win.funny_dream

FunnyDream


There is no description at this point.

References
2021-12-08 · Recorded Future · Insikt Group®
@techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-01-04 · nao_sec blog · nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 · NTT Security · Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 · Bitdefender · Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20220516 | Detects win.funny_dream.)
// Auto-generated code-sequence signature for the FunnyDream Windows family
// (Malpedia id win.funny_dream). The hex patterns below are signature data
// emitted by yara-signator; keep them byte-for-byte as published so the rule
// stays consistent with the malpedia_* provenance fields in `meta`.
rule win_funny_dream_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        // NOTE(review): malpedia_rule_date / malpedia_hash / malpedia_version
        // presumably pin the Malpedia corpus snapshot the rule was generated
        // from — confirm against the yara-signator documentation before
        // relying on them for versioning.
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of consecutive x86 (32-bit) instruction
     * encodings taken from the sample's disassembly; the comments under each
     * string list the bytes and the disassembly they came from.
     * "??" is the YARA single-byte wildcard. It is used where the operand is
     * sample-specific (a relocated address or call displacement), so
     * `ff15????????` matches any `call dword ptr [imm32]` and
     * `e8????????` any `call rel32`; the disassembly column is left blank
     * for those entries because the target cannot be fixed in the signature.
     * "n" is the number of instructions in the sequence; "score" is the
     * generator's selection score (see the yara-signator project for its
     * exact meaning).
     */
    strings:
        $sequence_0 = { 740a 6800800000 6a00 50 ffd3 8d472c }
            // n = 6, score = 300
            //   740a                 | je                  0xc
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d472c               | lea                 eax, [edi + 0x2c]

        $sequence_1 = { ff15???????? ffb3c4000000 ff15???????? c783c0000000ffffffff 8b4df8 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   ffb3c4000000         | push                dword ptr [ebx + 0xc4]
            //   ff15????????         |                     
            //   c783c0000000ffffffff     | mov    dword ptr [ebx + 0xc0], 0xffffffff
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_2 = { 47 6a3b 57 e8???????? 6a3a 57 8945fc }
            // n = 7, score = 300
            //   47                   | inc                 edi
            //   6a3b                 | push                0x3b
            //   57                   | push                edi
            //   e8????????           |                     
            //   6a3a                 | push                0x3a
            //   57                   | push                edi
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_3 = { 8b4904 e8???????? 5e 5d c20800 57 0fb67e01 }
            // n = 7, score = 300
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   57                   | push                edi
            //   0fb67e01             | movzx               edi, byte ptr [esi + 1]

        $sequence_4 = { 899de8f7ffff 8d85ecf7ffff c785ecf7ffff00000000 50 687e660480 57 ff15???????? }
            // n = 7, score = 300
            //   899de8f7ffff         | mov                 dword ptr [ebp - 0x818], ebx
            //   8d85ecf7ffff         | lea                 eax, [ebp - 0x814]
            //   c785ecf7ffff00000000     | mov    dword ptr [ebp - 0x814], 0
            //   50                   | push                eax
            //   687e660480           | push                0x8004667e
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_5 = { 837b04ff 8d7e20 7510 e8???????? 33c0 }
            // n = 5, score = 300
            //   837b04ff             | cmp                 dword ptr [ebx + 4], -1
            //   8d7e20               | lea                 edi, [esi + 0x20]
            //   7510                 | jne                 0x12
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 8a85a4fdffff 8db5d0fdffff 2410 8d4e01 }
            // n = 4, score = 300
            //   8a85a4fdffff         | mov                 al, byte ptr [ebp - 0x25c]
            //   8db5d0fdffff         | lea                 esi, [ebp - 0x230]
            //   2410                 | and                 al, 0x10
            //   8d4e01               | lea                 ecx, [esi + 1]

        $sequence_7 = { 83c404 85c0 7458 6a10 8d442434 50 ffb3c0000000 }
            // n = 7, score = 300
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7458                 | je                  0x5a
            //   6a10                 | push                0x10
            //   8d442434             | lea                 eax, [esp + 0x34]
            //   50                   | push                eax
            //   ffb3c0000000         | push                dword ptr [ebx + 0xc0]

        $sequence_8 = { 6a01 ff10 8b4610 89460c }
            // n = 4, score = 300
            //   6a01                 | push                1
            //   ff10                 | call                dword ptr [eax]
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_9 = { e8???????? 57 e8???????? 83c404 8bfe 3b7314 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bfe                 | mov                 edi, esi
            //   3b7314               | cmp                 esi, dword ptr [ebx + 0x14]

    // Fires when at least 7 of the 10 sequences above are present and the
    // scanned object is smaller than 393216 bytes (0x60000 = 384 KiB). The
    // size bound is a cheap pre-filter inherited from the generator; the
    // sequences come from unpacked/memory-dumped samples (see DISCLAIMER), so
    // expect reduced coverage on packed on-disk files.
    condition:
        7 of them and filesize < 393216
}