win.homefry

homefry

Actor(s): Leviathan


A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with a single-byte XOR (key 0x56). The malware accepts up to two command-line arguments: one displays cleartext credentials for each login session, and the second displays cleartext credentials, NTLM hashes, and the malware version for each login session.

References
2020 — Secureworks — SecureWorks
@online{secureworks:2020:bronze:e8ad4fb, author = {SecureWorks}, title = {{BRONZE MOHAWK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-mohawk}, language = {English}, urldate = {2020-05-23} } BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll APT40
2018-03-16 — FireEye — FireEye
@online{fireeye:20180316:suspected:2a77316, author = {FireEye}, title = {{Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries}}, date = {2018-03-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html}, language = {English}, urldate = {2019-12-20} } Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll APT40
Yara Rules
[TLP:WHITE] win_homefry_auto (20221125 | Detects win.homefry.)
rule win_homefry_auto {

    // Auto-generated code-sequence signature for win.homefry (Leviathan tooling).
    // The rule fires when at least 7 of the 10 byte sequences under `strings`
    // are present in a file smaller than 64 KiB; see `condition` below.
    // Nothing in `meta` is a detection term: it is exposed to consumers of a
    // match (reference URL, sharing level, licence) and must be kept verbatim.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.homefry."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the strings:
    //   - Each $sequence_N is a YARA hex pattern; `??` is a single-byte wildcard.
    //     Judging by the surrounding opcodes (e8 ????????, ff15 ????????,
    //     8b35 ????????) the wildcards mask relocatable displacements and call
    //     targets, so the pattern survives relinking/rebasing -- inferred from
    //     the bytes, not stated by the generator.
    //   - `n` is the number of instructions in the sequence; `score` is
    //     presumably the generator's ranking value (yara-signator convention,
    //     not documented on this page).
    //   - NOTE(review): the mnemonic column beside each byte row appears to be a
    //     32-bit-mode decode of 64-bit code (0x48 REX.W prefix bytes shown as
    //     `dec eax`, other 0x4x prefixes as inc/dec/arpl) and in several
    //     sequences is shifted by one row relative to the bytes (e.g. in
    //     $sequence_3 `lea eax, [ebx + 8]` corresponds to the 8d4308 bytes of
    //     the following row). Treat the raw bytes as authoritative and do not
    //     use the mnemonics to reason about the sample's behaviour.
    strings:
        $sequence_0 = { 48895c2410 48896c2418 4889742420 57 4883ec20 8b35???????? }
            // n = 6, score = 100
            //   48895c2410           | dec                 ecx
            //   48896c2418           | arpl                word ptr [eax + eax], ax
            //   4889742420           | dec                 ecx
            //   57                   | arpl                cx, dx
            //   4883ec20             | dec                 eax
            //   8b35????????         |                     

        $sequence_1 = { 488d15591f0000 488bd8 ff15???????? 488b0d???????? 488d15621f0000 488bf0 }
            // n = 6, score = 100
            //   488d15591f0000       | je                  0x640
            //   488bd8               | dec                 eax
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   488d15621f0000       | mov                 ecx, dword ptr [ebp + 0x300]
            //   488bf0               | dec                 eax

        $sequence_2 = { 4803d3 4c03c0 486305???????? 4c890d???????? }
            // n = 4, score = 100
            //   4803d3               | dec                 eax
            //   4c03c0               | mov                 dword ptr [esp + 0x20], eax
            //   486305????????       |                     
            //   4c890d????????       |                     

        $sequence_3 = { 488b4c2440 4c8d4308 488bd0 488be8 e8???????? 84c0 }
            // n = 6, score = 100
            //   488b4c2440           | lea                 eax, [ebx + 8]
            //   4c8d4308             | dec                 eax
            //   488bd0               | mov                 edx, eax
            //   488be8               | dec                 eax
            //   e8????????           |                     
            //   84c0                 | mov                 ebp, eax

        $sequence_4 = { 458d4e04 488b09 4c8d442470 488d15420f0000 4489742428 4889442420 }
            // n = 6, score = 100
            //   458d4e04             | dec                 eax
            //   488b09               | cmp                 eax, -1
            //   4c8d442470           | jne                 0x157
            //   488d15420f0000       | dec                 eax
            //   4489742428           | mov                 edx, ecx
            //   4889442420           | dec                 eax

        $sequence_5 = { 4585c9 7415 488d0d33160000 4d8bce 4d8bc2 }
            // n = 5, score = 100
            //   4585c9               | dec                 eax
            //   7415                 | lea                 edx, [esp + 0x50]
            //   488d0d33160000       | je                  0x97d
            //   4d8bce               | mov                 ecx, 0xa8
            //   4d8bc2               | je                  0x98c

        $sequence_6 = { ff15???????? 488bc7 4c8d9c2480000000 498b5b10 498b7318 498b7b20 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bc7               | dec                 ecx
            //   4c8d9c2480000000     | mov                 edi, eax
            //   498b5b10             | inc                 ecx
            //   498b7318             | push                esi
            //   498b7b20             | inc                 ecx

        $sequence_7 = { 4183c0d8 488b5110 488b4c2440 4883c128 4883c228 e8???????? 84c0 }
            // n = 7, score = 100
            //   4183c0d8             | jae                 0xf9
            //   488b5110             | dec                 eax
            //   488b4c2440           | add                 edi, edx
            //   4883c128             | dec                 ecx
            //   4883c228             | mov                 ecx, esi
            //   e8????????           |                     
            //   84c0                 | dec                 eax

        $sequence_8 = { 48833d????????00 4c8b742450 488b7c2458 488b742460 488bac2488000000 }
            // n = 5, score = 100
            //   48833d????????00     |                     
            //   4c8b742450           | je                  0x7a
            //   488b7c2458           | mov                 ecx, dword ptr [ebx + ebp]
            //   488b742460           | mov                 eax, ebx
            //   488bac2488000000     | test                al, al

        $sequence_9 = { 2bf0 488d2d192a0000 488bc5 397008 }
            // n = 4, score = 100
            //   2bf0                 | js                  0xf2
            //   488d2d192a0000       | dec                 eax
            //   488bc5               | lea                 eax, [esp + 0x80]
            //   397008               | inc                 ebp

    condition:
        // At least 7 distinct $sequence_* strings must match; tolerating 3 misses
        // leaves room for compiler/sample variation at some cost in specificity.
        // filesize < 65536 (64 KiB) limits matches to small binaries, consistent
        // with the unpacked samples and memory dumps the generator worked from;
        // a packed or larger carrier will not match and needs unpacking first.
        // NOTE(review): when scanning live process memory rather than a file,
        // `filesize` may not evaluate as expected -- confirm for the YARA
        // version in use before relying on this rule in a memory-scan pipeline.
        7 of them and filesize < 65536
}