win.ghostemperor

GhostEmperor


There is no description at this point.

References
2021-09-30 | Kaspersky | Mark Lechtik, Aseel Kayal, Paul Rascagnères, Vasily Berdnikov
@online{lechtik:20210930:ghostemperor:f7bdb63, author = {Mark Lechtik and Aseel Kayal and Paul Rascagnères and Vasily Berdnikov}, title = {{GhostEmperor: From ProxyLogon to kernel mode}}, date = {2021-09-30}, organization = {Kaspersky}, url = {https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/}, language = {English}, urldate = {2021-10-05} } GhostEmperor: From ProxyLogon to kernel mode
GhostEmperor
2021-07-29 | Kaspersky | Kaspersky
@online{kaspersky:20210729:ghostemperor:c9ddfe4, author = {Kaspersky}, title = {{GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit}}, date = {2021-07-29}, organization = {Kaspersky}, url = {https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit}, language = {English}, urldate = {2021-10-07} } GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit
GhostEmperor
Yara Rules
[TLP:WHITE] win_ghostemperor_auto (20220808 | Detects win.ghostemperor.)
rule win_ghostemperor_auto {

    /* Purpose: code-pattern signature for the win.ghostemperor family as
     * catalogued on Malpedia (malpedia_reference below). It was produced
     * automatically by yara-signator from instruction sequences seen in the
     * reference samples, so it matches raw code bytes, not strings, imports
     * or configuration data.
     *
     * Each $sequence_N string is a run of consecutive instructions given as
     * hex. `??` bytes are wildcards; they cover the rel32 displacement of
     * rip-relative `call`/`jmp` instructions (ff15 / ff25 / e8), which
     * differs between builds. "n" in the annotation is the number of
     * instructions in the sequence; "score" is the generator's ranking value
     * for that sequence (its exact meaning is defined by yara-signator, not
     * by this file — treat 200 vs 100 as relative, not absolute).
     *
     * NOTE(review): the per-instruction annotations emitted by the generator
     * did not line up with the byte patterns (REX prefixes 0x41/0x48/0x4c/0x4d
     * appeared as inc/dec and the mnemonics were shifted against the bytes),
     * which is what a 32-bit decode of x86-64 code looks like. The annotations
     * below were re-decoded as x86-64 by the reviewer; the hex pattern is the
     * authoritative part of each string, so verify an annotation before
     * building on it. Branch targets are written as rel8 offsets from the
     * end of the branch instruction.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.ghostemperor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // generator settings: which feature classes were considered when
        // selecting sequences (as named by the tool)
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor"
        malpedia_rule_date = "20220805"
        // NOTE(review): not a sample hash; presumably the Malpedia data
        // revision the rule was generated from — confirm against Malpedia
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c7471800000000 4c8d7618 4c89f1 ff15???????? }
            // n = 4, score = 200
            //   c7471800000000       | mov                 dword ptr [rdi + 0x18], 0
            //   4c8d7618             | lea                 r14, [rsi + 0x18]
            //   4c89f1               | mov                 rcx, r14
            //   ff15????????         | call                qword ptr [rip + rel32]

        $sequence_1 = { b801000000 4883c428 5b 5d 5f 5e }
            // n = 6, score = 200
            // epilogue: return value 1, release 0x28 bytes of shadow/local
            // space, restore four non-volatile registers
            //   b801000000           | mov                 eax, 1
            //   4883c428             | add                 rsp, 0x28
            //   5b                   | pop                 rbx
            //   5d                   | pop                 rbp
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi

        $sequence_2 = { 4c896640 8b4650 034648 89464c }
            // n = 4, score = 200
            // structure update through rsi: [rsi+0x4c] = [rsi+0x50] + [rsi+0x48]
            //   4c896640             | mov                 qword ptr [rsi + 0x40], r12
            //   8b4650               | mov                 eax, dword ptr [rsi + 0x50]
            //   034648               | add                 eax, dword ptr [rsi + 0x48]
            //   89464c               | mov                 dword ptr [rsi + 0x4c], eax

        $sequence_3 = { 31d2 41b801000000 4531c9 ff15???????? }
            // n = 4, score = 200
            // x64 call setup: rdx = 0, r8d = 1, r9d = 0 (2nd..4th arguments)
            //   31d2                 | xor                 edx, edx
            //   41b801000000         | mov                 r8d, 1
            //   4531c9               | xor                 r9d, r9d
            //   ff15????????         | call                qword ptr [rip + rel32]

