SYMBOLCOMMON_NAMEaka. SYNONYMS
win.funny_dream (Back to overview)

FunnyDream


There is no description at this point.

References
2021-12-08Recorded FutureInsikt Group®
@techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-01-04nao_sec blognao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11NTT SecurityHiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16BitdefenderVictor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20221125 | Detects win.funny_dream.)
rule win_funny_dream_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4901 88840dfdfdffff 84c0 75ec }
            // n = 4, score = 300
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   88840dfdfdffff       | mov                 byte ptr [ebp + ecx - 0x203], al
            //   84c0                 | test                al, al
            //   75ec                 | jne                 0xffffffee

        $sequence_1 = { 8d4c241c 0f2805???????? 0f1144240c e8???????? 85c0 742e 6a01 }
            // n = 7, score = 300
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   0f2805????????       |                     
            //   0f1144240c           | movups              xmmword ptr [esp + 0xc], xmm0
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   742e                 | je                  0x30
            //   6a01                 | push                1

        $sequence_2 = { 6a00 6a00 ff15???????? 8bf0 85f6 750f 5e }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   750f                 | jne                 0x11
            //   5e                   | pop                 esi

        $sequence_3 = { 7427 56 ff15???????? 85c0 741c 57 ff15???????? }
            // n = 7, score = 300
            //   7427                 | je                  0x29
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_4 = { 41 84c0 75f9 2bca 7513 68fe000000 8d84243c010000 }
            // n = 7, score = 300
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bca                 | sub                 ecx, edx
            //   7513                 | jne                 0x15
            //   68fe000000           | push                0xfe
            //   8d84243c010000       | lea                 eax, [esp + 0x13c]

        $sequence_5 = { c7450800000000 ff15???????? 8bf8 8d4508 }
            // n = 4, score = 300
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8d4508               | lea                 eax, [ebp + 8]

        $sequence_6 = { 50 57 ff15???????? 85c0 7523 8b4618 8b3d???????? }
            // n = 7, score = 300
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   8b3d????????         |                     

        $sequence_7 = { 668985f2f7ffff c785f4f7ffff00000001 8bce 2bd6 }
            // n = 4, score = 300
            //   668985f2f7ffff       | mov                 word ptr [ebp - 0x80e], ax
            //   c785f4f7ffff00000001     | mov    dword ptr [ebp - 0x80c], 0x1000000
            //   8bce                 | mov                 ecx, esi
            //   2bd6                 | sub                 edx, esi

        $sequence_8 = { 85c0 0f84f8000000 68???????? 50 ff15???????? }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   0f84f8000000         | je                  0xfe
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 50 68f71f0000 c6076a 8d4709 8b0b 894f01 8b4b04 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   68f71f0000           | push                0x1ff7
            //   c6076a               | mov                 byte ptr [edi], 0x6a
            //   8d4709               | lea                 eax, [edi + 9]
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   894f01               | mov                 dword ptr [edi + 1], ecx
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]

    condition:
        7 of them and filesize < 393216
}
Download all Yara Rules