win.highnote

HIGHNOTE

aka: ChyNode

Actor(s): Axiom


There is no description at this point.

References
2019-07-24 — Twitter (@bkMSFT) — Ben K (bkMSFT)
@online{bkmsft:20190724:apt17:8b88bcb, author = {Ben K (bkMSFT)}, title = {{Tweet on APT17}}, date = {2019-07-24}, organization = {Twitter (@bkMSFT)}, url = {https://twitter.com/bkMSFT/status/1153994428949749761}, language = {English}, urldate = {2020-01-07} } Tweet on APT17
HIGHNOTE
Yara Rules
[TLP:WHITE] win_highnote_auto (20220516 | Detects win.highnote.)
rule win_highnote_auto {

    // Autogenerated (yara-signator) code-sequence rule for the Malpedia family
    // win.highnote (HIGHNOTE, aka ChyNode, attributed on the page to Axiom).
    // The detection logic lives entirely in the ten $sequence_* hex patterns
    // below plus the condition at the bottom; the meta block is informational.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.highnote."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote"
        // malpedia_rule_date differs from the rule's own date above; presumably the
        // date of the Malpedia data snapshot the rule was generated from — verify.
        malpedia_rule_date = "20220513"
        // NOTE(review): looks like a Malpedia dataset/revision identifier rather
        // than a sample hash — confirm before treating it as an IoC.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of N consecutive x86 (32-bit) instructions taken
    // from the sample; the "n = ..." comment gives the instruction count and the
    // "score" is the generator's selection metric (meaning not documented here).
    // "??" nibble wildcards mask absolute 32-bit addresses (the blank disassembly
    // column marks those instructions) so the pattern is not tied to one image base.
    strings:
        // Byte loads relative to a stack frame — reads like genuine code (e.g. a
        // byte-wise transform loop); presumably the most portable of the ten.
        $sequence_0 = { 8a8c75f4fdffff 0fb69475f5fdffff 8d85f0fcffff 50 }
            // n = 4, score = 200
            //   8a8c75f4fdffff       | mov                 cl, byte ptr [ebp + esi*2 - 0x20c]
            //   0fb69475f5fdffff     | movzx               edx, byte ptr [ebp + esi*2 - 0x20b]
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]
            //   50                   | push                eax

        // f605 ???????? 8c = test byte ptr [abs32], 0x8c; a3 ???????? = mov [abs32], eax.
        $sequence_1 = { f605????????8c 0f85b8000000 be323f27ce 24a3 a3???????? 2632b61d037935 47 }
            // n = 7, score = 200
            //   f605????????8c       |                     
            //   0f85b8000000         | jne                 0xbe
            //   be323f27ce           | mov                 esi, 0xce273f32
            //   24a3                 | and                 al, 0xa3
            //   a3????????           |                     
            //   2632b61d037935       | xor                 dh, byte ptr es:[esi + 0x3579031d]
            //   47                   | inc                 edi

        // NOTE(review): sequences 2-9 disassemble to rare/privileged or nonsensical
        // instructions (pop ds, out, in, cli/popfd, lds, salc, cmc, huge random
        // displacements). That pattern is typical of non-code bytes (encrypted or
        // compressed data, or a mis-disassembled region) rather than real routines,
        // so these are probably sample-specific and will generalize poorly — confirm
        // against additional samples before raising confidence.
        $sequence_2 = { 89d5 84bc9f4b27b071 79bd bf4d8b4d7b 1f d2b625d4dee6 }
            // n = 6, score = 200
            //   89d5                 | mov                 ebp, edx
            //   84bc9f4b27b071       | test                byte ptr [edi + ebx*4 + 0x71b0274b], bh
            //   79bd                 | jns                 0xffffffbf
            //   bf4d8b4d7b           | mov                 edi, 0x7b4d8b4d
            //   1f                   | pop                 ds
            //   d2b625d4dee6         | sal                 byte ptr [esi - 0x19212bdb], cl

