
GhostEmperor


There is no description at this point.

References
2021-09-30 — Kaspersky — Aseel Kayal, Mark Lechtik, Paul Rascagnères, Vasily Berdnikov
GhostEmperor: From ProxyLogon to kernel mode
GhostEmperor GhostEmperor
2021-07-29 — Kaspersky — Kaspersky
GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit
GhostEmperor
Yara Rules
[TLP:WHITE] win_ghostemperor_auto (20230808 | Detects win.ghostemperor.)
rule win_ghostemperor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ghostemperor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THE STRINGS BELOW (reviewer note)
     * Each $sequence_N is a run of raw opcode bytes lifted from the sample's
     * code. "??" bytes are wildcards so that call/jump targets and
     * RIP-relative displacements do not have to match: e8 = call rel32,
     * ff15 = call [mem], ff25 = jmp [mem]. The "n = ..." comment is the number
     * of instructions in the sequence; the meaning of "score" is not defined
     * on this page and should be taken from the yara-signator documentation.
     *
     * The "| mnemonic" column next to each byte group is the generator's
     * disassembly listing and is NOT a reliable decode of the bytes beside it.
     * It appears to be a 32-bit-mode disassembly of 64-bit code (the many
     * "dec eax" / "dec ecx" / "inc ecx" entries are REX prefixes 0x48/0x49/
     * 0x41/0x44/0x45 decoded as stand-alone instructions), and the rows
     * appear shifted relative to the bytes they sit next to. Example from
     * $sequence_0: b801000000 is `mov eax, 1`, 4883c428 is `add rsp, 0x28`,
     * and 5b 5d 5f 5e are `pop rbx / rbp / rdi / rsi` -- a function epilogue
     * returning 1, not the memory stores the listing shows. The rule matches
     * on the bytes only, so detection is unaffected; re-disassemble the bytes
     * in 64-bit mode before drawing conclusions from a hit.
     */

    strings:
        // 64-bit decode: mov eax,1 ; add rsp,0x28 ; pop rbx ; pop rbp ; pop rdi ; pop rsi
        // (epilogue of a function that returns 1; the listing below is misaligned)
        $sequence_0 = { b801000000 4883c428 5b 5d 5f 5e }
            // n = 6, score = 200
            //   b801000000           | mov                 dword ptr [esi + 8], 0
            //   4883c428             | mov                 dword ptr [esi + 0x10], 0
            //   5b                   | test                edi, edi
            //   5d                   | je                  0x1b
            //   5f                   | dec                 eax
            //   5e                   | mov                 ecx, esi

        // 64-bit decode: xor edx,edx ; mov r8d,1 ; xor r9d,r9d ; call qword ptr [rip+disp32]
        // i.e. an indirect (import-table style) call with the 2nd..4th Microsoft x64
        // arguments set to 0, 1, 0; the 1st argument (rcx) is set before this sequence.
        $sequence_1 = { 31d2 41b801000000 4531c9 ff15???????? }
            // n = 4, score = 200
            //   31d2                 | inc                 ecx
            //   41b801000000         | shr                 edx, 3
            //   4531c9               | inc                 ecx
            //   ff15????????         |                     

        // 64-bit decode: shr r10d,3 ; and r8d,7 ; test r10d,r10d ; je +0xb9
        // (divide-by-8 / remainder-mod-8 split, typical of an 8-byte-chunked loop)
        $sequence_2 = { 41c1ea03 4183e007 4585d2 0f84b9000000 }
            // n = 4, score = 200
            //   41c1ea03             | ret                 
            //   4183e007             | dec                 eax
            //   4585d2               | test                ecx, ecx
            //   0f84b9000000         | je                  0xf

        $sequence_3 = { 8b5b10 4885db 7431 c7471800000000 89d9 }
            // n = 5, score = 200
            //   8b5b10               | dec                 eax
            //   4885db               | mov                 dword ptr [esi + 8], 0
            //   7431                 | dec                 ecx
            //   c7471800000000       | mov                 ecx, ecx
            //   89d9                 | dec                 eax

        $sequence_4 = { e8???????? 48c7470800000000 c7471000000000 4c8d7e18 4c89f9 ff15???????? 448b4648 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48c7470800000000     | mov                 eax, edx
            //   c7471000000000       | inc                 ebp
            //   4c8d7e18             | lea                 ebx, [edx - 1]
            //   4c89f9               | inc                 ecx
            //   ff15????????         |                     
            //   448b4648             | test                dl, 3

        $sequence_5 = { 4885c9 740d e8???????? 48c7460800000000 }
            // n = 4, score = 200
            //   4885c9               | dec                 eax
            //   740d                 | lea                 eax, [0x5457]
            //   e8????????           |                     
            //   48c7460800000000     | dec                 eax

