win.findpos

FindPOS

aka: Poseidon

There is no description at this point.

References
2021-09-03 — Trend Micro — Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2015-03-20 — Cisco Talos — Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, Alain Zidouemba
@online{allievi:20150320:threat:2f200b6, author = {Andrea Allievi and Ben Baker and Nick Biasini and JJ Cummings and Douglas Goddard and William Largent and Angel Villegas and Alain Zidouemba}, title = {{Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware}}, date = {2015-03-20}, organization = {Cisco Talos}, url = {https://blogs.cisco.com/security/talos/poseidon}, language = {English}, urldate = {2020-01-13} } Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
FindPOS
2015-03-19 — Palo Alto Networks Unit 42 — Josh Grunzweig
@online{grunzweig:20150319:findpos:87059f2, author = {Josh Grunzweig}, title = {{FindPOS: New POS Malware Family Discovered}}, date = {2015-03-19}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/}, language = {English}, urldate = {2019-12-20} } FindPOS: New POS Malware Family Discovered
FindPOS
Yara Rules
[TLP:WHITE] win_findpos_auto (20211008 | Detects win.findpos.)
// Reviewer notes on this autogenerated signature. The rule logic below is left
// exactly as generated; only comments were added. Several of the ten byte
// sequences look like compiler or C-runtime boilerplate rather than
// family-specific logic (see the per-sequence notes in the strings section),
// so a hit is best treated as a lead to corroborate — e.g. against the Unit 42
// and Talos write-ups referenced on the Malpedia page — rather than as a
// confirmed FindPOS identification on its own.
rule win_findpos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.findpos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 and $sequence_6 both test a byte at offset 0xd of some
        // structure (`cmp byte ptr [edi + 0xd], 0` here, `[ecx + 0xd]` in
        // $sequence_6) — plausibly the same object field in the sample's own
        // code. No obvious library idiom, so likely family-specific (unverified).
        $sequence_0 = { eb03 897e08 a1???????? 3918 7521 807f0d00 }
            // n = 6, score = 100
            //   eb03                 | jmp                 5
            //   897e08               | mov                 dword ptr [esi + 8], edi
            //   a1????????           |                     
            //   3918                 | cmp                 dword ptr [eax], ebx
            //   7521                 | jne                 0x23
            //   807f0d00             | cmp                 byte ptr [edi + 0xd], 0

        // Looks like C-runtime file-handle bookkeeping rather than malware logic:
        // (x & 0x1f) * 64 and (x >> 5) select an entry in a table of pointers at
        // 0x41eda0, then bit 0x40 of the byte at +4 is tested — the shape of
        // MSVC's __pioinfo/_osfile lookup. If so, any statically linked MSVC CRT
        // binary can match this sequence; confirm in the disassembly before
        // weighting it. The absolute table address 0x41eda0 also assumes the
        // default image base, so a rebased (relocated) image would not match.
        $sequence_1 = { 83e11f c1f805 c1e106 8b0485a0ed4100 0fbe440804 83e040 5d }
            // n = 7, score = 100
            //   83e11f               | and                 ecx, 0x1f
            //   c1f805               | sar                 eax, 5
            //   c1e106               | shl                 ecx, 6
            //   8b0485a0ed4100       | mov                 eax, dword ptr [eax*4 + 0x41eda0]
            //   0fbe440804           | movsx               eax, byte ptr [eax + ecx + 4]
            //   83e040               | and                 eax, 0x40
            //   5d                   | pop                 ebp

        // Byte-wise compare after OR 0x20 on both operands (ASCII case folding):
        // the shape of a case-insensitive string compare, which is more likely
        // library code (a stricmp-style routine) than family-specific logic.
        // Treat as low-weight until confirmed.
        $sequence_2 = { 0fb631 0fb6c3 83ce20 83c820 2bf0 751a 2bca }
            // n = 7, score = 100
            //   0fb631               | movzx               esi, byte ptr [ecx]
            //   0fb6c3               | movzx               eax, bl
            //   83ce20               | or                  esi, 0x20
            //   83c820               | or                  eax, 0x20
            //   2bf0                 | sub                 esi, eax
            //   751a                 | jne                 0x1c
            //   2bca                 | sub                 ecx, edx

