win.elirks

Elirks


Elirks is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. Most attacks using Elirks have occurred in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS: attackers create accounts on those services and post encoded IP addresses or the domain names of the real C2 servers in advance of distributing the backdoor. Multiple Elirks variants have used Japanese blog services over the last couple of years.

References
2016-09-15Palo Alto Networks Unit 42Kaoru Hayashi
MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies
Elirks Logedrut Micrass
2016-06-23Palo Alto Networks Unit 42Kaoru Hayashi
Tracking Elirks Variants in Japan: Similarities to Previous Attacks
Elirks
Yara Rules
[TLP:WHITE] win_elirks_auto (20260504 | Detects win.elirks.)
rule win_elirks_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.elirks."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read this rule
     * Each $sequence_N is a run of x86 (32-bit) instruction bytes taken from
     * the Elirks sample(s) this rule was generated from. Only the hex bytes
     * inside { } are matched; the disassembly listed under each string is a
     * human-readable annotation and has no effect on matching.
     * "n" in the per-string comment is the number of instructions in the
     * sequence (it equals the number of annotated lines below it); "score"
     * is the generator's ranking of that sequence and is informational only.
     * Because the patterns are taken from unpacked code / memory dumps, the
     * rule is meant for scanning unpacked binaries or dumped memory; it is
     * not expected to match a packed on-disk sample.
     */


    strings:
        $sequence_0 = { 8b4c240c 8d54240c 52 8d442418 50 51 8d942424030000 }
            // n = 7, score = 100
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   52                   | push                edx
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d942424030000       | lea                 edx, [esp + 0x324]

        $sequence_1 = { 83c40c c20400 8b44241c 8b4c2410 85c9 750a }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   c20400               | ret                 4
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   85c9                 | test                ecx, ecx
            //   750a                 | jne                 0xc

        $sequence_2 = { 33dd 03c3 8bd8 c1e304 8be8 c1ed05 }
            // n = 6, score = 100
            // xor/add followed by shl 4 and shr 5 on the same value; looks like
            // an arithmetic/encoding routine, but which one is not determinable
            // from these six instructions alone.
            //   33dd                 | xor                 ebx, ebp
            //   03c3                 | add                 eax, ebx
            //   8bd8                 | mov                 ebx, eax
            //   c1e304               | shl                 ebx, 4
            //   8be8                 | mov                 ebp, eax
            //   c1ed05               | shr                 ebp, 5

        $sequence_3 = { 51 8d94248c040000 52 ff15???????? 8bd8 83fbff 895c2410 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8d94248c040000       | lea                 edx, [esp + 0x48c]
            //   52                   | push                edx
            //   ff15????????         | call dword ptr [imm32] -- the 4 operand bytes are
            //                        |   wildcarded (????????), presumably because the
            //                        |   absolute address differs between builds/loads
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx

        $sequence_4 = { 75d1 8bc6 5e 5d 5f c3 5e }
            // n = 7, score = 100
            // Function epilogue (pop esi/ebp/edi; ret) plus the first byte of the
            // next function's body; short and generic, so it contributes less
            // discriminating power than the longer sequences.
            //   75d1                 | jne                 0xffffffd3
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5f                   | pop                 edi
            //   c3                   | ret                 
            //   5e                   | pop                 esi

        $sequence_5 = { 55 6a02 55 55 6800000040 8d442468 50 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   6a02                 | push                2
            //   55                   | push                ebp
            //   55                   | push                ebp
            //   6800000040           | push                0x40000000
            //   8d442468             | lea                 eax, [esp + 0x68]
            //   50                   | push                eax

        $sequence_6 = { eb14 80f940 7506 c6042a1a }
            // n = 4, score = 100
            // Shortest sequence in the rule (4 instructions); a byte compare
            // against 0x40 ('@') and a store of 0x1a. Treat a hit on this one
            // alone as weak evidence.
            //   eb14                 | jmp                 0x16
            //   80f940               | cmp                 cl, 0x40
            //   7506                 | jne                 8
            //   c6042a1a             | mov                 byte ptr [edx + ebp], 0x1a

        $sequence_7 = { 8b542424 890a 7e19 8b4d00 80393c 740f 83c101 }
            // n = 7, score = 100
            // Scans bytes for 0x3c ('<'); consistent with parsing of fetched
            // text/markup, but that interpretation is not established by the
            // bytes themselves.
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   890a                 | mov                 dword ptr [edx], ecx
            //   7e19                 | jle                 0x1b
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   80393c               | cmp                 byte ptr [ecx], 0x3c
            //   740f                 | je                  0x11
            //   83c101               | add                 ecx, 1

        $sequence_8 = { 8d54241c 52 50 56 55 }
            // n = 5, score = 100
            // Generic argument-push preamble (5 instructions, 8 bytes); common
            // in compiler output, so it is weak on its own.
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   52                   | push                edx
            //   50                   | push                eax
            //   56                   | push                esi
            //   55                   | push                ebp

        $sequence_9 = { 56 8bf0 8b4604 33c9 898e00600000 25ffffff00 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   33c9                 | xor                 ecx, ecx
            //   898e00600000         | mov                 dword ptr [esi + 0x6000], ecx
            //   25ffffff00           | and                 eax, 0xffffff

    condition:
        // At least 7 of the 10 sequences above must be present, AND the scanned
        // object must be smaller than 81920 bytes (80 KiB). The size cap keeps
        // the rule from being evaluated against large files, but it also means
        // a sample that carries all ten sequences yet exceeds 80 KiB (e.g. a
        // full process dump or a repacked/bundled file) will NOT match. If you
        // scan dumps rather than files, check how your YARA version treats
        // `filesize` for that input type, or drop the size clause locally and
        // re-assess the false-positive rate.
        7 of them and filesize < 81920
}