win.homefry

homefry

Actor(s): Leviathan


A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with a single-byte XOR (key 0x56). The malware accepts up to two arguments on the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan
2018-03-16 | FireEye | FireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan
Yara Rules
[TLP:WHITE] win_homefry_auto (20210616 | Detects win.homefry.)
rule win_homefry_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Detection logic: ten x86-64 code fragments chosen automatically by
     * YARA-Signator (https://github.com/fxb-cocacoding/yara-signator) from
     * the disassembly of unpacked files and memory dumps. RIP-relative
     * displacements, call targets and data references are wildcarded (??)
     * so the fragments survive relocation and relinking.
     *
     * Caveat: Malpedia frequently holds only a single sample per family, so
     * the fragments may generalise poorly to other variants; weight the
     * rule's confidence accordingly when deploying it.
     *
     * The per-instruction listing under each fragment is a 64-bit decode of
     * exactly the bytes shown (the generator's own listing was a 32-bit
     * decode of unrelated bytes and did not match the pattern).
     */

    strings:
        // ret, then a sign-extending load via rdx and a RIP-relative global read.
        $sequence_0 = { C3 48 63 5A 07 48 8B 05 ?? ?? ?? ?? 48 83 C2 07 48 2B 5C 24 30 }
            // n = 5, score = 100
            //   c3                      | ret
            //   48 63 5a 07             | movsxd  rbx, dword ptr [rdx + 7]
            //   48 8b 05 ?? ?? ?? ??    | mov     rax, qword ptr [rip + disp32]
            //   48 83 c2 07             | add     rdx, 7
            //   48 2b 5c 24 30          | sub     rbx, qword ptr [rsp + 0x30]

        // "return 1" epilogue with a 0x68-byte frame, then `mov al, 1` of the
        // following code path.
        $sequence_1 = { B8 01 00 00 00 48 83 C4 68 C3 B0 01 }
            // n = 4, score = 100
            //   b8 01 00 00 00          | mov     eax, 1
            //   48 83 c4 68             | add     rsp, 0x68
            //   c3                      | ret
            //   b0 01                   | mov     al, 1

        // Conditional move plus a rcx adjustment against two RIP-relative
        // globals (sub then add).
        $sequence_2 = { 44 8D 45 08 0F 45 D9 48 8B 08 48 8D 94 24 A0 00 00 00 48 2B 0D ?? ?? ?? ?? 48 03 0D ?? ?? ?? ?? }
            // n = 6, score = 100
            //   44 8d 45 08             | lea     r8d, [rbp + 8]
            //   0f 45 d9                | cmovne  ebx, ecx
            //   48 8b 08                | mov     rcx, qword ptr [rax]
            //   48 8d 94 24 a0 00 00 00 | lea     rdx, [rsp + 0xa0]
            //   48 2b 0d ?? ?? ?? ??    | sub     rcx, qword ptr [rip + disp32]
            //   48 03 0d ?? ?? ?? ??    | add     rcx, qword ptr [rip + disp32]

        // Loop body: call through a RIP-relative pointer (presumably an IAT
        // slot - verify in the sample), counter edi compared against a bound.
        $sequence_3 = { 48 8B 95 F0 02 00 00 48 8B CA FF 15 ?? ?? ?? ?? FF C7 3B BD F8 02 00 00 }
            // n = 5, score = 100
            //   48 8b 95 f0 02 00 00    | mov     rdx, qword ptr [rbp + 0x2f0]
            //   48 8b ca                | mov     rcx, rdx
            //   ff 15 ?? ?? ?? ??       | call    qword ptr [rip + disp32]
            //   ff c7                   | inc     edi
            //   3b bd f8 02 00 00       | cmp     edi, dword ptr [rbp + 0x2f8]

        // Store a result to a global, null-test it, and (on the fall-through
        // path) load rcx with a fixed RIP-relative address before the epilogue.
        $sequence_4 = { 48 89 05 ?? ?? ?? ?? 48 85 C0 75 1C 48 8D 0D 07 0A 00 00 48 8B AC 24 B8 00 00 00 48 81 C4 90 00 00 00 }
            // n = 6, score = 100
            //   48 89 05 ?? ?? ?? ??    | mov     qword ptr [rip + disp32], rax
            //   48 85 c0                | test    rax, rax
            //   75 1c                   | jne     +0x1c
            //   48 8d 0d 07 0a 00 00    | lea     rcx, [rip + 0xa07]
            //   48 8b ac 24 b8 00 00 00 | mov     rbp, qword ptr [rsp + 0xb8]
            //   48 81 c4 90 00 00 00    | add     rsp, 0x90

