rule win_doublepulsar_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.doublepulsar."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 51 68???????? 56 e8???????? 8bc6 5f }
// n = 6, score = 100
// 51 | push ecx
// 68???????? |
// 56 | push esi
// e8???????? |
// 8bc6 | mov eax, esi
// 5f | pop edi
$sequence_1 = { c744242808164000 c744242cfc154000 c7442430f4154000 c7442434e0154000 89742424 }
// n = 5, score = 100
// c744242808164000 | mov dword ptr [esp + 0x28], 0x401608
// c744242cfc154000 | mov dword ptr [esp + 0x2c], 0x4015fc
// c7442430f4154000 | mov dword ptr [esp + 0x30], 0x4015f4
// c7442434e0154000 | mov dword ptr [esp + 0x34], 0x4015e0
// 89742424 | mov dword ptr [esp + 0x24], esi
$sequence_2 = { 88442414 b940010000 33c0 8d7c2415 f3ab 8b8c2424050000 }
// n = 6, score = 100
// 88442414 | mov byte ptr [esp + 0x14], al
// b940010000 | mov ecx, 0x140
// 33c0 | xor eax, eax
// 8d7c2415 | lea edi, [esp + 0x15]
// f3ab | rep stosd dword ptr es:[edi], eax
// 8b8c2424050000 | mov ecx, dword ptr [esp + 0x524]
$sequence_3 = { 3bc8 7321 8b4b68 33d2 668b144d702b4000 }
// n = 5, score = 100
// 3bc8 | cmp ecx, eax
// 7321 | jae 0x23
// 8b4b68 | mov ecx, dword ptr [ebx + 0x68]
// 33d2 | xor edx, edx
// 668b144d702b4000 | mov dx, word ptr [ecx*2 + 0x402b70]
$sequence_4 = { 83ef08 d1ef 31c9 39f9 744d 89d3 83c308 }
// n = 7, score = 100
// 83ef08 | sub edi, 8
// d1ef | shr edi, 1
// 31c9 | xor ecx, ecx
// 39f9 | cmp ecx, edi
// 744d | je 0x4f
// 89d3 | mov ebx, edx
// 83c308 | add ebx, 8
$sequence_5 = { e8???????? 03f0 85f6 7f10 e8???????? 3d33270000 }
// n = 6, score = 100
// e8???????? |
// 03f0 | add esi, eax
// 85f6 | test esi, esi
// 7f10 | jg 0x12
// e8???????? |
// 3d33270000 | cmp eax, 0x2733
$sequence_6 = { 8a9904334000 8b6c2424 8b88bc160000 33f6 ba10000000 668b749d02 895c241c }
// n = 7, score = 100
// 8a9904334000 | mov bl, byte ptr [ecx + 0x403304]
// 8b6c2424 | mov ebp, dword ptr [esp + 0x24]
// 8b88bc160000 | mov ecx, dword ptr [eax + 0x16bc]
// 33f6 | xor esi, esi
// ba10000000 | mov edx, 0x10
// 668b749d02 | mov si, word ptr [ebp + ebx*4 + 2]
// 895c241c | mov dword ptr [esp + 0x1c], ebx
$sequence_7 = { 8d4c240c c744242801000000 e8???????? 6a5c 8d4c240c 8bf0 e8???????? }
// n = 7, score = 100
// 8d4c240c | lea ecx, [esp + 0xc]
// c744242801000000 | mov dword ptr [esp + 0x28], 1
// e8???????? |
// 6a5c | push 0x5c
// 8d4c240c | lea ecx, [esp + 0xc]
// 8bf0 | mov esi, eax
// e8???????? |
$sequence_8 = { e8???????? 68???????? 57 894630 e8???????? 8d4e34 }
// n = 6, score = 100
// e8???????? |
// 68???????? |
// 57 | push edi
// 894630 | mov dword ptr [esi + 0x30], eax
// e8???????? |
// 8d4e34 | lea ecx, [esi + 0x34]
$sequence_9 = { 754c 8b16 8b442420 6800000100 }
// n = 4, score = 100
// 754c | jne 0x4e
// 8b16 | mov edx, dword ptr [esi]
// 8b442420 | mov eax, dword ptr [esp + 0x20]
// 6800000100 | push 0x10000
$sequence_10 = { e8???????? 83c404 89463c 85c0 7414 8b5640 8b4c2414 }
// n = 7, score = 100
// e8???????? |
// 83c404 | add esp, 4
// 89463c | mov dword ptr [esi + 0x3c], eax
// 85c0 | test eax, eax
// 7414 | je 0x16
// 8b5640 | mov edx, dword ptr [esi + 0x40]
// 8b4c2414 | mov ecx, dword ptr [esp + 0x14]
$sequence_11 = { 7408 81ffc8000000 7507 8b06 3b4604 7e0c }
// n = 6, score = 100
// 7408 | je 0xa
// 81ffc8000000 | cmp edi, 0xc8
// 7507 | jne 9
// 8b06 | mov eax, dword ptr [esi]
// 3b4604 | cmp eax, dword ptr [esi + 4]
// 7e0c | jle 0xe
$sequence_12 = { 53 33c0 56 8b742420 33db 6689442415 }
// n = 6, score = 100
// 53 | push ebx
// 33c0 | xor eax, eax
// 56 | push esi
// 8b742420 | mov esi, dword ptr [esp + 0x20]
// 33db | xor ebx, ebx
// 6689442415 | mov word ptr [esp + 0x15], ax
$sequence_13 = { 8d7101 56 e8???????? 8bce 8be8 8bc1 }
// n = 6, score = 100
// 8d7101 | lea esi, [ecx + 1]
// 56 | push esi
// e8???????? |
// 8bce | mov ecx, esi
// 8be8 | mov ebp, eax
// 8bc1 | mov eax, ecx
$sequence_14 = { 89d8 8945fc e8???????? 85c0 746e }
// n = 5, score = 100
// 89d8 | mov eax, ebx
// 8945fc | mov dword ptr [ebp - 4], eax
// e8???????? |
// 85c0 | test eax, eax
// 746e | je 0x70
$sequence_15 = { e8???????? 8bf8 85ff 7518 81fb20010000 750a }
// n = 6, score = 100
// e8???????? |
// 8bf8 | mov edi, eax
// 85ff | test edi, edi
// 7518 | jne 0x1a
// 81fb20010000 | cmp ebx, 0x120
// 750a | jne 0xc
condition:
7 of them and filesize < 140288
}
[TLP:WHITE] win_doublepulsar_w0 (20180301 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server.)
rule win_doublepulsar_w0 {
meta:
author = "Florian Roth"
description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
malpedia_version = "20180301"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$x1 = "[+] Ping returned Target architecture: %s - XOR Key: 0x%08X" fullword ascii
$x2 = "[.] Sending shellcode to inject DLL" fullword ascii
$x3 = "[-] Error setting ShellcodeFile name" fullword ascii
condition:
1 of them
}