win.cryptic_convo

CrypticConvo

Actor(s): Scarlet Mimic


CrypticConvo is a dropper trojan that appears to be embedded in an automatic generator framework used to deliver the FakeM trojan. According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be part of a meta framework used by the "Scarlet Mimic" threat actor to quickly evade AV systems.

References
2016-01-24 — Palo Alto Networks Unit 42 — Robert Falcone, Jen Miller-Osborn
@online{falcone:20160124:scarlet:c5ef791, author = {Robert Falcone and Jen Miller-Osborn}, title = {{Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists}}, date = {2016-01-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/}, language = {English}, urldate = {2020-01-08} } Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
CrypticConvo Scarlet Mimic
Yara Rules
[TLP:WHITE] win_cryptic_convo_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_cryptic_convo_auto {
    // Purpose: flag CrypticConvo, the dropper attributed to the Scarlet Mimic
    // actor (see malpedia_reference below). Matching is purely code-based:
    // ten short x86 instruction sequences, any seven of which must be present
    // in a scanned object smaller than 97280 bytes (95 KiB).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Operand bytes written as ?? are wildcards: the generator masks absolute
     * addresses and immediates (e.g. 803d????????01 = cmp byte ptr [addr], 1;
     * be???????? = mov esi, imm32; ff15???????? = call dword ptr [addr]) so a
     * sequence still matches after relocation or a rebuild. Where an
     * instruction's operand is fully masked, the disassembly column in the
     * per-sequence comments below is left blank.
     */

    strings:
        $sequence_0 = { 803d????????01 7412 803d????????01 7512 }
            // n = 4, score = 100
            //   803d????????01       |                     
            //   7412                 | je                  0x14
            //   803d????????01       |                     
            //   7512                 | jne                 0x14

        // NOTE(review): $sequence_1, $sequence_3, $sequence_4 and $sequence_9
        // are inlined memory-copy idioms (lea edi / movsd / movsw / movsb).
        // Fragments of this shape are commonly emitted by compilers and may be
        // weak discriminators on their own — confirm the false-positive rate
        // before assigning confidence to hits driven mainly by these four.
        $sequence_1 = { be???????? 8dbd70ffffff a5 a4 8dbd70ffffff 59 4f }
            // n = 7, score = 100
            //   be????????           |                     
            //   8dbd70ffffff         | lea                 edi, [ebp - 0x90]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8dbd70ffffff         | lea                 edi, [ebp - 0x90]
            //   59                   | pop                 ecx
            //   4f                   | dec                 edi

        $sequence_2 = { 8b4588 8b08 50 ff5108 ff15???????? 33c0 85f6 }
            // n = 7, score = 100
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   ff5108               | call                dword ptr [ecx + 8]
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi

        $sequence_3 = { 8dbdf8feffff a5 66a5 8d85f8feffff 50 a4 }
            // n = 6, score = 100
            //   8dbdf8feffff         | lea                 edi, [ebp - 0x108]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]

        $sequence_4 = { 57 be???????? 8dbdf8feffff a5 66a5 }
            // n = 5, score = 100
            //   57                   | push                edi
            //   be????????           |                     
            //   8dbdf8feffff         | lea                 edi, [ebp - 0x108]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]

        $sequence_5 = { 4f 8a4701 47 84c0 75f8 803d????????01 }
            // n = 6, score = 100
            //   4f                   | dec                 edi
            //   8a4701               | mov                 al, byte ptr [edi + 1]
            //   47                   | inc                 edi
            //   84c0                 | test                al, al
            //   75f8                 | jne                 0xfffffffa
            //   803d????????01       |                     

        $sequence_6 = { 51 51 83b98c00000000 745f 8b8188000000 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   83b98c00000000       | cmp                 dword ptr [ecx + 0x8c], 0
            //   745f                 | je                  0x61
            //   8b8188000000         | mov                 eax, dword ptr [ecx + 0x88]

        $sequence_7 = { 6a01 8d558c 52 50 ff5118 }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   8d558c               | lea                 edx, [ebp - 0x74]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff5118               | call                dword ptr [ecx + 0x18]

        $sequence_8 = { 52 8d85dc010000 50 52 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   8d85dc010000         | lea                 eax, [ebp + 0x1dc]
            //   50                   | push                eax
            //   52                   | push                edx

        $sequence_9 = { 66a5 8d7dd4 4f 8a4701 }
            // n = 4, score = 100
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   8d7dd4               | lea                 edi, [ebp - 0x2c]
            //   4f                   | dec                 edi
            //   8a4701               | mov                 al, byte ptr [edi + 1]

    condition:
        // Any 7 of the 10 $sequence_* strings in an object under 95 KiB.
        // The sequences were selected from unpacked files and memory dumps
        // (see the disclaimer above), so a packed on-disk sample is unlikely
        // to reach the threshold; apply the rule to unpacked files or memory
        // images.
        // NOTE(review): when scanning process memory rather than a file,
        // confirm how filesize is evaluated by the scanner in use.
        7 of them and filesize < 97280
}