        // Function prologue (shadow space only) reading two globals and
        // setting ecx = 10.
        $sequence_5 = { 57 48 83 EC 20 8B 35 ?? ?? ?? ?? 48 8B 1D ?? ?? ?? ?? B9 0A 00 00 00 48 03 F3 }
            // n = 6, score = 100
            //   57                      | push    rdi
            //   48 83 ec 20             | sub     rsp, 0x20
            //   8b 35 ?? ?? ?? ??       | mov     esi, dword ptr [rip + disp32]
            //   48 8b 1d ?? ?? ?? ??    | mov     rbx, qword ptr [rip + disp32]
            //   b9 0a 00 00 00          | mov     ecx, 0xa
            //   48 03 f3                | add     rsi, rbx

        // Alignment padding, then a byte-consuming loop: esi = (esi << 4) + *rdx++
        // with r8 counting down. Consistent with a nibble/hex accumulator,
        // but that interpretation is not confirmed from these bytes alone.
        $sequence_6 = { 0F 1F 40 00 66 0F 1F 84 00 00 00 00 00 0F B6 0A C1 E6 04 48 8D 52 01 03 F1 49 FF C8 }
            // n = 7, score = 100
            //   0f 1f 40 00             | nop     dword ptr [rax]
            //   66 0f 1f 84 00 00 00 00 00 | nop  word ptr [rax + rax]
            //   0f b6 0a                | movzx   ecx, byte ptr [rdx]
            //   c1 e6 04                | shl     esi, 4
            //   48 8d 52 01             | lea     rdx, [rdx + 1]
            //   03 f1                   | add     esi, ecx
            //   49 ff c8                | dec     r8

        // Immediates written to a stack buffer. The byte stream they form
        // (4c 89 1b 48 89 43 08 49 89 5b 08 48 8d ...) itself decodes as x64
        // instructions (mov [rbx], r11 / mov [rbx+8], rax / mov [r11+8], rbx
        // / lea ...), so this looks like a small code stub being assembled
        // on the stack. NOTE(review): confirm against the sample.
        $sequence_7 = { 48 81 EC 80 00 00 00 8B 05 ?? ?? ?? ?? C7 45 B0 4C 89 1B 48 C7 45 B4 89 43 08 49 C7 45 B8 89 5B 08 48 C6 45 BC 8D C7 45 C0 4C 89 1B 48 }
            // n = 7, score = 100
            //   48 81 ec 80 00 00 00    | sub     rsp, 0x80
            //   8b 05 ?? ?? ?? ??       | mov     eax, dword ptr [rip + disp32]
            //   c7 45 b0 4c 89 1b 48    | mov     dword ptr [rbp - 0x50], 0x481b894c
            //   c7 45 b4 89 43 08 49    | mov     dword ptr [rbp - 0x4c], 0x49084389
            //   c7 45 b8 89 5b 08 48    | mov     dword ptr [rbp - 0x48], 0x48085b89
            //   c6 45 bc 8d             | mov     byte ptr [rbp - 0x44], 0x8d
            //   c7 45 c0 4c 89 1b 48    | mov     dword ptr [rbp - 0x40], 0x481b894c

        // Argument marshalling into the x64 calling-convention registers
        // (rdx, r8, r9) ahead of a direct call.
        $sequence_8 = { 4D 8B CE 4D 8B C2 49 8B D7 E8 ?? ?? ?? ?? }
            // n = 4, score = 100
            //   4d 8b ce                | mov     r9, r14
            //   4d 8b c2                | mov     r8, r10
            //   49 8b d7                | mov     rdx, r15
            //   e8 ?? ?? ?? ??          | call    rel32

        // Conditionally skipped call, then restoration of callee-saved
        // rbp/rsi/rdi from the stack frame.
        $sequence_9 = { 74 08 48 8B D6 E8 ?? ?? ?? ?? 48 8B 6C 24 38 48 8B 74 24 40 48 8B 7C 24 48 }
            // n = 6, score = 100
            //   74 08                   | je      +8
            //   48 8b d6                | mov     rdx, rsi
            //   e8 ?? ?? ?? ??          | call    rel32
            //   48 8b 6c 24 38          | mov     rbp, qword ptr [rsp + 0x38]
            //   48 8b 74 24 40          | mov     rsi, qword ptr [rsp + 0x40]
            //   48 8b 7c 24 48          | mov     rdi, qword ptr [rsp + 0x48]

    condition:
        // At least 7 of the 10 fragments must be present, and only in files
        // smaller than 64 KiB (65536 bytes).
        filesize < 64KB and 7 of ($sequence_*)
}