win.httpdropper

httpdropper

aka: httpdr0pper

There is no description at this point.

References
2016-03-04 — SANS — David Martin
@online{martin:20160304:tracing:ca8f6d7, author = {David Martin}, title = {{Tracing the Lineage of DarkSeoul}}, date = {2016-03-04}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787}, language = {English}, urldate = {2019-12-17} } Tracing the Lineage of DarkSeoul
httpdropper
2013-04-24 — R136a1
@online{r136a1:20130424:south:d6c223e, author = {R136a1}, title = {{South Korea Incident - New Malware samples}}, date = {2013-04-24}, url = {http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html}, language = {English}, urldate = {2020-01-13} } South Korea Incident - New Malware samples
concealment_troy httpdropper http_troy
2013 — McAfee — Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:2013:dissecting:74f9183, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2013}, institution = {McAfee}, url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-08} } Dissecting Operation Troy: Cyberespionage in South Korea
httpdropper
Yara Rules
[TLP:WHITE] win_httpdropper_auto (20230715 | Detects win.httpdropper.)
rule win_httpdropper_auto {
    // Auto-generated (yara-signator) code-pattern signature for win.httpdropper.
    // Each $sequence_N string below is a run of instruction bytes lifted from a
    // sample; the rule fires when at least 7 of the 16 sequences are present in
    // a file smaller than 512 KiB (see the condition at the bottom).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.httpdropper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Matching is done on the hex bytes only. A "??" pair is a one-byte
        // wildcard; it is used where an instruction operand is left blank in the
        // annotation (e.g. 81fa????????, ff15????????, e9????????, e8????????),
        // presumably because that operand is a build-specific address or
        // displacement -- confirm against the generator's config if it matters.
        // The "// n = N, score = S" line gives the instruction count of the
        // sequence and the score yara-signator assigned to it; sequences with
        // score = 100 (8..15) are weaker evidence than those with score = 200.
        //
        // NOTE(review): the per-line disassembly annotations do not decode the
        // hex shown beside them -- e.g. c7437c00000000 is
        // "mov dword ptr [ebx + 0x7c], 0", which is printed under $sequence_2
        // rather than next to its bytes in $sequence_0. Treat the annotations as
        // informational only; they do not affect matching.
        //
        // NOTE(review): $sequence_8..$sequence_13 contain leading 0x48 / 0x45
        // bytes annotated as "dec eax" / "inc ebp". Those are REX prefixes on
        // x86-64, so these sequences look like they were lifted from a 64-bit
        // sample and the annotation decoded them as 32-bit -- confirm against
        // the source sample before relying on the annotation text.
        $sequence_0 = { 014b18 c7437c00000000 897b70 85c0 0f85b4010000 }
            // n = 5, score = 200
            //   014b18               | add                 ecx, ebx
            //   c7437c00000000       | imul                ecx, ecx, 0xea60
            //   897b70               | inc                 esi
            //   85c0                 | add                 edx, eax
            //   0f85b4010000         | movzx               eax, word ptr [esp + 0x22]

        $sequence_1 = { 0110 80aa0110a4aa01 1023 d18a0688078a 46 }
            // n = 5, score = 200
            //   0110                 | cmp                 edi, 0x194
            //   80aa0110a4aa01       | jne                 0x25
            //   1023                 | add                 ecx, ecx
            //   d18a0688078a         | sub                 ebx, ecx
            //   46                   | cmp                 edi, 0x194

        $sequence_2 = { 018614400000 8b8614400000 c68430142000000d ff8614400000 }
            // n = 4, score = 200
            //   018614400000         | test                esi, esi
            //   8b8614400000         | add                 dword ptr [ebx + 0x18], ecx
            //   c68430142000000d     | mov                 dword ptr [ebx + 0x7c], 0
            //   ff8614400000         | mov                 dword ptr [ebx + 0x70], edi

        $sequence_3 = { 018610200000 8d5e10 8d9b00000000 8b9610200000 }
            // n = 4, score = 200
            //   018610200000         | mov                 ebx, 0x40
            //   8d5e10               | sub                 ebx, ecx
            //   8d9b00000000         | cmp                 edi, ebx
            //   8b9610200000         | jb                  0x62

        $sequence_4 = { 014614 bb40000000 2bd9 3bfb 7254 }
            // n = 5, score = 200
            //   014614               | add                 ecx, ebx
            //   bb40000000           | imul                ecx, ecx, 0xea60
            //   2bd9                 | add                 ecx, ebx
            //   3bfb                 | imul                ecx, ecx, 0xea60
            //   7254                 | add                 ecx, ebx