        $sequence_6 = { 4989c9 4889d0 458d5aff 41f6c203 7427 4489d1 83e103 }
            // n = 7, score = 200
            //   4989c9               | mov                 ebx, ecx
            //   4889d0               | dec                 eax
            //   458d5aff             | mov                 dword ptr [ecx], eax
            //   41f6c203             | dec                 eax
            //   7427                 | lea                 ecx, [ebp + 0x72]
            //   4489d1               | inc                 ecx
            //   83e103               | mov                 edi, 2

        // 64-bit decode: add rsp,0x10 ; ret ; then five `jmp qword ptr [rip+disp32]`.
        // A run of consecutive jmp-[mem] stubs looks like a compiler-emitted import
        // thunk table; such a pattern is common across unrelated x64 binaries, so
        // this sequence on its own carries little family-specific weight.
        $sequence_7 = { 4883c410 c3 ff25???????? ff25???????? ff25???????? ff25???????? ff25???????? }
            // n = 7, score = 200
            //   4883c410             | dec                 eax
            //   c3                   | mov                 edx, ebp
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   ff25????????         |                     

        $sequence_8 = { 4889c1 4863c6 488d0440 48c1e004 4801c8 eb02 31c0 }
            // n = 7, score = 200
            //   4889c1               | dec                 eax
            //   4863c6               | sub                 eax, ecx
            //   488d0440             | movzx               edx, word ptr [edi]
            //   48c1e004             | dec                 eax
            //   4801c8               | add                 esp, 0x10
            //   eb02                 | ret                 
            //   31c0                 | dec                 esp

        // 64-bit decode: xor esi,esi ; xor edx,edx ; nop word ptr [rax+rax] ;
        //                mov rdi,[rax+rsi*8] ; xor [r9+rsi*8],rdi
        // Looks like the aligned entry of an 8-bytes-at-a-time XOR loop (buffer at
        // r9 xored with data at rax); a useful pivot when triaging a hit.
        $sequence_9 = { 31f6 31d2 660f1f440000 488b3cf0 49313cf1 }
            // n = 5, score = 200
            //   31f6                 | je                  0x34
            //   31d2                 | inc                 esp
            //   660f1f440000         | mov                 ecx, edx
            //   488b3cf0             | and                 ecx, 3
            //   49313cf1             | dec                 eax

        // Four `mov dword ptr [rsp+disp8], imm32` stores to consecutive stack slots.
        // Each immediate holds two 16-bit code units (e.g. 0x00df0049), so this looks
        // like a UTF-16 string being built on the stack four bytes at a time.
        // The immediates are sample-specific, which is why this scores 100 here.
        $sequence_10 = { c74424504900df00 c744245436004d00 c74424586b007100 c744245cf5003400 }
            // n = 4, score = 100
            //   c74424504900df00     | mov                 ebp, edx
            //   c744245436004d00     | mov                 esi, 0x208
            //   c74424586b007100     | mov                 ecx, esi
            //   c744245cf5003400     | mov                 dword ptr [esp + 0x50], 0xdf0049

        // Same stack-built-string pattern as $sequence_10, via [rbp+disp32] slots;
        // 0f88 = js rel32 and 33d2 = xor edx,edx precede the stores.
        $sequence_11 = { 0f8883020000 33d2 c78594000000f1008500 c78598000000a8003f00 448d630e c7859c000000f7003100 }
            // n = 6, score = 100
            //   0f8883020000         | mov                 dword ptr [esp + 0x54], 0x4d0036
            //   33d2                 | mov                 dword ptr [esp + 0x58], 0x71006b
            //   c78594000000f1008500     | mov    dword ptr [esp + 0x5c], 0x3400f5
            //   c78598000000a8003f00     | js    0x289
            //   448d630e             | xor                 edx, edx
            //   c7859c000000f7003100     | mov    dword ptr [ebp + 0x94], 0x8500f1

        $sequence_12 = { 01c1 89ca c1ea1f c1f904 }
            // n = 4, score = 100
            //   01c1                 | mov                 eax, dword ptr [ebp + 0x2b0]
            //   89ca                 | dec                 eax
            //   c1ea1f               | mov                 eax, dword ptr [ebp + 0x2b0]
            //   c1f904               | dec                 eax

        $sequence_13 = { 488d4dd0 48895dd8 895de0 4c8bea e8???????? be08020000 8bce }
            // n = 7, score = 100
            //   488d4dd0             | dec                 eax
            //   48895dd8             | lea                 ecx, [ebp - 0x30]
            //   895de0               | dec                 eax
            //   4c8bea               | mov                 dword ptr [ebp - 0x28], ebx
            //   e8????????           |                     
            //   be08020000           | mov                 dword ptr [ebp - 0x20], ebx
            //   8bce                 | dec                 esp

