win.electric_powder

ElectricPowder


There is no description at this point.

References
2017-03-14 — ClearSky (ClearSky Research Team)
Operation Electric Powder – Who is targeting Israel Electric Company?
ElectricPowder
Yara Rules
[TLP:WHITE] win_electric_powder_auto (20230808 | Detects win.electric_powder.)
rule win_electric_powder_auto {

    /* Purpose: family signature for win.electric_powder (ElectricPowder),
     * generated by yara-signator from the disassembly of Malpedia samples
     * (see the DISCLAIMER below for how the strings were chosen).
     * Each $sequence_N is a run of x86 instruction bytes; the indented "//"
     * lines under it show the decoded instructions for that byte string and
     * are comments only — the hex inside the braces is what is matched.
     * "??" bytes are wildcards, used where the bytes are presumably position-
     * or build-dependent (e.g. the rel32 of a `call` in "e8 ????????", or an
     * absolute address in a disp32); those instructions carry no disassembly
     * in the annotations.
     */

    meta:
        // Provenance and licensing metadata (CC BY-SA 4.0, TLP:WHITE);
        // malpedia_reference points at the family page this rule covers.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.electric_powder."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten byte sequences (4–7 instructions each); the "n = …, score = …"
        // annotation records the instruction count and the generator's score.
        $sequence_0 = { 3b4e08 0f8324010000 8b4604 c704c810000000 8b4608 83e801 8945fc }
            // n = 7, score = 100
            //   3b4e08               | cmp                 ecx, dword ptr [esi + 8]
            //   0f8324010000         | jae                 0x12a
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   c704c810000000       | mov                 dword ptr [eax + ecx*8], 0x10
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83e801               | sub                 eax, 1
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_1 = { 03c0 660f289800904300 660f2835???????? 660f59cf 660f58d1 660f70caee f20f59d7 }
            // n = 7, score = 100
            //   03c0                 | add                 eax, eax
            //   660f289800904300     | movapd              xmm3, xmmword ptr [eax + 0x439000]
            //   660f2835????????     |                     
            //   660f59cf             | mulpd               xmm1, xmm7
            //   660f58d1             | addpd               xmm2, xmm1
            //   660f70caee           | pshufd              xmm1, xmm2, 0xee
            //   f20f59d7             | mulsd               xmm2, xmm7

        $sequence_2 = { 8d8d20fdffff c78530fdffff00000000 c78534fdffff0f000000 c68520fdffff00 e8???????? c745fc00000000 8d8d20fdffff }
            // n = 7, score = 100
            //   8d8d20fdffff         | lea                 ecx, [ebp - 0x2e0]
            //   c78530fdffff00000000     | mov    dword ptr [ebp - 0x2d0], 0
            //   c78534fdffff0f000000     | mov    dword ptr [ebp - 0x2cc], 0xf
            //   c68520fdffff00       | mov                 byte ptr [ebp - 0x2e0], 0
            //   e8????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8d8d20fdffff         | lea                 ecx, [ebp - 0x2e0]

        $sequence_3 = { 7202 8b39 8b4110 85c0 7449 48 83ceff }
            // n = 7, score = 100
            //   7202                 | jb                  4
            //   8b39                 | mov                 edi, dword ptr [ecx]
            //   8b4110               | mov                 eax, dword ptr [ecx + 0x10]
            //   85c0                 | test                eax, eax
            //   7449                 | je                  0x4b
            //   48                   | dec                 eax
            //   83ceff               | or                  esi, 0xffffffff

        $sequence_4 = { 0f8389010000 8b5604 3bc8 0f8388010000 8b44fa04 8944ca04 }
            // n = 6, score = 100
            //   0f8389010000         | jae                 0x18f
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   3bc8                 | cmp                 ecx, eax
            //   0f8388010000         | jae                 0x18e
            //   8b44fa04             | mov                 eax, dword ptr [edx + edi*8 + 4]
            //   8944ca04             | mov                 dword ptr [edx + ecx*8 + 4], eax

        $sequence_5 = { c645fc20 51 8bd0 8d8d78fcffff e8???????? 83c404 68???????? }
            // n = 7, score = 100
            //   c645fc20             | mov                 byte ptr [ebp - 4], 0x20
            //   51                   | push                ecx
            //   8bd0                 | mov                 edx, eax
            //   8d8d78fcffff         | lea                 ecx, [ebp - 0x388]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   68????????           |                     

        $sequence_6 = { 50 51 8d8d68faffff e8???????? 83bd7cfaffff08 8d8568faffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d8d68faffff         | lea                 ecx, [ebp - 0x598]
            //   e8????????           |                     
            //   83bd7cfaffff08       | cmp                 dword ptr [ebp - 0x584], 8
            //   8d8568faffff         | lea                 eax, [ebp - 0x598]

        $sequence_7 = { 7202 8b3f 83fa08 731a }
            // n = 4, score = 100
            //   7202                 | jb                  4
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   83fa08               | cmp                 edx, 8
            //   731a                 | jae                 0x1c

        $sequence_8 = { 83c404 89b518efffff 85f6 0f84be000000 8b8d40efffff 03c9 }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   89b518efffff         | mov                 dword ptr [ebp - 0x10e8], esi
            //   85f6                 | test                esi, esi
            //   0f84be000000         | je                  0xc4
            //   8b8d40efffff         | mov                 ecx, dword ptr [ebp - 0x10c0]
            //   03c9                 | add                 ecx, ecx

        $sequence_9 = { 83f8ff 773b 83f8ef 7736 8b4f04 83c010 50 }
            // n = 7, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   773b                 | ja                  0x3d
            //   83f8ef               | cmp                 eax, -0x11
            //   7736                 | ja                  0x38
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   83c010               | add                 eax, 0x10
            //   50                   | push                eax

    condition:
        // Fire when at least 7 of the 10 byte sequences are present and the
        // scanned file is smaller than 565248 bytes. The sequences were taken
        // from memory dumps and unpacked code (see DISCLAIMER), so a packed or
        // encrypted sample on disk may not match until it is unpacked. When
        // scanning process memory rather than a file, check how your YARA
        // version evaluates `filesize` — it is a file-scan variable.
        7 of them and filesize < 565248
}