win.funny_dream

FunnyDream


There is no description at this point.

References
2021-12-08 · Recorded Future · Insikt Group®
@techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 · nao_sec blog · nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 · NTT Security · Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 · Bitdefender · Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20211008 | Detects win.funny_dream.)
rule win_funny_dream_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read this rule
     * Each $sequence_N below is one short run of x86 machine code (the
     * disassembly uses 32-bit registers: ebp, esp, esi, ...) that the generator
     * extracted from FunnyDream samples. The bytes are written one per column
     * with the matching instruction noted to the right. "??" bytes are
     * wildcards: they sit on the operands of calls, jumps and absolute memory
     * references, presumably so the sequence matches regardless of where the
     * code was loaded or relocated - confirm against the generator's docs.
     * The "n" and "score" figures are the generator's own bookkeeping and are
     * kept for traceability only.
     * The condition requires 7 of the 10 sequences plus a size cap of
     * 393216 bytes (384 KiB). There is deliberately no PE-header check, since
     * the disclaimer above says the sequences came from memory dumps and
     * unpacked code as well as files.
     */

    strings:
        // n = 5, score = 300
        $sequence_0 = {
            c7 85 e0 dd ff ff 01 00 00 00   // mov     dword ptr [ebp - 0x2220], 1
            50                              // push    eax
            68 80 00 00 00                  // push    0x80
            68 ff ff 00 00                  // push    0xffff
            ff b3 c0 00 00 00               // push    dword ptr [ebx + 0xc0]
        }

        // n = 7, score = 300
        $sequence_1 = {
            6a 01                           // push    1
            ff d3                           // call    ebx
            eb 02                           // jmp     4
            03 f0                           // add     esi, eax
            83 fe 08                        // cmp     esi, 8
            72 82                           // jb      0xffffff84
            33 c0                           // xor     eax, eax
        }

        // n = 7, score = 300
        $sequence_2 = {
            47                              // inc     edi
            6a 3b                           // push    0x3b
            57                              // push    edi
            e8 ?? ?? ?? ??                  // call    rel32 (target masked)
            6a 3a                           // push    0x3a
            57                              // push    edi
            89 45 fc                        // mov     dword ptr [ebp - 4], eax
        }

        // n = 4, score = 300
        $sequence_3 = {
            0f 10 84 24 38 01 00 00         // movups  xmm0, xmmword ptr [esp + 0x138]
            8b 44 24 14                     // mov     eax, dword ptr [esp + 0x14]
            89 84 24 cc 00 00 00            // mov     dword ptr [esp + 0xcc], eax
            66 8b 84 24 68 01 00 00         // mov     ax, word ptr [esp + 0x168]
        }

        // n = 6, score = 300
        $sequence_4 = {
            8b 4f 04                        // mov     ecx, dword ptr [edi + 4]
            56                              // push    esi
            e8 ?? ?? ?? ??                  // call    rel32 (target masked)
            56                              // push    esi
            ff 15 ?? ?? ?? ??               // call    dword ptr [imm32] (address masked)
            e9 ?? ?? ?? ??                  // jmp     rel32 (target masked)
        }

        // n = 5, score = 300
        $sequence_5 = {
            ff 77 14                        // push    dword ptr [edi + 0x14]
            e8 ?? ?? ?? ??                  // call    rel32 (target masked)
            83 c4 04                        // add     esp, 4
            c7 07 ?? ?? ?? ??               // mov     dword ptr [edi], imm32 (value masked)
            ff 77 08                        // push    dword ptr [edi + 8]
        }

        // n = 7, score = 300
        $sequence_6 = {
            8b f2                           // mov     esi, edx
            50                              // push    eax
            0f 11 84 24 2c 01 00 00         // movups  xmmword ptr [esp + 0x12c], xmm0
            8d 84 24 2c 01 00 00            // lea     eax, dword ptr [esp + 0x12c]
            0f 28 05 ?? ?? ?? ??            // movaps  xmm0, xmmword ptr [imm32] (address masked)
            50                              // push    eax
            0f 11 84 24 20 01 00 00         // movups  xmmword ptr [esp + 0x120], xmm0
        }

        // n = 5, score = 300
        $sequence_7 = {
            0f 11 45 bd                     // movups  xmmword ptr [ebp - 0x43], xmm0
            66 89 5d d9                     // mov     word ptr [ebp - 0x27], bx
            88 5d db                        // mov     byte ptr [ebp - 0x25], bl
            e8 ?? ?? ?? ??                  // call    rel32 (target masked)
            84 c0                           // test    al, al
        }

        // n = 7, score = 300
        $sequence_8 = {
            e8 ?? ?? ?? ??                  // call    rel32 (target masked)
            8b 74 24 14                     // mov     esi, dword ptr [esp + 0x14]
            83 c4 08                        // add     esp, 8
            85 c0                           // test    eax, eax
            74 8d                           // je      0xffffff8f
            68 ?? ?? ?? ??                  // push    imm32 (value masked)
            50                              // push    eax
        }

        // n = 7, score = 300
        $sequence_9 = {
            75 f8                           // jne     0xfffffffa
            8b ca                           // mov     ecx, edx
            8d 84 24 50 07 00 00            // lea     eax, dword ptr [esp + 0x750]
            c1 e9 02                        // shr     ecx, 2
            f3 a5                           // rep movsd dword ptr es:[edi], dword ptr [esi]
            8b ca                           // mov     ecx, edx
            83 e1 03                        // and     ecx, 3
        }

    condition:
        // Cheap size check first; then at least 7 of the 10 code sequences.
        filesize < 393216 and 7 of ($sequence_*)
}