rule win_doublepulsar_auto {
    // Auto-generated code-sequence rule for win.doublepulsar (YARA-Signator).
    // Each $sequence_N is an opcode run lifted from disassembly; the trailing
    // disassembly listing under every string is informational only and is not
    // part of the pattern. The condition fires when at least 7 of the 16
    // sequences are present in a file smaller than 140288 bytes.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.doublepulsar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        /* DISCLAIMER
         * The strings used in this rule have been automatically selected from the
         * disassembly of memory dumps and unpacked files, using YARA-Signator.
         * The code and documentation is published here:
         * https://github.com/fxb-cocacoding/yara-signator
         * As Malpedia is used as data source, please note that for a given
         * number of families, only single samples are documented.
         * This likely impacts the degree of generalization these rules will offer.
         * Take the described generation method also into consideration when you
         * apply the rules in your use cases and assign them confidence levels.
         */
    strings:
        // NOTE(review): the listings below were produced by a 32-bit decoder.
        // The lone 0x48/0x49 bytes shown as "dec eax"/"dec ecx" in sequences
        // 0, 2 and 4 are consistent with REX prefixes of a 64-bit build
        // (e.g. 48 894330 = mov [rbx+0x30], rax); the byte patterns themselves
        // are unaffected, only the annotation is -- confirm against the sample.

        // n = 7, score = 100
        //   33c0      xor eax, eax
        //   48        dec eax
        //   894330    mov dword ptr [ebx + 0x30], eax
        //   49        dec ecx
        //   3bc0      cmp eax, eax
        //   7504      jne 6
        //   33c0      xor eax, eax
        $sequence_0 = { 33c0 48 894330 49 3bc0 7504 33c0 }

        // n = 7, score = 100
        //   3bc7             cmp eax, edi
        //   750a             jne 0xc
        //   c74620e0d24000   mov dword ptr [esi + 0x20], 0x40d2e0
        //   897e28           mov dword ptr [esi + 0x28], edi
        //   397e24           cmp dword ptr [esi + 0x24], edi
        //   7507             jne 9
        //   c7462400d34000   mov dword ptr [esi + 0x24], 0x40d300
        $sequence_1 = { 3bc7 750a c74620e0d24000 897e28 397e24 7507 c7462400d34000 }

        // n = 4, score = 100
        //   48        dec eax
        //   31ff      xor edi, edi
        //   8b3e      mov edi, dword ptr [esi]
        //   48        dec eax
        $sequence_2 = { 48 31ff 8b3e 48 }

        // n = 7, score = 100
        //   740f      je 0x11
        //   8b4db8    mov ecx, dword ptr [ebp - 0x48]
        //   85c9      test ecx, ecx
        //   7407      je 9
        //   8b4db0    mov ecx, dword ptr [ebp - 0x50]
        //   85c9      test ecx, ecx
        //   7401      je 3
        $sequence_3 = { 740f 8b4db8 85c9 7407 8b4db0 85c9 7401 }

        // n = 6, score = 100
        //   48        dec eax
        //   634802    arpl word ptr [eax + 2], cx
        //   48        dec eax
        //   8d540107  lea edx, [ecx + eax + 7]
        //   31c0      xor eax, eax
        //   8a02      mov al, byte ptr [edx]
        $sequence_4 = { 48 634802 48 8d540107 31c0 8a02 }

        // n = 7, score = 100
        //   8b542428    mov edx, dword ptr [esp + 0x28]
        //   8b4a12      mov ecx, dword ptr [edx + 0x12]
        //   8bc1        mov eax, ecx
        //   8bd9        mov ebx, ecx
        //   c1eb10      shr ebx, 0x10
        //   250000ff00  and eax, 0xff0000
        //   0bc3        or eax, ebx
        $sequence_5 = { 8b542428 8b4a12 8bc1 8bd9 c1eb10 250000ff00 0bc3 }

        // n = 5, score = 100  (wildcards mask a push imm32 and a call rel32)
        //   50          push eax
        //   68????????  push <imm32>
        //   e8????????  call <rel32>
        //   8b442418    mov eax, dword ptr [esp + 0x18]
        //   6a00        push 0
        $sequence_6 = { 50 68???????? e8???????? 8b442418 6a00 }

        // n = 6, score = 100  (wildcard masks a call rel32)
        //   51              push ecx
        //   89742418        mov dword ptr [esp + 0x18], esi
        //   89742424        mov dword ptr [esp + 0x24], esi
        //   e8????????      call <rel32>
        //   8b542418        mov edx, dword ptr [esp + 0x18]
        //   8d049500000000  lea eax, [edx*4]
        $sequence_7 = { 51 89742418 89742424 e8???????? 8b542418 8d049500000000 }

        // n = 6, score = 100  (wildcard masks a call rel32)
        //   8b0e        mov ecx, dword ptr [esi]
        //   8b11        mov edx, dword ptr [ecx]
        //   52          push edx
        //   50          push eax
        //   e8????????  call <rel32>
        //   83c408      add esp, 8
        $sequence_8 = { 8b0e 8b11 52 50 e8???????? 83c408 }

        // n = 4, score = 100
        //   8b8c2434080000  mov ecx, dword ptr [esp + 0x834]
        //   5d              pop ebp
        //   33c0            xor eax, eax
        //   5b              pop ebx
        $sequence_9 = { 8b8c2434080000 5d 33c0 5b }

        // n = 6, score = 100  (inlined strlen idiom followed by a fixed store)
        //   f2ae                    repne scasb al, byte ptr es:[edi]
        //   f7d1                    not ecx
        //   2bf9                    sub edi, ecx
        //   c7842460020000c9000000  mov dword ptr [esp + 0x260], 0xc9
        //   8bc1                    mov eax, ecx
        //   8bf7                    mov esi, edi
        $sequence_10 = { f2ae f7d1 2bf9 c7842460020000c9000000 8bc1 8bf7 }

        // n = 5, score = 100
        //   83c41c    add esp, 0x1c
        //   894c2464  mov dword ptr [esp + 0x64], ecx
        //   895c2468  mov dword ptr [esp + 0x68], ebx
        //   df6c2464  fild qword ptr [esp + 0x64]
        //   8d442448  lea eax, [esp + 0x48]
        $sequence_11 = { 83c41c 894c2464 895c2468 df6c2464 8d442448 }

        // n = 5, score = 100
        //   5b        pop ebx
        //   83c468    add esp, 0x68
        //   c3        ret
        //   8b4610    mov eax, dword ptr [esi + 0x10]
        //   3bc5      cmp eax, ebp
        $sequence_12 = { 5b 83c468 c3 8b4610 3bc5 }

        // n = 6, score = 100  (wildcard masks a call rel32)
        //   55              push ebp
        //   e8????????      call <rel32>
        //   8bb4246c020000  mov esi, dword ptr [esp + 0x26c]
        //   89442424        mov dword ptr [esp + 0x24], eax
        //   83c410          add esp, 0x10
        //   b903010000      mov ecx, 0x103
        $sequence_13 = { 55 e8???????? 8bb4246c020000 89442424 83c410 b903010000 }

        // n = 6, score = 100
        //   894c2438        mov dword ptr [esp + 0x38], ecx
        //   0f82aefdffff    jb 0xfffffdb4
        //   eb28            jmp 0x2a
        //   8b4c2454        mov ecx, dword ptr [esp + 0x54]
        //   c7411824204000  mov dword ptr [ecx + 0x18], 0x402024
        //   c7031b000000    mov dword ptr [ebx], 0x1b
        $sequence_14 = { 894c2438 0f82aefdffff eb28 8b4c2454 c7411824204000 c7031b000000 }

        // n = 6, score = 100
        //   85c0          test eax, eax
        //   0f8588fdffff  jne 0xfffffd8e
        //   8b442410      mov eax, dword ptr [esp + 0x10]
        //   50            push eax
        //   ffd3          call ebx
        //   50            push eax
        $sequence_15 = { 85c0 0f8588fdffff 8b442410 50 ffd3 50 }

    condition:
        // Size bound keeps the rule cheap on large files; 7 of 16 sequences
        // is the generator's chosen threshold, not a tuned value.
        7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0 (20180301 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.)
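rule win_doublepulsar_w0 {
    // Detects the DoublePulsar backdoor tooling by three operator-console
    // status strings ("[+]"/"[.]"/"[-]" prefixed messages). Any one string
    // is sufficient, so each string must be specific on its own.
    meta:
        author = "Florian Roth"
        // The description carried over from the original rule referred to an
        // APT28 / SOURFACE downloader, which does not match the strings below
        // (DoublePulsar ping response and DLL-injection messages); corrected
        // to describe what this rule actually matches on.
        description = "Detects DoublePulsar (win.doublepulsar) by its operator-console status strings"
        // NOTE(review): this reference is the APT28 report that accompanied
        // the original description; it does not document DoublePulsar. Kept
        // because no replacement is given here -- confirm the intended source.
        reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // fullword so these only match as standalone tokens; the "%s"/"%08X"
        // are literal format specifiers from the binary, not YARA wildcards.
        $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
        $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
        $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
    condition:
        // Single-string match: acceptable because each string is a long,
        // distinctive message, but note it will also fire on reports, logs or
        // tooling that quote these messages verbatim.
        1 of them
}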