        $sequence_4 = { 4d3bd3 75f0 4c8b1424 4c8b5c2408 4883c410 c3 ff25???????? }
            // n = 7, score = 200
            //   4d3bd3               | cmp                 r10, r11
            //   75f0                 | jne                 rel8 -0x10
            //   4c8b1424             | mov                 r10, qword ptr [rsp]
            //   4c8b5c2408           | mov                 r11, qword ptr [rsp + 8]
            //   4883c410             | add                 rsp, 0x10
            //   c3                   | ret
            //   ff25????????         | jmp                 qword ptr [rip + rel32]

        $sequence_5 = { c1e103 e8???????? 4885c0 7450 }
            // n = 4, score = 200
            //   c1e103               | shl                 ecx, 3
            //   e8????????           | call                rel32
            //   4885c0               | test                rax, rax
            //   7450                 | je                  rel8 +0x50

        $sequence_6 = { 4883c410 c3 ff25???????? ff25???????? ff25???????? ff25???????? ff25???????? }
            // n = 7, score = 200
            // function tail followed by a run of five import thunks
            // (jmp through the IAT); the thunk targets are wildcarded
            //   4883c410             | add                 rsp, 0x10
            //   c3                   | ret
            //   ff25????????         | jmp                 qword ptr [rip + rel32]
            //   ff25????????         | jmp                 qword ptr [rip + rel32]
            //   ff25????????         | jmp                 qword ptr [rip + rel32]
            //   ff25????????         | jmp                 qword ptr [rip + rel32]
            //   ff25????????         | jmp                 qword ptr [rip + rel32]

        $sequence_7 = { 4983fb04 7222 488d3cc2 4883c708 }
            // n = 4, score = 200
            //   4983fb04             | cmp                 r11, 4
            //   7222                 | jb                  rel8 +0x22
            //   488d3cc2             | lea                 rdi, [rdx + rax*8]
            //   4883c708             | add                 rdi, 8

        $sequence_8 = { ff15???????? 8b4648 8b4e4c 39c1 }
            // n = 4, score = 200
            // reads the same two fields ([rsi+0x48], [rsi+0x4c]) that
            // $sequence_2 writes, then compares them
            //   ff15????????         | call                qword ptr [rip + rel32]
            //   8b4648               | mov                 eax, dword ptr [rsi + 0x48]
            //   8b4e4c               | mov                 ecx, dword ptr [rsi + 0x4c]
            //   39c1                 | cmp                 ecx, eax

        $sequence_9 = { 7439 8b5b10 4885db 7431 }
            // n = 4, score = 200
            // linked-structure walk: rbx = [rbx+0x10], stop on null
            //   7439                 | je                  rel8 +0x39
            //   8b5b10               | mov                 ebx, dword ptr [rbx + 0x10]
            //   4885db               | test                rbx, rbx
            //   7431                 | je                  rel8 +0x31

        $sequence_10 = { 4533c0 4c897c2438 33d2 895c2430 }
            // n = 4, score = 100
            //   4533c0               | xor                 r8d, r8d
            //   4c897c2438           | mov                 qword ptr [rsp + 0x38], r15
            //   33d2                 | xor                 edx, edx
            //   895c2430             | mov                 dword ptr [rsp + 0x30], ebx

        $sequence_11 = { 00c2 488b8568020000 8854080c 488b85b0020000 }
            // n = 4, score = 100
            //   00c2                 | add                 dl, al
            //   488b8568020000       | mov                 rax, qword ptr [rbp + 0x268]
            //   8854080c             | mov                 byte ptr [rax + rcx + 0xc], dl
            //   488b85b0020000       | mov                 rax, qword ptr [rbp + 0x2b0]

        $sequence_12 = { c74586c9009000 c7458ab100a400 0f1044247e c7458e26009800 }
            // n = 4, score = 100
            // stack buffer filled with 32-bit immediates, interleaved with a
            // 16-byte SSE load; the constant values are part of the pattern
            //   c74586c9009000       | mov                 dword ptr [rbp - 0x7a], 0x9000c9
            //   c7458ab100a400       | mov                 dword ptr [rbp - 0x76], 0xa400b1
            //   0f1044247e           | movups              xmm0, xmmword ptr [rsp + 0x7e]
            //   c7458e26009800       | mov                 dword ptr [rbp - 0x72], 0x980026

        $sequence_13 = { 6642897c45ae 49ffc0 4983f808 72c6 }
            // n = 4, score = 100
            // loop storing 16-bit values, r8 counts 0..7
            //   6642897c45ae         | mov                 word ptr [rbp + r8*2 - 0x52], di
            //   49ffc0               | inc                 r8
            //   4983f808             | cmp                 r8, 8
            //   72c6                 | jb                  rel8 -0x3a

