win.findpos

FindPOS

aka: Poseidon

No description is available at this point.

References
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20Cisco TalosAndrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, Alain Zidouemba
@online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19Palo Alto Networks Unit 42Josh Grunzweig
@online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20221125 | Detects win.findpos.)
rule win_findpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Rule overview (review note)
     * Ten hex patterns ($sequence_0 .. $sequence_9), each a short run of
     * 32-bit x86 instruction bytes (ebp/esi/edi, dword ptr operands) picked
     * by YARA-Signator from FindPOS material. The "????????" wildcards leave
     * 4-byte operands unmatched; the disassembly column is blank for those
     * bytes, presumably because they are absolute addresses or call/jump
     * displacements that differ between builds -- confirm against the
     * generator if it matters for tuning. The "n = ..., score = ..." lines
     * are generator annotations only and are not evaluated by YARA.
     */

    strings:
        $sequence_0 = { 8945f4 57 85f6 7526 bf???????? 57 e8???????? }
            // n = 7, score = 100
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   57                   | push                edi
            //   85f6                 | test                esi, esi
            //   7526                 | jne                 0x28
            //   bf????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_1 = { 85c0 7905 0fb7c0 eb06 8b45ec 83c002 50 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7905                 | jns                 7
            //   0fb7c0               | movzx               eax, ax
            //   eb06                 | jmp                 8
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   83c002               | add                 eax, 2
            //   50                   | push                eax

        $sequence_2 = { 57 50 660f1345f0 8985e0feffff e8???????? 59 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   660f1345f0           | movlpd              qword ptr [ebp - 0x10], xmm0
            //   8985e0feffff         | mov                 dword ptr [ebp - 0x120], eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_3 = { 8b15???????? 395a08 757a 807f0d00 7404 8bc6 }
            // n = 6, score = 100
            //   8b15????????         |                     
            //   395a08               | cmp                 dword ptr [edx + 8], ebx
            //   757a                 | jne                 0x7c
            //   807f0d00             | cmp                 byte ptr [edi + 0xd], 0
            //   7404                 | je                  6
            //   8bc6                 | mov                 eax, esi

        $sequence_4 = { e9???????? 8bc3 83e813 0f84b5000000 48 747a 83e807 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   83e813               | sub                 eax, 0x13
            //   0f84b5000000         | je                  0xbb
            //   48                   | dec                 eax
            //   747a                 | je                  0x7c
            //   83e807               | sub                 eax, 7

        $sequence_5 = { 8b4df8 33c0 2b75fc 40 8931 }
            // n = 5, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   33c0                 | xor                 eax, eax
            //   2b75fc               | sub                 esi, dword ptr [ebp - 4]
            //   40                   | inc                 eax
            //   8931                 | mov                 dword ptr [ecx], esi

        $sequence_6 = { 8b7d0c 85ff 743d bb???????? 8d55f8 52 }
            // n = 6, score = 100
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   85ff                 | test                edi, edi
            //   743d                 | je                  0x3f
            //   bb????????           |                     
            //   8d55f8               | lea                 edx, [ebp - 8]
            //   52                   | push                edx

        $sequence_7 = { 53 e8???????? 59 8b45f4 03c3 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   03c3                 | add                 eax, ebx

        $sequence_8 = { 3375f0 337df4 8b4008 8985dcfeffff 85c0 75ce 89b5dcfeffff }
            // n = 7, score = 100
            //   3375f0               | xor                 esi, dword ptr [ebp - 0x10]
            //   337df4               | xor                 edi, dword ptr [ebp - 0xc]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   8985dcfeffff         | mov                 dword ptr [ebp - 0x124], eax
            //   85c0                 | test                eax, eax
            //   75ce                 | jne                 0xffffffd0
            //   89b5dcfeffff         | mov                 dword ptr [ebp - 0x124], esi

        $sequence_9 = { 33c9 8d5701 85d2 7e13 0fb6440df8 8a8030854100 8806 }
            // n = 7, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8d5701               | lea                 edx, [edi + 1]
            //   85d2                 | test                edx, edx
            //   7e13                 | jle                 0x15
            //   0fb6440df8           | movzx               eax, byte ptr [ebp + ecx - 8]
            //   8a8030854100         | mov                 al, byte ptr [eax + 0x418530]
            //   8806                 | mov                 byte ptr [esi], al

    condition:
        // Fires when any 7 of the 10 sequences above are present and the
        // scanned object is smaller than 286720 bytes (280 KiB). The size
        // bound limits false positives on large files but will also exclude
        // larger carriers (e.g. a packed or embedding file) -- tune it if the
        // rule is meant to run over such artefacts.
        // NOTE(review): filesize is a property of the scanned file; verify how
        // this condition behaves when scanning process memory rather than
        // files, since that is where the source material was taken from.
        7 of them and filesize < 286720
}