win.funny_dream (Back to overview)

FunnyDream


There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04nao_sec blognao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11NTT SecurityHiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16BitdefenderVictor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20210616 | Detects win.funny_dream.)
/*
 * Auto-generated detection rule for the FunnyDream family (win.funny_dream).
 * The strings are raw opcode-byte sequences lifted from the disassembly of
 * unpacked samples and memory dumps (see the DISCLAIMER below), so the rule
 * is expected to fire on unpacked code or process memory rather than on a
 * packed on-disk binary — an inference from the stated generation method,
 * not something the rule itself enforces.
 */
rule win_funny_dream_auto {

    // Provenance metadata emitted by the generator. The three dates differ
    // (rule date, malpedia_rule_date, malpedia_version); their exact
    // relationship is not documented here, so treat them as provenance only.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a 32-bit x86 instruction run (the disassembly uses
    // eax/esp/ebp and dword ptr operands). The `??` bytes wildcard the 4-byte
    // operand of the instruction they follow (e.g. the target of an `ff15`
    // call or an `e9` jmp, or the immediate of `c707`), so a match does not
    // depend on that value. In the comments, "n" is the instruction count of
    // the sequence; "score" is a generator ranking value whose meaning is not
    // documented on this page.
    strings:
        $sequence_0 = { ff15???????? 6800100000 8d842454070000 6a00 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   6800100000           | push                0x1000
            //   8d842454070000       | lea                 eax, dword ptr [esp + 0x754]
            //   6a00                 | push                0

        $sequence_1 = { 7447 83fe01 751f 8b85d4feffff be03000000 8985adfeffff 8b85d8feffff }
            // n = 7, score = 300
            //   7447                 | je                  0x49
            //   83fe01               | cmp                 esi, 1
            //   751f                 | jne                 0x21
            //   8b85d4feffff         | mov                 eax, dword ptr [ebp - 0x12c]
            //   be03000000           | mov                 esi, 3
            //   8985adfeffff         | mov                 dword ptr [ebp - 0x153], eax
            //   8b85d8feffff         | mov                 eax, dword ptr [ebp - 0x128]

        $sequence_2 = { ffd6 ff7708 c707???????? ffd6 }
            // n = 4, score = 300
            //   ffd6                 | call                esi
            //   ff7708               | push                dword ptr [edi + 8]
            //   c707????????         |                     
            //   ffd6                 | call                esi

        $sequence_3 = { 50 6802020000 c787c400000000000000 c787cc00000000000000 ff15???????? 6a00 6a00 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   c787c400000000000000     | mov    dword ptr [edi + 0xc4], 0
            //   c787cc00000000000000     | mov    dword ptr [edi + 0xcc], 0
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { 57 8b7d08 85f6 7513 5f }
            // n = 5, score = 300
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   5f                   | pop                 edi

        $sequence_5 = { 8945fc 83f8ff 750b 0bc0 5f }
            // n = 5, score = 300
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83f8ff               | cmp                 eax, -1
            //   750b                 | jne                 0xd
            //   0bc0                 | or                  eax, eax
            //   5f                   | pop                 edi

        $sequence_6 = { 50 6a01 8d85fcfdffff 50 ff7614 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   6a01                 | push                1
            //   8d85fcfdffff         | lea                 eax, dword ptr [ebp - 0x204]
            //   50                   | push                eax
            //   ff7614               | push                dword ptr [esi + 0x14]

        $sequence_7 = { 50 ffd7 e9???????? 6a00 8d85bcfeffff 50 8d4618 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   e9????????           |                     
            //   6a00                 | push                0
            //   8d85bcfeffff         | lea                 eax, dword ptr [ebp - 0x144]
            //   50                   | push                eax
            //   8d4618               | lea                 eax, dword ptr [esi + 0x18]

        $sequence_8 = { 8d45f0 66c745f42e2a 50 8d85e4feffff c645f600 }
            // n = 5, score = 300
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   66c745f42e2a         | mov                 word ptr [ebp - 0xc], 0x2a2e
            //   50                   | push                eax
            //   8d85e4feffff         | lea                 eax, dword ptr [ebp - 0x11c]
            //   c645f600             | mov                 byte ptr [ebp - 0xa], 0

        $sequence_9 = { 83c404 8b4f04 85c9 7504 33c0 eb05 8b4708 }
            // n = 7, score = 300
            //   83c404               | add                 esp, 4
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   85c9                 | test                ecx, ecx
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 7
            //   8b4708               | mov                 eax, dword ptr [edi + 8]

    condition:
        // Fire when at least 7 of the 10 sequences are present (so a sample
        // missing a few of them still matches) and the scanned object is
        // smaller than 393216 bytes (384 KiB). Both thresholds are as emitted
        // by the generator; the size cap bounds scan cost, not maliciousness.
        7 of them and filesize < 393216
}