a 8b15???????? ff32 eb01 56 50 ff5150 }
            // n = 7, score = 100
            //   750a                 | jne                 0xc
            //   8b15????????         |                     
            //   ff32                 | push                dword ptr [edx]
            //   eb01                 | jmp                 3
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff5150               | call                dword ptr [ecx + 0x50]

        $sequence_8 = { e8???????? 83c40c 8d85b0fdffff 50 ffb5b0feffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85b0fdffff         | lea                 eax, [ebp - 0x250]
            //   50                   | push                eax
            //   ffb5b0feffff         | push                dword ptr [ebp - 0x150]

        $sequence_9 = { 33c0 40 eb11 68???????? 57 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   eb11                 | jmp                 0x13
            //   68????????           |                     
            //   57                   | push                edi

    condition:
        // Match when at least 7 of the 10 sequences are present, so the rule is
        // intended to tolerate some drift between builds rather than demand all
        // of them, and gate on size (97280 bytes = 95 KiB) to keep it from being
        // evaluated against large unrelated objects. Both thresholds were chosen
        // by the generator; if you retune them, re-test against known samples
        // and a goodware set before raising the rule's confidence level.
        7 of them and filesize < 97280
}