win.funny_dream

FunnyDream


No description is available for this family yet.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 | nao_sec blog | nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 | NTT Security | Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 | Bitdefender | Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_funny_dream_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read this rule
     * Each $sequence_N string is a hex byte pattern lifted from the sample's
     * disassembly; the commented lines under it list the raw bytes next to the
     * instruction they decode to, so a reviewer can judge how generic each
     * sequence is. "??" bytes are YARA wildcards; here they cover the 4-byte
     * operands of call (e8) and call-through-pointer (ff15) instructions,
     * i.e. the addresses that differ between builds and load addresses.
     * The "n = .., score = .." annotations are yara-signator bookkeeping: in
     * every sequence below n equals the number of instructions; the meaning
     * of score is not documented here (presumably a selection metric) --
     * confirm against the yara-signator documentation before relying on it.
     * The rule is autogenerated: do not hand-edit the hex sequences.
     */

    strings:
        $sequence_0 = { 64a300000000 8bf1 89b574fbffff 8b7d08 8d85dcfdffff }
            // n = 5, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf1                 | mov                 esi, ecx
            //   89b574fbffff         | mov                 dword ptr [ebp - 0x48c], esi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8d85dcfdffff         | lea                 eax, [ebp - 0x224]

        $sequence_1 = { 0f85ed000000 47 6a3b 57 e8???????? }
            // n = 5, score = 200
            //   0f85ed000000         | jne                 0xf3
            //   47                   | inc                 edi
            //   6a3b                 | push                0x3b
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_2 = { 894628 8a4610 8885e9feffff 8d85e8feffff 50 e8???????? 6a00 }
            // n = 7, score = 200
            //   894628               | mov                 dword ptr [esi + 0x28], eax
            //   8a4610               | mov                 al, byte ptr [esi + 0x10]
            //   8885e9feffff         | mov                 byte ptr [ebp - 0x117], al
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_3 = { 3b5f14 7423 660f1f840000000000 8b33 }
            // n = 4, score = 200
            //   3b5f14               | cmp                 ebx, dword ptr [edi + 0x14]
            //   7423                 | je                  0x25
            //   660f1f840000000000   | nop                 word ptr [eax + eax]
            //   8b33                 | mov                 esi, dword ptr [ebx]

        $sequence_4 = { 8d45f4 50 8d856cfeffff 50 e8???????? 83c408 85c0 }
            // n = 7, score = 200
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   8d856cfeffff         | lea                 eax, [ebp - 0x194]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_5 = { ffd6 8d4710 50 ff15???????? 8b4f04 }
            // n = 5, score = 200
            //   ffd6                 | call                esi
            //   8d4710               | lea                 eax, [edi + 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]

        $sequence_6 = { 84e4 0f85a6000000 85f6 0f849e000000 8bde 8d4b01 }
            // n = 6, score = 200
            //   84e4                 | test                ah, ah
            //   0f85a6000000         | jne                 0xac
            //   85f6                 | test                esi, esi
            //   0f849e000000         | je                  0xa4
            //   8bde                 | mov                 ebx, esi
            //   8d4b01               | lea                 ecx, [ebx + 1]

        $sequence_7 = { ffd0 8bf0 83feff 0f84c4000000 8d45f8 50 56 }
            // n = 7, score = 200
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   0f84c4000000         | je                  0xca
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_8 = { 8db5d0fdffff 2410 8d4e01 88041f 47 6690 8a06 }
            // n = 7, score = 200
            //   8db5d0fdffff         | lea                 esi, [ebp - 0x230]
            //   2410                 | and                 al, 0x10
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   47                   | inc                 edi
            //   6690                 | nop                 
            //   8a06                 | mov                 al, byte ptr [esi]

        $sequence_9 = { e8???????? 57 e8???????? 83c404 8bfe 3b7314 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bfe                 | mov                 edi, esi
            //   3b7314               | cmp                 esi, dword ptr [ebx + 0x14]

    condition:
        // Fires when at least 7 of the 10 sequences above are present anywhere
        // in the scanned data and the file is smaller than 393216 bytes
        // (384 KiB). Note the size cap: the same code embedded in a larger
        // file (e.g. a memory dump or an unusually large build) is not matched.
        7 of them and filesize < 393216
}