win.highnote

HIGHNOTE

aka: ChyNode

Actor(s): Axiom


There is no description at this point.

References
2019-07-24 · Twitter (@bkMSFT) · Ben K (bkMSFT)
@online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } Tweet on APT17
HIGHNOTE
Yara Rules
[TLP:WHITE] win_highnote_auto (20230125 | Detects win.highnote.)
/*
 * win_highnote_auto — autogenerated YARA signature for the HIGHNOTE family
 * (Malpedia id win.highnote, aka ChyNode).  The rule carries ten hex strings
 * ($sequence_0 … $sequence_9), each a short run of instruction bytes lifted
 * from one sample's disassembly, and fires when at least seven of them occur
 * in a file smaller than 321536 bytes (314 KiB).
 *
 * Each string is followed by "n = <count>, score = <value>": n is the number
 * of instructions in the sequence (it can be checked against the listed
 * lines); score is a yara-signator ranking whose scale is not documented
 * here.  The per-instruction lines read: raw bytes | disassembly.
 *
 * NOTE(review): several of the listed instructions (in/out on dx, mov ss,
 * popfd, das, aam, int1, enter) are rarely emitted by compilers, which
 * suggests the sequences were drawn from packed, encrypted or non-code
 * regions of the sample rather than from its logic.  A hit is therefore
 * closer to a fingerprint of that specific build than of the family; expect
 * low generalization to other HIGHNOTE samples and corroborate matches with
 * other telemetry before assigning them high confidence.
 */
rule win_highnote_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.highnote."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote"
        // Provenance fields: rule_date/version tag the Malpedia data snapshot the
        // rule was generated against; malpedia_hash presumably identifies that
        // snapshot (not the sample) — confirm against the Malpedia export.
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b3f1 d7 ee 2f 68351fad87 9d 85c0 }
            // n = 7, score = 200
            //   b3f1                 | mov                 bl, 0xf1
            //   d7                   | xlatb               
            //   ee                   | out                 dx, al
            //   2f                   | das                 
            //   68351fad87           | push                0x87ad1f35
            //   9d                   | popfd               
            //   85c0                 | test                eax, eax

        $sequence_1 = { f61f 6669ceab5c 15c3a595c2 0e c87b3119 ec 32b8215f5c32 }
            // n = 7, score = 200
            //   f61f                 | neg                 byte ptr [edi]
            //   6669ceab5c           | imul                cx, si, 0x5cab
            //   15c3a595c2           | adc                 eax, 0xc295a5c3
            //   0e                   | push                cs
            //   c87b3119             | enter               0x317b, 0x19
            //   ec                   | in                  al, dx
            //   32b8215f5c32         | xor                 bh, byte ptr [eax + 0x325c5f21]

        $sequence_2 = { 1353db 43 672832 54 45 c14cf35e41 ee }
            // n = 7, score = 200
            //   1353db               | adc                 edx, dword ptr [ebx - 0x25]
            //   43                   | inc                 ebx
            //   672832               | sub                 byte ptr [bp + si], dh
            //   54                   | push                esp
            //   45                   | inc                 ebp
            //   c14cf35e41           | ror                 dword ptr [ebx + esi*8 + 0x5e], 0x41
            //   ee                   | out                 dx, al

        $sequence_3 = { 29d4 ad 2ac2 94 15042afd06 d15ae3 54 }
            // n = 7, score = 200
            //   29d4                 | sub                 esp, edx
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   2ac2                 | sub                 al, dl
            //   94                   | xchg                eax, esp
            //   15042afd06           | adc                 eax, 0x6fd2a04
            //   d15ae3               | rcr                 dword ptr [edx - 0x1d], 1
            //   54                   | push                esp

        $sequence_4 = { 1b673a 40 6b7eae7b bb892ef3a2 0c5f d4bf }
            // n = 6, score = 200
            //   1b673a               | sbb                 esp, dword ptr [edi + 0x3a]
            //   40                   | inc                 eax
            //   6b7eae7b             | imul                edi, dword ptr [esi - 0x52], 0x7b
            //   bb892ef3a2           | mov                 ebx, 0xa2f32e89
            //   0c5f                 | or                  al, 0x5f
            //   d4bf                 | aam                 0xbf

        // `??` is a YARA single-byte wildcard.  The four masked bytes after
        // 84 05 are the 32-bit displacement of "test byte ptr [disp32], al" —
        // an absolute address that changes with image base / relocation, so
        // it is deliberately not matched literally (hence the blank
        // disassembly column).  Same treatment for a0 ???????? in $sequence_8
        // ("mov al, byte ptr [moffs32]").
        $sequence_5 = { 320c7e 47 8405???????? 59 296057 bf07e8a946 ddb61d4f1c2f }
            // n = 7, score = 200
            //   320c7e               | xor                 cl, byte ptr [esi + edi*2]
            //   47                   | inc                 edi
            //   8405????????         |                     
            //   59                   | pop                 ecx
            //   296057               | sub                 dword ptr [eax + 0x57], esp
            //   bf07e8a946           | mov                 edi, 0x46a9e807
            //   ddb61d4f1c2f         | fnsave              dword ptr [esi + 0x2f1c4f1d]

        $sequence_6 = { 366e 7f74 294840 b616 d924f1 8e13 }
            // n = 6, score = 200
            //   366e                 | outsb               dx, byte ptr ss:[esi]
            //   7f74                 | jg                  0x76
            //   294840               | sub                 dword ptr [eax + 0x40], ecx
            //   b616                 | mov                 dh, 0x16
            //   d924f1               | fldenv              [ecx + esi*8]
            //   8e13                 | mov                 ss, word ptr [ebx]

        $sequence_7 = { 17 5d 6f 638c740bbbf8b8 0a85aa638bfe aa 770d }
            // n = 7, score = 200
            //   17                   | pop                 ss
            //   5d                   | pop                 ebp
            //   6f                   | outsd               dx, dword ptr [esi]
            //   638c740bbbf8b8       | arpl                word ptr [esp + esi*2 - 0x470744f5], cx
            //   0a85aa638bfe         | or                  al, byte ptr [ebp - 0x1749c56]
            //   aa                   | stosb               byte ptr es:[edi], al
            //   770d                 | ja                  0xf

        $sequence_8 = { 98 55 b4f9 ad c9 a0???????? a5 }
            // n = 7, score = 200
            //   98                   | cwde                
            //   55                   | push                ebp
            //   b4f9                 | mov                 ah, 0xf9
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   c9                   | leave               
            //   a0????????           |                     
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_9 = { ab 85c0 0c9a 98 b531 df37 f1 }
            // n = 7, score = 200
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   85c0                 | test                eax, eax
            //   0c9a                 | or                  al, 0x9a
            //   98                   | cwde                
            //   b531                 | mov                 ch, 0x31
            //   df37                 | fbstp               tbyte ptr [edi]
            //   f1                   | int1                

    condition:
        // "them" covers all ten $sequence_* strings: at least 7 must be
        // present anywhere in the file.  The size bound restricts matching to
        // files under 321536 bytes (314 KiB); presumably derived from the
        // reference sample's size, so larger builds or embedded copies inside
        // bigger containers will not match.
        7 of them and filesize < 321536
}