win.cryptic_convo

CrypticConvo

Actor(s): Scarlet Mimic


CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be included in a meta framework used by the "Scarlet Mimic" threat actor to quickly evade AV systems.

References
2016-01-24Palo Alto Networks Unit 42Jen Miller-Osborn, Robert Falcone
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
CrypticConvo Scarlet Mimic
Yara Rules
[TLP:WHITE] win_cryptic_convo_auto (20230808 | Detects win.cryptic_convo.)
/*
 * Auto-generated code-pattern rule for the Malpedia family win.cryptic_convo
 * (CrypticConvo). Each $sequence_N string is a run of x86 instruction bytes
 * lifted from disassembly; "??" marks bytes the generator masked out (those
 * instructions are left blank in the listings below; presumably operands such
 * as addresses or immediates that vary between builds). The condition fires
 * when at least 7 of the 10 sequences are present in an object smaller than
 * 97280 bytes (95 KiB).
 */
rule win_cryptic_convo_auto {

    meta:
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // carry three different stamps; they appear to mark different steps of
        // the generation/publication pipeline rather than one release date.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cryptic_convo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence annotations, "n" is the number of instructions in
        // the sequence; "score" is a value assigned by the generator (its exact
        // meaning is defined by yara-signator, not by this rule).
        $sequence_0 = { 8bf8 ffd6 85ff 7515 8d45e8 68???????? }
            // n = 6, score = 100
            //   8bf8                 | mov                 edi, eax
            //   ffd6                 | call                esi
            //   85ff                 | test                edi, edi
            //   7515                 | jne                 0x17
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   68????????           |                     

        $sequence_1 = { 75f9 8dbddcfaffff 2bc2 4f 8a4f01 }
            // n = 5, score = 100
            //   75f9                 | jne                 0xfffffffb
            //   8dbddcfaffff         | lea                 edi, [ebp - 0x524]
            //   2bc2                 | sub                 eax, edx
            //   4f                   | dec                 edi
            //   8a4f01               | mov                 cl, byte ptr [edi + 1]

        $sequence_2 = { 399e88000000 7445 399e8c000000 743d 6a40 6800300000 ff7510 }
            // n = 7, score = 100
            //   399e88000000         | cmp                 dword ptr [esi + 0x88], ebx
            //   7445                 | je                  0x47
            //   399e8c000000         | cmp                 dword ptr [esi + 0x8c], ebx
            //   743d                 | je                  0x3f
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_3 = { c20400 0fb7442404 ff742408 50 e8???????? c20800 }
            // n = 6, score = 100
            //   c20400               | ret                 4
            //   0fb7442404           | movzx               eax, word ptr [esp + 4]
            //   ff742408             | push                dword ptr [esp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c20800               | ret                 8

        $sequence_4 = { 50 6a01 6a00 68???????? 57 ffd3 85c0 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax

        $sequence_5 = { a4 33c0 8a88d0474000 884c05e8 40 84c9 }
            // n = 6, score = 100
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   33c0                 | xor                 eax, eax
            //   8a88d0474000         | mov                 cl, byte ptr [eax + 0x4047d0]
            //   884c05e8             | mov                 byte ptr [ebp + eax - 0x18], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl

        $sequence_6 = { f3a4 8dbddcfaffff 4f 8a4701 47 84c0 75f8 }
            // n = 7, score = 100
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8dbddcfaffff         | lea                 edi, [ebp - 0x524]
            //   4f                   | dec                 edi
            //   8a4701               | mov                 al, byte ptr [edi + 1]
            //   47                   | inc                 edi
            //   84c0                 | test                al, al
            //   75f8                 | jne                 0xfffffffa

        $sequence_7 = { 85c0 7407 c605????????01 be???????? 8d7d98 a5 66a5 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   c605????????01       |                     
            //   be????????           |                     
            //   8d7d98               | lea                 edi, [ebp - 0x68]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]

        $sequence_8 = { 894584 ffd6 53 57 89458c ff15???????? }
            // n = 6, score = 100
            //   894584               | mov                 dword ptr [ebp - 0x7c], eax
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   57                   | push                edi
            //   89458c               | mov                 dword ptr [ebp - 0x74], eax
            //   ff15????????         |                     

        $sequence_9 = { 8d45c8 66a5 50 53 }
            // n = 4, score = 100
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   50                   | push                eax
            //   53                   | push                ebx

    condition:
        // At least 7 of the 10 byte sequences must match, and the scanned
        // object must be smaller than 97280 bytes (95 KiB). Larger artefacts
        // (e.g. whole process dumps) therefore never match, however many of
        // the sequences they contain; scan the unpacked/extracted module.
        7 of them and filesize < 97280
}