win.http_troy

http_troy


There is no description at this point.

References
2018-05-03 | McAfee | Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:20180503:dissecting:13102f0, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-05-03}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-10} } Dissecting Operation Troy: Cyberespionage in South Korea
concealment_troy http_troy Lazarus Group
2013-04-24 | R136a1
@online{r136a1:20130424:south:d6c223e, author = {R136a1}, title = {{South Korea Incident - New Malware samples}}, date = {2013-04-24}, url = {http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html}, language = {English}, urldate = {2020-01-13} } South Korea Incident - New Malware samples
concealment_troy httpdropper http_troy
Yara Rules
[TLP:WHITE] win_http_troy_auto (20230125 | Detects win.http_troy.)
// Autogenerated code-sequence rule for win.http_troy (yara-signator). The
// DISCLAIMER block below explains how the byte sequences were selected and
// why the rule's generalization across samples is limited; weight detections
// from it accordingly.
rule win_http_troy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.http_troy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 (32-bit) instruction bytes lifted
        // from the sample's disassembly. The "n = …, score = …" line gives the
        // number of instructions in the run and yara-signator's ranking score
        // (the score's scale is not documented on this page). "??" bytes are
        // YARA hex-string wildcards; they appear to mask address-dependent
        // operands (e.g. the 4-byte operand of ff15 / e8 / 8b0d), which is why
        // those rows carry no disassembly text.
        $sequence_0 = { 8d4c2434 51 56 8844243c ffd7 8a5307 6a01 }
            // n = 7, score = 200
            //   8d4c2434             | lea                 ecx, [esp + 0x34]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   8844243c             | mov                 byte ptr [esp + 0x3c], al
            //   ffd7                 | call                edi
            //   8a5307               | mov                 dl, byte ptr [ebx + 7]
            //   6a01                 | push                1

        $sequence_1 = { 8b7508 8d442408 8d5001 90 8a08 40 }
            // n = 6, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d442408             | lea                 eax, [esp + 8]
            //   8d5001               | lea                 edx, [eax + 1]
            //   90                   | nop                 
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax

        $sequence_2 = { 6a00 56 ff15???????? 85c0 7535 8b4c2410 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7535                 | jne                 0x37
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]

        $sequence_3 = { 56 57 8b7c2410 6a00 6880000000 6a03 6a00 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a03                 | push                3
            //   6a00                 | push                0

        $sequence_4 = { 8d4411ff 3dff7f0000 740a c786a4af0600d4a70210 8b5c243c 33f6 85db }
            // n = 7, score = 200
            //   8d4411ff             | lea                 eax, [ecx + edx - 1]
            //   3dff7f0000           | cmp                 eax, 0x7fff
            //   740a                 | je                  0xc
            //   c786a4af0600d4a70210     | mov    dword ptr [esi + 0x6afa4], 0x1002a7d4
            //   8b5c243c             | mov                 ebx, dword ptr [esp + 0x3c]
            //   33f6                 | xor                 esi, esi
            //   85db                 | test                ebx, ebx

        $sequence_5 = { 03763c 56 ff15???????? 85c0 741a 55 ff15???????? }
            // n = 7, score = 200
            //   03763c               | add                 esi, dword ptr [esi + 0x3c]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   55                   | push                ebp
            //   ff15????????         |                     

        $sequence_6 = { 8d442404 33ff 50 57 897c240c e8???????? 83f86f }
            // n = 7, score = 200
            //   8d442404             | lea                 eax, [esp + 4]
            //   33ff                 | xor                 edi, edi
            //   50                   | push                eax
            //   57                   | push                edi
            //   897c240c             | mov                 dword ptr [esp + 0xc], edi
            //   e8????????           |                     
            //   83f86f               | cmp                 eax, 0x6f

        $sequence_7 = { 834dfcff 8345e404 ebd5 e8???????? c3 8b0d???????? 8bc2 }
            // n = 7, score = 200
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8345e404             | add                 dword ptr [ebp - 0x1c], 4
            //   ebd5                 | jmp                 0xffffffd7
            //   e8????????           |                     
            //   c3                   | ret                 
            //   8b0d????????         |                     
            //   8bc2                 | mov                 eax, edx

        $sequence_8 = { 50 6a00 8d4c2418 51 6a00 56 e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6a00                 | push                0
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_9 = { 899e6caf0600 33c0 83fa02 b9ff7f0000 8dbe70af0400 f3ab }
            // n = 6, score = 200
            //   899e6caf0600         | mov                 dword ptr [esi + 0x6af6c], ebx
            //   33c0                 | xor                 eax, eax
            //   83fa02               | cmp                 edx, 2
            //   b9ff7f0000           | mov                 ecx, 0x7fff
            //   8dbe70af0400         | lea                 edi, [esi + 0x4af70]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

    condition:
        // Match requires at least 7 of the 10 sequences above AND a size cap of
        // 475136 bytes. `filesize` is the size of the scanned object, so the
        // rule is meant for files / unpacked dumps under that bound; a larger
        // carrier (e.g. a packed or padded binary) will not match even if all
        // sequences are present. NOTE(review): per YARA's documented semantics
        // filesize is undefined for live process scans — confirm before relying
        // on this rule in that mode.
        7 of them and filesize < 475136
}