win.homefry

homefry

Actor(s): Leviathan


A 64-bit Windows password dumper/cracker that has previously been used alongside the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with a single-byte XOR using the key 0x56. The malware accepts up to two command-line arguments: one displays cleartext credentials for each logon session; the second displays cleartext credentials, NTLM hashes, and the malware version for each logon session.

References
2020-01-01 — Secureworks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2018-03-16 — FireEye
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40
Yara Rules
[TLP:WHITE] win_homefry_auto (20230808 | Detects win.homefry.)
rule win_homefry_auto {
    // Auto-generated (yara-signator) byte-sequence signature for the homefry
    // 64-bit Windows credential dumper. The DISCLAIMER below explains how the
    // sequences were selected; read it before assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw opcode bytes; `??` wildcards stand in for
    // the bytes the generator masks out (call/jump targets and data references,
    // per `signator_config`), so the sequences survive relocation/rebasing.
    // NOTE(review): the `//` mnemonic annotations beside the bytes are generator
    // output and in several places do not line up with the hex on the same line
    // (e.g. `4863d5` is annotated `lea ecx, [ecx + 1]`). YARA matches only the
    // hex; treat the hex as authoritative and re-disassemble in 64-bit mode if
    // you need the instruction semantics.
    strings:
        $sequence_0 = { e8???????? 4863d5 4803d0 488b05???????? 488917 48630a }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4863d5               | lea                 ecx, [ecx + 1]
            //   4803d0               | add                 edi, eax
            //   488b05????????       |                     
            //   488917               | dec                 eax
            //   48630a               | dec                 edx

        $sequence_1 = { 4889b5f0020000 4803cb ff15???????? 85c0 7873 488b95f0020000 }
            // n = 6, score = 100
            //   4889b5f0020000       | dec                 eax
            //   4803cb               | cmp                 eax, -1
            //   ff15????????         |                     
            //   85c0                 | jne                 0x7ba
            //   7873                 | dec                 eax
            //   488b95f0020000       | mov                 edx, ecx

        $sequence_2 = { 740f 8bcf 4803cd 7408 }
            // n = 4, score = 100
            //   740f                 | dec                 eax
            //   8bcf                 | mov                 ebx, ebp
            //   4803cd               | dec                 eax
            //   7408                 | mov                 dword ptr [esp + 0x30], ebx

        $sequence_3 = { 8b4c2470 ff15???????? 8b4c2478 488905???????? ff15???????? 488b0d???????? }
            // n = 6, score = 100
            //   8b4c2470             | lea                 edx, [0x2b59]
            //   ff15????????         |                     
            //   8b4c2478             | test                eax, eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488b0d????????       |                     

        $sequence_4 = { c705????????94000000 ff15???????? 33d2 8d4a02 ff15???????? 488bd8 }
            // n = 6, score = 100
            //   c705????????94000000     |     
            //   ff15????????         |                     
            //   33d2                 | dec                 eax
            //   8d4a02               | mov                 dword ptr [eax + 0x20], ebp
            //   ff15????????         |                     
            //   488bd8               | jbe                 0x359

        $sequence_5 = { e8???????? 84c0 0f8418010000 48833d????????00 48899c24a0000000 4889b424a8000000 7471 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   84c0                 | arpl                si, cx
            //   0f8418010000         | dec                 ebp
            //   48833d????????00     |                     
            //   48899c24a0000000     | arpl                si, ax
            //   4889b424a8000000     | dec                 eax
            //   7471                 | arpl                word ptr [ecx + eax], si

        $sequence_6 = { ff15???????? 488bcb ff15???????? 4881c420040000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   4881c420040000       | lea                 eax, [0x21f6]

        $sequence_7 = { 488bc8 e8???????? 84c0 7426 48630d???????? 488bc3 85c9 }
            // n = 7, score = 100
            //   488bc8               | je                  0x7ba
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   7426                 | mov                 ecx, dword ptr [ebp + 0x300]
            //   48630d????????       |                     
            //   488bc3               | dec                 eax
            //   85c9                 | add                 ecx, ebx

        $sequence_8 = { e8???????? eb05 e8???????? 84c0 7511 488d0ddd180000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   eb05                 | je                  0x612
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   7511                 | mov                 eax, dword ptr [ebx]
            //   488d0ddd180000       | cmp                 dword ptr [esi], ecx

        $sequence_9 = { 483bdd 72d0 488bcf ff15???????? 33c0 488b5c2430 488b6c2438 }
            // n = 7, score = 100
            //   483bdd               | sub                 esp, 0x20
            //   72d0                 | dec                 eax
            //   488bcf               | mov                 ebx, edx
            //   ff15????????         |                     
            //   33c0                 | dec                 eax
            //   488b5c2430           | mov                 edi, ecx
            //   488b6c2438           | inc                 esp

    // Match requires 7 of the 10 sequences plus a size cap of 64 KiB.
    // NOTE(review): `filesize` is only defined when the scanned object is a
    // file; against a live process it is undefined and the whole condition
    // evaluates false, and a dumped image larger than 64 KiB is excluded even
    // though the sequences were drawn from memory dumps (see DISCLAIMER).
    // Confirm this is intended before using the rule on process memory or
    // dumps; dropping the `filesize` term trades the cap for coverage there.
    condition:
        7 of them and filesize < 65536
}