SYMBOLCOMMON_NAMEaka. SYNONYMS
win.downeks (Back to overview)

Downeks

VTCollection     URLhaus    

There is no description at this point.

References
2020-03-03Palo Alto Networks Unit 42Alex Hinchliffe, Bryan Lee, Robert Falcone
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
Downeks JhoneRAT Molerat Loader Spark
2017-01-30Palo Alto Networks Unit 42Mashav Sapir, Netanel Rimer, Simon Conant, Taras Malivanchuk, Tomer Bar, Yaron Samuel
Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
Downeks
Yara Rules
[TLP:WHITE] win_downeks_auto (20260504 | Detects win.downeks.)
rule win_downeks_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.downeks."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c404 85c0 75aa 8b45fc 5f 5e }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   75aa                 | jne                 0xffffffac
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { 51 68d0620804 52 e8???????? 83c40c 5b 5f }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   68d0620804           | push                0x40862d0
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi

        $sequence_2 = { b8d06f0804 8a10 3a11 751a 84d2 7412 8a5001 }
            // n = 7, score = 200
            //   b8d06f0804           | mov                 eax, 0x4086fd0
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   3a11                 | cmp                 dl, byte ptr [ecx]
            //   751a                 | jne                 0x1c
            //   84d2                 | test                dl, dl
            //   7412                 | je                  0x14
            //   8a5001               | mov                 dl, byte ptr [eax + 1]

        $sequence_3 = { 52 50 68681d0804 6a06 56 e8???????? 83c414 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   68681d0804           | push                0x4081d68
            //   6a06                 | push                6
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_4 = { e8???????? 8bbd60ffffff 8b4da4 51 e8???????? 8b55a0 83c404 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bbd60ffffff         | mov                 edi, dword ptr [ebp - 0xa0]
            //   8b4da4               | mov                 ecx, dword ptr [ebp - 0x5c]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]
            //   83c404               | add                 esp, 4

        $sequence_5 = { 8b7dc0 52 8bc6 e8???????? 83c404 56 e8???????? }
            // n = 7, score = 200
            //   8b7dc0               | mov                 edi, dword ptr [ebp - 0x40]
            //   52                   | push                edx
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_6 = { 8d854cfdffff 50 e8???????? c3 8d8dd4fdffff e9???????? 8d8588fcffff }
            // n = 7, score = 200
            //   8d854cfdffff         | lea                 eax, [ebp - 0x2b4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8d8dd4fdffff         | lea                 ecx, [ebp - 0x22c]
            //   e9????????           |                     
            //   8d8588fcffff         | lea                 eax, [ebp - 0x378]

        $sequence_7 = { e8???????? 3bf3 7d49 8b45d4 8b08 8b5108 50 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   3bf3                 | cmp                 esi, ebx
            //   7d49                 | jge                 0x4b
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax

        $sequence_8 = { 8b450c ff3485c8790804 ff7508 e8???????? 83c40c 5d c3 }
            // n = 7, score = 200
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ff3485c8790804       | push                dword ptr [eax*4 + 0x40879c8]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_9 = { cc 6a0c 6890850904 e8???????? e8???????? 8365fc00 ff7058 }
            // n = 7, score = 200
            //   cc                   | int3                
            //   6a0c                 | push                0xc
            //   6890850904           | push                0x4098590
            //   e8????????           |                     
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7058               | push                dword ptr [eax + 0x58]

    condition:
        7 of them and filesize < 1318912
}
Download all Yara Rules