win.ghostemperor

GhostEmperor


There is no description at this point.

References
2021-09-30 | Kaspersky | Mark Lechtik, Aseel Kayal, Paul Rascagnères, Vasily Berdnikov
@online{lechtik:20210930:ghostemperor:f7bdb63, author = {Mark Lechtik and Aseel Kayal and Paul Rascagnères and Vasily Berdnikov}, title = {{GhostEmperor: From ProxyLogon to kernel mode}}, date = {2021-09-30}, organization = {Kaspersky}, url = {https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/}, language = {English}, urldate = {2021-10-05} } GhostEmperor: From ProxyLogon to kernel mode
GhostEmperor
2021-07-29 | Kaspersky | Kaspersky
@online{kaspersky:20210729:ghostemperor:c9ddfe4, author = {Kaspersky}, title = {{GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit}}, date = {2021-07-29}, organization = {Kaspersky}, url = {https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit}, language = {English}, urldate = {2021-10-07} } GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit
GhostEmperor
Yara Rules
[TLP:WHITE] win_ghostemperor_auto (20211008 | Detects win.ghostemperor.)
rule win_ghostemperor_auto {

    /* Auto-generated YARA-Signator rule for the GhostEmperor (win.ghostemperor)
     * family.  Each string is an opcode byte sequence lifted from unpacked code
     * / memory dumps, so the rule targets the *unpacked* payload; packed or
     * encrypted on-disk stages are not expected to match.
     *
     * NOTE(review): the per-instruction annotations shipped with the original
     * rule did not line up with the bytes they sat next to (e.g. c644247041 is
     * a byte store to the stack, not a register load).  They have been replaced
     * with a hand decoding of the bytes shown; the REX prefixes 41/44/45/48/49/4c
     * present in several sequences pin the code to 64-bit mode.  Confirm with a
     * disassembler before relying on any single annotation. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.ghostemperor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Several sequences are runs of `mov byte ptr [rsp + disp], imm8` with
        // printable immediates, i.e. stack-string construction.  Offsets of a
        // relative call/jmp (e8/e9) are wildcarded so the patterns stay
        // position-independent.
        $sequence_0 = { c644247041 c644247264 c644246d72 c644246f63 c644246b74 c644247164 c644246947 }
            // n = 7, score = 100
            // Offsets 0x69..0x72 with values G,t,r,c,A,d,d are consistent with a
            // stack-string spelling of "GetProcAddress" (the remaining characters
            // would be written by instructions outside this sequence).
            //   c644247041           | mov                 byte ptr [rsp + 0x70], 0x41    ; 'A'
            //   c644247264           | mov                 byte ptr [rsp + 0x72], 0x64    ; 'd'
            //   c644246d72           | mov                 byte ptr [rsp + 0x6d], 0x72    ; 'r'
            //   c644246f63           | mov                 byte ptr [rsp + 0x6f], 0x63    ; 'c'
            //   c644246b74           | mov                 byte ptr [rsp + 0x6b], 0x74    ; 't'
            //   c644247164           | mov                 byte ptr [rsp + 0x71], 0x64    ; 'd'
            //   c644246947           | mov                 byte ptr [rsp + 0x69], 0x47    ; 'G'

        $sequence_1 = { c684241224000064 c6842411240000c1 c684241024000071 c78424fc230000e8fa571c 448b8c24fc230000 4589ca 41c1ea04 }
            // n = 7, score = 100
            // Byte stores into a large stack frame followed by a dword store,
            // reload, copy and shift-by-4.  The 0xc1 byte is not printable, so
            // this is probably encoded data rather than a plain string — unverified.
            //   c684241224000064     | mov                 byte ptr [rsp + 0x2412], 0x64
            //   c6842411240000c1     | mov                 byte ptr [rsp + 0x2411], 0xc1
            //   c684241024000071     | mov                 byte ptr [rsp + 0x2410], 0x71
            //   c78424fc230000e8fa571c     | mov    dword ptr [rsp + 0x23fc], 0x1c57fae8
            //   448b8c24fc230000     | mov                 r9d, dword ptr [rsp + 0x23fc]
            //   4589ca               | mov                 r10d, r9d
            //   41c1ea04             | shr                 r10d, 4

