win.homefry

homefry

Actor(s): Leviathan


A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two command-line arguments: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2018-03-16 | FireEye | FireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan
Yara Rules
[TLP:WHITE] win_homefry_auto (20220516 | Detects win.homefry.)
rule win_homefry_auto {
    /* Autogenerated YARA-Signator rule for win.homefry (the Leviathan
     * credential dumper described above). It matches on ten short x86-64
     * code byte sequences ($sequence_0 .. $sequence_9) lifted from the
     * reference sample; the condition requires 7 of them in a file smaller
     * than 64 KiB. Being derived from a single sample (see DISCLAIMER), it is
     * a code-similarity signature, not a behavioural one -- weight it
     * accordingly when assigning confidence to a hit.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20220513"
        // 40-hex-character (SHA-1-length) identifier of the Malpedia sample the
        // rule was generated from -- presumably; confirm against Malpedia.
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings. The
        // `??` bytes wildcard call targets (e8 rel32) and RIP-relative
        // displacements (e.g. ff15 / 488b05 / 4c8b0d + disp32) that differ
        // between builds and load addresses; every other byte must match
        // exactly, so a recompiled or patched sample may drop below threshold.
        // NOTE(review): the `| mnemonic` annotations below appear to be 32-bit
        // decodes that are out of step with the bytes they sit next to (the
        // 0x48 REX.W prefix shows up as `dec eax`); treat the hex pattern, not
        // the annotation, as authoritative when reviewing or tuning the rule.
        $sequence_0 = { 4803d0 488b05???????? 488917 48630a 4883c104 4803ca 48890f }
            // n = 7, score = 100
            //   4803d0               | dec                 eax
            //   488b05????????       |                     
            //   488917               | add                 eax, 4
            //   48630a               | dec                 ecx
            //   4883c104             | add                 eax, eax
            //   4803ca               | dec                 ecx
            //   48890f               | add                 eax, ebx

        $sequence_1 = { e8???????? 488bcb ff15???????? 488bb424a8000000 488b9c24a0000000 488bac24b0000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488bcb               | dec                 ecx
            //   ff15????????         |                     
            //   488bb424a8000000     | dec                 eax
            //   488b9c24a0000000     | jne                 0x1c
            //   488bac24b0000000     | mov                 byte ptr [eax + 0xc], cl

        $sequence_2 = { 488bd8 ff15???????? 488b0d???????? 488d15621f0000 488bf0 }
            // n = 5, score = 100
            //   488bd8               | lea                 ecx, [esp + 0x20]
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   488d15621f0000       | dec                 eax
            //   488bf0               | mov                 edx, eax

        $sequence_3 = { 498d4e08 4533ff ff15???????? 4c8b0d???????? 458d4708 488d542458 488bce }
            // n = 7, score = 100
            //   498d4e08             | lea                 edx, [0x28fd]
            //   4533ff               | dec                 eax
            //   ff15????????         |                     
            //   4c8b0d????????       |                     
            //   458d4708             | mov                 ecx, eax
            //   488d542458           | dec                 eax
            //   488bce               | lea                 edx, [0x28bf]

        $sequence_4 = { 5d c3 488d0dcc2d0000 48899c2408040000 }
            // n = 4, score = 100
            //   5d                   | mov                 edi, dword ptr [esp + 0xb0]
            //   c3                   | dec                 eax
            //   488d0dcc2d0000       | mov                 esi, dword ptr [esp + 0xa8]
            //   48899c2408040000     | cmp                 ebx, 3

        $sequence_5 = { b938000000 488bf8 ff15???????? 4c8b0d???????? 488b0d???????? }
            // n = 5, score = 100
            //   b938000000           | test                esi, esi
            //   488bf8               | je                  0x2ec
            //   ff15????????         |                     
            //   4c8b0d????????       |                     
            //   488b0d????????       |                     

        $sequence_6 = { 488bea ff15???????? 488bf8 483bdd 7339 }
            // n = 5, score = 100
            //   488bea               | je                  0x823
            //   ff15????????         |                     
            //   488bf8               | mov                 edx, dword ptr [esp + 0x38]
            //   483bdd               | test                eax, eax
            //   7339                 | jne                 0x7fd

        $sequence_7 = { 4183c0d8 488b5110 488b4c2440 4883c128 4883c228 e8???????? 84c0 }
            // n = 7, score = 100
            //   4183c0d8             | dec                 eax
            //   488b5110             | cmp                 ebx, esi
            //   488b4c2440           | jae                 0x7e4
            //   4883c128             | dec                 eax
            //   4883c228             | add                 edi, edx
            //   e8????????           |                     
            //   84c0                 | dec                 ecx

        $sequence_8 = { 488bd3 488bc8 e8???????? 84c0 7426 418b041e 3907 }
            // n = 7, score = 100
            //   488bd3               | inc                 esp
            //   488bc8               | lea                 ecx, [edi + 0x18]
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   7426                 | mov                 ecx, eax
            //   418b041e             | mov                 dword ptr [esp + 0x60], 0x238
            //   3907                 | test                eax, eax

        $sequence_9 = { 7408 488bd6 e8???????? 488b6c2438 488b742440 488b7c2448 }
            // n = 6, score = 100
            //   7408                 | mov                 ecx, dword ptr [esp + 0x78]
            //   488bd6               | dec                 eax
            //   e8????????           |                     
            //   488b6c2438           | lea                 edx, [ebp - 0x70]
            //   488b742440           | dec                 eax
            //   488b7c2448           | mov                 dword ptr [eax], ecx

    condition:
        // 7 of the 10 sequences must be present, and the size bound restricts
        // hits to small on-disk binaries (a large file or a packed dropper that
        // only contains these bytes after unpacking will not match).
        // NOTE(review): `filesize` is only meaningful for file scans, so this
        // rule is not expected to fire when scanning process memory -- confirm
        // before relying on it for the memory-dump use case the DISCLAIMER
        // mentions.
        7 of them and filesize < 65536
}