FakeTC (Malware Family)

FakeTC

There is no description at this point.
References

2015-07-30 ⋅ ESET Research ⋅ Robert Lipovsky, Anton Cherepanov
Operation Potao Express: Analysis of a cyber‑espionage toolkit
FakeTC
Yara Rules

[TLP:WHITE] win_faketc_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_faketc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 83c404 3bf4 e8???????? 8b45e0 c70000000000 33c9 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   3bf4                 | cmp                 esi, esp
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   33c9                 | xor                 ecx, ecx

        $sequence_1 = { ffd6 b801000000 e9???????? a1???????? 85c0 0f8e7d000000 8d78ff }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   b801000000           | mov                 eax, 1
            //   e9????????           |                     
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8e7d000000         | jle                 0x83
            //   8d78ff               | lea                 edi, [eax - 1]

        $sequence_2 = { e8???????? 83c408 85c0 752d 680b020000 68???????? 6a07 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   752d                 | jne                 0x2f
            //   680b020000           | push                0x20b
            //   68????????           |                     
            //   6a07                 | push                7

        $sequence_3 = { ffd7 680000401f 50 6851010000 53 ffd6 ba???????? }
            // n = 7, score = 100
            //   ffd7                 | call                edi
            //   680000401f           | push                0x1f400000
            //   50                   | push                eax
            //   6851010000           | push                0x151
            //   53                   | push                ebx
            //   ffd6                 | call                esi
            //   ba????????           |                     

        $sequence_4 = { 8bb55cffffff 83ec1c 8bcc bb02000000 897914 8bc6 c741180f000000 }
            // n = 7, score = 100
            //   8bb55cffffff         | mov                 esi, dword ptr [ebp - 0xa4]
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   bb02000000           | mov                 ebx, 2
            //   897914               | mov                 dword ptr [ecx + 0x14], edi
            //   8bc6                 | mov                 eax, esi
            //   c741180f000000       | mov                 dword ptr [ecx + 0x18], 0xf

        $sequence_5 = { eb05 1bc9 83d9ff 85c9 7511 3dc1ce78be 0f8586f6ffff }
            // n = 7, score = 100
            //   eb05                 | jmp                 7
            //   1bc9                 | sbb                 ecx, ecx
            //   83d9ff               | sbb                 ecx, -1
            //   85c9                 | test                ecx, ecx
            //   7511                 | jne                 0x13
            //   3dc1ce78be           | cmp                 eax, 0xbe78cec1
            //   0f8586f6ffff         | jne                 0xfffff68c

        $sequence_6 = { eb21 c745a400000000 837da400 7414 8b4db4 51 e8???????? }
            // n = 7, score = 100
            //   eb21                 | jmp                 0x23
            //   c745a400000000       | mov                 dword ptr [ebp - 0x5c], 0
            //   837da400             | cmp                 dword ptr [ebp - 0x5c], 0
            //   7414                 | je                  0x16
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { f3a5 53 6a00 b804000000 8d4c2428 8d542470 e8???????? }
            // n = 7, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   b804000000           | mov                 eax, 4
            //   8d4c2428             | lea                 ecx, [esp + 0x28]
            //   8d542470             | lea                 edx, [esp + 0x70]
            //   e8????????           |                     

        $sequence_8 = { e8???????? 8b857cffffff 80bd55ffffff00 8bf0 0f94c1 8975c4 888d55ffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b857cffffff         | mov                 eax, dword ptr [ebp - 0x84]
            //   80bd55ffffff00       | cmp                 byte ptr [ebp - 0xab], 0
            //   8bf0                 | mov                 esi, eax
            //   0f94c1               | sete                cl
            //   8975c4               | mov                 dword ptr [ebp - 0x3c], esi
            //   888d55ffffff         | mov                 byte ptr [ebp - 0xab], cl

        $sequence_9 = { a1???????? 3bc3 7511 68007f0000 53 ff15???????? a3???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   3bc3                 | cmp                 eax, ebx
            //   7511                 | jne                 0x13
            //   68007f0000           | push                0x7f00
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   a3????????           |                     

    condition:
        7 of them and filesize < 6864896
}
Download all Yara Rules
FakeTC Propose Change

References

Yara Rules

FakeTC
