win.glitch_pos

GlitchPOS


There is no description at this point.

References
2019-03-13 · Cisco Talos · Warren Mercer, Paul Rascagnères, Ben Baker
@online{mercer:20190313:glitchpos:a94f15c, author = {Warren Mercer and Paul Rascagnères and Ben Baker}, title = {{GlitchPOS: New PoS malware for sale}}, date = {2019-03-13}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html}, language = {English}, urldate = {2019-10-29} } GlitchPOS: New PoS malware for sale
GlitchPOS
Yara Rules
[TLP:WHITE] win_glitch_pos_auto (20230715 | Detects win.glitch_pos.)
/* Auto-generated Malpedia detection rule for the win.glitch_pos family (GlitchPOS).
 *
 * Matching model: each $sequence_N string is a short run of 32-bit x86 instruction
 * bytes lifted from disassembly (the per-string comments show the decoded
 * instructions). "??" bytes are YARA wildcards; the generator leaves them on
 * operands that change between builds or load addresses (the masked bytes sit
 * where call/jmp displacements and absolute addresses would be - presumably why
 * those lines carry no decoded instruction). The rule fires when at least 7 of
 * the 10 sequences are found and the scanned object is smaller than 1024000 bytes.
 *
 * Per the disclaimer below, the sequences come from memory dumps and unpacked
 * files, so this rule is intended for unpacked code and may not match a packed
 * on-disk sample; unpack or scan memory first when that matters.
 */
rule win_glitch_pos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.glitch_pos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "// n = N, score = S" line is generator output: n matches the
        // number of instructions in the sequence; score is the generator's own
        // ranking value (its scale is not documented here - treat as opaque).
        $sequence_0 = { 8b4508 8b00 ff7508 ff9028070000 668b45d4 66050100 0f80fc050000 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff9028070000         | call                dword ptr [eax + 0x728]
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]
            //   66050100             | add                 ax, 1
            //   0f80fc050000         | jo                  0x602

        $sequence_1 = { 8d4588 50 8b4508 8b00 }
            // n = 4, score = 100
            //   8d4588               | lea                 eax, [ebp - 0x78]
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_2 = { e8???????? 898514ffffff 8d4dd0 e8???????? e9???????? 8b4508 8b00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   898514ffffff         | mov                 dword ptr [ebp - 0xec], eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_3 = { 668945dc 668b45dc 663b85acfdffff 0f8fd7000000 c745bc04000280 }
            // n = 5, score = 100
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax
            //   668b45dc             | mov                 ax, word ptr [ebp - 0x24]
            //   663b85acfdffff       | cmp                 ax, word ptr [ebp - 0x254]
            //   0f8fd7000000         | jg                  0xdd
            //   c745bc04000280       | mov                 dword ptr [ebp - 0x44], 0x80020004

        $sequence_4 = { 89854cffffff 8d45bc 50 dd8570ffffff e8???????? 50 }
            // n = 6, score = 100
            //   89854cffffff         | mov                 dword ptr [ebp - 0xb4], eax
            //   8d45bc               | lea                 eax, [ebp - 0x44]
            //   50                   | push                eax
            //   dd8570ffffff         | fld                 qword ptr [ebp - 0x90]
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_5 = { e8???????? 833d????????00 751b 68???????? 68???????? e8???????? c78518feffff2cc34600 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   833d????????00       |                     
            //   751b                 | jne                 0x1d
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   c78518feffff2cc34600     | mov    dword ptr [ebp - 0x1e8], 0x46c32c

        // NOTE(review): the decoded form of this sequence (pop esp, xor esi,[edi], ...)
        // does not read like compiler-emitted code; it is probably a data or string
        // region the generator disassembled as code. It still contributes to the
        // "7 of them" count like any other string.
        $sequence_6 = { 6b52365d 5c 3337 50 5e 3d2b5e3c52 }
            // n = 6, score = 100
            //   6b52365d             | imul                edx, dword ptr [edx + 0x36], 0x5d
            //   5c                   | pop                 esp
            //   3337                 | xor                 esi, dword ptr [edi]
            //   50                   | push                eax
            //   5e                   | pop                 esi
            //   3d2b5e3c52           | cmp                 eax, 0x523c5e2b

        $sequence_7 = { eb07 83a5d8feffff00 8b45b8 898518ffffff 8d45d0 }
            // n = 5, score = 100
            //   eb07                 | jmp                 9
            //   83a5d8feffff00       | and                 dword ptr [ebp - 0x128], 0
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   898518ffffff         | mov                 dword ptr [ebp - 0xe8], eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]

        $sequence_8 = { 6a04 e8???????? 83c414 8d4ddc }
            // n = 4, score = 100
            //   6a04                 | push                4
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]

        $sequence_9 = { 898550feffff eb07 83a550feffff00 8d45c8 50 8d45cc 50 }
            // n = 7, score = 100
            //   898550feffff         | mov                 dword ptr [ebp - 0x1b0], eax
            //   eb07                 | jmp                 9
            //   83a550feffff00       | and                 dword ptr [ebp - 0x1b0], 0
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax

    condition:
        // "7 of them" = at least 7 of the 10 $sequence_* strings match anywhere in
        // the scanned object; the filesize cap (1024000 bytes, just under 1 MiB)
        // keeps the rule from being evaluated against large files/dumps, so a
        // larger memory region will not match even if all sequences are present.
        7 of them and filesize < 1024000
}