        $sequence_2 = { 4c898c2438180000 e8???????? 488b8c2468180000 884106 4c8b8c2438180000 4983c101 4c8b942438260000 }
            // n = 7, score = 100
            // Spill r9, call, then write one byte at [rcx + 6] and bump r9 by one —
            // reads like a byte-at-a-time copy/emit loop body; call target wildcarded.
            //   4c898c2438180000     | mov                 qword ptr [rsp + 0x1838], r9
            //   e8????????           | call                <rel32 wildcarded>
            //   488b8c2468180000     | mov                 rcx, qword ptr [rsp + 0x1868]
            //   884106               | mov                 byte ptr [rcx + 6], al
            //   4c8b8c2438180000     | mov                 r9, qword ptr [rsp + 0x1838]
            //   4983c101             | add                 r9, 1
            //   4c8b942438260000     | mov                 r10, qword ptr [rsp + 0x2638]

        $sequence_3 = { c68424b028000065 c68424a428000052 c68424af2800004d c68424b22800006f c68424a828000050 c68424b428000079 48898c2460210000 }
            // n = 7, score = 100
            // Printable byte stores (R, P, M, e, o, y) into a stack buffer at
            // 0x28a4..0x28b4 — stack-string construction; the full string is not
            // recoverable from these seven bytes alone.
            //   c68424b028000065     | mov                 byte ptr [rsp + 0x28b0], 0x65    ; 'e'
            //   c68424a428000052     | mov                 byte ptr [rsp + 0x28a4], 0x52    ; 'R'
            //   c68424af2800004d     | mov                 byte ptr [rsp + 0x28af], 0x4d    ; 'M'
            //   c68424b22800006f     | mov                 byte ptr [rsp + 0x28b2], 0x6f    ; 'o'
            //   c68424a828000050     | mov                 byte ptr [rsp + 0x28a8], 0x50    ; 'P'
            //   c68424b428000079     | mov                 byte ptr [rsp + 0x28b4], 0x79    ; 'y'
            //   48898c2460210000     | mov                 qword ptr [rsp + 0x2160], rcx

        $sequence_4 = { c644244c72 c644245364 c644244f6c 4889442430 4c89442428 44894c2424 488b4c2430 }
            // n = 7, score = 100
            // Byte stores at 0x4c/0x4f/0x53 ('r','l','d'); together with the
            // offsets in $sequence_7 (0x4a..0x54) this is consistent with a
            // stack-string "kernel32.dll" (0x4e and 0x55 are written elsewhere).
            //   c644244c72           | mov                 byte ptr [rsp + 0x4c], 0x72    ; 'r'
            //   c644245364           | mov                 byte ptr [rsp + 0x53], 0x64    ; 'd'
            //   c644244f6c           | mov                 byte ptr [rsp + 0x4f], 0x6c    ; 'l'
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax
            //   4c89442428           | mov                 qword ptr [rsp + 0x28], r8
            //   44894c2424           | mov                 dword ptr [rsp + 0x24], r9d
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]

        $sequence_5 = { c6842408330000c2 488b842430190000 4835cd25820a 48052344d868 4889842410330000 c684242233000082 c684242133000048 }
            // n = 7, score = 100
            // xor/add with fixed 32-bit immediates on a loaded qword, surrounded by
            // non-printable byte stores — consistent with constant deobfuscation
            // (hedged: could equally be checksum arithmetic).
            //   c6842408330000c2     | mov                 byte ptr [rsp + 0x3308], 0xc2
            //   488b842430190000     | mov                 rax, qword ptr [rsp + 0x1930]
            //   4835cd25820a         | xor                 rax, 0x0a8225cd
            //   48052344d868         | add                 rax, 0x68d84423
            //   4889842410330000     | mov                 qword ptr [rsp + 0x3310], rax
            //   c684242233000082     | mov                 byte ptr [rsp + 0x3322], 0x82
            //   c684242133000048     | mov                 byte ptr [rsp + 0x3321], 0x48