        $sequence_3 = { 2abb227d6652 10b35ec9a720 0467 306c3550 ef }
            // n = 5, score = 200
            //   2abb227d6652         | sub                 bh, byte ptr [ebx + 0x52667d22]
            //   10b35ec9a720         | adc                 byte ptr [ebx + 0x20a7c95e], dh
            //   0467                 | add                 al, 0x67
            //   306c3550             | xor                 byte ptr [ebp + esi + 0x50], ch
            //   ef                   | out                 dx, eax

        // a1 ???????? = mov eax, [abs32]; the absolute address is wildcarded.
        $sequence_4 = { fa 91 d2dc 99 13ce a1???????? 9d }
            // n = 7, score = 200
            //   fa                   | cli                 
            //   91                   | xchg                eax, ecx
            //   d2dc                 | rcr                 ah, cl
            //   99                   | cdq                 
            //   13ce                 | adc                 ecx, esi
            //   a1????????           |                     
            //   9d                   | popfd               

        $sequence_5 = { 872c353e982ec0 261dac2f229f 2bda 8174184b043ecafc a897 56 }
            // n = 6, score = 200
            //   872c353e982ec0       | xchg                dword ptr [esi - 0x3fd167c2], ebp
            //   261dac2f229f         | sbb                 eax, 0x9f222fac
            //   2bda                 | sub                 ebx, edx
            //   8174184b043ecafc     | xor                 dword ptr [eax + ebx + 0x4b], 0xfcca3e04
            //   a897                 | test                al, 0x97
            //   56                   | push                esi

        $sequence_6 = { 26689dce7cdb 99 4e 796b 49 1e 838bc73ef8174e }
            // n = 7, score = 200
            //   26689dce7cdb         | push                0xdb7cce9d
            //   99                   | cdq                 
            //   4e                   | dec                 esi
            //   796b                 | jns                 0x6d
            //   49                   | dec                 ecx
            //   1e                   | push                ds
            //   838bc73ef8174e       | or                  dword ptr [ebx + 0x17f83ec7], 0x4e

        $sequence_7 = { e2d0 3471 ed 299d24922015 }
            // n = 4, score = 200
            //   e2d0                 | loop                0xffffffd2
            //   3471                 | xor                 al, 0x71
            //   ed                   | in                  eax, dx
            //   299d24922015         | sub                 dword ptr [ebp + 0x15209224], ebx

        $sequence_8 = { dd3a 1365ac a7 1866b5 1336 1150c8 e41e }
            // n = 7, score = 200
            //   dd3a                 | fnstsw              dword ptr [edx]
            //   1365ac               | adc                 esp, dword ptr [ebp - 0x54]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   1866b5               | sbb                 byte ptr [esi - 0x4b], ah
            //   1336                 | adc                 esi, dword ptr [esi]
            //   1150c8               | adc                 dword ptr [eax - 0x38], edx
            //   e41e                 | in                  al, 0x1e

        $sequence_9 = { 657630 99 58 f5 bdff7feee0 c584aa5c2aa4e2 d6 }
            // n = 7, score = 200
            //   657630               | jbe                 0x33
            //   99                   | cdq                 
            //   58                   | pop                 eax
            //   f5                   | cmc                 
            //   bdff7feee0           | mov                 ebp, 0xe0ee7fff
            //   c584aa5c2aa4e2       | lds                 eax, ptr [edx + ebp*4 - 0x1d5bd5a4]
            //   d6                   | salc                

    // Fires when at least 7 of the 10 $sequence_* patterns are present AND the
    // scanned object is smaller than 321536 bytes (0x4e800). The size bound is a
    // performance/false-positive guard derived from the sample set; it will skip
    // larger builds, padded or bundled samples. NOTE(review): the strings came
    // from memory dumps/unpacked files, but `filesize` refers to the scanned
    // object — check how your YARA engine evaluates it on process-memory scans
    // (if undefined there, the comparison is false and the rule cannot match).
    condition:
        7 of them and filesize < 321536
}