// Auto-generated (yara-signator) code-sequence rule for win.doublepulsar.
// Each $sequence_N is a short run of x86 instruction bytes lifted from the
// disassembly of a Malpedia sample. The "// n = …, score = …" line under each
// sequence gives the instruction count (n) and the generator's score for that
// sequence (the scale of the score is not documented here); the lines after it
// are the generator's disassembly of each opcode.
// "??" bytes are wildcards, so the 4-byte operands after 68 (push imm32),
// e8 (call rel32), a0/b8 (mov with imm32/abs32) and ff15 (call [abs32]) are
// not pinned to one build.
// NOTE(review): in $sequence_4 the lone 48 bytes are shown as "dec eax"; if
// the sample is 64-bit they are REX.W prefixes instead. The byte pattern
// matches either way, only the displayed disassembly would differ.
rule win_doublepulsar_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-12-06"
version = "1"
description = "Detects win.doublepulsar."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
malpedia_rule_date = "20231130"
malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
malpedia_version = "20230808"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 731b 8a44144d 8d7c244c 8844144c }
// n = 4, score = 100
// 731b | jae 0x1d
// 8a44144d | mov al, byte ptr [esp + edx + 0x4d]
// 8d7c244c | lea edi, [esp + 0x4c]
// 8844144c | mov byte ptr [esp + edx + 0x4c], al
$sequence_1 = { 8d41ff 85c0 7c10 8a1430 80fa5c 7408 }
// n = 6, score = 100
// 8d41ff | lea eax, [ecx - 1]
// 85c0 | test eax, eax
// 7c10 | jl 0x12
// 8a1430 | mov dl, byte ptr [eax + esi]
// 80fa5c | cmp dl, 0x5c
// 7408 | je 0xa
$sequence_2 = { 8bc1 8bf7 8bfa 89ac245c020000 c1e902 f3a5 8b542410 }
// n = 7, score = 100
// 8bc1 | mov eax, ecx
// 8bf7 | mov esi, edi
// 8bfa | mov edi, edx
// 89ac245c020000 | mov dword ptr [esp + 0x25c], ebp
// c1e902 | shr ecx, 2
// f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi]
// 8b542410 | mov edx, dword ptr [esp + 0x10]
$sequence_3 = { 0f8423010000 8b13 68???????? 52 ffd6 83c408 85c0 }
// n = 7, score = 100
// 0f8423010000 | je 0x129
// 8b13 | mov edx, dword ptr [ebx]
// 68???????? |
// 52 | push edx
// ffd6 | call esi
// 83c408 | add esp, 8
// 85c0 | test eax, eax
$sequence_4 = { e8???????? 48 8b4520 48 8b4878 48 }
// n = 6, score = 100
// e8???????? |
// 48 | dec eax
// 8b4520 | mov eax, dword ptr [ebp + 0x20]
// 48 | dec eax
// 8b4878 | mov ecx, dword ptr [eax + 0x78]
// 48 | dec eax
$sequence_5 = { 5b 81c4c8040000 c20800 a0???????? }
// n = 4, score = 100
// 5b | pop ebx
// 81c4c8040000 | add esp, 0x4c8
// c20800 | ret 8
// a0???????? |
$sequence_6 = { 8bc3 5f 5e 5b c3 b8???????? 83f901 }
// n = 7, score = 100
// 8bc3 | mov eax, ebx
// 5f | pop edi
// 5e | pop esi
// 5b | pop ebx
// c3 | ret
// b8???????? |
// 83f901 | cmp ecx, 1
$sequence_7 = { 83c410 85c0 740a 68???????? e9???????? 8b442408 53 }
// n = 7, score = 100
// 83c410 | add esp, 0x10
// 85c0 | test eax, eax
// 740a | je 0xc
// 68???????? |
// e9???????? |
// 8b442408 | mov eax, dword ptr [esp + 8]
// 53 | push ebx
$sequence_8 = { 53 33c0 56 8b742420 }
// n = 4, score = 100
// 53 | push ebx
// 33c0 | xor eax, eax
// 56 | push esi
// 8b742420 | mov esi, dword ptr [esp + 0x20]
$sequence_9 = { 83c151 57 51 ff5618 85c0 7404 31c0 }
// n = 7, score = 100
// 83c151 | add ecx, 0x51
// 57 | push edi
// 51 | push ecx
// ff5618 | call dword ptr [esi + 0x18]
// 85c0 | test eax, eax
// 7404 | je 6
// 31c0 | xor eax, eax
$sequence_10 = { ffd6 83c408 85c0 0f84990e0000 8b03 68???????? }
// n = 6, score = 100
// ffd6 | call esi
// 83c408 | add esp, 8
// 85c0 | test eax, eax
// 0f84990e0000 | je 0xe9f
// 8b03 | mov eax, dword ptr [ebx]
// 68???????? |
$sequence_11 = { 7414 8b5640 8b4c2414 52 51 }
// n = 5, score = 100
// 7414 | je 0x16
// 8b5640 | mov edx, dword ptr [esi + 0x40]
// 8b4c2414 | mov ecx, dword ptr [esp + 0x14]
// 52 | push edx
// 51 | push ecx
$sequence_12 = { 55 e8???????? 8bd8 85db 0f84a0000000 56 }
// n = 6, score = 100
// 55 | push ebp
// e8???????? |
// 8bd8 | mov ebx, eax
// 85db | test ebx, ebx
// 0f84a0000000 | je 0xa6
// 56 | push esi
$sequence_13 = { 33c0 bade47773f 8d4848 f3aa }
// n = 4, score = 100
// 33c0 | xor eax, eax
// bade47773f | mov edx, 0x3f7747de
// 8d4848 | lea ecx, [eax + 0x48]
// f3aa | rep stosb byte ptr es:[edi], al
$sequence_14 = { c1ea18 33c3 8b1c95f0354000 8b56fc 33c3 8b1c8df0414000 }
// n = 6, score = 100
// c1ea18 | shr edx, 0x18
// 33c3 | xor eax, ebx
// 8b1c95f0354000 | mov ebx, dword ptr [edx*4 + 0x4035f0]
// 8b56fc | mov edx, dword ptr [esi - 4]
// 33c3 | xor eax, ebx
// 8b1c8df0414000 | mov ebx, dword ptr [ecx*4 + 0x4041f0]
$sequence_15 = { 52 ff15???????? 8b4518 83c404 85c0 7517 a1???????? }
// n = 7, score = 100
// 52 | push edx
// ff15???????? |
// 8b4518 | mov eax, dword ptr [ebp + 0x18]
// 83c404 | add esp, 4
// 85c0 | test eax, eax
// 7517 | jne 0x19
// a1???????? |
condition:
// At least 7 of the 16 $sequence_* patterns must be present, and the scanned
// object must be smaller than 140288 bytes (137 KiB). Because `filesize` is
// only defined when the scan target is a file, the rule is not expected to
// fire on process-memory scans; drop or relax the size term for that use.
7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0 (20180301 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.)
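// String-based rule for win.doublepulsar. It keys on three status messages the
// tooling prints while pinging a target and injecting a DLL; any one of them
// is enough for the rule to fire (see condition).
rule win_doublepulsar_w0 {
    meta:
        author = "Florian Roth"
        // Fixed: the earlier description ("Malware from APT28 incident - SOURFACE
        // downloader") did not describe this rule; the strings below belong to
        // DoublePulsar, the family named by rule name and malpedia_reference.
        description = "Detects DoublePulsar (win.doublepulsar) by its status output strings"
        // NOTE(review): this reference is the FireEye APT28 write-up and does not
        // cover DoublePulsar; kept for provenance only, replace with a DoublePulsar
        // source when one is available.
        reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Each string is a complete log line. `fullword` requires the match to be
        // delimited by non-alphanumeric characters; `ascii` restricts it to the
        // 8-bit encoding (a UTF-16 copy of the same text would not match).
        $x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
        $x2 = "[.] Sending shellcode to inject DLL" fullword ascii
        $x3 = "[-] Error setting ShellcodeFile name" fullword ascii
    condition:
        // A single hit is sufficient; the strings are specific enough that one
        // occurrence is unlikely to be coincidental.
        1 of them
}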