win.findpos

FindPOS

aka: Poseidon

There is no curated description at this point. The references below identify FindPOS as a point-of-sale (POS) malware family first publicly documented in March 2015 by Palo Alto Networks Unit 42, and covered under the name PoSeidon by Cisco Talos; the 2021 Trend Micro report lists it among families observed using SSL/TLS for C&C communications.

References
2021-09-03 · Trend Micro · Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20 · Cisco Talos · Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, Alain Zidouemba
@online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19 · Palo Alto Networks Unit 42 · Josh Grunzweig
@online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20220516 | Detects win.findpos.)
/*
 * Auto-generated code-sequence signature for the FindPOS (aka PoSeidon) family.
 * The strings are raw x86 opcode byte sequences lifted from unpacked / dumped
 * samples; the rule therefore targets the unpacked payload, not a packed
 * on-disk dropper. Wildcard bytes (`??`) stand in for relocatable operands
 * (call/jmp displacements, absolute addresses) so the sequences survive
 * rebasing. Review the per-sequence notes below before assigning confidence.
 */
rule win_findpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20220513"
        // NOTE(review): the meaning of malpedia_hash (sample hash vs. corpus
        // snapshot identifier) is not stated here — confirm against yara-signator docs.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each `$sequence_N` is a contiguous run of instruction bytes; the
        // trailing comments show the generator's disassembly. `n` is the
        // instruction count, `score` the generator's ranking of the sequence.

        // NOTE(review): this sequence disassembles to unusual instructions
        // (aas, xchg [edx],edi with an immediate pointer) and may have been
        // lifted from a data/constant region rather than real code — verify
        // against the sample before relying on it as a code-level indicator.
        $sequence_0 = { ba68cb7a76 873a bfe5920925 3f 2afa b4c5 b7cb }
            // n = 7, score = 100
            //   ba68cb7a76           | mov                 edx, 0x767acb68
            //   873a                 | xchg                dword ptr [edx], edi
            //   bfe5920925           | mov                 edi, 0x250992e5
            //   3f                   | aas                 
            //   2afa                 | sub                 bh, dl
            //   b4c5                 | mov                 ah, 0xc5
            //   b7cb                 | mov                 bh, 0xcb

        // Short compare/branch fragment (5 bytes of generic loop logic); low
        // specificity on its own, which is why the condition requires 7 hits.
        $sequence_1 = { 751a 2bca 84db 7414 42 }
            // n = 5, score = 100
            //   751a                 | jne                 0x1c
            //   2bca                 | sub                 ecx, edx
            //   84db                 | test                bl, bl
            //   7414                 | je                  0x16
            //   42                   | inc                 edx

        // call / push 0 / push 1 / lea ecx,[esp+..] pattern; the call and
        // jmp targets and the pushed address are wildcarded (relocatable).
        $sequence_2 = { e8???????? 6a00 6a01 8d4c2418 e9???????? 68???????? 8d4c242c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   e9????????           |                     
            //   68????????           |                     
            //   8d4c242c             | lea                 ecx, [esp + 0x2c]

        // Counter-increment loop tail: inc esi / inc ecx, bounded by edx,
        // followed by an edi/ebx comparison.
        $sequence_3 = { 46 41 3bca 7ced 3bfb 7d10 }
            // n = 6, score = 100
            //   46                   | inc                 esi
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   7ced                 | jl                  0xffffffef
            //   3bfb                 | cmp                 edi, ebx
            //   7d10                 | jge                 0x12

        // Backward loop on a stack local, then `cmp dword [abs], 0xc8`
        // (200) against a wildcarded global address.
        $sequence_4 = { 8b75f8 3bf7 75cb 813d????????c8000000 }
            // n = 4, score = 100
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   3bf7                 | cmp                 esi, edi
            //   75cb                 | jne                 0xffffffcd
            //   813d????????c8000000     |     

        // `or [ebp-4], -1` followed by the same push 0 / push 1 / call shape
        // as $sequence_2 (likely the same call site family).
        $sequence_5 = { 834dfcff 6a00 6a01 e8???????? eb02 }
            // n = 5, score = 100
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   e8????????           |                     
            //   eb02                 | jmp                 4

        // Indirect API call via wildcarded IAT slot, then `push 4` /
        // `push 0x3000`. NOTE(review): 0x3000 and 4 are the conventional
        // MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE values, which would fit
        // a VirtualAlloc(…, 0x3000, 4) call — presumed, not shown here.
        $sequence_6 = { 51 ff15???????? 8b45f8 891d???????? 6a04 6800300000 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   891d????????         |                     
            //   6a04                 | push                4
            //   6800300000           | push                0x3000

        // `push 0x8000` + two register pushes + indirect call. NOTE(review):
        // 0x8000 matches MEM_RELEASE as used with VirtualFree — presumed.
        $sequence_7 = { 6800800000 53 51 ff15???????? }
            // n = 4, score = 100
            //   6800800000           | push                0x8000
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   ff15????????         |                     

        // Stores a pointer at [ebp-8], sets [ebp-0x14] = 0x2000, makes an
        // indirect call and tests its return value.
        $sequence_8 = { 8945f8 8d45f8 50 c745ec00200000 ff15???????? 85c0 745f }
            // n = 7, score = 100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   c745ec00200000       | mov                 dword ptr [ebp - 0x14], 0x2000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   745f                 | je                  0x61

        // Byte arithmetic writing dl/dh into adjacent stack locals, then
        // clearing ecx; only 4 bytes long, so weak in isolation.
        $sequence_9 = { 02d0 8875fb 8855fa 33c9 }
            // n = 4, score = 100
            //   02d0                 | add                 dl, al
            //   8875fb               | mov                 byte ptr [ebp - 5], dh
            //   8855fa               | mov                 byte ptr [ebp - 6], dl
            //   33c9                 | xor                 ecx, ecx

    condition:
        // Require 7 of the 10 sequences: a single generic fragment (e.g.
        // $sequence_1 or $sequence_9) must not fire the rule on its own.
        // The filesize bound (286720 bytes = 280 KiB) limits scans to small
        // unpacked payloads; NOTE(review): `filesize` is defined for file
        // scans only, so confirm the rule's behaviour when scanning process
        // memory, where this clause may not evaluate as intended.
        7 of them and filesize < 286720
}