        $sequence_14 = { 00c2 488b8568020000 8854080c 488b85b0020000 }
            // n = 4, score = 100
            //   00c2                 | xor                 dword ptr [ecx + esi*8], edi
            //   488b8568020000       | mov                 cl, byte ptr [eax + 4]
            //   8854080c             | inc                 ecx
            //   488b85b0020000       | xor                 byte ptr [ecx + 4], cl

        $sequence_15 = { 00c1 488b8568020000 488b95b0020000 884c100c 488b85b0020000 488b85b0020000 488b85b0020000 }
            // n = 7, score = 100
            //   00c1                 | and                 eax, 7
            //   488b8568020000       | inc                 ebp
            //   488b95b0020000       | test                edx, edx
            //   884c100c             | je                  0xca
            //   488b85b0020000       | mov                 ebx, dword ptr [ebx + 0x10]
            //   488b85b0020000       | dec                 eax
            //   488b85b0020000       | test                ebx, ebx

        $sequence_16 = { 85c0 7417 418bce 448bc7 48034e08 488bd5 e8???????? }
            // n = 7, score = 100
            //   85c0                 | dec                 ebp
            //   7417                 | mov                 ebx, dword ptr [edx + 0x10]
            //   418bce               | dec                 ebp
            //   448bc7               | test                ebx, ebx
            //   48034e08             | je                  0xb
            //   488bd5               | dec                 eax
            //   e8????????           |                     

        $sequence_17 = { 7212 4d8b5a10 4d85db 7409 48895c2448 5b }
            // n = 6, score = 100
            //   7212                 | ret                 
            //   4d8b5a10             | or                  eax, 0xffffffff
            //   4d85db               | jmp                 0xfffffff7
            //   7409                 | mov                 eax, 1
            //   48895c2448           | jmp                 0xfffffff7
            //   5b                   | jb                  0x14

        $sequence_18 = { 01c3 69cbe8030000 81c130750000 4883ec20 }
            // n = 4, score = 100
            //   01c3                 | or                  ecx, 1
            //   69cbe8030000         | add                 cl, al
            //   81c130750000         | dec                 eax
            //   4883ec20             | mov                 eax, dword ptr [ebp + 0x268]

        $sequence_19 = { 01d1 89ca c1e205 89cb }
            // n = 4, score = 100
            //   01d1                 | dec                 eax
            //   89ca                 | mov                 dword ptr [ebp + 0xc8], eax
            //   c1e205               | mov                 eax, dword ptr [ebp + 0x2c8]
            //   89cb                 | add                 dl, al

        $sequence_20 = { 7449 8b5c2448 488bc7 d1eb ffcb }
            // n = 5, score = 100
            //   7449                 | mov                 dword ptr [ebp + 0x98], 0x3f00a8
            //   8b5c2448             | inc                 esp
            //   488bc7               | lea                 esp, [ebx + 0xe]
            //   d1eb                 | mov                 dword ptr [ebp + 0x9c], 0x3100f7
            //   ffcb                 | je                  0x4b

        $sequence_21 = { 48895c2408 57 4883ec20 488d0557540000 488bd9 488901 }
            // n = 6, score = 100
            //   48895c2408           | mov                 dword ptr [esp + 0x48], ebx
            //   57                   | pop                 ebx
            //   4883ec20             | test                eax, eax
            //   488d0557540000       | je                  0x19
            //   488bd9               | inc                 ecx
            //   488901               | mov                 ecx, esi

        // Decode: ret ; or eax,-1 ; jmp -0xb ; mov eax,1 ; jmp -0x12
        // (two out-of-line return-value tails, -1 and 1, jumping back to a shared ret path)
        $sequence_22 = { c3 83c8ff ebf5 b801000000 ebee }
            // n = 5, score = 100
            //   c3                   | mov                 ebx, dword ptr [esp + 0x48]
            //   83c8ff               | dec                 eax
            //   ebf5                 | mov                 eax, edi
            //   b801000000           | shr                 ebx, 1
            //   ebee                 | dec                 ebx

    condition:
        // Fire when any 7 of the 23 byte sequences above are present and the
        // scanned object is smaller than 1115136 bytes (~1.06 MiB). The size cap
        // is presumably derived from the sample(s) the rule was generated from, so
        // a larger container (full memory dump, padded or repacked sample) will not
        // match even if it carries the code -- scan unpacked/extracted modules,
        // and weigh hits per the DISCLAIMER above when assigning confidence.
        7 of them and filesize < 1115136
}