win.homefry

homefry

Actor(s): Leviathan


HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some of its strings are obfuscated with a single-byte XOR key of 0x56. The malware accepts up to two command-line arguments: one that displays cleartext credentials for each logon session, and a second that displays cleartext credentials, NTLM hashes, and the malware version for each logon session. Both modes emit per-logon-session secrets, so observing this tool executing on a host should be treated as evidence that credentials on that host are compromised.

References
2020 — Secureworks (author: SecureWorks)
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2018-03-16 — FireEye (author: FireEye)
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan
Yara Rules
[TLP:WHITE] win_homefry_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_homefry_auto {

    // Rule metadata as published by Malpedia. The rule itself is generated,
    // not hand-written: see the DISCLAIMER below for what that implies.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // Generator feature set used to pick the byte sequences below
        // (presumably: call/jump sites, data references, binary values).
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20201014"
        // 40 hex characters (SHA-1-sized); presumably the reference sample's
        // hash in Malpedia -- verify against the Malpedia entry before relying on it.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The per-instruction comments shipped with the generated rule were
     * 32-bit-mode disassembly that did not line up with the listed byte
     * sequences (for example "4885c0" was annotated as a mov through ebp).
     * They have been replaced below with an x86-64 decoding of each sequence,
     * which is consistent with the family being described as 64-bit Windows
     * code. The byte patterns themselves are unchanged. The "????????"
     * wildcards stand for rel32/disp32 operands (RIP-relative data
     * references, call targets) that the generator masked out.
     */


    strings:
        // test a return value, then zero r8 and make an indirect call through rax.
        $sequence_0 = { 4885c0 7430 4533c0 4c8d8df0020000 b201 418d4814 ffd0 }
            // n = 7, score = 100
            //   4885c0               | test                rax, rax
            //   7430                 | je                  +0x30
            //   4533c0               | xor                 r8d, r8d
            //   4c8d8df0020000       | lea                 r9, [rbp + 0x2f0]
            //   b201                 | mov                 dl, 1
            //   418d4814             | lea                 ecx, [r8 + 0x14]   ; r8 was just zeroed, so ecx = 0x14
            //   ffd0                 | call                rax

        // callee-saved register spills in a function prologue / call setup.
        $sequence_1 = { 8d4730 48895c2430 48896c2438 8bc8 }
            // n = 4, score = 100
            //   8d4730               | lea                 eax, [rdi + 0x30]
            //   48895c2430           | mov                 qword ptr [rsp + 0x30], rbx
            //   48896c2438           | mov                 qword ptr [rsp + 0x38], rbp
            //   8bc8                 | mov                 ecx, eax

        // load a pointer from a global, dereference it, and set up stack-buffer arguments.
        $sequence_2 = { 488b0d???????? 488d842480000000 458d4e04 488b09 4c8d442478 }
            // n = 5, score = 100
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   488d842480000000     | lea                 rax, [rsp + 0x80]
            //   458d4e04             | lea                 r9d, [r14 + 4]
            //   488b09               | mov                 rcx, qword ptr [rcx]
            //   4c8d442478           | lea                 r8, [rsp + 0x78]

        $sequence_3 = { 4803d1 e8???????? 33ed 4c8bd8 48898424a0000000 }
            // n = 5, score = 100
            //   4803d1               | add                 rdx, rcx
            //   e8????????           | call                rel32
            //   33ed                 | xor                 ebp, ebp
            //   4c8bd8               | mov                 r11, rax
            //   48898424a0000000     | mov                 qword ptr [rsp + 0xa0], rax

        // indirect call through rbp followed by a sign check (js) on the result,
        // then the same global-pointer dereference shape as $sequence_2.
        $sequence_4 = { ffd5 85c0 0f8860010000 488b0d???????? 458d4e20 4c8d05480f0000 488b09 }
            // n = 7, score = 100
            //   ffd5                 | call                rbp
            //   85c0                 | test                eax, eax
            //   0f8860010000         | js                  +0x160
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32]
            //   458d4e20             | lea                 r9d, [r14 + 0x20]
            //   4c8d05480f0000       | lea                 r8, [rip + 0xf48]
            //   488b09               | mov                 rcx, qword ptr [rcx]

        // two RIP-relative addresses passed as arguments, a global store, a call,
        // a global counter increment and a return value of 1.
        $sequence_5 = { 488d15bf200000 488d0da8200000 488905???????? e8???????? ff05???????? b801000000 }
            // n = 6, score = 100
            //   488d15bf200000       | lea                 rdx, [rip + 0x20bf]
            //   488d0da8200000       | lea                 rcx, [rip + 0x20a8]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   e8????????           | call                rel32
            //   ff05????????         | inc                 dword ptr [rip + disp32]
            //   b801000000           | mov                 eax, 1

        // argument shuffling into the x64 calling-convention registers before a call.
        $sequence_6 = { 4d8bce 4d8bc2 498bd7 e8???????? }
            // n = 4, score = 100
            //   4d8bce               | mov                 r9, r14
            //   4d8bc2               | mov                 r8, r10
            //   498bd7               | mov                 rdx, r15
            //   e8????????           | call                rel32

        $sequence_7 = { 48890d???????? 8905???????? e8???????? 4885c0 7511 }
            // n = 5, score = 100
            //   48890d????????       | mov                 qword ptr [rip + disp32], rcx
            //   8905????????         | mov                 dword ptr [rip + disp32], eax
            //   e8????????           | call                rel32
            //   4885c0               | test                rax, rax
            //   7511                 | jne                 +0x11

        // two calls through the import table (call [rip + disp32]), each taking a
        // 32-bit argument from the stack; the first result is stored in a global.
        $sequence_8 = { 85c0 0f889e000000 8b4c2470 ff15???????? 8b4c2478 488905???????? ff15???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f889e000000         | js                  +0x9e
            //   8b4c2470             | mov                 ecx, dword ptr [rsp + 0x70]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   8b4c2478             | mov                 ecx, dword ptr [rsp + 0x78]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   ff15????????         | call                qword ptr [rip + disp32]

        // sign-extended table lookup and pointer arithmetic.
        $sequence_9 = { 4a634418f9 482bc2 4883c0fd 4903c0 }
            // n = 4, score = 100
            //   4a634418f9           | movsxd              rax, dword ptr [rax + r11 - 7]
            //   482bc2               | sub                 rax, rdx
            //   4883c0fd             | add                 rax, -3
            //   4903c0               | add                 rax, r8

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 64 KiB.
        // NOTE(review): YARA documents `filesize` as undefined when scanning a
        // running process, so in our reading the second clause stops this rule
        // from firing on live process memory; it will only match files (a PE on
        // disk or a written-out dump). Confirm this is acceptable before
        // deploying the rule for memory scanning.
        7 of them and filesize < 65536
}