win.homefry

homefry

Actor(s): Leviathan


HOMEFRY is a 64-bit Windows password dumper/cracker — a post-exploitation credential-theft tool rather than a first-stage implant — that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some of its strings are obfuscated with a single-byte XOR key (0x56). The malware accepts up to two command-line arguments: one displays cleartext credentials for each login session, and a second displays cleartext credentials, NTLM hashes, and the malware version for each login session.

References
2020 — Secureworks (SecureWorks)
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2018-03-16 — FireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan
Yara Rules
[TLP:WHITE] win_homefry_auto (20211008 | Detects win.homefry.)
rule win_homefry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - HOMEFRY is a 64-bit binary, but the per-instruction comments originally
     *   emitted with this rule decoded the bytes as 32-bit x86 (e.g. the 0x48 REX.W
     *   prefix was read as "dec eax"), so they did not describe the code the
     *   patterns actually match. The comments below give the x86-64 decoding of
     *   each byte sequence; the byte patterns and the condition are unchanged.
     * - The sequences are ordinary prologue/epilogue, argument-setup and
     *   indirect-call fragments. Call targets and most RIP-relative displacements
     *   are wildcarded (??), but $sequence_8 keeps two literal RIP-relative
     *   displacements (0x28fd, 0x28bf) that are tied to the layout of the single
     *   documented sample and may not survive a recompiled variant.
     * - The condition uses `filesize`, which YARA only defines when scanning a file;
     *   on a process-memory scan the comparison is undefined and the rule is not
     *   expected to fire. Use it on files and unpacked dumps on disk.
     * - Generated from one sample (see DISCLAIMER): treat a hit as a lead to
     *   confirm against the family description (XOR 0x56 string obfuscation,
     *   per-session credential / NTLM-hash output), not as a verdict on its own.
     */

    strings:
        $sequence_0 = { 48896c2418 57 4881ec90000000 488bea }
            // n = 4, score = 100
            // x86-64: function prologue - save rbp and rdi, reserve 0x90 bytes of
            // stack, keep rdx (2nd-argument register under the Windows x64 ABI) in rbp
            //   48896c2418           | mov                 qword ptr [rsp + 0x18], rbp
            //   57                   | push                rdi
            //   4881ec90000000       | sub                 rsp, 0x90
            //   488bea               | mov                 rbp, rdx

        $sequence_1 = { 488d5710 488d4f20 4c8bc3 e8???????? }
            // n = 4, score = 100
            // x86-64: three-argument call (rcx = rdi+0x20, rdx = rdi+0x10, r8 = rbx);
            // the rel32 call target is wildcarded
            //   488d5710             | lea                 rdx, [rdi + 0x10]
            //   488d4f20             | lea                 rcx, [rdi + 0x20]
            //   4c8bc3               | mov                 r8, rbx
            //   e8????????           | call                <rel32, wildcarded>

        $sequence_2 = { 4803d3 4c03c0 486305???????? 4c890d???????? }
            // n = 4, score = 100
            // x86-64: pointer arithmetic plus a sign-extended global load and a global store;
            // both RIP-relative disp32 values are wildcarded
            //   4803d3               | add                 rdx, rbx
            //   4c03c0               | add                 r8, rax
            //   486305????????       | movsxd              rax, dword ptr [rip + ?]
            //   4c890d????????       | mov                 qword ptr [rip + ?], r9

        $sequence_3 = { 4885c0 750b 488b5c2468 4883c450 5f c3 }
            // n = 6, score = 100
            // x86-64: test of a return value; if zero, fall into the epilogue and return
            //   4885c0               | test                rax, rax
            //   750b                 | jne                 +0x0b   (skips the epilogue below)
            //   488b5c2468           | mov                 rbx, qword ptr [rsp + 0x68]
            //   4883c450             | add                 rsp, 0x50
            //   5f                   | pop                 rdi
            //   c3                   | ret

        $sequence_4 = { 4803d1 e8???????? 33ed 4c8bd8 }
            // n = 4, score = 100
            // x86-64: call with rdx adjusted by rcx, then clear ebp and keep the result in r11
            //   4803d1               | add                 rdx, rcx
            //   e8????????           | call                <rel32, wildcarded>
            //   33ed                 | xor                 ebp, ebp
            //   4c8bd8               | mov                 r11, rax

        $sequence_5 = { b938000000 488bf8 ff15???????? 4c8b0d???????? 488b0d???????? }
            // n = 5, score = 100
            // x86-64: ecx = 0x38 (1st-argument register) and an indirect call through a
            // RIP-relative pointer (typically an IAT entry), followed by two global loads
            //   b938000000           | mov                 ecx, 0x38
            //   488bf8               | mov                 rdi, rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   4c8b0d????????       | mov                 r9, qword ptr [rip + ?]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + ?]

        $sequence_6 = { ff15???????? 488bcb ff15???????? 4881c420040000 }
            // n = 4, score = 100
            // x86-64: two indirect calls (second one with rcx = rbx), then release a
            // 0x420-byte stack frame
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + ?]
            //   4881c420040000       | add                 rsp, 0x420

        $sequence_7 = { 486305???????? 48631418 4883c004 4983c1f3 }
            // n = 4, score = 100
            // x86-64: sign-extended 32-bit loads (one global, one indexed by rbx) and
            // counter updates; looks like a table-walking loop body
            //   486305????????       | movsxd              rax, dword ptr [rip + ?]
            //   48631418             | movsxd              rdx, dword ptr [rax + rbx]
            //   4883c004             | add                 rax, 4
            //   4983c1f3             | add                 r9, -0xd

        $sequence_8 = { ff15???????? 488d15fd280000 488bc8 488905???????? ff15???????? 488b0d???????? 488d15bf280000 }
            // n = 7, score = 100
            // x86-64: result of one indirect call is stored to a global and passed in rcx,
            // with a RIP-relative pointer in rdx, to a second indirect call.
            // NOTE(review): this shape is consistent with a handle-plus-name lookup such as
            // GetProcAddress, but the call targets are wildcarded - confirm against the sample.
            // The two lea displacements are literal and specific to this build.
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488d15fd280000       | lea                 rdx, [rip + 0x28fd]   (literal, sample-specific)
            //   488bc8               | mov                 rcx, rax
            //   488905????????       | mov                 qword ptr [rip + ?], rax
            //   ff15????????         | call                qword ptr [rip + ?]
            //   488b0d????????       | mov                 rcx, qword ptr [rip + ?]
            //   488d15bf280000       | lea                 rdx, [rip + 0x28bf]   (literal, sample-specific)

        $sequence_9 = { 483bdd 72d0 488bcf ff15???????? 33c0 488b5c2430 488b6c2438 }
            // n = 7, score = 100
            // x86-64: end of a loop (backward jb while rbx < rbp, unsigned), then an
            // indirect call with rcx = rdi, return value 0, and callee-saved register restores
            //   483bdd               | cmp                 rbx, rbp
            //   72d0                 | jb                  -0x30   (backward branch)
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + ?]
            //   33c0                 | xor                 eax, eax
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   488b6c2438           | mov                 rbp, qword ptr [rsp + 0x38]

    condition:
        // At least 7 of the 10 code fragments must be present, and only in files
        // smaller than 64 KiB. `filesize` is only defined for file scans, so this
        // rule is not expected to match when scanning process memory.
        7 of them and filesize < 65536
}