SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fakeword (Back to overview)

FakeWord


There is no description at this point.

References
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
Yara Rules
[TLP:WHITE] win_fakeword_auto (20211008 | Detects win.fakeword.)
rule win_fakeword_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.fakeword."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 41 83f912 72ee 3bca 760a 8bd1 8b4c2430 }
            // n = 7, score = 200
            //   41                   | inc                 ecx
            //   83f912               | cmp                 ecx, 0x12
            //   72ee                 | jb                  0xfffffff0
            //   3bca                 | cmp                 ecx, edx
            //   760a                 | jbe                 0xc
            //   8bd1                 | mov                 edx, ecx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]

        $sequence_1 = { ff15???????? c6460300 c6460200 c6460100 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   c6460300             | mov                 byte ptr [esi + 3], 0
            //   c6460200             | mov                 byte ptr [esi + 2], 0
            //   c6460100             | mov                 byte ptr [esi + 1], 0

        $sequence_2 = { 53 ff15???????? 85c0 0f84aa000000 8d442412 68fe000000 50 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84aa000000         | je                  0xb0
            //   8d442412             | lea                 eax, dword ptr [esp + 0x12]
            //   68fe000000           | push                0xfe
            //   50                   | push                eax

        $sequence_3 = { eb02 6a2b 8b742414 68???????? 56 ff15???????? 8b5705 }
            // n = 7, score = 200
            //   eb02                 | jmp                 4
            //   6a2b                 | push                0x2b
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b5705               | mov                 edx, dword ptr [edi + 5]

        $sequence_4 = { 8b742418 50 68???????? 56 ff15???????? 83c40c }
            // n = 6, score = 200
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   50                   | push                eax
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_5 = { 68???????? ff15???????? 85c0 7509 5f 5e 81c484000000 }
            // n = 7, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   81c484000000         | add                 esp, 0x84

        $sequence_6 = { 5e 83c440 c3 83fe08 751e 8b442450 68???????? }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   83c440               | add                 esp, 0x40
            //   c3                   | ret                 
            //   83fe08               | cmp                 esi, 8
            //   751e                 | jne                 0x20
            //   8b442450             | mov                 eax, dword ptr [esp + 0x50]
            //   68????????           |                     

        $sequence_7 = { 56 e8???????? 56 e8???????? 8b442410 83c404 5f }
            // n = 7, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   83c404               | add                 esp, 4
            //   5f                   | pop                 edi

        $sequence_8 = { 8b442408 83ec70 56 8b7001 ff15???????? 56 }
            // n = 6, score = 200
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   83ec70               | sub                 esp, 0x70
            //   56                   | push                esi
            //   8b7001               | mov                 esi, dword ptr [eax + 1]
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_9 = { 85c0 7570 56 55 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7570                 | jne                 0x72
            //   56                   | push                esi
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules