win.funny_dream

FunnyDream


There is no description at this point.

References
2021-12-08 · Recorded Future · Insikt Group®
@techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-04 · nao_sec blog · nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 · NTT Security · Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 · Bitdefender · Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20230715 | Detects win.funny_dream.)
rule win_funny_dream_auto {
    // Auto-generated code-sequence signature for the FunnyDream Windows family
    // (Malpedia id win.funny_dream). Each $sequence_N is a short run of 32-bit
    // x86 machine code taken from unpacked code (see DISCLAIMER below), so a
    // packed sample on disk is not expected to match until it is unpacked or
    // dumped from memory. "??" bytes are wildcards that mask the immediate
    // operand of call/mov instructions (ff15, e8, 8b1d), which is why the
    // disassembly column is left blank on those lines -- likely because the
    // operand is a relocatable address that differs between builds.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Two small constant arguments (5, 0x40) pushed ahead of an indirect
        // call through an import slot; the result is kept in esi.
        $sequence_0 = { 56 ffd0 6a05 6a40 b371 ff15???????? 8bf0 }
            // n = 7, score = 300
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   6a05                 | push                5
            //   6a40                 | push                0x40
            //   b371                 | mov                 bl, 0x71
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        // Loop tail: compares esi against a field at [edi+0x14] and jumps
        // backwards (0xffffffe8 is a negative relative target) while unequal.
        $sequence_1 = { 83c404 8bde 3b7714 75e6 8b4714 }
            // n = 5, score = 300
            //   83c404               | add                 esp, 4
            //   8bde                 | mov                 ebx, esi
            //   3b7714               | cmp                 esi, dword ptr [edi + 0x14]
            //   75e6                 | jne                 0xffffffe8
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]

        // Loads a function pointer from a masked absolute address into ebx and
        // calls it with the single constant argument 0x96 (150).
        $sequence_2 = { ffd7 8b1d???????? 6896000000 ffd3 }
            // n = 4, score = 300
            //   ffd7                 | call                edi
            //   8b1d????????         |                     
            //   6896000000           | push                0x96
            //   ffd3                 | call                ebx

        // Four-argument call through an import slot: 0, 0x200 (512) and two
        // stack locals; the return value is kept in esi.
        $sequence_3 = { 7f19 6a00 6800020000 ff75fc ff75f8 ff15???????? 8bf0 }
            // n = 7, score = 300
            //   7f19                 | jg                  0x1b
            //   6a00                 | push                0
            //   6800020000           | push                0x200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        // Direct call (target masked) followed by pushing 0x100 (256), taking
        // the address of a stack buffer and storing 0x40 into a nearby local.
        $sequence_4 = { 50 e8???????? 6800010000 8d85bcfeffff c785a8feffff40000000 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   6800010000           | push                0x100
            //   8d85bcfeffff         | lea                 eax, [ebp - 0x144]
            //   c785a8feffff40000000     | mov    dword ptr [ebp - 0x158], 0x40

        // Stack-built string: the three dword stores are, read as little-endian
        // ASCII, "Shel" (0x6c656853), "l32." (0x2e32336c) and "dll\0"
        // (0x6c6c64), i.e. "Shell32.dll" assembled at [ebp-0x1c]. Building the
        // name this way likely keeps it out of the binary's plain string table,
        // so a strings-based scan would not see it.
        $sequence_5 = { 8d45e4 50 33f6 c745e45368656c c745e86c33322e c745ec646c6c00 }
            // n = 6, score = 300
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   33f6                 | xor                 esi, esi
            //   c745e45368656c       | mov                 dword ptr [ebp - 0x1c], 0x6c656853
            //   c745e86c33322e       | mov                 dword ptr [ebp - 0x18], 0x2e32336c
            //   c745ec646c6c00       | mov                 dword ptr [ebp - 0x14], 0x6c6c64

        // Another stack-built string fragment: 0x6e72656b is "kern" in
        // little-endian ASCII, stored at [ebp-0x24]. Only these four bytes are
        // visible in this sequence; the rest of the name is not captured here.
        $sequence_6 = { c785bcfdffff01000000 668985c0fdffff 83c40c 8d85f8feffff c745dc6b65726e 898598fdffff }
            // n = 6, score = 300
            //   c785bcfdffff01000000     | mov    dword ptr [ebp - 0x244], 1
            //   668985c0fdffff       | mov                 word ptr [ebp - 0x240], ax
            //   83c40c               | add                 esp, 0xc
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   c745dc6b65726e       | mov                 dword ptr [ebp - 0x24], 0x6e72656b
            //   898598fdffff         | mov                 dword ptr [ebp - 0x268], eax

        // Counted loop tail: eax advances by 6 per iteration and edi is compared
        // with 0xf (15) before a backward jl (0xffffffa1 is a negative target).
        $sequence_7 = { 8b4c2420 83c006 89442414 83ff0f 7c9f }
            // n = 5, score = 300
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   83c006               | add                 eax, 6
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   83ff0f               | cmp                 edi, 0xf
            //   7c9f                 | jl                  0xffffffa1

        // Two calls through the same register (edi), separated by a null check
        // on a field at [esi+0x20] that skips forward (je 0x1b6) when zero.
        $sequence_8 = { 50 ffd7 8b4620 85c0 0f84b0010000 50 ffd7 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   85c0                 | test                eax, eax
            //   0f84b0010000         | je                  0x1b6
            //   50                   | push                eax
            //   ffd7                 | call                edi

        // Copies three dwords from stack locals into an output buffer at the
        // unaligned offsets +5, +9 and +0xd, then advances edi by 0x11 (17) --
        // looks like serialization of a 17-byte record; exact layout is not
        // visible here.
        $sequence_9 = { 8b85c4fdffff 89441f05 8b85b8fdffff 89441f09 8b85bcfdffff 89441f0d 83c711 }
            // n = 7, score = 300
            //   8b85c4fdffff         | mov                 eax, dword ptr [ebp - 0x23c]
            //   89441f05             | mov                 dword ptr [edi + ebx + 5], eax
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   89441f09             | mov                 dword ptr [edi + ebx + 9], eax
            //   8b85bcfdffff         | mov                 eax, dword ptr [ebp - 0x244]
            //   89441f0d             | mov                 dword ptr [edi + ebx + 0xd], eax
            //   83c711               | add                 edi, 0x11

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 393216 bytes (384 KiB). The size bound
        // limits scan cost and false positives on large files, but it also
        // means oversized dumps (e.g. a full process image) will not match
        // even when the code is present.
        7 of them and filesize < 393216
}