win.flawedammyy

FlawedAmmyy


There is no description at this point.

References
https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930
https://github.com/Coldzer0/Ammyy-v3
https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20180607 | autogenerated rule brought to you by yara-signator)
/*
 * win_flawedammyy_auto -- Malpedia auto-generated YARA rule for the
 * FlawedAmmyy RAT (a RAT built from the leaked Ammyy Admin source, see the
 * references on this page).
 *
 * How it works: each $sequence_N string below is a short run of raw x86
 * (32-bit) instruction bytes that yara-signator selected from the
 * disassembly of unpacked samples / memory dumps of this family (see the
 * DISCLAIMER inside the rule). The commented lines under each string give
 * the disassembly of those bytes; "n" is the number of instructions in the
 * sequence and "score" is yara-signator's ranking value (its exact meaning
 * is not documented on this page).
 *
 * Matching: the condition fires when at least 7 of the 10 sequences are
 * present in the scanned object. There is no filesize bound and no
 * file-type check (e.g. PE header), so the rule is applied to any input
 * as-is.
 *
 * Notes for detection engineers:
 *  - The sequences come from unpacked code, so the rule is meant for memory
 *    dumps and unpacked binaries; a packed or encrypted on-disk dropper will
 *    likely not expose these bytes.
 *  - Two sequences embed absolute virtual addresses of the analysed sample
 *    ($sequence_2: 0x48b410, $sequence_5: 0x490c08). Those bytes are
 *    layout-specific, so a rebuilt or differently laid-out variant may not
 *    match them; the 7-of-10 threshold tolerates a few such misses.
 *  - The absolute jmp targets in the disassembly comments (e.g. 0x45d1f0)
 *    are addresses from the analysed sample; the matched bytes (eb02, eb0f)
 *    encode only the relative displacement.
 */
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 03c1 8b4dbc 334df4 8b75e8 }
            // n = 4, score = 2000
            //   03c1                 | add                 eax, ecx
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   334df4               | xor                 ecx, dword ptr [ebp - 0xc]
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]

        $sequence_1 = { 03c1 c1f80b 8986e8000000 8b45fc }
            // n = 4, score = 2000
            //   03c1                 | add                 eax, ecx
            //   c1f80b               | sar                 eax, 0xb
            //   8986e8000000         | mov                 dword ptr [esi + 0xe8], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        // NOTE: the memory operand below carries the absolute address 0x48b410
        // of the analysed sample (bytes 10b44800), so this string is layout-specific.
        $sequence_2 = { 030c8510b44800 eb02 8bce f6412480 }
            // n = 4, score = 2000
            //   030c8510b44800       | add                 ecx, dword ptr [eax*4 + 0x48b410]
            //   eb02                 | jmp                 0x45d1f0
            //   8bce                 | mov                 ecx, esi
            //   f6412480             | test                byte ptr [ecx + 0x24], 0x80

        $sequence_3 = { 0500080000 8da42400000000 8b5508 8145088b4c0000 }
            // n = 4, score = 2000
            //   0500080000           | add                 eax, 0x800
            //   8da42400000000       | lea                 esp, dword ptr [esp]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8145088b4c0000       | add                 dword ptr [ebp + 8], 0x4c8b

        $sequence_4 = { 03c2 81c600400000 03c6 c1f80f }
            // n = 4, score = 2000
            //   03c2                 | add                 eax, edx
            //   81c600400000         | add                 esi, 0x4000
            //   03c6                 | add                 eax, esi
            //   c1f80f               | sar                 eax, 0xf

        // NOTE: the memory operand below carries the absolute address 0x490c08
        // of the analysed sample (bytes 080c4900), so this string is layout-specific.
        $sequence_5 = { 0bc1 c1e008 0bc1 89048d080c4900 }
            // n = 4, score = 2000
            //   0bc1                 | or                  eax, ecx
            //   c1e008               | shl                 eax, 8
            //   0bc1                 | or                  eax, ecx
            //   89048d080c4900       | mov                 dword ptr [ecx*4 + 0x490c08], eax

        $sequence_6 = { 0b74b820 5f 89750c 8a450e }
            // n = 4, score = 2000
            //   0b74b820             | or                  esi, dword ptr [eax + edi*4 + 0x20]
            //   5f                   | pop                 edi
            //   89750c               | mov                 dword ptr [ebp + 0xc], esi
            //   8a450e               | mov                 al, byte ptr [ebp + 0xe]

        $sequence_7 = { 034dd8 03d9 8bce f7d1 }
            // n = 4, score = 2000
            //   034dd8               | add                 ecx, dword ptr [ebp - 0x28]
            //   03d9                 | add                 ebx, ecx
            //   8bce                 | mov                 ecx, esi
            //   f7d1                 | not                 ecx

        $sequence_8 = { 034664 8b4e50 c7465800000000 0fb610 }
            // n = 4, score = 2000
            //   034664               | add                 eax, dword ptr [esi + 0x64]
            //   8b4e50               | mov                 ecx, dword ptr [esi + 0x50]
            //   c7465800000000       | mov                 dword ptr [esi + 0x58], 0
            //   0fb610               | movzx               edx, byte ptr [eax]

        $sequence_9 = { 03ca 6689b8b0160000 8b7de8 eb0f }
            // n = 4, score = 2000
            //   03ca                 | add                 ecx, edx
            //   6689b8b0160000       | mov                 word ptr [eax + 0x16b0], di
            //   8b7de8               | mov                 edi, dword ptr [ebp - 0x18]
            //   eb0f                 | jmp                 0x44a58d

    condition:
        // At least 7 of the 10 $sequence_* strings must match. No filesize
        // bound and no file-type check are applied, so confidence should be
        // assigned per deployment as the DISCLAIMER above advises.
        7 of them
}