SYMBOLCOMMON_NAMEaka. SYNONYMS
win.faketc (Back to overview)

FakeTC


There is no description at this point.

References
2015-07-30ESET ResearchRobert Lipovsky, Anton Cherepanov
@techreport{lipovsky:20150730:operation:bfe3508, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf}, language = {English}, urldate = {2020-02-25} } Operation Potao Express: Analysis of a cyber‑espionage toolkit
FakeTC
2015-07-30ESET ResearchRobert Lipovsky, Anton Cherepanov
@online{lipovsky:20150730:operation:3e5afee, author = {Robert Lipovsky and Anton Cherepanov}, title = {{Operation Potao Express: Analysis of a cyber‑espionage toolkit}}, date = {2015-07-30}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2015/07/30/operation-potao-express/}, language = {English}, urldate = {2019-12-20} } Operation Potao Express: Analysis of a cyber‑espionage toolkit
FakeTC
Yara Rules
[TLP:WHITE] win_faketc_auto (20230715 | Detects win.faketc.)
rule win_faketc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.faketc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c785bcfeffff01000000 8b8dbcfeffff 898dc4feffff eb1d 0fb655e4 85d2 7415 }
            // n = 7, score = 100
            //   c785bcfeffff01000000     | mov    dword ptr [ebp - 0x144], 1
            //   8b8dbcfeffff         | mov                 ecx, dword ptr [ebp - 0x144]
            //   898dc4feffff         | mov                 dword ptr [ebp - 0x13c], ecx
            //   eb1d                 | jmp                 0x1f
            //   0fb655e4             | movzx               edx, byte ptr [ebp - 0x1c]
            //   85d2                 | test                edx, edx
            //   7415                 | je                  0x17

        $sequence_1 = { c745f0ffffffff eb4d 8b5508 a1???????? 3b4264 7e09 c745ec01000000 }
            // n = 7, score = 100
            //   c745f0ffffffff       | mov                 dword ptr [ebp - 0x10], 0xffffffff
            //   eb4d                 | jmp                 0x4f
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   a1????????           |                     
            //   3b4264               | cmp                 eax, dword ptr [edx + 0x64]
            //   7e09                 | jle                 0xb
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1

        $sequence_2 = { dc0d???????? dd1c24 e8???????? 50 6800040000 8d85e8efffff 50 }
            // n = 7, score = 100
            //   dc0d????????         |                     
            //   dd1c24               | fstp                qword ptr [esp]
            //   e8????????           |                     
            //   50                   | push                eax
            //   6800040000           | push                0x400
            //   8d85e8efffff         | lea                 eax, [ebp - 0x1018]
            //   50                   | push                eax

        $sequence_3 = { c1e818 0bd0 8b442424 89542420 8bd0 c1ea08 0fb6ca }
            // n = 7, score = 100
            //   c1e818               | shr                 eax, 0x18
            //   0bd0                 | or                  edx, eax
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   89542420             | mov                 dword ptr [esp + 0x20], edx
            //   8bd0                 | mov                 edx, eax
            //   c1ea08               | shr                 edx, 8
            //   0fb6ca               | movzx               ecx, dl

        $sequence_4 = { eb04 8b6c2410 8b049de0da6300 3304ade0d66300 5f 330495e0d26300 5e }
            // n = 7, score = 100
            //   eb04                 | jmp                 6
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   8b049de0da6300       | mov                 eax, dword ptr [ebx*4 + 0x63dae0]
            //   3304ade0d66300       | xor                 eax, dword ptr [ebp*4 + 0x63d6e0]
            //   5f                   | pop                 edi
            //   330495e0d26300       | xor                 eax, dword ptr [edx*4 + 0x63d2e0]
            //   5e                   | pop                 esi

        $sequence_5 = { c68405a0fdffff03 8b8d64fdffff 83c101 898d64fdffff 8b9564fdffff 8a8568fdffff 888415a0fdffff }
            // n = 7, score = 100
            //   c68405a0fdffff03     | mov                 byte ptr [ebp + eax - 0x260], 3
            //   8b8d64fdffff         | mov                 ecx, dword ptr [ebp - 0x29c]
            //   83c101               | add                 ecx, 1
            //   898d64fdffff         | mov                 dword ptr [ebp - 0x29c], ecx
            //   8b9564fdffff         | mov                 edx, dword ptr [ebp - 0x29c]
            //   8a8568fdffff         | mov                 al, byte ptr [ebp - 0x298]
            //   888415a0fdffff       | mov                 byte ptr [ebp + edx - 0x260], al

        $sequence_6 = { e8???????? c744241000000000 ff15???????? 8bd8 e8???????? 837c243000 740e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   837c243000           | cmp                 dword ptr [esp + 0x30], 0
            //   740e                 | je                  0x10

        $sequence_7 = { e8???????? 8b5c2428 395c2424 7605 e8???????? 8b442418 8bf8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b5c2428             | mov                 ebx, dword ptr [esp + 0x28]
            //   395c2424             | cmp                 dword ptr [esp + 0x24], ebx
            //   7605                 | jbe                 7
            //   e8????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8bf8                 | mov                 edi, eax

        $sequence_8 = { ffd0 c644242800 57 8b3d???????? 8bd8 ffd7 85db }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   c644242800           | mov                 byte ptr [esp + 0x28], 0
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   ffd7                 | call                edi
            //   85db                 | test                ebx, ebx

        $sequence_9 = { e8???????? 83c408 85c0 7473 8b4df0 8b91a8020000 8b45f0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7473                 | je                  0x75
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b91a8020000         | mov                 edx, dword ptr [ecx + 0x2a8]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

    condition:
        7 of them and filesize < 6864896
}
Download all Yara Rules