win.fakeword

FakeWord


There is no description at this point. The only linked reference is the 2014 Trend Micro KIVARS write-up below, which tags FakeWord alongside KIVARS, PLEAD, Poison RAT and Zeus; no standalone analysis of FakeWord is recorded here.

References
2014-07-02 · Trend Micro · Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
Families tagged in this reference: FakeWord, KIVARS, PLEAD, Poison RAT, Zeus
Yara Rules
[TLP:WHITE] win_fakeword_auto (20221125 | Detects win.fakeword.)
rule win_fakeword_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.fakeword."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): deployment caveats for this auto-generated rule.
     * - The byte sequences come from unpacked / dumped code (see the
     *   disclaimer above). A packed on-disk sample will most likely not
     *   match until it has been unpacked or dumped from memory.
     * - Every decoded sequence uses 32-bit registers and esp-relative stack
     *   slots, so the rule appears to be derived from a 32-bit build. Whether
     *   the 64-bit variant discussed in the Trend Micro reference is covered
     *   is not established here -- confirm against a 64-bit sample.
     * - "????????" wildcards mask 4-byte absolute address operands
     *   (call / mov / push targets) that differ between builds and relocations.
     * - The condition requires 7 of the 10 sequences AND filesize < 98304
     *   bytes (96 KiB). YARA reports filesize as undefined when scanning a
     *   running process, which makes the whole condition evaluate false, so
     *   scan dumped modules as files rather than scanning live processes.
     */

    strings:
        $sequence_0 = { 8bca 896c2414 03fd 8be9 }
            // n = 4, score = 200
            // NOTE(review): four bytes of plain register shuffling; generic on
            // its own, the 7-of-10 threshold in the condition is what carries it.
            //   8bca                 | mov                 ecx, edx
            //   896c2414             | mov                 dword ptr [esp + 0x14], ebp
            //   03fd                 | add                 edi, ebp
            //   8be9                 | mov                 ebp, ecx

        $sequence_1 = { 56 68???????? 51 ff15???????? 83c40c b801000000 5f }
            // n = 7, score = 200
            //   56                   | push                esi
            //   68????????           | push                <imm32, address masked>
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [<addr masked>]
            //   83c40c               | add                 esp, 0xc
            //   b801000000           | mov                 eax, 1
            //   5f                   | pop                 edi

        $sequence_2 = { 85c9 750b 8b480c 85c9 0f840c010000 8b700c 8b6c241c }
            // n = 7, score = 200
            //   85c9                 | test                ecx, ecx
            //   750b                 | jne                 0xd
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   85c9                 | test                ecx, ecx
            //   0f840c010000         | je                  0x112
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   8b6c241c             | mov                 ebp, dword ptr [esp + 0x1c]

        $sequence_3 = { 8b4c240c 8b442408 8b54240a 81e1ffff0000 25ffff0000 81e2ffff0000 51 }
            // n = 7, score = 200
            // Three stack arguments each truncated to 16 bits before being
            // pushed on; the unaligned [esp + 0xa] load is distinctive.
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   8b54240a             | mov                 edx, dword ptr [esp + 0xa]
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   25ffff0000           | and                 eax, 0xffff
            //   81e2ffff0000         | and                 edx, 0xffff
            //   51                   | push                ecx

        $sequence_4 = { ff15???????? 83f8ff a3???????? 7525 }
            // n = 4, score = 200
            // Import call whose result is stored to a global and compared
            // against -1 (INVALID_HANDLE_VALUE-style check); the callee and
            // the global's address are masked.
            //   ff15????????         | call                dword ptr [<addr masked>]
            //   83f8ff               | cmp                 eax, -1
            //   a3????????           | mov                 dword ptr [<addr masked>], eax
            //   7525                 | jne                 0x27

        $sequence_5 = { a1???????? 894c244c 668b0d???????? 89542450 8a15???????? }
            // n = 5, score = 200
            // Copies dword / word / byte globals onto the stack frame
            // (addresses masked); pairs structurally with $sequence_8.
            //   a1????????           | mov                 eax, dword ptr [<addr masked>]
            //   894c244c             | mov                 dword ptr [esp + 0x4c], ecx
            //   668b0d????????       | mov                 cx, word ptr [<addr masked>]
            //   89542450             | mov                 dword ptr [esp + 0x50], edx
            //   8a15????????         | mov                 dl, byte ptr [<addr masked>]

        $sequence_6 = { 57 ffd5 83f802 7e0c 57 ffd5 40 }
            // n = 7, score = 200
            // Indirect call through ebp with the same argument twice, gated on
            // the first result being greater than 2.
            //   57                   | push                edi
            //   ffd5                 | call                ebp
            //   83f802               | cmp                 eax, 2
            //   7e0c                 | jle                 0xe
            //   57                   | push                edi
            //   ffd5                 | call                ebp
            //   40                   | inc                 eax

        $sequence_7 = { 668944244c b802000000 8944246c 89442434 ff15???????? }
            // n = 5, score = 200
            //   668944244c           | mov                 word ptr [esp + 0x4c], ax
            //   b802000000           | mov                 eax, 2
            //   8944246c             | mov                 dword ptr [esp + 0x6c], eax
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   ff15????????         | call                dword ptr [<addr masked>]

        $sequence_8 = { 89442437 56 884c2423 668b0d???????? 89542424 8a15???????? 57 }
            // n = 7, score = 200
            // Same global-to-stack copy pattern as $sequence_5 with different
            // frame offsets (addresses masked).
            //   89442437             | mov                 dword ptr [esp + 0x37], eax
            //   56                   | push                esi
            //   884c2423             | mov                 byte ptr [esp + 0x23], cl
            //   668b0d????????       | mov                 cx, word ptr [<addr masked>]
            //   89542424             | mov                 dword ptr [esp + 0x24], edx
            //   8a15????????         | mov                 dl, byte ptr [<addr masked>]
            //   57                   | push                edi

        $sequence_9 = { 5f 5e 81c484000000 c3 6800000002 6a00 6a01 }
            // n = 7, score = 200
            // Function epilogue (0x84-byte frame) immediately followed by the
            // start of the next function's argument pushes.
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   81c484000000         | add                 esp, 0x84
            //   c3                   | ret                 
            //   6800000002           | push                0x2000000
            //   6a00                 | push                0
            //   6a01                 | push                1

    condition:
        // 7 of the 10 sequences plus a 96 KiB size cap. The cap is undefined
        // (and therefore false) in process-memory scans -- see the review note above.
        7 of them and filesize < 98304
}