SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fusiondrive (Back to overview)

FusionDrive

Actor(s): APT28

There is no description at this point.

References
2023-04-19MicrosoftJustin Warner, Microsoft Threat Intelligence Center (MSTIC)
@online{warner:20230419:exploring:c68c1d0, author = {Justin Warner and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Exploring STRONTIUM's Abuse of Cloud Services}}, date = {2023-04-19}, organization = {Microsoft}, url = {https://www.youtube.com/watch?v=_qdCGgQlHJE}, language = {English}, urldate = {2023-04-22} } Exploring STRONTIUM's Abuse of Cloud Services
FusionDrive
Yara Rules
[TLP:WHITE] win_fusiondrive_auto (20230715 | Detects win.fusiondrive.)
rule win_fusiondrive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.fusiondrive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 49895108 d3e8 41894118 0fb60a 83e10f 4a0fbe8411a8150100 }
            // n = 6, score = 100
            //   49895108             | inc                 eax
            //   d3e8                 | xor                 bh, bh
            //   41894118             | inc                 ecx
            //   0fb60a               | mov                 eax, 0x104
            //   83e10f               | dec                 eax
            //   4a0fbe8411a8150100     | lea    edx, [ebp - 0x70]

        $sequence_1 = { 3bc6 752c 897c2420 4c8d4c2460 4d8bc5 ba02000000 488b8c2488000000 }
            // n = 7, score = 100
            //   3bc6                 | inc                 ecx
            //   752c                 | xor                 word ptr [edx], ax
            //   897c2420             | dec                 eax
            //   4c8d4c2460           | lea                 edx, [edx + 2]
            //   4d8bc5               | dec                 eax
            //   ba02000000           | lea                 edx, [0x13389]
            //   488b8c2488000000     | dec                 eax

        $sequence_2 = { ff25???????? ff25???????? 4883611000 488d056cec0000 48894108 488d0551ec0000 }
            // n = 6, score = 100
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   4883611000           | lea                 edx, [0xb637]
            //   488d056cec0000       | mov                 ecx, 3
            //   48894108             | dec                 esp
            //   488d0551ec0000       | lea                 eax, [0xb623]

        $sequence_3 = { 4883c118 e9???????? 488b8a38000000 4883c120 e9???????? 488d8a68000000 e9???????? }
            // n = 7, score = 100
            //   4883c118             | dec                 eax
            //   e9????????           |                     
            //   488b8a38000000       | lea                 edx, [0xb69a]
            //   4883c120             | mov                 ebx, edx
            //   e9????????           |                     
            //   488d8a68000000       | dec                 esp
            //   e9????????           |                     

        $sequence_4 = { b201 488bcb e8???????? 488d4d88 e8???????? 488d1543530100 488d4d88 }
            // n = 7, score = 100
            //   b201                 | mov                 ecx, dword ptr [esp + 0x88]
            //   488bcb               | jne                 0x3cb
            //   e8????????           |                     
            //   488d4d88             | inc                 esp
            //   e8????????           |                     
            //   488d1543530100       | lea                 eax, [ebx + 7]
            //   488d4d88             | dec                 ecx

        $sequence_5 = { 48890d???????? e8???????? 4c8d0db9330100 4c8bc0 b201 }
            // n = 5, score = 100
            //   48890d????????       |                     
            //   e8????????           |                     
            //   4c8d0db9330100       | jae                 0x245
            //   4c8bc0               | dec                 esp
            //   b201                 | mov                 edi, dword ptr [ebp - 0x58]

        $sequence_6 = { 488d442470 4889442428 897c2420 4533c9 }
            // n = 4, score = 100
            //   488d442470           | mov                 dword ptr [ebp - 0x10], eax
            //   4889442428           | dec                 eax
            //   897c2420             | lea                 edx, [0x95f4]
            //   4533c9               | mov                 eax, 5

        $sequence_7 = { e8???????? 488d4d88 e8???????? 488d1543530100 488d4d88 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d4d88             | lea                 ecx, [esp + 0x60]
            //   e8????????           |                     
            //   488d1543530100       | dec                 eax
            //   488d4d88             | mov                 ecx, dword ptr [esp + 0x98]
            //   e8????????           |                     

        $sequence_8 = { 776a e8???????? 85c0 7428 85db 7524 488d0d92a30100 }
            // n = 7, score = 100
            //   776a                 | mov                 eax, dword ptr [ecx + 0x1e020]
            //   e8????????           |                     
            //   85c0                 | dec                 ebp
            //   7428                 | cmovae              ecx, edi
            //   85db                 | dec                 eax
            //   7524                 | lea                 edi, [esp + 0x20]
            //   488d0d92a30100       | dec                 ecx

        $sequence_9 = { 428a8c01b8150100 482bd0 8b42fc d3e8 41894720 488d4204 49895708 }
            // n = 7, score = 100
            //   428a8c01b8150100     | dec                 eax
            //   482bd0               | mov                 dword ptr [ebp + 0x1a0], eax
            //   8b42fc               | inc                 eax
            //   d3e8                 | xor                 bh, bh
            //   41894720             | dec                 eax
            //   488d4204             | lea                 esi, [ebx + 0x128]
            //   49895708             | mov                 ebp, 6

    condition:
        7 of them and filesize < 290816
}
Download all Yara Rules