win.homefry

homefry

Actor(s): Leviathan


HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with a single-byte XOR (key 0x56). The malware accepts up to two command-line arguments: one to display cleartext credentials for each logon session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each logon session. For defenders this is credential-dumping tooling (ATT&CK T1003, OS Credential Dumping): a hit should be triaged as credential theft, with the co-deployed AIRBREAK/BADFLICK backdoors and the 0x56 XOR-obfuscated strings serving as pivot points during hunting.

References
2020 — SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2018-03-16 — FireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40
Yara Rules
[TLP:WHITE] win_homefry_auto (20230125 | Detects win.homefry.)
rule win_homefry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every $sequence_N string is a run of raw x86-64 instruction bytes taken
     *   from the unpacked sample. "??" masks RIP-relative displacements, call
     *   targets and data references that change between builds/relocations, so
     *   only the opcode/ModRM/immediate bytes are pinned.
     * - The per-byte annotations shipped with the auto-generated rule did not
     *   correspond to the bytes (they read like a 32-bit decode of 64-bit code).
     *   The annotations below are re-decoded as x86-64. Where a comment goes
     *   beyond what the bytes establish (e.g. why the compiler emitted the
     *   pattern) it is marked as an assumption.
     * - Per the DISCLAIMER the rule may derive from a single sample: treat a
     *   hit as a strong indicator, not a verdict, and confirm against the
     *   family description (XOR-0x56 strings, per-logon-session credential
     *   output) before acting on it.
     */


    strings:
        $sequence_0 = { 731f c705????????08000000 eb13 bb06000000 488d3d14290000 }
            // n = 5, score = 100
            //   731f                 | jae     +0x1f                 (short conditional jump)
            //   c705????????08000000 | mov     dword ptr [rip+disp32], 8   (global written with constant 8; address masked)
            //   eb13                 | jmp     +0x13
            //   bb06000000           | mov     ebx, 6
            //   488d3d14290000       | lea     rdi, [rip+0x2914]     (RIP-relative data/string reference)

        $sequence_1 = { 4157 4883ec20 448bf2 488bf1 498bf8 498d4e08 }
            // n = 6, score = 100
            //   4157                 | push    r15
            //   4883ec20             | sub     rsp, 0x20             (0x20 is the Win64 home-space size - presumably a prologue)
            //   448bf2               | mov     r14d, edx
            //   488bf1               | mov     rsi, rcx
            //   498bf8               | mov     rdi, r8
            //   498d4e08             | lea     rcx, [r14+8]
            // NOTE(review): rcx/rdx/r8 being saved into callee-saved registers is
            // consistent with the first three Microsoft-x64 arguments - not proven here.

        $sequence_2 = { 4883ec40 488b0d???????? 488d15471f0000 4533f6 ff15???????? }
            // n = 5, score = 100
            //   4883ec40             | sub     rsp, 0x40
            //   488b0d????????       | mov     rcx, qword ptr [rip+disp32]   (address masked)
            //   488d15471f0000       | lea     rdx, [rip+0x1f47]
            //   4533f6               | xor     r14d, r14d            (zero r14d)
            //   ff15????????         | call    qword ptr [rip+disp32]        (indirect call via IAT-style slot; target masked)

        $sequence_3 = { b857866f44 410fb63a f7e3 8bc3 2bc2 d1e8 }
            // n = 6, score = 100
            //   b857866f44           | mov     eax, 0x446f8657
            //   410fb63a             | movzx   edi, byte ptr [r10]
            //   f7e3                 | mul     ebx                   (edx:eax = eax * ebx)
            //   8bc3                 | mov     eax, ebx
            //   2bc2                 | sub     eax, edx
            //   d1e8                 | shr     eax, 1
            // NOTE(review): mov imm32 / mul / sub / shr is the shape of compiler-generated
            // unsigned division by a constant (reciprocal "magic number"); the divisor
            // is not derived here - verify in the disassembly if it matters.