        // Stores the absolute address 0x405a32 into a local. Such immediates are
        // tied to the default 0x400000 image base, so this sequence will not
        // match a relocated image or a dump of a rebased process — check whether
        // the sample is relocatable before relying on it for memory scans.
        $sequence_3 = { 40 c745ec325a4000 894df8 8945fc }
            // n = 4, score = 100
            //   40                   | inc                 eax
            //   c745ec325a4000       | mov                 dword ptr [ebp - 0x14], 0x405a32
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        // The call target and the pushed immediate are wildcarded (e8/68
        // ????????); the remaining fixed anchor is the absolute address
        // 0x4132d4 — same image-base caveat as $sequence_3.
        $sequence_4 = { 8d4508 50 e8???????? 68???????? 8d45f4 c745f4d4324100 50 }
            // n = 7, score = 100
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   c745f4d4324100       | mov                 dword ptr [ebp - 0xc], 0x4132d4
            //   50                   | push                eax

        // Indexes a dword table deep in the stack frame ([ebp + esi*4 - 0x1008]);
        // no common library idiom is evident here, so plausibly family-specific.
        $sequence_5 = { 85ff 741a 8b8cb5f8efffff 3bcb }
            // n = 4, score = 100
            //   85ff                 | test                edi, edi
            //   741a                 | je                  0x1c
            //   8b8cb5f8efffff       | mov                 ecx, dword ptr [ebp + esi*4 - 0x1008]
            //   3bcb                 | cmp                 ecx, ebx

        // See $sequence_0: the same offset-0xd byte test, here through ecx.
        $sequence_6 = { 7411 8b45e8 53 8b4808 51 80790d00 7495 }
            // n = 7, score = 100
            //   7411                 | je                  0x13
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   53                   | push                ebx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   51                   | push                ecx
            //   80790d00             | cmp                 byte ptr [ecx + 0xd], 0
            //   7495                 | je                  0xffffff97

        // Function epilogue (mov esp, ebp / pop ebp / ret) followed by the start
        // of the next routine — generic compiler output, so this sequence on its
        // own carries little family-specific signal.
        $sequence_7 = { e8???????? 8be5 5d c3 e9???????? 56 6a04 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   e9????????           |                     
            //   56                   | push                esi
            //   6a04                 | push                4

        // Compares a global (a1 ????????) against the fixed constant 0x5d1745c
        // before a bounds-style jae. The specific immediate is a distinctive
        // anchor; its meaning is not established here.
        $sequence_8 = { 8bec a1???????? 3d5c74d105 0f830f010000 56 57 8b7d18 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   3d5c74d105           | cmp                 eax, 0x5d1745c
            //   0f830f010000         | jae                 0x115
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]

        // Load of a global, xor with ebp, store at [ebp - 4]: the shape of the
        // MSVC /GS stack-cookie prologue found in most MSVC-built binaries. If
        // that is what this is, it adds essentially no family-specific signal.
        $sequence_9 = { 51 a1???????? 33c5 8945fc 56 57 8b3d???????? }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3d????????         |                     

    condition:
        // 7 of the 10 sequences must hit. Up to four of them ($sequence_1,
        // $sequence_2, $sequence_7, $sequence_9) look like CRT / compiler
        // boilerplate, so an unrelated MSVC binary could plausibly satisfy those
        // and need only three more; when tuning for low false-positive
        // environments consider raising the threshold or re-weighting the
        // generic sequences.
        // filesize < 286720 (280 KiB) is meaningful for file scans; per the
        // YARA documentation filesize is undefined when scanning process
        // memory — check how your YARA version evaluates it there before using
        // this rule for memory scanning.
        7 of them and filesize < 286720
}