        $sequence_14 = { 01c1 89ca c1ea1f c1f904 }
            // n = 4, score = 100
            // signed division by 16 via shift (sign bit in edx, sar by 4)
            //   01c1                 | add                 ecx, eax
            //   89ca                 | mov                 edx, ecx
            //   c1ea1f               | shr                 edx, 0x1f
            //   c1f904               | sar                 ecx, 4

        $sequence_15 = { 7281 b804000000 0f18040a 0f18440a40 4881c180000000 ffc8 75ec }
            // n = 7, score = 100
            // prefetch loop: four iterations over 0x80-byte strides
            //   7281                 | jb                  rel8 -0x7f
            //   b804000000           | mov                 eax, 4
            //   0f18040a             | prefetchnta         byte ptr [rdx + rcx]
            //   0f18440a40           | prefetchnta         byte ptr [rdx + rcx + 0x40]
            //   4881c180000000       | add                 rcx, 0x80
            //   ffc8                 | dec                 eax
            //   75ec                 | jne                 rel8 -0x14

        $sequence_16 = { 01d1 89ca c1e205 89cb }
            // n = 4, score = 100
            //   01d1                 | add                 ecx, edx
            //   89ca                 | mov                 edx, ecx
            //   c1e205               | shl                 edx, 5
            //   89cb                 | mov                 ebx, ecx

        $sequence_17 = { b910000000 4123d4 418bfb 2bca 418bc3 66d3e7 }
            // n = 6, score = 100
            // 16-bit shift by (16 - (edx & r12d))
            //   b910000000           | mov                 ecx, 0x10
            //   4123d4               | and                 edx, r12d
            //   418bfb               | mov                 edi, r11d
            //   2bca                 | sub                 ecx, edx
            //   418bc3               | mov                 eax, r11d
            //   66d3e7               | shl                 di, cl

        $sequence_18 = { c7459ff600a600 c745a39700aa00 0f104597 c745a71100b700 c745ab8e008900 c745aff1002700 c745b35300e400 }
            // n = 7, score = 100
            // same stack-buffer fill idiom as $sequence_12, different constants
            //   c7459ff600a600       | mov                 dword ptr [rbp - 0x61], 0xa600f6
            //   c745a39700aa00       | mov                 dword ptr [rbp - 0x5d], 0xaa0097
            //   0f104597             | movups              xmm0, xmmword ptr [rbp - 0x69]
            //   c745a71100b700       | mov                 dword ptr [rbp - 0x59], 0xb70011
            //   c745ab8e008900       | mov                 dword ptr [rbp - 0x55], 0x89008e
            //   c745aff1002700       | mov                 dword ptr [rbp - 0x51], 0x2700f1
            //   c745b35300e400       | mov                 dword ptr [rbp - 0x4d], 0xe40053

        $sequence_19 = { 7405 4803d8 75b8 418bfe 488b4de8 }
            // n = 5, score = 100
            //   7405                 | je                  rel8 +0x5
            //   4803d8               | add                 rbx, rax
            //   75b8                 | jne                 rel8 -0x48
            //   418bfe               | mov                 edi, r14d
            //   488b4de8             | mov                 rcx, qword ptr [rbp - 0x18]

        $sequence_20 = { 01c3 69cbe8030000 81c130750000 4883ec20 }
            // n = 4, score = 100
            // ecx = ebx * 1000 + 30000 (0x3e8, 0x7530) before a call with
            // 0x20 bytes of shadow space reserved
            //   01c3                 | add                 ebx, eax
            //   69cbe8030000         | imul                ecx, ebx, 0x3e8
            //   81c130750000         | add                 ecx, 0x7530
            //   4883ec20             | sub                 rsp, 0x20

        $sequence_21 = { 664289bc4544020000 4c03c3 4d3bc1 72c1 33ff }
            // n = 5, score = 100
            // same indexed 16-bit store idiom as $sequence_13, larger frame offset
            //   664289bc4544020000   | mov                 word ptr [rbp + r8*2 + 0x244], di
            //   4c03c3               | add                 r8, rbx
            //   4d3bc1               | cmp                 r8, r9
            //   72c1                 | jb                  rel8 -0x3f
            //   33ff                 | xor                 edi, edi

    condition:
        // any 7 of the 22 sequences must match; the filesize cap
        // (1115136 bytes, ~1.06 MiB) bounds scan cost and presumably derives
        // from the reference samples' size — loosen it if larger samples or
        // memory dumps are expected
        7 of them and filesize < 1115136
}