Actor(s): Leviathan
There is no description at this point.
// Auto-generated code-pattern rule for win.dadstache (yara-signator v0.6.0).
// Each $sequence_N is a short run of x86 instruction bytes; the `??` wildcard
// bytes stand in for operands that signator masks (per signator_config the
// selected instruction classes are calls/jumps, data references and binary
// values), presumably absolute addresses that differ between builds — the
// generator's own disassembly listing for each sequence is reproduced below.
// NOTE(review): the disclaimer states the patterns were taken from memory dumps
// and unpacked files, so the rule is best applied to unpacked or in-memory
// content rather than packed on-disk samples — confirm against your pipeline.
rule win_dadstache_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dadstache."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Sequences 0-7 carry score = 500, sequences 8-15 score = 200; the
        // score is a generator-side ranking only and is not used by the
        // condition below (each sequence counts equally toward "7 of them").
        $sequence_0 = { 8d442414 50 6a1f ff35???????? }
            // n = 4, score = 500
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   50                   | push                eax
            //   6a1f                 | push                0x1f
            //   ff35????????         |

        $sequence_1 = { 8b470c 8bf9 31460c 0f1006 c7450c09000000 0f1145e8 }
            // n = 6, score = 500
            //   8b470c               | mov                 eax, dword ptr [edi + 0xc]
            //   8bf9                 | mov                 edi, ecx
            //   31460c               | xor                 dword ptr [esi + 0xc], eax
            //   0f1006               | movups              xmm0, xmmword ptr [esi]
            //   c7450c09000000       | mov                 dword ptr [ebp + 0xc], 9
            //   0f1145e8             | movups              xmmword ptr [ebp - 0x18], xmm0

        $sequence_2 = { 85c0 7550 8b0d???????? 8b35???????? 85c9 7403 }
            // n = 6, score = 500
            //   85c0                 | test                eax, eax
            //   7550                 | jne                 0x52
            //   8b0d????????         |
            //   8b35????????         |
            //   85c9                 | test                ecx, ecx
            //   7403                 | je                  5

        $sequence_3 = { 53 8d4d08 895d08 51 53 50 53 }
            // n = 7, score = 500
            //   53                   | push                ebx
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_4 = { 837c242c10 8d442418 51 0f4344241c }
            // n = 4, score = 500
            //   837c242c10           | cmp                 dword ptr [esp + 0x2c], 0x10
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   51                   | push                ecx
            //   0f4344241c           | cmovae              eax, dword ptr [esp + 0x1c]

        $sequence_5 = { 8d5201 8842ff 83e901 75f2 8bd3 c1ea04 }
            // n = 6, score = 500
            //   8d5201               | lea                 edx, [edx + 1]
            //   8842ff               | mov                 byte ptr [edx - 1], al
            //   83e901               | sub                 ecx, 1
            //   75f2                 | jne                 0xfffffff4
            //   8bd3                 | mov                 edx, ebx
            //   c1ea04               | shr                 edx, 4

        $sequence_6 = { 6aff 6a00 8d442438 c74424340f000000 50 }
            // n = 5, score = 500
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   8d442438             | lea                 eax, [esp + 0x38]
            //   c74424340f000000     | mov                 dword ptr [esp + 0x34], 0xf
            //   50                   | push                eax

        $sequence_7 = { 6a1f ff35???????? ff15???????? a1???????? }
            // n = 4, score = 500
            //   6a1f                 | push                0x1f
            //   ff35????????         |
            //   ff15????????         |
            //   a1????????           |

        $sequence_8 = { 741b 8b45f0 47 83c628 3bf8 }
            // n = 5, score = 200
            //   741b                 | je                  0x1d
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   47                   | inc                 edi
            //   83c628               | add                 esi, 0x28
            //   3bf8                 | cmp                 edi, eax

        $sequence_9 = { 7405 8b4718 8901 8b731c 57 }
            // n = 5, score = 200
            //   7405                 | je                  7
            //   8b4718               | mov                 eax, dword ptr [edi + 0x18]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b731c               | mov                 esi, dword ptr [ebx + 0x1c]
            //   57                   | push                edi

        $sequence_10 = { 42 83c628 8955f0 3b55e4 0f8c66ffffff }
            // n = 5, score = 200
            //   42                   | inc                 edx
            //   83c628               | add                 esi, 0x28
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   3b55e4               | cmp                 edx, dword ptr [ebp - 0x1c]
            //   0f8c66ffffff         | jl                  0xffffff6c

        $sequence_11 = { 7325 8b7c240c 4a 03d7 8d4fff }
            // n = 5, score = 200
            //   7325                 | jae                 0x27
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   4a                   | dec                 edx
            //   03d7                 | add                 edx, edi
            //   8d4fff               | lea                 ecx, [edi - 1]

        $sequence_12 = { 8b4485b0 85d2 8b56f8 7405 0d00020000 8d5de4 53 }
            // n = 7, score = 200
            //   8b4485b0             | mov                 eax, dword ptr [ebp + eax*4 - 0x50]
            //   85d2                 | test                edx, edx
            //   8b56f8               | mov                 edx, dword ptr [esi - 8]
            //   7405                 | je                  7
            //   0d00020000           | or                  eax, 0x200
            //   8d5de4               | lea                 ebx, [ebp - 0x1c]
            //   53                   | push                ebx

        $sequence_13 = { e8???????? 85c0 741d 8bce e8???????? 8bce }
            // n = 6, score = 200
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   741d                 | je                  0x1f
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |
            //   8bce                 | mov                 ecx, esi

        $sequence_14 = { c3 8b4e04 8d4604 8945fc 8b06 }
            // n = 5, score = 200
            //   c3                   | ret
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8d4604               | lea                 eax, [esi + 4]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_15 = { 84c9 740e 3aca 74ef 0fb6c2 0fb6c9 }
            // n = 6, score = 200
            //   84c9                 | test                cl, cl
            //   740e                 | je                  0x10
            //   3aca                 | cmp                 cl, dl
            //   74ef                 | je                  0xfffffff1
            //   0fb6c2               | movzx               eax, dl
            //   0fb6c9               | movzx               ecx, cl

    condition:
        // At least 7 of the 16 sequences must be present, and the scanned
        // object must be smaller than 580608 bytes; the size cap is an
        // upper bound only, so larger dumps or containers are never matched.
        7 of them and filesize < 580608
}
// String-based rule for win.dadstache, credited to Elastic Security and
// described in its source as an APT40 second-stage implant. Every string must
// be present for the rule to fire (no filesize bound is applied).
rule win_dadstache_w0 {
    meta:
        author = "Elastic Security"
        description = "APT40 second stage implant"
        source = "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache"
        malpedia_version = "20200626"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // UTF-16 path-like strings (presumably request URIs — the rule itself
        // does not say, confirm against the cited source).
        $a = "/list_direction" fullword wide
        $b = "/post_document" fullword wide
        $c = "/postlogin" fullword wide

        // ASCII format strings; `%s` is part of the literal, not a wildcard.
        $d = "Download Read Path Failed %s" fullword ascii
        $e = "Open Pipe Failed %s" fullword ascii
        $f = "Open Remote File %s Failed For: %s" fullword ascii
        // NOTE(review): $g is byte-identical to $d, so under "all of them" it
        // can never succeed or fail independently and adds no selectivity.
        $g = "Download Read Path Failed %s" fullword ascii

        // Escaped backslash: matches the UTF-16 text `\cmd.exe` as a whole word.
        $h = "\\cmd.exe" fullword wide

    condition:
        all of them
}