Actor(s): Aurora Panda, Hurricane Panda
There is no description at this point.
rule win_hikit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.hikit." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 ff15???????? 8d442420 50 c7451401000000 8b8b980a0000 038b940a0000 } // n = 7, score = 100 // 56 | push esi // ff15???????? | // 8d442420 | lea eax, dword ptr [esp + 0x20] // 50 | push eax // c7451401000000 | mov dword ptr [ebp + 0x14], 1 // 8b8b980a0000 | mov ecx, dword ptr [ebx + 0xa98] // 038b940a0000 | add ecx, dword ptr [ebx + 0xa94] $sequence_1 = { 53 50 51 e8???????? 33d2 83c40c 3bc3 } // n = 7, score = 100 // 53 | push ebx // 50 | push eax // 51 | push ecx // e8???????? | // 33d2 | xor edx, edx // 83c40c | add esp, 0xc // 3bc3 | cmp eax, ebx $sequence_2 = { 5e 56 8d45f8 50 ff15???????? 85c0 0f85b8fdffff } // n = 7, score = 100 // 5e | pop esi // 56 | push esi // 8d45f8 | lea eax, dword ptr [ebp - 8] // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 0f85b8fdffff | jne 0xfffffdbe $sequence_3 = { 8b4c2440 e8???????? 4c 8b5c2440 41 0fb64368 83f804 } // n = 7, score = 100 // 8b4c2440 | mov ecx, dword ptr [esp + 0x40] // e8???????? | // 4c | dec esp // 8b5c2440 | mov ebx, dword ptr [esp + 0x40] // 41 | inc ecx // 0fb64368 | movzx eax, byte ptr [ebx + 0x68] // 83f804 | cmp eax, 4 $sequence_4 = { 83b84c01000001 0f8e28010000 837c242001 750c 48 8b442450 c6803201000001 } // n = 7, score = 100 // 83b84c01000001 | cmp dword ptr [eax + 0x14c], 1 // 0f8e28010000 | jle 0x12e // 837c242001 | cmp dword ptr [esp + 0x20], 1 // 750c | jne 0xe // 48 | dec eax // 8b442450 | mov eax, dword ptr [esp + 0x50] // c6803201000001 | mov byte ptr [eax + 0x132], 1 $sequence_5 = { 48 8b8424d8000000 8b4004 898424b0000000 83bc24b000000036 7307 } // n = 6, score = 100 // 48 | dec eax // 8b8424d8000000 | mov eax, dword ptr [esp + 0xd8] // 8b4004 | mov eax, dword ptr [eax + 4] // 898424b0000000 | mov dword ptr [esp + 0xb0], eax // 83bc24b000000036 | cmp dword ptr [esp + 0xb0], 0x36 // 7307 | jae 9 $sequence_6 = { 48 894c2408 48 83ec68 4c 8b442470 4d } // n = 7, score = 100 // 48 | dec eax // 894c2408 | mov dword ptr [esp + 8], ecx // 48 | dec eax // 83ec68 | sub esp, 0x68 // 4c | dec esp // 8b442470 | mov eax, dword ptr [esp + 0x70] // 4d | dec ebp $sequence_7 = { 1bc0 40 894608 e9???????? 8bfd 8bc6 e8???????? } // n = 7, score = 100 // 1bc0 | sbb eax, eax // 40 | inc eax // 894608 | mov dword ptr [esi + 8], eax // e9???????? | // 8bfd | mov edi, ebp // 8bc6 | mov eax, esi // e8???????? | $sequence_8 = { 898180010000 48 8b442460 c70004000000 48 8b442468 } // n = 6, score = 100 // 898180010000 | mov dword ptr [ecx + 0x180], eax // 48 | dec eax // 8b442460 | mov eax, dword ptr [esp + 0x60] // c70004000000 | mov dword ptr [eax], 4 // 48 | dec eax // 8b442468 | mov eax, dword ptr [esp + 0x68] $sequence_9 = { 50 6a00 6a00 8b8de07fffff 51 8d95e87fffff 52 } // n = 7, score = 100 // 50 | push eax // 6a00 | push 0 // 6a00 | push 0 // 8b8de07fffff | mov ecx, dword ptr [ebp - 0x8020] // 51 | push ecx // 8d95e87fffff | lea edx, dword ptr [ebp - 0x8018] // 52 | push edx condition: 7 of them and filesize < 573440 }
rule win_hikit_w0 { meta: author = "31ric" description = "Backdoor.Hikit is a Trojan horse that opens a back door on the compromised computer." source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/hiddenlynxfiles.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $f1 = "w7fw.sys" nocase ascii wide $f2 = "w7fw_m.inf" nocase ascii wide $f3 = "w7fw.inf" nocase ascii wide $f4 = "w7fw.cat" nocase ascii wide condition: 1 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