        $sequence_6 = { 4c01d9 4c01d1 4c8b942410250000 49898a78010000 488b8c24c8240000 4c639424bc240000 4c01d1 }
            // n = 7, score = 100
            // Pointer arithmetic: rcx is advanced by r11/r10 and stored into a
            // structure field at [r10 + 0x178]; movsxd widens a signed 32-bit
            // stack value before it is added.
            //   4c01d9               | add                 rcx, r11
            //   4c01d1               | add                 rcx, r10
            //   4c8b942410250000     | mov                 r10, qword ptr [rsp + 0x2510]
            //   49898a78010000       | mov                 qword ptr [r10 + 0x178], rcx
            //   488b8c24c8240000     | mov                 rcx, qword ptr [rsp + 0x24c8]
            //   4c639424bc240000     | movsxd              r10, dword ptr [rsp + 0x24bc]
            //   4c01d1               | add                 rcx, r10

        $sequence_7 = { c64424546c c644244b65 c64424522e c644244d6e c644244a6b c644245033 c644245132 }
            // n = 7, score = 100
            // Stack-string bytes k,e,n,3,2,.,l at 0x4a..0x54 — see $sequence_4.
            //   c64424546c           | mov                 byte ptr [rsp + 0x54], 0x6c    ; 'l'
            //   c644244b65           | mov                 byte ptr [rsp + 0x4b], 0x65    ; 'e'
            //   c64424522e           | mov                 byte ptr [rsp + 0x52], 0x2e    ; '.'
            //   c644244d6e           | mov                 byte ptr [rsp + 0x4d], 0x6e    ; 'n'
            //   c644244a6b           | mov                 byte ptr [rsp + 0x4a], 0x6b    ; 'k'
            //   c644245033           | mov                 byte ptr [rsp + 0x50], 0x33    ; '3'
            //   c644245132           | mov                 byte ptr [rsp + 0x51], 0x32    ; '2'

        $sequence_8 = { e9???????? 488b842400010000 c6400b00 c7400c01000000 488b842400010000 4883c006 488d8c24a0010000 }
            // n = 7, score = 100
            // Initialises two fields of a heap/stack object pointed to by
            // [rsp + 0x100] (byte at +0xb := 0, dword at +0xc := 1); jmp wildcarded.
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   488b842400010000     | mov                 rax, qword ptr [rsp + 0x100]
            //   c6400b00             | mov                 byte ptr [rax + 0xb], 0
            //   c7400c01000000       | mov                 dword ptr [rax + 0xc], 1
            //   488b842400010000     | mov                 rax, qword ptr [rsp + 0x100]
            //   4883c006             | add                 rax, 6
            //   488d8c24a0010000     | lea                 rcx, [rsp + 0x1a0]

        $sequence_9 = { e9???????? 4c89742448 bb0e000780 e9???????? 48896c2470 4c8d2582280100 488d742430 }
            // n = 7, score = 100
            // 0x8007000e is the HRESULT E_OUTOFMEMORY; loading it into ebx and
            // jumping away looks like an allocation-failure exit path.  The
            // RIP-relative lea fixes a specific code layout, which is part of
            // what makes this sequence sample-specific.
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   4c89742448           | mov                 qword ptr [rsp + 0x48], r14
            //   bb0e000780           | mov                 ebx, 0x8007000e
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   48896c2470           | mov                 qword ptr [rsp + 0x70], rbp
            //   4c8d2582280100       | lea                 r12, [rip + 0x12882]
            //   488d742430           | lea                 rsi, [rsp + 0x30]

    condition:
        // At least 7 of the 10 opcode sequences must be present, and only in
        // inputs smaller than 1115136 bytes (~1.06 MiB).  The size cap means a
        // larger file or a full process/memory dump will never match even if
        // every sequence is present — carve or unpack the module first when
        // scanning such inputs, and treat a hit as sample-specific evidence
        // (see the disclaimer above) rather than family-wide coverage.
        7 of them and filesize < 1115136
}