SYMBOLCOMMON_NAMEaka. SYNONYMS
win.flame (Back to overview)

Flame

aka: sKyWIper
VTCollection    

There is no description at this point.

References
2023-04-11China Cybersecurity Industry AllianceChina Cybersecurity Industry Alliance
Review of Cyberattacks from US Intelligence Agencies - Based on Global Cybersecurity Communities' Analyses
DuQu Flame Gauss Stuxnet
2021-12-01ESET ResearchAlexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry
2019-04-09Chronicle SecurityJuan Andrés Guerrero-Saade, Silas Cutler
Flame 2.0: Risen from the Ashes
Flame
2018-03-01CrySyS LabBoldizsar Bencsath
Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos
2016-08-08SymantecA L Johnson
Strider: Cyberespionage group turns eye of Sauron on targets
Flame Regin Remsec ProjectSauron
2012-05-31CrySyS LabCrySyS Lab
sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks
Flame
2012-05-31SymantecSecurity Response
Flamer: A Recipe for Bluetoothache
Flame
2012-05-28Kaspersky LabsAlexander Gostev
The Flame: Questions and Answers
Flame
Yara Rules
[TLP:WHITE] win_flame_auto (20230808 | Detects win.flame.)
rule win_flame_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.flame."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 741a 83f901 7415 e8???????? }
            // n = 4, score = 400
            //   741a                 | je                  0x1c
            //   83f901               | cmp                 ecx, 1
            //   7415                 | je                  0x17
            //   e8????????           |                     

        $sequence_1 = { 8b8ea4000000 48b8abaaaaaaaaaaaaaa 4c8bc5 48f7e1 }
            // n = 4, score = 200
            //   8b8ea4000000         | shr                 edx, 3
            //   48b8abaaaaaaaaaaaaaa     | dec    eax
            //   4c8bc5               | add                 ecx, ebp
            //   48f7e1               | test                al, al

        $sequence_2 = { a3???????? 85c0 0f84c8fcffff 68???????? ff35???????? e8???????? }
            // n = 6, score = 200
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84c8fcffff         | je                  0xfffffcce
            //   68????????           |                     
            //   ff35????????         |                     
            //   e8????????           |                     

        $sequence_3 = { 744c 8b7518 ff75f8 8bce e8???????? 8b06 }
            // n = 6, score = 200
            //   744c                 | je                  0x4e
            //   8b7518               | mov                 esi, dword ptr [ebp + 0x18]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_4 = { 8b8ea0000000 48c1ea03 4803cd ff15???????? }
            // n = 4, score = 200
            //   8b8ea0000000         | test                al, al
            //   48c1ea03             | je                  0xf
            //   4803cd               | dec                 eax
            //   ff15????????         |                     

        $sequence_5 = { ffd7 90 eb00 4883c430 5f 5e }
            // n = 6, score = 200
            //   ffd7                 | call                edi
            //   90                   | nop                 
            //   eb00                 | jmp                 2
            //   4883c430             | dec                 eax
            //   5f                   | add                 esp, 0x30
            //   5e                   | pop                 edi

        $sequence_6 = { 8b8ea0000000 4803cd ff15???????? 84c0 }
            // n = 4, score = 200
            //   8b8ea0000000         | and                 ecx, eax
            //   4803cd               | mov                 esi, dword ptr [esi + ecx*4]
            //   ff15????????         |                     
            //   84c0                 | jmp                 0x2f

        $sequence_7 = { 58 5e 5d c3 c701???????? c3 }
            // n = 6, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   c701????????         |                     
            //   c3                   | ret                 

        $sequence_8 = { 8b400c 83c006 50 ff15???????? 33db }
            // n = 5, score = 200
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   83c006               | add                 eax, 6
            //   50                   | push                eax
            //   ff15????????         |                     
            //   33db                 | xor                 ebx, ebx

        $sequence_9 = { 8365fc00 e9???????? b8???????? e8???????? }
            // n = 4, score = 200
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   e9????????           |                     
            //   b8????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 7422 663b3b 0f94c0 84c0 }
            // n = 4, score = 200
            //   7422                 | pop                 esi
            //   663b3b               | je                  0x24
            //   0f94c0               | cmp                 di, word ptr [ebx]
            //   84c0                 | sete                al

        $sequence_11 = { ff15???????? 85c0 742e 56 8b35???????? 8d4514 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   742e                 | je                  0x30
            //   56                   | push                esi
            //   8b35????????         |                     
            //   8d4514               | lea                 eax, [ebp + 0x14]

        $sequence_12 = { 8b90b0000000 4903d3 eb64 448bc0 }
            // n = 4, score = 200
            //   8b90b0000000         | mov                 eax, 0xaaaaaaab
            //   4903d3               | stosb               byte ptr es:[edi], al
            //   eb64                 | stosb               byte ptr es:[edi], al
            //   448bc0               | stosb               byte ptr es:[edi], al

        $sequence_13 = { 8b8c2490000000 8bc3 4823c8 8b348e eb27 f6c240 0f8539020000 }
            // n = 7, score = 200
            //   8b8c2490000000       | dec                 esp
            //   8bc3                 | mov                 ecx, dword ptr [ebx + 0x2a]
            //   4823c8               | dec                 esp
            //   8b348e               | mov                 eax, dword ptr [ebx + 0x22]
            //   eb27                 | mov                 ecx, dword ptr [esp + 0x90]
            //   f6c240               | mov                 eax, ebx
            //   0f8539020000         | dec                 eax

        $sequence_14 = { ff15???????? 834dfcff 8d4de0 e8???????? b001 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   e8????????           |                     
            //   b001                 | mov                 al, 1

    condition:
        7 of them and filesize < 1676288
}
Download all Yara Rules