win.highnote

HIGHNOTE

aka: ChyNode

Actor(s): Axiom


There is no description at this point.

References
2019-07-24 — Twitter (@bkMSFT) — Ben K (bkMSFT)
@online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } Tweet on APT17
HIGHNOTE
Yara Rules
[TLP:WHITE] win_highnote_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_highnote_auto {

    /* Purpose: detect the HIGHNOTE (aka ChyNode) Windows malware family,
     * listed on Malpedia under actor Axiom.
     *
     * How it works: each $sequence_N string is a run of raw x86 instruction
     * bytes chosen automatically by YARA-Signator from the disassembly of
     * unpacked / memory-dumped samples (see DISCLAIMER below). Because the
     * patterns come from unpacked code, a packed sample on disk is unlikely
     * to match; scan unpacked files or process memory.
     *
     * The `??` bytes in some sequences are wildcards that mask operand bytes
     * (presumably absolute addresses or other values that differ between
     * builds) so the instruction pattern survives relocation.
     *
     * In the per-sequence comments, `n` is the number of instructions in the
     * sequence; `score` is YARA-Signator's internal ranking value — its scale
     * is not documented here, treat it as relative only.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): several sequences ($sequence_0, _3, _4, _6, _8)
        // disassemble to implausible instruction mixes (sti, aaa, out, insb,
        // arpl, fadd). They appear to have been lifted from embedded data or
        // encrypted bytes rather than real code, which makes them effectively
        // fixed-constant matches for the analysed sample(s) — expect them to
        // be brittle across variants. Sequences _2, _5, _7 and _9 look like
        // genuine control-flow / memory-reference code and are likely the
        // more robust part of this rule.
        $sequence_0 = { 4b fb 51 0443 084c37a1 9d 720a }
            // n = 7, score = 200
            //   4b                   | dec                 ebx
            //   fb                   | sti                 
            //   51                   | push                ecx
            //   0443                 | add                 al, 0x43
            //   084c37a1             | or                  byte ptr [edi + esi - 0x5f], cl
            //   9d                   | popfd               
            //   720a                 | jb                  0xc

        $sequence_1 = { 9d 4a 0520243bbc bfb001b386 81604914ae1fd0 97 96 }
            // n = 7, score = 200
            //   9d                   | popfd               
            //   4a                   | dec                 edx
            //   0520243bbc           | add                 eax, 0xbc3b2420
            //   bfb001b386           | mov                 edi, 0x86b301b0
            //   81604914ae1fd0       | and                 dword ptr [eax + 0x49], 0xd01fae14
            //   97                   | xchg                eax, edi
            //   96                   | xchg                eax, esi

        // `ff15 ????????` is an indirect call through an absolute pointer
        // (typically an import); the masked bytes let the pattern match
        // regardless of image base.
        $sequence_2 = { 3bc7 0f8531050000 ff15???????? 39bb0c010000 0f854a010000 9c f605????????80 }
            // n = 7, score = 200
            //   3bc7                 | cmp                 eax, edi
            //   0f8531050000         | jne                 0x537
            //   ff15????????         |                     
            //   39bb0c010000         | cmp                 dword ptr [ebx + 0x10c], edi
            //   0f854a010000         | jne                 0x150
            //   9c                   | pushfd              
            //   f605????????80       |                     

        $sequence_3 = { 54 91 37 ab 34d1 90 ef }
            // n = 7, score = 200
            //   54                   | push                esp
            //   91                   | xchg                eax, ecx
            //   37                   | aaa                 
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   34d1                 | xor                 al, 0xd1
            //   90                   | nop                 
            //   ef                   | out                 dx, eax

        $sequence_4 = { 11cd 007fb0 08ec b403 872e 6c }
            // n = 6, score = 200
            //   11cd                 | adc                 ebp, ecx
            //   007fb0               | add                 byte ptr [edi - 0x50], bh
            //   08ec                 | or                  ah, ch
            //   b403                 | mov                 ah, 3
            //   872e                 | xchg                dword ptr [esi], ebp
            //   6c                   | insb                byte ptr es:[edi], dx

        $sequence_5 = { 8b4dfc 9c f605????????e8 0f85cc000000 0425 ab 194d26 }
            // n = 7, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   9c                   | pushfd              
            //   f605????????e8       |                     
            //   0f85cc000000         | jne                 0xd2
            //   0425                 | add                 al, 0x25
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   194d26               | sbb                 dword ptr [ebp + 0x26], ecx

        $sequence_6 = { 37 247f 53 8e6691 0d10ec59ab 6bc2bd 3401 }
            // n = 7, score = 200
            //   37                   | aaa                 
            //   247f                 | and                 al, 0x7f
            //   53                   | push                ebx
            //   8e6691               | mov                 fs, word ptr [esi - 0x6f]
            //   0d10ec59ab           | or                  eax, 0xab59ec10
            //   6bc2bd               | imul                eax, edx, -0x43
            //   3401                 | xor                 al, 1

        // `a1 ????????` is `mov eax, [absolute]`; the address is masked.
        $sequence_7 = { a1???????? 1478 d432 35accb1d71 55 a1???????? d00a }
            // n = 7, score = 200
            //   a1????????           |                     
            //   1478                 | adc                 al, 0x78
            //   d432                 | aam                 0x32
            //   35accb1d71           | xor                 eax, 0x711dcbac
            //   55                   | push                ebp
            //   a1????????           |                     
            //   d00a                 | ror                 byte ptr [edx], 1

        $sequence_8 = { d8c6 0b4a28 0937 638742f09696 8a6045 7429 6c }
            // n = 7, score = 200
            //   d8c6                 | fadd                st(6)
            //   0b4a28               | or                  ecx, dword ptr [edx + 0x28]
            //   0937                 | or                  dword ptr [edi], esi
            //   638742f09696         | arpl                word ptr [edi - 0x69690fbe], ax
            //   8a6045               | mov                 ah, byte ptr [eax + 0x45]
            //   7429                 | je                  0x2b
            //   6c                   | insb                byte ptr es:[edi], dx

        $sequence_9 = { 8435???????? 7267 98 58 e44b e2e9 7be2 }
            // n = 7, score = 200
            //   8435????????         |                     
            //   7267                 | jb                  0x69
            //   98                   | cwde                
            //   58                   | pop                 eax
            //   e44b                 | in                  al, 0x4b
            //   e2e9                 | loop                0xffffffeb
            //   7be2                 | jnp                 0xffffffe4

    condition:
        // Match when any 7 of the 10 sequences are present. The file-size
        // cap is presumably derived from the analysed sample set; it will
        // prevent matches inside larger carriers (full memory images,
        // droppers embedding the payload), so relax it for those use cases.
        7 of them and filesize < 321536
}