win.funny_dream

FunnyDream


There is no description at this point.

References
2021-12-08 · Recorded Future · Insikt Group®
@techreport{group:20211208:chinese:98ded4d, author = {Insikt Group®}, title = {{Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia}}, date = {2021-12-08}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf}, language = {English}, urldate = {2021-12-23} } Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
Chinoxy FunnyDream
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-01-04 · nao_sec blog · nao_sec
@online{naosec:20210104:royal:041b9d3, author = {nao_sec}, title = {{Royal Road! Re:Dive}}, date = {2021-01-04}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/01/royal-road-redive.html}, language = {English}, urldate = {2021-01-05} } Royal Road! Re:Dive
8.t Dropper Chinoxy FlowCloud FunnyDream Lookback
2020-12-11 · NTT Security · Hiroki Hada
@online{hada:20201211:pandas:b182e4e, author = {Hiroki Hada}, title = {{Panda’s New Arsenal: Part 3 Smanager}}, date = {2020-12-11}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager}, language = {Japanese}, urldate = {2021-01-01} } Panda’s New Arsenal: Part 3 Smanager
FunnyDream SManager Tmanger
2020-11-16 · Bitdefender · Victor Vrabie, Liviu Arsene
@techreport{vrabie:20201116:dissecting:1b39d4d, author = {Victor Vrabie and Liviu Arsene}, title = {{Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions}}, date = {2020-11-16}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf}, language = {English}, urldate = {2020-11-18} } Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions
Chinoxy FunnyDream
Yara Rules
[TLP:WHITE] win_funny_dream_auto (20230125 | Detects win.funny_dream.)
rule win_funny_dream_auto {
    // Auto-generated code-sequence signature for the FunnyDream Windows malware
    // family (Malpedia id win.funny_dream). Each $sequence_N is a run of x86
    // opcode bytes lifted from disassembly of unpacked samples; the indented
    // comments under each string give the instruction each byte group encodes.
    // Read the DISCLAIMER below before assigning this rule a confidence level:
    // it was produced from Malpedia samples, which for some families means a
    // single specimen, so coverage of other builds is not guaranteed.

    meta:
        // Provenance and licensing only; YARA does not use meta fields when matching.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.funny_dream."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Notation: `??` bytes are wildcards. They appear on the 4-byte operands of
        // ff15 (call [imm32]), e8 (call rel32), 68 (push imm32) and 8b35 (mov esi,
        // [imm32]); the disassembly column is left blank for those because the
        // operand is masked -- presumably so the rule tolerates different image
        // bases and link layouts. Each "n = N, score = S" line is generator output:
        // n is the instruction count of the sequence; score is the generator's own
        // ranking metric (semantics not documented here).
        //
        // Several sequences capture "stack strings": 32-bit immediates written to
        // consecutive stack slots that decode, little-endian, to ASCII. Those are
        // called out inline, since they are the most recognisable anchors in the
        // rule and the first thing to re-check if a new build stops matching.
        $sequence_0 = { ff15???????? 8bd8 c745f025735c2a 56 8d45f0 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   c745f025735c2a       | mov                 dword ptr [ebp - 0x10], 0x2a5c7325
            //   56                   | push                esi
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            // 0x2a5c7325 is the bytes 25 73 5c 2a = "%s\*", a path-pattern fragment
            // placed on the stack right after an imported-function call.

        $sequence_1 = { 50 6a00 6a00 6a00 ffb5b4feffff ff15???????? 6a40 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffb5b4feffff         | push                dword ptr [ebp - 0x14c]
            //   ff15????????         |                     
            //   6a40                 | push                0x40
            // Four stdcall arguments pushed (eax, 0, 0, 0, a local) before an import
            // call, then 0x40 pushed for the next call; the callee is masked.

        $sequence_2 = { 57 8945f8 8bf9 8b02 68???????? c745fc00000000 894508 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8bf9                 | mov                 edi, ecx
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   68????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   894508               | mov                 dword ptr [ebp + 8], eax
            // Function prologue fragment; `mov edi, ecx` suggests a thiscall-style
            // this-pointer being saved -- inference from register use, not confirmed.

        $sequence_3 = { e8???????? 8be5 5d c20800 0f57c0 c744244a00000000 b802000000 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   0f57c0               | xorps               xmm0, xmm0
            //   c744244a00000000     | mov                 dword ptr [esp + 0x4a], 0
            //   b802000000           | mov                 eax, 2
            // Spans a function boundary: epilogue (`ret 8`, two dword args) followed
            // by the start of the next function, which zeroes xmm0 for a stack clear.

