win.findpos

FindPOS

aka: Poseidon

There is no description at this point.

References
2021-09-03 — Trend Micro — Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20 — Cisco Talos — Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, Alain Zidouemba
@online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19 — Palo Alto Networks Unit 42 — Josh Grunzweig
@online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20230125 | Detects win.findpos.)
rule win_findpos_auto {
    // Auto-generated code-sequence rule for the FindPOS (aka Poseidon) point-of-sale
    // malware family, catalogued by Malpedia as win.findpos. Matching is driven by
    // the ten 32-bit x86 opcode sequences in the strings section; the meta block
    // records the generator run and the Malpedia snapshot the samples came from, so
    // keep it intact when redistributing the rule (CC BY-SA 4.0, TLP:WHITE).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instructions lifted from the
        // family's unpacked code. "??" is a one-byte wildcard: the masked bytes are
        // the operands of calls/jumps and absolute data references (cf.
        // signator_config above), which is why those lines carry no mnemonic in the
        // listings below. Masking them keeps the pattern tolerant of relocation and
        // rebuild differences while the surrounding opcodes must still match exactly.
        // "n" is the instruction count of the sequence; "score" is the generator's
        // weighting — presumably equal here, as all ten sequences carry score = 100.
        $sequence_0 = { 8bc8 890d???????? 85c9 743b 8b45f8 a3???????? }
            // n = 6, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   890d????????         |                     
            //   85c9                 | test                ecx, ecx
            //   743b                 | je                  0x3d
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   a3????????           |                     

        $sequence_1 = { eb02 8bcb e8???????? 33f6 46 53 85c0 }
            // n = 7, score = 100
            //   eb02                 | jmp                 4
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   53                   | push                ebx
            //   85c0                 | test                eax, eax

        $sequence_2 = { 51 50 ff75e4 8d45e8 50 e8???????? 8b00 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_3 = { 7405 e8???????? dbe2 5d c3 b8???????? c705????????499b4000 }
            // n = 7, score = 100
            //   7405                 | je                  7
            //   e8????????           |                     
            //   dbe2                 | fnclex              
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   b8????????           |                     
            //   c705????????499b4000     |     
            // NOTE: the last instruction stores the fixed immediate 0x00409b49 to a
            // masked absolute address; the 0x0040xxxx value looks like an image-base
            // relative pointer, so this sequence may be sensitive to rebasing — confirm
            // against samples built with a different base before relying on it alone.

        $sequence_4 = { ff15???????? 85c0 7477 8d45ec }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7477                 | je                  0x79
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        $sequence_5 = { 8b750c 8d4de8 8975e8 e8???????? 8b00 3b05???????? 7416 }
            // n = 7, score = 100
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   e8????????           |                     
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   3b05????????         |                     
            //   7416                 | je                  0x18

        $sequence_6 = { 7411 8b45e8 53 8b4808 51 80790d00 7495 }
            // n = 7, score = 100
            //   7411                 | je                  0x13
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   53                   | push                ebx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   51                   | push                ecx
            //   80790d00             | cmp                 byte ptr [ecx + 0xd], 0
            //   7495                 | je                  0xffffff97

        $sequence_7 = { 0f43ca c6041900 5b 5f b8???????? 5e 5d }
            // n = 7, score = 100
            //   0f43ca               | cmovae              ecx, edx
            //   c6041900             | mov                 byte ptr [ecx + ebx], 0
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   b8????????           |                     
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_8 = { 8bf0 83feff 7479 8b85f0efffff 89bdf8efffff 8bdf 89bdf4efffff }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7479                 | je                  0x7b
            //   8b85f0efffff         | mov                 eax, dword ptr [ebp - 0x1010]
            //   89bdf8efffff         | mov                 dword ptr [ebp - 0x1008], edi
            //   8bdf                 | mov                 ebx, edi
            //   89bdf4efffff         | mov                 dword ptr [ebp - 0x100c], edi

        $sequence_9 = { 8b4014 894df0 8945fc 85c9 742f 0fbf047a }
            // n = 6, score = 100
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   85c9                 | test                ecx, ecx
            //   742f                 | je                  0x31
            //   0fbf047a             | movsx               eax, word ptr [edx + edi*2]

    condition:
        // Any 7 of the 10 sequences must be present, so up to three may be absent
        // (e.g. altered by a different compiler or optimizer setting) without losing
        // the match. The size cap (286720 bytes = 280 KiB) restricts the rule to small
        // binaries, which limits false positives on large files but also means
        // samples or dumps above that size will not fire — lower the assigned
        // confidence or relax the cap if a suspected sample exceeds it.
        // NOTE(review): filesize is a file-scan attribute; confirm how this rule
        // behaves when scanning process memory rather than files on disk.
        7 of them and filesize < 286720
}