        $sequence_4 = { 7416 8b0c2b 8bc3 390e 750d 8b4c2b04 394e04 }
            // n = 7, score = 100
            //   7416                 | je      +0x16
            //   8b0c2b               | mov     ecx, dword ptr [rbx+rbp]
            //   8bc3                 | mov     eax, ebx
            //   390e                 | cmp     dword ptr [rsi], ecx
            //   750d                 | jne     +0xd
            //   8b4c2b04             | mov     ecx, dword ptr [rbx+rbp+4]
            //   394e04               | cmp     dword ptr [rsi+4], ecx
            // (two consecutive dwords at [rbx+rbp] compared against [rsi] - an 8-byte
            //  equality check done as two 32-bit compares)

        $sequence_5 = { 488d15bf200000 488d0da8200000 488905???????? e8???????? ff05???????? b801000000 }
            // n = 6, score = 100
            //   488d15bf200000       | lea     rdx, [rip+0x20bf]
            //   488d0da8200000       | lea     rcx, [rip+0x20a8]
            //   488905????????       | mov     qword ptr [rip+disp32], rax   (store to global; address masked)
            //   e8????????           | call    rel32                 (target masked)
            //   ff05????????         | inc     dword ptr [rip+disp32]        (global counter; address masked)
            //   b801000000           | mov     eax, 1

        $sequence_6 = { ff15???????? 4c8b0d???????? 458d4708 488d542458 488bce }
            // n = 5, score = 100
            //   ff15????????         | call    qword ptr [rip+disp32]        (target masked)
            //   4c8b0d????????       | mov     r9, qword ptr [rip+disp32]    (address masked)
            //   458d4708             | lea     r8d, [r15+8]
            //   488d542458           | lea     rdx, [rsp+0x58]
            //   488bce               | mov     rcx, rsi
            // (rcx/rdx/r8/r9 all loaded right after a call - consistent with setting
            //  up a four-argument Win64 call that follows; the callee is outside the pattern)

        $sequence_7 = { 448d50ff 66660f1f840000000000 0fb601 c1e304 }
            // n = 4, score = 100
            //   448d50ff             | lea     r10d, [rax-1]
            //   66660f1f840000000000 | nop     word ptr [rax+rax*1+0]        (10-byte NOP, typically loop-top alignment)
            //   0fb601               | movzx   eax, byte ptr [rcx]
            //   c1e304               | shl     ebx, 4
            // NOTE(review): byte load followed by shl 4 looks like nibble/hex accumulation;
            // the loop body continues past the pattern, so this is not established here.

        $sequence_8 = { e8???????? eb05 e8???????? 84c0 7511 488d0ddd180000 }
            // n = 6, score = 100
            //   e8????????           | call    rel32                 (target masked)
            //   eb05                 | jmp     +0x5                  (skips the second call)
            //   e8????????           | call    rel32                 (target masked)
            //   84c0                 | test    al, al                (boolean result of the call)
            //   7511                 | jne     +0x11
            //   488d0ddd180000       | lea     rcx, [rip+0x18dd]     (RIP-relative reference, presumably a string/buffer)

        $sequence_9 = { 2bf0 488d2d192a0000 488bc5 397008 }
            // n = 4, score = 100
            //   2bf0                 | sub     esi, eax
            //   488d2d192a0000       | lea     rbp, [rip+0x2a19]
            //   488bc5               | mov     rax, rbp
            //   397008               | cmp     dword ptr [rax+8], esi

    condition:
        // Any 7 of the 10 sequences must be present, which tolerates up to three
        // of them being relocated, patched or optimised differently in another build.
        // NOTE(review): "filesize < 65536" bounds hits to small files. When this
        // rule is applied to process memory or to larger unpacked/dumped images the
        // size bound suppresses matches even if 7 sequences are present; consider a
        // variant without the bound for memory scanning, tuned for false positives.
        7 of them and filesize < 65536
}