        $sequence_4 = { 7736 b902000000 66890f 8b400c 8b00 }
            // n = 5, score = 300
            //   7736                 | ja                  0x38
            //   b902000000           | mov                 ecx, 2
            //   66890f               | mov                 word ptr [edi], cx
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b00                 | mov                 eax, dword ptr [eax]
            // Writes the 16-bit value 2 through edi, then a two-level pointer
            // dereference ([eax+0xc] then [eax]).

        $sequence_5 = { 8a02 42 84c0 75f9 8dbdb4fdffff 2bd6 }
            // n = 6, score = 300
            //   8a02                 | mov                 al, byte ptr [edx]
            //   42                   | inc                 edx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   8dbdb4fdffff         | lea                 edi, [ebp - 0x24c]
            //   2bd6                 | sub                 edx, esi
            // Inlined strlen: scan from edx until a NUL byte, then compute the
            // length as edx - esi. [ebp - 0x24c] is the same buffer $sequence_9
            // fills, so these two strings likely come from the same function.

        $sequence_6 = { 53 56 8b35???????? 57 68???????? c745d800000000 c745d004000000 }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b35????????         |                     
            //   57                   | push                edi
            //   68????????           |                     
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0
            //   c745d004000000       | mov                 dword ptr [ebp - 0x30], 4
            // Callee-saved register pushes, an import pointer loaded into esi
            // (masked), and two locals initialised to 0 and 4.

        $sequence_7 = { 6a78 8d8500ffffff c685effdffff00 6a00 50 8bf1 c785f8feffff74657374 }
            // n = 7, score = 300
            //   6a78                 | push                0x78
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   c685effdffff00       | mov                 byte ptr [ebp - 0x211], 0
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8bf1                 | mov                 esi, ecx
            //   c785f8feffff74657374     | mov    dword ptr [ebp - 0x108], 0x74736574
            // 0x74736574 is the bytes 74 65 73 74 = "test" written to a 0x78-byte
            // (120-byte) stack buffer at [ebp - 0x100]; [ebp - 0x211] is NUL-terminated.

        $sequence_8 = { 53 8a4810 8d4602 50 884e01 e8???????? 8b4508 }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   8a4810               | mov                 cl, byte ptr [eax + 0x10]
            //   8d4602               | lea                 eax, [esi + 2]
            //   50                   | push                eax
            //   884e01               | mov                 byte ptr [esi + 1], cl
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            // Copies one byte from [eax+0x10] into [esi+1] and passes esi+2 to a
            // local (masked) call -- looks like a small header/packet builder.

        $sequence_9 = { 8d85c2fdffff c785b4fdffff2f632072 6a00 50 c785b8fdffff6d646972 c785bcfdffff202f7320 66c785c0fdffff2f71 }
            // n = 7, score = 300
            //   8d85c2fdffff         | lea                 eax, [ebp - 0x23e]
            //   c785b4fdffff2f632072     | mov    dword ptr [ebp - 0x24c], 0x7220632f
            //   6a00                 | push                0
            //   50                   | push                eax
            //   c785b8fdffff6d646972     | mov    dword ptr [ebp - 0x248], 0x7269646d
            //   c785bcfdffff202f7320     | mov    dword ptr [ebp - 0x244], 0x20732f20
            //   66c785c0fdffff2f71     | mov    word ptr [ebp - 0x240], 0x712f
            // Stack string at consecutive slots -0x24c, -0x248, -0x244, -0x240:
            //   2f 63 20 72 | 6d 64 69 72 | 20 2f 73 20 | 2f 71  ->  "/c rmdir /s /q"
            // i.e. a cmd.exe argument for recursive, prompt-free directory removal,
            // presumably used for self-cleanup or file destruction. This is the most
            // specific indicator in the rule and a useful pivot for hunting queries
            // (command-line telemetry for `rmdir /s /q` spawned by unexpected parents).

    condition:
        // At least 7 of the 10 sequences must hit, so a rebuilt sample may drop up
        // to 3 of them and still match. 393216 bytes = 384 KiB; the size cap keeps
        // the rule cheap on large files but would miss a padded or bundled sample.
        7 of them and filesize < 393216
}