        $sequence_5 = { 017df8 83f93d 7471 83f920 7505 b92b000000 0fbf0c4d20a80310 }
            // n = 7, score = 200
            //   017df8               | add                 dword ptr [eax + 0x468a0147], ecx
            //   83f93d               | add                 dword ptr [esi + 0x14], eax
            //   7471                 | mov                 ebx, 0x40
            //   83f920               | sub                 ebx, ecx
            //   7505                 | cmp                 edi, ebx
            //   b92b000000           | jb                  0x62
            //   0fbf0c4d20a80310     | add                 dword ptr [esi + 0x14], eax

        $sequence_6 = { 89848dc0deffff 41 803f00 7416 c60700 8a4701 47 }
            // n = 7, score = 200
            //   89848dc0deffff       | mov                 eax, 0x4849
            //   41                   | add                 ecx, ecx
            //   803f00               | sub                 ebx, ecx
            //   7416                 | cmp                 edi, 0x194
            //   c60700               | jne                 0x25
            //   8a4701               | add                 ecx, ecx
            //   47                   | sub                 ebx, ecx

        $sequence_7 = { 015dfc 83c204 81fa???????? 7cb7 3d00010000 740a c786a4af060078420310 }
            // n = 7, score = 200
            //   015dfc               | inc                 esi
            //   83c204               | add                 dword ptr [eax], edx
            //   81fa????????         |                     
            //   7cb7                 | sub                 byte ptr [edx - 0x555befff], 1
            //   3d00010000           | adc                 byte ptr [ebx], ah
            //   740a                 | ror                 dword ptr [edx - 0x75f877fa], 1
            //   c786a4af060078420310     | inc    esi

        $sequence_8 = { 014e28 48c786a800000000000000 899698000000 85c0 }
            // n = 4, score = 100
            //   014e28               | add                 dword ptr [esi + 0x28], ecx
            //   48c786a800000000000000     | dec    eax
            //   899698000000         | mov                 dword ptr [esi + 0xa8], 0
            //   85c0                 | mov                 dword ptr [esi + 0x98], edx

        $sequence_9 = { 03742478 488d442478 4533c9 4533c0 }
            // n = 4, score = 100
            //   03742478             | add                 dword ptr [ebx + 0x1af70], ecx
            //   488d442478           | mov                 edx, dword ptr [ebx + 0x1af70]
            //   4533c9               | dec                 eax
            //   4533c0               | lea                 ecx, [0x16f8e]

        $sequence_10 = { 03cb 69c960ea0000 ff15???????? e9???????? }
            // n = 4, score = 100
            //   03cb                 | inc                 ebp
            //   69c960ea0000         | xor                 eax, eax
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_11 = { 018b70af0100 8b9370af0100 488d0d8e6f0100 e8???????? }
            // n = 4, score = 100
            //   018b70af0100         | add                 dword ptr [ebx + 0x4018], ecx
            //   8b9370af0100         | mov                 eax, dword ptr [ebx + 0x4018]
            //   488d0d8e6f0100       | dec                 eax
            //   e8????????           |                     

        $sequence_12 = { 039c2488000000 488d842488000000 c744243080000000 4533c9 }
            // n = 4, score = 100
            //   039c2488000000       | dec                 eax
            //   488d842488000000     | lea                 eax, [esp + 0x78]
            //   c744243080000000     | inc                 ebp
            //   4533c9               | xor                 ecx, ecx

        $sequence_13 = { 018b18400000 8b8318400000 488d8b20400000 c68418182000000d }
            // n = 4, score = 100
            //   018b18400000         | test                eax, eax
            //   8b8318400000         | jne                 0x173
            //   488d8b20400000       | test                edi, edi
            //   c68418182000000d     | jne                 0xfffffc6e

        $sequence_14 = { 03c9 2bd9 81ff94010000 7519 }
            // n = 4, score = 100
            //   03c9                 | mov                 dword ptr [esp + 0x28], eax
            //   2bd9                 | add                 ebx, dword ptr [esp + 0x88]
            //   81ff94010000         | dec                 eax
            //   7519                 | lea                 eax, [esp + 0x88]

        $sequence_15 = { 03c8 85db 740e 3bd9 }
            // n = 4, score = 100
            //   03c8                 | xor                 ecx, ecx
            //   85db                 | inc                 ebp
            //   740e                 | xor                 eax, eax
            //   3bd9                 | dec                 eax

    condition:
        // "7 of them" = at least 7 of the 16 $sequence_N strings must match;
        // no single sequence is required, so the rule tolerates partial code
        // changes between samples. 524288 = 512 KiB: samples at or above that
        // size are never matched, so an inflated/padded build would evade this
        // rule. Note that filesize is only defined when scanning a file (not a
        // process); confirm behaviour for your memory-scanning use case.
        7 of them and filesize < 524288
}