win.golroted (Back to overview)

Golroted


There is no description at this point.

References
2017-11-12 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20171112:lets:4db8d74, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Golroted Trojan's Process Hollowing Technique & UAC Bypass in HKCU\Environment}}, date = {2017-11-12}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: Dissecting Golroted Trojan's Process Hollowing Technique & UAC Bypass in HKCU\Environment
Golroted
Yara Rules
[TLP:WHITE] win_golroted_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_golroted_auto {

    /* Autogenerated code-signature for Golroted (yara-signator).
     * The ten $sequence_N strings below are opcode byte runs taken from
     * disassembly; the condition fires when any 7 of the 10 are present.
     * Because the generator worked from a limited set of Malpedia samples
     * (see DISCLAIMER), treat hits as a medium-confidence family indicator
     * and corroborate with win_golroted_w0 or sample-level analysis.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // Rule generation date; malpedia_version below is the corpus
        // snapshot the rule was derived from, which is why the two differ.
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence is a hex string; "??" wildcards mask bytes that vary
        // between builds. The "e8????????" entries are x86 CALL instructions
        // whose 4-byte relative displacement depends on link-time layout, so
        // only the opcode is matched and the disassembly column is left blank.
        // "n" is the instruction count, "score" the generator's ranking value.
        $sequence_0 = { 7903 83d100 8b06 ba01000000 e8???????? 8d55e4 }
            // n = 6, score = 300
            //   7903                 | jns                 5
            //   83d100               | adc                 ecx, 0
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     
            //   8d55e4               | lea                 edx, [ebp - 0x1c]

        $sequence_1 = { 8385f8feffff04 8385f4feffff04 8b85f8feffff 8b18 85db 75b2 8385fcfeffff14 }
            // n = 7, score = 300
            //   8385f8feffff04       | add                 dword ptr [ebp - 0x108], 4
            //   8385f4feffff04       | add                 dword ptr [ebp - 0x10c], 4
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   8b18                 | mov                 ebx, dword ptr [eax]
            //   85db                 | test                ebx, ebx
            //   75b2                 | jne                 0xffffffb4
            //   8385fcfeffff14       | add                 dword ptr [ebp - 0x104], 0x14

        $sequence_2 = { e8???????? 8a450c 50 8a4508 50 8b4df4 8b55f8 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8a450c               | mov                 al, byte ptr [ebp + 0xc]
            //   50                   | push                eax
            //   8a4508               | mov                 al, byte ptr [ebp + 8]
            //   50                   | push                eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_3 = { 50 e8???????? 8b5db4 33c0 5a }
            // n = 5, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b5db4               | mov                 ebx, dword ptr [ebp - 0x4c]
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx

        $sequence_4 = { 8b45fc 833c9800 75e5 83fe02 7509 6a00 e8???????? }
            // n = 7, score = 300
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   833c9800             | cmp                 dword ptr [eax + ebx*4], 0
            //   75e5                 | jne                 0xffffffe7
            //   83fe02               | cmp                 esi, 2
            //   7509                 | jne                 0xb
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_5 = { 31d2 f7f1 89d3 b9f1ff0000 89f8 31d2 }
            // n = 6, score = 300
            //   31d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   89d3                 | mov                 ebx, edx
            //   b9f1ff0000           | mov                 ecx, 0xfff1
            //   89f8                 | mov                 eax, edi
            //   31d2                 | xor                 edx, edx

        $sequence_6 = { 8b0498 8b55e8 0304b2 b964010000 99 f7f9 8b45e8 }
            // n = 7, score = 300
            //   8b0498               | mov                 eax, dword ptr [eax + ebx*4]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   0304b2               | add                 eax, dword ptr [edx + esi*4]
            //   b964010000           | mov                 ecx, 0x164
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_7 = { 33d2 8a542401 c1ea04 0ac2 8b542408 88043a 8d4701 }
            // n = 7, score = 300
            //   33d2                 | xor                 edx, edx
            //   8a542401             | mov                 dl, byte ptr [esp + 1]
            //   c1ea04               | shr                 edx, 4
            //   0ac2                 | or                  al, dl
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   88043a               | mov                 byte ptr [edx + edi], al
            //   8d4701               | lea                 eax, [edi + 1]

        $sequence_8 = { 59 e8???????? 8bd8 eb23 8a45ff 50 53 }
            // n = 7, score = 300
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   eb23                 | jmp                 0x25
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_9 = { e8???????? 85c0 0f8492010000 8b0424 50 e8???????? }
            // n = 6, score = 300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8492010000         | je                  0x198
            //   8b0424               | mov                 eax, dword ptr [esp]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences; no PE-header check, so the rule also
        // applies to unpacked memory dumps that lack an MZ/PE header.
        7 of them
}
[TLP:WHITE] win_golroted_w0   (20171214 | Golroted Trojan rule - file golroted.exe)
rule win_golroted_w0 {
    /* Golroted Trojan string signature, written against the single
     * unpacked sample identified by the "hash" meta field below.
     * Matching requires every string to be present, so the rule is
     * precise for that build but may miss variants that change any
     * one path or command line; relax deliberately if you need recall.
     */
    meta:
        description = "Golroted Trojan rule - file golroted.exe"
        author = "@VK_Intel"
        reference = "Detects Golroted Trojan"
        date = "2017-11-11"
        hash = "e73b20f639cd9ecc4c8196e885de57043a4baddb70bb4b66e1df13abc7da487e"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted"
        malpedia_version = "20171214"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Dropped / referenced file system paths.
        $dll_mycomput     = "C:\\Windows\\System32\\Mycomput.dll" fullword ascii
        // Fragment of a .lnk command line pointing into a user profile.
        $lnk_to_users     = ".lnk\" \"C:\\Users\\" fullword ascii
        // Legitimate Windows / .NET / third-party binaries named in the sample;
        // the referenced analysis describes these as process-hollowing hosts.
        $vbc_name         = "vbc.exe" fullword ascii 
        $werfault         = "System32\\WerFault.exe" fullword ascii
        $notepad          = "system32\\notepad.exe" fullword ascii
        $firefox          = "Mozilla Firefox\\firefox.exe" fullword ascii
        // Leading "F" is reproduced as captured from the sample; do not
        // "correct" it without re-checking the binary.
        $sys32_prefix     = "FC:\\Windows\\System32\\" fullword ascii
        $ntdll_syswow64   = "C:\\Windows\\SysWOW64\\ntdll.dll" fullword ascii
        $regasm_v2        = "Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe" fullword ascii
        $regasm_v4        = "Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe" fullword ascii
        // Writes a per-user "windir" override into HKCU\Environment; together
        // with the SilentCleanup task trigger below this is the UAC bypass
        // named in the referenced write-up. Both are strong detection and
        // hunting pivots on their own (registry and scheduled-task telemetry).
        $reg_windir       = "/c reg add hkcu\\Environment /v windir /d \"cmd /c start " fullword ascii
        $bind_drop_exec   = "bindedfiledropandexecute" fullword ascii
        $schtasks_cleanup = "/c schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I && exit" fullword ascii
        $vbc_v2           = "Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe" fullword ascii
        $vbc_v4           = "Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe" fullword ascii
        // Security product install path referenced by the sample.
        $kaspersky_path   = "C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Internet Security " fullword ascii
        // Per-user Startup folder, i.e. a persistence location.
        $startup_folder   = "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" fullword ascii

    condition:
        // Every string must be present (17 strings, all fullword ascii).
        all of them
}