SYMBOLCOMMON_NAMEaka. SYNONYMS
win.findpos (Back to overview)

FindPOS

aka: Poseidon
VTCollection    

There is no description at this point.

References
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20Cisco TalosAlain Zidouemba, Andrea Allievi, Angel Villegas, Ben Baker, Douglas Goddard, JJ Cummings, Nick Biasini, William Largent
Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19Palo Alto Networks Unit 42Josh Grunzweig
FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20230808 | Detects win.findpos.)
rule win_findpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48 0f844b050000 33c0 8d8c24f0010000 50 51 8d8c243c020000 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   0f844b050000         | je                  0x551
            //   33c0                 | xor                 eax, eax
            //   8d8c24f0010000       | lea                 ecx, [esp + 0x1f0]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d8c243c020000       | lea                 ecx, [esp + 0x23c]

        $sequence_1 = { 68???????? e8???????? a1???????? 59 59 83c010 a3???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   a1????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   83c010               | add                 eax, 0x10
            //   a3????????           |                     

        $sequence_2 = { 7671 8365d400 8d55d4 8bcf }
            // n = 4, score = 100
            //   7671                 | jbe                 0x73
            //   8365d400             | and                 dword ptr [ebp - 0x2c], 0
            //   8d55d4               | lea                 edx, [ebp - 0x2c]
            //   8bcf                 | mov                 ecx, edi

        $sequence_3 = { 8bcf e8???????? 8325????????00 833d????????10 68???????? 0f4335???????? }
            // n = 6, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8325????????00       |                     
            //   833d????????10       |                     
            //   68????????           |                     
            //   0f4335????????       |                     

        $sequence_4 = { 8b0cb8 03cb e8???????? 85c0 7414 8b4df0 }
            // n = 6, score = 100
            //   8b0cb8               | mov                 ecx, dword ptr [eax + edi*4]
            //   03cb                 | add                 ecx, ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7414                 | je                  0x16
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_5 = { eb29 8a01 3c33 7505 }
            // n = 4, score = 100
            //   eb29                 | jmp                 0x2b
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   3c33                 | cmp                 al, 0x33
            //   7505                 | jne                 7

        $sequence_6 = { 8945f8 8d45f8 50 c745ec00200000 ff15???????? 85c0 745f }
            // n = 7, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   c745ec00200000       | mov                 dword ptr [ebp - 0x14], 0x2000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   745f                 | je                  0x61

        $sequence_7 = { 3b08 7518 53 51 51 6a01 8d45e4 }
            // n = 7, score = 100
            //   3b08                 | cmp                 ecx, dword ptr [eax]
            //   7518                 | jne                 0x1a
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_8 = { 50 0fb6c1 50 8d85e8e7ffff 50 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   0fb6c1               | movzx               eax, cl
            //   50                   | push                eax
            //   8d85e8e7ffff         | lea                 eax, [ebp - 0x1818]
            //   50                   | push                eax

        $sequence_9 = { 33f6 46 3bc6 0f8577040000 6a11 ffd7 663bc6 }
            // n = 7, score = 100
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   3bc6                 | cmp                 eax, esi
            //   0f8577040000         | jne                 0x47d
            //   6a11                 | push                0x11
            //   ffd7                 | call                edi
            //   663bc6               | cmp                 ax, si

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules